46
SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO
SESSION ID:
Continuous Monitoring with the 20 Critical Security Controls
SPO1-W02
Wolfgang KandekCTO
#RSAC
2
We called 2013 the year of the data breach…
#RSAC
3
…but 2014 started in much the same spirit…
#RSAC
Background
Open System Administration Channels
Default and Weak Passwords
End-user has Admin Privileges
Outdated Software Versions
4
#RSAC
Outdated Software Versions
5
EDB+MSP
Metasploit
Exploit DB
CVSS 10
Random
0% 5% 10% 15% 20% 25% 30% 35%
Vulnerability Breach Use Probability
#RSAC
Background
Open System Administration Channels
Default and Weak Passwords
End-user has Admin Privileges
Outdated Software Versions
Non-Hardened Configurations
=> Flaws in System Administration
6
#RSAC
Solution
20 Critical Security Controls
What works in Security?
7
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
8
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industryexpert input
9
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
10
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
11
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industryexpert input
International Participation
12
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industryexpert input
International Participation
13
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
5 Tenets
14
#RSAC
5 Tenets 20 CSC
Offense informs Defense
Prioritization
Metrics
Continuous Diagnostics and Mitigation
Automation
15
#RSAC
5 Tenets 20 CSC
Offense informs Defense
Prioritization
Metrics Continuous Diagnostics and Mitigation
Automation
16
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
5 Tenets
Prioritized
17
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
5 Tenets
Prioritized
18
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
5 Tenets
Prioritized
Implementation Guidelines
19
#RSAC
Solution
20 Critical Security Controls
What works in Security?
Owned by the Council on Cybersecurity With widespread industry expert input
International Participation
5 Tenets
Prioritized
Implementation Guidelines = Quick Wins, Visibility/Attribution, Configuration/Hygiene, Advanced
20
#RSAC
Implementation Guidelines
21
#RSAC
Implementation Guidelines
Quick Win 1 - Control 1 – HW Inventory Implement an automated discovery engine (active/passive)
Quick Win 3 – Control 2 – SW Inventory Scan for Deviations from Approved List
Quick Win 3 – Control 3 – Secure Configurations Limit Admin privileges
Quick Win 10 – Control 4 – Vulnerability Scanning Risk rate by groups
22
#RSAC
Implementation Guidelines
Measure Success Control 1: Detect new machines in 24 hours
Control 1: How many unauthorized machines on network?
Control 2: How many unauthorized software packages installed?
Control 3: Percentage of machines that do not run an approved image ?
Control 4: Percentage of machines not scanned recently (3d)?
23
#RSAC
Implementing Quick Wins - Prototype
QualysGuard, API, PERL, Splunk
Daily Authenticated Scan of Network
Scripted API Access and Load
24
#RSAC
Implementing Quick Wins - Prototype
25
#RSAC
Implementing Quick Wins - Prototype
Logins - user, date, type
Scans - user, date, type, target, duration
Reports - user, date, type, duration, size
Hosts – machine, date, active, fixed, severity counts, scores
Vulnerabilities – id, severity, cvss, age
Software – name, publisher
Certificates – subject, validdate, signer, self-signed
Ports – date, ports
26
#RSAC
Implementing Quick Wins - Prototype
Logins - user, date, type
Scans - user, date, type, target, duration
Reports - user, date, type, duration, size
Hosts – machine, date, active, fixed, severity counts, scores
Vulnerabilities – id, severity, cvss, age
Software – name, publisher
Certificates – subject, validdate, signer, self-signed
Ports – date, ports
27
#RSAC
Implementing Quick Wins - Prototype
QualysGuard, API, PERL, Splunk
Daily Authenticated Scan of Network
Scripted API Access and Load
Data Transformation in Scripts Scoring – Dept. State CVSS based
Data Promotion Software, Patches, MAC address
Splunk for Reports and Graphing
28
#RSAC
CSC1 – HW Inventory - Quick Win 1
Deploy Asset Inventory Discovery Tool (active/passive)
Goal: Discover new machines within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for new Machines ~ where the earliest scandate is within the last day
29
#RSAC
CSC1 – HW Inventory - Quick Win 1
Asset Inventory Discovery Tool (active/passive)
Discover new machines within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for new Machines
30
#RSAC
CSC2 – SW Inventory - Quick Win 3
Discover Unauthorized Software
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for new Server Ports ~ where the earliest scandate is within the last day
31
#RSAC
CSC2 – SW Inventory - Quick Win 3
Discover Unauthorized Software
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
32
#RSAC
CSC2 – SW Inventory - Quick Win 3
Discover Unauthorized Software
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for new Software ~ where the earliest scandate is within the last day
33
#RSAC
CSC2 – SW Inventory - Quick Win 3
Discover Unauthorized Software
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for new Server Ports ~ where the earliest scandate is within the last day
Query Splunk for new Software
34
#RSAC
CSC2 – SW Inventory - Quick Win 3
Discover Unauthorized Software
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for new Software ~ where the earliest scandate is within the last day
Can be Alerted On
35
#RSAC
CSC3 – Secure Configuration
Automation: Discover Non Standard Setups
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for certain SoftwareMarker Here: “Qualys Desktop Build” – which is a custom SW package
that identifies our IT standard builds
36
#RSAC
CSC3 – Secure Configuration
Automation: Discover Non Standard Setups
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for certain SoftwareMarker Here: “Qualys Desktop Build” – which is a custom SW packag
that identifies out IT standard builds
37
#RSAC
CSC3 – Secure Configuration
Automation: Discover Non Standard Setups
Goal: Within 24 hours
Daily Active Scan of the Network -> Splunk
Query Splunk for certain Software Marker Here: “Qualys Desktop Build” – which is a custom SW package
that identifies out IT standard builds
Can be Alerted On
38
#RSAC
Further Uses and Projects
Plot Progress for a Machine
39
#RSAC
Further Uses and Projects
Plot Progress for a Machine
40
#RSAC
Further Uses and Projects
Plot Progress for a Machine
Plot Progress for a Network
41
#RSAC
Further Uses and Projects
Plot Progress for a Machine
42
#RSAC
Other Operational Reports
Usage Reporting User Logins
API Logins
Reports
Anomaly Detection GeoIP
43
#RSAC
Other Operational Reports
Usage Reporting User Logins
API Logins
Reports
Anomaly Detection GeoIP
44
#RSAC
Beyond Prototyping
Continuous Monitoring
Alert on Additions & Changes Machines
Vulnerabilities
Ports
Certificates
Simple Configuration
45
