Convergence
CONFIGURATIONS, VULNERABILITIES AND UNEXPECTED CHANGES
8 October, 2014
JOEL BARNES – EMEA SE MANAGER

Convergence:
What Is It? What do we mean by “convergence?”
How Does It Apply? What does it mean in the context of information security?
What’s It Look Like? Where do we see examples of convergence?
How To Drive It? Where are there technical examples, and what do I get if I leverage them?
What Do We Mean by Convergence?
Definitions are great things

Two Definitions
Technological convergence is the tendency for different technological systems to evolve toward performing similar tasks or even the same overall “job”.
Evolutionary convergence describes the development of the same biological traits in unrelated organisms that have fundamentally different “jobs” in an environment.
“Convergence” can have seven or more definitions depending on the dictionary being used.

Technological Convergence
Entertainment systems like the Wii have internet connections with built-in web browsers and social networking applications:
• Watch TV
• Shop
• Buy music
• Check in with friends
Combining different “jobs” in one unit

Technological Convergence
Cell phones contain high-resolution cameras, voice dictation systems, video, music players and a whole host of computing features:
• Check weather
• Check in with friends
• Buy tickets
• Send and receive email
Combining different “jobs” in one unit

Technological Convergence
Of course, there are some examples of technical convergence that make little or no sense at all.
Combining different “jobs” in one unit

Evolutionary Convergence
Similar structures evolve even though they serve radically different jobs.
These creatures all have wings, but their jobs are to:
• Find and eat insects
• Find and drink nectar
• Find and eat rodents
Similar attributes doing different “jobs”
Which Of These are We Talking About Today?
This is not about adding features.
It’s about leveraging the same underlying…
• Architecture
• Structure
• Design
• Language
• Environments
…in different products to reach a common end, so that all of them can do their jobs better.
Surprisingly, we’re talking about… “Evolutionary convergence”… but viewed in the context of information security technologies.

Basic Premise
Vulnerability Assessment, Security Configuration Management and File Integrity Monitoring are three different jobs that use many of the same underlying principles.
None replaces the other.
But when used together, the shared principles become powerful leverage points.
Similarities are good, but differences matter.

What Does it Mean in the Context of InfoSec?
Where does this occur? How?

[Diagram: the three controls placed along an axis of increasing depth, detail and frequency of scans, across the asset types File Server, Database Server, Application Server, Virtual Server, Directory Server, Firewalls & Routers, Desktops, Wireless Access, BYOD, Printers & Imaging, Security Tools and Web Server]

Vulnerability Management: known vulnerabilities and currency tests for versions, patches and updates.
Assesses known vulnerabilities using published CVEs or patch policies. Scanned weekly or monthly.
Approach: scan everything, externally based, relatively shallow collection of information.

Security Configuration Management: secure configuration settings based on standards & security policies, with remediation workflow, customization & exception management.
Assesses secure configuration settings against hardening standards: ports, services, connection settings, users, security protocols, permissions. Scanned daily or weekly.
Approach: scan twice as many assets as FIM and gather information more deeply than VA scans.

File Integrity Monitoring: detection and analysis of anomalies and changes that threaten file and system integrity or introduce risk.
Assesses changes (often deep and subtle) to critical file attributes such as:
• Content
• Security settings
• Hash values
• File weight and size
• Permissions
• Version reconciliation
• Specific content values (credit card or SSN data)
Scanned daily, hourly or by the minute.
Approach: typically scans critical assets only, host-based, collects deep detailed information with real-time capabilities as needed.
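An added illustration of the FIM column above (not code from the presentation or from Tripwire): a minimal baseline-and-compare over three of the listed attributes, content hash, size and permissions, run against a constructed temporary file tree. The file names and the between-scan changes are assumptions made for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Compares content hash, size and permissions only; version reconciliation and
# content-pattern checks (card or SSN data) from the slide are left out here.
def file_record(path: Path) -> dict:
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }

def snapshot(root: Path) -> dict:
    """Baseline: one record per regular file under root, keyed by relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> list:
    """(path, kind, (old, new)) per deviation; kind is added/deleted or the attribute name."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "deleted", None))
        elif rel not in baseline:
            findings.append((rel, "added", None))
        else:
            for attr in ("sha256", "size", "mode"):
                old, new = baseline[rel][attr], current[rel][attr]
                if old != new:
                    findings.append((rel, attr, (old, new)))
    return findings

def demo() -> list:
    """Constructed scenario: baseline a tiny /etc-like tree, then change it between scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)
        baseline = snapshot(root)
        # Between scans: content edited (hash and size move), permissions loosened, file added
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "etc" / "passwd", 0o666)
        (root / "etc" / "motd").write_text("maintenance window\n")
        return compare(baseline, snapshot(root))
```

Each finding carries the old and new attribute value, which is the "detail" a reviewer drills into when an unapproved change is raised.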

[The same diagram as above, annotated “Defense in Depth”]

[The same diagram, with the three controls replaced by what they share]
Common management systems
Common notions of:
• Risk
• Priority
• Dependency
• Business Value
• “Language” for Risk
Common “policy” for expectations:
• When?
• How often?
• To what level?
• What about exceptions?
• What about alerts?

[The same diagram, with all three controls shown]
How do we tie these together to provide better Defense in Depth?

Where Do We See Examples of Convergence?
What standards or best practices are already aligning security technologies?

Convergence: Vulnerability, SCM & Change Control
NERC CIP V5, In Draft
Convergence in the Energy Space: the latest V5 of the NERC CIP requirements, now in the approval process, pulls VA, change auditing, and configuration management from separate CIP areas and combines them together in a new CIP 10 section.

Convergence: Vulnerability Management & SCM
Convergence in Finance: the latest version of the Monetary Authority of Singapore’s risk management guidelines puts security configuration management and vulnerability assessment side-by-side.

Convergence: Vulnerability, Baselines & SCM
Convergence in EMEA: new cyber security guidance from the UK government puts vulnerability assessment and security configuration management in one control group under the heading Secure Configuration.

Convergence: Vulnerability, SCM & Risk
Convergence by analysts: recent research from Gartner and Securosis highlights the connection between vulnerability management and SCM.

So What? (Or, “Where are The Wings?”)
What examples are there of technical convergence, and what do they give me?
VA + SCM + FIM* is a Killer Combination
1. All three controls view vulnerabilities and threats in much the same way
2. All can be (when fully leveraged) proactive controls that ensure robust security
3. All speak “the language of risk”
4. All enable what we call “Connecting Security to the Business”
Leveraging Technical Aspects of Convergence
* For a complete discourse on the differences between “Checkbox FIM” and “True FIM”, please contact me after the presentation

Leveraging Convergent Controls: VA, SCM, and FIM

Similar Views
• Asset groupings, by business unit, geography, compliance oversight, or service dependencies, can be shown in the same way for all controls, while still retaining their unique control perspectives
• All three controls have the same notions of risk and severity:
  o Configuration failures
  o On an un-patched system
  o That has experienced unexpected or “bad” changes

Proactive Controls (When Used Correctly)
• When VA is used to determine where overall patching strategies have lapsed, it is becoming proactive
• When SCM is used to determine overall security posture (and how to improve it), it is becoming proactive
• When critical change information is sent to SIEM systems or treated as incident indicators, it’s becoming proactive

Similar Language
• CVE (MITRE’s “Common Vulnerabilities and Exposures”) enables data exchange between security products and provides a baseline index point for evaluating tools and services
• CCE (NIST’s “Common Configuration Enumeration”) provides unique identifiers for security-related system configuration issues across multiple information sources and tools

Connect Security to the Business or Mission
• All three solutions provide “security posture information” that is uniquely suited to indicate the overall susceptibility of a system to an attack
• All three controls can roll up information and present it in a common context:
  o Number of un-patched vulns rising or falling
  o Configuration “failure” count rising or falling
  o Unapproved change count going up / down

How can Tripwire do it? Automatic Asset Tagging
The Results
Convergence Provides:
Consolidated security information
Consolidated context for:
• Configuration failures
• Unapproved changes
• Patch / vulnerability violations

The Results
Convergence Provides:
Linked drill-down between possible security issues with:
• Consistency
• Traceability
• Roll-up with examination of details as needed

The Results
Convergence Provides:
One overall measure of security posture from multiple controls
One consistent roll-up score
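A constructed roll-up that mirrors the three trend counts on the “Leveraging Convergent Controls” slide and the single posture score and linked drill-down described in these Results slides. This is an added example, not Tripwire code or Tripwire’s scoring: the asset inventory, the shared tags, the findings and the severity-times-priority formula are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed asset inventory: the SAME tags (business unit, geo, priority) are
# attached to each asset for all three controls, which is what lets VA, SCM and
# FIM findings be grouped and compared in one view.
ASSETS = {
    "db01":  {"bu": "Finance", "geo": "EMEA", "priority": 3},
    "web01": {"bu": "Retail",  "geo": "EMEA", "priority": 2},
    "ws17":  {"bu": "Retail",  "geo": "US",   "priority": 1},
}

@dataclass(frozen=True)
class Finding:
    control: str   # "VA" = un-patched vuln, "SCM" = configuration failure, "FIM" = unapproved change
    asset: str
    severity: int  # 1 (low) .. 5 (critical): the shared "language of risk"

# Two constructed scan cycles (made up for the demo)
WEEK1 = [Finding("VA", "db01", 5), Finding("SCM", "db01", 3),
         Finding("VA", "web01", 4), Finding("FIM", "web01", 2)]
WEEK2 = [Finding("VA", "db01", 5), Finding("SCM", "db01", 3), Finding("SCM", "db01", 2),
         Finding("FIM", "web01", 2), Finding("FIM", "ws17", 4), Finding("FIM", "db01", 5)]

def rollup(findings, tag):
    """Count findings per control, grouped by one shared asset tag (e.g. "bu" or "geo")."""
    groups = defaultdict(Counter)
    for f in findings:
        groups[ASSETS[f.asset][tag]][f.control] += 1
    return {group: dict(counts) for group, counts in groups.items()}

def trend(before, after, tag):
    """For each group and control: is the count rising, falling or flat between cycles?"""
    b, a = rollup(before, tag), rollup(after, tag)
    out = {}
    for group in sorted(set(b) | set(a)):
        for control in ("VA", "SCM", "FIM"):
            x, y = b.get(group, {}).get(control, 0), a.get(group, {}).get(control, 0)
            out[(group, control)] = "rising" if y > x else "falling" if y < x else "flat"
    return out

def posture_score(findings):
    """One number across all three controls: severity weighted by asset priority (assumed formula; 0 = clean)."""
    return sum(f.severity * ASSETS[f.asset]["priority"] for f in findings)

def drill_down(findings, tag, group):
    """Linked drill-down: the individual findings behind one roll-up cell."""
    return [f for f in findings if ASSETS[f.asset][tag] == group]
```

Because the grouping key comes from the asset tags rather than from any one control, the same `rollup` works unchanged for business unit, geography or any other tag the inventory carries.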
Don’t Look For “Fully Integrated” Suites
Look instead for:
1. Solutions that share context
2. Security controls that can be independent but cooperative
3. Solutions that leverage common frameworks for:
• Asset tagging or identification
• Risk assessments
• Business information (like BU, geo, business priority)
You’re likely to get refrigerators with TVs built into them