
Convergence: Configurations, Vulnerabilities and Unexpected Changes

Date posted: 13-Jun-2015
Uploaded by: tripwire
Description:
All organisations apply multiple security controls to ensure that they have a more holistic and comprehensive approach to security. However, many of these controls sit as islands within a sea of data, providing limited information beyond their single core function. By converging appropriate technologies, you can gain a better understanding of your risk posture and start gaining far more from the controls you already have. This presentation covers the concepts behind convergence, what it means for Information Security, and examples of how to gain value from it.
Transcript
Page 1: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Convergence: CONFIGURATIONS, VULNERABILITIES AND UNEXPECTED CHANGES

8 October, 2014

JOEL BARNES – EMEA SE MANAGER

Page 2: Convergence: Configurations, Vulnerabilities and Unexpected Changes


Convergence:

What Is It? What do we mean by “convergence?”

How Does It Apply? What does it mean in the context of information security?

What’s It Look Like? Where do we see examples of convergence?

How To Drive It? Where are there technical examples, and what do I get if I leverage them?

Page 3: Convergence: Configurations, Vulnerabilities and Unexpected Changes


What Do We Mean by Convergence?

Definitions are great things

Page 4: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Two Definitions

Technological convergence is the tendency for different technological systems to evolve toward performing similar tasks or even the same overall “job”.

Evolutionary convergence describes the development of the same biological traits in unrelated organisms that have fundamentally different “jobs” in an environment.

“Convergence” can have seven or more definitions depending on the dictionary being used.

Page 5: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Technological Convergence

Entertainment systems like the Wii have internet connections with built-in web browsers and social networking applications:

• Watch TV

• Shop

• Buy music

• Check in with friends

Combining different “jobs” in one unit

Page 6: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Technological Convergence

Cell phones contain high-resolution cameras, voice dictation systems, video, music players and a whole host of computing features:

• Check weather

• Check in with friends

• Buy tickets

• Send and receive email

Combining different “jobs” in one unit

Page 7: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Technological Convergence

Of course, there are some examples of technical convergence that make little or no sense at all.

Combining different “jobs” in one unit

Page 8: Convergence: Configurations, Vulnerabilities and Unexpected Changes


Evolutionary Convergence

Similar structures evolve even though they serve radically different jobs.

These creatures all have wings, but their jobs are to:

• Find and eat insects

• Find and drink nectar

• Find and eat rodents

Similar attributes doing different “jobs”

Page 9: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Which Of These Are We Talking About Today?

This is not about adding features.

It’s about leveraging the same underlying…

• Architecture

• Structure

• Design

• Language

• Environments

…in different products to reach a common end, so that all of them can do their jobs better.

Surprisingly, we’re talking about “evolutionary convergence”, but viewed in the context of information security technologies.

Page 10: Convergence: Configurations, Vulnerabilities and Unexpected Changes


Basic Premise

Vulnerability Assessment ….

…Security Configuration Management ….

…and File Integrity Monitoring ….

Are three different jobs that use many of the same underlying principles.

None replaces the other.

But when used together, the shared principles become powerful leverage points.

Similarities are good, but differences matter

Page 11: Convergence: Configurations, Vulnerabilities and Unexpected Changes


What Does it Mean in the Context of InfoSec?

Where does this occur? How?

Page 12: Convergence: Configurations, Vulnerabilities and Unexpected Changes

[Diagram: the three controls laid over the asset estate (File Server, Database Server, Application Server, Virtual Server, Directory Server, Firewalls & Routers, Desktops, Wireless Access, BYOD, Printers & Imaging, Security Tools, Web Server), plotted against an axis of increased depth, detail and frequency of scans.]

Vulnerability Management: known vulnerabilities and currency tests for versions, patches and updates.

• Assesses known vulnerabilities using published CVEs or patch policies. Scanned weekly or monthly.

• Approach: scan everything, externally based, relatively shallow collection of information.

Security Configuration Management: secure configuration settings based on standards & security policies, with remediation workflow, customization & exception management.

• Assesses secure configuration settings against hardening standards: ports, services, connection settings, users, security protocols, permissions. Scanned daily or weekly.

• Approach: scan twice as many assets as FIM and gather information more deeply than VA scans.

File Integrity Monitoring: detection and analysis of anomalies and changes that threaten file and system integrity or introduce risk.

• Assesses changes (often deep and subtle) to critical file attributes such as: content, security settings, hash values, file weight and size, permissions, version reconciliation, specific content values (credit card or SSN data). Scanned daily, hourly or by the minute.

• Approach: typically scans critical assets only, host-based, collects deep detailed information with real-time capabilities as needed.

Page 13: Convergence: Configurations, Vulnerabilities and Unexpected Changes

[Diagram: as on page 12, the asset estate (File Server through Web Server) against increased depth, detail and frequency of scans, with Vulnerability Management, Security Configuration Management and File Integrity Monitoring as the three layers.]

Defense in Depth

Page 14: Convergence: Configurations, Vulnerabilities and Unexpected Changes

[Diagram: as on page 12, the asset estate (File Server through Web Server) against increased depth, detail and frequency of scans.]

Common management systems

Common notions of:

• Risk

• Priority

• Dependency

• Business Value

• “Language” for Risk

Common “policy” for expectations:

• When?

• How often?

• To what level?

• What about exceptions?

• What about alerts?

Page 15: Convergence: Configurations, Vulnerabilities and Unexpected Changes

[Diagram: as on page 12, the asset estate (File Server through Web Server) against increased depth, detail and frequency of scans, with Vulnerability Management, Security Configuration Management and File Integrity Monitoring as the three layers.]

How do we tie these together to provide better Defense in Depth?

Page 16: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Where Do We See Examples of Convergence?

What standards or best practices are already aligning security technologies?

Page 17: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Convergence: Vulnerability, SCM & Change Control

NERC CIP V5, In Draft

Convergence in the Energy Space: the latest V5 of the NERC CIP requirements, now in the approval process, pulls VA, change auditing, and configuration management from separate CIP areas and combines them together in a new CIP 10 section.

Page 18: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Convergence: Vulnerability Management & SCM

Convergence in Finance: the latest version of the Monetary Authority of Singapore’s risk management guidelines puts security configuration management and vulnerability assessment side-by-side.

Page 19: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Convergence: Vulnerability, Baselines & SCM

Convergence in EMEA: new cyber security guidance from the UK government puts vulnerability assessment and security configuration management in one control group under the heading “Secure Configuration”.

Page 20: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Convergence: Vulnerability, SCM & Risk

Convergence by analysts: recent research from Gartner and Securosis highlights the connection between vulnerability management and SCM.

Page 21: Convergence: Configurations, Vulnerabilities and Unexpected Changes


So What? (Or, “Where are The Wings?”)

What examples are there of technical convergence, and what do they give me?

Page 22: Convergence: Configurations, Vulnerabilities and Unexpected Changes

VA + SCM + FIM* is a Killer Combination

1. All three controls view vulnerabilities and threats in much the same way

2. All can be (when fully leveraged) proactive controls that ensure robust security

3. All speak “the language of risk”

4. All enable what we call “Connecting Security to the Business”

Leveraging Technical Aspects of Convergence

* For a complete discourse on the differences between “Checkbox FIM” and “True FIM”, please contact me after the presentation

Page 23: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Leveraging Convergent Controls: VA, SCM, and FIM

(Columns: Similar Views | Proactive Controls (When Used Correctly) | Similar Language | Connect Security to the Business or Mission)

Similar Views

• Asset groupings, by business unit, geography, compliance oversight, or service dependencies can be shown in the same way for all controls, while still retaining their unique control perspectives

• All three controls have the same notions of risk and severity:

o Configuration failures

o On an un-patched system

o That has experienced unexpected or “bad” changes

Proactive Controls (When Used Correctly)

• When VA is used to determine where overall patching strategies have lapsed, it is becoming proactive

• When SCM is used to determine overall security posture (and how to improve it), it is becoming proactive

• When critical change information is sent to SIEM systems or treated as incident indicators, it’s becoming proactive

Similar Language

• CVE (MITRE’s “Common Vulnerabilities and Exposures”) enables data exchange between security products and provides a baseline index point for evaluating tools and services

• CCE (NIST’s “Common Configuration Enumeration”) provides unique identifiers for security-related system configuration issues across multiple information sources and tools

Connect Security to the Business or Mission

• All three solutions provide “security posture information” that is uniquely suited to indicate the overall susceptibility of a system to an attack

• All three controls can roll up information and present it in a common context:

o Number of un-patched vulns rising or falling

o Configuration “failure” count rising or falling

o Unapproved change count going up / down

Page 24: Convergence: Configurations, Vulnerabilities and Unexpected Changes

(Same content as page 23.)

Page 25: Convergence: Configurations, Vulnerabilities and Unexpected Changes

25

How can Tripwire do it?Automatic Asset Tagging

Page 26: Convergence: Configurations, Vulnerabilities and Unexpected Changes

26

How can Tripwire do it?Automatic Asset Tagging

Page 27: Convergence: Configurations, Vulnerabilities and Unexpected Changes

27

How can Tripwire do it?Automatic Asset Tagging

Page 28: Convergence: Configurations, Vulnerabilities and Unexpected Changes

The Results

Convergence provides:

• Consolidated security information

• Consolidated context for:

o Configuration failures

o Unapproved changes

o Patch / vulnerability violations

Page 29: Convergence: Configurations, Vulnerabilities and Unexpected Changes

The Results

Convergence provides linked drill-down between possible security issues, with:

• Consistency

• Traceability

• Roll-up with examination of details as needed

Page 30: Convergence: Configurations, Vulnerabilities and Unexpected Changes

The Results

Convergence provides:

• One overall measure of security posture from multiple controls

• One consistent roll-up score

[Screenshots: IP360]
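Added example (not from the presentation or from Tripwire’s products): the roll-up these slides describe, with findings from the three controls keyed by CVE and CCE identifiers joined over shared asset tags into one per-host score, one per-business-unit or per-geography score, and a rising/falling trend between scans. The weights, the multiplier for the stacked case on page 23 (a configuration failure on an un-patched system that has seen an unexpected change), the host names and the findings are all constructed assumptions.

```python
"""Roll up VA, SCM and FIM findings over shared asset tags into one posture score."""
from collections import defaultdict

# Constructed sample data: every control reports against the same host names, and
# each host carries tags (business unit, geography) that all three controls share.
ASSET_TAGS = {
    "db01": {"bu": "Finance", "geo": "EMEA"},
    "web01": {"bu": "Retail", "geo": "EMEA"},
    "fs01": {"bu": "Finance", "geo": "APAC"},
}
VA = [("db01", "CVE-EXAMPLE-0001", 9.8), ("web01", "CVE-EXAMPLE-0002", 5.3)]   # (host, CVE id, CVSS)
SCM = [("db01", "CCE-EXAMPLE-0001", 7), ("fs01", "CCE-EXAMPLE-0002", 4)]        # (host, CCE id, severity 1-10)
FIM = [("db01", "/etc/passwd", False), ("web01", "/var/www/index.html", True)] # (host, path, approved?)

# Assumed weights: one unapproved change counts about as much as one critical CVE, and a
# host flagged by all three controls (failed config, unpatched, unexpected change) is
# weighted up, since that is the stacked case the slides describe.
WEIGHTS = {"va": 1.0, "scm": 1.0, "fim": 5.0}
STACK_MULTIPLIER = 1.5


def host_posture():
    """Per-host contribution of each control plus one combined, rounded score."""
    posture = {host: {"va": 0.0, "scm": 0.0, "fim": 0.0} for host in ASSET_TAGS}
    for host, _cve, cvss in VA:
        posture[host]["va"] += cvss
    for host, _cce, severity in SCM:
        posture[host]["scm"] += severity
    for host, _path, approved in FIM:
        if not approved:  # an approved change is expected and carries no risk
            posture[host]["fim"] += 1
    for p in posture.values():
        p["stacked"] = all(p[k] > 0 for k in WEIGHTS)
        score = sum(WEIGHTS[k] * p[k] for k in WEIGHTS)
        p["score"] = round(score * STACK_MULTIPLIER if p["stacked"] else score, 1)
    return posture


def rollup(tag):
    """Sum host scores per tag value (e.g. per business unit): the common roll-up view."""
    totals = defaultdict(float)
    for host, p in host_posture().items():
        totals[ASSET_TAGS[host][tag]] += p["score"]
    return {value: round(total, 1) for value, total in totals.items()}


def trend(previous, current):
    """Direction of a roll-up figure between two scans: rising, falling or flat."""
    return "rising" if current > previous else "falling" if current < previous else "flat"
```

The same `rollup` call works for any tag key in `ASSET_TAGS`, so the business-unit and geography views come from one set of findings rather than one report per control.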

Page 31: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Don’t Look For “Fully Integrated” Suites

Look instead for:

1. Solutions that share context

2. Security controls that can be independent but cooperative

3. Solutions that leverage common frameworks for:

• Asset tagging or identification

• Risk assessments

• Business information (like BU, geo, business priority)

You’re likely to get refrigerators with TVs built into them

Page 32: Convergence: Configurations, Vulnerabilities and Unexpected Changes

Thank You

ANY QUESTIONS?

[email protected]

