Reducing Cyber Exposure for the Modern Attack Surface

Gregg Earnhart, SE

Welcome

• Today’s IT is creating a cyber

exposure gap

• Who’s affected?

• Reducing the cyber exposure

gap

TOPICS

2

Today’s IT is Creating a Cyber Exposure Gap

4

“Bold, tightly integrated

digital strategies will be

the biggest differentiator

between companies that

win and companies that

don’t.”

– McKinsey & Co.

Digital Transformationis Accelerating

Every organization is transforming into an information organization

Putting pressure on every function to innovate and operate faster

5

How Are YouResponding?

What is the organization’sdigital strategy?

How is Security enabling thatstrategy?

Laptop

Server

VirtualMachine

Desktop

Enterprise IoT

Cloud

NetworkInfrastructure

Container

Mobile

ICS / SCADA

Industrial IoT

Web App

6

Creating Massive Exposure for Every Organization

7

The result is aCyber Exposure gap

Legacy Approaches Cannot Keep Pace

8

Why?

Discovering Short-Lived Assets is Hard

Traditional: Servers Modern: Containers

Request Deploy Patch Retire

Visibility

8%...companies that know the scope of shadow IT at their organizations, according to a survey by the Cloud Security Alliance

Compliance

48%...of organizations store some sensitive data, like employee records, in the cloud according to a SANS Security in the Cloud report

Consistency

31% … of respondents in the same SANS report found poor configuration practices in place due to applications being spun up quickly

9

Why?

Assessing State of Cloud Environments is Hard

10

Why?

Maintaining Application Security is Hard

Number of web applications with at least

ONE vulnerability1:

99.7%

Average number of web application vulnerabilities2:

3

Average time to fix web application vulnerabilities2:

Critical Risk: 129 days High Risk: 196 days

Sources:

1. TechRepublic, “Report: 99.7% of web apps have at least one vulnerability,” June 20, 2017

2. White Hat Security, “2017 Application Security Statistics Report,” July 2017

Who’s Affected?

11

New stakeholders and asset owners will impact an organization’s Cyber Exposure

OT / IoTOT Manager,

EngineerLine of

Business

CloudDevOps

Container

12

OT assets are becoming an

expansive attack surface

Shadow IT and cloud assets are creating a huge

blind spot

DevOps velocity requires new

security approaches

Security teams need to provide strategic insight and manage risk across the organization

13

Security Director

OT Manager, Engineer

Line of Business

DevOps

• Protect brand equity• Gain strategic decision support on risk

• Secure DevOps processes• Decrease costs to fix defects

• Increase SOC efficiency• Maintain regulatory compliance

• Reduce risk across a growing modern attack surface

Reduce the Cyber Exposure Gap

14

15

DISCOVERIdentify and map every asset across any environment. From here you can baseline the current and desired operational state.

ASSESSWith every change, automatically assess the current state against the baseline state of the environment, including misconfigurations, vulnerabilities and other key indicators of security health, such as out of date antivirus or high risk users.

ANALYZEAdd context to the asset’s exposure to prioritize remediation based on the asset’s business criticality and the severity of the vulnerability.

FIXPrioritize which exposures to fix first, if at all, and select the appropriate remediation technique, whether it’s a temporary security control or a complete fix.

The Operational Lifecycle

Discover Every Asset

desktop laptop mobile virtual public cloud web appserver

16

container

17

Active Scanning + Additional Data Sensors

Active Scanning

Agent Scanning

IntelligentConnectors

Image Registry

ContinuousMonitoring

Web Mobile

Networks

Endpoint

Cloud

Containers

Virtual

18

Assess the Current State, Including Misconfigurations

• Various sources such as CIS, DISA, USGBC, and vendor supplied best practice guides

• Examples:

• https://www.cisecurity.org/benchmark/amazon_web_services/

• https://www.cisecurity.org/benchmark/docker/

• Educate other stakeholders

• Review regularly

19

Assessment extends beyond CVEs to include application vulnerabilities

BROKEN AUTH AND SESSION MANAGEMENT

INJECTION(SQL, XXE & LDAP)

CROSS SITE SCRIPTING(XSS)

BROKEN ACCESS CONTROL

SECURITY MISCONFIGURATION

A1 A2 A3 A4 A5

XSS

INSUFFICIENT ATTACK PROTECTION

SENSITIVE DATA EXPOSURE

CROSS SITE REQUEST FORGERY

COMPONENT VULNERABILITIES

UNDERPROTECTED API

A6 A7 A8 A9 A10

CSRF API

The OWASP Top 10

Analyze to Prioritize Remediation Based on Context: Cloud Services Example

20

All cloud services are not created equal• Cloud data or sensitive data?• What data could be shared?

Visible?• What’s interacting with the cloud

service? What subnets is it connecting to?

• Configuration issues?

Prioritize What to Fix

21

Why reduce cyber exposure?

● Attack surface hardening

● Asset inventory

● Patch auditing

22

Prevent vulnerabilities by fixing vulnerabilities prior to deployment

Integrate security into the DevOps

toolchain

Identify and remediate

vulnerabilities before they are

exploitable

Ensure all assets are secure and

compliant before production

Category Description Goal Example Metric

Attack surface hardening

How exposed is my

organization?

Make attack surface as small as possible % exploitable vulnerabilities

on internet-facing systems

Asset inventory

Do I know what needs

protecting?

Effectiveness at collecting accurate

accounting of vulnerabilities – including

for systems that require credentials

% of systems discovered vs

scanned in last 30 days

Patch auditing

Are my systems up to

date?

Effectiveness of patch process for

security, feature/functionality, and

warranty needs

% of systems patched in last

30 days

23

• Modern computing today is made up of both

traditional and modern assets

• Don’t let either increase your cyber exposure

• Follow an operational security Discover – Assess –

Analyze – Fix lifecycle

24

Summary

Why Tenable

25

Technology LeadershipCreator of Nessus and relentless innovator advancing modern cybersecurity – from IT to cloud to IoT and OT

Singular Vision#1 Vulnerability Management technology in the world, pioneering Cyber Exposure to help customers measure & reduce cybersecurity risk – from operations to the CXO

Customer CommitmentComplete dedication to our customers’ success – every day, in all we do

Tenable at a Glance

26

• Founded in 2002

• Exploded with the widespread adoptionof Nessus and later, SecurityCenter

• Released Tenable.io in 2017 to introduce the first cyber exposure platform and evolve vulnerability management

• Relentless innovator:“Tenable has [massive] brand equity with Nessus, yet [is] one of the most forward-thinking companies in VM.” – Forrester, 2017

100%

Top 10 US Tech Companies

50%

Fortune 500

80%

Top 10 US Financial

Institutions

800+Employees

1.6MGlobal Users

23,000+Customers

27