Reducing Cyber Exposure for the Modern Attack Surface
Gregg Earnhart, SE
Welcome
TOPICS
• Today’s IT is creating a cyber exposure gap
• Who’s affected?
• Reducing the cyber exposure gap
Today’s IT is Creating a Cyber Exposure Gap
“Bold, tightly integrated digital strategies will be the biggest differentiator between companies that win and companies that don’t.” – McKinsey & Co.
Digital Transformation is Accelerating
Every organization is transforming into an information organization
Putting pressure on every function to innovate and operate faster
How Are You Responding?
What is the organization’s digital strategy?
How is Security enabling that strategy?
Asset types on today’s attack surface: Laptop, Server, Virtual Machine, Desktop, Enterprise IoT, Cloud, Network Infrastructure, Container, Mobile, ICS / SCADA, Industrial IoT, Web App
Creating Massive Exposure for Every Organization
The result is a Cyber Exposure gap
Legacy Approaches Cannot Keep Pace
Why?
Discovering Short-Lived Assets is Hard
Asset lifecycle: Request → Deploy → Patch → Retire. Traditional: servers. Modern: containers.
Visibility: 8% of companies know the scope of shadow IT at their organization, according to a Cloud Security Alliance survey
Compliance: 48% of organizations store some sensitive data, such as employee records, in the cloud, according to the SANS Security in the Cloud report
Consistency: 31% of respondents in the same SANS report found poor configuration practices in place because applications were spun up quickly
Why?
Assessing State of Cloud Environments is Hard
Why?
Maintaining Application Security is Hard
Web applications with at least one vulnerability [1]: 99.7%
Average number of vulnerabilities per web application [2]: 3
Average time to fix web application vulnerabilities [2]: Critical risk: 129 days; High risk: 196 days
Sources:
1. TechRepublic, “Report: 99.7% of web apps have at least one vulnerability,” June 20, 2017
2. WhiteHat Security, “2017 Application Security Statistics Report,” July 2017
Who’s Affected?
New stakeholders and asset owners will impact an organization’s Cyber Exposure:
• OT / IoT: OT Manager, Engineer
• Cloud: Line of Business
• Container: DevOps
OT assets are becoming an expansive attack surface
Shadow IT and cloud assets are creating a huge blind spot
DevOps velocity requires new security approaches
Security teams need to provide strategic insight and manage risk across the organization
Stakeholders: Security Director; OT Manager, Engineer; Line of Business; DevOps
Goals:
• Protect brand equity
• Gain strategic decision support on risk
• Secure DevOps processes
• Decrease costs to fix defects
• Increase SOC efficiency
• Maintain regulatory compliance
• Reduce risk across a growing modern attack surface
Reduce the Cyber Exposure Gap
The Operational Lifecycle
DISCOVER: Identify and map every asset across any environment. From here you can baseline the current and desired operational state.
ASSESS: With every change, automatically assess the current state against the baseline state of the environment, including misconfigurations, vulnerabilities and other key indicators of security health, such as out-of-date antivirus or high-risk users.
ANALYZE: Add context to the asset’s exposure to prioritize remediation based on the asset’s business criticality and the severity of the vulnerability.
FIX: Prioritize which exposures to fix first, if at all, and select the appropriate remediation technique, whether it’s a temporary security control or a complete fix.
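The Assess, Analyze and Fix steps of the lifecycle, worked through in code. This is an added illustration and not Tenable code: the three assets, the baseline, the observed state, the vulnerability findings and the weighting scheme (criticality multiplies severity, internet exposure adds 1.5x, a known exploit adds 2x) are all constructed assumptions chosen to show how asset context, not CVSS alone, changes the ranking and the remediation choice.

```python
"""Assess, Analyze and Fix steps of the Discover-Assess-Analyze-Fix lifecycle.

Added illustration, not Tenable code: all assets, baselines, observed state,
findings and weights below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    kind: str               # laptop, server, container, web app, ...
    criticality: int        # 1 (low) .. 5 (crown jewel), set by the business owner
    internet_facing: bool


@dataclass
class Finding:
    asset: str
    title: str
    severity: float         # CVSS base score (0..10), or an assumed score for misconfigurations
    exploit_available: bool
    kind: str = "vuln"      # "vuln" or "misconfig"
    compensating_control: Optional[str] = None   # temporary control usable while a full fix is pending


# DISCOVER output (constructed): inventory with business context attached.
ASSETS = {
    "pay-api-01": Asset("pay-api-01", "server", 5, True),
    "dev-laptop-07": Asset("dev-laptop-07", "laptop", 2, False),
    "build-container": Asset("build-container", "container", 3, False),
}

# Desired state per asset kind. Keys ending in "_max" are numeric ceilings;
# every other key must match exactly. Drift severities are assumed values.
BASELINE = {
    "server": {"antivirus_age_days_max": 7, "ssh_permit_root_login": "no"},
    "laptop": {"antivirus_age_days_max": 7, "disk_encrypted": True},
    "container": {"run_as_root": False},
}
DRIFT_SEVERITY = {"antivirus_age_days_max": 4.0, "ssh_permit_root_login": 7.0,
                  "disk_encrypted": 6.0, "run_as_root": 5.0}

# Observed state (constructed) and vulnerability findings (constructed, no real CVE IDs).
OBSERVED = {
    "pay-api-01": {"antivirus_age_days": 2, "ssh_permit_root_login": "yes"},
    "dev-laptop-07": {"antivirus_age_days": 30, "disk_encrypted": True},
    "build-container": {"run_as_root": True},
}
VULN_FINDINGS = [
    Finding("pay-api-01", "remote code execution in web framework", 9.8, True,
            compensating_control="WAF virtual patch"),
    Finding("dev-laptop-07", "local privilege escalation in kernel", 7.8, True),
    Finding("build-container", "denial of service in base image library", 5.3, False),
]


def assess_against_baseline(asset: Asset, observed: dict) -> list:
    """ASSESS: compare observed state with the baseline for this asset kind and
    emit one misconfiguration finding per deviation."""
    findings = []
    for key, expected in BASELINE[asset.kind].items():
        if key.endswith("_max"):
            value = observed.get(key[:-len("_max")])
            ok = value is not None and value <= expected
        else:
            value = observed.get(key)
            ok = value == expected
        if not ok:
            findings.append(Finding(asset.name, f"{key}: expected {expected}, observed {value}",
                                    DRIFT_SEVERITY[key], False, kind="misconfig"))
    return findings


def exposure_score(f: Finding, a: Asset) -> float:
    """ANALYZE: severity weighted by business criticality, internet exposure and
    exploit availability (assumed weights; real products use their own models)."""
    score = f.severity * a.criticality
    if a.internet_facing:
        score *= 1.5
    if f.exploit_available:
        score *= 2.0
    return round(score, 1)


def remediation_action(f: Finding, a: Asset) -> str:
    """FIX: full fix now, fix in the normal cycle, or accept/defer (assumed thresholds).
    A compensating control is named as an interim measure where one exists."""
    score = exposure_score(f, a)
    if score >= 50:
        return "fix-now" + (f" (interim: {f.compensating_control})" if f.compensating_control else "")
    if score >= 12:
        return "fix-this-cycle"
    return "accept-or-defer"


def remediation_plan():
    """Run assess + analyze + fix over the constructed data; highest exposure first."""
    findings = list(VULN_FINDINGS)
    for name, asset in ASSETS.items():
        findings += assess_against_baseline(asset, OBSERVED[name])
    rows = [(exposure_score(f, ASSETS[f.asset]), f.asset, f.kind, f.title,
             remediation_action(f, ASSETS[f.asset])) for f in findings]
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for score, asset, kind, title, action in remediation_plan():
        print(f"{score:6.1f}  {asset:16} {kind:9} {action:36} {title}")
```

The point the ranking makes: the root-login misconfiguration on the internet-facing payment server (52.5) outranks the exploitable kernel bug on a developer laptop (31.2) even though the laptop finding has the higher CVSS score, and the out-of-date antivirus on that laptop falls to the bottom.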
Discover Every Asset: desktop, laptop, mobile, virtual, public cloud, web app, server, container
Active Scanning + Additional Data Sensors
Sensors: Active Scanning, Agent Scanning, Intelligent Connectors, Image Registry, Continuous Monitoring
Coverage: Web, Mobile, Networks, Endpoint, Cloud, Containers, Virtual
Assess the Current State, Including Misconfigurations
• Baselines come from sources such as CIS, DISA, USGCB and vendor-supplied best practice guides
• Examples:
  • https://www.cisecurity.org/benchmark/amazon_web_services/
  • https://www.cisecurity.org/benchmark/docker/
• Educate other stakeholders
• Review regularly
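What a benchmark-driven misconfiguration assessment looks like in practice, using the Docker benchmark linked above as the baseline. This is an added illustration, not Tenable code and not the CIS benchmark's own tooling: the two container records are a constructed sample of `docker inspect` output trimmed to HostConfig, and the control descriptions paraphrase runtime-hardening controls from the CIS Docker Benchmark (section numbers differ between benchmark versions, so they are omitted). The `gate` function returns a pass/fail suitable as a pre-deployment check.

```python
"""CIS Docker Benchmark style checks run over `docker inspect` output.

Added illustration, not Tenable code and not CIS tooling. The sample records
are constructed; control wording paraphrases the CIS Docker Benchmark.
"""
import json
import sys

# Constructed sample of `docker inspect <id> <id>` output, trimmed to HostConfig.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "PidMode": "",
                    "Memory": 536870912, "ReadonlyRootfs": True,
                    "SecurityOpt": ["no-new-privileges"], "CapAdd": None}},
    {"Name": "/builder",
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "PidMode": "host",
                    "Memory": 0, "ReadonlyRootfs": False,
                    "SecurityOpt": None, "CapAdd": ["SYS_ADMIN"]}},
])


def check_container(container: dict) -> list:
    """Return the list of failed controls for one container record."""
    hc = container.get("HostConfig", {})
    failures = []
    if hc.get("Privileged"):
        failures.append("privileged container (full host device and capability access)")
    if hc.get("NetworkMode") == "host":
        failures.append("shares the host network namespace")
    if hc.get("PidMode") == "host":
        failures.append("shares the host PID namespace")
    if not hc.get("Memory"):   # 0 or missing means unlimited
        failures.append("no memory limit set")
    if not hc.get("ReadonlyRootfs"):
        failures.append("root filesystem is writable")
    # Docker records the option as "no-new-privileges" or "no-new-privileges:true".
    opts = hc.get("SecurityOpt") or []
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        failures.append("no-new-privileges not set (setuid binaries can raise privileges)")
    if hc.get("CapAdd"):
        failures.append("capabilities added beyond the default set: " + ", ".join(hc["CapAdd"]))
    return failures


def assess(inspect_json: str) -> dict:
    """Map container name -> list of failed controls."""
    return {c["Name"].lstrip("/"): check_container(c) for c in json.loads(inspect_json)}


def gate(inspect_json: str) -> bool:
    """Pre-deployment gate: True only when every container passes every control."""
    return all(not failed for failed in assess(inspect_json).values())


if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    print(json.dumps(assess(data), indent=2))
    sys.exit(0 if gate(data) else 1)
```

Run without input it assesses the constructed sample and exits non-zero because the `builder` container fails every control; piped the output of `docker inspect` it assesses real containers the same way. Checks of this kind are also what an image-registry or pipeline integration runs before a container reaches production.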
Assessment extends beyond CVEs to include application vulnerabilities: the OWASP Top 10 (2017 release candidate)
A1 Injection (SQL, XXE and LDAP)
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Broken Access Control
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Insufficient Attack Protection
A8 Cross-Site Request Forgery (CSRF)
A9 Component Vulnerabilities
A10 Underprotected APIs
Analyze to Prioritize Remediation Based on Context: Cloud Services Example
Not all cloud services are created equal:
• Cloud data or sensitive data? What data could be shared?
• Visible? What is interacting with the cloud service? What subnets is it connecting to?
• Configuration issues?
Prioritize What to Fix
Why reduce cyber exposure?
● Attack surface hardening
● Asset inventory
● Patch auditing
Prevent vulnerabilities by fixing them prior to deployment:
• Integrate security into the DevOps toolchain
• Identify and remediate vulnerabilities before they are exploitable
• Ensure all assets are secure and compliant before production
Category: Attack surface hardening
  Description: How exposed is my organization?
  Goal: Make the attack surface as small as possible
  Example metric: % of exploitable vulnerabilities on internet-facing systems
Category: Asset inventory
  Description: Do I know what needs protecting?
  Goal: Effectiveness at collecting an accurate accounting of vulnerabilities, including for systems that require credentials
  Example metric: % of systems discovered vs. scanned in the last 30 days
Category: Patch auditing
  Description: Are my systems up to date?
  Goal: Effectiveness of the patch process for security, feature/functionality and warranty needs
  Example metric: % of systems patched in the last 30 days
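The three example metrics above, computed over a constructed inventory. This is an added illustration rather than Tenable code: the asset records, the fixed "today" date and the 30-day window are assumptions, and a fourth number (the share of recent scans that were credentialed) is added to make the credentials caveat in the asset-inventory row measurable.

```python
"""Example metrics for attack surface hardening, asset inventory and patch auditing.

Added illustration, not Tenable code: the inventory, the fixed date and the
window are constructed assumptions.
"""
from datetime import date, timedelta

TODAY = date(2018, 3, 1)     # fixed so the example is deterministic
WINDOW = timedelta(days=30)

# Constructed inventory. "shadow-box" was found by a passive sensor and never
# scanned, so it has no findings: an empty vulnerability list is not a clean bill.
INVENTORY = [
    {"name": "pay-api-01", "internet_facing": True, "last_scanned": date(2018, 2, 25),
     "credentialed": True, "last_patched": date(2018, 2, 20),
     "vulns": [{"severity": 9.8, "exploitable": True}, {"severity": 5.3, "exploitable": False}]},
    {"name": "intranet-wiki", "internet_facing": False, "last_scanned": date(2018, 2, 5),
     "credentialed": False, "last_patched": date(2017, 12, 1),
     "vulns": [{"severity": 7.5, "exploitable": True}]},
    {"name": "vpn-gw", "internet_facing": True, "last_scanned": date(2018, 2, 28),
     "credentialed": True, "last_patched": date(2018, 2, 28), "vulns": []},
    {"name": "shadow-box", "internet_facing": True, "last_scanned": None,
     "credentialed": False, "last_patched": None, "vulns": []},
]


def pct(numerator: int, denominator: int) -> float:
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def within_window(day) -> bool:
    return day is not None and TODAY - day <= WINDOW


def attack_surface_hardening(inventory) -> float:
    """% of vulnerabilities on internet-facing systems that are exploitable."""
    external = [v for a in inventory if a["internet_facing"] for v in a["vulns"]]
    return pct(sum(1 for v in external if v["exploitable"]), len(external))


def asset_inventory_coverage(inventory) -> float:
    """% of discovered systems scanned in the last 30 days. Every discovered
    asset is in the denominator, so never-scanned assets drag the number down."""
    return pct(sum(1 for a in inventory if within_window(a["last_scanned"])), len(inventory))


def credentialed_scan_ratio(inventory) -> float:
    """% of recent scans that were credentialed (uncredentialed scans cannot see
    local patch state, so this qualifies the coverage number)."""
    recent = [a for a in inventory if within_window(a["last_scanned"])]
    return pct(sum(1 for a in recent if a["credentialed"]), len(recent))


def patch_auditing(inventory) -> float:
    """% of systems patched in the last 30 days."""
    return pct(sum(1 for a in inventory if within_window(a["last_patched"])), len(inventory))


def metrics(inventory=INVENTORY) -> dict:
    return {
        "exploitable_pct_on_internet_facing": attack_surface_hardening(inventory),
        "scanned_last_30d_pct": asset_inventory_coverage(inventory),
        "credentialed_scan_pct": credentialed_scan_ratio(inventory),
        "patched_last_30d_pct": patch_auditing(inventory),
    }


if __name__ == "__main__":
    for name, value in metrics().items():
        print(f"{name:36} {value:5.1f}%")
```

On this inventory the coverage metric is 75% rather than 100% only because the never-scanned "shadow-box" is counted in the denominator; computing it from scanner output alone, which never sees that host, would hide the gap the metric exists to expose.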
Summary
• Modern computing today is made up of both traditional and modern assets
• Don’t let either increase your cyber exposure
• Follow an operational security Discover – Assess – Analyze – Fix lifecycle
Why Tenable
Technology Leadership: Creator of Nessus and relentless innovator advancing modern cybersecurity – from IT to cloud to IoT and OT
Singular Vision: #1 Vulnerability Management technology in the world, pioneering Cyber Exposure to help customers measure and reduce cybersecurity risk – from operations to the CXO
Customer Commitment: Complete dedication to our customers’ success – every day, in all we do
Tenable at a Glance
• Founded in 2002
• Exploded with the widespread adoption of Nessus and later, SecurityCenter
• Released Tenable.io in 2017 to introduce the first cyber exposure platform and evolve vulnerability management
• Relentless innovator: “Tenable has [massive] brand equity with Nessus, yet [is] one of the most forward-thinking companies in VM.” – Forrester, 2017
• 100% of the top 10 US tech companies
• 50% of the Fortune 500
• 80% of the top 10 US financial institutions
• 800+ employees
• 1.6M global users
• 23,000+ customers