Rapid7 and Thycotic Integration at Ventas
Bryan Krausen, Senior Systems Administrator, Ventas, Inc.
Nathan Wenzler, Senior Technology Evangelist, Thycotic
Secured Authenticated Scanning
Who is Ventas?
Ventas (NYSE: VTR) is a leading healthcare Real Estate Investment Trust (REIT) with a portfolio of more than 1,600 assets in the US, Canada, and the United Kingdom.
• Bryan Krausen - Sr. Systems Administrator responsible for managing and maintaining infrastructure including VMware, Storage, Servers, Security, and more.
• Ventas currently utilizes Rapid7 Nexpose for vulnerability scanning of everything from infrastructure and servers to end-user clients.
• Ventas uses Thycotic Secret Server for privileged account management and password rotation for both servers and clients.
Who is Thycotic?
3,000 customers around the world, from Fortune 5 to mid-market to small IT departments.
• 20% of Forbes 50
• 10% of Forbes Global 2000
• 4 of top 5 in Software**
Headquarters in Washington, DC. Offices in London and Sydney.
Rated top in class for customer satisfaction*.
Honoree, 2013 and 2014
Finalist, Security and Compliance
Finalist, Best Customer Service
*Forrester Research independent survey.
**Based on Forbes Global 2000 classification.
Thycotic Product slide
Vulnerability Analysis
Find weaknesses in target systems before an attacker does, and (hopefully) remediate.
Need as much visibility as possible!
Non-Authenticated Scan vs. Authenticated Scan
Unauthenticated scanning finds only basic issues:
• Operating systems and versions
• Open network ports
• Services listening on open ports
• Data leaked by services (banner grabbing, etc.)
Why Authenticated Scanning?
More detections
• Some items can’t be discovered without authenticating to the target
More accuracy
• Reduce false positives
• Obtain more detailed information about remotely-discovered vulnerabilities
Better Reporting and Analysis
• More complete patch requirements
• Increased trend analysis for overall security posture
• Complete visibility into the state of the target system
Privileged Account Management in a Nutshell
A password vault is NOT a true PAM solution
• Privileged accounts = Non-human account (Root, Local Admin, Domain Admin, etc.)
• Control, Audit and Monitor
• Rotate passwords on a regular basis – Better security
• Limit who can access the credentials, reducing exposure of these passwords
• Automate processes to reduce staff overhead
PAM Components
- Password Rotation
- Account Discovery
- Access Control to Credentials and Target
- Action Logging
- Who Accessed the Account?
- Check In/Out
- Session Recording
- Event Notifications
- Heartbeat Check of Credentials
Control / Auditing / Monitoring
Putting it into Perspective
Ventas Implementation
• Origin of Vulnerability Analysis program
• Origin of Secret Server need and implementation
• What was security program like at first before either product?
• Timeframes for implementation
• What obstacles were found?
Nexpose and Secret Server Integration
• Integration comes in the form of a Ruby gem and can be easily scheduled
• Prerequisites:
  • Credentials configured within Thycotic Secret Server with access to the Rapid7 service account
  • Credentials configured within Rapid7 Nexpose
  • Site IDs for the Nexpose sites to be managed
Nexpose and Secret Server Integration: Configuration (part 1)
• Within a Ruby environment, install the nexpose_Thycotic-0.0.4.gem obtained from Rapid7 (or Google)
• Set the required environment variables:
  • Thycotic URL – https://hostname/SecretServer/webservices/SSWebservice.asmx?wsdl
  • Rapid7 URL – bare hostname only, no https:// – must match the Nexpose console certificate
  • Thycotic Secret Server – username and password
  • Rapid7 Nexpose – username and password
Nexpose and Secret Server Integration: Configuration (part 2)
• Modify the nx_Thycotic.rb file to include the Site IDs you wish to change:
  • sites = [5,9,18,23]
• Set the environment variables
• Run the script
• Example of script to run (Windows command prompt):
REM setx writes persistent user variables; they are visible only in consoles
REM opened afterwards, so run nx_Thycotic.rb from a new console.
setx THYCOTIC_URL https://passwords.company.com/SecretServer/webservices/SSWebservice.asmx?wsdl
setx THYCOTIC_USER Thycotic_user
setx THYCOTIC_PASS P@ssw0rd1
setx NEXPOSE_URL rapid7.company.com
setx NEXPOSE_USER Rapid7_user
setx NEXPOSE_PASS P@ssw0rd1
REM In a new console (use "ruby nx_Thycotic.rb" if .rb files are not associated with Ruby):
nx_Thycotic.rb
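The slides state several constraints on these settings (the Thycotic URL must be the HTTPS SSWebservice.asmx?wsdl endpoint, the Nexpose URL must be a bare hostname with no https://, and the site list must hold Nexpose site IDs) but the script itself gives no feedback until it connects. The following pre-flight check is an added example written for this page; it is not part of the deck or of the nexpose_Thycotic gem. It assumes only the environment variable names shown on the slides and the sites array edited into nx_Thycotic.rb, and it reports every problem it finds rather than stopping at the first.

```ruby
# Added example (not from the slides or the nexpose_Thycotic gem): pre-flight
# validation of the integration settings before launching nx_Thycotic.rb.
# Variable names are the ones shown on the configuration slides; the rules
# encode the constraints the slides state.
require 'uri'

REQUIRED_VARS = %w[THYCOTIC_URL THYCOTIC_USER THYCOTIC_PASS
                   NEXPOSE_URL NEXPOSE_USER NEXPOSE_PASS].freeze

# Returns an array of human-readable problems; an empty array means the
# settings satisfy every rule. `env` may be ENV or any Hash-like object.
def validate_integration_config(env, sites)
  problems = []

  REQUIRED_VARS.each do |name|
    value = env[name]
    problems << "#{name} is not set" if value.nil? || value.strip.empty?
  end

  # Thycotic URL: the SOAP web service WSDL endpoint, served over HTTPS.
  if (url = env['THYCOTIC_URL']) && !url.strip.empty?
    begin
      uri = URI.parse(url)
      problems << 'THYCOTIC_URL must use https' unless uri.is_a?(URI::HTTPS)
      unless uri.path.to_s.end_with?('SSWebservice.asmx') && uri.query == 'wsdl'
        problems << 'THYCOTIC_URL must point at .../SSWebservice.asmx?wsdl'
      end
    rescue URI::InvalidURIError
      problems << 'THYCOTIC_URL is not a valid URL'
    end
  end

  # Nexpose URL: bare hostname only (no scheme, no path); it has to match the
  # console certificate, which a scheme or path would never do.
  if (host = env['NEXPOSE_URL']) && !host.strip.empty?
    if host =~ %r{\A[a-z]+://}i || host.include?('/')
      problems << 'NEXPOSE_URL must be a bare hostname with no https:// or path'
    elsif host !~ /\A[A-Za-z0-9.-]+\z/
      problems << 'NEXPOSE_URL contains characters not valid in a hostname'
    end
  end

  # Site IDs: the list edited into nx_Thycotic.rb must be positive integers.
  if !sites.is_a?(Array) || sites.empty?
    problems << 'sites must be a non-empty array of Nexpose site IDs'
  else
    bad = sites.reject { |s| s.is_a?(Integer) && s.positive? }
    problems << "sites contains non-integer IDs: #{bad.inspect}" unless bad.empty?
    problems << 'sites contains duplicate IDs' if sites.uniq.size != sites.size
  end

  problems
end

# Prints the findings for the real environment and returns true when clean.
def run_preflight(sites, env = ENV)
  issues = validate_integration_config(env, sites)
  if issues.empty?
    puts 'configuration is consistent with the integration prerequisites'
  else
    issues.each { |i| warn "config problem: #{i}" }
  end
  issues.empty?
end

# Constructed sample settings: GOOD_ENV mirrors the slide; BAD_ENV contains
# the two mistakes the slides warn about (https:// on NEXPOSE_URL, a Thycotic
# URL without ?wsdl) plus an empty password.
GOOD_ENV = {
  'THYCOTIC_URL'  => 'https://passwords.company.com/SecretServer/webservices/SSWebservice.asmx?wsdl',
  'THYCOTIC_USER' => 'Thycotic_user',
  'THYCOTIC_PASS' => 'P@ssw0rd1',
  'NEXPOSE_URL'   => 'rapid7.company.com',
  'NEXPOSE_USER'  => 'Rapid7_user',
  'NEXPOSE_PASS'  => 'P@ssw0rd1'
}.freeze

BAD_ENV = GOOD_ENV.merge(
  'THYCOTIC_URL' => 'https://passwords.company.com/SecretServer/webservices/SSWebservice.asmx',
  'NEXPOSE_URL'  => 'https://rapid7.company.com',
  'NEXPOSE_PASS' => ''
).freeze
```

Call `run_preflight([5, 9, 18, 23])` from the console that will launch nx_Thycotic.rb; because setx only affects consoles opened afterwards, running the check in the same console as the setx commands is the quickest way to notice that the variables are not yet visible. Note also that setx stores the values, passwords included, persistently in the user's environment, so the account that runs the integration should be a dedicated service account rather than an administrator's interactive profile.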
Vulnerability Data before Authentication
A total of 3 vulnerabilities found on a target host.
Vulnerability Data after Authentication
158 total vulnerabilities found (118 Critical) on the same target host
Comparing the Data
Non-Authenticated Scan Results           Authenticated Scan Results
• 3 total vulnerabilities found          • 158 total vulnerabilities found
• No critical vulnerabilities found      • 118 critical vulnerabilities found
• No application vulnerabilities         • Application vulnerabilities and
  detected                                 missing patches detected
Results at Ventas
• Better overall visibility across environments
• Reduced risk from exposure of privileged credentials
• Huge reduction in total vulnerabilities
• Improved security audit results
• Foiled external pen tester’s attempts to gain Domain Admin creds for the first time in 5 years
Resource Documents
• Bryan’s post for the integration how-to: http://www.itdiversified.com/configuring-integration-between-thycotic-secret-server-and-rapid7-nexpose/
• Contact Rapid7 Support for Nexpose Configuration and Integration Guide
Questions?