1/3/13  

QualysGuard Vulnerability Management

Copyright 2012 by Qualys, Inc. All Rights Reserved.

QualysGuard Vulnerability Management Housekeeping

− Please turn your phones to vibrate
− Breaks are generally every hour
− Free Lunch around 11:30am
− Introductions

QualysGuard Vulnerability Management Topics Covered

•  Getting Started With QualysGuard
   −  Introduction to QualysGuard SaaS Architecture
   −  The QualysGuard Vulnerability Management Engine
   −  The QualysGuard KnowledgeBase

•  Configuring a QualysGuard Solution
   −  Mapping
   −  Asset Management
   −  Scanning
   −  Reporting
   −  User Management
   −  Understanding Saved Searches
   −  Search Lists and Customizing Option Profiles
   −  Remediating
   −  EXAM

QualysGuard Software-as-a-Service

Bringing Security and Compliance together

No Software to Deploy or Maintain!

Satisfying the needs of all constituents with a single solution

QualysGuard Cloud Security Platform

QualysGuard Lifecycle
1.  Discover
2.  Prioritize Assets
3.  Assessment
4.  Reporting
5.  Remediation
6.  Verification

QualysGuard Vulnerability Management (VM) Engine

QualysGuard VM Engine Key Concepts

•  At the end of this section, you should be able to understand:
   •  The QualysGuard Vulnerability Management Engine
   •  Workflow of the Mapping and Scanning Functions

QualysGuard VM Engine

•  Core Engine
   §  Manages the operation

•  Modules
   §  Specific tests based on Information gathered
   §  Responsible for collecting data from the hosts

•  Information
   §  Data collected by modules
   §  Used to determine necessary modules

QualysGuard VM Engine

•  Host Discovery Module
   − Requires : {IP ADDRESS}
   − Task : Checks if remote host is alive
   − Produces : {HOST STATUS:HOST DEAD?}

•  TCP Port Scanner Module
   − Requires : {HOST STATUS:ALIVE} (host can be reached from Internet)
   − Task : Finds all open TCP ports
   − Produces : {TCP Open Ports}

•  TCP Service Detection Module
   − Requires : {TCP Open Ports} (at least one open TCP port)
   − Task : Detects which service is running on an open TCP port
   − Produces : {Services, OS}
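
Added example (not Qualys code and not from the original slides): a minimal Python model of the Requires / Task / Produces chain above, in which a core engine launches a module only once the information it requires exists. The module functions, the SIMULATED_HOSTS table and its 192.0.2.x addresses are constructed for illustration; nothing is sent on the network.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the network: what each probe would observe.
# No packets are sent; addresses and services are sample values.
SIMULATED_HOSTS = {
    "192.0.2.10": {"alive": True, "tcp": {22: "SSH", 8080: "HTTP"}},
    "192.0.2.11": {"alive": False, "tcp": {}},
}

@dataclass
class Module:
    name: str
    requires: Callable[[dict], bool]  # is the needed information present?
    task: Callable[[dict], dict]      # collects data, returns new information

def host_discovery(info):
    alive = SIMULATED_HOSTS[info["IP ADDRESS"]]["alive"]
    return {"HOST STATUS": "ALIVE" if alive else "DEAD"}

def tcp_port_scanner(info):
    ports = SIMULATED_HOSTS[info["IP ADDRESS"]]["tcp"]
    return {"TCP Open Ports": sorted(ports)}

def tcp_service_detection(info):
    # The service is whatever answered on the port, not what the port number suggests.
    table = SIMULATED_HOSTS[info["IP ADDRESS"]]["tcp"]
    return {"Services": {p: table[p] for p in info["TCP Open Ports"]}}

# Deliberately listed out of order: the engine, not the list, decides what runs when.
MODULES = [
    Module("TCP Service Detection",
           lambda i: bool(i.get("TCP Open Ports")), tcp_service_detection),
    Module("TCP Port Scanner",
           lambda i: i.get("HOST STATUS") == "ALIVE", tcp_port_scanner),
    Module("Host Discovery",
           lambda i: "IP ADDRESS" in i, host_discovery),
]

def run_engine(ip, modules=MODULES):
    """Core engine: launch each module once, as soon as its requirement is met."""
    info, launched, pending = {"IP ADDRESS": ip}, [], list(modules)
    progressed = True
    while pending and progressed:
        progressed = False
        for module in list(pending):
            if module.requires(info):
                info.update(module.task(info))
                launched.append(module.name)
                pending.remove(module)
                progressed = True
    return launched, info

if __name__ == "__main__":
    for ip in SIMULATED_HOSTS:
        launched, info = run_engine(ip)
        print(ip, launched, info.get("Services"))
```

For the dead host only Host Discovery runs, because nothing ever produces the information the later modules require.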

Host Discovery Module

Discovery Process
•  13 TCP ports (configurable to 20)
   •  21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445
   •  Half-open/SYN scanning
   •  MSS set to avoid some filtering issues

•  6 UDP ports

•  ICMP

Port Scanning Module

Scan Process – Port Scan
•  1900 TCP ports
   •  Configurable to 65535
•  180 UDP ports
   •  Configurable, but will fall back with slow-responding stacks

Service Detection Module

Service Discovery
•  Detection by valid protocol negotiation
•  Non-destructive tests

Exceptions
•  Services running on non-standard ports
•  Services using non-standard (unpredictable) banners

[Diagram: Service Discovery Engine identifying 23/tcp as TELNET, 80/tcp as HTTP and 162/udp as SNMP]

Note: QualysGuard VM can detect more than 600 different services on TCP and UDP ports. To review these services go to the Help > About Section.

Service Detection Module

•  Uses IANA as a guideline, but not dependent upon it.

•  Port 80 is open:
   •  “Do you speak HTTP?”

•  Port 22 is open:
   •  “Do you speak SSH?”

•  If you're going to see a service impact, it will happen here.

Service Detection Module What OS are you?

1 0.000000 qualys -> target TCP 3344 > ssh [SYN] Seq=0 Len=0
2 0.000052 qualys -> target TCP 3345 > ssh [SYN] Seq=0 Len=0 MSS=237
3 0.000095 qualys -> target TCP 3346 > ssh [SYN] Seq=0 Len=0 MSS=1011
4 0.000132 qualys -> target TCP 3347 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=3
5 0.000171 qualys -> target TCP 3348 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841121084 TSER=0
6 0.000505 target -> qualys TCP ssh > 3344 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
7 0.000537 qualys -> target TCP 3344 > ssh [RST] Seq=1 Len=0
8 0.000587 target -> qualys TCP ssh > 3345 [SYN, ACK] Seq=0 Ack=1 Win=16590 Len=0 MSS=1460
9 0.000601 qualys -> target TCP 3345 > ssh [RST] Seq=1 Len=0
10 0.000689 target -> qualys TCP ssh > 3346 [SYN, ACK] Seq=0 Ack=1 Win=17187 Len=0 MSS=1460
11 0.000708 qualys -> target TCP 3346 > ssh [RST] Seq=1 Len=0
12 0.000742 target -> qualys TCP ssh > 3347 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
13 0.000751 qualys -> target TCP 3347 > ssh [RST] Seq=1 Len=0
14 0.000845 target -> qualys TCP ssh > 3348 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
15 0.000864 qualys -> target TCP 3348 > ssh [RST] Seq=1 Len=0
16 3.000233 qualys -> target TCP 3349 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841124084 TSER=0
17 3.000682 target -> qualys TCP ssh > 3349 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
18 3.000705 qualys -> target TCP 3349 > ssh [RST] Seq=1 Len=0

Service Detection Module Scan Process
•  5 packets (excluding RSTs and responses)
•  Analyzing packet characteristics (similar to other tools).
   •  TTL
   •  MSS
   •  Window Size
   •  TCP Options
   •  Etc…
•  Authenticated scanning is obviously more accurate, as the host simply tells us what it is (uname -a, Windows registry, cat /etc/redhat-release, etc).
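
Added example (not part of the original slides, not Qualys code): seen from the target's side, the probe in the capture above is a run of SYNs to one port, each answered with SYN/ACK and then reset by the client. This Python detector finds that pattern in capture text of the format shown, using the slide's 18 packets plus three constructed packets from a hypothetical host named admin; the min_probes threshold is an assumption.

```python
import re
from collections import defaultdict

# Packets 1-18 are the capture shown on the slide; 19-21 are a constructed
# full handshake from a hypothetical "admin" host, added for contrast.
CAPTURE = """\
1 0.000000 qualys -> target TCP 3344 > ssh [SYN] Seq=0 Len=0
2 0.000052 qualys -> target TCP 3345 > ssh [SYN] Seq=0 Len=0 MSS=237
3 0.000095 qualys -> target TCP 3346 > ssh [SYN] Seq=0 Len=0 MSS=1011
4 0.000132 qualys -> target TCP 3347 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=3
5 0.000171 qualys -> target TCP 3348 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841121084 TSER=0
6 0.000505 target -> qualys TCP ssh > 3344 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
7 0.000537 qualys -> target TCP 3344 > ssh [RST] Seq=1 Len=0
8 0.000587 target -> qualys TCP ssh > 3345 [SYN, ACK] Seq=0 Ack=1 Win=16590 Len=0 MSS=1460
9 0.000601 qualys -> target TCP 3345 > ssh [RST] Seq=1 Len=0
10 0.000689 target -> qualys TCP ssh > 3346 [SYN, ACK] Seq=0 Ack=1 Win=17187 Len=0 MSS=1460
11 0.000708 qualys -> target TCP 3346 > ssh [RST] Seq=1 Len=0
12 0.000742 target -> qualys TCP ssh > 3347 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
13 0.000751 qualys -> target TCP 3347 > ssh [RST] Seq=1 Len=0
14 0.000845 target -> qualys TCP ssh > 3348 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
15 0.000864 qualys -> target TCP 3348 > ssh [RST] Seq=1 Len=0
16 3.000233 qualys -> target TCP 3349 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841124084 TSER=0
17 3.000682 target -> qualys TCP ssh > 3349 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
18 3.000705 qualys -> target TCP 3349 > ssh [RST] Seq=1 Len=0
19 4.000000 admin -> target TCP 50000 > ssh [SYN] Seq=0 Len=0 MSS=1460
20 4.000400 target -> admin TCP ssh > 50000 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
21 4.000450 admin -> target TCP 50000 > ssh [ACK] Seq=1 Ack=1 Win=65535 Len=0
""".splitlines()

PACKET = re.compile(
    r"^\d+ [\d.]+ (?P<src>\S+) -> (?P<dst>\S+) TCP (?P<sport>\S+) > (?P<dport>\S+) "
    r"\[(?P<flags>[^\]]+)\](?P<rest>.*)$")

def parse(line):
    m = PACKET.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["flags"] = frozenset(f.strip() for f in pkt["flags"].split(","))
    # Option shape of the packet; timestamp values change per packet, so keep only "TS".
    opts = re.findall(r"\b(?:MSS|WS)=\d+", pkt["rest"])
    pkt["opts"] = tuple(opts + (["TS"] if "TSV=" in pkt["rest"] else []))
    win = re.search(r"\bWin=(\d+)", pkt["rest"])
    pkt["win"] = int(win.group(1)) if win else None
    return pkt

def find_half_open_probes(lines, min_probes=3):
    """Report clients that answer SYN/ACK with RST instead of completing the handshake."""
    open_syns = {}               # (client, server, client port, service) -> state
    probes = defaultdict(list)   # (client, server, service) -> finished probes
    for pkt in filter(None, map(parse, lines)):
        fwd = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        rev = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
        if pkt["flags"] == {"SYN"}:
            open_syns[fwd] = {"opts": pkt["opts"], "win": None}
        elif pkt["flags"] == {"SYN", "ACK"} and rev in open_syns:
            open_syns[rev]["win"] = pkt["win"]
        elif "RST" in pkt["flags"] and fwd in open_syns:
            state = open_syns.pop(fwd)
            if state["win"] is not None:      # RST came after the server's SYN/ACK
                probes[(fwd[0], fwd[1], fwd[3])].append(state)
        elif pkt["flags"] == {"ACK"}:
            open_syns.pop(fwd, None)          # handshake completed normally
    return [
        {"client": c, "server": s, "service": svc, "half_open": len(done),
         "distinct_syn_options": len({p["opts"] for p in done}),
         "synack_windows": [p["win"] for p in done]}
        for (c, s, svc), done in probes.items() if len(done) >= min_probes
    ]

if __name__ == "__main__":
    for finding in find_half_open_probes(CAPTURE):
        print(finding)
```

The five distinct SYN option sets it counts are the "5 packets" the slide refers to; packet 16 repeats the option set of packet 5, and the completed admin handshake is not reported.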

QualysGuard VM Main Goals

•  Asset Discovery Map (Domains and/or Netblocks)
   •  Provides full information on your domains (DNS records, topology)
   •  Identifies all active hosts located in your Internet/Intranet perimeter

•  Vulnerability Scan (IP Addresses)
   •  Reports Confirmed and Potential Vulnerabilities on your hosts
   •  Provides complete information related to your hosts

QualysGuard VM Asset Discovery Map

3 Step Process
•  Network Discovery
   •  Domain or Netblock
•  Host Discovery
   •  Detects all active hosts
•  Device Identification
   •  Basic information gathering on active host

QualysGuard VM Asset Discovery Map

•  Network Discovery Methodology
   −  Domain Lookup <whois>
   −  DNS Zone Transfer
   −  DNS Brute Force (www.qualys.com, ftp.qualys.com, mail.qualys.com)
   −  Reverse DNS Lookups in class C range
   −  Router and Firewall detection

•  Option Profile Settings
   −  “Perform live host sweep” (enabled by default)
   −  “Ignore firewall generated RST and SYN-ACK packets”

QualysGuard VM Vulnerability Scan

First Steps – Similar to Mapping

Host Discovery
•  Checks for availability of target hosts. One response from the host indicates the host is "alive"

Port Scanning
•  Finds all open TCP and UDP ports on target hosts
•  Based on Scan settings

Device Identification
•  Attempts to identify the operating system on the first open port

QualysGuard VM Vulnerability Scan

•  Vulnerability Detection

•  Module launching
   •  Specific vulnerability modules loaded based on information gathered in previous phases

•  Signatures
   •  Template-based vulnerability signatures
   •  Active (but non-intrusive) tests for almost all detections
   •  Specially crafted request to distinguish between patched and un-patched versions
   •  Multiple tests validate each other’s results to “confirm” the vulnerability

The KnowledgeBase

KnowledgeBase Key Concepts

•  At the end of this section, you should be able to understand:
   •  Confirmed vs. Potential Vulnerabilities
   •  QualysGuard Severity Levels
   •  Anatomy of a QID

KnowledgeBase The Central Repository

− All QIDs are stored here

KnowledgeBase Severity

KnowledgeBase Severity Levels

•  Severity 5 – Most Urgent
•  Severity 1 – Least Urgent

KnowledgeBase CVSS

•  Remotely exploitable vulnerabilities get priority using CVSS http://www.first.org/cvss/

•  Common Vulnerability Scoring System allows the vulnerability to include additional metrics to determine if there is a greater potential for risk

•  De facto rating system for PCI

KnowledgeBase Mitre

•  The KnowledgeBase correlates Vulnerabilities and CVE
   •  http://cve.mitre.org/

•  OVAL (Write your own Vulnerabilities and import them) is available at http://oval.mitre.org

KnowledgeBase Anatomy of a QID

• What is a QID?
   − A numeric identifier given to vulnerabilities, potential vulnerabilities or information gathering items.
   − Used by other QualysGuard components:
      •  Option profiles
      •  Report Templates
      •  Remediation Rules
      •  Asset Search
      •  Risk Analysis

KnowledgeBase Anatomy of a QID

• Threat – defines the inherent threat within the vulnerability
• Impact – defines what could happen should the vulnerability be exploited
• Solution – how to fix the issue
• Compliance – if there are compliance concerns
• Results – what was returned when we probed for information

Disabled Vulnerabilities are still scanned but they are not reported or ticketed

KnowledgeBase Editing Vulnerabilities

•  Change Severity Levels
•  Threat – Impact – Solution have user comments field
•  Updates from the service not overridden
•  Edited Vulnerabilities are noted in Scan results

KnowledgeBase Search

Use the search functionality to find vulnerabilities by QID, title, user configurations and other criteria

KnowledgeBase Demo

Mapping and Scanning

QualysGuard Key Concepts

•  At the end of this section, you should be able to complete the main functionality of QualysGuard:
   •  Mapping
   •  Asset Management
   •  Scanning

Asset Mapping

Mapping Configuration

[Diagram: Map (On-Demand or Scheduled); Option Profile (the how): Map Preferences; Assets (the what): Domains/Netblocks, Asset Groups]

QualysGuard Basics Why Map the Network?

Mapping is the foundation for proper asset management

Shows an overall view of your corporate assets

Asset Discovery Map

Asset Management Asset Groups

− Logical or physical divisions of the enterprise architecture
− Asset groups can be based on:
   •  Device type
   •  Priority or criticality
   •  Geographic location
   •  Ownership (department)

Conventional Asset Management Scanning vs Reporting Asset Groups

•  For scanning, work with Asset Groups based on location
•  Asset Groups:
   −  Scan_Chicago
   −  Scan_London
   −  Scan_Tokyo

[Diagram: CHICAGO, LONDON and TOKYO sites, each labelled (Workstations / Desktops)]

Conventional Asset Management Scanning vs Reporting Asset Groups

•  Asset Groups for Reports have different requirements. Each department needs information about their responsibilities (Server Admin vs. Desktop Admin)

•  Asset Groups:
   −  Servers
   −  Desktops

[Diagram: CHICAGO, LONDON and TOKYO sites, each labelled (Desktops) and (Servers)]

Asset Management Asset Groups – Extending their use

• Business Info allows your enterprise to expand the use of the Asset Groups.

•  Set the Business Impact for the Risk Analysis

•  Set the Asset Tags for further categorization

•  Allows for more granular Scorecard Reports

Asset Management Risk Management

Security Risk is a technical security score, calculated using
•  Vulnerability Severity Levels
•  Number of Confirmed/Potential Vulnerabilities
•  Average or Highest Severity

Business Risk is displayed in status (auto) reports for each asset group (typically requires sorting by asset group)
•  Combines Security Risk and Business Impact.
•  Helps prioritize vulnerabilities among your hosts.

Asset Management Risk Management

Two factors
•  Security Risk
•  Business Impact

Business Impact is a configurable attribute of an Asset Group

Five levels
•  Titles are freely configurable

For each Business Impact level, a weight is assigned for each Security Risk

Asset Management and Tagging

Asset Tagging provides the following capabilities*:
•  Support for multiple hierarchies (OS, region, line of business, etc.)
•  Custom attributes such as location, business function, and owner
•  Dynamic tags automatically assigned based on any detectable attribute
•  Available for Scanning, Reporting, Asset Searches, and more…

* Asset Tagging feature must be added to your subscription

Automated discovery and tagging

[Diagram: a scanner on network 10.0.30.16/28 discovers hosts 10.0.30.17, 10.0.30.18, 10.0.30.19 and 10.0.30.20 and tags them (Workstation, Server, 10.0.30.16/28, TELNET ON). Host Info example: IP Address: 10.0.30.18, OS: Windows 2008, Tags: Server, 10.0.30.16/28, TELNET ON]

Initial Asset Tags

The service creates some initial asset tags based on existing objects in your account:
•  Asset Groups
•  Business Units
•  Malware Domain Assets
•  Web Application Assets

Creating and Assigning Tags

• Edit and create new tags using the Asset Search Portal and the Asset Management application.

Asset Tag Rule Engine

Although tags can be created statically (No Dynamic Rule), Dynamic Asset Tags provide the most flexible and scalable way to automatically discover, organize and manage your assets.

Asset Search Portal
•  Utilizes the results of your Vulnerability Scans to locate or identify specific assets within your organization
   •  Find all hosts of a specific operating system
   •  Finds hosts affected by a specific vulnerability
   •  Find hosts with an open TCP or UDP port
   •  Find hosts running a specific service

•  Centralized location for asset management
   •  Perform bulk actions on selected results
   •  Create new asset groups
   •  Create new asset tags

Asset Search Portal
• Choose the Search Criteria

Asset Search Portal

• Choose multiple Assets and select any action from the Actions drop-down menu.

Applications, Ports and Services Inventory

Vulnerability Scanning

Scan Configuration

[Diagram: Scan (On-Demand or Scheduled); Option Profile (the how): Scan Preferences, Authentication (optional) with Auth Record; Assets (the what): IP addresses, Asset Groups, Asset Tag; Scanner appliance?]

Launch Vulnerability Scan Scan Settings

Vulnerability Scan “On Demand”

Vulnerability Scan Scheduled

•  Allows the automation of the scanning process

•  Schedules can be paused to comply with maintenance windows

The data from a scheduled scan is not available within the subscription (scan reports and tickets) until a user logs in.

QualysGuard Scan Calendar

Vulnerability Scan Results

Unfiltered, raw data of your scan targets

QualysGuard VM How often to Map? How often to Scan?

“How Often Should I Scan?” Qualys updates its vulnerability database as vulnerabilities emerge.

“How Often Should I Map?” Discovery is not a one time process. A Discovery strategy assists in overall asset management.

How often to either map or scan your environment should be determined by your security team and added to your corporate Security Policy

Demonstration and Labs

QualysGuard Reporting

QualysGuard Key Concepts

•  At the end of this section, you should be able to:
   •  Understand Reporting Basics
   •  Create Report templates for your audience
   •  Sort data in the most efficient manner for your audience

Reporting Configuration

[Diagram: Report (On-Demand or Scheduled); Report Template: Run Time vs. Auto (Scan Templates), Search Lists, Assets, Graphics and Filtering; Assets: IP addresses, Asset Groups, Asset Tags]

QualysGuard Reporting
− Makes Map and Scan data readable
   •  Create a report of pertinent data
   •  Raw data is cumbersome

− Many Report Types:
   •  Scan Reports
   •  Remediation Reports
   •  Patch Reports
   •  Map Reports
   •  Scorecards

− Uses a central repository for users to store reports for multiple viewers

QualysGuard Reporting Report Templates

− QualysGuard has a set of standard templates that assist in reporting on scans, maps, and remediation

Customized Reporting Data Types

•  Status vs. Run Time Data
•  Status reports (Auto) utilize all cumulative (normalized) scan data for the reports - Vulnerability Management

•  Run Time (Manual) allows user to choose specific scan data. Suggested for PCI reports

Customized Reporting Display Options

[Screenshots: a display option setting ("This:") and the report output it produces ("Produces:")]

Customized Reporting Display Options

• What do you want to see in the detailed results?
•  Do you need to have the Threat defined and the results of the test, or do you need to know how to solve it?
•  The information will be pulled from the QID.

QualysGuard Patch Report

Actionable and prioritized list of patches to apply
•  KB supersede information included, so only the most relevant patches displayed

New “Online” Format
•  Uses “New Platform” UI components for more interactivity (sorting, filtering)

Automation-friendly output for future integration with patch management systems

QualysGuard Scorecard Reports
•  Provide vulnerability data and statistics appropriate for different business groups and functions

•  Search for data by business unit, business info tag, or asset group

•  Display is configurable

•  View is configurable

•  Filter by OS and/or vulnerability type

Scheduled Reporting

•  Several report types that can be scheduled:
   •  Template-based scan reports (using auto data)
   •  Scorecard reports
   •  Patch reports
   •  Template-based compliance reports
   •  Remediation reports

Scheduling and Report Notification

Scheduled Reports Setup

Subscription Set Up Report Share

•  Report Share is a centralized location for storing and sharing reports

•  When enabled for subscription, Managers specify the maximum amount of report data that each user may save

•  Managers have the option to enable secure PDF distribution of reports

Reporting Use Cases

Scenario: I need to see how vulnerable my production Web Servers are, and how to fix them. How do I do this?

Scenario: I run a weekly report of all the vulnerabilities found within my workstation network. My support team says the report is too long, but they need to know what the vulnerability is and how to fix it, in terms of priority – how can we accomplish this?

Reporting Use Cases

Scenario: What type of vulnerability is more prevalent in my network? How can I tell?

Scenario: My manager wants to see what we have accomplished with QualysGuard. Where can I find that?

Reporting Use Cases

Scenario: I am running authenticated scans. How can I tell if my authentication attempts are successful?

Scenario: Do my Windows desktops have antivirus software?

iDefense Threat Intelligence
•  Get customized alerts about zero-day threats
•  “% at Risk” is the percentage of hosts at risk for each vulnerability listed
•  Authenticated scan is required (QIDs 45141 and 90235, specifically)

Zero-Day Risk Analyzer Correlations

[Diagram: host attributes (Windows 7, Adobe Reader 9.1, DCOM enabled) for Host A and Host B are correlated with the iDefense Feed by the Predictive Engine]

Demonstration and Labs

QualysGuard User Management

User Management User Roles & Permissions

Different Roles
•  Each Role has its own permission set
•  Each User can get extended permissions

Types of Roles
•  Manager
•  Unit Manager
•  Scanner
•  Reader
•  Contact

User Management User Permission Hierarchy

[Diagram: permission hierarchy running from least privileged to most privileged. Roles shown: Readers, Scanners, Unit Managers, Managers. Capabilities shown: Reporting, Remediation, Vulnerability Scans, Network Discovery Maps, Management, Subscription Setup]

Adding and Removing IPs
•  We can now add or subtract assets from our account as Manager.

User Management - VIP
−  Two Factor Authentication

Subscription Set Up Security
•  Set security to prevent unauthorized users

•  Set security options related to how users access the system, user-defined passwords, and session time outs

User Management Business Units

•  New User Role: Business Unit Manager

•  Not Mandatory

•  Business Units cannot include other business units

•  Business Unit attributes:
   •  Business Unit Manager(s)
   •  Asset Groups
   •  Users
   •  Comments

User Management Business Units

•  Create Business Unit in Users Section

•  Add Asset Groups to the Business Unit

•  Assign Scanner & Reader Users (optional)

•  First User is promoted to BU Manager

User Management Business Unit Manager

•  Privileges:
   −  Perform all vulnerability management functions:
      −  Map, Scan
      −  Remediation
      −  Reporting
   −  Manage assets, add users, and publish template reports within their Business Unit

•  Extended Permissions:
   −  Add assets
   −  Create profiles
   −  Purge host information
   −  Create/edit configurations (remediation policy, authentication records/vaults, virtual hosts)
   −  Manage compliance, web applications
   −  Manage virtual appliances

•  Restrictions:
   −  Can only be in one Business Unit
   −  Can only be created if the Business Unit has been established
   −  Limited to Asset Groups defined in their Business Unit
   −  May not have rights to run specific reports via the API

User Management Business Units

Demonstration and Labs

Create New User Account Dashboard

Understanding Search Lists

QualysGuard Key Concepts

•  At the end of this section, you should be able to understand:
   •  The Differences between a Static Search List and a Dynamic Search List
   •  In which cases a search list should be used

Search List Locations

Search Lists

•  Option Profile: For which vulns are we scanning?
•  Report Template: On which vulns do we want to report?
•  Remediation Policy: On which vulns and devices do we want a ticket?

Search Lists Overview

• User-defined Groups of QIDs
   •  Static search list
      •  Manually defined
   •  Dynamic search list
      •  Defined based on search criteria

• Benefits
   •  Dynamic List updates when new QIDs meet the search criteria
   •  No limitation to the number of QIDs in search list

Search Lists Static Saved Searches

Static searches are good in cases where a specific set of QIDs needs to be excluded

Search Lists Saved Search Object Information

− Detailed information about a saved search is available anywhere the [icon] is shown
− General Info, the KB criteria, and all QIDs that match the criteria are shown
− Also shown is a list of all report templates, option profiles and remediation rules where the list is used

Search Lists Use Cases

•  Create an automatically updated report for Microsoft’s Patch Tuesday vulnerabilities

•  Create remediation rules that link the application having the vulnerability with the right person to fix it

•  Exclude vulnerabilities from scanning when they may interrupt normal operation of a host

•  Create a self updating report on only vulnerabilities that have a patch available

•  Create a report that contains a static list of authentication QIDs to validate successful QualysGuard authentication.

Fine Tuning the Scan Process with Option Profiles

QualysGuard Key Concepts

•  At the end of this section, you should be able to fine tune QualysGuard by:
   •  Creating custom option profiles for mapping and scanning
   •  Limiting scans to certain vulnerabilities
   •  Using Authentication Records

Option Profiles Benefits

•  Customize scanning and mapping parameters
   − Choose TCP and UDP port numbers
   − Enable authentication
   − Scan for specific vulnerabilities
   − Exclude certain vulnerabilities from scans
   − Throttle or increase scan performance
   − Password Brute Forcing
   − Enumerate Windows shares

Best practice: Authenticated scans should be done via internal scanners

Option Profiles Overview

Option Profiles
•  Configure map & scan launch options
•  Unlimited (per-user) number of profiles

Option Profiles Advanced Configurations - Mapping

Option Profiles Advanced Configurations - Scanning

Option Profiles Advanced Configurations - Scanning
•  Add a saved search
•  Although recommended in some cases, in general it is better to attach a saved search to a Report or Remediation Rule.

Option Profile Authenticated (Trusted) Scanning

•  Connect to service to extract more meaningful data

•  Discover vulnerabilities not detected by untrusted scan

•  Confirm Potential Vulnerabilities

Requires Authentication Record

Authentication Vaults
•  In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge.

•  Some organizations are reluctant to let their credentials leave the network

Demonstration and Labs

Saved Search Lists Options Profiles

Vulnerability Management Remediating Risk

QualysGuard Key Concepts

•  At the end of this section, you should be able to:
   •  Create remediation policies
   •  Understand the implications of whom the ticket is assigned to

Remediation Ticketing Basics

•  QualysGuard automatically creates remediation tickets when you create at least one Remediation Policy.
   o  One ticket for each vulnerability discovered.

•  Remediation tickets can be created/viewed from within reports that contain the “workflow action” icon (e.g., High Severity and Technical Reports).

•  QualysGuard automatically marks Open tickets as Closed/Fixed (when vulnerability is no longer detected).

Remediation Create a new Rule

•  Ticket Assignment
   •  A specific user
   •  Asset Owner
   •  The user who launched the scan

•  Set Deadline for remediation

•  Ignore - do not create a ticket

Remediation Policy Rules
•  Rules can be specific to Business Units

•  System matches rules from top to bottom

•  First matching rule stops the system check
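
Added example (not Qualys code, not from the original slides): first-match evaluation means rule order decides the outcome, and a narrow rule placed below a broader one never fires. The Rule fields, the asset group names and the QIDs 900001 and 900002 are constructed for illustration, and treating an unmatched detection as "no ticket" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    title: str
    asset_groups: Optional[frozenset]  # None matches every asset group
    qids: Optional[frozenset]          # None matches every QID (search list)
    action: str                        # "assign" or "ignore"
    assignee: str = ""                 # "user:<login>", "asset_owner" or "scan_launcher"
    deadline_days: int = 0

def covers(wide, narrow):
    """True when condition `wide` matches everything that `narrow` matches."""
    return wide is None or (narrow is not None and narrow <= wide)

def matches(rule, detection):
    return ((rule.asset_groups is None or detection["asset_group"] in rule.asset_groups)
            and (rule.qids is None or detection["qid"] in rule.qids))

def evaluate(policy, detection):
    """Top to bottom; the first matching rule decides and ends the check."""
    for rule in policy:
        if matches(rule, detection):
            if rule.action == "ignore":
                return {"rule": rule.title, "ticket": False}
            return {"rule": rule.title, "ticket": True,
                    "assignee": rule.assignee, "deadline_days": rule.deadline_days}
    return {"rule": None, "ticket": False}  # assumption: no matching rule, no ticket

def shadowed_rules(policy):
    """Titles of rules that can never fire because an earlier rule covers them."""
    return [later.title
            for i, later in enumerate(policy)
            if any(covers(e.asset_groups, later.asset_groups) and covers(e.qids, later.qids)
                   for e in policy[:i])]

# Constructed sample policy: one broad rule and one narrow "ignore" rule.
SERVERS = frozenset({"Servers"})
CATCH_ALL = Rule("Servers: ticket everything", SERVERS, None, "assign", "asset_owner", 30)
IGNORE = Rule("Servers: ignore QID 900001", SERVERS, frozenset({900001}), "ignore")
MISORDERED = [CATCH_ALL, IGNORE]   # the ignore rule is unreachable here
CORRECTED = [IGNORE, CATCH_ALL]    # narrow rule first, broad rule last
DETECTION = {"asset_group": "Servers", "qid": 900001}

if __name__ == "__main__":
    for name, policy in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, evaluate(policy, DETECTION), shadowed_rules(policy))
```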

Remediation Manual Ticket Creation & Verification

•  Manual Trouble ticket generation
   •  From Automatic Report
   •  From Host Information

•  Launching Verification Scans

Demonstration and Labs

Optional

Thank You