Vulnerability Management at ESS Remy Mudingay European Spallation Source ERIC ICALEPCS 2019 New York, Brooklyn 2019-10-06


Page 1: Vulnerability Management at ESS

Vulnerability Management at ESS

Remy Mudingay, European Spallation Source ERIC

ICALEPCS 2019

New York, Brooklyn, 2019-10-06

Page 2: Vulnerability Management at ESS

Overview

• Introduction

• Vulnerability Assessment & Management

• People, Processes and Security

• Solutions

• Final thoughts

• Questions


Page 3: Vulnerability Management at ESS

Site overview figure: Target, Neutron Instrument Hall

European Spallation Source – Lund, Sweden – construction project

Page 4: Vulnerability Management at ESS

InfoSec Organisation


CERT

Page 5: Vulnerability Management at ESS

Vulnerability Management

Page 6: Vulnerability Management at ESS

Introduction: What are vulnerabilities?


Why you should care

Applications and OSs not Configured to Secure Standards

• Never configured

• Configuration Change

Typical web application stack (figure):

• Client Tier – Desktop, Web Browser
• Internet/Intranet Tier – Network
• Web Server Tier – Apache, IIS, etc.
• Application Server Tier – PHP, Java/J2EE, Ruby, WordPress, etc.
• Database Tier – MySQL, Oracle, DB2

System and Applications not patched for known security flaws

• Hardware

• Operating System

• Application

• Database

• Network Equipment

Web Applications and Web Services

• With known security issues

• Incorrect Code

• Not patched for known security flaws

Browser and Plugins

• Not up to date

• Not patched for known security flaws

Page 7: Vulnerability Management at ESS

Vulnerability Assessment

• Vulnerability Assessment
  – Often simply only a scanning program
    • Hard to measure success long-term
    • Is it checking patch levels?
    • Is it lowering risk overall?
    • What processes are working?
    • Where is it not working in the organization?
    • Are you compliant?
  – Generally too much data as it lacks context
  – Point in time only


Differences between: Vulnerability Assessment and Vulnerability Management

Page 8: Vulnerability Management at ESS

Vulnerability Management

• Vulnerability Management
  – Accountability
  – Not just about vulnerability scanning
    • A process to find, rate, remediate, track, progress
    • Should be about context, context and more context
  – Need to build a program that allows for the following
    • Meeting compliance and/or regulatory goals
    • Defined success factors
    • Measurable
    • Repeatable
    • Integration with other programs: patch management, ticketing, asset management, configuration management


Differences between: Vulnerability Assessment and Vulnerability Management

Page 9: Vulnerability Management at ESS

Vulnerability Management


People

What do they do?
• Operations
• Security
• Administrators
• Privileged access

What is important to them?
• Uptime
• Reputation
• Accountability

Their place in the organization
• Director
• EMT
• CIO-like role
• CISO
• Teams
• Users

Page 10: Vulnerability Management at ESS

Vulnerability Management


Process

How often should you scan?
• Daily
• Weekly
• Monthly

Provide reports (intervals)?
• Daily
• Weekly
• Monthly

What should be measured?
• Open Vulnerabilities
• Closed Vulnerabilities
• Overdue Vulnerabilities

Patch prioritization?
• High Risk
• High Severity
• Asset Criticality

Patching intervals?
• By OS
• By Server
• By Workstation

How do you classify assets?
• By Business Application
• By Business Unit

Page 11: Vulnerability Management at ESS

Vulnerability Management


Security

Should ALL vulnerabilities be treated equally?

How many vulnerabilities do you have?
• Today?
• Last month?
• A year ago?

What is the context of each vulnerability?
• How do you classify assets?
• Do you manually rank vulnerabilities?

How do you measure the Security in the organization?
• Service Level Agreements
• Open
• Closed
• Risk level

Is your Security Audited?
• Regulatory
• IEC 61508
• etc.
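A worked example, added here and not part of the original slides, of the process and security metrics the two preceding slides ask for: SLA-driven open/closed/overdue counts and a patch order that weighs scanner severity against asset criticality rather than treating every finding equally. The SLA table, asset names and findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLA in days keyed by (severity, asset criticality): constructed policy values.
SLA_DAYS = {("critical", "high"): 7, ("critical", "low"): 14, ("high", "high"): 14, ("high", "low"): 30,
            ("medium", "high"): 30, ("medium", "low"): 90, ("low", "high"): 90, ("low", "low"): 180}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CRITICALITY_RANK = {"high": 2, "low": 1}

@dataclass
class Finding:
    asset: str
    criticality: str          # asset context: "high" (e.g. a PLC gateway) or "low"
    title: str
    severity: str             # scanner severity: critical / high / medium / low
    first_seen: date
    closed: Optional[date] = None

def due_date(f: Finding) -> date:
    # The SLA deadline depends on both the severity and the asset's criticality.
    return f.first_seen + timedelta(days=SLA_DAYS[(f.severity, f.criticality)])

def status(f: Finding, today: date) -> str:
    if f.closed is not None:
        return "closed"
    return "overdue" if today > due_date(f) else "open"

def metrics(findings, today: date) -> dict:
    # The three KPIs from the process slide: open, closed, overdue.
    counts = {"open": 0, "closed": 0, "overdue": 0}
    for f in findings:
        counts[status(f, today)] += 1
    return counts

def prioritize(findings, today: date) -> list:
    # Patch order: risk score (severity x asset criticality), then raw severity, then days past SLA.
    def key(f):
        score = SEVERITY_RANK[f.severity] * CRITICALITY_RANK[f.criticality]
        return (score, SEVERITY_RANK[f.severity], (today - due_date(f)).days)
    return sorted((f for f in findings if f.closed is None), key=key, reverse=True)

# Constructed sample scan results (not real ESS data).
TODAY = date(2019, 10, 6)
FINDINGS = [
    Finding("plc-gw-01", "high", "Outdated gateway firmware", "high", date(2019, 9, 1)),
    Finding("web-01", "low", "Apache httpd update missing", "critical", date(2019, 10, 1)),
    Finding("wks-17", "low", "Browser plugin out of date", "medium", date(2019, 8, 1), date(2019, 8, 20)),
    Finding("db-02", "high", "MySQL security patch", "medium", date(2019, 9, 20)),
]
```

With these inputs the overdue high-severity finding on the high-criticality PLC gateway is patched before the fresh critical on a low-criticality web server, which is the context the slides argue a pure severity count misses.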

Page 12: Vulnerability Management at ESS

Vulnerability Management


Way forward (previous lessons learnt)

Many organisations prioritise or focus on the wrong things
• Let’s fix all the vulnerabilities!
• No need to know the context to patch vulnerabilities!
• Looking to match patching tools
• KPIs - how many issues are open/closed
• No need to integrate assessments and patching into other systems (ticketing, logs, etc.)

Change the paradigm!
• Admit that you can not fix all vulnerabilities
• Improve weakest areas (first)
• Perform Root Cause Analysis for each of the highlighted items

Page 13: Vulnerability Management at ESS

Solutions – Commercial

• Tenable.sc (SC)
  – Current version 5.8; reports global compliance and can produce audit reports
• Nessus scanner (NS, included)
  – Nessus cloud (included) – scan your externally exposed services
  – Nessus agent (included) – installed directly on critical services and scans the operating system
  – Nessus scanner (included) – scans the internal network
• Passive vulnerability scanner (PVS), now called Nessus Network Monitor (NNM, included)
  – SPAN port; scans network traffic for anomalies
• Log correlation engine (LCE, included)
  – Correlates events across multiple sources
• Industrial security (additional licence required) – useful for controls (PLC and OT environments)
  – Standard 1Gbps
  – Enterprise 10Gbps
  – Only product on the market that provides this
• Web application scanning (additional licence required)

Page 14: Vulnerability Management at ESS

Deployment guidelines – Open source

• OpenVAS – scanner
• Passive vulnerability scanner – Suricata
  – SPAN port; scans network traffic for anomalies
• Graylog
  – Correlates events across multiple sources
• Web application scanning
  – Nikto

Page 15: Vulnerability Management at ESS
Page 16: Vulnerability Management at ESS
Page 17: Vulnerability Management at ESS
Page 18: Vulnerability Management at ESS
Page 19: Vulnerability Management at ESS

Vulnerability Management

Page 20: Vulnerability Management at ESS

Vulnerability management

Architecture figure: Security Center (SC) with the Log Correlation Engine (LCE); Nessus scanners (NS) and Nessus cloud performing active and compliance scans; Nessus Network Monitor (NNM) performing passive scans from a SPAN port/tap in each network zone; the Industrial Zone monitored by Industrial Security.

Page 21: Vulnerability Management at ESS

Network Monitoring


Sflow/Netflow
• Elastiflow
• Firewalls
• Network switches
• Virtualisation hosts

Page 22: Vulnerability Management at ESS

Central Logging


Page 23: Vulnerability Management at ESS

Configuration Management

• Repeatability

• Reproducibility

• Reliability

• Traceability


Page 24: Vulnerability Management at ESS

Continuous integration & delivery

2019-10-06 ICS Jamboree Infrastructure 24

Pipeline: Build → Test → Code analysis → Publish → Deploy

Page 25: Vulnerability Management at ESS

Build

• Isolation

• Build tools

• Dependencies

• Repeatability


Page 26: Vulnerability Management at ESS

Test

• Find defects

• Avoid regression

• Quality

• Reproducibility


Page 27: Vulnerability Management at ESS

Code quality analysis

• Reliability

• Efficiency

• Security

• Maintainability


Page 28: Vulnerability Management at ESS

Code quality analysis


Page 29: Vulnerability Management at ESS

Artifact storage

• File integrity

• Version handling

• Retention policies

• Caching remotes


Page 30: Vulnerability Management at ESS

Artifact storage


Page 31: Vulnerability Management at ESS

Deployment

• Automation

• Orchestration

• Reliability

• Visibility


Page 32: Vulnerability Management at ESS

Deployment


Page 33: Vulnerability Management at ESS

Vulnerability Management

Page 34: Vulnerability Management at ESS

Final thoughts

• Deployment (Ansible playbooks for all components)

– ESS deployment scripts (Link)

• Licence management

• Account/Administrative privileges

– Limit access to only CERT teams

• Privacy (Logs -> LCE)

– Centralise logs for the entire organisation – in line with GDPR


Page 35: Vulnerability Management at ESS

Questions?
