According to the NIST National Vulnerability Database, 1772 software vulnerabilities with a CVSS score of 7 or higher were disclosed in 2012, and 2013 is so far (at the time of writing) not looking any better. The window of exposure, from when a vulnerability is discovered to when a patch has been deployed, is often very long. In a corporate environment it is not unusual to rely solely on patch management and semi-static security tools such as firewalls, IPS and antivirus for protection, and for various reasons patch deployment may take a long time or may not even be possible. This talk will discuss why patch management is insufficient for protection against new vulnerabilities, how the traditional "defense in depth" model needs to be re-architected, and finally how the window of exposure can be reduced by active response before incidents occur.
Surviving 0-days: reducing the window of exposure
Andreas Lindh, 44Con 2013
About me
• Security analyst/architect
• Defender by day
• @addelindh on Twitter
The TL;DR
0-days
[Timeline: Unknown -> Discovery -> Disclosure -> Patch available -> Patch deployed; the left part is out of our control, the right part is in our control]
The window of exposure
Common protection
• Patching
• Virtual patching
• Uninstall
How hard can it be?
Pretty hard!
What if you can’t patch?
• Legacy systems
• 3rd party systems
• Insufficient tools
[Timeline: Unknown -> Discovery -> Disclosure -> Patch available -> Patch deployed; the left part is out of our control, the right part is in our control]
HD Moore’s law
Defense in depth
Concept
Implementation
Meanwhile...
Which leaves us with...
Are we on it?
"Put another way, n people want to fix security holes, 10n people want to exploit security holes, and 100000n want Tetris." (Dan Kaminsky)
What to do?
Root cause
• Over-reliance on patching
• Network-centric defense architecture
• All about prevention
Firewall all the things?
Things to consider
• Exposure
• Attack likelihood
• History
• Patch status
Approach
• Prevention
• Mitigation
• (Detection)
1. Build
Focus
• Proactive
• Inside -> out
• Onion style
• Reusable (ideally)
An example
[Onion-style layering around the software, from the inside out:]
• Software
• Sandbox
• OS security features
• Software restriction policy
• Intermediary channels
• Endpoint protection
• User permissions
• IPS
Pros and cons
• Pros
– Improved security baseline
– Reduced impact
– Pro-active
• Cons
– Generic
– Added complexity
2. React
INCIDENT! (disclosure)
React!
Incident timeline
Focus
• Specific vulnerability
• Fast implementation
• Input to #1
Pros and cons
• Pros
– Timely mitigation
– Focused approach
– Complements #1
• Cons
– Limited time
– Reactive
Wrapping it up
• Patching takes time
• Can’t patch the unknown
• Traditional controls are often insufficient
Let’s build!
Thank you for listening!
Questions?