Description

Presented at Black Hat 2014. Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It’s a wildly uneven match where a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on time-honored methodology to fix vulnerabilities in order of severity. But severity-based vulnerability management misses the mark completely, as it overlooks the fact that risk exposure is the real concern. This workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible to ensure a reduction in risk and shrink the attack surface over time. In this deep dive session on vulnerability analysis and prioritization, we’ll cover:
– Calculating risk exposure: Risk = Impact * Likelihood * Time
– The data you need to be collecting about assets and vulnerabilities
– Prioritizing vulnerabilities using simple 2-factor relationships
– Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
– Techniques to drive down the risk exposure time
Sean Keef
Director, Sales Engineering
Skybox Security
Don’t be a Target: Everything You Know About Vulnerability Prioritization is Wrong
© 2014 Skybox Security Inc., Confidential 2
Everything you ‘know’ about VM is wrong:
My active scanner finds all known vulnerabilities
Our traditional VM approach is reducing risk
We know what we need to fix first
Severity is a good indicator of what to fix
Low and medium severity vulnerabilities can be ignored
30 days scan cycle is acceptable
Agenda
The Present
The Purpose
The Pain
Relationships
The Prioritization
The Process
The Punchline
Definitions
Risk – The probability of occurrence and degree of damage an undesirable event will cause.
Vulnerability – Host-based, application and operating system vulnerabilities.
Vulnerability Management – The process of discovering, prioritizing and remediating vulnerabilities.
Case Study (FinCorp Bank)
90% of the servers are scanned every 30 days
50% of workstations are scanned every 90 days
Average PC has ~117 vulnerabilities
Over 1 million vulnerabilities to be remediated
Critical severity remediation SLA is 15 days
The Present
Vulnerability Management
Discovery with an active scanner
Prioritization, remediation and SLAs based on severity
Critical vulnerabilities are not remediated before the next scan is executed, leading to SLAs not being met.
The Purpose
To ensure that risk causing vulnerabilities exist in an exploitable state for the shortest amount of time possible
[Chart: Risk vs. Time]
Case Study (FinCorp Bank)
Spends ~100 man hours per week remediating vulnerabilities
Week to Week:
– Average ~1 million vulnerabilities
– Average ~20% Critical, ~50% High, ~30% Medium or lower
– No significant reduction of vulnerability count or breakdown week over week. (Was actually growing.)
No real plan for how to reduce the overall number of vulnerabilities or overall risk.
No prioritization plan beyond severity.
A realization that severity based remediation isn’t doing the job.
The Pain
[Chart: Risk vs. Time, comparing severity-driven and risk-driven remediation]
Risk is not decreased over time
– Remediating low risk-causing vulnerabilities
– Not remediating high risk-causing vulnerabilities
– Remediating high risk-causing vulnerabilities
Legend: Severity / Risk
Case Study (FinCorp Bank)
Priorities
1. Risk visibility and qualification
2. Prioritization
3. Communication
Solutions
– Collect more data
– Correlate the data
– Relationships
Relationships
[Diagram: Exploitability, Impact and Severity as overlapping factors]
Host – Vulnerability Relationship
[Diagram: Hosts ↔ Vulnerabilities]
Host – Vulnerability Relationship
[Diagram: Vulnerabilities ↔ Hosts, fed by Asset Data, Network Map and Vulnerability Data]
Host Value
Assets: Value, Function, Location
Asset Data
– Baby Steps
  • Get the data that exists
  • PCI CDE machines
  • Important networks
  • Known critical machines
  • Incomplete is better than nothing
– Asset classification is its own project
Host Loss
Assets: C, A, I – Confidentiality, Availability, Integrity
Host – Vulnerability Relationship
Vulnerabilities: C, A, I
Host – Vulnerability Relationship
Vulnerabilities: Expanded Vulnerability Data
Vulnerability Attributes
[Diagram: Vulnerability – Impact, IPS, Severity, Vector, Catalog]
Host – Vulnerability Relationship
[Diagram: Vulnerability – Impact, IPS, Severity, Network, Catalog, Assets]
Prioritization – Simple Relationships
Vulnerability + Host importance (Impact) – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Time on host – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Host location – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Host type – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Patch (Quick win) – Hard (Application)
Vulnerability + IPS Signature (IPS shielding) – Hard (Application)
Prioritization – IPS Signature to Vulnerability
Prioritization – Patch to Vulnerability
Quick Win!
Case Study (FinCorp Bank)
<Missing something>
Critical vulnerabilities on PCI CDE Hosts
Vulnerabilities that can be IPS Shielded
Patch that wipes out the most vulnerabilities
Prioritization – Complex Relationships
Risk = Impact * Likelihood * Time
Vulnerability & Host
Host w/ Vulnerability & Network Security
Likelihood
Attack Simulations
Compromised Workstation, Foreign Threat, Exploited Partner
Vulnerabilities: CVE-2014-0160, CVE-2014-0515, CVE-2014-1776
Stair Step Attacks
Prioritize Vulnerabilities by Multiple Factors
Vulnerabilities Prioritized
Directly Exploitable Vulnerabilities
Vulnerabilities on PCI hosts
IPS Shielded Vulnerabilities
Vulnerabilities remediated with a single MS Bulletin
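The relationships on the preceding slides (vulnerability + host importance, time on host, host location, patch, IPS signature) and the Risk = Impact * Likelihood * Time formula can be computed from ordinary scanner and asset exports with a short script. What follows is an added example written for this page, not Skybox code or tooling from the deck: the host values, C/A/I loss fractions, per-location likelihoods, patch ids and vulnerability ids are constructed placeholders, and the exploitable flag stands in for the output of an attack simulation.

```python
"""Risk-based vulnerability prioritization (added example, not Skybox code).

Scores constructed findings with Risk = Impact * Likelihood * Time and
extracts the deck's three simple-relationship quick wins: criticals on
PCI CDE hosts, IPS-shieldable findings, and the patch that removes the
most findings.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    value: float      # business value 0..1 from asset classification (assumed scale)
    pci_cde: bool     # host is inside the PCI cardholder data environment
    location: str     # "dmz", "partner" or "internal" (assumed labels)


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                           # placeholder id, not a real CVE
    severity: str                          # scanner severity label
    loss_cia: tuple[float, float, float]   # C, A, I loss on this host, 0..1 (assumed)
    exploitable: bool                      # reachable from an attack source (assumed simulation output)
    first_seen: date                       # when the finding entered an exploitable state
    patch: str | None                      # patch/bulletin that fixes it (placeholder ids)
    ips_shielded: bool                     # an IPS signature covers it on the network path


# Constructed sample data: hostnames, ids and dates are invented for the example.
TODAY = date(2014, 8, 1)
HOSTS = {h.name: h for h in (
    Host("pay-db01", 1.0, True, "internal"),
    Host("web-dmz02", 0.6, False, "dmz"),
    Host("ws-1234", 0.2, False, "internal"),
)}
FINDINGS = [
    Finding("pay-db01", "VULN-A", "Critical", (0.9, 0.3, 0.9), False, date(2014, 7, 2), "PATCH-1", False),
    Finding("web-dmz02", "VULN-B", "High", (0.5, 0.8, 0.5), True, date(2014, 6, 17), "PATCH-2", True),
    Finding("ws-1234", "VULN-C", "Critical", (0.7, 0.2, 0.7), False, date(2014, 7, 22), "PATCH-1", False),
    Finding("ws-1234", "VULN-D", "Medium", (0.4, 0.4, 0.4), True, date(2014, 5, 3), "PATCH-1", True),
    Finding("pay-db01", "VULN-E", "Low", (0.2, 0.2, 0.2), False, date(2014, 7, 27), None, False),
]

# Assumed baseline likelihood by host location when no attack path is proven.
LOCATION_LIKELIHOOD = {"dmz": 0.9, "partner": 0.7, "internal": 0.3}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def impact(f: Finding, host: Host) -> float:
    """Impact: host value scaled by the worst C/A/I loss the vulnerability causes."""
    return host.value * max(f.loss_cia)


def likelihood(f: Finding, host: Host) -> float:
    """A proven attack path (from simulation) overrides the location heuristic."""
    return 1.0 if f.exploitable else LOCATION_LIKELIHOOD[host.location]


def risk_exposure(f: Finding, host: Host, today: date) -> float:
    """Risk = Impact * Likelihood * Time, with time as days spent exploitable."""
    days = (today - f.first_seen).days
    return round(impact(f, host) * likelihood(f, host) * days, 2)


def prioritize(findings, hosts, today: date) -> list[tuple[str, str, float]]:
    """Findings as (vuln_id, host, risk), highest risk exposure first."""
    scored = [(f.vuln_id, f.host, risk_exposure(f, hosts[f.host], today)) for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def severity_order(findings) -> list[str]:
    """The severity-only ordering the deck argues against, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)]


# Simple two-factor relationships: scanner export plus a spreadsheet-level join.
def criticals_on_cde(findings, hosts) -> list[str]:
    return [f.vuln_id for f in findings if f.severity == "Critical" and hosts[f.host].pci_cde]


def ips_shieldable(findings) -> list[str]:
    return [f.vuln_id for f in findings if f.ips_shielded]


def best_patch(findings) -> tuple[str, int]:
    """The single patch that wipes out the most findings: the quick win."""
    counts = Counter(f.patch for f in findings if f.patch)
    return counts.most_common(1)[0]


if __name__ == "__main__":
    for vid, host, score in prioritize(FINDINGS, HOSTS, TODAY):
        print(f"{vid:8} {host:10} risk={score}")
    print("by severity only:", severity_order(FINDINGS))
    print("criticals on CDE:", criticals_on_cde(FINDINGS, HOSTS))
    print("IPS shieldable:", ips_shieldable(FINDINGS))
    print("best patch:", best_patch(FINDINGS))
```

Run as-is it prints the risk-ranked list next to the severity-only order: the Medium on the workstation (VULN-D), which is reachable and 90 days old, outranks the Critical on the same box that no attack source can reach, while the quick-win helpers pull out the PCI CDE criticals, the IPS-shieldable findings and the one patch that removes the most findings.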
The Result
[Chart: Risk vs. Time]
Risk is reduced over time
Risk visibility and communication is increased
– Remediating high risk-causing vulnerabilities
– Risk reduced by reducing attack surface
Case Study (FinCorp Bank)
Before
– Losing the fixed vs found battle
– Unfocused remediation
– Risk not reduced over time
After
– Full visibility into many relationships
– Risk and attack surface reduced week over week
– Understanding of network topology + network map
Result – More effective understanding and application of remediation options
The Process
Discovery – Is there a better way than active scanning?
Case Study
Large Multi-national
– Central IT / Strong Business Units
– Loosely controlled scanning / Business units can opt out.
– CISO needed to be able to ensure a single vulnerability was wiped out.
– Had SCCM everywhere
Limited and Out of Date Information
The value of vulnerability information decays over time
[Chart: knowledge over time, Month 1 to Month 3 – knowledge is added during a scan (up to 100%) and decays after it (80%, then 60%); the gap is missing data]
Why Not Scan More Often? (2012 Survey)
It’s Just Too Difficult
Reasons that respondents don’t scan more often:
– We just don’t need to scan more – 59%
– Unable to gain credentialed access to scan portions of the network – 58%
– The cost of licenses is prohibitive – 41%
– Some hosts are not scannable due to their use – 34%
– We don't have the resources to deal with broader patching activity – 29%
– We don’t have the resources to analyze more frequent scan data – 12%
– We are concerned about disruptions from scanning – 5%
So Security Teams Try to Limit Impact
Disruption – “Oops, we took down the net”
Scan Today
Scan Next Week
Scan Next Month
Scan Next Year
Scan NEVER
Scan Frequency and Coverage (2012 Survey)
[Chart: Frequency and Coverage – Scan Frequency in Days (0 to 350) vs. % of Network Scanned (10% to 90%)]
– Partner/External Networks: ~60-90 days, <50% of hosts
– Critical systems, DMZ: ~30 days, 50-75% of hosts
– Goal: ~Daily / Continuous, 90%+ of hosts
Host – Vulnerability Relationship
Asset: Windows 7, Firefox, Adobe Reader 10, Java SE 20
Vulnerabilities and the products they affect:
– Buffer Overflow: Windows 7, Windows 2K SP2, Windows 2K SP1
– Remote Code Execution: Adobe Reader 8, Adobe Reader 9, Adobe Reader 10, Adobe Reader 7.7
– Security Bypass: Firefox, Thunderbird, SeaMonkey
– Remote DOS: IIS 6.0, IIS 7.5
– Remote Unspecified: Java 7.4, Java FX 2.2.4, Java JRE 6.7, Java SE 7.11
Vulnerability Deduction Process
[Diagram]
– Sources: Asset / Patch Management, Networking Devices, Active Scanner
– Product Profiling → Product Catalog (CPE): OS version & patch level, application versions
– Vulnerability Database → Vulnerability List (CVE)
– Vulnerability Deduction: Product Catalog matched against the Vulnerability List
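The deduction step above is, at its core, a version-range match between each host's product inventory and a vulnerability catalog, followed by a merge with whatever the active scanner did report. The block below is an added example for this page, not Skybox's deduction engine: the catalog entries, version ranges, vulnerability ids and host inventories are constructed, the product names follow the earlier relationship slide, and a plain dotted-numeric version comparison is assumed (real CPE matching has many more cases).

```python
"""Scannerless vulnerability deduction (added example, not Skybox code).

Profiles each host's installed products (the Product Catalog side) against
a vulnerability catalog keyed by affected version ranges (the Vulnerability
List side), then merges the deduced findings with an active scanner's
results so that every finding records which sources support it.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Product:
    vendor: str
    name: str
    version: str


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str          # placeholder ids, not real CVEs
    title: str
    vendor: str
    name: str
    min_version: str      # first affected version, inclusive
    fixed_in: str | None  # first fixed version, exclusive; None if no fix yet


# Constructed vulnerability catalog; product names follow the deck's example slide.
CATALOG = [
    VulnEntry("VULN-RCE", "Remote Code Execution", "adobe", "reader", "7.7", "10.1"),
    VulnEntry("VULN-BYPASS", "Security Bypass", "mozilla", "firefox", "0", "24.0"),
    VulnEntry("VULN-DOS", "Remote DoS", "microsoft", "iis", "6.0", "8.0"),
    VulnEntry("VULN-UNSPEC", "Remote Unspecified", "oracle", "jre", "6.7", "7.12"),
]

# Constructed per-host inventory, as an asset/patch-management export would provide.
INVENTORY = {
    "ws-0001": [Product("adobe", "reader", "10.0"), Product("mozilla", "firefox", "23.0"),
                Product("oracle", "jre", "7.11")],
    "web-dmz02": [Product("microsoft", "iis", "7.5"), Product("adobe", "reader", "11.0")],
    "ws-0002": [Product("mozilla", "firefox", "31.0"), Product("oracle", "jre", "7.60")],
}

# Constructed active-scanner output from an older scan cycle (ws-0002 was patched since).
SCANNER = {"ws-0001": {"VULN-RCE"}, "web-dmz02": {"VULN-DOS"}, "ws-0002": {"VULN-BYPASS"}}


def version_key(v: str) -> tuple[int, ...]:
    """Dotted numeric version to a comparable tuple, so '7.11' > '7.4'."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def is_affected(p: Product, e: VulnEntry) -> bool:
    """Same vendor/product and version inside [min_version, fixed_in)."""
    if (p.vendor, p.name) != (e.vendor, e.name):
        return False
    v = version_key(p.version)
    if v < version_key(e.min_version):
        return False
    return e.fixed_in is None or v < version_key(e.fixed_in)


def deduce(inventory, catalog) -> dict[str, set[str]]:
    """Host -> vulnerability ids deduced purely from product profiling."""
    return {host: {e.vuln_id for p in products for e in catalog if is_affected(p, e)}
            for host, products in inventory.items()}


def merge_sources(deduced, scanned) -> dict[tuple[str, str], frozenset[str]]:
    """(host, vuln_id) -> the set of sources that report it."""
    merged: dict[tuple[str, str], set[str]] = {}
    for source, findings in (("deduction", deduced), ("scanner", scanned)):
        for host, vulns in findings.items():
            for vid in vulns:
                merged.setdefault((host, vid), set()).add(source)
    return {k: frozenset(v) for k, v in merged.items()}


def scanner_only(merged) -> list[tuple[str, str]]:
    """Findings the current inventory no longer supports: likely stale scan data."""
    return sorted(k for k, src in merged.items() if src == {"scanner"})


def deduction_only(merged) -> list[tuple[str, str]]:
    """Findings the scanner has not reported: unscanned host or no check yet."""
    return sorted(k for k, src in merged.items() if src == {"deduction"})


if __name__ == "__main__":
    merged = merge_sources(deduce(INVENTORY, CATALOG), SCANNER)
    for (host, vid), sources in sorted(merged.items()):
        print(f"{host:10} {vid:12} {sorted(sources)}")
    print("stale scanner findings:", scanner_only(merged))
    print("missed by scanner:", deduction_only(merged))
```

Findings carrying only the scanner as a source are the ones the decay chart warns about: the current inventory no longer supports them, so they are candidates for re-check rather than remediation. Findings carrying only deduction are what the scanner has not seen, whether because the host was never scanned or because the vendor had not yet added the check.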
Speed
Typical scanner: 250 host/hour VS Analytical Scan: 100,000 host/hour
Analytics Give You a Continuous View of Vulnerabilities
[Chart: coverage over Month 1 to Month 3, 50% vs. 100% – Active scanner alone vs. combining active scanning and analytics-based vulnerability detection]
Case Study
Large MultiNational
– Visibility on ~100% of hosts in less than a week.
– Able to eradicate Heartbleed on 98% of PCs (over 500k) in less than a week.
– Complete eradication in 23 days.
– Has visibility into network devices.
– Able to discover vulnerabilities on mission critical portions of the network.
Not all scanners have every vulnerability
Date vulnerability was added to scanner by vendor:
CVE            | Qualys    | McAfee    | TripWire  | Tenable
CVE-2014-4228  | Jul 17    | Jul 29    | Not Added | Jul 16
CVE-2014-4943  | Jul 28    | Jul 24    | Jul 19    | Jul 17
CVE-2013-1741  | Apr 4     | Dec 11    | Nov 18    | Dec 6
CVE-2014-4607  | Jul 14    | Jul 10    | Jan 1     | Jun 27
CVE-2014-2804  | Apr 28    | Jun 25    | Jul 8     | Jul 8
CVE-2014-2783  | Apr 28    | Jul 8     | Sep 26    | Jul 8
CVE-2014-1375  | Jul 2     | Not Added | Jun 30    | Jul 1
CVE-2014-1369  | Not Added | Jul 10    | Not Added | Jun 30
CVE-2014-0015  | Not Added | Jul 9     | Jun 30    | Not Added
Your scanner needs to be part of a greater plan
The more data sources you can include, the better.
Advisories: Adobe; Cisco PSIRT; Microsoft Security Bulletin; Oracle
Scanners: eEye Retina*; ISS Internet Scanner*; McAfee Foundstone; Qualys Guard; Rapid7 Nexpose; Tenable Nessus; Tripwire nCircle
IPS: HP Tipping Point; ISS Proventia; Palo-Alto Networks; SourceFire; SourceFire
Other Sources: CERT; Mitre CVE; NIST’s NVD; Rapid7 Metasploit; Rapid7 Metasploit; Symantec SecurityFocus; Symantec Worms
The Power of Seven Scanners at Once
The Process
Remediation and Tracking – Do you know how you are doing?
Remediation Reporting
The Punchline
To ensure that risk causing vulnerabilities exist in an exploitable state for the shortest amount of time possible, you must:
– Discover vulnerabilities quickly – Challenge the Active Scanner Status Quo
– Understand the relationship between the hosts and your vulnerabilities to discover what matters
– Remediate or mitigate based on analysis of risk – not severity. Enable reporting.
Thank you!
Interested in Skybox for Vulnerability Assessment and
Management? Start your 30-Day Trial today!
www.skyboxsecurity.com/trial