The Heartbleed vulnerability is causing heartburn for IT and security teams as they struggle to patch systems, identify what was vulnerable, and harden their systems against active attack. Heartbleed shows why organizations need a robust security strategy for rapid reaction to vulnerabilities and threats. In this webcast we discussed:
- The Heartbleed vulnerability in detail, how it occurred, and examples of how it can be used against your organization
- How you can identify your business exposure and which systems are vulnerable
- How Tripwire’s solutions work together to help you close the detection, remediation and prevention gaps around Heartbleed
The recording of the webcast that accompanies this slide deck is available here: http://www.tripwire.com/register/heartbleed-outpatient-care-steps-for-secure-recovery/
Heartbleed Outpatient Care: Steps for Secure Recovery
ENTERPRISE THREAT GAP: DETECTION, REMEDIATION & PREVENTION
Presenters:
Ken Westin, Product Marketing Manager, Security Intelligence
Katherine Brocklehurst, Product Marketing Manager, Security Configuration Management
Ed Smith, Product Marketing Manager, Vulnerability Management
Agenda
• Heartbleed – what is it, how did it happen, and how can it be used against you
• How to identify your business exposure
• What systems are vulnerable and what you can do to check for Heartbleed
• How Tripwire’s solutions work together on detection, prevention, and remediation for Heartbleed
What Is Heartbleed?
• OpenSSL vulnerability
• Affects 2/3 of Internet and more
• Active exploits in the wild
• You may have already been compromised
CVE-2014-0160
OpenSSL Flaw
How Does Heartbleed Work?
Source: xkcd.com/1354/
Timeline: RECON/ENUMERATION → WEAPONIZATION → EXPLOITATION → COMMAND & CONTROL → ACTIONS/EXFILTRATION
Cyber Kill Chain: Sophisticated Attacks
Cyber Kill Chain® is a registered trademark of Lockheed Martin
Heartbleed Exploit Example: Live Exploit
Cyber Kill Chain Not Required
- NO INDICATORS
- SIMPLE EXPLOIT
- EVERYWHERE
Cyber Kill Chain® is a registered trademark of Lockheed Martin
Timeline: RECON/ENUMERATION → WEAPONIZATION → EXPLOITATION → COMMAND & CONTROL → ACTIONS/EXFILTRATION (three stages are crossed out on the slide)
Who Was Affected….
Who Wasn’t?
Enterprise Threat Gap
DETECTION
REMEDIATION
PREVENTION
Prevention Gap: time to put preventative measures in place to avoid repeated attacks. Can we avoid this happening again?
Remediation Gap: time between discovery and remediation to limit damage. How bad is it?
Detection Gap: time between the actual breach and its discovery. Have we been breached?
DETECTION
REAL-TIME HEARTBLEED EXPLOIT DETECTION
• Correlation content now available for IDS/IPS: Cisco, Sourcefire/SNORT, McAfee, Palo Alto
• Create alerts, automate remediation and share reports on Heartbleed exploit attempts
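As an added illustration (not Tripwire's correlation content, which the deck does not show), the following Python performs the core check that IDS signatures for Heartbleed rely on: a plaintext TLS heartbeat record whose declared payload length cannot fit inside the record that carried it. The sample records are constructed here, not captured traffic.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record type used by the heartbeat extension (RFC 6520)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16               # RFC 6520: every heartbeat message ends with >= 16 bytes of padding


def classify_tls_record(record: bytes) -> str:
    """Classify one plaintext TLS record as 'other', 'truncated', 'heartbeat' or 'heartbleed'.

    Only unencrypted records can be inspected this way, which is where the exploit
    lives: the malformed heartbeat is sent before a handshake completes.
    """
    if len(record) < 5:
        return "truncated"
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "other"
    body = record[5:5 + record_len]
    if len(body) < 3:
        return "truncated"  # not even room for the heartbeat type and length fields
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # Unpatched OpenSSL trusted payload_len and echoed that many bytes from memory,
    # so a declared payload that cannot fit in the record is the thing to alert on.
    if 3 + payload_len + MIN_PADDING > record_len:
        return "heartbleed"
    return "heartbeat"


def heartbleed_alerts(records) -> list:
    """Indices of records an IDS correlation rule would raise as Heartbleed attempts."""
    return [i for i, r in enumerate(records) if classify_tls_record(r) == "heartbleed"]


# Constructed samples (not captured traffic):
BENIGN_PAYLOAD = b"ping"
BENIGN_HEARTBEAT = (struct.pack("!BHH", 0x18, 0x0302, 3 + len(BENIGN_PAYLOAD) + MIN_PADDING)
                    + struct.pack("!BH", HEARTBEAT_REQUEST, len(BENIGN_PAYLOAD))
                    + BENIGN_PAYLOAD + b"\x00" * MIN_PADDING)
# A 3-byte heartbeat record whose header claims a 16 KiB payload: the malformed shape signatures match.
MALFORMED_HEARTBEAT = struct.pack("!BHH", 0x18, 0x0302, 3) + struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000)
APPLICATION_DATA = struct.pack("!BHH", 0x17, 0x0302, 2) + b"hi"

if __name__ == "__main__":
    for idx in heartbleed_alerts([BENIGN_HEARTBEAT, APPLICATION_DATA, MALFORMED_HEARTBEAT]):
        print(f"alert: record {idx} is a Heartbleed attempt")
```

The same length comparison applies to heartbeat responses, so an oversized response leaving a server is the confirmation that an attempt succeeded.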
Heartbleed Detection with Tripwire Log Center: IDS Correlation and Reporting
(diagram: Exploit → Vulnerable Host, flagged by Intrusion Detection; Actions & Alerts; Reporting)
Intelligent Vulnerability Management: Tripwire Log Center + Tripwire IP360
(diagram: Exploit → Vulnerable Host, flagged by Intrusion Detection; Actions & Alerts)
• Vulnerabilities of attacked host
• Business value of target asset
PREVENTION
AUTOMATED SCANNING FOR CONTINUOUS PREVENTION
• Automated inventory of devices and applications to know what’s on your network
• Continuous detection of Heartbleed and 60,000 other vulnerabilities
Heartbleed Is Not a Single “Bug”
There are Different Breeds of the Heartbleed Bug
The Heartbleed Bug Doesn’t Just Live in Perimeter Networks…
Heartbleed Also Thrives Inside Corporate Networks and Datacenters
Where is OpenSSL on Your Network?
Heartbeat Feeds On OpenSSL v1.0.1 - 1.0.1f
Perimeter Networks
• Web Servers
• Email Servers
• FTP Servers
Datacenter
• Databases
• Application Servers
Internal Network
• Operating Systems
• VPN Clients
Critical Security Control 1&2:
Inventory of Authorized and Unauthorized Hardware and Software
Scan Perimeter Networks to find Heartbleed bugs exposed to the public internet
Scan Internal Networks to find Heartbleed bugs hackers can leverage
Remote Checks look for Heartbleed Bugs Exposed to the Network
Local Checks Use Administrative Credentials to Closely Inspect Machines
Automated Scanning Offers Continuous Prevention
Not a Tripwire Vulnerability Management Customer?
• Free for up to 100 IPs, up to 4 times a month
• Automated Scanning for Internal Networks
• Remote and Local Heartbleed Checks
• Scan Web, FTP, IMAP, POP3, XMPP, and SMTP services for Heartbleed vulnerabilities
Scan For Heartbleed Today: www.tripwire.com/securescan
Tripwire Heartbleed Vulnerability Coverage
Remote Checks: Network Services Vulnerabilities
Local Checks: Software Vulnerabilities
• Heartbleed TLS
• Certificate Risks
• XMPP
• POP3
• IMAP
• FTP
• SMTP
• Juniper
• Debian
• PostgreSQL
• OpenSUSE
• Oracle Linux
• Ubuntu
• CentOS
• Red Hat
• OpenVPN
THE CHECKS ABOVE ARE ALL FOR HEARTBLEED
Healing Heartbleed
If You Do Detect Heartbleed:
• Update OpenSSL to 1.0.1g+
• Contact the Vendor for a Fix
• Update or revoke your certificates as a precaution
• If appropriate, ask or require users to revise their passwords
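An added example, not Tripwire's local check, of the version test behind the "OpenSSL v1.0.1 - 1.0.1f" and "Update OpenSSL to 1.0.1g+" slides: it parses the banner printed by `openssl version` and reports whether that upstream release shipped the flaw. The banners in the tests are constructed; the backport caveat in the comments is why a banner alone cannot clear a host.

```python
import re
import subprocess

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ..." and "OpenSSL 1.0.2-beta1 ..."
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_banner(banner: str):
    """Return (major, minor, fix, letter, beta) parsed from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_vulnerable_version(banner: str) -> bool:
    """True when the upstream release named in the banner contains CVE-2014-0160.

    Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
    0.9.8 and 1.0.0 never had the heartbeat code; 1.0.1g and 1.0.2-beta2 carry the fix.
    """
    major, minor, fix, letter, beta = parse_openssl_banner(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"  # "" (plain 1.0.1) and "a".."f" are vulnerable, "g"+ are fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def local_openssl_check() -> dict:
    """Run `openssl version` on this host and classify the result (the local-check part).

    Caveat: Linux distributions backported the fix without changing the banner
    (a patched Debian or RHEL build still prints 1.0.1e), so a 'vulnerable' verdict
    from the banner must be confirmed against the package changelog or a remote
    check; a 'fixed' verdict from the banner is reliable.
    """
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout.strip()
        return {"banner": banner, "vulnerable_by_version": is_heartbleed_vulnerable_version(banner)}
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError):
        return {"banner": None, "vulnerable_by_version": None}


if __name__ == "__main__":
    print(local_openssl_check())
```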
Prevention Recap
1. Know What You Have and Where OpenSSL Lives
2. Check both Perimeter and Internal Networks
3. Patch both Remote and Local Vulnerabilities
Tripwire Vulnerability Management
• Heartbleed coverage released April 9th
• Additional Heartbleed checks released April 15th
• 17 Remote and Local Heartbleed Checks for Web, FTP, IMAP, POP3, XMPP, and SMTP services for Heartbleed vulnerabilities
• On-premise solution with optional cloud-based perimeter scanning
Learn More & Request a Demo: www.tripwire.com
Bridging the Threat Gap: Tripwire Log Center + Tripwire IP360 + Tripwire Enterprise
(diagram: Exploit → Vulnerable Host, flagged by Intrusion Detection; Actions, Alerts & Reporting)
REMEDIATION
Post-Heartbleed Safety
How Bad Is It?
Identified inventory of affected systems: applications, network devices, operating systems, databases, file systems, servers, desktops, mobile devices, etc.
The Green Laser Trip Wire
REMEDIATION
Post-Heartbleed Safety: Reducing the Threat Gap
Now the issue is watching for change: authorized vs. unauthorized
File integrity and change control: what changed, when, by whom
Remediation can be immediate and automated: return to baseline (built-in rules / custom rules)
Policy Compliance
Tripwire Enterprise (TE) Results
DETECTION / REMEDIATION / PREVENTION
PREVENTION
• Scan and discovery
• Inventory of hardware and software assets
• Pinpoint Heartbleed wherever it may be
DETECTION
• Receive input from other systems
• Intelligently alert, take action, and report on indicators of compromise
REMEDIATION
• Keep Watchful
• Use auto-remediation if warranted, back to known good configurations
Other Resources
• SecureScan (Free Heartbleed Network Scanner): http://www.tripwire.com/securescan
• Tripwire VERT Heartbleed Research: http://www.tripwire.com/vert/heartbleed/
• Detecting Heartbleed Exploits in Real-Time: http://www.tripwire.com/state-of-security/incident-detection/heart-attack-detect-heartbleed-exploits-in-real-time-with-active-defense/
• Blog post on checking home routers for Heartbleed: http://www.tripwire.com/state-of-security/security-data-protection/heartbleed-and-your-soho-wireless-systems/
• Tripwire Customer Portal: http://www.tripwire.com (select Customer Support at top)
• OpenSSL.org – advisories, news, and further detail: https://www.openssl.org/news/secadv_20140407.txt
• www.heartbleed.com
• CVE details at Mitre.org - Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
tripwire.com | @TripwireInc
Q & A?
THANK YOU!
Tripwire’s Solution Breadth: Heartbleed – Detection, Remediation, Prevention
Possible Heartbleed?
• Scan and discovery
• Inventory hardware and software assets
Other Heartbleed Indicators?
• Receive and intelligently alert on indicators of compromise
Post-Heartbleed?
• Keep Watchful
• Use auto-remediation if warranted, back to known good configurations