Marek Skalicky, CISM, CRISC, Managing Director for Central Eastern Europe
QualysGuard Security & Compliance Suite supporting SANS TOP 20 Critical Controls
Qualys GmbH, September 2013

QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting SANS TOP 20 Critical Controls

Page 1: QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting SANS TOP 20 Critical Controls

Page 2

SANS TOP-20 Critical Security Controls

Critical Controls for Effective Cyber Defense

To secure against cyber attacks, organizations must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised. Two guiding principles are: "Prevention is ideal but detection is a must" and "Offense informs defense."

The Goal of the Critical Controls

The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.

Strong emphasis on "What really Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.

Page 3

SANS TOP-20 Critical Security Controls

Brief History of TOP-20 CSC

•  In 2008, the Office of the Secretary of Defense asked the National Security Agency for help in prioritizing the myriad security controls that were available for cybersecurity, with strong emphasis on "What really Works".
•  The request went to NSA because NSA best understood how cyber attacks worked and which attacks were used most frequently.
•  A consortium of U.S. and international cyberdefense agencies quickly grew, and was joined by experts from private industry and around the globe.
•  Surprisingly, the clear consensus of the consortium was that there were only 20 Critical Controls that addressed the most prevalent attacks found in government and industry. This then became the focus for an initial draft document. The draft of the 20 Critical Controls was circulated in 2009 to several hundred IT and security organizations for further review and comment.
•  Over 50 organizations commented on the draft. They endorsed the concept of a focused set of controls and the selection of the 20 Critical Controls.
•  Last release - Version 4.1, March 2013

Page 4

SANS TOP-20 Critical Security Controls

5 critical principles of an effective cyber defense system, as reflected in the Critical Controls, are:

1.  Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
2.  Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
3.  Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
4.  Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
5.  Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.

Page 5

SANS TOP-20 Critical Security Controls

Critical Security Controls key consortium members (US Federal agencies)

Page 6

SANS TOP 20 Critical Controls

Page 7

Qualys solution for Very-High to Mid-High SANS Critical Controls

Module legend (repeated on each of the following slides):

VM - Vulnerability Management
PC - Policy Compliance
PCI - PCI Compliance
*WAF - Web Application Firewall
WAS - Web Application Scanning
MDS - Malware Detection Service
SECURE Seal


Page 8

CC1: Inventory of Authorized and Unauthorized Devices

Goal: Effective asset management ensures that assets are discovered, registered, classified, and protected from attackers who exploit vulnerable systems accessible via the Internet.

How QualysGuard supports this:

VM gives full asset visibility over live devices with network mapping:
•  Size of Network
•  Machine Types
•  Location

VM detects authorized and unauthorised devices:
•  Authorized
•  Unauthorized

VM offers full support for automation:
•  Scans are scheduled (continuous, daily, weekly etc.)
•  Delta reports for changes
•  Alerting, ticketing
•  API for integration, for example with Asset management tools


Page 9

CC1: Inventory of Authorized and Unauthorized Devices


Page 10

CC2: Inventory of Authorized and Unauthorized Software

Goal: Effective software management ensures that software is discovered, registered, classified, and protected from attackers who exploit vulnerable software.

How QualysGuard supports this:

VM & POL give full software visibility with scanning:
•  Operating Systems
•  Applications
•  Versions
•  Patch Level

•  VM & POL give Blacklisting of unauthorised software and services
•  VM & POL give Whitelisting of authorised software and services
•  VM provides Interactive Search
•  VM & POL offer full support for automation:
   •  Scheduled scans & reports
   •  Email reports
   •  Alerting on exceptions
   •  Ticketing
   •  API for Integration with Asset Management tools
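The two inventory controls above (CC1 device delta and authorized/unauthorized detection, CC2 software whitelisting and blacklisting) come down to reconciling scan results against a register. The following is an added example written for this page, not Qualys code and not taken from the deck: it diffs two constructed network-map results by MAC address (the example's own choice of identity key, so DHCP address changes do not show up as new devices), flags anything not in a constructed authorized-asset register, and then checks a constructed per-host software inventory against a whitelist and a blacklist. All hosts, addresses and titles are constructed sample data.

```python
"""Asset and software inventory reconciliation (constructed example).

Two network-map results (previous and current scan) are compared against an
authorized-asset register to produce a delta report: devices seen for the
first time, devices that disappeared, and devices whose MAC is not registered.
Software found by authenticated scanning is then checked per host against a
whitelist (authorized titles) and a blacklist (never permitted). All hosts,
addresses and titles below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str
    os: str


@dataclass
class InventoryDelta:
    new: list = field(default_factory=list)           # in current scan only
    gone: list = field(default_factory=list)          # in previous scan only
    unauthorized: list = field(default_factory=list)  # current, MAC not registered


# Register keyed by MAC: IPs change with DHCP leases, so MAC is the identity here.
AUTHORIZED_MACS = {
    "00:11:22:33:44:01": "fileserver01",
    "00:11:22:33:44:02": "ws-finance-07",
    "00:11:22:33:44:03": "printer-2f",
}

PREVIOUS_SCAN = [
    Device("10.0.1.10", "00:11:22:33:44:01", "fileserver01", "Windows Server 2008 R2"),
    Device("10.0.1.51", "00:11:22:33:44:02", "ws-finance-07", "Windows 7"),
    Device("10.0.1.80", "00:11:22:33:44:03", "printer-2f", "Embedded"),
]

CURRENT_SCAN = [
    Device("10.0.1.10", "00:11:22:33:44:01", "fileserver01", "Windows Server 2008 R2"),
    Device("10.0.1.52", "00:11:22:33:44:02", "ws-finance-07", "Windows 7"),  # new lease, same MAC
    Device("10.0.1.99", "aa:bb:cc:dd:ee:01", "android-4f2c", "Linux"),        # unknown device
]


def device_delta(previous, current, authorized_macs):
    """Compare two scans by MAC and flag anything missing from the register.

    A device that merely changed IP (same MAC) is neither new nor gone, which
    keeps DHCP churn out of the delta report.
    """
    prev_by_mac = {d.mac: d for d in previous}
    cur_by_mac = {d.mac: d for d in current}
    delta = InventoryDelta()
    for mac, dev in cur_by_mac.items():
        if mac not in prev_by_mac:
            delta.new.append(dev)
        if mac not in authorized_macs:
            delta.unauthorized.append(dev)
    for mac, dev in prev_by_mac.items():
        if mac not in cur_by_mac:
            delta.gone.append(dev)
    return delta


# Authenticated-scan software inventory: host -> {title: version} (constructed).
SOFTWARE_INVENTORY = {
    "fileserver01": {"OpenSSH": "6.2p2", "7-Zip": "9.20", "uTorrent": "3.3"},
    "ws-finance-07": {"Microsoft Office": "2010", "Adobe Reader": "10.1.7", "Dropbox": "2.0"},
}
WHITELIST = {"OpenSSH", "7-Zip", "Microsoft Office", "Adobe Reader"}
BLACKLIST = {"uTorrent", "BitTorrent"}


def software_exceptions(inventory, whitelist, blacklist):
    """Return (host, title, reason) for blacklisted titles and for titles the
    whitelist does not know; both are exceptions worth a ticket, and the
    reason lets them be routed and prioritized differently."""
    exceptions = []
    for host in sorted(inventory):
        for title in sorted(inventory[host]):
            if title in blacklist:
                exceptions.append((host, title, "blacklisted"))
            elif title not in whitelist:
                exceptions.append((host, title, "not whitelisted"))
    return exceptions


if __name__ == "__main__":
    delta = device_delta(PREVIOUS_SCAN, CURRENT_SCAN, AUTHORIZED_MACS)
    print("New devices:         ", [d.hostname for d in delta.new])
    print("Vanished devices:    ", [d.hostname for d in delta.gone])
    print("Unauthorized devices:", [f"{d.ip} ({d.mac})" for d in delta.unauthorized])
    for host, title, reason in software_exceptions(SOFTWARE_INVENTORY, WHITELIST, BLACKLIST):
        print(f"Software exception: {host}: {title} ({reason})")
```

On the constructed data the delta report lists the Android device as both new and unauthorized, the printer as vanished, and the finance workstation as unchanged despite its new IP; the software pass flags uTorrent as blacklisted and Dropbox as not whitelisted. In a scheduled setup the same two functions run after every scan and feed the alerting or ticketing step the slide mentions.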


Page 11

CC2: Inventory of Authorized and Unauthorized Software


Page 12

CC3: Secure Base Configuration

Goal: Effective configuration management ensures assets are configured based on industry standards and protected from attackers who find and exploit misconfigured systems.

How QualysGuard supports this:
•  Configuration validation of each system
•  Built-in controls catalogue: CIS, SCAP, FDCC
•  User Defined Controls
•  Golden image policy
•  Reporting on deviation from the baseline
•  With full support for automation:
   •  Scheduled scans & reports
   •  Email reports
   •  Alerting on exceptions
   •  Ticketing
   •  API for Integration with GRC tools
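A baseline check is a controls catalogue applied to collected settings, with every deviation reported. The following is an added example written for this page, not Qualys code and not a real CIS, SCAP or FDCC catalogue: the control IDs, settings, expected values and hosts are placeholders. It shows the part a practitioner usually gets wrong, which is that a setting the scan could not collect must be reported as missing rather than silently counted as compliant.

```python
"""Baseline deviation check against a controls catalogue (constructed example).

Each control names the setting it reads and how the collected value must
compare with the expected value: equals, min, max, or regex. Collected
settings per host are evaluated and every non-passing result is reported,
including "missing" when the setting was not collected at all, so an
uncollected value can never be mistaken for a pass. Control IDs, settings
and hosts are placeholders, not entries from a real CIS/SCAP/FDCC catalogue.
"""
import re
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Control:
    control_id: str
    setting: str      # key in the per-host collected settings
    check: str        # "equals" | "min" | "max" | "regex"
    expected: Any
    description: str


CATALOGUE = [
    Control("BASE-001", "PasswordComplexity", "equals", "Enabled", "Password complexity enforced"),
    Control("BASE-002", "MinimumPasswordLength", "min", 14, "Minimum password length at least 14"),
    Control("BASE-003", "LockoutThreshold", "max", 5, "Lockout after at most 5 failed logons"),
    Control("BASE-004", "SSHProtocol", "regex", r"^2$", "SSH protocol version 2 only"),
    Control("BASE-005", "TelnetService", "equals", "Disabled", "Telnet service disabled"),
]

# Settings as an authenticated scan would collect them (constructed).
COLLECTED = {
    "web01": {"PasswordComplexity": "Enabled", "MinimumPasswordLength": 8,
              "LockoutThreshold": 10, "SSHProtocol": "2", "TelnetService": "Disabled"},
    "db01": {"PasswordComplexity": "Enabled", "MinimumPasswordLength": 14,
             "LockoutThreshold": 5, "SSHProtocol": "1,2"},  # TelnetService not collected
}


def evaluate(control, actual):
    """Return "pass", "fail" or "missing" for one control and one collected value."""
    if actual is None:
        return "missing"
    if control.check == "equals":
        return "pass" if actual == control.expected else "fail"
    if control.check == "min":
        return "pass" if actual >= control.expected else "fail"
    if control.check == "max":
        return "pass" if actual <= control.expected else "fail"
    if control.check == "regex":
        return "pass" if re.search(control.expected, str(actual)) else "fail"
    raise ValueError(f"unknown check type {control.check!r}")


def deviation_report(catalogue, collected):
    """Map host -> list of (control_id, status, actual) for every non-pass result."""
    report = {}
    for host, settings in collected.items():
        deviations = []
        for control in catalogue:
            actual = settings.get(control.setting)
            status = evaluate(control, actual)
            if status != "pass":
                deviations.append((control.control_id, status, actual))
        report[host] = deviations
    return report


def compliance_percent(catalogue, collected):
    """Share of (host, control) pairs that pass; missing data counts as failing."""
    total = len(catalogue) * len(collected)
    failing = sum(len(v) for v in deviation_report(catalogue, collected).values())
    return round(100.0 * (total - failing) / total, 1)


if __name__ == "__main__":
    for host, deviations in deviation_report(CATALOGUE, COLLECTED).items():
        for control_id, status, actual in deviations:
            print(f"{host}: {control_id} {status} (collected: {actual!r})")
    print(f"Compliance: {compliance_percent(CATALOGUE, COLLECTED)}%")
```

A golden-image policy in this shape is just a catalogue whose expected values are read from the reference build; user-defined controls add entries with a new setting key and check type. The compliance figure is the metric the CSC principles call for, and it deliberately treats missing data as non-compliant so that a host the scan could not fully read does not improve the score.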

 

 


Page 13

CC3: Secure Base Configuration


Page 14

CC4: Continuous Vulnerability Assessment/Remediation

Goal: Effective vulnerability management will ensure that assets are monitored for vulnerabilities and are patched, upgraded or have services disabled to protect from exploit code.

How QualysGuard supports this:
•  Scheduled & On demand Vulnerability Scanning
•  Continuous Vulnerability Assessment
•  Authenticated Scanning
•  Patch Verification
•  Report on Unauthorized Services
•  With full support for automation:
   •  Scheduled scans & reports
   •  Email reports
   •  Alerting on exceptions
   •  Ticketing with SLA metrics and confirmation
   •  API for Integration with IPS, SIEM etc.
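"Patch verification" and "ticketing with SLA metrics and confirmation" describe one workflow: a finding is only closed when a later scan no longer reports it, and its age is measured against a remediation window set by severity. The following is an added example written for this page, not Qualys code and not from the deck. The SLA windows are an assumed policy, the vulnerability identifiers are placeholders rather than real QIDs or CVEs, and all hosts and dates are constructed.

```python
"""Remediation SLA tracking with re-scan confirmation (constructed example).

A detection is a (host, vulnerability id, severity) finding with the date it
was first seen. A fix is recorded only when a later scan that covered the same
host no longer reports the same id (patch verification), never when a ticket
is closed by hand. SLA windows per severity are an assumed policy; identifiers
and dates are constructed, not real QIDs or CVEs.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Assumed policy: days allowed to remediate, by severity level 1 (low) to 5 (urgent).
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: 180}


@dataclass(frozen=True)
class Detection:
    host: str
    vuln_id: str                            # placeholder identifier
    severity: int
    first_detected: date
    fixed_confirmed: Optional[date] = None  # set only by confirm_fixes()


DETECTIONS = [
    Detection("fileserver01", "VULN-1001", 5, date(2013, 9, 1)),
    Detection("fileserver01", "VULN-1002", 5, date(2013, 9, 1)),
    Detection("ws-finance-07", "VULN-2001", 3, date(2013, 9, 1)),
    Detection("db01", "VULN-3001", 4, date(2013, 8, 1)),
    # verified by an earlier re-scan, but after its 14-day window had passed
    Detection("db01", "VULN-3002", 4, date(2013, 8, 1), fixed_confirmed=date(2013, 8, 20)),
]

# Constructed re-scan: covered two hosts, still found two of their findings.
RESCAN_DATE = date(2013, 9, 5)
RESCANNED_HOSTS = {"fileserver01", "ws-finance-07"}
RESCAN_FINDINGS = {("fileserver01", "VULN-1002"), ("ws-finance-07", "VULN-2001")}
TODAY = date(2013, 9, 16)


def confirm_fixes(detections, rescanned_hosts, rescan_findings, scan_date):
    """Mark open detections as fixed when a re-scan of their host no longer
    reports them. Hosts the re-scan did not cover are left untouched: absence
    of data is not evidence of a fix."""
    updated = []
    for det in detections:
        still_open = det.fixed_confirmed is None
        covered = det.host in rescanned_hosts
        if still_open and covered and (det.host, det.vuln_id) not in rescan_findings:
            det = replace(det, fixed_confirmed=scan_date)
        updated.append(det)
    return updated


def sla_status(det, today, sla_days=SLA_DAYS):
    """Classify one detection relative to its SLA deadline."""
    deadline = det.first_detected + timedelta(days=sla_days[det.severity])
    if det.fixed_confirmed is not None:
        return "fixed_in_sla" if det.fixed_confirmed <= deadline else "fixed_late"
    return "open_in_sla" if today <= deadline else "breached"


def sla_metrics(detections, today):
    """Count detections per status: the numbers a periodic remediation report carries."""
    counts = {"fixed_in_sla": 0, "fixed_late": 0, "open_in_sla": 0, "breached": 0}
    for det in detections:
        counts[sla_status(det, today)] += 1
    return counts


if __name__ == "__main__":
    after = confirm_fixes(DETECTIONS, RESCANNED_HOSTS, RESCAN_FINDINGS, RESCAN_DATE)
    for det in after:
        print(f"{det.host} {det.vuln_id} sev{det.severity}: {sla_status(det, TODAY)}")
    print(sla_metrics(after, TODAY))
```

The breached count is what an alerting-on-exceptions rule would fire on, and the split between "open within SLA" and "breached" is the metric executives and auditors can share without reading individual findings. Note that db01's open finding stays open even though it is absent from the re-scan results, because db01 was not in the re-scan's scope.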


Page 15

CC4: Continuous Vulnerability Assessment/Remediation


Page 16

CC5: Malware Defenses

Goal: The processes and tools used to detect/prevent/correct installation and execution of malicious software on all devices.

How QualysGuard supports this:
•  Vulnerability Scan can detect installed Malware by its running malicious services
•  Authenticated Vulnerability Scan can detect installed Malware in file-system and registries
•  Vulnerability Report will report discovered Malware
•  Web Application Scan now contains Malware Detection Scan for web applications
•  Static signatures and Behavioural Analyses of HTML code
•  Malware Scan of web apps prevents clients from being infected by corporate web sites


Page 17

CC5: Malware Defenses


Page 18

CC6: Application Software Security

Goal: Effective application security ensures that developed and 3rd-party delivered applications are protected from attackers who inject specific exploits to gain control over vulnerable machines.

How QualysGuard supports this:
•  Scheduled & On demand Web Application Scanning
•  OWASP TOP-10 and WASC TOP-10 Vulnerabilities supported
•  Web application discovery (web crawling)
•  User Authentication support
•  Fully unattended and automated
•  Part of development lifecycle
•  With full support for automation:
   •  Scheduled scans & reports
   •  Ticketing with SLA metrics and confirmation
   •  API for Integration with WAF

WAF provides active protection of corporate data and reputation provided via web application interface.

Prevention with WAS and Protection with WAF available in the same UI and integrated security suite.

   


Page 19

CC6: Application Software Security


Page 20

CC7: Wireless Device Control

Goal: The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.

How QualysGuard supports this:
•  VM Network Mapping can discover Wireless hotspots, segments and wireless devices connected via IP ranges.
•  VM Vulnerability Scanning can discover over 30 vulnerabilities specific to various wireless hotspot platforms and vendors.
•  API integration with AirTight Wireless Security Appliance provides integrated reporting.


Page 21

CC7: Wireless Device Control


Page 22

SANS TOP 20 Critical Controls - REMINDER

QualysGuard Security and Compliance Suite delivers High and Very High effect on Cyber-Attack Mitigation!

Page 23

Thank You [email protected]