www.redsealnetworks.com
Threat Impact Analysis Without Crash Testing The Network
Virtual Attack Simulation For Proving Security Control Effectiveness
Dr. Mike Lloyd | CTO | April 2013
Agenda
- Continuous Monitoring: the right idea, at the right time, and mandated
- Why? How?
- What's special about network security?
- Lessons learned
© 2013 RedSeal Networks, Inc. All rights reserved.2
What problem?
- Billions of $$$ in IT security spending
- 90% of organizations say they have been breached in the last 12 months (Perceptions About Network Security, Ponemon Institute)
Lack of control leads directly to breach
- 97% of attacks could have been avoided through "consistent application of simple or intermediate controls" (Verizon Data Breach Investigations Report, 2012)
What we hear from CISOs
- We've got data, lots of it
- Making sense of it is hard: skills shortage, sheer scale
- Hard to prioritize actions
- Hard to demonstrate effectiveness
- Compliance is pain with little gain
Dynamic compliance
Continuous Monitoring 101
- Main idea is simple: asset inventory, policy, check the assets (and repeat)
- Not too bad for physical assets. Doors: list all doors, require a card reader on external doors, check
- Desktops are a bit harder: can you find them all? Policy gets more technical, and testing is downright fiddly
- SCAP and FDCC have worked hard on this problem
Network security
- Network security is the same, right? List all network gear, write configuration rules, test them
- Any problems with this?
How not to do it
- Check the outcome, not the details
Networks are different
- Networks are about pairs: can A attack B?
- Hosts can be checked: lots of work, but possible
- For the network, square it: 10,000 hosts => 100 million questions
- Well outside human range; far too many interactions
Four gears
- Gather & Map
- Test Elements
- Test the System
- Measure Risk
First gear: gather & map
- You can't manage what you can't see
- Network configuration stores vary widely: some have a chosen CMDB vendor, some have many, some have none
- All have problems
Lesson 1: Everyone has Dark Space
- Every network store has gaps
- Maps make it obvious
- Good news: it's possible to "bootstrap"; the data you have can tell you what's missing
- Report on "known unknowns"
(Figure: network map with disconnected objects)
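One concrete way to "bootstrap" the known unknowns, as an added example that is not RedSeal's code: the two device records below are constructed, and the rule is this editor's rendering of the slide's idea. A collected device's routes name next hops and destination networks; a next hop that no collected device owns, or a routed destination that touches no collected interface, is a piece of the network the data says exists but the inventory has never seen.

```python
"""Dark-space detection: let the configs you have point at the devices you lack."""
import ipaddress

# Constructed inventory: the configs collected so far, reduced to the facts
# the check needs (interface addresses and static routes as (dest, next hop)).
DEVICES = {
    "core-rtr1": {
        "interfaces": ["10.0.0.1/30", "10.1.0.1/24"],
        "static_routes": [("192.168.50.0/24", "10.0.0.2"),
                          ("0.0.0.0/0", "10.1.0.254")],
    },
    "edge-fw1": {
        "interfaces": ["10.0.0.2/30", "203.0.113.1/29"],
        "static_routes": [("10.0.0.0/8", "10.0.0.1")],
    },
}


def owned_addresses(devices):
    """Every interface address we hold a config for, mapped to its owner."""
    return {
        ipaddress.ip_interface(cidr).ip: name
        for name, dev in devices.items()
        for cidr in dev["interfaces"]
    }


def connected_networks(devices):
    """Subnets that some collected device is directly attached to."""
    return {
        ipaddress.ip_interface(cidr).network
        for dev in devices.values()
        for cidr in dev["interfaces"]
    }


def find_dark_space(devices):
    """Return (unknown_next_hops, unmapped_destinations).

    unknown_next_hops: next-hop address -> devices that route through it,
    for hops no collected device owns (a router we have no config for).
    unmapped_destinations: routed networks overlapping no connected subnet
    (a part of the network we route to but have never mapped).
    """
    owners = owned_addresses(devices)
    connected = connected_networks(devices)
    unknown_hops = {}
    unmapped = set()
    for name, dev in devices.items():
        for dest, next_hop in dev["static_routes"]:
            hop = ipaddress.ip_address(next_hop)
            if hop not in owners:
                unknown_hops.setdefault(str(hop), []).append(name)
            net = ipaddress.ip_network(dest)
            if net.prefixlen == 0:
                continue  # a default route claims nothing specific
            if not any(net.overlaps(c) for c in connected):
                unmapped.add(str(net))
    return unknown_hops, sorted(unmapped)


if __name__ == "__main__":
    hops, nets = find_dark_space(DEVICES)
    for hop, users in hops.items():
        print(f"known unknown: next hop {hop} used by {', '.join(users)}, no config collected")
    for net in nets:
        print(f"known unknown: {net} is routed to but attached to no collected device")
```

On the constructed data the report names one router (10.1.0.254, core-rtr1's default gateway) and one subnet (192.168.50.0/24) that the map cannot place; both are targets for the next collection round rather than guesses. The same idea extends to ARP and neighbour tables, which name even more unowned addresses.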
Second gear: test elements
- RedSeal includes over 100 basic single-device tests: vendor supplied passwords, insecure management protocols, industry-wide best practice checks
- We find around 10 issues per device
- Lesson 2: all configurations need to be checked
- But element testing isn't enough ...
Third gear: test the system
- Testing elements is easy
- Testing whole systems is hard, for humans
- Automation works, if you can tell the machine what your objectives are
Zone defense in practice
- Main PKI site, plus disaster recovery
- Strict access controls expected
(Figure: zones Internet, Cert Authority, Cert Admins, WAN to Extranet, DR Site)
Unexpected access
- Testing the system end to end
- People set the objectives; automation compares them to the "as built"
- Red arrow means something is wrong
Drill down to see the exception
- Many interacting elements
- Something went wrong
Pin-point root cause
- In this case, three gaps: one for a telecommuter who left 8 years ago, two more for "temporary" testing
- Lost among thousands of details
(Figure: Access Found; "Subway Map" showing the path; flow through one hop; specific rules)
How did this happen?
- A network built with care, by people who knew what they were doing
- Repeated audits, over years
- How did the error survive? Complexity
- Lesson 3: zone defense is easy for computers
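The zone check from the slides above (objectives set by people, "as built" access computed by the machine, root cause traced to specific rules), as an added example that is not RedSeal's analysis engine. Zones, the ordered firewall rule base and the intended policy are constructed to mirror the PKI scenario; 198.51.100.0/24 stands in for "the Internet", and the three stray permits play the ex-telecommuter and the two "temporary" test rules.

```python
"""Zone-defense check: intended access policy vs. what the rules actually grant."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    line: int               # position in the policy; first match wins
    action: str             # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]     # None means any destination port


def net(cidr):
    return ipaddress.ip_network(cidr)


ZONES = {
    "Internet": net("198.51.100.0/24"),      # constructed stand-in for public space
    "Cert Authority": net("10.10.0.0/24"),
    "Cert Admins": net("10.20.0.0/24"),
    "WAN to Extranet": net("172.16.0.0/16"),
    "DR Site": net("10.30.0.0/24"),
}

# Constructed "as built" rule base, evaluated top to bottom.
RULES = [
    Rule(1, "permit", net("10.20.0.0/24"), net("10.10.0.0/24"), None),
    Rule(2, "permit", net("10.10.0.0/24"), net("10.30.0.0/24"), None),
    Rule(3, "permit", net("10.30.0.0/24"), net("10.10.0.0/24"), None),
    Rule(4, "permit", net("198.51.100.77/32"), net("10.10.0.0/24"), None),  # ex-telecommuter
    Rule(5, "permit", net("172.16.5.0/24"), net("10.10.0.0/24"), 8080),     # "temporary" test
    Rule(6, "permit", net("172.16.9.10/32"), net("10.10.0.0/24"), 22),      # "temporary" test
    Rule(7, "deny", net("0.0.0.0/0"), net("0.0.0.0/0"), None),
]

# The objective people set: the only zone pairs that should talk.
ALLOWED = {
    ("Cert Admins", "Cert Authority"),
    ("Cert Authority", "DR Site"),
    ("DR Site", "Cert Authority"),
}


def intersect(a, b):
    """Common part of two networks, or None when they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def first_match(rules, src, dst, port):
    for r in rules:
        if src in r.src and dst in r.dst and (r.port is None or r.port == port):
            return r
    return None


def access_found(rules, src_zone, dst_zone):
    """Lines of permit rules that really carry a flow from src_zone to dst_zone.

    Every permit rule overlapping both zones proposes a witness flow; it
    counts only if first-match evaluation lands on that same rule, so an
    earlier deny covering the witness is respected.
    """
    hits = []
    for r in rules:
        if r.action != "permit":
            continue
        s = intersect(r.src, src_zone)
        d = intersect(r.dst, dst_zone)
        if s is None or d is None:
            continue
        port = r.port if r.port is not None else 443
        if first_match(rules, s.network_address, d.network_address, port) is r:
            hits.append(r.line)
    return hits


def audit(rules=RULES, zones=ZONES, allowed=ALLOWED):
    """(src zone, dst zone) -> offending rule lines for every unintended access."""
    unexpected = {}
    for a in zones:
        for b in zones:
            if a == b or (a, b) in allowed:
                continue
            lines = access_found(rules, zones[a], zones[b])
            if lines:
                unexpected[(a, b)] = lines
    return unexpected


if __name__ == "__main__":
    for (a, b), lines in audit().items():
        print(f"UNEXPECTED {a} -> {b}: granted by rule line(s) {lines}")
```

The output is the red arrow and the drill-down in one step: two unexpected pairs into the Cert Authority zone, traced to rule lines 4, 5 and 6. The witness-flow method is sound (every reported access is a real permitted flow) but not exhaustive; a rule partly shadowed by an earlier deny can hide a flow it still allows, and a production engine does set-level rule subtraction instead.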
Fourth gear: measure risk
- Once you understand access, you can prioritize vulnerabilities
- Run attack simulations; see what's easiest to break into
- Score using Risk = Value * Ease of Exploit
Virtual Attack Simulation: a real example
(Figure: zones Internet, DMZ, Main Site)
Step 1 - Vulnerabilities exposed in DMZ
- Attackers can reach these exposed servers
Step 2 - Some attack paths sneak in
- Just a few pivot attacks are possible
Step 3 - Attack fans out
- Attackers can get in if they find this first!
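The three steps above and the "Risk = Value * Ease of Exploit" scoring from the fourth-gear slide, run as one attack simulation. This is an added example, not RedSeal's simulator: the hosts, the "who can reach a vulnerable port on whom" edges (what a reachability analysis of the rule base would hand over) and the per-host exploitability values are constructed, and defining a host's ease as the best attack path's product of per-hop exploitabilities is this editor's simplification.

```python
"""Attack simulation over a reachability graph, scored Risk = Value * Ease of Exploit."""
import heapq

# Constructed: ease of exploit in [0, 1] from each host's worst exposed
# vulnerability (0 = nothing exploitable) and the asset's business value.
HOSTS = {
    "dmz-web":    {"ease": 0.9, "value": 2},
    "dmz-mail":   {"ease": 0.6, "value": 2},
    "dmz-dns":    {"ease": 0.0, "value": 1},
    "app-1":      {"ease": 0.5, "value": 5},
    "db-1":       {"ease": 0.7, "value": 10},
    "fileserver": {"ease": 0.8, "value": 8},
}

# Constructed reachability: (attacker position, host whose vulnerable port it can reach).
EDGES = [
    ("internet", "dmz-web"), ("internet", "dmz-mail"), ("internet", "dmz-dns"),
    ("dmz-web", "app-1"), ("dmz-mail", "app-1"), ("dmz-dns", "db-1"),
    ("app-1", "db-1"), ("app-1", "fileserver"),
]


def attack_simulation(hosts=HOSTS, edges=EDGES, source="internet"):
    """Best-case-for-the-attacker ease of reaching every host, plus scoring.

    Ease of a host is the maximum over attack paths of the product of the
    per-hop exploitabilities. All factors are <= 1, so the maximum-product
    search is Dijkstra on -ease; hosts with ease 0 never become pivots.
    """
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    ease = {source: 1.0}
    via = {source: None}
    heap = [(-1.0, source)]
    while heap:
        neg, here = heapq.heappop(heap)
        if -neg < ease[here]:
            continue  # stale queue entry
        for nxt in adj.get(here, []):
            cand = -neg * hosts[nxt]["ease"]
            if cand > ease.get(nxt, 0.0):
                ease[nxt] = cand
                via[nxt] = here
                heapq.heappush(heap, (-cand, nxt))
    del ease[source]

    def path(h):
        p = []
        while h is not None:
            p.append(h)
            h = via[h]
        return p[::-1]

    paths = {h: path(h) for h in ease}
    risk = {h: hosts[h]["value"] * e for h, e in ease.items()}
    ranked = sorted(risk, key=risk.get, reverse=True)
    # Fan-out: how many other compromised hosts have this host on their best path.
    chokepoints = {h: sum(1 for other, p in paths.items() if other != h and h in p)
                   for h in ease}
    return {"ease": ease, "risk": risk, "ranked": ranked,
            "path": paths, "chokepoints": chokepoints}


if __name__ == "__main__":
    r = attack_simulation()
    for h in r["ranked"]:
        print(f"{h:11s} risk={r['risk'][h]:.2f} ease={r['ease'][h]:.3f} "
              f"path={' -> '.join(r['path'][h])}")
    worst = max(r["chokepoints"], key=r["chokepoints"].get)
    print(f"fan-out point: {worst} opens {r['chokepoints'][worst]} more hosts")
```

Read the output against the three steps: the DMZ servers are reachable from the Internet (step 1), only two of them are exploitable enough to pivot from and only one pivot reaches app-1 on a good path (step 2), and once app-1 falls the database and file server follow (step 3). The ranking puts db-1 first even though it is three hops deep, because value outweighs the extra hop; that is the prioritization the slide is after.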
Risk metric dashboards
- How easily can attackers get in?
- How big is my attack surface?
- How much is undocumented?
Lesson 4: Metrics that matter
- Defensive posture CAN be measured
- This drives to better outcomes: measure posture => improved posture
- You can sleep better: demonstrate effectiveness, not busyness
Making lemonade
- Continuous Monitoring is now possible, and a good idea, and mandated
- Automation is far easier than human effort
- But you still need to write rules
- There's another process you can leverage: the Change Review Board
Optimized change process
- Big win: record intent up front, in the Risk Assessment
- Use software as the "catcher's mitt" to detect drift
(Figure, flow: Enterprise "I want" -> Change request -> Risk assessment, where Security Oversight says "Yes" or "Yes, but" -> Implementation "How" by Network Ops -> Continuous monitoring -> Compliance report, "OK" or "Not OK")
Optimized change process, automated
(Figure: the same flow, with the risk assessment details auto-computed from the change request and the compliance report produced by continuous monitoring and automated assessment)
Conclusions
Continuous Monitoring is:
1. A good idea
2. Mandatory
3. Impossible with human effort alone
4. Easy with automation
- Networks multiply the complexity
- Automated risk assessment is key
- Four gears: Gather & Map, Test Elements, Test the System, Measure Risk