
Continuous Monitoring with the 20 Critical Security Controls


Presentation Transcript


  1. Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO

  2. We called 2013 the year of the data breach…

  3. …but 2014 started in much the same spirit…

  4–6. Background • Open System Administration Channels • Default and Weak Passwords • End-user has Admin Privileges • Outdated Software Versions • Non-Hardened Configurations => Flaws in System Administration

  7–14. Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets

  15–16. 5 Tenets – 20 CSC • Offense informs Defense • Prioritization • Metrics • Continuous Diagnostics and Mitigation • Automation

  17–20. Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets • Prioritized • Implementation Guidelines = Quick Wins, Visibility/Attribution, Configuration/Hygiene, Advanced

  21–22. Implementation Guidelines • Quick Win 1 – Control 1 – HW Inventory • Implement an automated discovery engine (active/passive) • Quick Win 3 – Control 2 – SW Inventory • Scan for deviations from the approved list • Quick Win 3 – Control 3 – Secure Configurations • Limit admin privileges • Quick Win 10 – Control 4 – Vulnerability Scanning • Risk-rate by groups

  23. Implementation Guidelines • Measure Success • Control 1: Detect new machines within 24 hours • Control 1: How many unauthorized machines are on the network? • Control 2: How many unauthorized software packages are installed? • Control 3: What percentage of machines do not run an approved image? • Control 4: What percentage of machines have not been scanned recently (within 3 days)?


  26–27. Implementing Quick Wins - Prototype – data loaded into Splunk • Logins – user, date, type • Scans – user, date, type, target, duration • Reports – user, date, type, duration, size • Hosts – machine, date, active, fixed, severity counts, scores • Vulnerabilities – id, severity, cvss, age • Software – name, publisher • Certificates – subject, valid date, signer, self-signed • Ports – date, ports

  28. Implementing Quick Wins - Prototype • QualysGuard, API, PERL, Splunk • Daily Authenticated Scan of Network • Scripted API Access and Load • Data Transformation in Scripts • Scoring – Dept. State CVSS based • Data Promotion • Software, Patches, MAC address • Splunk for Reports and Graphing

  29–30. CSC1 – HW Inventory - Quick Win 1 • Deploy Asset Inventory Discovery Tool (active/passive) • Goal: Discover new machines within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Machines • ~ where the earliest scandate is within the last day

  31–35. CSC2 – SW Inventory - Quick Win 3 • Discover Unauthorized Software • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Server Ports • ~ where the earliest scandate is within the last day • Query Splunk for new Software • ~ where the earliest scandate is within the last day • Can be Alerted On

  36–38. CSC3 – Secure Configuration • Automation: Discover Non-Standard Setups • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for a certain Software Marker • Here: “Qualys Desktop Build” – a custom SW package that identifies our IT standard builds; a machine whose inventory lacks the marker is not running the standard build • Can be Alerted On
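The Splunk queries on slides 29–38 (new machines, new server ports, new software, machines missing the standard-build marker) and the slide 23 metrics all reduce to one pattern: take the daily per-host snapshots, compute the earliest or latest scandate per key, and compare it with a time window. The script below is an added illustration of that pattern in plain Python; it is not code from the talk or from Qualys. The snapshot records and host names are constructed, the publisher attached to the “Qualys Desktop Build” marker is assumed, and the SPL fragments in the comments are approximate equivalents, not queries taken from the presentation.

```python
"""Continuous-monitoring checks over daily scan snapshots (added example).

Each record is one host as seen by one daily authenticated scan, with the
list-valued fields from the slide 26-27 data model (ports, software).
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Marker package from slides 36-38; the publisher string is an assumption.
MARKER = ("Qualys Desktop Build", "Qualys")

# Constructed sample snapshots: three days of scans for a small network.
SNAPSHOTS = [
    {"host": "ws-01", "scandate": "2014-02-24T02:00:00+00:00", "ports": [135, 445],
     "software": [("Microsoft Office", "Microsoft"), MARKER]},
    {"host": "ws-01", "scandate": "2014-02-25T02:00:00+00:00", "ports": [135, 445],
     "software": [("Microsoft Office", "Microsoft"), MARKER]},
    # Day 3: ws-01 starts listening on 3389 and has a new package installed.
    {"host": "ws-01", "scandate": "2014-02-26T02:00:00+00:00", "ports": [135, 445, 3389],
     "software": [("Microsoft Office", "Microsoft"), MARKER, ("TeamViewer", "TeamViewer GmbH")]},
    # ws-02 lacks the standard-build marker and has not been scanned for days.
    {"host": "ws-02", "scandate": "2014-02-22T02:00:00+00:00", "ports": [135, 445],
     "software": [("Microsoft Office", "Microsoft")]},
    # lab-07 appears for the first time on day 3.
    {"host": "lab-07", "scandate": "2014-02-26T02:00:00+00:00", "ports": [22],
     "software": [("OpenSSH", "OpenBSD")]},
]
NOW = datetime(2014, 2, 26, 12, 0, tzinfo=timezone.utc)  # time the alert job runs


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def first_seen_hosts(records: list[dict]) -> dict[str, datetime]:
    """Earliest scandate per host.  SPL: ... | stats earliest(scandate) BY host"""
    first: dict[str, datetime] = {}
    for r in records:
        t = _ts(r["scandate"])
        if r["host"] not in first or t < first[r["host"]]:
            first[r["host"]] = t
    return first


def first_seen_items(records: list[dict], field: str) -> dict[tuple, datetime]:
    """Earliest scandate per (host, item) for a list-valued field such as ports."""
    first: dict[tuple, datetime] = {}
    for r in records:
        t = _ts(r["scandate"])
        for item in r[field]:
            key = (r["host"], item)
            if key not in first or t < first[key]:
                first[key] = t
    return first


def latest_snapshot(records: list[dict]) -> dict[str, dict]:
    """Most recent record per host.  SPL: ... | stats latest(*) BY host"""
    latest: dict[str, dict] = {}
    for r in records:
        if r["host"] not in latest or _ts(r["scandate"]) > _ts(latest[r["host"]]["scandate"]):
            latest[r["host"]] = r
    return latest


def new_hosts(records, now, window=timedelta(days=1)) -> set[str]:
    """CSC1: hosts whose earliest scandate is within the window (slides 29-30).
    SPL: ... | stats earliest(scandate) AS first BY host | where first > relative_time(now(), "-1d")"""
    return {h for h, t in first_seen_hosts(records).items() if t >= now - window}


def new_items(records, field, now, window=timedelta(days=1)) -> set[tuple]:
    """(host, item) pairs first observed inside the window.  Brand-new hosts are
    skipped: every port and package on them is 'new', and they are already
    reported by new_hosts()."""
    fresh = new_hosts(records, now, window)
    return {k for k, t in first_seen_items(records, field).items()
            if t >= now - window and k[0] not in fresh}


def new_ports(records, now, window=timedelta(days=1)) -> set[tuple]:
    """CSC2: new listening ports (slides 31-35)."""
    return new_items(records, "ports", now, window)


def new_software(records, now, window=timedelta(days=1)) -> set[tuple]:
    """CSC2: new (name, publisher) packages (slides 31-35)."""
    return new_items(records, "software", now, window)


def non_standard_hosts(records, marker=MARKER) -> set[str]:
    """CSC3: hosts whose latest inventory lacks the standard-build marker (slides 36-38).
    In practice scope this to the desktop asset group, or servers will all be flagged."""
    return {h for h, r in latest_snapshot(records).items() if marker not in r["software"]}


def stale_hosts(records, now, max_age=timedelta(days=3)) -> set[str]:
    """CSC4 metric (slide 23): hosts not scanned within max_age."""
    return {h for h, r in latest_snapshot(records).items() if _ts(r["scandate"]) < now - max_age}


def percent_unscanned(records, now, max_age=timedelta(days=3)) -> float:
    hosts = latest_snapshot(records)
    return 100.0 * len(stale_hosts(records, now, max_age)) / len(hosts)


if __name__ == "__main__":
    print("new hosts:      ", sorted(new_hosts(SNAPSHOTS, NOW)))
    print("new ports:      ", sorted(new_ports(SNAPSHOTS, NOW)))
    print("new software:   ", sorted(new_software(SNAPSHOTS, NOW)))
    print("non-standard:   ", sorted(non_standard_hosts(SNAPSHOTS)))
    print("stale (>3d):    ", sorted(stale_hosts(SNAPSHOTS, NOW)))
    print("% not scanned:  ", round(percent_unscanned(SNAPSHOTS, NOW), 1))
```

The same `first_seen_items` helper covers the other change types slide 45 lists for alerting (certificates, vulnerability ids): any list-valued field whose earliest appearance falls inside the window is an addition. The one caveat worth keeping in mind is that the window must be measured against the scan date stored with the record, not the time the record was loaded into Splunk, or a delayed API load will make old findings look new.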

  39–42. Further Uses and Projects • Plot Progress for a Machine • Plot Progress for a Network

  43. Other Operational Reports • Usage Reporting • User Logins • API Logins • Reports • Anomaly Detection • GeoIP


  45. Beyond Prototyping • Continuous Monitoring • Alert on Additions & Changes • Machines • Vulnerabilities • Ports • Certificates • Simple Configuration

  46. Questions? • wkandek@qualys.com • @wkandek • http://laws.qualys.com
