460 likes | 587 Views
Continuous Monitoring with the 20 Critical Security Controls. SPO1-W02. Wolfgang Kandek CTO. We called 2013 the year of the data breach…. …but 2014 started in much the same spirit…. Background. Open System Administration Channels Default and Weak Passwords End-user has Admin Privileges
E N D
Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO
Background Open System Administration Channels Default and Weak Passwords End-user has Admin Privileges Outdated Software Versions
Background Open System Administration Channels Default and Weak Passwords End-user has Admin Privileges Outdated Software Versions Non-Hardened Configurations => Flaws in System Administration
Solution 20 Critical Security Controls What works in Security?
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industryexpert input
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industryexpert input • International Participation
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industryexpert input • International Participation
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets
5 Tenets 20 CSC Offense informs Defense Prioritization Metrics Continuous Diagnostics and Mitigation Automation
5 Tenets 20 CSC Offense informs Defense Prioritization Metrics Continuous Diagnostics and Mitigation Automation
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets • Prioritized
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets • Prioritized
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets • Prioritized • Implementation Guidelines
Solution • 20 Critical Security Controls • What works in Security? • Owned by the Council on Cybersecurity • With widespread industry expert input • International Participation • 5 Tenets • Prioritized • Implementation Guidelines = Quick Wins, Visibility/Attribution, Configuration/Hygiene, Advanced
Implementation Guidelines • Quick Win 1 - Control 1 – HW Inventory • Implement an automated discovery engine (active/passive) • Quick Win 3 – Control 2 – SW Inventory • Scan for Deviations from Approved List • Quick Win 3 – Control 3 – Secure Configurations • Limit Admin privileges • Quick Win 10 – Control 4 – Vulnerability Scanning • Risk rate by groups
Implementation Guidelines • Measure Success • Control 1: Detect new machines in 24 hours • Control 1: How many unauthorized machines on network? • Control 2: How many unauthorized software packages installed? • Control 3: Percentage of machines that do not run an approved image ? • Control 4: Percentage of machines not scanned recently (3d)?
Implementing Quick Wins - Prototype QualysGuard, API, PERL, Splunk Daily Authenticated Scan of Network Scripted API Access and Load
Implementing Quick Wins - Prototype Logins - user, date, type Scans - user, date, type, target, duration Reports - user, date, type, duration, size Hosts – machine, date, active, fixed, severity counts, scores Vulnerabilities – id, severity, cvss, age Software – name, publisher Certificates – subject, validdate, signer, self-signed Ports – date, ports
Implementing Quick Wins - Prototype Logins - user, date, type Scans - user, date, type, target, duration Reports - user, date, type, duration, size Hosts – machine, date, active, fixed, severity counts, scores Vulnerabilities – id, severity, cvss, age Software – name, publisher Certificates – subject, validdate, signer, self-signed Ports – date, ports
Implementing Quick Wins - Prototype • QualysGuard, API, PERL, Splunk • Daily Authenticated Scan of Network • Scripted API Access and Load • Data Transformation in Scripts • Scoring – Dept. State CVSS based • Data Promotion • Software, Patches, MAC address • Splunk for Reports and Graphing
CSC1 – HW Inventory - Quick Win 1 • Deploy Asset Inventory Discovery Tool (active/passive) • Goal: Discover new machines within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Machines • ~ where the earliest scandate is within the last day
CSC1 – HW Inventory - Quick Win 1 Asset Inventory Discovery Tool (active/passive) Discover new machines within 24 hours Daily Active Scan of the Network -> Splunk Query Splunk for new Machines
CSC2 – SW Inventory - Quick Win 3 • Discover Unauthorized Software • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Server Ports • ~ where the earliest scandate is within the last day
CSC2 – SW Inventory - Quick Win 3 • Discover Unauthorized Software • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk
CSC2 – SW Inventory - Quick Win 3 • Discover Unauthorized Software • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Software • ~ where the earliest scandate is within the last day
CSC2 – SW Inventory - Quick Win 3 • Discover Unauthorized Software • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Server Ports • ~ where the earliest scandate is within the last day • Query Splunk for new Software
CSC2 – SW Inventory - Quick Win 3 • Discover Unauthorized Software • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for new Software • ~ where the earliest scandate is within the last day • Can be Alerted On
CSC3 – Secure Configuration • Automation: Discover Non Standard Setups • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for certain SoftwareMarker • Here: “Qualys Desktop Build” – which is a custom SW packagethat identifies our IT standard builds
CSC3 – Secure Configuration • Automation: Discover Non Standard Setups • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for certain SoftwareMarker • Here: “Qualys Desktop Build” – which is a custom SW packagthat identifies out IT standard builds
CSC3 – Secure Configuration • Automation: Discover Non Standard Setups • Goal: Within 24 hours • Daily Active Scan of the Network -> Splunk • Query Splunk for certain Software Marker • Here: “Qualys Desktop Build” – which is a custom SW package that identifies out IT standard builds • Can be Alerted On
Further Uses and Projects Plot Progress for a Machine
Further Uses and Projects Plot Progress for a Machine
Further Uses and Projects Plot Progress for a Machine Plot Progress for a Network
Further Uses and Projects Plot Progress for a Machine
Other Operational Reports • Usage Reporting • User Logins • API Logins • Reports • Anomaly Detection • GeoIP
Other Operational Reports • Usage Reporting • User Logins • API Logins • Reports • Anomaly Detection • GeoIP
Beyond Prototyping • Continuous Monitoring • Alert on Additions & Changes • Machines • Vulnerabilities • Ports • Certificates • Simple Configuration