QUALYS
Cybersecurity incident response
planning and scenarios
ISACA,
Ljubljana, March 2015
Andrej Vnuk
Number of attacks is growing
Ponemon Institute© Research Report
Exponential growth …
• New ransomware
• New malware
Source: McAfee Threat Report Q2 2013
Exponential growth…
Most common types of attacks
• Types of cyber attacks experienced by 257 benchmarked companies from 7 countries (USA, UK, F, D, AUS, JAP, RUS)
Ponemon Institute© Research Report
The prevalent threats in Slovenia
• Malware (Viruses, Worms, Trojans, Root-kits, …)
• Botnets
• Phishing & SE
• Web-based attacks
• Is the existing technology (FW, AV, IPS, NAC, …) efficient enough? How to improve it without replacing it? How to improve the security posture if your resources are limited?
Better prevent than cure …
• More than 90% of successful attacks are due to vulnerable systems and/or applications!
• Automated vulnerability detection and management:
– System vulnerabilities (computers, network devices, system SW, certificates, …)
– Web applications
• Pen-testing
• Source code auditing
… and better monitor than getting surprised!
• Ideally: log all events from all sources, correlate them, recognize incidents, alert in real time, prioritize and solve issues!
• Obstacles in the real world:
– Funds
– Human resources
– Absence of metrics to plan such solutions
• SIEM “incarnations”:
– “proper” SIEM: collects all events, acts upon normalized (filtered) data
– “expanded” SIEM: acts upon ALL data, able to recognize yet unknown types of attacks AND/OR react to incidents via some management platform
– “minimized” SIEM: integral part of a solution, producing SIEM-like functionality for that particular solution
Continuous Attacks / Changes
Attackers scan / attack you continuously
• New machines are probed within minutes
• Vulnerable machines are exploited within hours
• Toxic combinations expose your data
• Vectors for further infections
• Zero-days / race to the finish line
Controls change at network speed
Any process run by people eventually fails
Securing the Global Enterprise
A Problem of Scale and Accuracy
Diagram labels: Outdated software, Access privileges, Vulnerabilities, Coding weaknesses, Misconfigurations, Threats, Incomplete inventory, Social media, Dispersed IT assets, data and networks, The extended enterprise
SANS TOP 20 Critical Security Controls – ver.5, March 2014
Qualys solution for Very-high to Mid-high SANS Critical Controls
Traditional Approach
1. Scan
– Periodic scanning
2. Report
– Review and act based on static reports
– Sort/prioritize through heaps of data
3. Repeat
Then wait until the next time you scan and repeat the entire process again and again – this simply doesn’t scale,
leaving plenty of time for hackers ...
What Is Needed
Your security/audit teams should have tools
& processes at least as good as your attackers.
Continuous Assessment
Comprehensive Analysis
Timely Action
Why Continuous Monitoring / Auditing?
Don’t let the hackers have a better view of your
systems than you do!
How Continuous Monitoring Works
Leverage Existing Scans
Nothing new required – just scan as normal
Leverage Qualys’ global cloud infrastructure scale as needed
Define Your Needs
Whitelists and blacklists of ports, OSes, certificate providers, etc.
Important changes – new hosts added, certificates nearing expiration, etc.
Inform Via Alerts
Distribute email alerts to any users or systems that need to know
Alerts sent as often as every 5 minutes or grouped every day/week
Why is Continuous Monitoring Unique?
Truly Continuous Monitoring
– Scan as often as needed with only a browser required.
– Keeps your security team ahead of attackers.
Automates Analysis
– Define how your business works; the system will then find vulnerabilities, misconfigurations, and process problems automatically.
Drives Action
– Timely and targeted alerts to ensure you’re protected.
– Drive action before a breach occurs!
Event Integration
– API for SIEM (including Splunk and HP ArcSight)
– Common Event Format (CEF) support
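The “Define Your Needs” / “Inform Via Alerts” slides above and the CEF integration point describe a rule engine: compare the latest scan snapshot with the previous one, apply allow-lists (ports, operating systems, certificate lifetime), and push the resulting alerts to a SIEM. The block below is an added illustration written for this page, not Qualys code and not a real product schema: the snapshot layout, policy keys, finding ids and vendor/product strings are all constructed assumptions. It distinguishes change-based rules (new host, newly exposed port, new finding) from state-based rules (disallowed OS, certificate nearing expiry), and serialises alerts as CEF:0 lines with the header and extension escaping the format requires.

```python
"""Minimal continuous-monitoring rule engine (constructed example).

Compares two asset snapshots (as a scanner would deliver them), applies an
allow-list policy and emits alerts, optionally serialised as CEF lines for a
SIEM. Snapshot layout, policy keys and finding ids are assumptions.
"""
from datetime import date

TODAY = date(2015, 3, 10)  # constructed "now" so the run is reproducible

POLICY = {
    "allowed_ports": {22, 443},                       # anything else newly exposed is reported
    "allowed_os_prefixes": ("Ubuntu", "Windows Server"),
    "cert_warn_days": 30,                             # warn when a cert expires within this window
}

# Constructed snapshots: hostname -> observed state. Finding ids are placeholders.
PREVIOUS = {
    "web-01": {"os": "Ubuntu 14.04", "ports": {22, 443},
               "cert_expiry": "2015-09-01", "findings": {"FINDING-1"}},
    "db-01": {"os": "Windows Server 2012", "ports": {1433},
              "cert_expiry": None, "findings": set()},
}
CURRENT = {
    "web-01": {"os": "Ubuntu 14.04", "ports": {22, 443, 8080},
               "cert_expiry": "2015-03-20", "findings": {"FINDING-1", "FINDING-2"}},
    "db-01": {"os": "Windows Server 2012", "ports": {1433},
              "cert_expiry": None, "findings": set()},
    "lab-07": {"os": "FreeBSD 10", "ports": {22, 8443},
               "cert_expiry": None, "findings": set()},
}


def evaluate(previous, current, policy, today):
    """Return alert dicts for policy-relevant changes and states, ordered by host."""
    alerts = []
    for host in sorted(current):
        now = current[host]
        before = previous.get(host, {"ports": set(), "findings": set()})
        # change-based rules: only fire when something differs from the last snapshot
        if host not in previous:
            alerts.append({"sig": "NEW_HOST", "name": "New host discovered",
                           "sev": 5, "host": host, "ext": {"msg": now["os"]}})
        for port in sorted(now["ports"] - before["ports"] - policy["allowed_ports"]):
            alerts.append({"sig": "NEW_PORT", "name": "Newly exposed port outside allow-list",
                           "sev": 7, "host": host, "ext": {"dpt": str(port)}})
        for finding in sorted(now["findings"] - before["findings"]):
            alerts.append({"sig": "NEW_FINDING", "name": "New vulnerability finding",
                           "sev": 8, "host": host, "ext": {"msg": finding}})
        # state-based rules: fire on every run while the condition holds
        if not now["os"].startswith(policy["allowed_os_prefixes"]):
            alerts.append({"sig": "OS_NOT_ALLOWED", "name": "Operating system outside allow-list",
                           "sev": 6, "host": host, "ext": {"msg": now["os"]}})
        if now["cert_expiry"]:
            days_left = (date.fromisoformat(now["cert_expiry"]) - today).days
            if days_left <= policy["cert_warn_days"]:
                alerts.append({"sig": "CERT_EXPIRING", "name": "Certificate nearing expiration",
                               "sev": 4 if days_left > 0 else 9, "host": host,
                               "ext": {"msg": f"expires in {days_left} days"}})
    return alerts


def _esc_header(s):
    # CEF header fields escape backslash and the pipe separator
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    # CEF extension values escape backslash and the key/value separator
    return s.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(alert, vendor="ExampleVendor", product="ContinuousMonitor", version="1.0"):
    """Serialise one alert as a CEF:0 line: CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext."""
    header = "|".join(_esc_header(x) for x in
                      (vendor, product, version, alert["sig"], alert["name"], str(alert["sev"])))
    ext = {"dhost": alert["host"], **alert["ext"]}
    ext_str = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{ext_str}"


if __name__ == "__main__":
    for a in evaluate(PREVIOUS, CURRENT, POLICY, TODAY):
        print(to_cef(a))
```

Running the block against the constructed snapshots yields six alerts (three for the newly seen lab-07 host, three for web-01); feeding the same snapshot in as both “previous” and “current” leaves only the two state-based alerts, which is the behaviour you want when the alert cadence is every few minutes rather than daily.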
Speed, Accuracy and Scale
– Heartbleed –
Risk
Detection for the Heartbleed vulnerability released within 24 hours
– Free tool to assess site vulnerabilities
– Information about the overall health of a site’s SSL implementation
– Reports detailing enterprise-wide exposure
Blue Chip Global Customer Base
40% of Fortune 500 & 20% of Forbes Global 2000
8 of top 10 in Software
8 of top 10 in Technology
6,700+ Customers
70% have only bought one solution so far
8 of top 10 in Biotechnology
8 of top 10 in Retail
7 of top 10 in Banking
7 of top 10 in Media
6 of top 10 in Telecommunications
6 of top 10 in Chemical
6 of top 10 in Car Manufacturing
5 of top 10 in Business Services
Based on Forbes Global 2000 Classification.
QUALYS
Cybersecurity incident response planning
and scenarios
Thank you!
ISACA,
Ljubljana, March 2015
Andrej Vnuk