Presentation is loading. Please wait.

Presentation is loading. Please wait.

SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO.

Similar presentations


Presentation on theme: "SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO."— Presentation transcript:

1 SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO

2 #RSAC 2 We called 2013 the year of the data breach…

3 #RSAC 3 …but 2014 started in much the same spirit…

4 #RSAC Background  Open System Administration Channels  Default and Weak Passwords  End-user has Admin Privileges  Outdated Software Versions 4

5 #RSAC Outdated Software Versions 5

6 #RSAC Background  Open System Administration Channels  Default and Weak Passwords  End-user has Admin Privileges  Outdated Software Versions  Non-Hardened Configurations => Flaws in System Administration 6

7 #RSAC Solution  20 Critical Security Controls  What works in Security? 7

8 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input 8

9 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industryexpert input 9

10 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation 10

11 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation 11

12 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industryexpert input  International Participation 12

13 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industryexpert input  International Participation 13

14 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation  5 Tenets 14

15 #RSAC 5 Tenets 20 CSC  Offense informs Defense  Prioritization  Metrics  Continuous Diagnostics and Mitigation  Automation 15

16 #RSAC 5 Tenets 20 CSC  Offense informs Defense  Prioritization  Metrics   Continuous Diagnostics and Mitigation  Automation  16

17 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation  5 Tenets  Prioritized 17

18 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation  5 Tenets  Prioritized 18

19 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation  5 Tenets  Prioritized  Implementation Guidelines 19

20 #RSAC Solution  20 Critical Security Controls  What works in Security?  Owned by the Council on Cybersecurity  With widespread industry expert input  International Participation  5 Tenets  Prioritized  Implementation Guidelines = Quick Wins, Visibility/Attribution, Configuration/Hygiene, Advanced 20

21 #RSAC Implementation Guidelines 21

22 #RSAC Implementation Guidelines  Quick Win 1 - Control 1 – HW Inventory  Implement an automated discovery engine (active/passive)  Quick Win 3 – Control 2 – SW Inventory  Scan for Deviations from Approved List  Quick Win 3 – Control 3 – Secure Configurations  Limit Admin privileges  Quick Win 10 – Control 4 – Vulnerability Scanning  Risk rate by groups 22

23 #RSAC Implementation Guidelines  Measure Success  Control 1: Detect new machines in 24 hours  Control 1: How many unauthorized machines on network?  Control 2: How many unauthorized software packages installed?  Control 3: Percentage of machines that do not run an approved image ?  Control 4: Percentage of machines not scanned recently (3d)? 23

24 #RSAC Implementing Quick Wins - Prototype  QualysGuard, API, PERL, Splunk  Daily Authenticated Scan of Network  Scripted API Access and Load 24

25 #RSAC Implementing Quick Wins - Prototype 25

26 #RSAC Implementing Quick Wins - Prototype  Logins - user, date, type  Scans - user, date, type, target, duration  Reports - user, date, type, duration, size  Hosts – machine, date, active, fixed, severity counts, scores  Vulnerabilities – id, severity, cvss, age  Software – name, publisher  Certificates – subject, validdate, signer, self-signed  Ports – date, ports 26

27 #RSAC Implementing Quick Wins - Prototype  Logins - user, date, type  Scans - user, date, type, target, duration  Reports - user, date, type, duration, size  Hosts – machine, date, active, fixed, severity counts, scores  Vulnerabilities – id, severity, cvss, age  Software – name, publisher  Certificates – subject, validdate, signer, self-signed  Ports – date, ports 27

28 #RSAC Implementing Quick Wins - Prototype  QualysGuard, API, PERL, Splunk  Daily Authenticated Scan of Network  Scripted API Access and Load  Data Transformation in Scripts  Scoring – Dept. State CVSS based  Data Promotion  Software, Patches, MAC address  Splunk for Reports and Graphing 28

29 #RSAC CSC1 – HW Inventory - Quick Win 1  Deploy Asset Inventory Discovery Tool (active/passive)  Goal: Discover new machines within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for new Machines  ~ where the earliest scandate is within the last day 29

30 #RSAC CSC1 – HW Inventory - Quick Win 1  Asset Inventory Discovery Tool (active/passive)  Discover new machines within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for new Machines 30

31 #RSAC CSC2 – SW Inventory - Quick Win 3  Discover Unauthorized Software  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for new Server Ports  ~ where the earliest scandate is within the last day 31

32 #RSAC CSC2 – SW Inventory - Quick Win 3  Discover Unauthorized Software  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk 32

33 #RSAC CSC2 – SW Inventory - Quick Win 3  Discover Unauthorized Software  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for new Software  ~ where the earliest scandate is within the last day 33

34 #RSAC CSC2 – SW Inventory - Quick Win 3  Discover Unauthorized Software  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for new Server Ports  ~ where the earliest scandate is within the last day  Query Splunk for new Software 34

35 #RSAC CSC2 – SW Inventory - Quick Win 3  Discover Unauthorized Software  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for new Software  ~ where the earliest scandate is within the last day  Can be Alerted On 35

36 #RSAC CSC3 – Secure Configuration  Automation: Discover Non Standard Setups  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for certain SoftwareMarker  Here: “Qualys Desktop Build” – which is a custom SW package that identifies our IT standard builds 36

37 #RSAC CSC3 – Secure Configuration  Automation: Discover Non Standard Setups  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for certain SoftwareMarker  Here: “Qualys Desktop Build” – which is a custom SW packag that identifies out IT standard builds 37

38 #RSAC CSC3 – Secure Configuration  Automation: Discover Non Standard Setups  Goal: Within 24 hours  Daily Active Scan of the Network -> Splunk  Query Splunk for certain Software Marker  Here: “Qualys Desktop Build” – which is a custom SW package that identifies out IT standard builds  Can be Alerted On 38

39 #RSAC Further Uses and Projects  Plot Progress for a Machine 39

40 #RSAC Further Uses and Projects  Plot Progress for a Machine 40

41 #RSAC Further Uses and Projects  Plot Progress for a Machine  Plot Progress for a Network 41

42 #RSAC Further Uses and Projects  Plot Progress for a Machine 42

43 #RSAC Other Operational Reports  Usage Reporting  User Logins  API Logins  Reports  Anomaly Detection  GeoIP 43

44 #RSAC Other Operational Reports  Usage Reporting  User Logins  API Logins  Reports  Anomaly Detection  GeoIP 44

45 #RSAC Beyond Prototyping  Continuous Monitoring  Alert on Additions & Changes  Machines  Vulnerabilities  Ports  Certificates  Simple Configuration 45

46


Download ppt "SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO."

Similar presentations


Ads by Google