Vulnerability Management at Scale

Vulnerability Management at Scale
Alexandre Fiori, Production Engineer
Notes: Intro: who I am, what I do, where I work.

Notes: Talk about the landscape: the different infrastructure, services, and products of each app, and their build/release systems.
Facebook: prod, facilities, corp, EE
WhatsApp, Messenger, Instagram: prod, mobile
Oculus: prod, mobile, embedded

Overview
What's this about: the evolution of the Vulnerability Management program at Facebook, the birth of the Production Engineering team that supports the program, and the pragmatic approach taken to build a highly scalable system for an ever-growing environment.

“Facebook was built on an open source stack. We support and encourage the use and development of open source software and hardware.”
Notes: Talk about the pros and cons of open source with regards to security and vulnerabilities.
Pros: public security bulletins and patches
Cons: public vulnerability information impacting the business

Vulnerability Management Timeline
...2015: PCI DSS
2016: Internal scanning tools
2017: Broader network scanning
2018: Reboot, build up
2019: VMaaS
Notes: Take time to go through each bullet point and its short story.
PCI DSS: Payment Card Industry Data Security Standard.
2015: PCI DSS requires a vulnerability management program to exist.
2016: vulnmetrics, aquilles CVE matching.
2017: Extending the network scanner infrastructure to EE.
2018: styx and new pipelines.

2018
Expand the program
Bootstrap a new team from 2 ICs and 1 TPM reporting to a director
Notes: Tell the story of 2018 onwards: how the reboot of the program happened.

New challenge
Scan all infrastructure
Merge scanning technologies
Improve vulnerability matching
Start and track remediation
Manage the remediation lifecycle
Design and build a system to support all companies
Notes:
XFN with teams working in silos, merging tech.
Hire (license) proprietary vulnerability database companies.
Train the security operations team to manage remediation.

Architecture

Mindset
Big data
Scalability and reliability
On-line vs off-line pipelines
Concept validation and XFN
Fast prototype and launch
Notes:
Volume: too much data everywhere; consolidation.
How to scale the system vs people, add features, maintain SLA.
On-line traumas from the detection pipelines: rollout, backfill.
Batches are easier to set up, run, test, scale, and maintain (backfills, etc.).
Validating the concept through XFN, finding early adopters: talk to people.

ETL
Notes: Talk about the concept of extract, transform, load and the parallels with the UNIX philosophy.

Collect, Process, Report
Notes: Talk about the concept of running batch-oriented pipelines, e.g. daily.
Collectors are stateless.
Processors may be stateless or stateful (e.g. they need vulndb, or decorators for domain and first seen).
Reporters are stateful: they need data from previous runs to proceed (e.g. escalate, cleanup).

Collectors
Inventory: applications, operating systems, hardware
Notes: Scan asset inventories and print to standard output.

Processors
Aggregate, scan vulnerabilities, normalize
Notes: Pre-process, scan vulnerabilities, post-process.

Reporters
Validate, escalate, notify, track, cleanup, done
Notes: Reporters manage the escalation lifecycle.

Inventory Classes
Hosted software
Installed software
Running software
Network scanners
Hardware
Notes: The network scanners category already existed but was not integrated. Hosted software and installed software came first.

Vulnerability Database
Public vs proprietary
Multi-vendor system
General purpose datasets
Specialized for ecosystem
Standard format for product->vulnerability matching
Notes:
Proprietary: licensing, restricted use.
General purpose databases: NVD.
OS-oriented: Apple, RedHat (IBM?), Microsoft.
Language / ecosystem: npm, PyPI, NuGet.
Specialized per ecosystem also includes first-party: our own CVEs.

Implementation

Design Principles
Command line tools do one thing
Communicate over a text interface
Core functionality shared as libraries
Composable code, tools, and pipelines
Rely on well-established UNIX conventions

Industry Standard Technology
MITRE / NIST / NVD
Common Platform Enumeration (CPE)
Common Vulnerabilities and Exposures (CVE)
Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)

Infrastructure
Tools, services, data warehouse, dashboards, notifications
Notes:
Tools: our own, internal, open source, generic: grep, sort, jq.
Services: Tupperware tailer, vulndb thrift service.
Using the data warehouse to leverage orchestration, shared filesystem, persistent storage.
The data warehouse provides operational dashboards.
Our system's data is exposed to partners/customers via tables and dashboards.
Notifications include: cases, tasks, alerts.

Notes: What's missing in this diagram:
Internal shenanigans for Tupperware and fbpkg
Post-processing and remediation pipelines
$repo2csv: maven, munki, choco, yum/repoquery

Internal Pipelines
Tupperware
Container images and packages
First-party vs third-party codebase
Bad Binary Hunter and Buck
Attribution from package to service
Notes: None of this is mentioned in the diagram slide.
The Tupperware pipeline uses a tailer + batch job to query all schedulers.
Another pipeline scans internal packages for traces of third-party dependencies: internal packages shipped to the infrastructure carry third-party code inside them.
BBH scans internal packages using Buck and reports their third-party dependencies.
Internal packages are then flagged with the vulnerabilities of those third-party dependencies.

Vulnerability Database Tools
nvdsync and $vendor2nvd
vulndb command line tool
  Uses the NVD CVE JSON 1.0 format
  Manages versioned datasets backed by MySQL
  Supports vendor snapshots, custom CVEs, and snoozes
vulndb thrift service
  CVE lookup and CPE matching
Notes:
nvdsync is open source, an rsync-like tool for NVD datasets.
$vendor2nvd downloads vendor databases and converts them to the NVD CVE JSON 1.0 format.
vulndb stores NVD datasets; vulndb can be open sourced.
Databases are organized by vendor.
Import vendor snapshots, export merged datasets with custom CVEs (custom edits/fixes).
Store snoozes, used by post-processors (well, grep -vf) to snooze certain CVEs per provider and collector.
Thrift service to support UIs and on-demand CVE matching (e.g. vulnquery, "linters").
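What product-to-vulnerability matching over the NVD CVE JSON 1.0 format looks like in practice (the CPE 2.3 URIs and version ranges under `configurations`, the `grep -vf` style snooze filter, and the CWE/CVSS decoration that the Decoration slide lists as post-processing), as an added example written for this page; it is not vulndb, nvdsync or any other Facebook code. The feed, the tab-separated inventory lines, the vendor "example", the CVE-0000-* identifiers and the snooze regex are all constructed placeholders, not real vulnerabilities. It goes one step beyond the slide by also evaluating AND nodes (vulnerable application plus the platform it runs on), which is how NVD expresses platform-dependent findings.

```python
"""Product-to-CVE matching over an NVD CVE JSON 1.0 style feed, then the
grep -vf style snooze filter and the CWE/CVSS decoration pass.

Added example for this page, not vulndb or nvdsync code.  The feed, the
inventory, the vendor "example" and the CVE-0000-* IDs are constructed
placeholders, not real vulnerabilities."""
import json
import re
from collections import defaultdict, namedtuple

Item = namedtuple("Item", "host part vendor product version")

# Constructed feed in the NVD CVE JSON 1.0 layout: CVE_Items, each with cve /
# configurations (the CPE match tree) / impact.  The second entry is an AND
# node, which NVD uses for "vulnerable app running on platform X".
NVD_FEED = json.loads(r'''{"CVE_data_type": "CVE", "CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
          "problemtype": {"problemtype_data": [{"description": [{"value": "CWE-787"}]}]}},
  "configurations": {"CVE_data_version": "4.0", "nodes": [
    {"operator": "OR", "cpe_match": [
      {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:exampleapp:*:*:*:*:*:*:*:*",
       "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.1"}]}]},
  "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
          "problemtype": {"problemtype_data": [{"description": [{"value": "CWE-20"}]}]}},
  "configurations": {"CVE_data_version": "4.0", "nodes": [
    {"operator": "AND", "children": [
      {"operator": "OR", "cpe_match": [
        {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:exampleapp:*:*:*:*:*:*:*:*"}]},
      {"operator": "OR", "cpe_match": [
        {"vulnerable": false, "cpe23Uri": "cpe:2.3:o:example:exampleos:1.0:*:*:*:*:*:*:*"}]}]}]},
  "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5, "baseSeverity": "HIGH"}}}}]}''')

# Constructed collector output, tab separated: host, CPE part, vendor,
# product, version (the text a stateless collector prints to stdout).
INVENTORY = """web01\ta\texample\texampleapp\t2.3.0
web01\to\texample\texampleos\t1.0
web02\ta\texample\texampleapp\t2.4.1
db01\ta\texample\texampleapp\t2.5.0"""

# Constructed snooze list, one regex per entry as grep -vf would read it; the
# first column of a finding line scopes a snooze to one collector.
SNOOZES = [r"^installed_software\t.*\tCVE-0000-0002$"]

RANGE_CHECKS = {"versionStartIncluding": lambda v, b: v >= b, "versionStartExcluding": lambda v, b: v > b,
                "versionEndIncluding": lambda v, b: v <= b, "versionEndExcluding": lambda v, b: v < b}


def version_key(v):
    """Sortable key: numeric parts as ints, the rest as strings.  Assumes
    plain dotted versions (no epochs or distro-specific suffixes)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v)]


def cpe_match_applies(match, item):
    """True when one cpe_match entry (URI plus optional version range)
    describes the inventory item.  Assumes no escaped ':' in the URI."""
    part, vendor, product, version = match["cpe23Uri"].split(":")[2:6]
    if (part, vendor, product) != (item.part, item.vendor, item.product):
        return False
    have = version_key(item.version)
    if version not in ("*", "-"):  # exact version carried in the URI itself
        return have == version_key(version)
    return all(ok(have, version_key(match[k])) for k, ok in RANGE_CHECKS.items() if k in match)


def node_applies(node, items):
    """Evaluate one configuration node against a host's inventory.  Returns the
    items flagged vulnerable when the node applies, else None.  OR needs any
    branch, AND needs every branch; vulnerable:false entries (platforms) count
    for applicability but are never reported themselves."""
    hits, matched = [], []
    for m in node.get("cpe_match", []):
        found = [it for it in items if cpe_match_applies(m, it)]
        hits.append(bool(found))
        if m.get("vulnerable", True):
            matched += found
    for child in node.get("children", []):
        sub = node_applies(child, items)
        hits.append(sub is not None)
        matched += sub or []
    ok = hits and (all(hits) if node.get("operator") == "AND" else any(hits))
    return matched if ok else None


def scan(inventory_text, feed, collector="installed_software"):
    """Processor stage: join the inventory against the feed and emit one text
    line per (collector, host, package, CVE)."""
    hosts = defaultdict(list)
    for line in inventory_text.splitlines():
        item = Item(*line.split("\t"))
        hosts[item.host].append(item)
    out = set()
    for host, items in hosts.items():
        for entry in feed["CVE_Items"]:
            cve = entry["cve"]["CVE_data_meta"]["ID"]
            for node in entry["configurations"]["nodes"]:
                for it in node_applies(node, items) or []:
                    out.add(f"{collector}\t{host}\t{it.vendor}:{it.product}:{it.version}\t{cve}")
    return sorted(out)


def snooze(lines, patterns):
    """Post-processor equivalent of `grep -vf snoozes.txt`."""
    return [line for line in lines if not any(re.search(p, line) for p in patterns)]


def decorate(lines, feed):
    """Decoration pass: append the CWE and CVSS v3 base score of each CVE."""
    meta = {}
    for entry in feed["CVE_Items"]:
        cwe = entry["cve"]["problemtype"]["problemtype_data"][0]["description"][0]["value"]
        meta[entry["cve"]["CVE_data_meta"]["ID"]] = (cwe, entry["impact"]["baseMetricV3"]["cvssV3"]["baseScore"])
    return ["%s\t%s\t%s" % (line, *meta[line.rsplit("\t", 1)[1]]) for line in lines]


if __name__ == "__main__":
    print("\n".join(decorate(snooze(scan(INVENTORY, NVD_FEED), SNOOZES), NVD_FEED)))
```

Run as-is it prints one line: web01's exampleapp 2.3.0 against CVE-0000-0001 with CWE-787 and 9.8 appended. web02 sits exactly on the `versionEndExcluding` boundary and is not flagged, db01 is above the range, and the AND entry only fires on web01 because it is the one host that also carries exampleos 1.0; that finding is then dropped by the snooze. Each stage consumes and emits plain text lines, so any of them can be swapped for a shell tool on the same pipe.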

Decoration
CWE and CVSS
Domain and sub-domain
First seen
Backlog vs influx
Owner (on-call ID or UNIX username)
Threat intelligence
Notes: Decoration is post-processing.

Remediation
Starts from the CVE inventory
Depends on decoration data
Supports a feedback loop (e.g. snoozes)
Understands release cycles per inventory class
Manages escalation and lifecycle
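The stateful reporter described on the Collect/Process/Report, Decoration and Remediation slides (first seen and backlog vs influx from decoration, escalation after the release window of the finding's inventory class, cleanup when a run no longer reports it), as an added example written for this page; it is not the Facebook reporter. The `SLA_DAYS` table, `PROGRAM_START`, the finding lines, the three daily runs and the action names are constructed assumptions; the only thing carried between runs is the previous run's state, which is what makes this stage stateful where collectors are not.

```python
"""Stateful reporter stage of a daily vulnerability pipeline: opens a case
the first time a finding is seen, escalates once it outlives the SLA of its
inventory class, and cleans up when a run no longer reports it.

Added example for this page, not the Facebook reporter.  The SLA table, the
program start date and the finding lines are constructed assumptions."""
import datetime as dt

# Assumed days-to-remediate per inventory class: hosted software ships daily,
# OS packages follow a slower release cycle.
SLA_DAYS = {"hosted_software": 7, "installed_software": 30}
# Findings first seen before the program reboot are backlog, later ones influx.
PROGRAM_START = dt.date(2018, 1, 1)

# Constructed decorated findings, tab separated:
# collector, host, package, CVE, CWE, CVSS score, first seen (from decoration).
FINDING_A = "hosted_software\tweb01\texample:exampleapp:2.3.0\tCVE-0000-0001\tCWE-787\t9.8\t2017-12-20"
FINDING_B = "installed_software\tdb01\texample:examplelib:1.1\tCVE-0000-0002\tCWE-79\t6.1\t2018-02-25"

# Three constructed daily runs: both findings, both again eight days later,
# then only B (A was fixed in between).
RUNS = [
    (dt.date(2018, 3, 1), [FINDING_A, FINDING_B]),
    (dt.date(2018, 3, 9), [FINDING_A, FINDING_B]),
    (dt.date(2018, 3, 10), [FINDING_B]),
]


def parse(line):
    """Split one decorated line; the key is what identifies a finding across runs."""
    collector, host, package, cve, cwe, score, first_seen = line.split("\t")
    return {"key": "\t".join((collector, host, package, cve)), "collector": collector,
            "score": float(score), "first_seen": dt.date.fromisoformat(first_seen)}


def report(state, lines, today):
    """One batch run.  `state` is the previous run's output (finding key ->
    first_seen, status); returns (new_state, actions).  Each action is a text
    line a notifier would turn into a case, task or alert."""
    state = {k: dict(v) for k, v in state.items()}  # never mutate the old run
    seen, actions = set(), []
    for line in lines:
        f = parse(line)
        seen.add(f["key"])
        rec = state.get(f["key"])
        if rec is None:  # new finding: open a case, classify backlog vs influx
            bucket = "backlog" if f["first_seen"] < PROGRAM_START else "influx"
            state[f["key"]] = {"first_seen": f["first_seen"].isoformat(), "status": "open"}
            actions.append(f"open\t{bucket}\t{f['key']}")
            continue
        age = (today - dt.date.fromisoformat(rec["first_seen"])).days
        if rec["status"] == "open" and age > SLA_DAYS[f["collector"]]:
            rec["status"] = "escalated"  # escalate exactly once per finding
            actions.append(f"escalate\t{age}d\t{f['key']}")
    for key in sorted(set(state) - seen):  # absent from today's scan: close it
        del state[key]
        actions.append(f"cleanup\t{key}")
    return state, actions


def simulate(runs=RUNS):
    """Chain the runs, persisting only the previous state between them."""
    state, log = {}, []
    for today, lines in runs:
        state, actions = report(state, lines, today)
        log.extend(f"{today}\t{a}" for a in actions)
    return state, log


if __name__ == "__main__":
    final_state, log = simulate()
    print("\n".join(log))
```

The run prints four actions: two opens on day one (A classified as backlog because its first-seen date predates the program start, B as influx), one escalation of A on day two because it has been open for 79 days against a 7-day window for hosted software, and one cleanup of A on day three when the scan no longer reports it. B never escalates within these runs because installed software gets 30 days. A finding that disappears and later comes back is reopened as new, which is the behaviour you want for regressions.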

Lessons Learned
Normalization, aggregation, and black holes
Per-customer decision trees are burdensome
Handling delays, XFN work, and fine tuning
Task and notification updates are annoying
False positives can compromise credibility

2019: VMaaS

Goals
Self-service system for vulnerability scanning
Custom aggregation defined by collectors
Configurable providers and thresholds
Tier-based service, starting from bronze
Default dashboards and reports per tier
Common CVE inventory for all customers

Progress
XFN partnership with early adopters
Migrated the "hosted software" inventory class
Total of 10+ collectors in operation
Customers fixing bogus CVEs in the database
Snoozes effectively helping fine-tune reports

Next up
Migrate other inventory classes
Improve data quality and detection speed
Tackle backlog via remediation campaigns
Tackle influx via push-blocking scans
Influence company culture outside the security org
Notes:
Migration: brainstorming graph / CPE attribution.
Data quality: better ranking system and risk analysis.
Campaigns to tackle backlog *and* emergencies.
Influx: linters* or push-blocking tests that do scans.
Influence culture: educate through bootcamp, support groups, campaigns.

Thank you

Q&A