How to Manage Risk in the Age of Digital Transformation
If Visible Then Can Be Secured
Emir Arslanagic, CISSP #4763, Regional Account Manager SEE
[email protected] +387.62.654.080
Cyber Security Risk: History or Reality? (199x - …)
Qualys Snapshot: Blue Chip Global Customer Base
Based on the Forbes Global 2000 classification. 9,300+ customers; 70% of the Forbes Global 50 and 25% of the Forbes Global 2000 have standardized on Qualys.
• 9 of top 10 in Software
• 9 of top 10 in Major Banks
• 8 of top 10 in Consumer Staples
• 8 of top 10 in Technology
• 8 of top 10 in Consumer Discretionary
• 7 of top 10 in Telecommunications
• 6 of top 10 in Healthcare
• 5 of top 10 in Industrial & Materials
• 5 of top 10 in Energy & Utilities
• 5 of top 10 in Insurance
(Customer logos, e.g. Daimler, omitted.)
Shared Cloud | Private Cloud | FedRAMP certified (HHS Agency ATO)
ICT Assets and Apps are everywhere: On Premise, VMware, Endpoints, Cloud
Every ICT asset is a possible attack vector
Vulnerabilities are growing …
Cyber-threats are getting focused ...
Where is the problem? In scope & time!
Example of a typical CEE enterprise (avg. 1,000 IPs):
• SW components: avg. 20 per IP -> 20,000 ICT asset components
• Vulnerabilities: avg. 20 per IP, 4 critical per IP -> 20,000 vulnerabilities (20% critical)
• Actual threats (malware & exploits): avg. 2 per IP, 1 actual per IP -> 1,000 actual threats
• Configuration controls: 300+ per IP, 100 critical per IP -> 100,000 critical configuration settings
Modern approach & solution:
• Data centralization / normalization / prioritization
• (Big) Data analytics / automation / workflow
• Dashboards / Alerts / Tickets / Integrations
• Cloud based architecture
• Moving from Waterfall to Agile methodology
So what to do – prioritization of controls?
SANS / CIS Critical Security Controls - Version 6.1 – Aug. 2016
Source: https://www.cisecurity.org/critical-controls
Security Data Analytics around ICT Assets
• ASSET MANAGEMENT + HW & SW INVENTORY + CONTINUOUS VIEW & SEARCH
• VULNERABILITY MANAGEMENT + THREAT ASSESSMENT + PATCH PRIORITIZATION
• COMPLIANCE MANAGEMENT + SELF-AUDIT BENCHMARKING + CONFIGURATION HARDENING
DASHBOARDS | ALERTS | TICKETS | WORKFLOWS | INTEGRATIONS
MAPPING TO BUSINESS PROCESSES & BUSINESS APPLICATIONS
Asset Discovery, Centralization & Correlation
Continuous Discovery -> Real-time Distributed Data Collection -> Data Analytics / Correlation Backend -> Continuous Security & Compliance
Real-Time Correlation of Active Threats, Patches, Zero-Days, ...
Agile Methodology Will Deliver Visibility & Accountability
AssetView (ElasticSearch backend):
• Instant query across millions of IT assets
• Unified assets' view
• Dynamic and customizable dashboards (e.g. Vulnerability Risk Analysis dashboard)
• Synchronization with Splunk, ServiceNow & others
AssetView brings 2-second visibility across millions of IT assets
Qualys Cloud Agent
• Light-weight agent (2 MB) for:
> on-premise servers
> dynamic cloud environments
> branch offices behind NAT gateways
> roaming / remote end-users
• Built to scale to millions of devices
• Centrally managed, self-updating
• Can be deployed via:
> Compact command line installer
> Embedded in VM and cloud master images
> Installed/managed by software distribution tools
> Deployed with Group Policy (Windows)
• Single cloud console to manage agents
• Qualys Platform API for agent management
• HTTPS proxy support for communications
Simplifies deployments: consolidates multiple security functions into a single lightweight agent
• Inventory global assets
• Discover vulnerabilities
• Monitor critical patches and remediations
• Detect compliance misconfigurations
• Track active exploits against vulnerabilities
VM & Policy Compliance
• Automated VM & PC, Continuous Monitoring
• Supports Windows, Red Hat, macOS, UNIX, AIX
• XML-based APIs integrate reporting data with GRC, SIEM, ERM, IDS and other security and compliance systems
• Integrates with existing IT ticketing systems
• Centrally manages user logins with SAML-based enterprise SSO
• Built-in library of widely used policies certified by CIS, including COBIT, ISO, NIST, ITIL, HIPAA, FFIEC, NERC-CIP and user-defined regulatory cross-references
• FISMA compliant; uses SCAP content streams. Compliant with SCAP version 1.2: XCCDF 1.2, OVAL 5.10, CCE 5, CPE 2.3, CVE, CVSS 2, OCIL 2.0, CCSS 1.0, Asset Identification 1.1, ARF 1.1, TMSAD 1.0
• Compliant with the United States Government Configuration Baseline (USGCB), which replaces the Federal Desktop Core Configuration (FDCC)
• Scanning accuracy: 3+ billion scans per year; exceeds Six Sigma (99.99966%) accuracy
ThreatPROTECT
• Live Intelligence feed enabling real-time correlation of Active threats against your vulnerabilities
• Visualizes critical threats to your environment
• Measures and reports on Threats in real time
• Automated Alerts / Notifications
• Multiple dashboards, customizable via widgets, for any user's situational awareness & reporting
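The patch-prioritization idea behind the "scope & time" figures above (20,000 vulnerabilities, but only 1,000 actual threats) and the ThreatPROTECT correlation of a live threat feed against scan findings, as an added Python example. This is not Qualys code and not taken from the slides: the hosts, CVE identifiers, patch names, CVSS scores, threat-feed entries, asset weights and multipliers are all constructed assumptions. The point it demonstrates is that a mid-severity CVE with active malware on several hosts can outrank a CVSS 9.8 CVE with no known exploit once threat context and asset criticality are correlated.

```python
"""Prioritise patches by correlating vulnerability findings with a threat feed.

Added example (not Qualys code). Hosts, CVE ids, patches, CVSS scores, threat
flags and the scoring weights below are constructed for illustration; the
formula is an assumption, not a published Qualys scoring model.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float   # CVSS base score, 0-10
    patch: str    # vendor patch / KB that closes the CVE


# Constructed scan output: three hosts, a handful of findings each.
FINDINGS = [
    Finding("db-01",  "CVE-2017-0001", 9.8, "KB-4001"),
    Finding("db-01",  "CVE-2017-0002", 5.3, "KB-4002"),
    Finding("web-01", "CVE-2017-0001", 9.8, "KB-4001"),
    Finding("web-01", "CVE-2017-0003", 7.5, "KB-4003"),
    Finding("web-01", "CVE-2017-0004", 4.3, "KB-4004"),
    Finding("ws-17",  "CVE-2017-0003", 7.5, "KB-4003"),
    Finding("ws-17",  "CVE-2017-0005", 6.1, "KB-4005"),
]

# Constructed threat feed: which CVEs have public exploits, active malware or zero-day status.
THREAT_FEED = {
    "CVE-2017-0003": {"exploit_public", "malware_active"},
    "CVE-2017-0005": {"exploit_public"},
    "CVE-2017-0002": {"zero_day"},
}

# Assumed business criticality per host (would come from asset inventory / CMDB tags).
ASSET_WEIGHT = {"db-01": 3.0, "web-01": 2.0, "ws-17": 1.0}

# Assumed multipliers: each threat indicator raises the urgency of a finding.
THREAT_MULTIPLIER = {"zero_day": 3.0, "malware_active": 2.5, "exploit_public": 2.0}


def finding_risk(f: Finding) -> float:
    """Risk contributed by one finding on one host: CVSS x threat context x asset weight."""
    indicators = THREAT_FEED.get(f.cve, set())
    # Use the strongest indicator rather than multiplying them all together,
    # so a CVE carrying several flags does not dwarf everything else.
    mult = max((THREAT_MULTIPLIER[i] for i in indicators), default=1.0)
    return f.cvss * mult * ASSET_WEIGHT.get(f.host, 1.0)


def prioritise_patches(findings):
    """Rank patches by the total risk they remove across all hosts.

    Returns a list of (patch, total_risk, host_count, cves), highest risk first.
    Ranking by patch rather than by CVE matters because one patch often closes
    several CVEs on many hosts, and that is the unit of work for operations.
    """
    risk = defaultdict(float)
    hosts = defaultdict(set)
    cves = defaultdict(set)
    for f in findings:
        risk[f.patch] += finding_risk(f)
        hosts[f.patch].add(f.host)
        cves[f.patch].add(f.cve)
    ranked = [(p, round(risk[p], 2), len(hosts[p]), sorted(cves[p])) for p in risk]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def actively_exploited(findings):
    """The 'actual threats' subset: findings whose CVE has an exploit or malware in the wild."""
    active = {"exploit_public", "malware_active"}
    return [f for f in findings if THREAT_FEED.get(f.cve, set()) & active]


if __name__ == "__main__":
    for patch, total, n_hosts, cve_list in prioritise_patches(FINDINGS):
        print(f"{patch}: risk={total:6.2f} hosts={n_hosts} cves={','.join(cve_list)}")
    print(f"{len(actively_exploited(FINDINGS))} of {len(FINDINGS)} findings have an active threat")
```

With these constructed inputs KB-4003 (CVSS 7.5, active malware, two hosts) ranks first and KB-4001 (CVSS 9.8, no known exploit) second, which is the ordering a pure CVSS sort would never produce; in practice the feed lookup and asset weights would be replaced by the organisation's own threat intelligence and inventory data.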
Web Application Scanning (WAS)
• Detect, identify, assess, track and remediate OWASP Top 10 risks, WASC threats, CWE weaknesses, and web application CVEs.
• Application discovery and cataloging
• Integrates with software development lifecycle allowing scans at any time by developers, QA and security teams with full visibility on web app security.
• Scalable, high-accuracy progressive scanning saves time
• Supports Selenium to enable complex authentication or workflow sequences for better scan coverage.
• Highly customized reporting provides the big picture and drills into the details.
Malware Detection(MD)
• Qualys MD is included with Qualys WAS for comprehensive detection of hidden malware.
• MD proactively scans your websites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution.
• Get immediate notification of zero-day malware detection.
• Supports regularly scheduled scanning for continuous monitoring of websites
Web Application Firewall (WAF)
• Next-generation cloud-based service combines scalability and simplicity to web application security.
• Automated, adaptive approach quickly and efficiently blocks attacks on web server vulnerabilities, prevents disclosure of sensitive information, and controls where and when applications are accessed.
• Prevents breaches by hardening web applications against current and emerging threats.
• Qualys WAF works together with Qualys WAS to provide true, integrated web application security
• Create “virtual patch” rules to address Qualys WAS findings, enable rapid resolution of false positives, and customize security rules for your environment
Security Assessment Questionnaire (SAQ)
• Collect and analyze information about your organization easily & quickly
• Automates the process of collecting operational business process data to report on regulatory compliance and third-party risks.
• Alleviates auditing nightmares – Unifies technical and business process assessments onto a single platform, reducing complexity and accelerating audits
• Intuitive, web-based UI to create questionnaire templates or leverage pre-built templates covering compliance standards such as ISO, NIST, & FISMA.
• Use a variety of workflow options, from simple information gathering to assigning a reviewer and/or approver as needed.
Continuous Monitoring (CM)
• Targeted alerts from continuous monitoring are immediately directed to the appropriate staff for accelerated responses.
• Frees teams from the delay of waiting for scheduled scanning windows and sifting through long reports.
• Continuous monitoring immediately and proactively identifies critical security issues such as:
> Unexpected hosts/OSes
> Expiring SSL certificates
> Inadvertently open ports and services
> Severe vulnerabilities on hosts or in applications
> Undesired software on perimeter systems
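The continuous-monitoring logic above (detect unexpected hosts, newly open ports, OS changes and expiring certificates between scans, then route each alert to the right team) as an added Python example. It is not Qualys code and not from the slides: the two inventory snapshots, host names, OS strings, ports, certificate dates, the 30-day expiry window and the team routing table are constructed assumptions.

```python
"""Continuous-monitoring style alerting on changes between two asset snapshots.

Added example, not Qualys code. Both snapshots (hosts, OS strings, open ports,
certificate dates), the 30-day expiry window and the team routing table are
constructed assumptions for illustration.
"""
from datetime import date, timedelta

# Constructed: last approved inventory (baseline) and the newest scan (current).
BASELINE = {
    "web-01":    {"os": "Ubuntu 16.04", "ports": {22, 443},  "cert_expiry": date(2017, 9, 30)},
    "db-01":     {"os": "RHEL 7",       "ports": {22, 5432}, "cert_expiry": None},
    "legacy-05": {"os": "Windows 2003", "ports": {445},      "cert_expiry": None},
}
CURRENT = {
    "web-01":  {"os": "Ubuntu 16.04",        "ports": {22, 443, 8080}, "cert_expiry": date(2017, 9, 30)},
    "db-01":   {"os": "RHEL 7",              "ports": {22, 5432},      "cert_expiry": None},
    "test-99": {"os": "Windows Server 2012", "ports": {445, 3389},     "cert_expiry": None},
}

SCAN_DATE = date(2017, 9, 10)        # constructed date of the current scan
EXPIRY_WINDOW = timedelta(days=30)   # assumed: warn when a cert expires within 30 days

# Assumed routing: which team gets which kind of alert (the "appropriate staff").
ROUTING = {
    "new_host": "network-ops",
    "open_port": "network-ops",
    "os_change": "server-ops",
    "cert_expiry": "web-ops",
    "host_gone": "asset-mgmt",
}


def _alert(host, category, severity, detail):
    return {"host": host, "category": category, "severity": severity, "detail": detail}


def monitor(baseline, current, today, expiry_window=EXPIRY_WINDOW):
    """Compare two snapshots and return one alert dict per detected change."""
    alerts = []
    for host, now in current.items():
        was = baseline.get(host)
        if was is None:
            # A host nobody approved: report its OS and exposed ports together.
            alerts.append(_alert(host, "new_host", "high",
                                 f"unexpected host ({now['os']}), ports {sorted(now['ports'])}"))
            continue
        if now["os"] != was["os"]:
            alerts.append(_alert(host, "os_change", "medium",
                                 f"OS changed from {was['os']} to {now['os']}"))
        # Only ports that were not open in the baseline are interesting.
        for port in sorted(now["ports"] - was["ports"]):
            alerts.append(_alert(host, "open_port", "high", f"port {port} newly open"))
        exp = now["cert_expiry"]
        if exp is not None and exp - today <= expiry_window:
            # Already expired is worse than about to expire.
            severity = "high" if exp < today else "medium"
            alerts.append(_alert(host, "cert_expiry", severity,
                                 f"certificate expires {exp.isoformat()}"))
    for host in sorted(baseline.keys() - current.keys()):
        alerts.append(_alert(host, "host_gone", "low", "host no longer seen"))
    return alerts


def route(alerts):
    """Group alerts by the team that should act on them."""
    queues = {}
    for a in alerts:
        queues.setdefault(ROUTING[a["category"]], []).append(a)
    return queues


if __name__ == "__main__":
    for team, items in route(monitor(BASELINE, CURRENT, SCAN_DATE)).items():
        for a in items:
            print(f"[{a['severity']:6}] {team:12} {a['host']}: {a['detail']}")
```

The diff-against-baseline shape is what makes this "continuous": each scan is compared with the last approved state rather than read as a full report, so the only output is the handful of changes someone has to act on.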
Payment Card Industry (PCI)
• PCI Compliance gives businesses, online merchants and Member Service Providers a highly automated way to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS)
• Discovers and maps all devices on your network to help determine which are in scope for PCI.
• Accurate, prioritized scan results with detailed instructions for remediation of vulnerabilities
• Automatically submits quarterly scan results and documentation to acquirer.
• Approved by the PCI Security Standards Council as an Approved Scanning Vendor (ASV); fulfills the quarterly external network and application scanning requirements of PCI DSS. Positioned as an accurate, easy-to-use solution for PCI compliance testing, reporting and submission.