
How to Manage Risk in the Age of Digital Transformation If ...avad.ba/avad/wordpress/wp-content/uploads/2017/10/Qualys-za-Asbis... · How to Manage Risk in the Age of Digital Transformation

Page 1

How to Manage Risk in the Age of Digital Transformation

If Visible Then Can Be Secured

Emir Arslanagic, CISSP #4763 Regional Account Manager SEE

[email protected] +387.62.654.080

Page 2

Cyber Security Risk History or Reality

199x - …

Page 3

Page 4

CIS Controls

Page 5

Blue Chip Global Customer Base

Based on Forbes Global 2000 Classification

• 9 of top 10 in Software
• 9 of top 10 in Major Banks
• 8 of top 10 in Consumer Staples
• 8 of top 10 in Technology
• 8 of top 10 in Consumer Discretionary
• 7 of top 10 in Telecommunications
• 6 of top 10 in Healthcare
• 5 of top 10 in Industrial & Materials
• 5 of top 10 in Energy & Utilities
• 5 of top 10 in Insurance

70% of the Forbes Global 50 and 25% of the Forbes Global 2000 standardized on Qualys; 9,300+ Customers

(customer logo shown: DAIMLER)

Page 6

Qualys Snapshot

• Shared Cloud
• Private Cloud
• FedRAMP Certified: HHS Agency ATO

Page 7

ICT Assets and Apps are everywhere…

• On Premise
• VMware
• Endpoints
• Cloud

Every ICT Asset is a possible Attack Vector

Page 8

Vulnerabilities are growing …

Page 9

Cyber-threats are getting focused ...

Page 10

Where is the problem? In scope & time!

Example of typical CEE Enterprise:

• IP addresses: avg. 1000
• SW components: avg. 20 per IP
• Vulnerabilities: avg. 20 per IP, critical: 4 per IP
• Threats: avg. 2 per IP, actual: 1 per IP
• Configuration controls: avg. 300+ per IP, critical: 100 per IP

Attack Surface:

• 20.000 ICT Asset components
• 20.000 Vulnerabilities (20% critical)
• 1.000 Actual Threats (Malware & Exploits)
• 100.000 Critical configuration security controls

Modern approach & solution:

• Data centralization / normalization / prioritization
• (Big) Data analytics / automation / workflow
• Dashboards / Alerts / Tickets / Integrations
• Cloud based architecture

Page 11

Moving from Waterfall to Agile Methodology

Page 12

So what to do? Prioritization of controls

SANS / CIS Critical Security Controls - Version 6.1 – Aug. 2016

Source: https://www.cisecurity.org/critical-controls

Page 13

Security Data Analytics around ICT Assets

• ASSET MANAGEMENT + HW & SW INVENTORY + CONTINUOUS VIEW & SEARCH
• VULNERABILITY MANAGEMENT + THREAT ASSESSMENT + PATCH PRIORITIZATION
• COMPLIANCE MANAGEMENT + SELF-AUDIT BENCHMARKING + CONFIGURATION HARDENING

DASHBOARDS | ALERTS | TICKETS | WORKFLOWS | INTEGRATIONS

MAPPING TO BUSINESS PROCESSES & BUSINESS APPLICATIONS

Page 14

Asset Discovery, Centralization & Correlation

• Continuous Discovery
• Real-time Distributed Data Collection
• Data Analytics Correlation Backend
• Continuous Security & Compliance

Real-Time Correlation of Active Threats, Patches, Zero-Days, ...

Page 15

Agile Methodology Will Deliver Visibility & Accountability

Page 16

AssetView

AssetView Brings 2s Visibility Across Millions of IT Assets

• ElasticSearch
• Instant Query across millions of IT Assets
• Unified Assets’ View
• Dynamic and customizable dashboards (e.g. Vulnerability Risk Analysis dashboard)
• Synchronization with Splunk, ServiceNow & Others

Page 17

Cloud Agent: Qualys Cloud Agent

• Light-weight agent (2 MB) for:

> on-premise servers

> dynamic cloud environments

> branch offices behind NAT gateways

> roaming / remote end-users

• Built to scale to millions of devices

• Centrally managed, self updating

• Can be deployed via:

> Compact command line installer

> Embedded in VM and cloud master images

> Installed/managed by Software Distribution Tools

> Deployed with Group Policy (Windows)

• Single cloud console to manage agents

• Qualys Platform API for Agent management

• HTTPS Proxy support for communications

Simplifies Deployments - Consolidates Multiple Security Functions into a single lightweight agent:

• Inventory global assets

• Discover vulnerabilities

• Monitor critical patches and remediations

• Detect compliance misconfigurations

• Track active exploits against vulnerabilities

Page 18

VM & Policy Compliance

• Automated VM & PC, Continuous Monitoring

• Supports Windows, Red Hat, Mac OS, UNIX, AIX

• XML-based APIs integrate reporting data with GRC, SIEM, ERM, IDS and other security and compliance systems

• Integrates with existing IT ticketing systems

• Centrally manages user logins with SAML-based enterprise SSO

• Built-in library of extensively used policies certified by CIS, including COBIT, ISO, NIST, ITIL, HIPAA, FFIEC, NERC-CIP and User Defined Regulatory Cross Reference.

• FISMA Compliant. Uses SCAP content streams. Compliant with SCAP version 1.2: XCCDF 1.2, OVAL 5.10, CCE 5, CPE 2.3, CVE, and CVSS 2, OCIL 2.0, CCSS 1.0, Asset Identification 1.1, ARF 1.1, TMSAD 1.0

• Compliant with United States Government Configuration Baseline (USGCB), which replaces the Federal Desktop Core Configuration (FDCC)

• Scanning Accuracy: 3+ Billion scans per year; exceeds Six Sigma (99.99966% Accuracy)

Page 19

ThreatPROTECT

• Live Intelligence feed enabling real-time correlation of Active threats against your vulnerabilities

• Visualizes critical threats to your environment

• Measures and reports on Threats in real time

• Automated Alerts / Notifications

• Multiple Dashboards modified via widgets for any user’s Situational Awareness & Reporting

Page 20

Web Application Scanning (WAS)

• Detect, identify, assess, track and remediate OWASP Top 10 risks, WASC threats, CWE weaknesses, and web application CVEs.

• Application discovery and cataloging

• Integrates with software development lifecycle allowing scans at any time by developers, QA and security teams with full visibility on web app security.

• Scalable, high-accuracy progressive scanning saves time

• Supports Selenium to enable complex authentication or workflow sequences for better scan coverage.

• Highly customized reporting provides the big picture and drills into the details.

Page 21

Malware Detection (MD)

• Qualys MD is included with Qualys WAS for comprehensive detection of hidden malware.

• MD proactively scans your websites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution

• Get immediate notification of zero-day malware detection.

• Supports regularly scheduled scanning for continuous monitoring of websites

Page 22

Web Application Firewall (WAF)

• Next-generation cloud-based service that brings scalability and simplicity to web application security.

• Automated, adaptive approach quickly and efficiently blocks attacks on web server vulnerabilities, prevents disclosure of sensitive information, and controls where and when applications are accessed

• Prevents breaches by hardening web applications against current and emerging threats.

• Qualys WAF works together with Qualys WAS to provide true, integrated web application security

• Create “virtual patch” rules to address Qualys WAS findings, enable rapid resolution of false positives, and customize security rules for your environment

Page 23

Security Assessment Questionnaire (SAQ)

• Collect and analyze information about your organization easily & quickly

• Automates the process of collecting operational business process data to report on regulatory compliance and third-party risks.

• Alleviates auditing nightmares – Unifies technical and business process assessments onto a single platform, reducing complexity and accelerating audits

• Intuitive, web-based UI to create questionnaire templates or leverage pre-built templates covering compliance standards such as ISO, NIST, & FISMA.

• Use a variety of workflow options, such as simple information gathering, and assign a reviewer and/or approver as needed.

Page 24

Continuous Monitoring (CM)

• Targeted alerts from continuous monitoring are immediately directed to the appropriate staff for accelerated responses.

• Frees teams from the delay of waiting for scheduled scanning windows and sifting through long reports.

• Continuous monitoring immediately and proactively identifies critical security issues such as:

> Unexpected hosts/OSes

> Expiring SSL certificates

> Inadvertently open ports and services

> Severe vulnerabilities on hosts or in applications

> Undesired software on perimeter systems
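The five CM conditions listed above, expressed as a baseline-versus-current diff over a constructed inventory. This is an added illustration of the detection logic, not code from the deck or from the Qualys product; the host records, the severity threshold (4+), the 30-day certificate warning window and the "undesired software" list are all assumptions made for the example.

```python
from datetime import date

# Constructed sample data (not real scan output): last known-good inventory and a fresh scan.
BASELINE = {
    "10.0.0.10": {"os": "Windows Server 2016", "ports": {443}, "cert_expiry": "2018-06-01",
                  "max_severity": 3, "software": {"IIS"}},
    "10.0.0.11": {"os": "RHEL 7", "ports": {22, 443}, "cert_expiry": "2018-09-15",
                  "max_severity": 2, "software": {"httpd"}},
}
CURRENT = {
    "10.0.0.10": {"os": "Windows Server 2016", "ports": {443, 3389}, "cert_expiry": "2018-06-01",
                  "max_severity": 5, "software": {"IIS", "TeamViewer"}},
    "10.0.0.11": {"os": "Ubuntu 16.04", "ports": {22, 443}, "cert_expiry": "2017-10-20",
                  "max_severity": 2, "software": {"httpd"}},
    "10.0.0.12": {"os": "Linux", "ports": {80}, "cert_expiry": None,
                  "max_severity": 1, "software": set()},
}
UNDESIRED_SOFTWARE = {"TeamViewer"}  # assumption: remote-control tools are not allowed on perimeter hosts
SEVERE = 4                           # assumption: severity 4 and 5 count as "severe"
CERT_WARN_DAYS = 30                  # assumption: warn when a certificate expires within 30 days

def monitor(baseline, current, today):
    """Return (host, condition, detail) alerts for the CM conditions on the slide."""
    alerts = []
    for host, now in current.items():
        before = baseline.get(host)
        if before is None:
            alerts.append((host, "unexpected host", now["os"]))
            continue  # a brand-new host would trip every other check; one alert is enough
        if now["os"] != before["os"]:
            alerts.append((host, "unexpected OS", f'{before["os"]} -> {now["os"]}'))
        for port in sorted(now["ports"] - before["ports"]):
            alerts.append((host, "newly open port", str(port)))
        if now["cert_expiry"]:
            days_left = (date.fromisoformat(now["cert_expiry"]) - today).days
            if days_left <= CERT_WARN_DAYS:
                alerts.append((host, "expiring SSL certificate", f"{days_left} days"))
        if now["max_severity"] >= SEVERE and before["max_severity"] < SEVERE:
            alerts.append((host, "severe vulnerability", f'severity {now["max_severity"]}'))
        for sw in sorted(now["software"] & UNDESIRED_SOFTWARE):
            alerts.append((host, "undesired software", sw))
    return alerts

def sample_alerts():
    """Run the check on the constructed data as of a fixed date so results are reproducible."""
    return monitor(BASELINE, CURRENT, date(2017, 10, 1))

if __name__ == "__main__":
    for a in sample_alerts():
        print("ALERT %-10s %-26s %s" % a)
```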

Page 25

Payment Card Industry (PCI)

• PCI Compliance provides businesses, online merchants and Member Service Providers a highly automated way to achieve compliance with the Payment Card Industry Data Security Standard (DSS)

• Discovers and maps all devices on your network to help determine which are in scope for PCI.

• Accurate, prioritized scan results with detailed instructions for remediation of vulnerabilities

• Automatically submits quarterly scan results and documentation to acquirer.

• Approved by the PCI Council, fulfills quarterly network and application scanning requirements of PCI DSS. The most accurate, easiest-to-use solution for PCI compliance testing, reporting and submission.

Page 26

Q&A [email protected]