Strategies to Address SANS Critical Controls 10 and 11 -
Secure Configurations and Control of Network Devices
John Pescatore, SANS
Michelle Johnson Cobb, Skybox Security
Brian Kelly, Skybox Security
Making Security Advances During Turbulent Times
• Prevent more, detect faster, respond more effectively
• Third party connections are increasingly targeted
• How to implement security zones without impacting business?
• Misconfigured security controls worse than no controls at all
Disrupting the Breach Chain
Source: SecurityIntelligence.com
Target Breach Lessons Learned
• Why could HVAC contractors see POS systems/servers?
  ○ Zoning
• Why could PoS system malware talk to server?
  ○ Application control policies
• Why could internal file server talk to external world?
  ○ All of the above
• Usual reasons:
  ○ Segmentation broke apps or sys admin
  ○ Policy was changed “temporarily”
The Critical Security Controls History
• 2008 – NSA “Consensus Audit Guidelines”
• 2009 – Center for Strategic and International Studies publishes the “20 Critical Security Controls”
• 2011 – SANS takes over stewardship
• 2013 – Council on Cybersecurity formed
• 2015 – Critical Security Controls and Council become part of the Center for Internet Security (MS-ISAC)
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
Critical Security Controls V6 Draft

#    Critical Security Controls Version 5.1      Critical Security Controls Draft 6.0
1    Inventory of Auth/Unauth Devices            Inventory of Auth/Unauth Devices
2    Inventory of Auth/Unauth Software           Inventory of Auth/Unauth Software
3    Secure Configurations for HW/SW             Secure Configurations for HW/SW
4    Continuous Vulnerability Assessment         Continuous Vulnerability Assessment
5    Malware Defenses                            Controlled Use of Admin Privileges
6    Application/Software Security               Maint, Monitor, Analysis of Audit Logs
7    Wireless Access Control                     Email/Browser Security (new)
8    Data Recovery                               Malware Defenses
9    Security Skills                             Limitation/Control of Ports
10   Secure Configurations for Network HW        Data Recovery
11   Limitation/Control of Ports                 Secure Configurations for Network HW
12   Controlled Use of Admin Privileges          Boundary Defenses
13   Boundary Defenses                           Data Protection
14   Maint, Monitor, Analysis of Audit Logs      Controlled Access/Need to Know
15   Controlled Access/Need to Know              Wireless Access Control
16   Account Monitoring and Control              Account Monitoring and Control
17   Data Protection                             Security Skills
18   Incident Response and Management            Application and Software Security
19   Secure Network Engineering                  Incident Response and Management
20   Penetration Test/Red Team Exercises         Penetration Test/Red Team Exercises
Continuous Processes (process-cycle diagram; labels recovered from the slide)
Stages: Policy, Assess Risk, Baseline (Vuln Assessment/Pen Test, Secure Configuration), Mitigate, Shield, Eliminate Root Cause, Monitor/Report
Underpinning: Discovery/Inventory
Drivers: Threats, Regulations, Requirements, OTT Dictates
• FW/IPS, Anti-malware, NAC
• Patch Management, Config Management, Change Management
• Software Vuln Test, Training, Network Arch, Privilege Mgmt
• SIEM, Security Analytics, Incident Response
Bottom Line: Avoiding Self Inflicted Wounds
• Zoning or segmenting the network is Security 101
• Flat networks are usually the path of least resistance
• Reducing attack apertures without impacting business flows requires
  ○ Next Generation Firewall/Application Aware Policies
  ○ Accurate and timely inventory
  ○ Rapid reaction to both change requests and alerts
  ○ Repeatable, scalable policy management processes and governance
Michelle Johnson Cobb
VP, Worldwide Marketing
Using a Model of the Attack Surface to Address SANS Critical Controls 10 & 11
© 2015 Skybox Security Inc. 12
Skybox Security Overview
Powerful platform uses attack surface visibility and intelligence to address:
– Firewall and change management
– Network visibility and compliance
– Vulnerability and threat management
Over 500 Global 2000 Customers
Risk Analytics for Cyber Security
Challenges implementing Controls 10 & 11
Problem 1: Tons of Vendors
Problem 2: Complex Rulesets
Problem 3: Changes
• 500 network devices
• 25,000 FW rules
• 1,000 IPS signatures
• 55,000 nodes
• 65 daily network changes
• Infrastructure spanning three continents
• Will a change introduce a new exposure?
• Are IPS signatures up to date?
• Impact of new vulnerabilities on network devices, hosts?
How do you analyze complex data?
Meteorology: Climate models
Aerospace: Flight simulators
Information Security: Attack surface model
Gain Visibility of the Attack Surface
SECURITY CONTROLS
• Firewalls
• IPS
• VPNs
NETWORK TOPOLOGY
• Routers
• Load Balancers
• Switches
ASSETS
• Servers
• Workstations
• Networks
VULNERABILITIES
• Location
• Criticality
THREATS
• Hackers
• Insiders
• Worms
Critical Security Control 10
“Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”
Analytics to Maintain Secure Configurations
• Firewall rule analysis
• Platform configuration checks
• Network compliance
• Path visualization
• Rule optimization
• Change planning
• Rule lifecycle management
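The zoning questions from the Target lessons (why could contractors reach POS, why could a server talk to the outside world, "policy was changed temporarily") and the firewall rule analysis, network compliance and rule lifecycle items above come down to comparing each permit rule with the flows the business actually approved. The script below is an added example, not Skybox or SANS code; the zones, subnets, approved-flow table, rules and dates are constructed for illustration, and the "temporary" contractor permit into the POS zone and the any-port troubleshooting rule play the roles of the two lessons.

```python
"""Zone-policy audit of a firewall ruleset: flag permits that cross zones the
business never approved, 'any port' permits, and temporary rules past their
expiry. Added example, not Skybox or SANS code; zones, subnets, rules, dates
and the approved-flow table are constructed for illustration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from datetime import date

# Zones as address blocks (constructed).
ZONES = {
    "CONTRACTOR_VPN": ipaddress.ip_network("10.50.0.0/16"),
    "CORP": ipaddress.ip_network("10.10.0.0/16"),
    "POS": ipaddress.ip_network("10.20.0.0/16"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "INTERNET": ipaddress.ip_network("0.0.0.0/0"),
}

# Zoning policy: the only (src_zone, dst_zone, dst_port) flows the business
# approved. A permit outside this table is a violation even if it "works".
APPROVED_FLOWS = {
    ("CONTRACTOR_VPN", "DMZ", 443),   # vendor portal
    ("CORP", "POS", 443),             # store management
    ("POS", "CORP", 443),             # sales upload to head office
    ("DMZ", "INTERNET", 443),         # DMZ services reach vendor APIs
}

@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: int                   # 0 means any port
    action: str                  # "permit" or "deny"
    comment: str = ""
    expires: date | None = None  # set when the change ticket said "temporary"

def zone_of(cidr: str) -> str:
    """Most specific zone containing the address block, or UNKNOWN."""
    net = ipaddress.ip_network(cidr)
    best = None
    for name, zone in ZONES.items():
        if net.subnet_of(zone) and (best is None or zone.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "UNKNOWN"

def audit(rules: list[Rule], today: date) -> list[dict]:
    """One finding per problem found on a permit rule; deny rules are skipped."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        where = f"{src_zone}->{dst_zone}:{r.dport or 'any'}"
        if r.dport == 0:
            findings.append({"rule": r.rule_id, "type": "any-port", "flow": where})
        if (src_zone, dst_zone, r.dport) not in APPROVED_FLOWS:
            findings.append({"rule": r.rule_id, "type": "zone-violation", "flow": where})
        if r.expires is not None and r.expires < today:
            findings.append({"rule": r.rule_id, "type": "expired-temporary",
                             "flow": where, "expired": r.expires.isoformat()})
    return findings

# Constructed ruleset echoing the lessons above: a "temporary" contractor
# permit into the POS zone and a troubleshooting any-port permit outbound.
SAMPLE_RULES = [
    Rule("R1", "10.50.0.0/16", "192.0.2.0/24", 443, "permit", "vendor portal"),
    Rule("R2", "10.50.0.0/16", "10.20.0.0/16", 445, "permit",
         "HVAC vendor meter export - TEMP", expires=date(2014, 6, 30)),
    Rule("R3", "10.20.0.0/16", "0.0.0.0/0", 0, "permit", "troubleshooting"),
    Rule("R4", "10.10.0.0/16", "10.20.0.0/16", 443, "permit", "store mgmt"),
    Rule("R5", "0.0.0.0/0", "0.0.0.0/0", 0, "deny", "cleanup"),
]
AUDIT_DATE = date(2015, 9, 24)   # constructed "today" for the run

def sample_findings() -> list[dict]:
    return audit(SAMPLE_RULES, AUDIT_DATE)

if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run against the constructed ruleset it reports four findings, all on R2 and R3: the contractor-to-POS permit is both a zone violation and a temporary rule that expired over a year ago, and the outbound troubleshooting rule is an any-port permit that also violates the approved-flow table. R1 and R4 match approved flows and R5 is a deny, so they produce nothing. The approved-flow table is the piece that needs governance: a rule that passes syntax checks but is missing from it is exactly the "temporarily changed" policy the slides warn about.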
Critical Security Control 11
“Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.”
Attack Simulation to Find and Minimize Risks
• Visualize
• Correlate, Prioritize: Exploitable Vulnerabilities (illustrative ids on the slide: CVE-1234, CVE-0123, MS12074, CVE-4567, CVE-5678)
• Understand Controls: Security Controls, Access paths, Policy violations, Unauthorized changes
• Identify Attack Vectors: High-risk vector
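The simulation steps above (visualize access, correlate it with where vulnerabilities sit, understand which controls open a path, identify the high-risk vector) reduce to a reachability computation over a zone graph whose edges are firewall permit rules. The script below is an added example, not Skybox or SANS code; the zones, firewalls, permit rules and vulnerability records are constructed, and the vulnerability ids are the illustrative labels from the slide rather than real advisories. It also answers the "will a change introduce a new exposure?" question from the challenges slide by recomputing exposure with a single rule withdrawn.

```python
"""Attack-surface exposure model: correlate firewall permits with vulnerability
location to rank what an origin zone can reach. Added example, not Skybox or
SANS code. Zones, firewalls, rules and vulnerability records are constructed;
the vulnerability ids are the slide's illustrative labels, not real advisories."""
from collections import deque
from dataclasses import dataclass

# Zone-to-zone links and the firewall that sits on each one (constructed).
LINKS = {("INTERNET", "DMZ"): "FW-EDGE",
         ("DMZ", "CORP"): "FW-CORE",
         ("CORP", "POS"): "FW-STORE"}

# Permitted flows per firewall as (src_zone, dst_zone, dst_port). Constructed;
# the INTERNET->DMZ:22 entry plays the role of a forgotten admin rule.
RULES = {
    "FW-EDGE": {("INTERNET", "DMZ", 443), ("INTERNET", "DMZ", 22)},
    "FW-CORE": {("DMZ", "CORP", 1433)},
    "FW-STORE": {("CORP", "POS", 445)},
}

@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # illustrative label from the slide
    host: str
    zone: str
    port: int       # port of the vulnerable service
    severity: float

VULNS = [
    Vuln("CVE-1234", "web01", "DMZ", 443, 7.5),
    Vuln("CVE-0123", "web01", "DMZ", 22, 9.8),
    Vuln("CVE-4567", "db01", "CORP", 1433, 9.0),
    Vuln("CVE-5678", "file01", "CORP", 445, 8.0),
    Vuln("MS12074", "pos07", "POS", 445, 9.3),
]

def neighbors(zone):
    """Adjacent zones and the firewall between them (links are bidirectional)."""
    for (a, b), fw in LINKS.items():
        if a == zone:
            yield b, fw
        elif b == zone:
            yield a, fw

def flow_path(src, dst, port, rules):
    """Shortest zone path for one flow to dst:port where every firewall on the
    way permits it. Returns (zones, rules_used) or None. Traffic inside a zone
    is assumed unfiltered, which is the flat-network case the slides warn about."""
    if src == dst:
        return [src], []
    prev = {src: None}
    queue = deque([src])
    while queue:
        z = queue.popleft()
        for n, fw in neighbors(z):
            if n in prev or (z, n, port) not in rules.get(fw, ()):
                continue
            prev[n] = (z, fw)
            if n == dst:
                zones, used = [n], []
                while prev[zones[-1]] is not None:
                    p, f = prev[zones[-1]]
                    used.append((f, (p, zones[-1], port)))
                    zones.append(p)
                return zones[::-1], used[::-1]
            queue.append(n)
    return None

def attack_surface(origin, rules=RULES):
    """Vulnerabilities reachable from `origin`, ranked by severity. A reachable
    vulnerable host counts as a foothold in its zone, so later flows may start
    there; that is the multi-step 'attack vector' the slides visualise."""
    footholds = {origin: [origin]}      # zone -> zone path that reached it
    exposed = {}
    progress = True
    while progress:
        progress = False
        for v in VULNS:
            if v.vuln_id in exposed:
                continue
            for z, how in list(footholds.items()):
                found = flow_path(z, v.zone, v.port, rules)
                if found is None:
                    continue
                zones, used = found
                exposed[v.vuln_id] = {"host": v.host, "severity": v.severity,
                                      "path": how + zones[1:], "rules": used}
                footholds.setdefault(v.zone, how + zones[1:])
                progress = True
                break
    return dict(sorted(exposed.items(), key=lambda kv: -kv[1]["severity"]))

def what_if_remove(rule_fw, rule, origin="INTERNET"):
    """Change planning: recompute exposure with one permit rule withdrawn."""
    trial = {fw: set(r) for fw, r in RULES.items()}
    trial[rule_fw].discard(rule)
    return attack_surface(origin, trial)

if __name__ == "__main__":
    for vid, info in attack_surface("INTERNET").items():
        print(f"{vid:9} {info['host']:7} sev {info['severity']:>4}  "
              f"path {'>'.join(info['path'])}  via {info['rules']}")
    print("after withdrawing DMZ->CORP:1433:",
          sorted(what_if_remove("FW-CORE", ("DMZ", "CORP", 1433))))
```

From the INTERNET zone the model exposes all five records, with the POS vulnerability reached through INTERNET, DMZ and CORP; every entry carries the firewall rules that carried its final flow, which is the "understand controls" step. The what-if shows that withdrawing the single DMZ-to-CORP database permit removes the three CORP and POS exposures at once, so it is the change to prioritise. Withdrawing only the INTERNET-to-DMZ:22 rule, by contrast, does not clear CVE-0123, because a foothold on the web host reaches it inside the unfiltered DMZ; rule cleanup and host remediation have to be planned together.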
Brian Kelly
Sales Engineer
Demo: Security Policy Management with Skybox
Resources
• SANS: https://www.sans.org/webcasts/archive
• Critical Security Controls: http://www.counciloncybersecurity.org/critical-controls/
• SANS Events: https://www.sans.org/security-training/by-location/all
• Questions: [email protected]
• @John_Pescatore
• Skybox Security - Best Practices for Network Security: http://www.skyboxsecurity.com/resources/best-practice-4-steps-more-automated-adaptable-network-security-management#.VgOgY8tVikp
Acknowledgements
Thanks to our sponsor:
And to our attendees:
Thank you for joining us today