
Using a Network Model to Address SANS Critical Controls 10 and 11


Page 1: Strategies to Address SANS Critical Controls 10 and 11 - Secure Configurations and Control of Network Devices

John Pescatore, SANS
Michelle Johnson Cobb, Skybox Security
Brian Kelly, Skybox Security

Page 2: Making Security Advances During Turbulent Times

• Prevent more, detect faster, respond more effectively
• Third-party connections are increasingly targeted
• How to implement security zones without impacting business?
• Misconfigured security controls are worse than no controls at all

Page 3: Disrupting the Breach Chain

[Figure: the breach chain and where it can be disrupted. Source: SecurityIntelligence.com]

Page 4: Target Breach Lessons Learned

• Why could HVAC contractors see POS systems/servers?
  ○ Zoning
• Why could PoS system malware talk to the server?
  ○ Application control policies
• Why could the internal file server talk to the external world?
  ○ All of the above
• Usual reasons:
  ○ Segmentation broke apps or sys admin
  ○ Policy was changed “temporarily”

Page 5: The Critical Security Controls History

• 2008 – NSA “Consensus Audit Guidelines”
• 2009 – Center for Strategic and International Studies publishes the “20 Critical Security Controls”
• 2011 – SANS takes over stewardship
• 2013 – Council on Cybersecurity formed
• 2015 – Critical Security Controls and Council become part of the Center for Internet Security (MS-ISAC)

Page 6: Critical Security Controls

1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises

Page 7: Critical Security Controls V6 Draft

#    Critical Security Controls Version 5.1        Critical Security Controls Draft 6.0
1    Inventory of Auth/Unauth Devices              Inventory of Auth/Unauth Devices
2    Inventory of Auth/Unauth Software             Inventory of Auth/Unauth Software
3    Secure Configurations for HW/SW               Secure Configurations for HW/SW
4    Continuous Vulnerability Assessment           Continuous Vulnerability Assessment
5    Malware Defenses                              Controlled Use of Admin Privileges
6    Application/Software Security                 Maint, Monitor, Analysis of Audit Logs
7    Wireless Access Control                       Email/Browser Security (new)
8    Data Recovery                                 Malware Defenses
9    Security Skills                               Limitation/Control of Ports
10   Secure Configurations for Network HW          Data Recovery

Page 8: Critical Security Controls V6 Draft (continued)

#    Critical Security Controls Version 5.1        Critical Security Controls Draft 6.0
11   Limitation/Control of Ports                   Secure Configurations for Network HW
12   Controlled Use of Admin Privileges            Boundary Defenses
13   Boundary Defenses                             Data Protection
14   Maint, Monitor, Analysis of Audit Logs        Controlled Access/Need to Know
15   Controlled Access/Need to Know                Wireless Access Control
16   Account Monitoring and Control                Account Monitoring and Control
17   Data Protection                               Security Skills
18   Incident Response and Management              Application and Software Security
19   Secure Network Engineering                    Incident Response and Management
20   Penetration Test/Red Team Exercises           Penetration Test/Red Team Exercises

Page 9: Continuous Processes

[Figure: a continuous-process cycle with the phases Policy, Assess Risk, Mitigate (Shield; Eliminate Root Cause) and Monitor/Report, driven by Threats, Regulations, Requirements and OTT Dictates. Labels recovered from the figure:]

• Assess Risk: Discovery/Inventory; Baseline (Vuln Assessment/Pen Test, Secure Configuration)
• Shield: FW/IPS, Anti-malware, NAC
• Eliminate Root Cause: Patch Management, Config Management, Change Management
• Software Vuln Test, Training, Network Arch, Privilege Mgmt
• Monitor/Report: SIEM, Security Analytics, Incident Response

Page 10: Bottom Line: Avoiding Self-Inflicted Wounds

• Zoning or segmenting the network is Security 101
• Flat networks are usually the path of least resistance
• Reducing attack apertures without impacting business flows requires
  ○ Next Generation Firewall/Application Aware Policies
  ○ Accurate and timely inventory
  ○ Rapid reaction to both change requests and alerts
  ○ Repeatable, scalable policy management processes and governance

Page 11: Using a Model of the Attack Surface to Address SANS Critical Controls 10 & 11

Michelle Johnson Cobb, VP, Worldwide Marketing

Page 12: Skybox Security Overview

© 2015 Skybox Security Inc.

Risk Analytics for Cyber Security

Powerful platform uses attack surface visibility and intelligence to address:
– Firewall and change management
– Network visibility and compliance
– Vulnerability and threat management

Over 500 Global 2000 customers

Page 13: Challenges Implementing Controls 10 & 11

Problem 1: Tons of vendors
Problem 2: Complex rulesets
Problem 3: Changes

• 500 network devices
• 25,000 FW rules
• 1,000 IPS signatures
• 55,000 nodes
• 65 daily network changes
• Infrastructure spanning three continents

• Will a change introduce a new exposure?
• Are IPS signatures up to date?
• What is the impact of new vulnerabilities on network devices and hosts?

Page 14: How do you analyze complex data?

Meteorology: climate models
Aerospace: flight simulators
Information Security: ?

Page 15: How do you analyze complex data?

Meteorology: climate models
Aerospace: flight simulators
Information Security: attack surface model

Page 16–21: Gain Visibility of the Attack Surface

(The diagram is built up one layer at a time over these pages; the complete layering is:)

SECURITY CONTROLS
• Firewalls
• IPS
• VPNs

NETWORK TOPOLOGY
• Routers
• Load Balancers
• Switches

ASSETS
• Servers
• Workstations
• Networks

VULNERABILITIES
• Location
• Criticality

THREATS
• Hackers
• Insiders
• Worms

Page 22: Critical Security Control 10

“Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”

Page 23: Analytics to Maintain Secure Configurations

• Firewall rule analysis
• Platform configuration checks
• Network compliance
• Path visualization
• Rule optimization
• Change planning
• Rule lifecycle management

Page 24: Critical Security Control 11

“Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.”

Page 25–27: Attack Simulation to Find and Minimize Risks

Steps (built up over three pages): Visualize; Correlate, Prioritize; Understand Controls; Identify Attack Vectors

• Visualize / Correlate, Prioritize: exploitable vulnerabilities (figure labels: CVE-1234, CVE-0123, MS12074, CVE-4567, CVE-5678)
• Understand Controls: security controls, access paths, policy violations, unauthorized changes
• Identify Attack Vectors: high-risk vector
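The attack-simulation pages above (and the "Analytics to Maintain Secure Configurations" page before them) describe the idea in boxes: model the zones, the firewalls between them and the assets, then compute which access paths exist, which of them violate the zoning policy, which rules are dead weight, and whether a proposed change opens a new exposure. The following is an added, deliberately small illustration of that idea in Python; it is not Skybox product code and does not reflect how Skybox models networks. The zone names, addresses, rule names, the "temporary" catch-all rule (echoing the "policy was changed temporarily" lesson on page 4) and the vulnerability label are all constructed for the example.

```python
"""Toy attack-surface model (added example, not Skybox product code): zones, firewalls,
access paths and zoning-policy checks. All addresses, rules and vuln labels are constructed."""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None = any destination port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match is already matched by self."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and (self.port is None or self.port == other.port))

@dataclass
class Host:
    ip: str
    zone: str
    listening: Set[int]    # open ports
    vulns: Dict[int, str]  # port -> vulnerability label on that service

@dataclass
class Model:
    links: List[Tuple[str, str, str]]  # (zone_a, zone_b, firewall between them)
    firewalls: Dict[str, List[Rule]]   # ordered rulesets: first match wins, default deny
    hosts: List[Host]
    forbidden: Set[Tuple[str, str]]    # (src_zone, dst_zone) pairs the zoning policy bans

def permits(model: Model, fw: str, src_ip: str, dst_ip: str, port: int) -> bool:
    for rule in model.firewalls[fw]:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action == "allow"
    return False  # no matching rule: implicit deny

def access_path(model, src_ip, src_zone, dst_ip, dst_zone, port) -> Optional[List[str]]:
    """Breadth-first search over zone links; returns the firewalls crossed, or None."""
    if src_zone == dst_zone:
        return []
    queue, seen = deque([(src_zone, [])]), {src_zone}
    while queue:
        zone, hops = queue.popleft()
        for a, b, fw in model.links:
            if zone not in (a, b):
                continue
            nxt = b if zone == a else a
            if nxt in seen or not permits(model, fw, src_ip, dst_ip, port):
                continue
            if nxt == dst_zone:
                return hops + [fw]
            seen.add(nxt)
            queue.append((nxt, hops + [fw]))
    return None

def exposures(model, src_ip, src_zone):
    """All (dst_ip, dst_zone, port, hops, vuln) a source can reach on a listening port."""
    found = []
    for h in model.hosts:
        for port in sorted(h.listening):
            hops = access_path(model, src_ip, src_zone, h.ip, h.zone, port)
            if hops is not None:
                found.append((h.ip, h.zone, port, hops, h.vulns.get(port)))
    return found

def policy_violations(model, src_ip, src_zone):
    return [e for e in exposures(model, src_ip, src_zone) if (src_zone, e[1]) in model.forbidden]

def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule already covers all their traffic."""
    return [r.name for i, r in enumerate(rules) if any(p.covers(r) for p in rules[:i])]

def simulate_change(model, fw, new_rules, src_ip, src_zone):
    """Violations a proposed ruleset would add, evaluated before anything is deployed."""
    before = {e[:3] for e in policy_violations(model, src_ip, src_zone)}
    trial = Model(model.links, {**model.firewalls, fw: new_rules}, model.hosts, model.forbidden)
    return [e for e in policy_violations(trial, src_ip, src_zone) if e[:3] not in before]

# Constructed sample: a contractor zone, the corporate zone and a POS zone behind two firewalls.
MODEL = Model(
    links=[("contractor", "corp", "fw-edge"), ("corp", "pos", "fw-core")],
    firewalls={"fw-edge": [Rule("vendor-portal", "10.1.0.0/24", "10.2.0.10/32", 443, "allow")],
               "fw-core": [Rule("any-to-pos-smb", "10.0.0.0/8", "10.3.0.0/24", 445, "allow"),
                           Rule("corp-to-pos-smb", "10.2.0.0/24", "10.3.0.20/32", 445, "allow")]},
    hosts=[Host("10.2.0.10", "corp", {443}, {}),
           Host("10.3.0.20", "pos", {445, 3389}, {445: "SMB-VULN-PLACEHOLDER"})],
    forbidden={("contractor", "pos")})
# A "temporary" catch-all rule someone proposes adding to the edge firewall.
PROPOSED_EDGE = MODEL.firewalls["fw-edge"] + [Rule("temp-any", "10.1.0.0/24", "10.0.0.0/8", None, "allow")]
```

Calling `exposures(MODEL, "10.1.0.5", "contractor")` shows the contractor zone reaching only the vendor portal on 443, and `policy_violations` is empty, so the baseline is compliant. `shadowed_rules(MODEL.firewalls["fw-core"])` flags `corp-to-pos-smb` as dead: the broader `any-to-pos-smb` rule above it already matches everything it would, which is the kind of finding rule optimization surfaces. `simulate_change(MODEL, "fw-edge", PROPOSED_EDGE, "10.1.0.5", "contractor")` answers the change-planning question on page 13 before the rule is pushed: the catch-all edge rule combined with the over-broad core rule opens a contractor-to-POS path on 445 onto a service carrying a known vulnerability, which is exactly the high-risk vector the pages above are about. The model is intentionally simple (no NAT, no stateful semantics, no routing beyond zone adjacency); a real path analysis has to account for all of those.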

Page 28: Demo: Security Policy Management with Skybox

Brian Kelly, Sales Engineer


Page 31: Acknowledgements

Thanks to our sponsor:

And to our attendees: thank you for joining us today