Cyber Exposure – The Next Frontier

Slides:



Advertisements
Similar presentations
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Advertisements

Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Dell Connected Security Solutions Simplify & unify.
PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009.
© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.
Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
IT Security – Scanning / Vulnerability Assessment David Geick State of Connecticut IT Security.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Deconstructing API Security
Securing Java Applications
© 2012 IBM Corporation IBM Security Systems 1 © 2012 IBM Corporation Cloud Security: Who do you trust? Martin Borrett Director of the IBM Institute for.
Security Snapshot Assessment Maximizing Return on Security Investment What assets do we have? What is running on those assets? What is our risk level?
ABOUT COMPANY Janbask is one among the fastest growing IT Services and consulting company. We provide various solutions for strategy, consulting and implement.
SDN & NFV Driving Additional Value into Managed Services.
Azure Stack Foundation
READ ME FIRST Use this template to create your Partner datasheet for Azure Stack Foundation. The intent is that this document can be saved to PDF and provided.
Security and resilience for Smart Hospitals Key findings
Defining your requirements for a successful security (and compliance
11/19/2017 9:41 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Increasing Information and Data Security in Today’s Cybersecurity World 2017 Conference Review 6/6/2017.
Updating the Value Proposition:
Securing Your Web Application in Azure with a WAF
Automating Security Frameworks
“Introduction to Azure Security Center”
Hybrid Management and Security
THR2099 What to do BEFORE all hell breaks loose: Building a modern cybersecurity strategy.
Compliance with hardening standards
WEBINAR The Rise Of Insights Services
CIOs, IT, and Digital Transformation
Speaker’s Name, SAP Month 00, 2017
Reducing Cyber Exposure for the Modern Attack Surface
Secure & Unified Identity
BOMGAR REMOTE SUPPORT Karl Lankford
© 2016 Global Market Insights, Inc. USA. All Rights Reserved Fuel Cell Market size worth $25.5bn by 2024 Dynamic Application Security.
Making Information Security Manageable with GRC
Reducing Cyber Exposure for the Modern Attack Surface
Cyber Exposure – The Next Frontier
SAM Financial Services Cybersecurity Assessment
Reducing Cyber Exposure for the Modern Attack Surface
Healthcare Cloud Security Stack for Microsoft Azure
Research for Cyber Security Warwick University Industry Day 2018
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Innovative content & language solutions: Transforming digital.
Securing the Threats of Tomorrow, Today.
Panda Adaptive Defense Platform and Services
Healthcare Cloud Security Stack for Microsoft Azure
Healthcare Cloud Security Stack for Microsoft Azure
Healthcare Cloud Security Stack for Microsoft Azure
JOINED AT THE HIP: DEVSECOPS AND CLOUD-BASED ASSETS
The People Ready Vision for Business in the Enterprise
MAZARS’ CONSULTING PRACTICE
The MobileIron® Threat Detection difference:
Technology Convergence
Managing IT Risk in a digital Transformation AGE
KEY INITIATIVE Financial Data and Analytics
Microsoft Data Insights Summit
KEY INITIATIVE Financial Data and Analytics
Healthcare Cloud Security Stack for Microsoft Azure
Healthcare Cloud Security Stack for Microsoft Azure
Counter APT Counter APT HUNT operations combine best of breed endpoint detection response technology with an experienced cadre of cybersecurity experts.
IT Management Services Infrastructure Services
The Intelligent Enterprise and SAP Business One
Cybriant Partner Partner Program White Label Materials
Presentation transcript:

Cyber Exposure – The Next Frontier Elizabeth Leon and Timothy Yungwirth

TOPICS Today’s IT is creating a cyber exposure gap Who’s affected? How to reduce your cyber exposure gap

Today’s IT is Creating a Cyber Exposure Gap

Digital Transformation is Accelerating Every organization is transforming into an information organization Putting pressure on every function to innovate and operate faster “Bold, tightly integrated digital strategies will be the biggest differentiator between companies that win and companies that don’t.” – McKinsey & Co.

How Are You Responding? What is the organization’s digital strategy? How is Security enabling that strategy?  

The Attack Surface is Expanding IoT Industrial IoT ICS/SCADA Enterprise IoT Cloud Cloud Container Web app Virtual machine Mobile Laptop IT Server Desktop Network infrastructure

Creating a Cyber Exposure Gap IoT Industrial IoT ICS/SCADA Enterprise IoT Cloud Cloud Container Web app Virtual machine Mobile Laptop IT Server Desktop Network infrastructure

Cyber Exposure is an emerging discipline for: Managing and measuring your modern attack surface to accurately understand and reduce your cyber risk

Why? Discovering Short-Lived Assets is Hard Traditional: Servers Modern: Containers Request Deploy Patch Retire

Why? Assessing State of Cloud Environments is Hard Visibility 8% ...companies that know the scope of shadow IT at their organizations, according to a survey by the Cloud Security Alliance Compliance 48% ...of organizations store some sensitive data, like employee records, in the cloud according to a SANS Security in the Cloud report Consistency 31% … of respondents in the same SANS report found poor configuration practices in place due to applications being spun up quickly

Why? Maintaining Application Security is Hard Number of web applications with at least ONE vulnerability1: 99.7% Average number of web application vulnerabilities2: 3 Average time to fix web application vulnerabilities2: Critical Risk: 129 days High Risk: 196 days Sources: TechRepublic, “Report: 99.7% of web apps have at least one vulnerability,” June 20, 2017 White Hat Security, “2017 Application Security Statistics Report,” July 2017

Who’s Affected?

New Stakeholders and Asset Owners Will Impact an Organization’s Cyber Exposure OT / IoT Cloud Container OT Manager, Engineer Line of Business DevOps OT assets are becoming an expansive attack surface Shadow IT and cloud assets are creating a huge blind spot DevOps velocity requires new security approaches

Security Teams Need to Provide Strategic Insight and Manage Risk Across The Organization Reduce risk across a growing modern attack surface Security Director OT Manager, Engineer DevOps Increase SOC efficiency Maintain regulatory compliance Line of Business Secure DevOps processes Decrease costs to fix defects Protect brand equity Gain strategic decision support on risk

How to Reduce Your Cyber Exposure Gap

Addressing the Full Cyber Exposure Lifecycle Discover Identify and map every asset for visibility across any computing environment Measure Assess Model and analyze cyber exposure to make better business and technology decisions Understand the state of all assets, including vulnerabilities, misconfigurations and other health indicators IoT OT Cloud IT Fix Analyze Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique Understand exposures in context, to prioritize remediation based on asset criticality, threat context and vulnerability severity

Discover Every Asset server desktop laptop mobile virtual public cloud web app container

Active Scanning + Additional Data Sensors Agent Scanning Endpoint Networks Active Scanning Intelligent Connectors Web Mobile Cloud Image Registry Continuous Monitoring Containers Virtual

Assess the Current State, Including Misconfigurations Various sources such as CIS, DISA, USGBC, and vendor supplied best practice guides Examples: https://www.cisecurity.org/benchmark/amazon_web_services/ https://www.cisecurity.org/benchmark/docker/ Educate other stakeholders Review regularly

Assessment Extends Beyond CVEs To Include Application Vulnerabilities The OWASP Top 10 A1 A2 A3 A4 A5 XSS INJECTION (SQL, XXE & LDAP) BROKEN AUTH AND SESSION MANAGEMENT CROSS SITE SCRIPTING (XSS) BROKEN ACCESS CONTROL SECURITY MISCONFIGURATION A6 A7 A8 A9 A10 CSRF API SENSITIVE DATA EXPOSURE INSUFFICIENT ATTACK PROTECTION CROSS SITE REQUEST FORGERY COMPONENT VULNERABILITIES UNDERPROTECTED API

Analyze to Prioritize Remediation Based on Context: Cloud Services Example All cloud services are not created equal Cloud data or sensitive data? What data could be shared? Visible? What’s interacting with the cloud service? What subnets is it connecting to? Configuration issues?

Prioritize What to Fix Why reduce cyber exposure? Attack surface hardening Asset inventory Patch auditing

Prevent Vulnerabilities By Fixing Vulnerabilities Prior to Deployment Integrate security into the DevOps toolchain Identify and remediate vulnerabilities before they are exploitable Ensure all assets are secure and compliant before production

Category Description Goal Example Metric Attack surface hardening How exposed is my organization? Make attack surface as small as possible % exploitable vulnerabilities on internet-facing systems Asset inventory Do I know what needs protecting? Effectiveness at collecting accurate accounting of vulnerabilities – including for systems that require credentials % of systems discovered vs scanned in last 30 days Patch auditing Are my systems up to date? Effectiveness of patch process for security, feature/functionality, and warranty needs % of systems patched in last 30 days

Summary Assess Analyze Fix Measure IoT OT Cloud IT Discover Modern computing today is made up of both traditional and modern assets Don’t let either increase your cyber exposure Follow an operational security lifecycle: Discover – Assess – Analyze – Fix – Measure    

Technology Leadership Why Tenable 8 Technology Leadership Creator of Nessus and relentless innovator advancing modern cybersecurity – from IT to cloud to IoT and OT Singular Vision #1 Vulnerability Management technology in the world, pioneering Cyber Exposure to help customers measure & reduce cybersecurity risk Customer Commitment Complete dedication to our customers’ success – every day, in all we do

Top 10 US Financial Institutions Tenable at a Glance Founded in 2002 Exploded with the widespread adoption of Nessus and later, SecurityCenter Released Tenable.io in 2017 to introduce the first cyber exposure platform and evolve vulnerability management Relentless innovator: “Tenable has [massive] brand equity with Nessus, yet [is] one of the most forward-thinking companies in VM.” – Forrester, 2017 24,000+ Customers 1.6M Global Users 800+ Employees 50% 100% 80% Fortune 500 Top 10 US Tech Companies Top 10 US Financial Institutions

If you are flying blind to a widening Cyber Exposure Gap, that’s just untenable.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.