Published by Θεμιστοκλῆς Αυγερινός. Modified over 6 years ago.
1
Reducing Cyber Exposure for the Modern Attack Surface
Alexander Crepas, Channel SE
2
Welcome

TOPICS
Today’s IT is creating a cyber exposure gap
Who’s affected?
Reducing the cyber exposure gap

We’ve divided this presentation into three sections: How today’s IT landscape is transforming into something traditional vulnerability management solutions can’t handle, and how that’s creating a gap in organizations’ cyber exposure. We’ll talk about how that affects those who have traditionally been responsible for vulnerability management, as well as how it introduces new stakeholders. We’ll share some techniques and ideas on how to reduce this cyber exposure gap, working with both traditional and new partners.
3
Today’s IT is Creating a Cyber Exposure Gap
4
Digital Transformation is Accelerating
Every organization is transforming into an information organization
Putting pressure on every function to innovate and operate faster
“Bold, tightly integrated digital strategies will be the biggest differentiator between companies that win and companies that don’t.” – McKinsey & Co.

Digital transformation is a reality for every organization today – no matter the industry or size, in commercial or public sector. From cloud adoption that unleashes on-demand scalability, to industrial IoT that unlocks new revenue opportunities, to DevOps approaches that accelerate innovation, to new customer touchpoints that deepen customer relationships. But this accelerating adoption of technology puts pressure on every function – including IT Security. Without strong internal collaboration, new technologies and processes expose the organization to more cybersecurity risk than ever. (Here’s a good article with examples of digital transformation across various industries: )
5
How Are You Responding? What is the organization’s digital strategy?
How is Security enabling that strategy? What are the major digital initiatives your organization is pursuing today? (pause for discussion) What consequences do those initiatives have for IT Security? How is Security enabling those initiatives? What challenges do you face in enabling them?
6
Creating Massive Exposure for Every Organization
IoT, Cloud, Industrial IoT, IT Cloud, Laptop, Mobile, Server, Network Infrastructure, Web App, ICS / SCADA, Desktop, Virtual Machine, Container, Enterprise IoT

Many security teams tell us their greatest challenge is simply seeing all the assets in their environment. This is difficult because legacy security tools and approaches have not kept up with new technologies adopted by IT and Line of Business. Adversaries now have a much larger attack surface to probe and attack you across. Think of your security team standing on the left side of this graphic looking out into the distance – and struggling to track the organization’s laptops, cloud deployments, containers, IoT assets, and more. However, adversaries can see everything and will attack wherever they find a weak link. It’s a hacker’s playground and it’s growing every day. Many organizations are anxious about how to get their arms around this problem. They don’t know what they don’t know. They don’t have the right tools to help them. This directly drives up the cybersecurity risk to the business.
7
Legacy Approaches Cannot Keep Pace
The result is a Cyber Exposure gap. The CEO and board want to know: How big is our cybersecurity risk? Where does it reside? Are we reducing it fast enough?

Current approaches have fallen behind the modern attack surface, and are falling further behind every day. The distance between what legacy tools provide and what security teams need today creates the cyber exposure gap. This gap creates cyber risk. This gap is what Tenable is committed to solving.
8
Why? Discovering Short-Lived Assets is Hard
Traditional: Servers Modern: Containers Request Deploy Patch Retire
9
Why? Assessing State of Cloud Environments is Hard
Visibility: 8% ...companies that know the scope of shadow IT at their organizations, according to a survey by the Cloud Security Alliance
Compliance: 48% ...of organizations store some sensitive data, like employee records, in the cloud, according to a SANS Security in the Cloud report
Consistency: 31% ...of respondents in the same SANS report found poor configuration practices in place due to applications being spun up quickly

For a second example, let’s look at cloud infrastructure. Organizations continue to adopt more and more cloud services. Amazon Web Services leads the way, with Microsoft Azure, Google Cloud Services and many other providers all offering various services. For most, the benefits of cloud infrastructure are well known: flexibility, ease of deployment, ease of maintenance. The long-held concern that cloud is less secure than on-prem is fading. Gartner recently reported at their Risk & Security Summit that there’s growing confidence in the security of public cloud computing. That said, there are unique cloud security challenges. The slide shows three from a Cloud Security Spotlight Report from earlier in 2017 that come up consistently: visibility, compliance, and setting consistent security policies. Why do people consistently call these out as security challenges?

Visibility: While cloud instances, like containers, can be short-lived, they also pose a visibility challenge because you may not know about them at all if they’re shadow assets. It’s so easy for anyone in the organization to spin up their own cloud instances. According to a survey last year from the Cloud Security Alliance, only 8% of companies feel they have a good handle on the scope of Shadow IT.

Compliance: Most cloud providers have a shared security model where the vendor is responsible for some aspects of security and the consumer for others, but consumers might not always know the details of the shared responsibility, or the cloud provider might not document all the details. If that’s the case, how can a cloud consumer know that what they’re doing in the cloud complies with the regulations they fall under? And with more organizations storing sensitive data in the cloud, like the 48% noted in the SANS Security in the Cloud report, those organizations may or may not be complying with the appropriate handling of that data.

Set & Measure:
10
Why? Maintaining Application Security is Hard
Number of web applications with at least ONE vulnerability [1]: 99.7%
Average number of web application vulnerabilities [2]: 3
Average time to fix web application vulnerabilities [2]: Critical Risk: 129 days; High Risk: 196 days

Sources:
[1] TechRepublic, “Report: 99.7% of web apps have at least one vulnerability,” June 20, 2017
[2] White Hat Security, “2017 Application Security Statistics Report,” July 2017
11
Who’s Affected?
12
New stakeholders and asset owners will impact an organization’s Cyber Exposure
OT / IoT (OT Manager, Engineer): OT assets are becoming an expansive attack surface
Cloud (Line of Business): Shadow IT and cloud assets are creating a huge blind spot
Container (DevOps): DevOps velocity requires new security approaches
13
Security teams need to provide strategic insight and manage risk across the organization
Reduce risk across a growing modern attack surface Security Director OT Manager, Engineer DevOps Increase SOC efficiency Maintain regulatory compliance Line of Business Secure DevOps processes Decrease costs to fix defects Protect brand equity Gain strategic decision support on risk
14
Reduce the Cyber Exposure Gap
So far, we’ve talked about how modern assets are changing your IT landscape and also about the people who contribute to it. Let’s close out today by sharing a few ideas on how to protect this modern attack surface by reducing the cyber exposure gap.
15
The Operational Lifecycle
DISCOVER: Identify and map every asset across any environment. From here you can baseline the current and desired operational state.
ASSESS: With every change, automatically assess the current state against the baseline state of the environment, including misconfigurations, vulnerabilities and other key indicators of security health, such as out of date antivirus or high risk users.
FIX: Prioritize which exposures to fix first, if at all, and select the appropriate remediation technique, whether it’s a temporary security control or a complete fix.
ANALYZE: Add context to the asset’s exposure to prioritize remediation based on the asset’s business criticality and the severity of the vulnerability.

We’re going to use this operational lifecycle of cyber exposure framework for discussion:
Discover: Continuously track any asset on any computing platform, through a single solution
Assess: See any type of exposure on the asset
Analyze: Understand the true risk of the exposure based on asset context
Fix: Use remediation guidance and integration with other systems to ensure exposures are properly addressed
16
Discover Every Asset: server, desktop, laptop, mobile, virtual, public cloud, web app, container

Earlier, we talked about how the modern attack surface, and assets like cloud instances, containers, mobile devices, IoT devices and more, are creating a cyber exposure gap. Maybe that’s because we don’t know about them, we’re not assessing everything important to them, or we’re not doing our assessments from the right perspective. To get more visibility into these modern assets, we need to look at new techniques to identify and assess them.
17
Active Scanning + Additional Data Sensors
Agent Scanning (Endpoint), Active Scanning (Networks), Intelligent Connectors (Web, Mobile, Cloud, Image Registry), Continuous Monitoring (Containers, Virtual)

For many years, discovering and assessing assets was the domain of active scanning. With modern assets, additional data sensors can bring greater visibility. For example: agents to assess hard-to-scan assets; connectors that automatically pull information from cloud providers or complementary solutions; continuous monitoring of network data; image registry information. Bringing more data sensors means being able to collect more data and get a more complete picture of your cyber exposure.
18
Assess the Current State, Including Misconfigurations
Various sources such as CIS, DISA, USGCB, and vendor supplied best practice guides
Examples:
Some guidelines to follow:
Involve others
Educate other stakeholders
Review standard
Review regularly

With modern assets, like traditional assets, it’s important to assess for more than just software flaws. Assessing for secure configurations is also important, maybe even more important with some modern assets. If we go back to the conversation about cloud security challenges, more than 1/3 of SANS report respondents said they had cloud configuration issues because applications were being spun up quickly. Some good news is that CIS and other organizations that help with security baselines have introduced or are working on secure configuration guidelines for modern assets like Docker, Amazon Web Services and others. You can strictly follow these or develop your own minimum security baseline.
19
Assessment extends beyond CVEs to include application vulnerabilities
The OWASP Top 10
A1 Injection (SQL, XXE & LDAP)
A2 Broken Authentication and Session Management
A3 Cross Site Scripting (XSS)
A4 Broken Access Control
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Insufficient Attack Protection
A8 Cross Site Request Forgery (CSRF)
A9 Component Vulnerabilities
A10 Underprotected API
20
All cloud services are not created equal
Analyze to Prioritize Remediation Based on Context: Cloud Services Example
Cloud data or sensitive data? What data could be shared? Visible?
What’s interacting with the cloud service? What subnets is it connecting to? Configuration issues?

The context of assets is as important in modern computing environments as it has been in traditional environments. Answering questions about the type of data in the asset and what could be shared, as well as understanding what parts, if any, of your internal network the cloud service is interacting with, can help with prioritizing remediation of issues in cloud services. In just the past few months, organizations using Amazon services have run into issues with AWS S3 config issues. US Veteran data has been exposed, Time Warner Cable exposed 4 million customer records, and 1.8 million Chicago voter records were exposed. Once you start discovering what cloud services are in your environment, analyzing them to understand what they’re doing and then setting the appropriate assessments for them can help avoid issues like these.
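The S3 incidents above, and the earlier point about assessing cloud configuration against a baseline rather than only scanning for software flaws, both come down to one check: does a bucket’s policy or ACL grant access to anonymous or any-AWS-account principals? The script below is an added example, not part of the presentation and not Tenable’s code. It evaluates bucket-policy JSON and ACL grants in the shape the S3 API returns them, so it runs offline on constructed samples; the function names, the sample policy, the account id and the VPC endpoint id are the author’s assumptions.

```python
"""Flag S3 bucket policies and ACL grants that allow anonymous access.

Added example (not Tenable's code): a pure-Python audit that evaluates
bucket-policy JSON and ACL grants as the S3 API returns them, so it runs
offline on constructed samples.  Function names are the author's.
"""
import json

# Principal values that mean "anyone" in an IAM policy document.
PUBLIC_PRINCIPALS = ({"AWS": "*"}, "*")
# ACL grantee groups that mean "anyone" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_policy_statements(policy):
    """Return Allow statements whose Principal is '*' and that carry no Condition.

    A Condition (for example aws:SourceVpce) narrows who can use the grant,
    so such statements are skipped here and left for manual review.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        if stmt.get("Condition"):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


def public_acl_grants(grants):
    """Return ACL grants made to the AllUsers / AuthenticatedUsers groups."""
    return [
        {"grantee": g["Grantee"]["URI"], "permission": g["Permission"]}
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    ]


def audit_bucket(name, policy, grants):
    """Combine both checks into one finding record for a bucket."""
    return {
        "bucket": name,
        "public_policy": public_policy_statements(policy),
        "public_acl": public_acl_grants(grants),
    }


# Constructed sample: one world-readable statement, one statement restricted
# to a VPC endpoint (not flagged), one owner-only statement, plus an ACL
# that lets anyone list the bucket.  Account and endpoint ids are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_GRANTS), indent=2))
```

On the sample the audit reports the PublicRead statement and the AllUsers READ grant, and stays quiet about the endpoint-restricted statement. In a real inventory the policy and ACL documents would come from the bucket’s get-policy and get-acl calls, one bucket per record, and the findings would feed the analysis step that weighs what data the bucket holds.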
21
Prioritize What to Fix Why reduce cyber exposure?
Attack surface hardening
Asset inventory
Patch auditing

Prioritizing what to fix starts by asking these two questions: Why does your organization want to reduce cyber exposure … or in other words, what is the goal of your vuln management program? How will you measure and display it? Let’s move to the next slide to share a few ideas. Our suggestion on prioritizing what to fix is to include modern assets in your prioritization … Once you discover them, then assess and analyze their potential impact on your organization’s cyber exposure; don’t treat them as separate or more/less important than any other assets. You should consider them as part of your IT landscape.
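The Analyze and Fix stages of the operational lifecycle described earlier, and the cloud-services context questions on the previous slide, both say that severity alone does not decide what to fix first; asset context does. The script below is an added example, not part of the presentation and not Tenable’s code: it scales a finding’s base severity by business criticality, internet exposure, sensitive data and exploit availability, and ranks the results. The weights, the asset fields and the sample records are the author’s assumptions, and the CVE identifiers are left as placeholders.

```python
"""Rank exposures by combining severity with asset context.

Added example, not from the presentation or from Tenable: one way to carry
out the Analyze and Fix stages of the operational lifecycle.  The weights,
the asset fields and the sample records are the author's assumptions.
"""
from dataclasses import dataclass

# Assumed multipliers applied to the base severity.  Tune them to the
# organization's own risk appetite; the shape of the calculation is the point.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}
EXPOSURE_WEIGHT = {"internal": 1.0, "internet": 1.6}
SENSITIVE_DATA_WEIGHT = 1.3   # regulated or customer data on the asset
EXPLOIT_WEIGHT = 1.4          # public exploit, or a trivially reachable misconfiguration


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # server, container, cloud service, web app, ...
    criticality: str       # business criticality: low / medium / high / critical
    exposure: str          # "internal" or "internet"
    sensitive_data: bool


@dataclass(frozen=True)
class Exposure:
    asset: Asset
    finding: str           # CVE id or misconfiguration name
    severity: float        # CVSS base score for a CVE; assigned 0-10 for a misconfiguration
    exploit_available: bool
    fix: str               # patch, configuration change or compensating control


def risk_score(e):
    """Base severity scaled by the asset's business context and exposure."""
    score = e.severity
    score *= CRITICALITY_WEIGHT[e.asset.criticality]
    score *= EXPOSURE_WEIGHT[e.asset.exposure]
    if e.asset.sensitive_data:
        score *= SENSITIVE_DATA_WEIGHT
    if e.exploit_available:
        score *= EXPLOIT_WEIGHT
    return round(score, 2)


def prioritize(exposures):
    """Return (score, exposure) pairs, most urgent first."""
    return sorted(((risk_score(e), e) for e in exposures),
                  key=lambda pair: pair[0], reverse=True)


# Constructed sample data; CVE identifiers are deliberately left as placeholders.
BUCKET = Asset("customer-exports", "cloud service", "high", "internet", True)
DEV_CONTAINER = Asset("ci-runner", "container", "low", "internal", False)
PORTAL = Asset("customer-portal", "web app", "high", "internet", True)
FILE_SERVER = Asset("hr-files", "server", "medium", "internal", True)

SAMPLE_EXPOSURES = [
    Exposure(DEV_CONTAINER, "critical RCE in base image (placeholder CVE)", 9.8, True, "rebuild image"),
    Exposure(BUCKET, "bucket policy allows anonymous GetObject", 7.5, True, "remove public statement"),
    Exposure(PORTAL, "stored XSS in profile page (placeholder CVE)", 6.5, False, "patch application"),
    Exposure(FILE_SERVER, "SMB RCE, vendor patch available (placeholder CVE)", 8.8, True, "apply vendor patch"),
]

if __name__ == "__main__":
    for score, e in prioritize(SAMPLE_EXPOSURES):
        print(f"{score:6.2f}  {e.asset.name:18} {e.finding}  -> {e.fix}")
```

Run on the sample, the public bucket holding customer data ranks first and the 9.8-severity flaw in an internal, low-criticality build container ranks last, which is the point of the slide: a modern asset is prioritized by the same context rules as any other, not by its CVSS score alone.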
22
Prevent vulnerabilities by fixing vulnerabilities prior to deployment
Integrate security into the DevOps toolchain Identify and remediate vulnerabilities before they are exploitable Ensure all assets are secure and compliant before production
23
Category: Attack surface hardening
Description: How exposed is my organization?
Goal: Make attack surface as small as possible
Example Metric: % exploitable vulnerabilities on internet-facing systems

Category: Asset inventory
Description: Do I know what needs protecting?
Goal: Effectiveness at collecting accurate accounting of vulnerabilities – including for systems that require credentials
Example Metric: % of systems discovered vs scanned in last 30 days

Category: Patch auditing
Description: Are my systems up to date?
Goal: Effectiveness of patch process for security, feature/functionality, and warranty needs
Example Metric: % of systems patched in last 30 days

Here’s some detail on how you might measure whether or not you’re meeting the goals suggested on the previous slide. The first idea on the slide here is Attack Surface Hardening, making your attack surface as small as possible. If that goal makes sense, you can track metrics like the percent of exploitable systems that are internet facing. Again going back to part 1 of our conversation today, your organization might decide to implement the 5 Critical Controls and have an initial goal of ensuring you inventory all assets so you know what needs protecting. Here, a metric like % of systems discovered vs scanned in the past XX days is one you could track and focus on. A final idea, and one that many customers focus on, is Patch auditing: making sure systems are up to date. One metric to track effectiveness for this goal is the % of systems that are patched in the past 30 days. These goals don’t have to be mutually exclusive … you might have one or more of them for your organization. Or you might start with one and add others as it makes sense.
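The three example metrics in the table are easy to state and easy to get subtly wrong, in particular the asset-inventory one, whose goal mentions systems that require credentials: a scan that ran in the window but whose credentials failed should not count as an accurate accounting of that host. The script below is an added example, not part of the presentation and not Tenable’s code, that computes all three over a small inventory. The record fields (internet_facing, requires_credentials, credentialed, last_scan, last_patch, vulns), the fixed reference date and the sample hosts are the author’s constructed assumptions.

```python
"""Compute the three example metrics from the slide over an asset inventory.

Added example, not from the presentation or from Tenable: the inventory
fields and the sample records are constructed assumptions so the script
runs offline.
"""
from datetime import date, timedelta

TODAY = date(2017, 10, 1)      # fixed reference date so results are reproducible
WINDOW = timedelta(days=30)    # the slide's "last 30 days"


def within_window(day, today=TODAY, window=WINDOW):
    """True when the date exists and falls inside the reporting window."""
    return day is not None and timedelta(0) <= today - day <= window


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def attack_surface_hardening(systems):
    """% of vulnerabilities on internet-facing systems that are exploitable."""
    exposed = [v for s in systems if s["internet_facing"] for v in s["vulns"]]
    return pct(sum(1 for v in exposed if v["exploitable"]), len(exposed))


def asset_inventory(systems, today=TODAY):
    """% of discovered systems assessed inside the window.

    For a system that requires credentials the scan only counts when the
    credentialed check succeeded; an unauthenticated scan of such a host
    does not give an accurate accounting of its vulnerabilities.
    """
    def assessed(s):
        return within_window(s["last_scan"], today) and (
            not s["requires_credentials"] or s["credentialed"])
    return pct(sum(1 for s in systems if assessed(s)), len(systems))


def patch_auditing(systems, today=TODAY):
    """% of systems that received patches inside the window."""
    return pct(sum(1 for s in systems if within_window(s["last_patch"], today)),
               len(systems))


def metrics(systems, today=TODAY):
    """All three metrics in one report dictionary."""
    return {
        "attack_surface_hardening": attack_surface_hardening(systems),
        "asset_inventory": asset_inventory(systems, today),
        "patch_auditing": patch_auditing(systems, today),
    }


# Constructed sample inventory (hostnames, dates and finding ids are illustrative).
SAMPLE_SYSTEMS = [
    {"name": "web-01", "internet_facing": True, "requires_credentials": True,
     "credentialed": True, "last_scan": date(2017, 9, 25), "last_patch": date(2017, 9, 20),
     "vulns": [{"id": "finding-1", "exploitable": True}, {"id": "finding-2", "exploitable": False}]},
    {"name": "api-gw", "internet_facing": True, "requires_credentials": True,
     "credentialed": False,    # scan ran inside the window, but the credentials failed
     "last_scan": date(2017, 9, 28), "last_patch": date(2017, 8, 15),
     "vulns": [{"id": "finding-3", "exploitable": True}, {"id": "finding-4", "exploitable": True}]},
    {"name": "db-01", "internet_facing": False, "requires_credentials": True,
     "credentialed": True, "last_scan": date(2017, 9, 30), "last_patch": date(2017, 9, 29),
     "vulns": [{"id": "finding-5", "exploitable": True}]},
    {"name": "shadow-vm", "internet_facing": True, "requires_credentials": False,
     "credentialed": False, "last_scan": None, "last_patch": None,   # found via a connector, never scanned
     "vulns": []},
    {"name": "build-agent", "internet_facing": False, "requires_credentials": False,
     "credentialed": False, "last_scan": date(2017, 8, 20), "last_patch": date(2017, 9, 10),
     "vulns": [{"id": "finding-6", "exploitable": False}]},
]

if __name__ == "__main__":
    for key, value in metrics(SAMPLE_SYSTEMS).items():
        print(f"{key}: {value}%")
```

On the sample, 75.0% of the vulnerabilities on internet-facing hosts are exploitable, only 40.0% of discovered systems were properly assessed in the window (api-gw is excluded because its credentialed scan failed, shadow-vm because it was never scanned), and 60.0% of systems were patched in the window. Hosts like shadow-vm, discovered through a connector but never scanned, are exactly the gap the inventory metric is meant to surface.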
24
Summary
Modern computing today is made up of both traditional and modern assets
Don’t let either increase your cyber exposure
Follow an operational security Discover – Assess – Analyze – Fix lifecycle
25
Why Tenable Technology Leadership Singular Vision Customer Commitment
Technology Leadership: Creator of Nessus and relentless innovator advancing modern cybersecurity – from IT to cloud to IoT and OT
Singular Vision: #1 Vulnerability Management technology in the world, pioneering Cyber Exposure to help customers measure & reduce cybersecurity risk – from operations to the CXO
Customer Commitment: Complete dedication to our customers’ success – every day, in all we do

Why am I here today talking about reducing cyber exposure in modern computing environments? It’s because it’s a topic that my employer, Tenable, is passionate about. If you’re not familiar with Tenable, here’s a bit about us: We’re a technology leader – you might know us from our Nessus roots. Our roots are in vulnerability management, but we see a greater need in the area of cyber exposure to help our customers protect their environments. And we’re 100% committed to our customers. We’re constantly working to improve our service to them.
26
Tenable at a Glance
Founded in 2002
Exploded with the widespread adoption of Nessus and later, SecurityCenter
Released Tenable.io in 2017 to introduce the first cyber exposure platform and evolve vulnerability management
Relentless innovator: “Tenable has [massive] brand equity with Nessus, yet [is] one of the most forward-thinking companies in VM.” – Forrester, 2017
23,000+ Customers; 1.6M Global Users; 800+ Employees
50% of the Fortune 500; 100% of the Top 10 US Tech Companies; 80% of the Top 10 US Financial Institutions

We’re a “fifteen year young” company with the wisdom of experienced security professionals, and the ambition of industry pioneers. From Nessus to SecurityCenter to Tenable.io, Tenable has defined and re-defined vulnerability management. With Cyber Exposure, we’re raising the bar and innovating even faster than ever – all so we can solve your hardest problems. We’re honored by the company we keep – including over half of the Fortune 500 and leading organizations in every industry and geography.