Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber Exposure – The Next Frontier

Published byGervase Phillips Modified over 6 years ago

Similar presentations

Presentation on theme: "Cyber Exposure – The Next Frontier"— Presentation transcript:

1 Cyber Exposure – The Next Frontier
Elizabeth Leon and Timothy Yungwirth

2 TOPICS Today’s IT is creating a cyber exposure gap Who’s affected?
How to reduce your cyber exposure gap

3 Today’s IT is Creating a Cyber Exposure Gap

4 Digital Transformation is Accelerating
Every organization is transforming into an information organization Putting pressure on every function to innovate and operate faster “Bold, tightly integrated digital strategies will be the biggest differentiator between companies that win and companies that don’t.” – McKinsey & Co.

5 How Are You Responding? What is the organization’s digital strategy?
How is Security enabling that strategy?

6 The Attack Surface is Expanding
IoT Industrial IoT ICS/SCADA Enterprise IoT Cloud Cloud Container Web app Virtual machine Mobile Laptop IT Server Desktop Network infrastructure

7 Creating a Cyber Exposure Gap
IoT Industrial IoT ICS/SCADA Enterprise IoT Cloud Cloud Container Web app Virtual machine Mobile Laptop IT Server Desktop Network infrastructure

8 Cyber Exposure is an emerging discipline for:
Managing and measuring your modern attack surface to accurately understand and reduce your cyber risk

9 Why? Discovering Short-Lived Assets is Hard
Traditional: Servers Modern: Containers Request Deploy Patch Retire

10 Why? Assessing State of Cloud Environments is Hard
Visibility 8% ...companies that know the scope of shadow IT at their organizations, according to a survey by the Cloud Security Alliance Compliance 48% ...of organizations store some sensitive data, like employee records, in the cloud according to a SANS Security in the Cloud report Consistency 31% … of respondents in the same SANS report found poor configuration practices in place due to applications being spun up quickly

11 Why? Maintaining Application Security is Hard
Number of web applications with at least ONE vulnerability1: 99.7% Average number of web application vulnerabilities2: 3 Average time to fix web application vulnerabilities2: Critical Risk: 129 days High Risk: 196 days Sources: TechRepublic, “Report: 99.7% of web apps have at least one vulnerability,” June 20, 2017 White Hat Security, “2017 Application Security Statistics Report,” July 2017

12 Who’s Affected?

13 New Stakeholders and Asset Owners Will Impact an Organization’s Cyber Exposure
OT / IoT Cloud Container OT Manager, Engineer Line of Business DevOps OT assets are becoming an expansive attack surface Shadow IT and cloud assets are creating a huge blind spot DevOps velocity requires new security approaches

14 Security Teams Need to Provide Strategic Insight and Manage Risk Across The Organization
Reduce risk across a growing modern attack surface Security Director OT Manager, Engineer DevOps Increase SOC efficiency Maintain regulatory compliance Line of Business Secure DevOps processes Decrease costs to fix defects Protect brand equity Gain strategic decision support on risk

15 How to Reduce Your Cyber Exposure Gap

16 Addressing the Full Cyber Exposure Lifecycle
Discover Identify and map every asset for visibility across any computing environment Measure Assess Model and analyze cyber exposure to make better business and technology decisions Understand the state of all assets, including vulnerabilities, misconfigurations and other health indicators IoT OT Cloud IT Fix Analyze Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique Understand exposures in context, to prioritize remediation based on asset criticality, threat context and vulnerability severity

17 Discover Every Asset server desktop laptop mobile virtual public cloud
web app container

18 Active Scanning + Additional Data Sensors
Agent Scanning Endpoint Networks Active Scanning Intelligent Connectors Web Mobile Cloud Image Registry Continuous Monitoring Containers Virtual

19 Assess the Current State, Including Misconfigurations
Various sources such as CIS, DISA, USGBC, and vendor supplied best practice guides Examples: Educate other stakeholders Review regularly

20 Assessment Extends Beyond CVEs To Include Application Vulnerabilities
The OWASP Top 10 A1 A2 A3 A4 A5 XSS INJECTION (SQL, XXE & LDAP) BROKEN AUTH AND SESSION MANAGEMENT CROSS SITE SCRIPTING (XSS) BROKEN ACCESS CONTROL SECURITY MISCONFIGURATION A6 A7 A8 A9 A10 CSRF API SENSITIVE DATA EXPOSURE INSUFFICIENT ATTACK PROTECTION CROSS SITE REQUEST FORGERY COMPONENT VULNERABILITIES UNDERPROTECTED API

21 Analyze to Prioritize Remediation Based on Context: Cloud Services Example
All cloud services are not created equal Cloud data or sensitive data? What data could be shared? Visible? What’s interacting with the cloud service? What subnets is it connecting to? Configuration issues?

22 Prioritize What to Fix Why reduce cyber exposure?
Attack surface hardening Asset inventory Patch auditing

23 Prevent Vulnerabilities By Fixing Vulnerabilities Prior to Deployment
Integrate security into the DevOps toolchain Identify and remediate vulnerabilities before they are exploitable Ensure all assets are secure and compliant before production

24 Category Description Goal Example Metric Attack surface hardening How exposed is my organization? Make attack surface as small as possible % exploitable vulnerabilities on internet-facing systems Asset inventory Do I know what needs protecting? Effectiveness at collecting accurate accounting of vulnerabilities – including for systems that require credentials % of systems discovered vs scanned in last 30 days Patch auditing Are my systems up to date? Effectiveness of patch process for security, feature/functionality, and warranty needs % of systems patched in last 30 days

25 Summary Assess Analyze Fix Measure IoT OT Cloud IT Discover Modern computing today is made up of both traditional and modern assets Don’t let either increase your cyber exposure Follow an operational security lifecycle: Discover – Assess – Analyze – Fix – Measure

26 Technology Leadership
Why Tenable 8 Technology Leadership Creator of Nessus and relentless innovator advancing modern cybersecurity – from IT to cloud to IoT and OT Singular Vision #1 Vulnerability Management technology in the world, pioneering Cyber Exposure to help customers measure & reduce cybersecurity risk Customer Commitment Complete dedication to our customers’ success – every day, in all we do

27 Top 10 US Financial Institutions
Tenable at a Glance Founded in 2002 Exploded with the widespread adoption of Nessus and later, SecurityCenter Released Tenable.io in 2017 to introduce the first cyber exposure platform and evolve vulnerability management Relentless innovator: “Tenable has [massive] brand equity with Nessus, yet [is] one of the most forward-thinking companies in VM.” – Forrester, 2017 24,000+ Customers 1.6M Global Users 800+ Employees 50% 100% 80% Fortune 500 Top 10 US Tech Companies Top 10 US Financial Institutions

28 If you are flying blind to a widening Cyber Exposure Gap, that’s just untenable.

Download ppt "Cyber Exposure – The Next Frontier"

Similar presentations

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.

Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Dell Connected Security Solutions Simplify & unify.

Dell Connected Security Solutions Simplify & unify.
PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.

PATCH MANAGEMENT: Issues and Practical Solutions Presented by: ISSA Vancouver Chapter March 4, 2004.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan www.gilligangroupinc.com May, 2009.

Automating Enterprise IT Management by Leveraging Security Content Automation Protocol (SCAP) John M. Gilligan May, 2009.
© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.

© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.
Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.

Alert Logic Provides a Fully Managed Security and Compliance Solution Based in the Cloud, Powered by the Robust Microsoft Azure Platform MICROSOFT AZURE.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
IT Security – Scanning / Vulnerability Assessment David Geick State of Connecticut IT Security.

IT Security – Scanning / Vulnerability Assessment David Geick State of Connecticut IT Security.
Copyright © 2011 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Deconstructing API Security

Deconstructing API Security
Securing Java Applications

Securing Java Applications
© 2012 IBM Corporation IBM Security Systems 1 © 2012 IBM Corporation Cloud Security: Who do you trust? Martin Borrett Director of the IBM Institute for.

© 2012 IBM Corporation IBM Security Systems 1 © 2012 IBM Corporation Cloud Security: Who do you trust? Martin Borrett Director of the IBM Institute for.
Security Snapshot Assessment Maximizing Return on Security Investment What assets do we have? What is running on those assets? What is our risk level?

Security Snapshot Assessment Maximizing Return on Security Investment What assets do we have? What is running on those assets? What is our risk level?
ABOUT COMPANY Janbask is one among the fastest growing IT Services and consulting company. We provide various solutions for strategy, consulting and implement.

ABOUT COMPANY Janbask is one among the fastest growing IT Services and consulting company. We provide various solutions for strategy, consulting and implement.
SDN & NFV Driving Additional Value into Managed Services.

SDN & NFV Driving Additional Value into Managed Services.
Azure Stack Foundation

Azure Stack Foundation

Similar presentations

Ads by Google