Post on 15-Jul-2020
www.cloudsec.com | #cloudsec
Find and Fix the Vulnerabilities Posing the Greatest Risk to Your Business
Robert Healey | Tenable APAC
Be on a mission that doesn’t suck
Today’s Big Problem
Measuring and Managing the Cyber Risks to Business Operations Report, an independent study conducted by Ponemon Institute, Dec 2018.
The Problem (Summary)
ANYONE
Armed with the RIGHT TOOLS
And the knowledge of how to use them
Can QUICKLY and EASILY penetrate ANY TARGET
Solve the Right Problem
How do Attackers Attack?
● Locate a vulnerable system (e.g. Shodan.io)
● Attack target device with Malware (e.g. WannaCry)
● Take control, steal or encrypt data, cause chaos, etc
What is Malware & Ransomware?
Computer program written to use (exploit) a Vulnerability
What is a Vulnerability?
Software bug or weak point that can be exploited
• Operating System
• Hypervisor
• Application
• Database
• Javascript
• etc etc
Which Problem do You Want to Solve?
3 vulnerabilities
300 Malware families
30,000,000 Malware executable instances
Eliminate the Vulnerabilities
Solve the Right Problem
Ignore the Malware, Ransomware, Virus, Endpoint attack, etc etc etc
• Note - still need to Focus & Prioritise !
“Oh Really?”
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Through 2021, the single most impactful enterprise activity to improve security will be mitigating vulnerabilities
How do we do this?
Cyber Exposure
The discipline for managing and measuring cybersecurity risk in the digital era
BUSINESS CONTEXT & TRANSLATION
DATA SCIENCE DRIVEN INSIGHTS
BUSINESS KRIs & KPIs
The Four Key Questions
How are we reducing exposure over time?
Where are we exposed?
What should we focus on first?
How do we compare to our peers?
The Attack Surface is Expanding
Vulnerability Assessment
If I can discover it, I can remediate it
TRADITIONAL ASSETS
AD-HOC SCANNING
BASIC VISIBILITY
Innovating in Vulnerability Assessment
Active Scanning
Passive Scanning
On-Host Scanning
FIRST IN FIRST IN
Innovating in Vulnerability Assessment
Live Results
[Screenshot: live scan results table listing each finding with its severity (Critical, High, Medium, Low), name, plugin family (SSH, Samba, Web Servers, DNS Servers, Generic) and count]
Now available in
Vulnerability Management
An intelligent way to prioritize and remediate exposures
TRADITIONAL & MODERN ASSETS
PREDICTIVE PRIORITIZATION
AUTOMATED ASSESSMENT
Non-Traditional Assets
Innovating in Vulnerability Management
APPLICATIONS SOURCE CODE
IOT MOBILE
CONTAINERS
SERVERLESS
Critical Infrastructure
Industrial Security
ENERGY TRANSPORTATION
MANUFACTURING UTILITIES
16500+ VULNERABILITIES DISCLOSED IN 2018
59% of vulnerabilities disclosed in 2018 were rated critical or high.
Over 9,500+ Vulnerabilities
15% of vulnerabilities disclosed in 2018 were CVSS 9+
2,500 Vulnerabilities
7% of vulnerabilities disclosed had publicly available exploits
Over 1,100 Vulnerabilities
97% Reduction in vulnerabilities to be remediated
PREDICTIVE PRIORITIZATION
Innovation in Vulnerability Management
The 3% of vulnerabilities you need to focus on first.
Predictive Prioritization
Focus First On What Matters Most
VULNERABILITY PRIORITY RATING (VPR): Leverages machine learning and threat intelligence to reprioritize vulnerabilities based on real world risk
+
ASSET CRITICALITY RATING (ACR): Prioritize assets based on indicators of business value and criticality
* Gartner, A Guide to Choosing a Vulnerability Assessment Solution, Prateek Bhajanka, Mitchell Schneider, Craig Lawson, April 3, 2019.
“BY 2022, ORGANIZATIONS THAT USE THE RISK-BASED VULNERABILITY MANAGEMENT METHOD WILL SUFFER 80% FEWER BREACHES.*”
“Can you actually fix anything?”
Technology Ecosystem
• Cloud
• CMDB and Ticketing
• Security Analytics
• Identity and Access Management
• Mobile Device Management
• Network Access Control
Tenable & Trend Micro
● Scan & locate vulnerabilities
● Export Vuln Data via API
● Program Tipping Point IPS with Vuln Protection rules
“Virtual Patching”
THANK YOU
Robert Healey | Tenable APAC