Find and Fix the Vulnerabilities Posing the Greatest Risk ... Tenable_Robert Healey.pdf ·...

Post on 15-Jul-2020


www.cloudsec.com | #cloudsec

Find and Fix the Vulnerabilities Posing the Greatest Risk to Your Business

Robert Healey | Tenable APAC


Be on a mission that doesn’t suck


Today’s Big Problem


Measuring and Managing the Cyber Risks to Business Operations Report, an independent study conducted by Ponemon Institute, Dec 2018.


The Problem (Summary)


ANYONE

Armed with the RIGHT TOOLS

And the knowledge of how to use them

Can QUICKLY and EASILY penetrate ANY TARGET


Solve the Right Problem

● Locate a vulnerable system (e.g. Shodan.io)

● Attack target device with Malware (e.g. WannaCry)

● Take control, steal or encrypt data, cause chaos, etc.

How do Attackers Attack?


Computer program written to use (exploit) a Vulnerability

What is Malware & Ransomware?


Software bug or weak point that can be exploited

What is a Vulnerability?


• Operating System

• Hypervisor

• Application

• Database

• JavaScript

• etc.

Which Problem do You Want to Solve?

3 vulnerabilities

300 Malware families

30,000,000 Malware executable instances

Eliminate the Vulnerabilities

Solve the Right Problem


Ignore the Malware, Ransomware, Virus, Endpoint attack, etc.

• Note: still need to Focus & Prioritise!


“Oh Really?”

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Through 2021, the single most impactful enterprise activity to improve security will be mitigating vulnerabilities


How do we do this?

Cyber Exposure

The discipline for managing and measuring cybersecurity risk in the digital era

BUSINESS CONTEXT & TRANSLATION

DATA SCIENCE DRIVEN INSIGHTS

BUSINESS KRIs & KPIs

The Four Key Questions

How are we reducing exposure over time?

Where are we exposed?

What should we focus on first?

How do we compare to our peers?

The Attack Surface is Expanding

Vulnerability Assessment

If I can discover it, I can remediate it

TRADITIONAL ASSETS

AD-HOC SCANNING

BASIC VISIBILITY

Innovating in Vulnerability Assessment

Active Scanning

Passive Scanning

On-Host Scanning

FIRST IN FIRST IN

Innovating in Vulnerability Assessment

Live Results

MEDIUM | OpenSSH < 5.7 Multiple Vulnerabilities | SSH | 6

CRITICAL | Samba 3.5/3.6x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 | Samba | 1

CRITICAL | Samba 3.x < 3.525 / 3.0.x < 4.0.25 / 4.1 | Samba | 6

HIGH | Apache 2.3<2.2.1 Multiple Vulnerabilities | Web Servers | 6

HIGH | Apache 2.3<2.2.20 Multiple Vulnerabilities | Web Servers | 5

HIGH | Apache 2.3<2.2.21 mod_porxy_aip Dos | Web Servers | 6

HIGH | Samba 3.0/3.6x < 3.0.25 / 3.0.x < 3.0.25 / 3.1.x < 3.1.17 | Samba | 7

MEDIUM | TLS Export-Grande Key Exchange Detection | Generic | 3

LOW | Recursive DNS Server Detection | DNS Servers | 6

LOW | Apache 4.5/3.6x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 | Web Servers | 12

LOW | Apache 3.5/3.6x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 | Web Servers | 4

MEDIUM | OpenSSH < 5.7 Multiple Vulnerabilities | SSH | 6

CRITICAL | Samba 3.x < 3.525 / 3.0.x < 4.0.25 / 4.1 | Samba | 8

HIGH | Apache 2.3<2.2.20 Multiple Vulnerabilities | Web Servers | 2

HIGH | Samba 3.0/3.6x < 3.0.25 / 3.0.x < 3.0.25 / 3.1.x < 3.1.17 | Samba | 3

LOW | Recursive DNS Server Detection | DNS Servers | 4

CRITICAL | Samba 3.5/3.6x < 3.6.25 / 4.0.x < 4.0.25 / 4.1.x < 4.1.17 | Samba | 2

Now available in

Vulnerability Management

An intelligent way to prioritize and remediate exposures

TRADITIONAL & MODERN ASSETS

PREDICTIVE PRIORITIZATION

AUTOMATED ASSESSMENT

Non-Traditional Assets

Innovating in Vulnerability Management

APPLICATIONS SOURCE CODE

IOT MOBILE

CONTAINERS

SERVERLESS

Critical Infrastructure

Industrial Security

ENERGY TRANSPORTATION

MANUFACTURING UTILITIES

16500+ VULNERABILITIES DISCLOSED IN 2018

59% of vulnerabilities disclosed in 2018 were rated critical or high.

Over 9,500+ Vulnerabilities

15% of vulnerabilities disclosed in 2018 were CVSS 9+

2,500 Vulnerabilities

7% of vulnerabilities disclosed had publicly available exploits

Over 1,100 Vulnerabilities


97% reduction in vulnerabilities to be remediated

PREDICTIVE PRIORITIZATION

Innovation in Vulnerability Management

The 3% of vulnerabilities you need to focus on first.

Predictive Prioritization

Focus First On What Matters Most

Leverages machine learning and threat intelligence to reprioritize vulnerabilities based on real world risk

VULNERABILITY PRIORITY RATING

VPR

+

Prioritize assets based on indicators of business value and criticality

ASSET CRITICALITY RATING

ACR

* Gartner, A Guide to Choosing a Vulnerability Assessment Solution, Prateek Bhajanka, Mitchell Schneider, Craig Lawson, April 3, 2019.


“BY 2022, ORGANIZATIONS THAT USE THE RISK-BASED VULNERABILITY MANAGEMENT METHOD WILL SUFFER 80% FEWER BREACHES.*”


“Can you actually fix anything?”


Cloud

CMDB and Ticketing

Security Analytics

Identity and Access Management

Mobile Device Management

Network Access Control

Technology Ecosystem

Tenable & Trend Micro


Scan & locate vulnerabilities

Export Vuln Data via API

Program Tipping Point IPS with Vuln Protection rules

“Virtual Patching”


THANK YOU

Robert Healey | Tenable APAC