Network Situational Awareness
Michael McKay, CISSP, CISA, Consulting Security Engineer
October 7, 2015
5 Steps to an Effective VM Program
“Organizations that operationally implement applicable IT controls through a vulnerability management program will achieve the strongest security posture.”
Step 1: Validate Network Address Space. Goal: Discover the entire scope of IP address space in use within the environment.
Step 2: Determine Network Edge. Goal: Understand the boundary of the network under management.
Step 3: Discover & Profile Endpoints. Goal: Understand the presence of all devices on the network.
Step 4: Identify Vulnerabilities. Goal: Evaluate and comprehend network vulnerabilities for remediation.
Step 5: Mitigate Risk. Goal: Remediate risks in priority order with patches/changes, or accept lesser risks.
Job 1—Know What You Don’t Know
A comprehensive network inventory is the prerequisite to effective security.
Device Discovery
Automate Critical Security Control 1
What’s on your network? What devices do you know about? What devices do you not know about?
Desktops, Servers, Firewalls, Net Devices, Wireless, Cloud / Hybrid, Virtualized
Application Discovery
Automate Critical Security Control 2
Inventory known and discover unknown applications on your network
Identify which ports are open on your network assets
Automatically tag assets with specific applications installed
Enable further automation by dynamically assigning rule sets
Detects 18k+ operating systems, applications & protocols
Tripwire IP360 Network Discovery and Host Profiling
Configurable Active Discovery of Defined Address Spaces
• ICMP
• TCP
• Port scans for TCP and UDP ports
• Identification of services and applications on open ports
• Credentialed access for deeper discovery of applications and other host info
• More than 2,800 operating systems
• More than 16,000 applications
• Precedes vulnerability testing
Tripwire IP360 permits unlimited host and application discovery.
Application-centric Vulnerability Detection
IIS 3.0 and 4.0 SSL "Error Message" Vulnerability
IIS 4 Redirect Remote Buffer Overflow Vulnerability
IIS 4 Web Server Available
IIS 4.0 IISADMPWD Proxied Password Attack
IIS 4.0/5.0 File Permission Canonicalization Vulnerability
IIS 4.0/5.0 Malformed File Extension DoS Vulnerability
IIS Administrative Pages Cross Site Scripting Vulnerabilities
IIS Chunked Encoding Transfer Heap Overflow Vulnerability
IIS Escape Character Parsing Vulnerability
IIS Failure To Log Undocumented TRACK Requests Vulnerability
Sendmail Address Prescan Memory Corruption Vulnerability
Sendmail DNS Map TXT Record Buffer Overflow Vulnerability
Sendmail File Locking Denial Of Service Vulnerability
Sendmail Header Processing Buffer Overflow Vulnerability
Sendmail Long Ident Logging Circumvention Weakness
Efficient, accurate, non-intrusive, and automated application inventory
Tripwire IP360: Unlimited Discovery, Licensed Vulnerability Scanning
Tripwire IP360: Focus
Information at your fingertips
A new browser vulnerability has application dependencies and no patch is available yet.
• Where are the clients on your network that are running the vulnerable browser with the application version?
• What application versions are running?
• Perimeter Networks?
• Datacenter?
• Internal Network?
Inventory of Authorized and Unauthorized Hardware and Software
Host Application Inventory
Network Discovery Challenges
Errors and Omissions in Network Definitions
• Incomplete/inaccurate network documentation
• Entry errors when defining Network Configurations
• Network additions and changes not communicated to vulnerability management
• Device Profiler and network connectivity issues
Unmanaged & Unsecured Devices
• BYOD & IPv6
Disappearing Network Edge
• Cloud & Mobility
Corporate Change
• M&A, Consolidation & Outsourcing
The End Result:
Up to 30% Gap in Network Visibility
“You can’t defend what you don’t know.”
Mark Orndorff, Director of Mission Assurance and Network Operations, Defense Information Systems Agency
The Gap – By the Numbers
Gap in Enterprise Visibility

Network Element            Government   Manufacturing   Financial   Technology
Assumed Device Count       ~150,000     ~60,000         ~800,000    ~100,000
Discovered Devices         ~170,000     89,860          842,400     ~114,000
Visibility Gap             ~12%         ~33%            ~5%         ~12%
Unknown Networks           3,278        24              771         433
Unauthorized Devices       520          n/a             n/a         2,026
Non-Responding Networks    33,256       4               16,828      45
Established VM Program     Yes          Yes             Yes         Yes
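The table above reports four kinds of finding from an address-space discovery scan: the visibility gap, unknown networks, unauthorized devices, and non-responding networks. The following added example (not code from the slides or from Tripwire or Lumeta) shows how a defender would derive those same figures by reconciling a documented inventory against discovery results. The address ranges, host lists and the "/24 or /64 per unknown network" grouping rule are constructed assumptions; the gap formula is (discovered − assumed) / discovered, which is the formula the slide's own percentages are consistent with.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample data (assumption, not from the slides):
# - the address space the organisation *believes* it operates (network documentation)
# - the devices it has formally authorised on that space (CMDB / asset inventory)
# - the hosts an active discovery scan actually answered from
DOCUMENTED_NETWORKS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]
AUTHORIZED_HOSTS = {"10.0.0.10", "10.0.0.11", "10.0.1.20", "192.168.50.5"}
DISCOVERED_HOSTS = [
    "10.0.0.10", "10.0.0.11",   # known and authorised
    "10.0.0.99",                # inside documented space, but not in the asset inventory
    "10.0.1.20", "192.168.50.5",
    "172.16.9.4", "172.16.9.7", # a network nobody documented
    "2001:db8::1",              # an unmanaged IPv6 host (the slides list IPv6 as a blind spot)
]


def visibility_gap(assumed: int, discovered: int) -> float:
    """Fraction of discovered devices that the assumed inventory did not account for.

    Matches the slide figures, e.g. (170,000 - 150,000) / 170,000 ~ 12%.
    A negative result (discovery found fewer than assumed) is clamped to 0.
    """
    if discovered <= 0:
        raise ValueError("discovered device count must be positive")
    return max(0.0, (discovered - assumed) / discovered)


@dataclass
class Reconciliation:
    unknown_networks: Set[str]          # networks with live hosts but no documentation entry
    unauthorized_devices: Set[str]      # hosts inside documented space but not in the inventory
    non_responding_networks: List[str]  # documented networks where discovery found nothing
    gap: float                          # visibility_gap(len(authorized), len(discovered))


def reconcile(documented: Iterable[str], authorized: Set[str],
              discovered: Iterable[str]) -> Reconciliation:
    """Compare documented space and authorised hosts against discovery results."""
    networks = [ipaddress.ip_network(n) for n in documented]
    hits: Dict[ipaddress._BaseNetwork, int] = {n: 0 for n in networks}
    unknown: Set[str] = set()
    unauthorized: Set[str] = set()
    discovered = list(discovered)

    for host in discovered:
        addr = ipaddress.ip_address(host)
        home = next((n for n in networks if addr.version == n.version and addr in n), None)
        if home is None:
            # Group undocumented hosts by a conventional subnet size so the report
            # lists *networks* rather than individual addresses (assumed grouping rule).
            prefix = 24 if addr.version == 4 else 64
            unknown.add(str(ipaddress.ip_network((addr, prefix), strict=False)))
        else:
            hits[home] += 1
            if host not in authorized:
                unauthorized.add(host)

    non_responding = [str(n) for n, count in hits.items() if count == 0]
    return Reconciliation(unknown, unauthorized, non_responding,
                          visibility_gap(len(authorized), len(discovered)))


def slide_gaps() -> Dict[str, int]:
    """Recompute the slide's 'Visibility Gap' row from its assumed/discovered counts."""
    counts = {"Government": (150_000, 170_000), "Manufacturing": (60_000, 89_860),
              "Financial": (800_000, 842_400), "Technology": (100_000, 114_000)}
    return {sector: round(visibility_gap(a, d) * 100) for sector, (a, d) in counts.items()}


if __name__ == "__main__":
    result = reconcile(DOCUMENTED_NETWORKS, AUTHORIZED_HOSTS, DISCOVERED_HOSTS)
    print(f"Unknown networks:        {sorted(result.unknown_networks)}")
    print(f"Unauthorized devices:    {sorted(result.unauthorized_devices)}")
    print(f"Non-responding networks: {result.non_responding_networks}")
    print(f"Visibility gap:          {result.gap:.0%}")
    print(f"Slide percentages:       {slide_gaps()}")
```

Each finding maps to a different remediation path: an unknown network is a documentation and change-control failure (the scan scope must be widened and the owner found), an unauthorized device is an inventory failure (the asset is either onboarded or removed), and a non-responding documented network is either stale documentation or a scanner connectivity problem, which is why the slide counts it separately rather than treating it as "secure".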
What Does the Gap Really Mean?
Network change and complexity outpacing policy and procedures
Organizations can only manage and secure what they know
How much risk does this gap introduce?
An effective Vulnerability Management strategy must incorporate comprehensive Network Situational Awareness in order to actively reduce overall risk.
How to Close the Network Discovery Gap
Integrate Vulnerability Management into Network and Systems Change Control Procedures
Perform Tripwire IP360 Discovery Scans for the entire Enterprise Address Space
• Challenging for highly-segmented networks or duplicated address ranges
Leverage additional data from other enterprise network discovery tools like Lumeta IPsonar
Configuring an Address Space Discovery Scan
Configuring an Address Space Discovery Scan
Define a Discovery-Only Network
The Tripwire Technology Alliance Program
A robust ecosystem of security technology partners to provide customers with complete solutions for advanced cyber threat protection.
Threat Intelligence: Blue Coat, Check Point, Cisco, CrowdStrike, iSIGHT Partners, Lastline, Palo Alto, Soltra
Analytics & SIEM: Agiliance, Allgress, Brinqa, CAaNES, HP, IBM, ID Experts, Kenna, LockPath, McAfee, netForensics, NetIQ, RSA, RSA-Archer, Solutionary, Splunk, Symantec, Trusted Integration
IT Service Management: BMC, CA, Cherwell Software, HP, IBM, Landesk, Microsoft, ServiceNow
Network Security: CAaNES, Certes Networks, Core Security, F5, FireMon, HP, IBM, Lancope, Lumeta, RedSeal, RSA, Skybox, SourceFire
Identity Management: Alert Enterprise, Centrify, CyberArk, Hitachi ID, Microsoft, Xceedium
Platform: Cisco, F5, HP, IBM, Intigua, Microsoft, NetApp, Novell, Oracle, Quantum, Red Hat, Sybase, VMware
Case Study: Lumeta / Tripwire Integration
Initial use case focused on closing the visibility gap
IPsonar discovers all available network space
IPsonar provides relevant host metadata
Intelligence delivered through open APIs to Tripwire IP360
Tripwire IP360 performs comprehensive host profiling and vulnerability scanning
Provides enterprise scalability and uncomplicated deployment
Implementation of additional integration and automation underway
Continuous Network Situational Awareness
The Foundation of Comprehensive Vulnerability Management
DISCOVER: Networks & Devices; Edge & Boundaries; Profiles & Vulnerabilities
COMPREHEND: Assess & Score; Prioritize & Trend; Visualization & Reporting
MITIGATE: Reduce Risk; Minimize Threat Surface; Prevent Intrusion
Tripwire / Lumeta Benefits
Eliminate Gaps in Network Intelligence
Maximize Visibility and Control
Enhance Security
Reduce Risk
tripwire.com | @TripwireInc
Thank you!