Automating Critical Security Controls for Threat Remediation and Compliance
Center for Internet Security Top 20 Critical Security Controls
Best Practices for Automating the Top 20 Controls with Qualys Security Apps
Tim White, Director of Product Management, Qualys, Inc.
John Pescatore, SANS Senior Analyst
Cybersecurity Key Trends
• High visibility security incidents have greatly increased Board of Directors’ interest in cybersecurity
• That is not always a good thing…
• Business damage not just from breaches
• 80%+ of incidents are traced to lack of basic security hygiene
• Another way to look at it: Enterprises with mature inventory, visibility, configuration management and privilege management processes rarely make the news.
Source: PaloAlto Networks
Not Just Breaches - Ransomware
Source: Kaspersky
Cost of Downtime
• Hard costs of downtime range from $100/min to $6,000+/min
• Average outages range from 2.3 hours to 8+ hours, with multi-day outages frequent
• FedEx and Maersk claim $300M cost!
Source: AppDynamics
Cybercrime Growth
• Cybercrime impact is growing faster than most other forms of crime and fraud:
  • Identity theft for new account fraud
  • “Ransomware” – hold information hostage
  • Denial of service – hold Internet connection hostage
  • Industrial espionage
• The vast majority of asset misappropriation (insider threats) is enabled by IT vulnerabilities.
• Cybercrime attack techniques are often adopted by nation states.
Why Do Some Do Better Than Others?
• 980 breaches in 2016 (781 in 2015)
  • What did the other 9,020 of the F10000 do differently?
• On average, 36K records exposed per breach (average = 215K in 2015)
  • What did those who limited breach size do differently?
• Almost invariably, the organizations with the least cyber incident impact have the strongest CISOs and security teams.
Source: Identity Theft Resource Center
Defining a Strong Security Team/Program
• Mature = Effective and efficient
• Key indicators:
  • Basic security hygiene
  • Security Operations Center processes and tools
  • “Business Security Analysts”
  • Integration into procurement, M&A, supply chain decisions
  • Cross-industry participation
Cybersecurity Frameworks
Center for Internet Security Critical Security Controls
Basic Security Hygiene ROI Example
WannaCry
• On Friday May 12th 2017, several organizations were affected by a new ransomware strain.
• Attacks were very successful in part because it used an SMB vulnerability to spread inside networks – despite rumors, it was not phishing-driven.
• The vulnerability was patched by Microsoft in March for supported versions of Windows.
• The exploit, known under the name ETERNALBLUE, was released in April as part of a leak of NSA tools.
• Variants were quickly seen spreading.
Petya/NotPetya
• Petya was ransomware with weak encryption that hit in March 2016, mostly delivered via emailed Dropbox links.
• On 27 June 2017, European power companies, banks and airports began being hit by wiper/ransomware that seemed related to Petya but wasn’t.
• Later reports indicated a compromised Ukrainian tax software package (MEDoc) update was the major infection vector.
• Spread using EternalBlue, Mimikatz, WMI and PsExec.
Locky/Dropbox
Source: SANS Internet Storm Center
Lessons Learned – Top Level
• Phishing dominates, but not 100%
• Basic security hygiene still matters:
  • Patching/Vulnerability Management (Critical Security Control 1, 4)
  • Turn off unneeded services/block at boundary (CSC 9, 12)
  • Network segmentation (CSC 4, 12)
  • Backup (CSC 10)
  • AppSec (CSC 18)
• Special Issues
  • Detecting and monitoring accepted use of outdated operating systems – legacy apps, appliances, embedded systems
  • Excrement hits the ventilator differently for ransomware vs. breach or DDoS
  • Tabletop exercises to walk through detect/react/contain/restore
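The "turn off unneeded services / block at boundary" lesson above is mapped to CSC 9 and CSC 12. As an added example, not from the webcast deck and not a Qualys product feature, here is a PowerShell check a defender can run on a Windows host to verify both for SMB, the protocol WannaCry spread over: is SMBv1 still enabled, and does the host firewall allow inbound TCP/445 from any address? The function name Test-SmbExposure and the finding layout are my own; the cmdlets are the standard SmbShare, Dism and NetSecurity module commands.

```powershell
# Added example (not part of the SANS/Qualys deck). Checks two hygiene items
# from the "Lessons Learned" slide on the local Windows host:
#   CSC 9  - SMBv1 (the protocol WannaCry abused) should be disabled
#   CSC 12 - the host firewall should not allow inbound TCP/445 from anywhere
# Requires an elevated PowerShell 5.1+ session on Windows 8.1 / Server 2012 R2
# or later. Returns a list of findings; an empty list means all checks passed.

function Test-SmbExposure {
    $findings = [System.Collections.Generic.List[object]]::new()

    # CSC 9: server-side SMBv1. The fix is stated next to the finding so the
    # output can go straight into a remediation ticket.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add([pscustomobject]@{
            Control = 'CSC 9'
            Check   = 'SMBv1 server protocol'
            Status  = 'FAIL'
            Detail  = 'EnableSMB1Protocol is True. Fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        })
    }

    # CSC 9: the SMB1Protocol optional feature (client and server binaries).
    # Older builds do not expose it, hence -ErrorAction SilentlyContinue.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings.Add([pscustomobject]@{
            Control = 'CSC 9'
            Check   = 'SMB1Protocol Windows feature'
            Status  = 'FAIL'
            Detail  = 'Feature installed. Fix: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol'
        })
    }

    # CSC 12: enabled inbound allow rules that open TCP/445 (or every port) to
    # any remote address. Such a rule lets every host on the network reach SMB,
    # which is exactly the internal spread path WannaCry used.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $opens445 = ($port.Protocol -eq 'TCP') -and (($port.LocalPort -contains '445') -or ($port.LocalPort -eq 'Any'))
        if ($opens445 -and ($addr.RemoteAddress -eq 'Any')) {
            $findings.Add([pscustomobject]@{
                Control = 'CSC 12'
                Check   = "Firewall rule '$($rule.DisplayName)'"
                Status  = 'WARN'
                Detail  = "Allows inbound TCP/445 from any address (profile: $($rule.Profile)). Scope it to file-server/management subnets or disable it."
            })
        }
    }

    return $findings
}

# Stand-alone run: print a table of findings, or a single PASS line.
$result = Test-SmbExposure
if ($result.Count -eq 0) {
    Write-Host 'PASS: SMBv1 disabled and no unrestricted inbound TCP/445 rule found.'
} else {
    $result | Format-Table -AutoSize
}
```

The firewall check deliberately reports WARN rather than FAIL: file servers legitimately accept TCP/445, and the right fix there is scoping the rule to the subnets that need it, which is the network segmentation item (CSC 12) on the same slide. To run it fleet-wide, wrap the function in Invoke-Command against a list of hosts and aggregate the returned objects.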
Implementing Critical Security Controls with Qualys Cloud Apps
Basic Security Hygiene
1. Know what you have (Inventory)
2. Limit what you don’t NEED (EOL, Services, Networks, Rights)
3. Update Your Software
4. Secure Default Configurations
5. Employ Process Controls (DR/Backup, Email, Vendors)
6. Secure Web Apps
1. Inventory Your Systems
2. Inventory and Restrict Software
3. Secure Configurations
4. Continuous Vulnerability Management
5. Review Rights & Permissions
Configuration Assessment Challenges
Automation and best practices are key to locking down IT systems globally and consistently!
• Hundreds of security settings
• Complex & Dynamic IT Environments
• Spot-checking doesn’t scale
• Gold images suffer from configuration drift
• Assessing devices in compliance scope is insufficient
Recent attacks leveraging misconfiguration: Petya
Petya leverages weak user rights configuration to spread to other systems
• Adding Domain Admins or Authenticated Users to local Administrators Groups
• UAC Control Validation
Benefits of Automated Assessment
Prioritize and Remediate
• Categorize Your Controls
• Identify Critical Applications and Systems
• Establish Initial Baseline and Remediation Plan
• Handle Exceptions
• Execute – but be realistic
• Your work is never done!
15 of the Top Controls have Configuration Assessment Components!
Assess and Secure Your Web Applications
Simplify application security with a rational process
[Diagram: application lifecycle from New Application to Known Application to Secured Application, with the stages Identify Vulnerabilities, Security Policy?, Virtual-Patch Templates and Custom Rules, and WAF Auto-Updates]
Thank You
qualys.com/free-trial
Tim White
twhite@qualys.com
Editor's Notes

  • #2: Trends like the increased use of cloud computing by businesses and their vendors introduce new complexities in reducing risk and assessing security across the supply chain. Demonstrating continuous risk reduction and compliance with internal policies and external regulations, fixing violations and configuration drift, centrally managing exceptions, and documenting progress are all common challenges. The Center for Internet Security’s (CIS) Critical Security Controls (CSCs) were selected and prioritized by leading security experts to stop today’s most common and serious cyber threats. By implementing these controls, organizations can improve their security posture and reduce the risk of threats to critical assets, data, and network infrastructure. In this webcast, SANS Senior Analyst John Pescatore and Tim White, Director of Product Management for Qualys Policy Compliance (PC), will discuss how you can achieve continuous security and compliance, and leverage Qualys solutions to address all 20 CSCs.
    The presentation will encompass:
    • An overview of the CIS Critical Security Controls, including ongoing updates
    • Success patterns organizations have demonstrated for using the controls to their advantage
    • How automation can reduce the staffing load to determine whether controls are in place and effective
    • How to prioritize remediation efforts
    • Real-world examples of recent attacks that leveraged misconfigured systems
  • #19: The attack vector uses WMI and PsExec to spread using the infected user’s permissions. If the user has administrative rights over other systems, those systems can also become infected. It is highly recommended that administrative permissions be restricted for workstation users. A common misconfiguration is to add “Domain Users” or “Authenticated Users” to the “Administrators” group to quickly grant all workstation users administrative access to their workstation. This allows the users to access other workstations with full administrative permissions. In this type of situation, the malware can spread without the need for a software vulnerability. Group Policy can be used to remove these groups and ensure that they are not added.
    There have also been reports that a variant of Petya also attempts to obtain the local administrative password. In this case, that password could potentially be used to further spread to other systems with the same local admin password. It is recommended that all systems have different local admin passwords, through the use of a tool such as Microsoft’s LAPS.
    SCA can be used to ensure that systems are configured securely and are hardened according to CIS benchmarks. SCA hosts a number of controls which can be used to identify members of the local Administrators group across Windows workstations and servers. Additionally, SCA helps in assessing the Windows ‘User Account Control’ (UAC) configuration through a number of UAC controls, to make sure UAC is configured so that trojans such as Petya are shown the standard UAC request for privilege escalation and won’t be able to run any further.
  • #20: Talking points:
    • Audit != Compliance; compliance is ongoing
    • A stitch in time saves nine
    • Transparent, repeatable process
    • Scale to ALL assets
    • Audit efficiency
    • Metrics = Enforceability
  • #21: Talking points:
    • Control Criticality Buckets – Critical, Mandatory, Important, Low, Informational
    • Talk about Risk Formulas – go off on a tangent here and discuss how everything ends up “average” “critical”
    • Remediation takes time – set exceptions for less critical controls/systems, but set an expiration
    • Build Security Controls Into Your Processes!
    • Demo (Criticality): Criticality Levels, Control Customization, Policy Customization
    • Demo (Dashboards): Policy Summary, Template customization, PCI DSS v3 Compliance Report, Scorecard Template, Scorecard Report, Edit Report, Schedule, Show Notifications
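Editor’s note #19 above describes three settings that decide whether NotPetya-style WMI/PsExec spread needs an exploit at all: broad groups in the local Administrators group, UAC configuration, and whether each host has its own local administrator password (LAPS). As an added example, not from the deck and not Qualys SCA’s own controls or output, here is a stand-alone PowerShell audit of those same three items on one Windows host. The function name Test-LocalAdminHygiene, the $BroadGroups list and the finding layout are assumptions of mine; the registry paths are the documented UAC, legacy LAPS (AdmPwd) and Windows LAPS policy locations.

```powershell
# Added example (not part of the SANS/Qualys deck, not an SCA control). Audits
# the three items from editor's note #19 on the local host:
#   1. broad groups (Domain Users, Authenticated Users, ...) in local Administrators
#   2. UAC enabled and administrators actually prompted on elevation
#   3. a LAPS policy present, so the local admin password is unique per host
# Requires an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or
# later (Microsoft.PowerShell.LocalAccounts module). Returns a list of findings.

# Assumed list: groups whose presence in local Administrators grants admin rights
# to every domain user on this machine.
$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Test-LocalAdminHygiene {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Local Administrators membership. Name is 'DOMAIN\Group' for domain
    #    principals, so compare on the part after the backslash.
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        $shortName = ($m.Name -split '\\')[-1]
        if ($m.ObjectClass -eq 'Group' -and ($BroadGroups -contains $shortName)) {
            $findings.Add([pscustomobject]@{
                Check  = 'Local Administrators membership'
                Status = 'FAIL'
                Detail = "'$($m.Name)' is a member. Remove it and enforce membership with Group Policy (Restricted Groups)."
            })
        }
    }

    # 2. UAC. EnableLUA=0 disables UAC entirely; ConsentPromptBehaviorAdmin=0
    #    elevates administrators silently, so malware running as an admin user
    #    never sees the UAC request the note relies on. CIS recommends 2
    #    (prompt for consent on the secure desktop).
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) {
        $findings.Add([pscustomobject]@{
            Check = 'UAC EnableLUA'; Status = 'FAIL'
            Detail = "UAC is disabled (EnableLUA = $($uac.EnableLUA)); set it to 1 (reboot required)."
        })
    }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add([pscustomobject]@{
            Check = 'UAC ConsentPromptBehaviorAdmin'; Status = 'FAIL'
            Detail = 'Administrators elevate without any prompt (value 0); set to 2 per the CIS benchmark.'
        })
    }

    # 3. LAPS. Legacy LAPS writes AdmPwdEnabled under the AdmPwd policy key when
    #    its GPO has applied; Windows LAPS uses BackupDirectory (1 = Azure AD,
    #    2 = AD, 0 = disabled) under its own policy key. Either one counts.
    $legacy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $winLaps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    $lapsOn  = ($legacy -and $legacy.AdmPwdEnabled -eq 1) -or ($winLaps -and $winLaps.BackupDirectory -ge 1)
    if (-not $lapsOn) {
        $findings.Add([pscustomobject]@{
            Check = 'LAPS policy'; Status = 'WARN'
            Detail = 'No LAPS policy applied; a shared local admin password lets one compromised host unlock the rest.'
        })
    }

    return $findings
}

# Stand-alone run: table of findings, or a single PASS line.
$result = Test-LocalAdminHygiene
if ($result.Count -eq 0) {
    Write-Host 'PASS: no broad groups in Administrators, UAC prompting, LAPS policy present.'
} else {
    $result | Format-Table -AutoSize
}
```

Two practical caveats: Get-LocalGroupMember fails on some builds when the group contains an orphaned SID from a deleted domain account, which is itself worth a finding, and the LAPS check only proves a policy is applied, not that the password has actually rotated; the password expiry timestamp the LAPS client writes to the computer object in AD is the confirmation for that. For fleet-wide coverage, run the function through Invoke-Command and feed the returned objects into the same exception and remediation workflow the "Prioritize and Remediate" slide describes.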