![Page 1: Bridging the Divide between Security and Operations Teams · SESSION ID: #RSAC Jonathan C. Trull. Bridging the Divide between Security and Operations Teams. SP01-T07. CISO. Qualys](https://reader031.vdocuments.us/reader031/viewer/2022022603/5b5ccc4c7f8b9a65028c8d11/html5/thumbnails/1.jpg)
SESSION ID: SP01-T07
#RSAC
Bridging the Divide between Security and Operations Teams
Jonathan C. Trull
CISO, Qualys
@jonathantrull
The Great Divide
2
Major Constraints on Ops and Security Teams
3
Attack-Defend Cycle (OODA Loop)
4
Most breaches exploit known vulnerabilities
ATTACKS: More than 80% of attacks target known vulnerabilities
PATCHES: 79% of vulnerabilities have patches available on day of disclosure
5
Operations: Reduce downtime. 80% of downtime due to misconfigurations
Security: Close vulnerabilities. 193 days to patch known vulnerabilities
6
Laws of Vulnerabilities
Half-Life – time interval for reducing occurrence of a vulnerability by half
Prevalence – turnover rate of vulnerabilities in the “Top 20” list
Persistence – total lifespan of vulnerabilities
Exploitation – time interval between an exploit announcement and the first attack
https://community.qualys.com/blogs/laws-of-vulnerabilities
7
Half-Life
29.5 Days
8
Prevalence
8 critical vulnerabilities retained a constant presence in the Top 20
Exploit Kits continuously target the same applications:
Java Runtime Environment
Adobe Flash
Adobe Reader
Internet Explorer
9
Persistence
Indefinite
Stabilize at 5-10%
10
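As an added illustration (not from the deck or from Qualys), here is how the Half-Life, Persistence and Prevalence laws can be measured from a series of scan results; the scan history, host counts and Top 20 lists are constructed, and the plateau threshold is an assumption.

```python
"""Laws of Vulnerabilities metrics over a constructed scan history.
Added example, not from the slides or from Qualys. SCAN_HISTORY is a hypothetical
series of (day, hosts_still_affected) for one vulnerability; the Top 20 lists are made up.
"""

# Constructed: fast early remediation, then the long tail the Persistence law describes
SCAN_HISTORY = [(0, 400), (7, 330), (14, 280), (21, 245), (28, 215), (35, 145),
                (42, 90), (56, 55), (70, 40), (90, 30), (120, 28), (180, 27)]
TOTAL_HOSTS = 400
TOP20_LAST_QUARTER = ["V-%02d" % i for i in range(1, 21)]  # constructed IDs
TOP20_THIS_QUARTER = ["V-%02d" % i for i in range(1, 13)] + ["V-%02d" % i for i in range(30, 38)]

def half_life(history):
    """Half-Life: days until the affected count first drops to half of the initial count.
    Linear interpolation between scans avoids quantising the answer to the scan interval.
    Returns None if the count never halves within the history."""
    day0, n0 = history[0]
    if n0 == 0:
        return 0.0
    target = n0 / 2
    prev_day, prev_n = day0, n0
    for day, n in history[1:]:
        if n <= target:
            # prev_n is still above target here, so the ratio is well defined
            return prev_day - day0 + (prev_n - target) * (day - prev_day) / (prev_n - n)
        prev_day, prev_n = day, n
    return None

def persistence(history, total_hosts, window=2):
    """Persistence: fraction of hosts still affected at the last scan, plus whether the
    count has plateaued (changed by at most 10% over the last `window` scans; assumed threshold)."""
    last_n = history[-1][1]
    earlier_n = history[-1 - window][1]
    plateaued = abs(earlier_n - last_n) <= 0.10 * earlier_n
    return last_n / total_hosts, plateaued

def prevalence_turnover(previous_top20, current_top20):
    """Prevalence: share of last period's Top 20 that dropped out of the list this period."""
    dropped = set(previous_top20) - set(current_top20)
    return len(dropped) / len(previous_top20)

if __name__ == "__main__":
    hl = half_life(SCAN_HISTORY)
    residual, flat = persistence(SCAN_HISTORY, TOTAL_HOSTS)
    turnover = prevalence_turnover(TOP20_LAST_QUARTER, TOP20_THIS_QUARTER)
    print(f"half-life {hl:.1f} days; residual {residual:.1%} (plateaued={flat}); turnover {turnover:.0%}")
```

A residual that plateaus inside the 5-10% band the deck cites is the signal to stop waiting on the normal patch cycle and treat the remaining hosts as exceptions.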
Exploit Kits Increase Successful Attacks
Average < 10 days
Critical < 48 hours
Exploit kits offer money back guarantees
11
Vulnerability & Compliance Scanning
Automated Remediation
SecOps Integration
If <trigger> then <action>
12
Security Teams Portal
13
Risk from the Security Team’s Standpoint
14
The SecOps Portal
15
Remediation
16
How to schedule vulnerabilities to be fixed using patches
Emergency Fix
Request Approval
“Go Fix It button”
Select what to remediate
Scheduling & Approvals
17
How to select and schedule vulnerabilities that can be fixed using configuration packages.
Use a Config package
Configuration Packages
18
Job results for remediation group actions
Results
19
Morningstar Case Study
Decreased configuration compliance audit cycle from 2 months to 5 days
Reduced audit and patch time by 97%
Reduced compliance audit time from 5 days to 12 minutes per system
Provided 100% SOX compliance
20
State of Michigan Case Study
Heartbleed – vulnerability in OpenSSL
Needed to quickly patch servers spread across the State
Connected VM and Patch Management solutions to remediate Heartbleed in record time
21
Advantages of Bridging the Divide
Significant decrease in configuration audit cycles
Significant reduction in approval and patch deployment time frames
Reduce audit remediation from months to hours
Enhanced ability to report/communicate meaningful information to business stakeholders
22
Bridging the Divide
Arm the security and Ops teams with the right tools for the job
Communicate vertically and horizontally within your Organization
Essential to remove fear, uncertainty, and doubt
Embed security staff within key operational functions – e.g., CAB
23
Bridging the Divide (Cont)
Orchestrate/automate infrastructure security
Continuously enforce controls/changes
Validate changes through logs/audit trail
Perform continuous compliance monitoring
All systems all the time
Automate remediation based on key triggers/risks
If <trigger> then <action>
24
Bridging the Divide (Cont)
Measure the security and Ops teams’ performance by the half-life results & treatment of the persistence law
Include results in HR performance reviews / bonuses
Integrate VM/CM solution with patch & configuration management systems, asset inventory systems, ticketing systems, configuration systems (BMC BladeLogic / Chef / Puppet), and reporting systems
25
Bridging the Divide (Cont)
Focus patching efforts on those things that will hurt you most
Select a VM/CM solution with strong APIs, integration, and that limits resources spent on system administration
Learn to speak the language of the Ops team
26
Apply What You Have Learned Today
Next week you should:
Review the process by which vulnerabilities and misconfigurations are identified and delivered to your operations teams for action/remediation
In the first three months following this presentation you should:
Identify opportunities to integrate threat and vulnerability systems with key operational systems (ticketing, CMDB, GRC, patch and configuration management)
In cooperation with Ops, define a core set of “if-then” rules that will automatically trigger remediation
Within six months you should:
Define a set of agreed upon remediation metrics appropriate for different governance layers and begin tracking those metrics
Automate 20% of your vulnerability and configuration management workflow
27
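As an added example of the “if <trigger> then <action>” rules the deck asks you to agree with Ops (not the speaker's or Qualys' code), the rule set below routes constructed scan findings to the remediation paths the deck names: emergency fix via Request Approval, scheduled patch, configuration package, or a tracking ticket; every field, rule and action name is an assumption.

```python
"""If <trigger> then <action>: a core remediation rule set over constructed scan findings.
Added example, not the speaker's or Qualys' code; the Finding fields, rule names and
action names are assumptions that mirror the deck (emergency fixes go through Request
Approval, patchable findings get scheduled, misconfigurations get a config package)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    issue: str               # constructed label, not a real vulnerability identifier
    kind: str                # "vuln" or "misconfig"
    severity: int            # 1 (low) .. 5 (critical)
    exploit_available: bool  # an exploit kit already targets it (Exploitation law)
    patch_available: bool
    days_open: int

# Evaluated top-down; the first trigger that fires decides. (name, trigger, action, needs_approval)
RULES = [
    ("critical-with-exploit",
     lambda f: f.kind == "vuln" and f.severity >= 4 and f.exploit_available and f.patch_available,
     "emergency_fix", True),               # the "Go Fix It" path, still via Request Approval
    ("misconfiguration", lambda f: f.kind == "misconfig", "apply_config_package", False),
    ("patch-available", lambda f: f.kind == "vuln" and f.patch_available,
     "schedule_patch_window", False),
    ("unpatchable-overdue", lambda f: f.kind == "vuln" and not f.patch_available and f.days_open > 30,
     "open_mitigation_ticket", False),
]

def decide(finding):
    """Return (rule_name, action, needs_approval); findings no rule covers are only tracked."""
    for name, trigger, action, approval in RULES:
        if trigger(finding):
            return name, action, approval
    return "no-rule", "track_only", False

def plan(findings):
    """Work list for Ops, worst-first: severity, then exploit availability, then age."""
    ranked = sorted(findings, key=lambda f: (f.severity, f.exploit_available, f.days_open), reverse=True)
    return [(f.host, f.issue) + decide(f) for f in ranked]

# Constructed findings, as a VM/CM scan might hand them to the ticketing integration
FINDINGS = [
    Finding("web-01", "old-flash-player", "vuln", 5, True, True, 12),
    Finding("db-02", "weak-tls-config", "misconfig", 3, False, True, 40),
    Finding("app-03", "outdated-jre", "vuln", 4, False, True, 3),
    Finding("legacy-04", "eol-component", "vuln", 2, False, False, 90),
    Finding("kiosk-05", "unpatched-minor", "vuln", 1, False, False, 5),
]
```

Rule order is the policy: because the approval-gated emergency rule sits first, an exploited critical never silently falls through to the routine patch window.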