infosec 2014: tech talk - non-disruptive vulnerability discovery
Presented by Alastair Williams, Technical Director, EMEA
Alastair Williams
Technical Director, EMEA
Risk Analytics for Cyber Security
© 2013 Skybox Security Inc. 2
Common Use Cases for Skybox
Enabled by Risk Analytics
Firewall Compliance
Configuration management
Change management
Network visibility
Vulnerability discovery
Risk assessment
Prioritization
Remediation planning
Continuous Monitoring
Security Intelligence
Attack prevention
Risk reports
Cyber Threat Management
Network Security Management
Vulnerability Management
Threat, Vulnerability & Risk Management – Skybox Model
Threats Config data and routing tables
Vulnerabilities Layer 3 Devices
Assets
Prioritise Discover
Up-to-date, less disruption
Analyse Remediate and Track
Scanless vulnerability detection
Import all 3rd party VA scanners
Threat intelligence
Vulnerability Profiling
Asset Classifications
Vulnerability context
Attack simulation
Network context
Threat Origins
Risk exposures
Geo or technology
Attack vectors
Heat maps
Find areas of greatest impact
Reduce risk exposure
Manage effectively over time
Vulnerability and Threat Management with Skybox
Remediation planning
Ticketing and workflow
Dashboards and reporting
Traditional Discovery Method: Active Scan
Skybox
Analytics
• Potential load to the network
• Issues with network firewalls and host firewalls
• Sensitive areas with no permission to scan
• Scans are too long so “round robin” approach is required
Next Generation: Vulnerability Discovery
Microsoft Vulnerabilities
Daily Sync
Products
Microsoft Missing Patches
Patches
Invention:
Use rule-driven approach for translating product banners into standard CPE format
Example: Microsoft Corporation | Microsoft SQL Server 2005 (64bit) | 9.4.5000.00
=>
cpe:2.3:a:microsoft:sql_server::2005:sp4:::::x64:
=>
CVE-xxxx-xxxx
Non-Microsoft
Vulnerabilities
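The banner-to-CPE translation described on this slide, as an added example (not Skybox's code): a rule table constructed here matches the slide's SQL Server banner and emits a standard CPE 2.3 formatted string. The rule layout, the function name `banner_to_cpe` and the build-to-service-pack entry are assumptions derived from the slide's single example.

```python
import re

# Hypothetical rule table, constructed for illustration. Each rule matches
# "vendor | product | version" inventory banners and supplies CPE attributes.
RULES = [
    {
        "pattern": re.compile(
            r"^Microsoft Corporation \| Microsoft SQL Server (?P<ver>\d{4})"
            r"(?: \((?P<bits>64|32)[- ]?bit\))? \| (?P<build>[\d.]+)$"
        ),
        "vendor": "microsoft",
        "product": "sql_server",
        # Third field of the build string -> service pack, per the slide's
        # example (9.4.5000.00 => sp4). Other builds are left unmapped.
        "updates": {"2005": {"5000": "sp4"}},
    },
]


def banner_to_cpe(banner):
    """Return a CPE 2.3 formatted string, or None when no rule matches.

    None means "unknown product", not "no vulnerabilities": unmatched
    banners should be queued for a new rule rather than dropped.
    """
    for rule in RULES:
        m = rule["pattern"].match(banner.strip())
        if not m:
            continue
        ver = m.group("ver")
        fields = m.group("build").split(".")
        build = fields[2] if len(fields) > 2 else ""
        update = rule["updates"].get(ver, {}).get(build, "*")
        hw = {"64": "x64", "32": "x86"}.get(m.group("bits"), "*")
        # Order: part, vendor, product, version, update, edition,
        # language, sw_edition, target_sw, target_hw, other
        attrs = ["a", rule["vendor"], rule["product"], ver, update,
                 "*", "*", "*", "*", hw, "*"]
        return "cpe:2.3:" + ":".join(attrs)
    return None


if __name__ == "__main__":
    print(banner_to_cpe(
        "Microsoft Corporation | Microsoft SQL Server 2005 (64bit) | 9.4.5000.00"))
```

The resulting CPE name is the key used to look up applicable CVE entries, which is the second arrow on the slide.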
Risk Control - Objective Vulnerability Analysis
Identify relevant vulnerabilities
Analyse Infrastructure Vulnerabilities
– Consider Vulnerability Density
– Consider Vulnerability Age
Identify Exposed Vulnerabilities
– Assess Business Impact
– Consider Deeper Exposures
Identify the critical few %
Prioritise Remediation to maximise risk reduction
Vulnerability Profiling
Unique Technology Advantage
Prioritize Vulnerabilities by Multiple Factors
Attack Vectors Virtual pen test
Target concentrations of vulnerabilities to meet SLAs
Target attack vectors against critical assets
Exposure Analysis
Target specific attack vectors
MS Security Bulletins
Business Units
Technical Groups
Vulnerability Hot Spots
Skybox Attack Simulation
Summary
Augment your scanner with Risk Control to get better discovery, analysis and remediation reporting.
Discover vulnerabilities across your entire enterprise, especially in places you currently don’t scan.
Discover vulnerabilities within days of announcement, not weeks or months.