Threat Impact Analysis Without Crash Testing the Network

TRANSCRIPT
Slide 1: Threat Impact Analysis Without Crash Testing The Network
Virtual Attack Simulation For Proving Security Control Effectiveness
Dr. Mike Lloyd | CTO | April 2013
www.redsealnetworks.com
Slide 2: Agenda
- Continuous Monitoring:
  - The right idea
  - At the right time
  - Mandated
- Why? How? What’s special about network security?
- Lessons learned
© 2013 RedSeal Networks, Inc. All rights reserved.
Slide 3: What problem?
- Billions of $$$ in IT security spending
- 90% of organizations say they have been breached in the last 12 months*
* Perceptions About Network Security, Ponemon Institute
Slide 4: Lack of control leads directly to breach
- 97% of attacks could have been avoided through “consistent application of simple or intermediate controls”
  - Verizon Data Breach Investigations Report, 2012
Slide 5: What we hear from CISOs
- We’ve got data
  - Lots of it
- Making sense of it is hard
  - Skills shortage
  - Sheer scale
- Hard to prioritize actions
- Hard to demonstrate effectiveness
- Compliance is pain with little gain
Slide 6: Dynamic compliance
Slide 7: Continuous Monitoring 101
- Main idea is simple:
  - Asset Inventory
  - Policy
  - Check the assets (and repeat)
- Not too bad for physical assets
  - Doors: list all doors, require card reader on external doors, check
- Desktops are a bit harder
  - Can you find them all?
  - Policy gets more technical
  - Testing is downright fiddly
- SCAP, FDCC have worked hard on this problem
Slide 8: Network security
- Network security is the same, right?
  - List all network gear
  - Write configuration rules
  - Test them
- Any problems with this?
Slide 9: How not to do it
- Check the outcome, not the details
Slide 10: Networks are different
- Networks are about pairs
  - Can A attack B?
- Hosts can be checked
  - Lots of work, but possible
- For the network, square it
  - 10,000 hosts => 100 million questions
  - Well outside human range
  - Far too many interactions
Slide 11: Four gears
- Gather & Map
- Test Elements
- Test the System
- Measure Risk
Slide 12: First gear: gather & map
- You can’t manage what you can’t see
- Network configuration stores vary widely
  - Some have a chosen CMDB vendor
  - Some have many
  - Some have none
- All have problems
Slide 13: Lesson 1: Everyone has Dark Space
- Every network store has gaps
- Maps make it obvious
- Good news: it’s possible to “bootstrap”
- The data you have can tell you what’s missing
  - Report on “known unknowns”
(Figure: network map highlighting disconnected objects)
Slide 14: Second gear: test elements
- RedSeal includes over 100 basic single-device tests
  - Vendor supplied passwords
  - Insecure management protocols
  - Industry-wide best practice checks
- We find around 10 issues per device
- Lesson 2: all configurations need to be checked
- But element testing isn’t enough …
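The three families of single-device test named on this slide (vendor-supplied passwords, insecure management protocols, industry-wide best-practice settings) are, at their simplest, pattern tests over configuration text. The following Python is an added example written for this transcript, not RedSeal's test library: the three check functions, the default-credential list and the two IOS-style sample configurations are constructed, and the checks are illustrative rather than a complete set.

```python
"""Single-device configuration tests over IOS-style config text.

Added example for this transcript, not RedSeal's test library: the checks,
the default-credential list and the sample configs are all constructed.
"""
import re
from typing import Callable, Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    device: str
    check: str
    detail: str


# Constructed list of well-known vendor-supplied / placeholder credentials.
DEFAULT_SECRETS = {"cisco", "admin", "password", "public", "private"}

# Matches "enable password X", "enable secret 5 X", "username u password 0 X".
CRED_LINE = re.compile(
    r"^(enable (?:password|secret)|username \S+ password)(?: \d)? (\S+)$", re.M)


def check_vendor_passwords(cfg: str) -> List[str]:
    """Flag credentials still set to a vendor-supplied or trivial value."""
    return [f"{m.group(1)} uses vendor-supplied value"
            for m in CRED_LINE.finditer(cfg)
            if m.group(2).lower() in DEFAULT_SECRETS]


def check_mgmt_protocols(cfg: str) -> List[str]:
    """Flag cleartext or default-community management access."""
    hits = []
    for m in re.finditer(r"^ transport input (.+)$", cfg, re.M):
        allowed = m.group(1).split()
        if "telnet" in allowed or "all" in allowed:
            hits.append(f"vty accepts cleartext telnet (transport input {' '.join(allowed)})")
    if re.search(r"^ip http server$", cfg, re.M):
        hits.append("cleartext HTTP management enabled")
    for m in re.finditer(r"^snmp-server community (\S+)", cfg, re.M):
        if m.group(1).lower() in DEFAULT_SECRETS:
            hits.append(f"SNMP community '{m.group(1)}' is a well-known default")
    return hits


def check_best_practice(cfg: str) -> List[str]:
    """Baseline settings every device is expected to carry."""
    hits = []
    if not re.search(r"^service password-encryption$", cfg, re.M):
        hits.append("service password-encryption not set")
    if not re.search(r"^logging (?:host )?\d", cfg, re.M):
        hits.append("no remote syslog destination configured")
    if not re.search(r"^ntp server ", cfg, re.M):
        hits.append("no NTP server configured")
    return hits


CHECKS: List[Tuple[str, Callable[[str], List[str]]]] = [
    ("vendor-passwords", check_vendor_passwords),
    ("management-protocols", check_mgmt_protocols),
    ("best-practice", check_best_practice),
]


def audit_device(name: str, cfg: str) -> List[Finding]:
    """Run every single-device test against one configuration."""
    return [Finding(name, check, detail)
            for check, fn in CHECKS for detail in fn(cfg)]


def audit_all(configs: Dict[str, str]) -> Dict[str, List[Finding]]:
    return {name: audit_device(name, cfg) for name, cfg in configs.items()}


def issues_per_device(results: Dict[str, List[Finding]]) -> float:
    """Average finding count per device (the slide quotes about 10 in practice)."""
    return sum(len(f) for f in results.values()) / max(len(results), 1)


# Constructed sample configurations (IOS-like syntax, not real devices).
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
hostname edge-rtr-1
enable password cisco
username admin password 0 admin
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
""",
    "core-sw-1": """\
hostname core-sw-1
service password-encryption
enable secret 5 $1$XyZ$constructedhash
logging host 10.0.0.5
ntp server 10.0.0.6
snmp-server community Zq7rT-constructed RO
line vty 0 4
 transport input ssh
""",
}

if __name__ == "__main__":
    for device, findings in audit_all(SAMPLE_CONFIGS).items():
        print(f"{device}: {len(findings)} issue(s)")
        for f in findings:
            print(f"  [{f.check}] {f.detail}")
```

Each check is independent of the others and returns plain strings, so a real test library can grow by appending to `CHECKS` without touching the audit loop; the per-device average is the number that the slide's "around 10 issues per device" would come from.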
Slide 15: Third gear: test the system
- Testing elements is easy
- Testing whole systems is hard, for humans
- Automation works, if you can tell the machine what your objectives are
Slide 16: Zone defense in practice
- Main PKI site, plus disaster recovery
- Strict access controls expected
(Figure: zone map with Internet, Cert Authority, Cert Admins, WAN to Extranet and DR Site)
Slide 17: Testing the system end to end
- People set the objectives
- Automation to compare to the “as built”
- Red arrow means something is wrong
(Figure: zone map with a red arrow labelled “Unexpected access”)
Slide 18: Drill down to see the exception
- Many interacting elements
- Something went wrong
Slide 19: Pin-point root cause
- In this case, three gaps
  - One for a telecommuter who left 8 years ago
  - Two more for “temporary” testing
- Lost among thousands of details
(Figure: drill-down from “Access Found”, to a “Subway Map” showing the path, to the flow through one hop, to the specific rules)
Slide 20: How did this happen?
- A network built with care
  - By people who knew what they were doing
- Repeated audits, over years
- How did the error survive? Complexity
- Lesson 3: zone defense is easy for computers
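Slides 16 through 20 describe the zone-defense check: people state which zones may talk to which, automation computes what the as-built rule bases actually permit, and every unexpected path is traced back to the specific rule on each hop. The following Python is an added example for this transcript, not RedSeal's model or API. The zones, the paths between them, the rule bases and the intended-access policy are constructed, arranged so that the three stale entries the slides describe (one telecommuter rule, two "temporary" test rules) are exactly the exceptions it finds. The same comparison of intent against as-built is the drift detection that the later change-process slides call a catcher's mitt.

```python
"""Zone-defense check: what the network as built permits versus what the
objectives say it should permit, with every exception traced to its rules.

Added example for this transcript, not RedSeal's model or API. Zones,
paths, rule bases and the intended-access policy are all constructed.
"""
from itertools import product
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    device: str
    name: str
    src: str       # zone name or "any"
    dst: str       # zone name or "any"
    service: str   # service name or "any"
    action: str    # "permit" or "deny"


class Flow(NamedTuple):
    src: str
    dst: str
    service: str


class Hop(NamedTuple):
    device: str
    rule: Optional[Rule]   # None: no explicit match, so implicit deny


# Constructed topology: the enforcement points between each zone pair.
PATHS: Dict[Tuple[str, str], List[str]] = {
    ("CertAdmins", "CertAuthority"): ["fw-main"],
    ("Internet", "CertAuthority"): ["fw-edge", "fw-main"],
    ("WANExtranet", "CertAuthority"): ["fw-main"],
    ("CertAuthority", "DRSite"): ["fw-main", "fw-dr"],
    ("Internet", "DRSite"): ["fw-edge", "fw-dr"],
    ("WANExtranet", "DRSite"): ["fw-dr"],
}

# Constructed rule bases; first match wins, implicit deny at the end.
RULES: Dict[str, List[Rule]] = {
    "fw-edge": [
        Rule("fw-edge", "edge-10", "Internet", "DMZ", "https", "permit"),
        Rule("fw-edge", "edge-90", "any", "any", "any", "deny"),
    ],
    "fw-main": [
        Rule("fw-main", "main-10", "CertAdmins", "CertAuthority", "ssh", "permit"),
        Rule("fw-main", "main-20", "CertAdmins", "CertAuthority", "https", "permit"),
        Rule("fw-main", "main-30", "CertAuthority", "DRSite", "https", "permit"),
        # Stale: added for a telecommuter who has long since left.
        Rule("fw-main", "main-40", "WANExtranet", "CertAuthority", "ssh", "permit"),
        # "Temporary" testing rule that was never removed.
        Rule("fw-main", "main-50", "WANExtranet", "CertAuthority", "https", "permit"),
        Rule("fw-main", "main-90", "any", "any", "any", "deny"),
    ],
    "fw-dr": [
        Rule("fw-dr", "dr-10", "CertAuthority", "DRSite", "https", "permit"),
        # Second "temporary" testing rule.
        Rule("fw-dr", "dr-20", "WANExtranet", "DRSite", "https", "permit"),
        Rule("fw-dr", "dr-90", "any", "any", "any", "deny"),
    ],
}

# Constructed objectives, set by people: the only flows the design intends.
INTENDED = {
    Flow("CertAdmins", "CertAuthority", "ssh"),
    Flow("CertAdmins", "CertAuthority", "https"),
    Flow("CertAuthority", "DRSite", "https"),
}
SERVICES = ["ssh", "https"]


def matches(rule: Rule, flow: Flow) -> bool:
    return all(r in ("any", v) for r, v in
               zip((rule.src, rule.dst, rule.service), flow))


def trace(flow: Flow) -> Optional[List[Hop]]:
    """Evaluate every hop on the path. Returns the per-hop decisions (the
    'subway map') if the flow gets through end to end, else None."""
    devices = PATHS.get((flow.src, flow.dst))
    if devices is None:
        return None                     # zones are not connected at all
    hops = []
    for device in devices:
        hit = next((r for r in RULES[device] if matches(r, flow)), None)
        hops.append(Hop(device, hit))
        if hit is None or hit.action != "permit":
            return None                 # blocked at this hop
    return hops


def as_built() -> Dict[Flow, List[Hop]]:
    """Every flow the network permits end to end, with its supporting rules."""
    found = {}
    for (src, dst), service in product(PATHS, SERVICES):
        flow = Flow(src, dst, service)
        hops = trace(flow)
        if hops is not None:
            found[flow] = hops
    return found


def unexpected_access() -> Dict[Flow, List[Hop]]:
    """The 'red arrows': permitted as built but absent from the objectives."""
    return {f: h for f, h in as_built().items() if f not in INTENDED}


def missing_access() -> List[Flow]:
    """Intended flows the network blocks (the other direction of drift)."""
    return [f for f in sorted(INTENDED) if trace(f) is None]


def root_cause_report() -> List[str]:
    """One line per exception naming the device and rule on each hop."""
    return [f"UNEXPECTED {f.src} -> {f.dst} ({f.service}): "
            + " -> ".join(f"{h.device}[{h.rule.name}]" for h in hops)
            for f, hops in sorted(unexpected_access().items())]


if __name__ == "__main__":
    print("\n".join(root_cause_report()))
    print("missing:", missing_access())
```

The objectives are a handful of lines, while the rule bases are where the complexity lives; the check scales with the number of zone pairs and services, not with the number of rules, which is why the slide can say zone defense is easy for computers even when it defeated years of human audits.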
Slide 21: Fourth gear: measure risk
- Once you understand access, you can prioritize vulnerabilities
- Run attack simulations
- See what’s easiest to break into
- Score using Risk = Value * Ease of Exploit
Slide 22: Virtual Attack Simulation: a real example
(Figure: network map with Internet, DMZ and Main Site)
Slide 23: Step 1 – Vulnerabilities exposed in DMZ
- Attackers can reach these exposed servers
Slide 24: Step 2 – Some attack paths sneak in
- Just a few pivot attacks are possible
Slide 25: Step 3 – Attack fans out
- Attackers can get in if they find this first!
Slide 26: Risk metric dashboards
- How easily can attackers get in?
- How big is my attack surface?
- How much is undocumented?
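The fourth gear and the three-step example (exposed DMZ servers, a few pivots, fan-out into the main site) amount to a shortest-path search over the access map, where the cost of each step is how hard it is to exploit the vulnerability that lets the attacker across. The following Python is an added example for this transcript, not RedSeal's engine. The access map, the vulnerability ease scores, the asset values and the convention of multiplying per-step ease along a path are all constructed, and the dashboard figures are this example's own definitions of the questions slide 26 asks.

```python
"""Virtual attack simulation over an access map, scored as
Risk = Value * Ease of Exploit.

Added example for this transcript, not RedSeal's engine. The access map,
vulnerability ease scores, asset values and the per-step multiplication of
ease along a path are all constructed conventions.
"""
import heapq
from typing import Dict, List, NamedTuple, Tuple


class Vuln(NamedTuple):
    host: str
    port: int
    ease: float   # 0..1, constructed scale: 1.0 = trivially exploitable


# Constructed access map: (src, dst, port) the network allows end to end.
# In a real pipeline this is the output of the system-level access test.
ACCESS: List[Tuple[str, str, int]] = [
    ("Internet", "web1", 443), ("Internet", "web2", 443),
    ("web1", "app1", 8080), ("web2", "app1", 8080),
    ("app1", "db1", 5432), ("app1", "files1", 445), ("app1", "web1", 22),
    ("files1", "db1", 5432),
]

# Constructed vulnerability data: which listening ports are exploitable.
VULNS = [Vuln("web1", 443, 0.8), Vuln("app1", 8080, 0.5),
         Vuln("db1", 5432, 0.9), Vuln("files1", 445, 0.6)]

# Constructed asset values (business impact of compromise).
VALUES = {"web1": 10, "web2": 10, "app1": 40, "db1": 100, "files1": 60}


def simulate(start: str = "Internet") -> Dict[str, Tuple[float, List[str]]]:
    """Easiest attack path to every compromisable host.

    A host falls when an already-compromised position can reach it on a port
    where it has an exploitable vulnerability. Path ease is the product of
    per-step ease, so this is Dijkstra with multiplicative weights.
    Returns host -> (ease, path)."""
    exploitable: Dict[str, Dict[int, float]] = {}
    for v in VULNS:
        exploitable.setdefault(v.host, {})[v.port] = v.ease
    best: Dict[str, Tuple[float, List[str]]] = {}
    heap = [(-1.0, start, [start])]          # negated ease: easiest pops first
    while heap:
        neg_ease, here, path = heapq.heappop(heap)
        if here in best:
            continue
        best[here] = (-neg_ease, path)
        for src, dst, port in ACCESS:
            if src != here or dst in best:
                continue
            step = exploitable.get(dst, {}).get(port)
            if step is None:
                continue                     # reachable but nothing to exploit
            heapq.heappush(heap, (neg_ease * step, dst, path + [dst]))
    del best[start]
    return best


def risk_table(start: str = "Internet") -> List[Tuple[str, float, float, List[str]]]:
    """Rows (host, risk, ease, path), highest risk first."""
    rows = [(host, VALUES[host] * ease, ease, path)
            for host, (ease, path) in simulate(start).items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def dashboard(start: str = "Internet") -> Dict[str, float]:
    """Answers to the dashboard questions, under this example's definitions."""
    sim = simulate(start)
    exposed = {dst for src, dst, _ in ACCESS if src == start}
    top = max(VALUES, key=VALUES.get)
    return {
        "attack_surface_hosts": len(exposed),              # reachable from outside
        "directly_exploitable": sum(h in sim for h in exposed),
        "compromisable_hosts": len(sim),                   # after pivoting
        "max_path_depth": max((len(p) - 1 for _, p in sim.values()), default=0),
        "ease_to_top_asset": sim[top][0] if top in sim else 0.0,
    }


if __name__ == "__main__":
    for host, risk, ease, path in risk_table():
        print(f"{host:8} risk={risk:6.1f} ease={ease:.2f} via {' -> '.join(path)}")
    print(dashboard())
```

With these numbers the database ranks first even though only one DMZ host is directly exploitable: the ranking follows value times path ease, not vulnerability count, which is the prioritization the slide argues for. Two hosts are exposed but only one is directly exploitable, so the attack surface question and the "how easily" question get different answers from the same model.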
Slide 27: Lesson 4: Metrics that matter
- Defensive posture CAN be measured
- This drives to better outcomes
  - Measure posture => improved posture
- You can sleep better
  - Demonstrate effectiveness, not busyness
Slide 28: Making lemonade
- Continuous Monitoring is now possible
  - And a good idea
  - And mandated
- Automation is far easier than human effort
- But you still need to write rules
- There’s another process you can leverage
  - Change Review Board
Slide 29: Optimized change process
- Big win: record intent up front, in Risk Assessment
- Use software as “catcher’s mitt”, detect drift
(Figure: process flow across three roles)
- Enterprise: change request (“I want”)
- Security Oversight: risk assessment (“Yes” / “Yes, but”), compliance report (“OK” / “Not OK”)
- Network Ops: implementation (“How”), continuous monitoring
Slide 30: Optimized change process (continued)
(Figure: the same process flow as the previous slide, with the automated pieces called out)
- Auto-compute details
- Continuous monitoring: automated assessment
Slide 31: Conclusions
- Continuous Monitoring is:
  1. A good idea
  2. Mandatory
  3. Impossible with human effort alone
  4. Easy with automation
- Networks multiply the complexity
- Automated risk assessment is key
- Four gears: Gather & Map, Test Elements, Test the System, Measure Risk