How to Manage Risk in the Age of Digital Transformation
If Visible Then Can Be Secured
Emir Arslanagic, CISSP #4763 Regional Account Manager SEE
[email protected] +387.62.654.080
Cyber Security Risk History or Reality
199x - …
CIS Controls
Blue Chip Global Customer Base (based on Forbes Global 2000 classification)
70% of the Forbes Global 50 and 25% of the Forbes Global 2000 standardized on Qualys; 9,300+ customers
• 9 of top 10 in Software
• 9 of top 10 in Major Banks
• 8 of top 10 in Consumer Staples
• 8 of top 10 in Technology
• 8 of top 10 in Consumer Discretionary
• 7 of top 10 in Telecommunications
• 6 of top 10 in Healthcare
• 5 of top 10 in Industrial & Materials
• 5 of top 10 in Energy & Utilities
• 5 of top 10 in Insurance
(Customer logos shown, including Daimler)
Qualys Snapshot
• Shared Cloud
• Private Cloud
• FedRAMP Certified (HHS Agency ATO)
ICT Assets and Apps are everywhere: on premise, VMware, endpoints, cloud
Every ICT asset is a possible attack vector
Vulnerabilities are growing …
Cyber-threats are getting focused ...
Where is the problem? In scope & time!
• avg: 1000 IP
• SW components: avg 20 per IP
• Vulnerabilities: avg 20 per IP, critical 4 per IP
• Threats: avg 2 per IP, actual 1 per IP
• Controls: avg 300+ per IP, critical 100 per IP
Attack surface: 20,000 ICT asset components; 20,000 vulnerabilities (20% critical); 1,000 actual threats (malware & exploits); 100,000 critical configuration security controls
Modern approach & solution:
• Data centralization / normalization / prioritization
• (Big) data analytics / automation / workflow
• Dashboards / alerts / tickets / integrations
• Cloud-based architecture
Example of a typical CEE enterprise: moving from Waterfall to Agile methodology
So what to do? Prioritization of controls
SANS / CIS Critical Security Controls - Version 6.1 – Aug. 2016
Source: https://www.cisecurity.org/critical-controls
Security Data Analytics around ICT Assets
• Vulnerability Management + Threat Assessment + Patch Prioritization
• Compliance Management + Self-Audit Benchmarking + Configuration Hardening
• Asset Management + HW & SW Inventory + Continuous View & Search
Dashboards | Alerts | Tickets | Workflows | Integrations
Mapping to business processes & business applications
Asset Discovery, Centralization & Correlation
• Continuous discovery: real-time, distributed data collection
• Data analytics / correlation backend
• Continuous security & compliance
Real-Time Correlation of Active Threats, Patches, Zero-Days, ...
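The two slides above (prioritization of controls, and correlating active threats with findings) describe the analytic step without showing it. The following is an added example, not code from the deck or from Qualys, of the kind of correlation a defender would run over centralized scan data: each finding is weighted by business criticality and exposure from the asset inventory, then boosted when a threat feed says the weakness is exploited in the wild, and the ranked result is grouped by patch. All hostnames, VULN-000x and PATCH-x identifiers and the multipliers are constructed placeholders.

```python
"""Added example: correlate scanner findings with a threat feed and rank them.

All data below is constructed for illustration. Vulnerability IDs (VULN-000x),
patch IDs (PATCH-x) and hostnames are placeholders, not real identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # business criticality 1 (low) .. 5 (critical)
    internet_facing: bool   # exposure, as recorded in the asset inventory


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder scanner/vulnerability identifier
    severity: int           # scanner severity 1 (low) .. 5 (critical)
    patch: Optional[str]    # placeholder vendor patch ID, None if no patch exists


# Constructed threat intelligence: which placeholder IDs are exploited in the wild.
THREAT_FEED: Dict[str, Dict[str, bool]] = {
    "VULN-0002": {"exploit_public": True, "malware": True},
    "VULN-0004": {"exploit_public": True, "malware": False},
}

ASSETS = [
    Asset("web-01", criticality=5, internet_facing=True),
    Asset("db-01", criticality=5, internet_facing=False),
    Asset("kiosk-07", criticality=1, internet_facing=False),
]

FINDINGS = [
    Finding("web-01", "VULN-0001", severity=5, patch="PATCH-A"),   # critical, no known exploit
    Finding("web-01", "VULN-0002", severity=3, patch="PATCH-B"),   # medium, but used by malware
    Finding("db-01", "VULN-0002", severity=3, patch="PATCH-B"),
    Finding("db-01", "VULN-0003", severity=2, patch="PATCH-C"),
    Finding("kiosk-07", "VULN-0004", severity=4, patch=None),      # public exploit, no patch
]


def risk_score(finding: Finding, asset: Asset, feed: Dict[str, Dict[str, bool]]) -> float:
    """Scanner severity weighted by asset criticality, exposure and active threat.

    The multipliers are illustrative policy choices, not a published formula."""
    score = float(finding.severity * asset.criticality)
    if asset.internet_facing:
        score *= 1.5
    intel = feed.get(finding.vuln_id, {})
    if intel.get("malware"):
        score *= 3.0
    elif intel.get("exploit_public"):
        score *= 2.0
    return score


def prioritize(findings, assets, feed) -> List[Tuple[float, Finding]]:
    """Rank all findings by descending risk score (ties broken by host, then ID)."""
    inventory = {a.host: a for a in assets}
    scored = [(risk_score(f, inventory[f.host], feed), f) for f in findings]
    scored.sort(key=lambda item: (-item[0], item[1].host, item[1].vuln_id))
    return scored


def patch_plan(ranked: List[Tuple[float, Finding]]):
    """Group ranked findings by patch so one change ticket closes many findings.

    Returns [(patch_key, {"max_score": float, "hosts": [...]})] ordered by risk."""
    plan: Dict[str, dict] = {}
    for score, f in ranked:
        key = f.patch or f"no-patch:{f.vuln_id}"
        entry = plan.setdefault(key, {"max_score": 0.0, "hosts": []})
        entry["max_score"] = max(entry["max_score"], score)
        entry["hosts"].append(f.host)
    return sorted(plan.items(), key=lambda kv: -kv[1]["max_score"])


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, ASSETS, THREAT_FEED)
    for score, f in ranked:
        print(f"{score:6.1f}  {f.host:<9} {f.vuln_id}  patch={f.patch}")
    for key, entry in patch_plan(ranked):
        print(f"{key}: max risk {entry['max_score']:.1f}, hosts {entry['hosts']}")
```

With this data the medium-severity finding on the internet-facing web server outranks the critical finding on the same host because the feed marks it as actively used by malware; that inversion of the raw scanner order is the point of correlating threat intelligence before patching, and grouping by patch shows that one change (PATCH-B) closes the two highest-risk findings.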
Agile Methodology Will Deliver Visibility & Accountability
AssetView (ElasticSearch)
• Instant query across millions of IT assets
• Unified assets' view
• Dynamic and customizable dashboards
• Vulnerability Risk Analysis dashboard
• Synchronization with Splunk, ServiceNow & others
AssetView Brings 2s Visibility Across Millions of IT Assets
Qualys Cloud Agent
Simplifies deployments: consolidates multiple security functions into a single lightweight agent
• Light-weight agent (2 MB) for:
> on-premise servers
> dynamic cloud environments
> branch offices behind NAT gateways
> roaming / remote end-users
• Can be deployed via:
> Compact command line installer
> Embedded in VM and cloud master images
> Installed/managed by software distribution tools
> Deployed with Group Policy (Windows)
• Built to scale to millions of devices
• Centrally managed, self-updating
• Single cloud console to manage agents
• Qualys Platform API for agent management
• HTTPS proxy support for communications
Functions consolidated in the agent:
• Inventory global assets
• Discover vulnerabilities
• Monitor critical patches and remediations
• Detect compliance misconfigurations
• Track active exploits against vulnerabilities
VM & Policy Compliance
• Automated VM & PC, Continuous Monitoring
• Supports Windows, RedHat, Mac OS, UNIX, AIX
• XML-based APIs integrate reporting data with GRC, SIEM, ERM, IDS and other security and compliance systems
• Integrates with existing IT ticketing systems
• Centrally manages user logins with SAML-based enterprise SSO
• Built-in library of extensively used policies certified by CIS, including COBIT, ISO, NIST, ITIL, HIPAA, FFIEC, NERC-CIP and User Defined Regulatory Cross Reference
• FISMA compliant; uses SCAP content streams. Compliant with SCAP version 1.2: XCCDF 1.2, OVAL 5.10, CCE 5, CPE 2.3, CVE, CVSS 2, OCIL 2.0, CCSS 1.0, Asset Identification 1.1, ARF 1.1, TMSAD 1.0
• Compliant with United States Government Configuration Baseline (USGCB), which replaces the Federal Desktop Core Configuration (FDCC)
• Scanning accuracy: 3+ billion scans per year, exceeds Six Sigma (99.99966% accuracy)
ThreatPROTECT
• Live Intelligence feed enabling real-time correlation of Active threats against your vulnerabilities
• Visualizes critical threats to your environment
• Measures and reports on Threats in real time
• Automated Alerts / Notifications
• Multiple Dashboards modified via widgets for any user’s Situational Awareness & Reporting
Web Application Scanning (WAS)
• Detect, identify, assess, track and remediate OWASP Top 10 risks, WASC threats, CWE weaknesses, and web application CVEs.
• Application discovery and cataloging
• Integrates with software development lifecycle allowing scans at any time by developers, QA and security teams with full visibility on web app security.
• Scalable, high-accuracy progressive scanning saves time
• Supports Selenium to enable complex authentication or workflow sequences for better scan coverage.
• Highly customized reporting provides the big picture and drills into the details.
Malware Detection (MD)
• Qualys MD is included with Qualys WAS for comprehensive detection of hidden malware.
• MD proactively scans your websites for malware, providing automated alerts and in-depth reporting to enable prompt identification and resolution.
• Get immediate notification of zero-day malware detection.
• Supports regularly scheduled scanning for continuous monitoring of websites.
Web Application Firewall (WAF)
• Next-generation cloud-based service brings scalability and simplicity to web application security.
• Automated, adaptive approach quickly and efficiently blocks attacks on web server vulnerabilities, prevents disclosure of sensitive information, and controls where and when applications are accessed.
• Prevents breaches by hardening web applications against current and emerging threats.
• Qualys WAF works together with Qualys WAS to provide true, integrated web application security.
• Create "virtual patch" rules to address Qualys WAS findings, enable rapid resolution of false positives, and customize security rules for your environment.
Security Assessment Questionnaire (SAQ)
• Collect and analyze information about your organization easily & quickly.
• Automates the process of collecting operational business process data to report on regulatory compliance and third-party risks.
• Alleviates auditing nightmares: unifies technical and business process assessments onto a single platform, reducing complexity and accelerating audits.
• Intuitive, web-based UI to create questionnaire templates or leverage pre-built templates covering compliance standards such as ISO, NIST, & FISMA.
• Use a variety of workflow options, from simple information gathering to assigning a reviewer and/or approver as needed.
Continuous Monitoring (CM)
• Targeted alerts from continuous monitoring are immediately directed to the appropriate staff for accelerated responses.
• Frees teams from the delay of waiting for scheduled scanning windows and sifting through long reports.
• Continuous monitoring immediately and proactively identifies critical security issues such as:
> Unexpected hosts/OSes
> Expiring SSL certificates
> Inadvertently open ports and services
> Severe vulnerabilities on hosts or in applications
> Undesired software on perimeter systems
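The Continuous Monitoring slide lists the conditions that should raise alerts but not how a monitor derives them from scan data. The following is an added example, not code from the deck or from Qualys, that runs exactly those five checks over two constructed scan snapshots (the previous perimeter scan and the current one) and routes each alert to a responsible team, as the slide describes. Hostnames under example.test, ports, dates, software names, the allowed-port policy, the 30-day certificate window and the severity threshold are all constructed placeholders.

```python
"""Added example: continuous-monitoring rules run over two constructed scan
snapshots (previous vs. current). Hostnames, ports, dates and software names
are placeholders; the rule thresholds are illustrative policy choices."""
from datetime import date
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str, str]   # (rule, host, detail)

REPORT_DATE = date(2024, 8, 15)                 # constructed "today" for the run

# Constructed perimeter scan snapshots.
PREVIOUS: Dict[str, dict] = {
    "www.example.test": {"os": "Linux", "ports": {443}, "cert_expires": "2024-09-01",
                         "max_severity": 3, "software": ["nginx"]},
    "mail.example.test": {"os": "Linux", "ports": {25, 443}, "cert_expires": "2024-12-01",
                          "max_severity": 2, "software": ["postfix"]},
}
CURRENT: Dict[str, dict] = {
    "www.example.test": {"os": "Linux", "ports": {443, 8080}, "cert_expires": "2024-09-01",
                         "max_severity": 5, "software": ["nginx"]},
    "mail.example.test": {"os": "Windows", "ports": {25, 443}, "cert_expires": "2024-12-01",
                          "max_severity": 2, "software": ["postfix", "telnetd"]},
    "dev-box.example.test": {"os": "Linux", "ports": {22}, "cert_expires": None,
                             "max_severity": 1, "software": []},
}

ALLOWED_PORTS: Set[int] = {22, 25, 443}         # perimeter port policy (constructed)
UNDESIRED_SOFTWARE: Set[str] = {"telnetd"}      # not wanted on perimeter systems

# Which team each rule is routed to, so alerts go straight to the right staff.
ROUTING = {
    "unexpected_host": "asset-owners", "os_changed": "asset-owners",
    "open_port": "network-ops", "cert_expiring": "pki-team",
    "severe_vulnerability": "vuln-mgmt", "undesired_software": "vuln-mgmt",
}


def monitor(previous, current, today: date,
            cert_warn_days: int = 30, severe_threshold: int = 4) -> List[Alert]:
    """Compare snapshots and emit one alert per condition, ordered by host."""
    alerts: List[Alert] = []
    for host, now in sorted(current.items()):
        before = previous.get(host)
        # Unexpected hosts/OSes: a host not seen last time, or an OS that changed.
        if before is None:
            alerts.append(("unexpected_host", host, f"new host running {now['os']}"))
        elif before["os"] != now["os"]:
            alerts.append(("os_changed", host, f"{before['os']} -> {now['os']}"))
        # Inadvertently open ports: anything outside the perimeter policy.
        for port in sorted(now["ports"] - ALLOWED_PORTS):
            alerts.append(("open_port", host, str(port)))
        # Expiring certificates: inside the warning window (or already expired).
        if now["cert_expires"]:
            days_left = (date.fromisoformat(now["cert_expires"]) - today).days
            if days_left <= cert_warn_days:
                alerts.append(("cert_expiring", host, f"expires in {days_left} days"))
        # Severe vulnerabilities on the host or its applications.
        if now["max_severity"] >= severe_threshold:
            alerts.append(("severe_vulnerability", host, f"max severity {now['max_severity']}"))
        # Undesired software on perimeter systems.
        bad = sorted(set(now["software"]) & UNDESIRED_SOFTWARE)
        if bad:
            alerts.append(("undesired_software", host, ", ".join(bad)))
    return alerts


def route(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Group alerts by the team responsible for the rule that fired."""
    queues: Dict[str, List[Alert]] = {}
    for alert in alerts:
        queues.setdefault(ROUTING[alert[0]], []).append(alert)
    return queues


if __name__ == "__main__":
    for team, items in route(monitor(PREVIOUS, CURRENT, REPORT_DATE)).items():
        print(team)
        for rule, host, detail in items:
            print(f"  [{rule}] {host}: {detail}")
```

Diffing against the previous snapshot is what lets the monitor fire on the first scan that shows a change rather than waiting for someone to read the next scheduled report; the certificate rule uses a window rather than an equality check so a certificate that has already expired still alerts.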
Payment Card Industry (PCI)
• PCI Compliance provides businesses, online merchants and Member Service Providers a highly automated way to achieve compliance with the Payment Card Industry Data Security Standard (DSS).
• Discovers and maps all devices on your network to help determine which are in scope for PCI.
• Accurate, prioritized scan results with detailed instructions for remediation of vulnerabilities.
• Automatically submits quarterly scan results and documentation to the acquirer.
• Approved by the PCI Council; fulfills quarterly network and application scanning requirements of PCI DSS. The most accurate, easiest-to-use solution for PCI compliance testing, reporting and submission.