Network Situational Awareness using Tripwire IP360

Michael McKay, CISSP, CISA, Consulting Security Engineer, October 7, 2015


Page 2

5 Steps to an Effective VM Program

“Organizations that operationally implement applicable IT controls through a vulnerability management program will achieve the strongest security posture.”

Step: Goal

1. Validate Network Address Space: Discover the entire scope of IP address space in use within the environment

2. Determine Network Edge: Understand the boundary of the network under management

3. Discover & Profile Endpoints: Understand the presence of all devices on the network

4. Identify Vulnerabilities: Evaluate and comprehend network vulnerabilities for remediation

5. Mitigate Risk: Remediate risks in priority order with patches/changes, or accept lesser risks.

Page 3

Job 1: Know What You Don’t Know

A comprehensive network inventory is a prerequisite to effective security.

Page 4

Device Discovery: Automate Critical Security Control 1

What’s on your network? What devices do you know about? What devices do you not know about?

Desktops, Servers, Wireless, Firewalls, Net Devices, Cloud / Hybrid, Virtualized

Page 5

Application Discovery: Automate Critical Security Control 2

Inventory known and discover unknown applications on your network

Identify which ports are open on your network assets

Automatically tag assets with specific applications installed

Enable further automation by dynamically assigning rule sets

Detects 18k+ operating systems, applications & protocols

Page 6

Tripwire IP360 Network Discovery and Host Profiling

Configurable active discovery of defined address spaces:

• ICMP and TCP discovery probes

• Port scans for TCP and UDP ports

• Identification of services and applications on open ports

• Credentialed access for deeper discovery of applications and other host info

• More than 2,800 operating systems; more than 16,000 applications

• Precedes vulnerability testing

• Tripwire IP360 permits unlimited host and application discovery
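As an added example (not IP360’s discovery engine or any Tripwire code), the Python below sketches the first two stages listed above: a TCP connect probe against each port, then a banner read on every open port and a lookup against a toy fingerprint table to name the service. It targets a listener started in-process on 127.0.0.1 so it runs offline; the banners, ports, fingerprint entries and the `start_fake_service` / `unused_local_port` helpers are constructed for the demo. UDP probing and credentialed access are not shown.

```python
"""TCP connect scan plus banner-based service identification (added example)."""
import socket
import threading

# Constructed toy fingerprint table: banner prefix -> service name, most specific
# first. A discovery engine carries thousands of such signatures; this is only
# the shape of the lookup.
FINGERPRINTS = [
    ("SSH-2.0-OpenSSH", "OpenSSH"),
    ("SSH-", "SSH (unknown vendor)"),
    ("220 ", "SMTP/FTP greeting"),
]


def identify(banner: str) -> str:
    """Map a banner to a service name by the first matching prefix."""
    for prefix, name in FINGERPRINTS:
        if banner.startswith(prefix):
            return name
    return "open, no recognised banner"


def probe_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """TCP connect probe. On an open port, wait briefly for a server greeting;
    services that expect the client to speak first (e.g. HTTP) yield none."""
    result = {"port": port, "open": False, "banner": "", "service": "closed"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                raw = s.recv(256)
            except socket.timeout:
                raw = b""
    except OSError:          # refused, unreachable, or timed out: treat as closed
        return result
    result["banner"] = raw.decode("latin-1").strip()
    result["service"] = identify(result["banner"])
    return result


def profile_host(host: str, ports, timeout: float = 0.5) -> list:
    """Scan the given ports and return only the open ones (a minimal host profile)."""
    return [r for r in (probe_port(host, p, timeout) for p in ports) if r["open"]]


def start_fake_service(banner: bytes):
    """Constructed demo listener on 127.0.0.1 that greets each client with
    `banner` and hangs up. Returns (port, server_socket); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def unused_local_port() -> int:
    """Constructed helper: reserve and release a port so the demo has a closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    ssh_port, ssh_srv = start_fake_service(b"SSH-2.0-OpenSSH_8.9\r\n")
    mail_port, mail_srv = start_fake_service(b"220 mail.example.test ESMTP\r\n")
    for hit in profile_host("127.0.0.1", [ssh_port, mail_port, unused_local_port()]):
        print(hit)
    ssh_srv.close()
    mail_srv.close()
```

Against a real estate the port list would be the organisation’s service ports rather than two demo listeners, and the results would be keyed by host and merged with the ICMP sweep that precedes them.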

Page 7

Application-centric Vulnerability Detection

• IIS 3.0 and 4.0 SSL "Error Message" Vulnerability
• IIS 4 Redirect Remote Buffer Overflow Vulnerability
• IIS 4 Web Server Available
• IIS 4.0 IISADMPWD Proxied Password Attack
• IIS 4.0/5.0 File Permission Canonicalization Vulnerability
• IIS 4.0/5.0 Malformed File Extension DoS Vulnerability
• IIS Administrative Pages Cross Site Scripting Vulnerabilities
• IIS Chunked Encoding Transfer Heap Overflow Vulnerability
• IIS Escape Character Parsing Vulnerability
• IIS Failure To Log Undocumented TRACK Requests Vulnerability

• Sendmail Address Prescan Memory Corruption Vulnerability
• Sendmail DNS Map TXT Record Buffer Overflow Vulnerability
• Sendmail File Locking Denial Of Service Vulnerability
• Sendmail Header Processing Buffer Overflow Vulnerability
• Sendmail Long Ident Logging Circumvention Weakness

Efficient, accurate, non-intrusive and automated application inventory

Tripwire IP360: unlimited discovery, licensed vulnerability scanning

Page 8

Tripwire IP360: Focus. Information at your fingertips

Scenario: a new browser vulnerability has application dependencies and no patch is available yet.

• Where are the clients on your network that are running the vulnerable browser together with the dependent application version?

• What application versions are running?

• Perimeter networks? Datacenter? Internal network?

Inventory of Authorized and Unauthorized Hardware and Software

Page 9

Host Application Inventory

Page 10

Network Discovery Challenges

Errors and omissions in network definitions:

• Incomplete/inaccurate network documentation

• Entry errors when defining Network Configurations

• Network additions and changes not communicated to vulnerability management

• Device Profiler and network connectivity issues

Unmanaged & unsecured devices: BYOD & IPv6

Disappearing network edge: cloud & mobility

Corporate change: M&A, consolidation & outsourcing

Page 11

The End Result:

Up to 30% Gap in Network Visibility

“You can’t defend what you don’t know.”

Mark Orndorff, Director of Mission Assurance and Network Operations, Defense Information Systems Agency

Page 12

The Gap – By the Numbers: Gap in Enterprise Visibility

Network Element           Government   Manufacturing   Financial   Technology
Assumed Device Count      ~150,000     ~60,000         ~800,000    ~100,000
Discovered Devices        ~170,000     89,860          842,400     ~114,000
Visibility Gap            ~12%         ~33%            ~5%         ~12%
Unknown Networks          3,278        24              771         433
Unauthorized Devices      520          n/a             n/a         2,026
Non-Responding Networks   33,256       4               16,828      45
Established VM Program    Yes          Yes             Yes         Yes

Visibility gap is the share of discovered devices that were not in the assumed count, i.e. (Discovered − Assumed) / Discovered; for example 89,860 discovered against 60,000 assumed gives ~33%.

Page 13

What Does the Gap Really Mean?

Network change and complexity outpacing policy and procedures

Organizations can only manage and secure what they know

How much risk does this gap introduce?

An effective Vulnerability Management strategy must incorporate comprehensive Network Situational Awareness in order to actively reduce overall risk.

Page 14

How to Close the Network Discovery Gap

Integrate Vulnerability Management into Network and Systems Change Control Procedures

Perform Tripwire IP360 Discovery Scans for the entire Enterprise Address Space

• Challenging for highly-segmented networks or duplicated address ranges

Leverage additional data from other enterprise network discovery tools like Lumeta IPsonar
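To make the figures in the page 12 table and the closing steps above concrete, here is an added Python example (not Tripwire IP360 or Lumeta code) that reconciles a documented address space and device inventory against the hosts a discovery sweep actually answered, and derives the same kinds of numbers: visibility gap, unknown networks, non-responding networks, plus devices that answered but are missing from the inventory. All networks and addresses are constructed sample data; the “untracked devices” and “stale inventory” categories are this example’s own naming, not IP360 report fields.

```python
"""Reconcile a documented address space against discovery-scan results (added example)."""
import ipaddress
from collections import defaultdict

# Constructed: the address space as documented for the VM program.
DEFINED_NETWORKS = [
    "10.1.0.0/24",  # datacenter
    "10.2.0.0/24",  # user LAN
    "10.3.0.0/24",  # still documented, but decommissioned: nothing answers there
]

# Constructed: devices the VM program already tracks (the "assumed device count").
ASSUMED_HOSTS = {
    "10.1.0.10", "10.1.0.11", "10.1.0.12",
    "10.2.0.20", "10.2.0.21",
    "10.3.0.30",  # stale inventory entry; the host is gone
}

# Constructed: addresses that answered an ICMP/TCP discovery sweep pointed at
# the whole private space, so it also found hosts outside the defined networks.
DISCOVERED_HOSTS = {
    "10.1.0.10", "10.1.0.11", "10.1.0.12", "10.1.0.13",
    "10.2.0.20", "10.2.0.21",
    "10.9.8.5", "10.9.8.6",  # undocumented network
    "172.16.4.7",            # another undocumented network
}


def gap_percent(assumed_count: int, discovered_count: int) -> float:
    """Visibility gap as in the page 12 table: share of discovered devices the
    program did not know about, 100 * (1 - assumed/discovered).
    60,000 assumed vs 89,860 discovered gives ~33%."""
    if discovered_count == 0:
        return 0.0
    return 100.0 * (1.0 - assumed_count / discovered_count)


def reconcile(defined_cidrs, assumed_hosts, discovered_hosts, aggregate_prefix=24):
    """Classify discovery results against the defined address space.

    Returns a dict of sorted strings so the output is easy to report or to
    diff between two scan runs.
    """
    defined = [ipaddress.ip_network(c) for c in defined_cidrs]
    responding = defaultdict(set)  # defined network -> hosts that answered
    unknown_networks = set()       # aggregates of hosts outside the defined space
    untracked = set()              # inside the defined space but not in inventory

    for ip in discovered_hosts:
        addr = ipaddress.ip_address(ip)
        home = next((net for net in defined if addr in net), None)
        if home is None:
            # Aggregate to a /24 (or caller-chosen prefix) so one undocumented
            # segment is reported once, not once per host.
            unknown_networks.add(
                ipaddress.ip_network(f"{ip}/{aggregate_prefix}", strict=False))
        else:
            responding[home].add(ip)
            if ip not in assumed_hosts:
                untracked.add(ip)

    non_responding = [net for net in defined if not responding[net]]
    stale_inventory = set(assumed_hosts) - set(discovered_hosts)

    return {
        "assumed_count": len(assumed_hosts),
        "discovered_count": len(discovered_hosts),
        "visibility_gap_percent": round(
            gap_percent(len(assumed_hosts), len(discovered_hosts)), 1),
        "unknown_networks": sorted(str(n) for n in unknown_networks),
        "non_responding_networks": sorted(str(n) for n in non_responding),
        "untracked_devices": sorted(untracked),
        "stale_inventory": sorted(stale_inventory),
    }


if __name__ == "__main__":
    for key, value in reconcile(DEFINED_NETWORKS, ASSUMED_HOSTS, DISCOVERED_HOSTS).items():
        print(f"{key}: {value}")
```

Feeding the “unknown networks” list back into the defined address space, and the non-responding networks back to whoever owns the network documentation, is the loop the change-control integration above is meant to close; a second discovery source such as IPsonar can be merged into `DISCOVERED_HOSTS` before reconciling.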

Page 15

Configuring an Address Space Discovery Scan

Page 16

Configuring an Address Space Discovery Scan (continued)

Page 17

Define a Discovery-Only Network

Page 18

The Tripwire Technology Alliance Program

A robust ecosystem of security technology partners to provide customers with complete solutions for advanced cyber threat protection.

Threat Intelligence: Blue Coat, Check Point, Cisco, CrowdStrike, iSIGHT Partners, Lastline, Palo Alto, Soltra

Analytics & SIEM: Agiliance, Allgress, Brinqa, CAaNES, HP, IBM, ID Experts, Kenna, LockPath, McAfee, netForensics, NetIQ, RSA, RSA-Archer, Solutionary, Splunk, Symantec, Trusted Integration

IT Service Management: BMC, CA, Cherwell Software, HP, IBM, Landesk, Microsoft, ServiceNow

Network Security: CAaNES, Certes Networks, Core Security, F5, FireMon, HP, IBM, Lancope, Lumeta, RedSeal, RSA, Skybox, SourceFire

Identity Management: Alert Enterprise, Centrify, CyberArk, Hitachi ID, Microsoft, Xceedium

Platform: Cisco, F5, HP, IBM, Intigua, Microsoft, NetApp, Novell, Oracle, Quantum, Red Hat, Sybase, VMware

Page 19

Case Study: Lumeta / Tripwire Integration

Initial use case focused on closing the visibility gap:

• IPsonar discovers all available network space

• IPsonar provides relevant host metadata

• Intelligence delivered through open APIs to Tripwire IP360

• Tripwire IP360 performs comprehensive host profiling and vulnerability scanning

Provides enterprise scalability and uncomplicated deployment. Implementation of additional integration and automation is underway.

Page 20

Continuous Network Situational Awareness: The Foundation of Comprehensive Vulnerability Management

DISCOVER: Networks & Devices; Edge & Boundaries; Profiles & Vulnerabilities

COMPREHEND: Assess & Score; Prioritize & Trend; Visualization & Reporting

MITIGATE: Reduce Risk; Minimize Threat Surface; Prevent Intrusion

Page 21

Tripwire / Lumeta Benefits

Eliminate Gaps in Network Intelligence

Maximize Visibility and Control

Enhance Security

Reduce Risk

Page 22

tripwire.com | @TripwireInc

Thank you!