RiskIQ Across the Globe: Customer Stories and Partner Integrations (June 2019)
Benjamin Powell, Technical Marketing Manager
© 2018 RiskIQ | Confidential Information 2
Benjamin Powell, Technical Marketing Manager (CEH)
Background
• Worked in IT for over 30 years.
• Focused on security for 15 years.
• I have personally worked in IT in the following industries:
– State government
– International airport
– Port district
– Education
– Biotech
– Financial services
– Manufacturing
– Software development
Fun fact: Be careful when you tell people in cyber security your hobby is spearfishing.
The Problem: Internet Visibility
• The blind spot for most organizations is the Internet: its scale and velocity make it extremely difficult for security teams to monitor
• Companies have spent their budgets building up internal visibility and prevention
• They need a way to automate internal data collection with discovery capabilities to determine what is happening on the internet
• Organizations want a way to analyze their inventory for threats and prevent or stop them before they hit the company, its partners, and its customers
Best Practices for Attack Surface Management
The practice runs through six stages: Discovery, Enrichment, Inventory, Insights, Risks, Orchestrate.
• Discovery: Continuously discover, catalogue and map every asset on the internet
• Enrichment: Data is enriched with RiskIQ historical, 3rd party, and human intelligence
• Inventory: Identify an organization’s attack surface: exposed, public facing assets (including rogue assets)
• Insights: Curated set of facts on threats, vulnerabilities, & any information requiring investigation or action
• Risks
• Orchestrate: Manage the investigation and remediation of prioritized incidents
ILLUMINATE
5 Steps to Reduce Risk to Your Attack Surface
1. Create an up-to-date inventory of Internet facing assets owned by the business
• Including web, mobile, social assets and those from 3rd parties
2. Identify threats and vulnerabilities in inventory assets
• Address detected threats (hosted malware, blacklisted IPs)
• Patch critical vulnerabilities or use mitigating controls
3. Reduce the number of orphaned assets or those lacking clear ownership
4. Limit exposure to partner and third party components
5. Monitor all digital channels for potential impact to the organization
• Brand infringing assets designed to deceive employees and customers
• Includes web, mobile, social and dark web locations for mention of the brand, specific keywords or partners
• Actively monitor and take down infringing assets
Best Practices In Protecting Against JavaScript Attacks
1. Gain immediate awareness of your attack surface, including 3rd parties
2. Minimize 3rd party libraries on payment pages
3. Implement appropriate security controls in JavaScript:
a. iframe sandboxing
b. CSP (Content Security Policy)
c. SRI (Subresource Integrity checking)
4. Continuous auditing and monitoring of everything listed above
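The three controls in step 3 are easier to reason about when you see what each one actually pins down. The following Python script is an added example, not part of the original deck or any RiskIQ product: it generates the Subresource Integrity token for a third-party script, mimics the browser-side check that rejects a modified copy, serialises a Content-Security-Policy header for a payment page, and emits a sandboxed iframe. The script body and the host names (cdn.example.net, pay.example.net) are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Hash algorithms the SRI specification allows browsers to accept.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token ("sha384-<base64 digest>") for a resource body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: the body must match at least one listed token.

    Tokens using an unknown algorithm are skipped, as browsers skip them.
    """
    matched = False
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue
        actual = sri_hash(body, algorithm).partition("-")[2]
        if hmac.compare_digest(actual, expected):
            matched = True
    return matched


def script_tag(src: str, body: bytes) -> str:
    """Emit a <script> tag pinned to the reviewed body of a third-party file.

    If the file served from the CDN later changes, the browser refuses to run it.
    """
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def build_csp(directives: dict) -> str:
    """Serialise a Content-Security-Policy header value from a directive map."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def sandboxed_iframe(src: str, allow: tuple = ()) -> str:
    """Emit an <iframe> whose sandbox attribute grants only the listed capabilities.

    An empty sandbox attribute is the most restrictive form: no scripts, forms,
    top-level navigation or same-origin access for the framed document.
    """
    return f'<iframe src="{src}" sandbox="{" ".join(allow)}"></iframe>'


# Constructed sample: the payment page's only third-party script, as reviewed.
CHECKOUT_JS = b"window.checkout = function () { return 'ok'; };\n"

# Hypothetical policy for a payment page: scripts only from self and one CDN,
# frames and XHR only to the payment provider, plugins disabled.
PAYMENT_PAGE_CSP = build_csp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.net"],
    "frame-src": ["https://pay.example.net"],
    "connect-src": ["'self'", "https://pay.example.net"],
    "object-src": ["'none'"],
})


if __name__ == "__main__":
    print("Content-Security-Policy:", PAYMENT_PAGE_CSP)
    print(script_tag("https://cdn.example.net/checkout.js", CHECKOUT_JS))
    print(sandboxed_iframe("https://pay.example.net/form", ("allow-scripts", "allow-forms")))
    # Any change to the CDN copy, however small, fails the pinned hash.
    changed = CHECKOUT_JS + b"// unexpected change\n"
    print("unchanged copy passes:", verify_sri(CHECKOUT_JS, sri_hash(CHECKOUT_JS)))
    print("changed copy passes:", verify_sri(changed, sri_hash(CHECKOUT_JS)))
```

The SRI token is the part that makes step 4 (continuous auditing) concrete: re-running `sri_hash` against what the CDN currently serves and comparing it with the token in your page is a cheap scheduled check that the third-party code has not changed since review. CSP then limits where scripts may load from and where the page may send data, and the sandbox attribute confines whatever runs inside the provider's frame.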
Customer Stories - Benefits of Attack Surface Management
• Increase efficiencies in your security programs
• Reduce mean time to respond to incidents
• Reduce false positives and free staff to work on other projects and tasks
• Make your existing tools more efficient with RiskIQ
Customer Stories from around the world
• Inventory analysis of website similarities in the organization's large dynamic inventory to improve the vulnerability program.
• Orchestration with rules, automation and internal processes to create and maintain an up to date dynamic inventory.
• Automation of abuse box submissions, using OCR to extract URLs from submitted SMSishing images.
• Automation of event creation from Digital Footprint insights and alerting on changes in open ports.
• Partner Integrations
Very large entertainment organization: 97% Reduction in Vulnerability Scanning
Challenges
• Wasting money on unnecessary vulnerability scanning of websites that are virtually the same
• No way to find and classify similar websites
• No way to detect if changes create unique, non similar websites
• Fear of impacting website services from excessive vulnerability scanning
Solution Details
• Continuous discovery of new websites and changes to existing ones
• Identify websites to cluster and only vulnerability scan one cluster, not every website
• Integration with vulnerability scanner to initiate workflow from RiskIQ
Results
• An efficient way to discover new and changed assets
• Automating workflow to initiate vulnerability scanning of selected websites
• Optimized vulnerability spending to minimize wasteful vuln scanning costs
• Reduced risk of impacting website services
• 97% reduction in vulnerability scanning needs!
Asset Clustering - Solution Overview
● RiskIQ analyzes the structure of web applications through virtual user collection in order to assign a signature value
● Signature values support the notion of thresholds and can then be used to create clusters of similar web applications within a footprint
● Customers can gain access to raw information describing the clusters, counts per cluster, centroids (core node), and assets within each cluster
WEB APPLICATIONS ARE EXPENSIVE TO MAINTAIN
Do you know how many web applications you truly have in your attack surface?
Code Sharing Amongst Applications
● Frameworks produce common HTML structures
● Configurations may overlap despite aesthetic differences
● Code and images can be abstracted via summaries to find similarities
Clustering Process
Initial number of hosts: 100,000
Hosts with a web application: 8,000
Similar characteristic groupings: 5,900
Unique clusters of hosts: 386
RiskIQ Web Application Clustering
Dramatically Reduce Your Scanning Volume to Save Money
• Gain visibility into the total number of unique web applications in use by the organization
• Prioritize scanning efforts based on changes to hosts within a given cluster or a new cluster discovery
• Save money by reducing vulnerability and testing operations against assets within the same cluster
• Assess the impact of a new vulnerability or web application adjustment by clusters affected
Raw Output
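The raw output slide is not reproduced in this transcript. The following Python script is an added illustration of the mechanism the "Asset Clustering - Solution Overview" and "Code Sharing Amongst Applications" slides describe: it reduces each host's HTML to a structural signature (the set of 3-grams over its start-tag sequence, ignoring copy, attributes and images), compares signatures with Jaccard similarity, applies a threshold, and reports clusters with counts, a centroid and member assets. It is not RiskIQ's algorithm, only one reasonable way to implement the idea; the four sample hosts and their pages are constructed.

```python
from html.parser import HTMLParser
from typing import Dict, FrozenSet, List


class _TagSequence(HTMLParser):
    """Collect the order of start tags; text, attributes and images are ignored."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def structural_signature(html: str, n: int = 3) -> FrozenSet[tuple]:
    """Summarise a page as the set of n-grams (shingles) over its start-tag sequence.

    Hosts served from the same framework template share almost all shingles even
    when their wording, stylesheets and images differ.
    """
    parser = _TagSequence()
    parser.feed(html)
    tags = parser.tags
    return frozenset(tuple(tags[i:i + n]) for i in range(len(tags) - n + 1))


def similarity(a: FrozenSet[tuple], b: FrozenSet[tuple]) -> float:
    """Jaccard similarity of two signatures, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_hosts(pages: Dict[str, str], threshold: float) -> List[dict]:
    """Greedy single-pass clustering.

    A host joins the first cluster whose centroid it resembles at least
    `threshold`; otherwise it seeds a new cluster and becomes its centroid.
    """
    clusters: List[dict] = []
    for host, html in pages.items():
        sig = structural_signature(html)
        for cluster in clusters:
            if similarity(sig, cluster["signature"]) >= threshold:
                cluster["members"].append(host)
                break
        else:
            clusters.append({"centroid": host, "signature": sig, "members": [host]})
    return [{"centroid": c["centroid"], "count": len(c["members"]), "members": c["members"]}
            for c in clusters]


def scan_reduction(pages: Dict[str, str], threshold: float) -> float:
    """Fraction of hosts that need no separate scan if only each centroid is scanned."""
    return 1.0 - len(cluster_hosts(pages, threshold)) / len(pages)


# Constructed sample footprint: three storefronts from one template (shop-c has
# one extra menu item) plus an unrelated admin console. Hostnames are hypothetical.
SAMPLE_PAGES = {
    "shop-a.example": """<html><head><title>Store A</title><link rel="stylesheet" href="a.css"></head>
<body><div class="wrap"><nav><ul><li>Home</li><li>Shop</li></ul></nav>
<div id="content"><main><p>Welcome to store A</p></main></div></div>
<footer>2019</footer></body></html>""",
    "shop-b.example": """<html><head><title>Store B</title><link rel="stylesheet" href="b.css"></head>
<body><div class="container"><nav><ul><li>Start</li><li>Buy</li></ul></nav>
<div id="main"><main><p>Hello from store B</p></main></div></div>
<footer>2019</footer></body></html>""",
    "shop-c.example": """<html><head><title>Store C</title><link rel="stylesheet" href="c.css"></head>
<body><div class="wrap"><nav><ul><li>Home</li><li>Shop</li><li>Help</li></ul></nav>
<div id="content"><main><p>Welcome to store C</p></main></div></div>
<footer>2019</footer></body></html>""",
    "admin.example": """<html><head><meta charset="utf-8"><script src="app.js"></script></head>
<body><table><tr><td>User</td><td>Role</td></tr><tr><td>bob</td><td>admin</td></tr></table>
<form><input name="q"><input name="p"><button>Go</button></form></body></html>""",
}


if __name__ == "__main__":
    for threshold in (0.8, 0.95):
        print(f"threshold {threshold}:")
        for cluster in cluster_hosts(SAMPLE_PAGES, threshold):
            print(f"  centroid={cluster['centroid']} count={cluster['count']} members={cluster['members']}")
        print(f"  scan reduction: {scan_reduction(SAMPLE_PAGES, threshold):.0%}")
```

At a threshold of 0.8 the three storefronts collapse into one cluster (shop-c differs in only one of thirteen shingles, a similarity of 12/13) and the admin console stands alone, so scanning one centroid per cluster covers half the hosts; raising the threshold to 0.95 splits shop-c out, which is the trade-off the "thresholds" remark on the solution overview refers to. A host whose signature drifts away from its centroid on the next crawl is exactly the "change to a host within a cluster" that the slides say should trigger a rescan.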
Security Hygiene: Customer Example
CONTEXT
• Health information technology company based in North Kansas City, Missouri
• $5.4 billion revenues and 29,200 employees
• CISO completed his largest initiative to implement basic security hygiene for internal assets, then shifted focus to external assets
CHALLENGES
• Basic security controls did not extend to external, internet assets
• Many internal-only assets were misconfigured open to the internet
• Project to build own tools to discover and inventory internet assets would be a massive undertaking in terms of time, resources, and cost
SOLUTION
• CISO uses RiskIQ Digital Footprint to gain automated visibility into all internet assets in order to implement basic security hygiene
• Security has the facts to work with IT to proactively address risks from Shadow IT
• RiskIQ’s external, internet visibility is a part of Cerner’s security architecture inside and outside the firewall
Product: Digital Footprint
Security-IT Collaboration: Customer Example
CONTEXT
• Global financial services company based in New York City
• $37 billion revenues and 59,000 employees
• Competition with Expanse, Security Scorecard, and BitSight
CHALLENGES
• Large Security organization with multiple teams, philosophies, controls, and tools makes timely coordination problematic
• Security must also collaborate with IT Operations to remediate
• Fragmented and siloed organizations do not have the same facts for proactively identifying, prioritizing, and solving security problems
SOLUTION
• Security organization uses RiskIQ as a centralized platform for Security and IT teams to collaborate and share information
• American Express implements security hygiene outside the firewall, monitors the internet for new threats such as Magecart and SMSishing, and minimizes its internet attack surface, all while reducing costs
• RiskIQ’s external, internet visibility is a part of American Express’s security architecture inside and outside the firewall
Product: RiskIQ Platform
[Screenshot of an event record: 2019-04-25, ID 42587054, http://paypalv2.com/ (paypalv2.com)]
ServiceNow-RiskIQ: Customer Example
CONTEXT
• Enterprise cybersecurity company based in Santa Clara, California
• $2.4 billion revenues and 5,900 employees
• Security Incident Response use case: Security Operations team works in RiskIQ External Threats and in ServiceNow Security Operations
CHALLENGES
• Manual process to bring RiskIQ’s external, internet visibility of phish, mobile apps, and domains into ServiceNow for action
• Costly use of full-time equivalent resources
• Slow security incident response
SOLUTION
• ServiceNow-RiskIQ integration enables a seamless, automated process to bring RiskIQ events into ServiceNow for remediation
• Faster security incident response
• RiskIQ’s external, internet visibility is an integrated part of Palo Alto Networks’ security architecture inside and outside the firewall
Product: External Threats
Secure Digital Initiatives
Organizations are pursuing digital initiatives that need to be secure, so IT and Security need to work together.
Security leaders who have full visibility into their organizations’ external, internet assets can add value to their digital initiatives. They have the facts to:
• Balance business goals and risks
• Proactively identify problems earlier
• Work with IT leaders to prioritize and solve problems
[Diagram contrasting "Not a fact-based approach" with "A fact-based approach"]
ServiceNow-RiskIQ Joint Solution
[Diagram labels: Security, IT; Now Platform; Security Operations; IT Service Management; Digital Footprint (Assets); External Threats (Security Events, Events); Visibility, Remediation]
Security and IT can work together faster and proactively to:
• Implement security hygiene outside the firewall
• Address external cyber threats
• Minimize their organization’s internet attack surface
DF Asset Integration with ServiceNow
RiskIQ-DF: Asset Inventory List
ServiceNow: Asset Inventory Sync Configuration
Select the asset types to sync from RiskIQ-DF to the ServiceNow platform. Custom filters can be configured for syncing.
ServiceNow: Asset Inventory List
RiskIQ-DF assets in custom ServiceNow table
ServiceNow: Asset Record
Link to asset details in RiskIQ-DF
RiskIQ-DF: Asset Details
DF/ET Event Integration with ServiceNow
RiskIQ-DF/ET: Events Dashboard
DF events: Malware, SSL, Web Compliance, and Infrastructure
ET events: Phish, Domain Infringement, Rogue Mobile App, Content, and Social
ServiceNow: Event Sync Configuration
Select the event types to sync from RiskIQ-ET to the ServiceNow platform. Custom filters can be configured for syncing.
ServiceNow: Events List
RiskIQ-ET events in custom ServiceNow table
ServiceNow: Event Record
Link to event details in RiskIQ-DF/ET
RiskIQ-DF/ET: Event Details
Cause of event
ServiceNow: IT Incidents or Security Incidents
Events appear as Incidents in ServiceNow IT Service Management’s Incident Management application, or as Security Incidents in ServiceNow Security Operations’ Security Incident Response application. Note that the mapping of event data to incident record fields may be limited in this beta version.
Can configure prioritization in ServiceNow
Very large Travel Organization (“Empower people to experience the world”)
Challenges
• Help support the organization by providing intel to deliver a clear, focused Attack Surface Management Program.
• What are the priorities today?
• What do you want to be tomorrow?
Solution Details
• Digital Footprint (mixture of Premium & Enterprise): over 250k assets in the inventory.
• PassiveTotal Enterprise with API access
• Digital Footprint mapped
• Delivery of tailored use cases generated from Digital Footprint insights.
Results
• Identified “Known” vs “Unknown” assets, which led to the creation of “Prune Logic” that automatically removes assets that do not belong to the organization
• Changes in open ports in inventory
• GDPR scans
• Better understanding of the risk landscape of their attack surface
• Actioning events with integration of Swimlane
Partner Integrations
www.eclecticiq.com
EclecticIQ has paid for and integrated PassiveTotal API endpoints into their threat platform. Joint customers are able to access this content within the EclecticIQ platform.
Graph based implementation for interacting with data. Seems to use d3js, pivots off entities for additional insight, and has intel type cards to provide additional enrichment for entities. Uses the PassiveTotal API. Integrates the following capabilities: Malware Lookup, PDNS, WHOIS.
Currently EclecticIQ is adding additional RiskIQ advanced data sets to their integration to increase functionality.
www.polarity.io
Polarity is a memory augmentation platform created on the principle that people are the most integral component of the incident response process. It provides a new way for centralized or distributed Incident Responders to utilize a collective memory by delivering critical intelligence to the right team members only when it is relevant to what they are working on. Polarity drives responders to make better and faster decisions, increasing productivity and reducing the risk of a data breach going undetected or being unnecessarily prolonged. Polarity works by analyzing the content of a user’s screen and notifying the user about intelligence of interest, helping to ensure that Incident Responders never miss the critical intelligence that could have been integral to combating a cyber intrusion.
Integration
Organizations with access to RiskIQ SIS (Security Intelligence Services) can now instantly leverage the rich Internet Data and Attack Analytics via Polarity to augment existing workflows regardless of the specific tool or application. In the following example, a SOC analyst is analyzing network packet data for evidence of suspicious activity and receives a real time notification via the Polarity Heads Up Display (HUD) that a domain artifact has relevant information available via RiskIQ SIS. The detailed information is then seamlessly presented within the Polarity Overlay Window as illustrated below:
www.protectwise.com
ProtectWise acts as a SIEM for customers by ingesting local network traffic and helping surface suspicious events. They have developed an integration with PassiveTotal. ProtectWise has paid RiskIQ for the right to use our SIS data (including the blacklist) within their platform.
They can also enrich event data using the PassiveTotal API.
Recently acquired by Verizon.
www.demisto.com
Demisto is a Collaborative and Automated Security Operations Platform. Demisto Enterprise is the first Security Operations Platform to combine intelligent automation and collaboration into a single ChatOps interface. Demisto’s automation is provided by DBot, who interacts with your team via ChatOps for playbook-based workflows, cross-correlation, and information sharing, helping security teams scale while working and learning the way humans are wired to: together.
Our integration automates enrichment of alerts as playbook tasks: passive DNS information, SSL certificate data, WHOIS data, IOC intelligence, and so on.
• Runs search and query operations on WHOIS, SSL, and OSINT data based on keywords and metadata.
• Leverage hundreds of Demisto product integrations to further enrich RiskIQ data and coordinate response across security functions.
• Run thousands of commands (including for RiskIQ) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Benefits
● Orchestrate threat discovery, intelligence, and mitigation actions through playbooks.
● Reduce time to resolution by using one platform to collaborate, investigate, and document.
● Shorten the decision-making cycle by automating key tasks with analyst review.