threat impact analysis without crash testing the network

www.redsealnetworks.com

Threat Impact Analysis Without Crash Testing The Network

Virtual Attack Simulation For Proving Security Control Effectiveness

Dr. Mike Lloyd | CTO | April 2013


Continuous Monitoring:- The right idea- At the right time- Mandated

Why? How? What’s special about

network security? Lessons learned

Agenda

© 2013 RedSeal Networks, Inc. All rights reserved.2


What problem?

Billions of $$$ in IT security spending

90% of Organizations say they have been breached

in the last 12 months**Perceptions About Network Security, Ponemon Institute,



Lack of control leads directly to breach

97% of attacks could have been avoided through “consistent application of simple or intermediate controls”

- Verizon Data Breach Investigations Report, 2012



We’ve got data- Lots of it

Making sense of it is hard- Skills shortage- Sheer scale

Hard to prioritize actions Hard to demonstrate effectiveness Compliance is pain with little gain

What we hear from CISO’s



Dynamic compliance



Main idea is simple:- Asset Inventory- Policy- Check the assets (and repeat)

Not too bad for physical assets Doors

- List all doors- Require card reader on external doors- Check

Desktops are a bit harder- Can you find them all?- Policy gets more technical- Testing is downright fiddly

SCAP, FDCC have worked hard on this problem

Continuous Monitoring 101



Network security is the same, right?- List all network gear- Write configuration rules- Test them

Any problems with this?

Network security



How not to do it

Check the outcome, not the details



Networks are about pairs- Can A attack B?

Hosts can be checked- Lots of work, but possible

For the network, square it- 10,000 hosts => 100

million questions Well outside human range Far too many interactions

Networks are different



Gather& Map

TestElements

Test theSystem

MeasureRisk

Four gears



You can’t manage what you can’t see

Network configuration stores vary widely- Some have a chosen CMDB vendor- Some have many- Some have none

All have problems

First gear: gather & map


1


Every network store has gaps Maps make it obvious Good news: it’s possible

to “bootstrap” The data you have can

tell you what’s missing- Report on “known unknowns”

Lesson 1: Everyone has Dark Space


Disconnected objects


RedSeal includes over 100basic single-device tests- Vendor supplied passwords- Insecure management protocols- Industry-wide best practice checks

We find around 10 issues per device Lesson 2: all configurations need to be

checked But element testing isn’t enough …

Second gear: test elements


2


Testing elements is easy Testing whole systems is hard, for humans Automation works, if you can tell the

machine what your objectives are

Third gear: test the system


3


Main PKI site, plus disaster recovery Strict access controls expected

Zone defense in practice

Internet

Cert Authority

Cert Admins

WAN to Extranet

DR Site



Testing the system end to end

People set the objectives Automation to compare to the “as built”

Red arrow means something is wrong

Unexpected access



Drill down to see the exception

Many interacting elements Something went wrong



Pin-point root cause

In this case, three gaps- One for a telecommuter who left 8 years ago- Two more for “temporary” testing

Lost among thousands of details

Access Found

“Subway Map”showing path

Flow through one hop

Specific rules



How did this happen?

A network built with care- By people who knew what

they were doing Repeated audits, over years How did the error survive? Complexity Lesson 3: zone defense is easy for

computers



Once you understand access,you can prioritize vulnerabilities

Run attack simulations See what’s easiest to break into Score using Risk = Value * Ease of Exploit

Fourth gear: measure risk


4


Virtual Attack Simulation: a real example

Internet

DMZ

Main Site



• Attackers can reach these exposed servers

Step 1 – Vulnerabilities exposed in DMZ



• Just a few pivot attacks are possible

Step 2 – Some attack paths sneak in



• Attackers can get in if they find this first!

Step 3 – Attack fans out



How easily canattackers get in?

Risk metric dashboards

How big is my attack surface?

How much is undocumented?



Lesson 4: Metrics that matter

Defensive posture CAN be measured This drives to better outcomes

- Measure posture => improved posture You can sleep better

- Demonstrate effectiveness, not busyness


http://uratexblog.com/wp-content/uploads/2011/10/Sleeping-with-Music1.jpg


Making lemonade

Continuous Monitoring is now possible- And a good idea- And mandated

Automation is far easier than human effort

But you still need to write rules There’s another process you can leverage

- Change Review Board



Optimized change process

Big win: record intent up front, in Risk Assessment Use software as “catcher’s mitt”, detect drift

Change request

Compliancereport

“I want”

Enterprise

Implementation“How”

Network Ops

Riskassessment

Continuousmonitoring

“Yes”

“Yes, but”

“OK”“Not OK”Security Oversight



Optimized change process

Change request

Compliancereport

“I want”

Enterprise

Implementation“How”

Network Ops

Riskassessment

Continuousmonitoring

“Yes”

“Yes, but”

“OK”“Not OK”Security Oversight

Auto-compute details

Continuous monitoringAutomated assessment



Conclusions


Continuous Monitoring is:1. A good idea

2. Mandatory

3. Impossible with human effort alone

4. Easy with automation Networks multiply the complexity Automated risk assessment is key

Gather& Map

TestElements

Test theSystem

MeasureRisk

threat impact analysis without crash testing the network

Technology