20 Critical Security Controls and QualysGuard

Session ID: SPO1-T19
Session Classification: Intermediate
Speakers: Andrew Wild (Qualys), Wolfgang Kandek (Qualys)
Subtitle: Automating the 20 Critical Security Controls

Description: Implementation of the 20 Critical Security Controls using QualysGuard

Transcript of 20 Critical Security Controls and QualysGuard

Page 1: 20 Critical Security Controls and QualysGuard

Session ID: SPO1-T19
Session Classification: Intermediate

Automating the 20 Critical Security Controls

Andrew Wild, Qualys
Wolfgang Kandek, Qualys

Page 2: 20 Critical Security Controls and QualysGuard

2011 – the Year of Data Breaches

Page 3: 20 Critical Security Controls and QualysGuard

2012 – proceeded almost the same

Page 6: 20 Critical Security Controls and QualysGuard

2013 – started in a similar Way

Page 10: 20 Critical Security Controls and QualysGuard

Background

• Open System Administration Channels
• Default and Weak Passwords
• End-user has Administrator Privileges
• Outdated Software Versions
• Non-hardened Configurations

► Flaws in System Administration

Page 20: 20 Critical Security Controls and QualysGuard

Solution

• 20 Critical Controls
• Owned by SANS, with widespread industry expert input
• International participation
• Prioritized
• Automation is critical to success
• 90 % Risk Reduction at US DoS
• 85 % Incident Reduction at DSD Australia

Page 22: 20 Critical Security Controls and QualysGuard

Qualys

• QualysGuard
  • Vulnerability Management
  • Policy Compliance
  • Web Application Scanning
  • PCI
  • Malware Detection
• SaaS Solution
  • Browser-based, Multi-tenant
  • Public and Private Cloud
  • Scanning, Reporting, Ticketing
  • Extensive API

Page 27: 20 Critical Security Controls and QualysGuard

CC1: Hardware Inventory

• Asset Visibility
  • Size of Network
  • Machine Types
  • Location
• New Equipment Detection
  • Authorized
  • Unauthorized

Page 28: 20 Critical Security Controls and QualysGuard

CC1: Hardware Inventory

• Automation
  • Scans are scheduled
  • Delta Reports are scheduled
  • Reports can be e-mailed
  • Alerting on newly discovered hosts
• Via API
  • Integration into Asset Management Systems
  • Coming: ticket generation on newly discovered hosts
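The delta report and the authorized/unauthorized split that CC1 asks for, written out as an added example (not Qualys code and not from the deck): two constructed discovery-scan results are diffed, and every host that appeared since the previous scan is checked against a constructed asset register. The `Host` type, the `delta_report` function, and the choice to key the register on MAC address are assumptions for this example; a real deployment would pull the scan results from the scanner's API and the register from the asset management system.

```python
"""Delta between two scheduled discovery scans, classified against an asset register.

Added example, not Qualys code and not taken from the slides. The two scan
results and the asset register below are constructed sample data; in practice
they would come from the scanner's API and from the asset management system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str        # hardware address as seen by the scanner
    os: str         # OS fingerprint reported by the scan
    segment: str    # network segment the scanner covers


# Constructed: hosts found by last week's scheduled discovery scan
PREVIOUS_SCAN = {
    Host("10.0.1.10", "00:11:22:33:44:10", "Windows Server 2008", "dc1"),
    Host("10.0.1.11", "00:11:22:33:44:11", "Linux 2.6", "dc1"),
    Host("10.0.2.20", "00:11:22:33:44:20", "Windows 7", "office"),
}

# Constructed: hosts found by this week's scan (one host gone, two new)
CURRENT_SCAN = {
    Host("10.0.1.10", "00:11:22:33:44:10", "Windows Server 2008", "dc1"),
    Host("10.0.1.11", "00:11:22:33:44:11", "Linux 2.6", "dc1"),
    Host("10.0.1.12", "00:11:22:33:44:12", "Linux 2.6", "dc1"),
    Host("10.0.2.21", "aa:bb:cc:dd:ee:21", "Linux 3.x", "office"),
}

# Constructed: the asset register (MAC -> asset tag) that defines "authorized"
ASSET_REGISTER = {
    "00:11:22:33:44:10": "DC1-APP-01",
    "00:11:22:33:44:11": "DC1-DB-01",
    "00:11:22:33:44:12": "DC1-DB-02",
    "00:11:22:33:44:20": "OFFICE-WS-020",
}


def delta(previous, current):
    """Hosts that appeared and hosts that disappeared between two scans.

    A host is identified by (ip, mac) so that a new device reusing a freed IP
    shows up as new rather than being mistaken for the old asset."""
    prev = {(h.ip, h.mac): h for h in previous}
    cur = {(h.ip, h.mac): h for h in current}
    new = sorted((cur[k] for k in cur.keys() - prev.keys()), key=lambda h: h.ip)
    gone = sorted((prev[k] for k in prev.keys() - cur.keys()), key=lambda h: h.ip)
    return new, gone


def classify(new_hosts, register):
    """Split newly seen hosts into authorized (in the register) and unauthorized."""
    authorized = [h for h in new_hosts if h.mac in register]
    unauthorized = [h for h in new_hosts if h.mac not in register]
    return authorized, unauthorized


def delta_report(previous, current, register):
    """The content of a scheduled delta report, as plain data."""
    new, gone = delta(previous, current)
    authorized, unauthorized = classify(new, register)
    return {
        "new_authorized": [(h.ip, register[h.mac]) for h in authorized],
        "new_unauthorized": [(h.ip, h.mac, h.os, h.segment) for h in unauthorized],
        "disappeared": [h.ip for h in gone],
    }


def alerts(report):
    """One alert line per unauthorized host, the input for e-mail or ticketing."""
    return [
        f"ALERT unauthorized host {ip} mac={mac} os={os!r} segment={seg}"
        for ip, mac, os, seg in report["new_unauthorized"]
    ]


if __name__ == "__main__":
    report = delta_report(PREVIOUS_SCAN, CURRENT_SCAN, ASSET_REGISTER)
    for line in alerts(report):
        print(line)
    print("new authorized:", report["new_authorized"])
    print("disappeared:", report["disappeared"])
```

The "disappeared" list matters as much as the new hosts: an asset that stops answering the scan may have been retired without updating the register, or may have moved to a segment the scanner does not cover, so it belongs in the same report rather than being silently dropped.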

Page 35: 20 Critical Security Controls and QualysGuard

CC2: Software Inventory

• Asset Visibility
  • Operating Systems
  • Applications
  • Versions
  • Patch Levels
• Blacklisting
• Whitelisting
• Interactive Search

Page 36: 20 Critical Security Controls and QualysGuard

CC2: Software Inventory

• Automation
  • Scans are scheduled
  • Reports are scheduled
  • Reports can be emailed
  • Alerting on Exceptions
• Via API
  • Integration into Asset Management Systems
  • Coming: Ticket generation on Exceptions
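What "alerting on exceptions" means for CC2, as an added example (not Qualys code and not from the deck): a constructed software inventory, of the kind an authenticated scan returns, is checked against a constructed whitelist with minimum versions (the patch-level requirement) and a constructed blacklist, and every package that fails becomes a row in an exception report. The `Package` type, `check`, `exceptions` and `search` are assumptions for this example, as is the simple numeric version comparison.

```python
"""Software inventory from an authenticated scan checked against policy lists.

Added example, not Qualys code and not from the slides. The inventory, the
whitelist and the blacklist are constructed; real ones would come from the
scan results and the organisation's approved-software list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    host: str
    name: str
    version: str


def version_key(version):
    """Numeric tuple for comparing dotted versions such as '17.0.1' < '18.0'.
    Sufficient for the sample data; real package versions need a full parser."""
    return tuple(int(part) for part in version.split("."))


# Constructed: what the authenticated scan reported as installed
INVENTORY = [
    Package("ws-001", "Firefox", "17.0.1"),
    Package("ws-001", "Java Runtime Environment", "1.6.0"),
    Package("ws-002", "Firefox", "18.0"),
    Package("ws-002", "Adobe Reader", "11.0.1"),
    Package("srv-010", "OpenSSH", "5.3"),
    Package("srv-010", "Telnet Server", "1.0"),
]

# Constructed whitelist: approved software and the minimum version (patch
# level) still acceptable; None means any version of it is approved.
WHITELIST = {
    "Firefox": "18.0",
    "Java Runtime Environment": "1.7.0",
    "Adobe Reader": "11.0.0",
    "OpenSSH": None,
}

# Constructed blacklist: software that must not be present at all
BLACKLIST = {"Telnet Server"}


def check(pkg, whitelist, blacklist):
    """None when the package is acceptable, otherwise the reason it is an exception."""
    if pkg.name in blacklist:
        return "blacklisted"
    if pkg.name not in whitelist:
        return "not on whitelist"
    minimum = whitelist[pkg.name]
    if minimum is not None and version_key(pkg.version) < version_key(minimum):
        return f"below minimum version {minimum}"
    return None


def exceptions(inventory, whitelist, blacklist):
    """(host, name, version, reason) for every package that fails policy:
    the rows of an exception report and the triggers for exception alerts."""
    rows = []
    for pkg in inventory:
        reason = check(pkg, whitelist, blacklist)
        if reason is not None:
            rows.append((pkg.host, pkg.name, pkg.version, reason))
    return rows


def search(inventory, fragment):
    """Interactive search: which hosts run software whose name contains the fragment?"""
    needle = fragment.lower()
    return sorted((p.host, p.name, p.version) for p in inventory if needle in p.name.lower())


if __name__ == "__main__":
    for row in exceptions(INVENTORY, WHITELIST, BLACKLIST):
        print("EXCEPTION host=%s software=%r version=%s reason=%s" % row)
    print(search(INVENTORY, "firefox"))
```

Blacklist wins over whitelist on purpose: if the same name ever ends up on both lists, the check must report it rather than quietly approve it. The `search` function is the scripted form of the interactive search on the previous slide; when a new advisory lands, the first question is "which hosts run this at all?", and that is answered from the same inventory before any policy is updated.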

Page 39: 20 Critical Security Controls and QualysGuard

CC3: Secure Base Configurations

• Configuration Validation
  • SCAP/FDCC
  • Cyberscope Reporting
  • CIS

Page 53: 20 Critical Security Controls and QualysGuard

CC4: Continuous Vulnerability Assessment/Remediation

• Weekly/Daily Scheduled Vulnerability Scanning
• Authenticated Scanning
• Verify Patching
• Report on Unauthorized Services

Page 54: 20 Critical Security Controls and QualysGuard

CC4: Continuous Vulnerability Assessment/Remediation

• Automation
  • Scans are scheduled
  • Reports are scheduled
  • Reports are emailed
  • Alerting on Vulnerabilities
  • Tickets for Vulnerabilities, Remediation SLA and Confirmation
  • Integration into Asset Management Systems
• Via API
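The ticket, SLA and confirmation loop from the slide above, as an added example (not Qualys code and not from the deck): each finding of a constructed first scan opens a ticket whose due date follows from its severity, and a constructed rescan then closes the tickets whose findings are gone (confirmation by the scanner, not by the ticket owner), marks the ones still present past their due date overdue, and opens tickets for new findings. The `Finding` and `Ticket` types, the 1-to-5 severity scale and the days-per-severity in `SLA_DAYS` are assumptions for this example, not platform defaults.

```python
"""Vulnerability tickets with a remediation SLA, confirmed by the next scan.

Added example, not Qualys code and not from the slides. Findings, ids and
dates are constructed; the severity scale (1 low .. 5 critical) and the SLA
days per severity are assumptions for the example, not platform defaults.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLA: days allowed to fix, by severity
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: int      # scanner's vulnerability id (constructed numbers)
    severity: int
    first_seen: date


@dataclass
class Ticket:
    finding: Finding
    due: date
    status: str = "open"    # open | overdue | closed


def open_tickets(findings, sla=SLA_DAYS):
    """One ticket per (host, vulnerability); the due date follows from severity."""
    return {
        (f.host, f.vuln_id): Ticket(f, f.first_seen + timedelta(days=sla[f.severity]))
        for f in findings
    }


def reconcile(tickets, rescan, today, sla=SLA_DAYS):
    """Update tickets from a newer scan.

    Absent from the rescan  -> closed (the scanner confirms the fix).
    Still present           -> open, or overdue once past the due date;
                               a closed ticket whose finding returns reopens.
    Not ticketed before     -> new ticket."""
    present = {(f.host, f.vuln_id) for f in rescan}
    for key, ticket in tickets.items():
        if key not in present:
            ticket.status = "closed"
        else:
            ticket.status = "overdue" if today > ticket.due else "open"
    for f in rescan:
        key = (f.host, f.vuln_id)
        if key not in tickets:
            tickets[key] = Ticket(f, f.first_seen + timedelta(days=sla[f.severity]))
    return tickets


def summary(tickets):
    """Ticket counts by status, the numbers a weekly remediation report leads with."""
    counts = {"open": 0, "overdue": 0, "closed": 0}
    for t in tickets.values():
        counts[t.status] += 1
    return counts


# Constructed: first scheduled scan of the month
FIRST_SCAN = [
    Finding("srv-010", 90001, 5, date(2013, 2, 1)),
    Finding("srv-010", 90002, 3, date(2013, 2, 1)),
    Finding("ws-001", 90003, 4, date(2013, 2, 1)),
]

# Constructed: rescan on 2013-02-20; 90001 fixed, 90002/90003 still present, 90004 new
RESCAN_DATE = date(2013, 2, 20)
RESCAN = [
    Finding("srv-010", 90002, 3, date(2013, 2, 1)),
    Finding("ws-001", 90003, 4, date(2013, 2, 1)),
    Finding("ws-002", 90004, 5, RESCAN_DATE),
]


def run_cycle():
    """Open tickets from the first scan, then reconcile them against the rescan."""
    tickets = open_tickets(FIRST_SCAN)
    return reconcile(tickets, RESCAN, RESCAN_DATE)


if __name__ == "__main__":
    for key, t in run_cycle().items():
        print(key, "severity", t.finding.severity, "due", t.due, t.status)
    print(summary(run_cycle()))
```

Closing a ticket only when the rescan no longer reports the finding is the "confirmation" part of the slide: a ticket marked done by hand but still reported by the next authenticated scan stays open, and a finding that returns after its ticket was closed reopens it instead of being lost. The rescan that drives this must itself be the scheduled, authenticated scan from the previous slide, otherwise a host that was simply unreachable on scan day would look remediated.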

Page 55: 20 Critical Security Controls and QualysGuard

Other Critical Controls

• CC6: Application Software Security
  • Automated Web Application Scans
• CC7: Wireless Device Controls
  • Wireside Detection
• CC11: Control of Network Ports
  • Scans and Reports for authorized and unauthorized Ports and Services
• CC16: Account Monitoring
  • Controls for Admin accounts, password policies, account lockout settings

Page 61: 20 Critical Security Controls and QualysGuard

• Ability to add tactical controls• Example: Recent Internet Explorer Vulnerabilities

CVE-2012-4969• Mitigated by use of EMET• Audit the Deployment

Policy Dynamics

Page 62: 20 Critical Security Controls and QualysGuard

• Ability to add tactical controls• Example: Recent Internet Explorer

VulnerabilitiesCVE-2012-4969 (Sep/12)/KB2794220 (Dec/12)

• Mitigated by use of EMET• Audit the Deployment

• User Defined Registry Check

Policy Dynamics

Page 63: 20 Critical Security Controls and QualysGuard

Summary

• Functionality to assess the Controls exists
• Automation is available, but API integration is frequently needed
• Offerings are improving, with better workflow coming

Page 64: 20 Critical Security Controls and QualysGuard

Thank You

Andrew Wild – [email protected]
Wolfgang Kandek – [email protected]
http://laws.qualys.com