SlideShare una empresa de Scribd logo

Tips to Remediate your Vulnerability Management Program

BeyondTrust
BeyondTrust

In this presentation from her webinar, renowned cybersecurity expert Paula Januszkiewicz delves into what a truly holistic vulnerability management program should look like. When all parts are correctly established and working together, organizations can dramatically dial down their risk exposure. This presentation covers: - The key phases and activities of the vulnerability management lifecycle - The tools you need for an effective vulnerability management program - How to prioritize your VM needs - How an effective VM program can help you measurably reduce risk and meet compliance objectives You can watch the full webinar here: https://www.beyondtrust.com/resources/webinar/tips-remediate-vulnerability-management-program

Software
1 de 61
Descargar para leer sin conexión
Tips to Remediate Your Vulnerability Management Program Paula Januszkiewicz CQURE: CEO, Cybersecurity Expert CQURE Academy: Trainer MVP: Enterprise Security Microsoft Regional Director (not working at Microsoft ;)) www.cqureacademy.com paula@cqure.us @CQUREAcademy @paulaCQURE CONSULTING
What does CQURE do? CQURE Consulting: Extensive IT Security Audits and Penetration Tests of all kinds Configuration Audit and Architecture Design Social Engineering Tests Advanced Troubleshooting and Debugging Data Analysis Emergency Response Services R&D & Publications CQURE Academy (education): 40 authored deep – dive trainings Technical education offline (mainly in New York or via our partners worldwide) Technical education online (over 1 million views) Management security awareness training series
Awareness >> Behavior >> Culture must aim for a responsible security culture.
I know the traffic rules…. Awareness comes with experience I know the traffic rules….
Does it guarantee that I am a good driver? Behavior comes with awareness
Culture comes with understanding
We have the best security solutions…
…but the security landscape has changed.
Unmanaged & Mobile Clients Sensitive Workloads Cybersecurity Reference Architecture Intranet Extranet Azure Key Vault Azure Security Center • Security Hygiene • Threat Detection System Management + Patching - SCCM + Intune Microsoft Azure On Premises Datacenter(s) NGFW IPS DLP SSL Proxy Nearly all customer breaches Microsoft’s Incident Response team investigates involve credential theft 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR) IaaS/Hoster $ Windows 10 EPP - Windows Defender Office 365 ATP • Email Gateway • Anti-malware EDR - Windows Defender ATPMac OS Multi-Factor Authentication MIM PAMAzure App Gateway Network Security Groups Windows Information Protection AAD PIM Azure Antimalware Disk & Storage Encryption Endpoint DLP Shielded VMs SQL Encryption & Firewall Hello for Business Azure Information Protection (AIP) • Classification • Labelling • Encryption • Rights Management • Document Tracking • Reporting Enterprise Servers VPN VPN Domain Controllers VMs VMs Certification Authority (PKI) Incident Response Vulnerability Management Enterprise Threat Detection Analytics Managed Security Provider OMS ATA SIEM Security Operations Center (SOC) Logs & Analytics Active Threat Detection Hunting Teams Investigation and Recovery WEF SIEM Integration IoT Identity & Access 80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013) UEBA Windows 10 Security • Secure Boot • Device Guard • Credential Guard • Remote Credential Guard • Windows Hello Managed Clients Legacy Windows Office 365 Security Appliances Intune MDM/MAM Conditional Access Cloud App Security Information Protection Windows Server 2016 Security Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, … Software as a Service Analytics & Reporting ATA Privileged Access Workstations Internet of Things ASM Lockbox Admin Forest
According to the industry’s statistics, by 2019 the market will need 6 mln security professionals. But only 4 to 5 million of them will have the needed qualifications. *Source: Financial Times
SECURITY IN THE ENTERPRISE = ORGANIZATIONAL PROCEDURES WE FOLLOW + VULNERABILITY MANAGEMENT + INSECURE CONFIGURATION MANAGEMENT
And here come some statistics… *Based on Trustwave Global Security Report 2013/2014
Vulnerability Management – What’s This?
Security Scopes DEFENDING AGAINST MODERN SECURITY THREATS SECURED DEVICES SECURED IDENTITIES INFORMATION PROTECTION THREAT RESISTANCE
Secured Identities
What is the most successful path for the attack right now?
:) THE ANATOMY OF AN ATTACK Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs :) Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
User Lured to Malicious Site Device Infected with Malware HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs ceives il
“PASS THE HASH” ATTACKS Today’s security challenge
User: Adm... Hash:E1977 Fred’s Laptop Fred’s User Session User: Fred Password hash: A3D7… Sue’s Laptop Sue’s User Session Pass-The-Hash Technique Malware Session User: Administrator Password hash: E1977… Malware User Session User: Adm… Hash: E1977 User: Sue Hash: C9DF User: Sue Password hash: C9DF… File Server User: Sue Hash:C9DF 1 3 4 1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR 2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER 3. MALWARE INFECTS SUE’S LAPTOP AS FRED 4. MALWARE INFECTS FILE SERVER AS SUE 2
Virtual Secure Mode Virtual Secure Mode (VSM) Kernel Credential Guard Hypervisor Hardware Windows Kernel Apps VirtualTPM Hyper-Visor CodeIntegrity
Information Protection
Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
Classic Data Protection API Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion: OS greatly helps us to protect secrets
Cached Logons: It used to be like this… Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
Cached Logons There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
Learning Points for Secured Idenities Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
Threat Resistance
Lack of SMB Signing (or alternative) Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
SMB2/3 client and SMB2/3 server signing settings Setting Group Policy Setting Registry Key Required * Digitally sign communications (always) – Enabled RequireSecuritySignature = 1 Not Required ** Digitally sign communications (always) – Disabled RequireSecuritySignature = 0 * The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”. ** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”. Server – Required Server – Not Required Client – Required Signed Signed Client – Not Required Signed* Not Signed** Effective behavior for SMB2/3: * Default for Domain Controller SMB traffic. ** Default for all other SMB traffic.
Allowing unusual code execution Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
Old protocols or their default settings
Secured Devices
Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrative account, use gMSA
IIS Configuration In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider CNG stores shared private keys in the %ALLUSERSPROFILE%Application DataMicrosoftCryptoKeys Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Are managed by Windows Process Activation Service that knows how to read secrets Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s security on Machine Keys (Local System)
Secured Devices vs. Trusting solutions without knowing how to break them Key learning points: ✓ The best operators won't use a component until they know how it breaks ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
Reason 1: Security is both a Reality and Feeling For End User Security is a feeling Success lies in influencing the “feeling” of security
Reason 2: Not every attack(er) is that smart Control efficiency Risk severity/ Attacker Smartness/ Attack Efficiency Technology & Processes Awareness & Competence Automatic security controls – AV, Updates Technology + Human – Firewall configuration, Choosing a secure Wifi Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media The very smart attacker 1 2 3 4 People exaggerate risks that are spectacular or uncommon
Reason 3: Technology…yes, but humans… of course! Aircrafts have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for it’s machines or the doctors?
InformationSecurityFramework GovernanceManagement Context and Leadership Information Security Charter Culture and Awareness Information Security Organizational Structure Prevention Identity and Access Management Identity Security Data Security Hardware Asset Management Data Security & Privacy Infrastructure Security Network Security Evaluation and Direction Security Risk Management Security Strategy and Communication Security Policies Endpoint Security Malicious Code Application Security Cloud Security Vulnerability Management Cryptography Management Physical Security HR Security HR Security Change and Support Configuration and Change Management Vendor Management Compliance, Audit, and Review Security Compliance Management External Security Audit Internal Security Audit Management Review of Security Detection Security Threat Detection Log and Event Management Measurement Metrics Program Continuous Improvement Response and Recovery Security Incident Management Information Security in BCM Security eDiscovery and Forensics Backup and Recovery A best-of-breed security framework
Security framework should integrate several best practices to create a best-of-breed security framework ISO 27000 series CIS – Critical Security Controls COBIT 5 NIST SP800- 53 SECURITY FRAMEWORK Comprehensive standard providing best practices associated with each control Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations Comprised of a concise list of 20 controls and sub- controls for actionable cyber defence A process and principle structured security best practice framework Best-of-Breed Information Security Framework
Summary: Cybersecurity Questions
The 11 key cyber security questions 1. Do we treat cyber security as a business or IT responsibility? 2. Do our security goals align with business priorities? 3. Have we identified and protected our most valuable processes and information? 4. Does our business culture support a secure cyber environment? 5. Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.) 6. Do we focus on security compliance or security capability? 7. Are we certain our third-party partners are securing our most valuable information? 8. Do we regularly evaluate the effectiveness of our security? 9. Are we vigilant and do we monitor our systems and can we prevent breaches? 10.Do we have an organized plan for responding to a security breach? 11.Are we adequately resourced and insured?
Summary: Technologies
1: Privileged Access Management Access Monitoring / Effective Access We need to know about who and where has access to Access should be role driven
2: Incident Response Plan Action list In case of emergency situation: allows to act reasonably and according to the plan Increases chances that evidence is gathered properly Allows to define responsibilities for recovery Discussions provide management with understanding of security Jump Bag: preserving evidence Disk data: Disk2VHD, WinDD, FTK Imager Memory dumps: DumpIT, Mdd, Mandiant tools, LiME, OSXPMem Centralization of the event logs Pre-incident steps: use Sysmon for better knowledge about processes and network
3: Whitelisting Code execution prevention It is an absolute necessity taking into consideration the current security trends PowerShell is a new hacking tool Scripting languages are the biggest threat Ransomware can be in a form of PowerShell script Just Enough Administration: PowerShell should be blocked for users and limited for helpdesk to use the necessary commands It is necessary to know what executes on your servers Sysmon is perfect for this AppLocker / DeviceGuard in the audit mode
4: Hardware-based Credentials Protection Virtual Secure Mode (VSM) VSM isolates sensitive Windows processes in a hardware based Hyper-V container VSM protects VSM kernel and Trustlets even if Windows Kernel is fully compromised Requires processor virtualization extensions (e.g.: VT-X, VT-D) Implements Credential Guard where derived credentials that VSM protected LSA Service gives to Windows are non-replayable VSM runs the Windows Kernel and a series of Trustlets (Processes) within it
5: Automation Level Master PowerShell implements great automation (and hacking tool) Some solutions are managed by Powershell only (Nano, IoT) Experience shows that administrators try to avoid it – especially these ones with great experience There are so many custom modules available: PowerForensics, AccessControl etc. You can create your own customized modules
6: Testing Yourself When You Can
Retina Enterprise Vulnerability Management Alex DaCosta BeyondTrust
RETINA VULNERABILITY MANAGEMENT POWERBROKER PRIVILEGED ACCOUNT MANAGEMENT 59 PRIVILEGE MANAGEMENT ACTIVE DIRECTORY BRIDGING PRIVLEGED PASSWORD MANAGEMENT AUDITING & PROTECTION ENTERPRISE VULNERABILITY MANAGEMENT BEYONDSAAS CLOUD-BASED SCANNING NETWORK SECURITY SCANNER WEB SECURITY SCANNER BEYONDINSIGHT CLARITY THREAT ANALYTICS BEYONDINSIGHT IT RISK MANAGEMENT PLATFORM EXTENSIVE REPORTING CENTRAL DATA WAREHOUSE ASSET DISCOVERY ASSET PROFILING ASSET SMART GROUPS USER MANAGEMENT WORKFLOW & NOTIFICATION THIRD-PARTY INTEGRATION
Demo
Quick Poll + Q&A Time Thank you for attending!

Recomendados

The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsBeyondTrust
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis AlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingAlienVault
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 

Recomendados

The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsBeyondTrust
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis SIEM 101: Get a Clue About IT Security Analysis
SIEM 101: Get a Clue About IT Security Analysis AlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingAlienVault
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxArrow ECS UK
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
20 Security Controls for the Cloud
20 Security Controls for the Cloud20 Security Controls for the Cloud
20 Security Controls for the CloudNetStandard
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
How to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMHow to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Firewall Monitoring 1.1 Security Use Case Guide
Firewall Monitoring 1.1 Security Use Case Guide Firewall Monitoring 1.1 Security Use Case Guide
Firewall Monitoring 1.1 Security Use Case Guide Protect724manoj
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSAlienVault
 
Creating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVaultCreating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVaultAlienVault
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...Symantec
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementBeyondTrust
 

Más contenido relacionado

La actualidad más candente

Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safeJens Albrecht
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint SecurityBurak DAYIOGLU
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxArrow ECS UK
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
20 Security Controls for the Cloud
20 Security Controls for the Cloud20 Security Controls for the Cloud
20 Security Controls for the CloudNetStandard
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
How to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMHow to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Firewall Monitoring 1.1 Security Use Case Guide
Firewall Monitoring 1.1 Security Use Case Guide Firewall Monitoring 1.1 Security Use Case Guide
Firewall Monitoring 1.1 Security Use Case Guide Protect724manoj
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM AlienVault
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSAlienVault
 
Creating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVaultCreating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVaultAlienVault
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...Symantec
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 

La actualidad más candente (20)

Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Privileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safePrivileged Account Management - Keep your logins safe
Privileged Account Management - Keep your logins safe
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Redefining Endpoint Security
Redefining Endpoint SecurityRedefining Endpoint Security
Redefining Endpoint Security
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
Introduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptxIntroduction to Symantec Endpoint Management75.pptx
Introduction to Symantec Endpoint Management75.pptx
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
20 Security Controls for the Cloud
20 Security Controls for the Cloud20 Security Controls for the Cloud
20 Security Controls for the Cloud
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
How to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMHow to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USM
 
Firewall Monitoring 1.1 Security Use Case Guide
Firewall Monitoring 1.1 Security Use Case Guide Firewall Monitoring 1.1 Security Use Case Guide
Firewall Monitoring 1.1 Security Use Case Guide
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
IDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDSIDS for Security Analysts: How to Get Actionable Insights from your IDS
IDS for Security Analysts: How to Get Actionable Insights from your IDS
 
Creating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVaultCreating Correlation Rules in AlienVault
Creating Correlation Rules in AlienVault
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 

Similar a Tips to Remediate your Vulnerability Management Program

Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementBeyondTrust
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討Timothy Chen
 
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsBeyondTrust
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesAmazon Web Services
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczPaula Januszkiewicz
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Amazon Web Services
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud SecurityMongoDB
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise MongoDB
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Adnene Guabtni
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesInformation Technology
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS VulnerabilitiesSecurityTube.Net
 

Similar a Tips to Remediate your Vulnerability Management Program (20)

Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Securing DevOps through Privileged Access Management
Securing DevOps through Privileged Access ManagementSecuring DevOps through Privileged Access Management
Securing DevOps through Privileged Access Management
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
 
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best Pratices
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
rsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewiczrsa-usa-2019-keynote-paula-januszkiewicz
rsa-usa-2019-keynote-paula-januszkiewicz
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
Enterprise Cloud Security
Enterprise Cloud SecurityEnterprise Cloud Security
Enterprise Cloud Security
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise Securing Your Enterprise Web Apps with MongoDB Enterprise
Securing Your Enterprise Web Apps with MongoDB Enterprise
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
 
Microsoft Operating System Vulnerabilities
Microsoft Operating System VulnerabilitiesMicrosoft Operating System Vulnerabilities
Microsoft Operating System Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 

Más de BeyondTrust

10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access ManagementBeyondTrust
 
5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)BeyondTrust
 
Unearth Active Directory Threats Before They Bury Your Enterprise
Unearth Active Directory Threats Before They Bury Your EnterpriseUnearth Active Directory Threats Before They Bury Your Enterprise
Unearth Active Directory Threats Before They Bury Your EnterpriseBeyondTrust
 
8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin PrivilegesBeyondTrust
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementBeyondTrust
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?BeyondTrust
 
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares AboutUnix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares AboutBeyondTrust
 
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)BeyondTrust
 
Mitigating Risk in Aging Federal IT Systems
Mitigating Risk in Aging Federal IT SystemsMitigating Risk in Aging Federal IT Systems
Mitigating Risk in Aging Federal IT SystemsBeyondTrust
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskBeyondTrust
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...BeyondTrust
 
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsHow Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsBeyondTrust
 
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation AttacksUsing Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation AttacksBeyondTrust
 
Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)BeyondTrust
 
Enemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessEnemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessBeyondTrust
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy BeyondTrust
 
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...BeyondTrust
 
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...BeyondTrust
 
The Hacker Playbook: How to Think Like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think Like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think Like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think Like a Cybercriminal to Reduce RiskBeyondTrust
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointBeyondTrust
 

Más de BeyondTrust (20)

10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management
 
5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)
 
Unearth Active Directory Threats Before They Bury Your Enterprise
Unearth Active Directory Threats Before They Bury Your EnterpriseUnearth Active Directory Threats Before They Bury Your Enterprise
Unearth Active Directory Threats Before They Bury Your Enterprise
 
8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access Management
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
 
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares AboutUnix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
 
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
 
Mitigating Risk in Aging Federal IT Systems
Mitigating Risk in Aging Federal IT SystemsMitigating Risk in Aging Federal IT Systems
Mitigating Risk in Aging Federal IT Systems
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
 
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsHow Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
 
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation AttacksUsing Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
 
Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)
 
Enemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessEnemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling Access
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
 
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
 
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...
Managing Unix Accounts in Today's Complex World: Stop the Shadow IT and Be Mo...
 
The Hacker Playbook: How to Think Like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think Like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think Like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think Like a Cybercriminal to Reduce Risk
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the Endpoint
 

Último

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 

Último (20)

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 

Tips to Remediate your Vulnerability Management Program

  • 1. Tips to Remediate Your Vulnerability Management Program Paula Januszkiewicz CQURE: CEO, Cybersecurity Expert CQURE Academy: Trainer MVP: Enterprise Security Microsoft Regional Director (not working at Microsoft ;)) www.cqureacademy.com paula@cqure.us @CQUREAcademy @paulaCQURE CONSULTING
  • 2.
  • 3. What does CQURE do? CQURE Consulting: Extensive IT Security Audits and Penetration Tests of all kinds Configuration Audit and Architecture Design Social Engineering Tests Advanced Troubleshooting and Debugging Data Analysis Emergency Response Services R&D & Publications CQURE Academy (education): 40 authored deep – dive trainings Technical education offline (mainly in New York or via our partners worldwide) Technical education online (over 1 million views) Management security awareness training series
  • 4.
  • 5. Awareness >> Behavior >> Culture must aim for a responsible security culture.
  • 6. I know the traffic rules…. Awareness comes with experience I know the traffic rules….
  • 7. Does it guarantee that I am a good driver? Behavior comes with awareness
  • 8. Culture comes with understanding
  • 9. We have the best security solutions…
  • 10. …but the security landscape has changed.
  • 11. Unmanaged & Mobile Clients Sensitive Workloads Cybersecurity Reference Architecture Intranet Extranet Azure Key Vault Azure Security Center • Security Hygiene • Threat Detection System Management + Patching - SCCM + Intune Microsoft Azure On Premises Datacenter(s) NGFW IPS DLP SSL Proxy Nearly all customer breaches Microsoft’s Incident Response team investigates involve credential theft 63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 DBR) IaaS/Hoster $ Windows 10 EPP - Windows Defender Office 365 ATP • Email Gateway • Anti-malware EDR - Windows Defender ATPMac OS Multi-Factor Authentication MIM PAMAzure App Gateway Network Security Groups Windows Information Protection AAD PIM Azure Antimalware Disk & Storage Encryption Endpoint DLP Shielded VMs SQL Encryption & Firewall Hello for Business Azure Information Protection (AIP) • Classification • Labelling • Encryption • Rights Management • Document Tracking • Reporting Enterprise Servers VPN VPN Domain Controllers VMs VMs Certification Authority (PKI) Incident Response Vulnerability Management Enterprise Threat Detection Analytics Managed Security Provider OMS ATA SIEM Security Operations Center (SOC) Logs & Analytics Active Threat Detection Hunting Teams Investigation and Recovery WEF SIEM Integration IoT Identity & Access 80% + of employees admit using non-approved SaaS apps for work (Stratecast, December 2013) UEBA Windows 10 Security • Secure Boot • Device Guard • Credential Guard • Remote Credential Guard • Windows Hello Managed Clients Legacy Windows Office 365 Security Appliances Intune MDM/MAM Conditional Access Cloud App Security Information Protection Windows Server 2016 Security Secure Boot, Nano Server, Just Enough Admin, Device Guard, Credential Guard, Remote Credential Guard, Hyper-V Containers, … Software as a Service Analytics & Reporting ATA Privileged Access Workstations Internet of Things ASM Lockbox Admin Forest
  • 12. According to the industry’s statistics, by 2019 the market will need 6 mln security professionals. But only 4 to 5 million of them will have the needed qualifications. *Source: Financial Times
  • 13. SECURITY IN THE ENTERPRISE = ORGANIZATIONAL PROCEDURES WE FOLLOW + VULNERABILITY MANAGEMENT + INSECURE CONFIGURATION MANAGEMENT
  • 14. And here come some statistics… *Based on Trustwave Global Security Report 2013/2014
  • 16. Security Scopes DEFENDING AGAINST MODERN SECURITY THREATS SECURED DEVICES SECURED IDENTITIES INFORMATION PROTECTION THREAT RESISTANCE
  • 18. What is the most successful path for the attack right now?
  • 19. :) THE ANATOMY OF AN ATTACK Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
  • 20. HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs :) Healthy Computer User Receives Email User Lured to Malicious Site Device Infected with Malware
  • 21. User Lured to Malicious Site Device Infected with Malware HelpDesk Logs into Device Identity Stolen, Attacker Has Increased Privs ceives il
  • 22.
  • 24. User: Adm... Hash:E1977 Fred’s Laptop Fred’s User Session User: Fred Password hash: A3D7… Sue’s Laptop Sue’s User Session Pass-The-Hash Technique Malware Session User: Administrator Password hash: E1977… Malware User Session User: Adm… Hash: E1977 User: Sue Hash: C9DF User: Sue Password hash: C9DF… File Server User: Sue Hash:C9DF 1 3 4 1. FRED RUNS MALWARE, HE IS A LOCAL ADMINISTRATOR 2. THERE IS A PASS THE HASH SESSION ESTABLISHED WITH ANOTHER COMPUTER 3. MALWARE INFECTS SUE’S LAPTOP AS FRED 4. MALWARE INFECTS FILE SERVER AS SUE 2
  • 25. Virtual Secure Mode Virtual Secure Mode (VSM) Kernel Credential Guard Hypervisor Hardware Windows Kernel Apps VirtualTPM Hyper-Visor CodeIntegrity
  • 27. Class names for keys from HKLMSYSTEMCCSControlLsa HKLMSECURITYCache HKLMSECURITYPolicySecrets HKLMSECURITYPolicySecrets
  • 28. Classic Data Protection API Based on the following components: Password, data blob, entropy Is not prone to password resets! Protects from outsiders when being in offline access Effectively protects users data Stores the password history You need to be able to get access to some of your passwords from the past Conclusion: OS greatly helps us to protect secrets
  • 29. Cached Logons: It used to be like this… Before the attacks facilitated by pass-the-hash, we can only rejoice the "salting" by the username. There are a number pre-computed tables for users as Administrator facilitating attacks on these hashes.
  • 30. Cached Logons There is actually not much of a difference with XP / 2003! No additional salting. PBKDF2 introduced a new variable: the number of iterations SHA1 with the same salt as before (username).
  • 31. Learning Points for Secured Idenities Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
  • 33. Lack of SMB Signing (or alternative) Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
  • 34. SMB2/3 client and SMB2/3 server signing settings Setting Group Policy Setting Registry Key Required * Digitally sign communications (always) – Enabled RequireSecuritySignature = 1 Not Required ** Digitally sign communications (always) – Disabled RequireSecuritySignature = 0 * The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”. ** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”. Server – Required Server – Not Required Client – Required Signed Signed Client – Not Required Signed* Not Signed** Effective behavior for SMB2/3: * Default for Domain Controller SMB traffic. ** Default for all other SMB traffic.
  • 35. Allowing unusual code execution Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
  • 36. Old protocols or their default settings
  • 38. Services Store configuration in the registry Always need some identity to run the executable! Local Security Authority (LSA) Secrets Must be stored locally, especially when domain credentials are used Can be accessed when we impersonate to Local System Their accounts should be monitored If you cannot use gMSA, MSA, use subscription for svc_ accounts (naming convention) Conclusion: Think twice before using an Administrative account, use gMSA
  • 39. IIS Configuration In contrast to the earlier IIS versions, IIS 10.0 is set to use two new Cryptography API: Next Generation (CNG) providers by default: IISWASOnlyCngProvider and IISCngProvider. We still have: IISWASOnlyRsaProvider, AesProvider, IISWasOnlyAesProvider and RsaProtectedConfigurationProvider, DataProtectionConfigurationProvider CNG stores shared private keys in the %ALLUSERSPROFILE%Application DataMicrosoftCryptoKeys Worker Processes (w3wp.exe) Their identity is defined in Application Pool settings Are managed by Windows Process Activation Service that knows how to read secrets Passwords for AppPool identity can be ’decrypted’ even offline They are stored in the encrypted form in applicationHost.config Conclusion: IIS relies it’s security on Machine Keys (Local System)
  • 40. Secured Devices vs. Trusting solutions without knowing how to break them Key learning points: ✓ The best operators won't use a component until they know how it breaks ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
  • 41.
  • 42. Reason 1: Security is both a Reality and Feeling For End User Security is a feeling Success lies in influencing the “feeling” of security
  • 43. Reason 2: Not every attack(er) is that smart Control efficiency Risk severity/ Attacker Smartness/ Attack Efficiency Technology & Processes Awareness & Competence Automatic security controls – AV, Updates Technology + Human – Firewall configuration, Choosing a secure Wifi Human – Recognizing a zero day attack, Phishing mails, Not posting business information in social media The very smart attacker 1 2 3 4 People exaggerate risks that are spectacular or uncommon
  • 44. Reason 3: Technology…yes, but humans… of course! Aircrafts have become more advanced, but does it mean that pilot training requirements have reduced? Medical technology has become more advanced, but will you choose a hospital for it’s machines or the doctors?
  • 45. InformationSecurityFramework GovernanceManagement Context and Leadership Information Security Charter Culture and Awareness Information Security Organizational Structure Prevention Identity and Access Management Identity Security Data Security Hardware Asset Management Data Security & Privacy Infrastructure Security Network Security Evaluation and Direction Security Risk Management Security Strategy and Communication Security Policies Endpoint Security Malicious Code Application Security Cloud Security Vulnerability Management Cryptography Management Physical Security HR Security HR Security Change and Support Configuration and Change Management Vendor Management Compliance, Audit, and Review Security Compliance Management External Security Audit Internal Security Audit Management Review of Security Detection Security Threat Detection Log and Event Management Measurement Metrics Program Continuous Improvement Response and Recovery Security Incident Management Information Security in BCM Security eDiscovery and Forensics Backup and Recovery A best-of-breed security framework
  • 46. Security framework should integrate several best practices to create a best-of-breed security framework ISO 27000 series CIS – Critical Security Controls COBIT 5 NIST SP800- 53 SECURITY FRAMEWORK Comprehensive standard providing best practices associated with each control Provides a detailed list of security controls along with many implementation best practices intended for US federal information systems and organizations Comprised of a concise list of 20 controls and sub- controls for actionable cyber defence A process and principle structured security best practice framework Best-of-Breed Information Security Framework
  • 48. The 11 key cyber security questions 1. Do we treat cyber security as a business or IT responsibility? 2. Do our security goals align with business priorities? 3. Have we identified and protected our most valuable processes and information? 4. Does our business culture support a secure cyber environment? 5. Do we have the basics right? (For example, access rights, software patching, vulnerability management and data leakage prevention.) 6. Do we focus on security compliance or security capability? 7. Are we certain our third-party partners are securing our most valuable information? 8. Do we regularly evaluate the effectiveness of our security? 9. Are we vigilant and do we monitor our systems and can we prevent breaches? 10.Do we have an organized plan for responding to a security breach? 11.Are we adequately resourced and insured?
  • 50. 1: Privileged Access Management Access Monitoring / Effective Access We need to know about who and where has access to Access should be role driven
  • 51. 2: Incident Response Plan Action list In case of emergency situation: allows to act reasonably and according to the plan Increases chances that evidence is gathered properly Allows to define responsibilities for recovery Discussions provide management with understanding of security Jump Bag: preserving evidence Disk data: Disk2VHD, WinDD, FTK Imager Memory dumps: DumpIT, Mdd, Mandiant tools, LiME, OSXPMem Centralization of the event logs Pre-incident steps: use Sysmon for better knowledge about processes and network
  • 52. 3: Whitelisting Code execution prevention It is an absolute necessity taking into consideration the current security trends PowerShell is a new hacking tool Scripting languages are the biggest threat Ransomware can be in a form of PowerShell script Just Enough Administration: PowerShell should be blocked for users and limited for helpdesk to use the necessary commands It is necessary to know what executes on your servers Sysmon is perfect for this AppLocker / DeviceGuard in the audit mode
  • 53. 4: Hardware-based Credentials Protection Virtual Secure Mode (VSM) VSM isolates sensitive Windows processes in a hardware based Hyper-V container VSM protects VSM kernel and Trustlets even if Windows Kernel is fully compromised Requires processor virtualization extensions (e.g.: VT-X, VT-D) Implements Credential Guard where derived credentials that VSM protected LSA Service gives to Windows are non-replayable VSM runs the Windows Kernel and a series of Trustlets (Processes) within it
  • 54. 5: Automation Level Master PowerShell implements great automation (and hacking tool) Some solutions are managed by Powershell only (Nano, IoT) Experience shows that administrators try to avoid it – especially these ones with great experience There are so many custom modules available: PowerForensics, AccessControl etc. You can create your own customized modules
  • 55. 6: Testing Yourself When You Can
  • 56.
  • 57.
  • 59. RETINA VULNERABILITY MANAGEMENT POWERBROKER PRIVILEGED ACCOUNT MANAGEMENT 59 PRIVILEGE MANAGEMENT ACTIVE DIRECTORY BRIDGING PRIVLEGED PASSWORD MANAGEMENT AUDITING & PROTECTION ENTERPRISE VULNERABILITY MANAGEMENT BEYONDSAAS CLOUD-BASED SCANNING NETWORK SECURITY SCANNER WEB SECURITY SCANNER BEYONDINSIGHT CLARITY THREAT ANALYTICS BEYONDINSIGHT IT RISK MANAGEMENT PLATFORM EXTENSIVE REPORTING CENTRAL DATA WAREHOUSE ASSET DISCOVERY ASSET PROFILING ASSET SMART GROUPS USER MANAGEMENT WORKFLOW & NOTIFICATION THIRD-PARTY INTEGRATION
  • 60. Demo
  • 61. Quick Poll + Q&A Time Thank you for attending!