QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting SANS TOP 20 Critical Controls
1. QualysGuard Security & Compliance Suite supporting SANS TOP 20 Critical Controls
Marek Skalicky, CISM, CRISC, Managing Director for Central Eastern Europe
Qualys GmbH, September 2013
2. SANS TOP-20 Critical Security Controls
Critical Controls for Effective Cyber Defense
To secure against cyber attacks, organizations must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised. Two guiding principles are: "Prevention is ideal but detection is a must" and "Offense informs defense."
The Goal of the Critical Controls
The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.
Strong emphasis on "What really Works" - security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness.
3. SANS TOP-20 Critical Security Controls
Brief History of TOP-20 CSC
• In 2008, the Office of the Secretary of Defense asked the National Security Agency for help in prioritizing the myriad security controls that were available for cybersecurity, with strong emphasis on "What really Works".
• The request went to NSA because NSA best understood how cyber attacks worked and which attacks were used most frequently.
• A consortium of U.S. and international cyberdefense agencies quickly grew, and was joined by experts from private industry and around the globe.
• Surprisingly, the clear consensus of the consortium was that there were only 20 Critical Controls that addressed the most prevalent attacks found in government and industry. This then became the focus for an initial draft document. The draft of the 20 Critical Controls was circulated in 2009 to several hundred IT and security organizations for further review and comment.
• Over 50 organizations commented on the draft. They endorsed the concept of a focused set of controls and the selection of the 20 Critical Controls.
• Last release - Version 4.1, March 2013
4. SANS TOP-20 Critical Security Controls
The five critical principles of an effective cyber defense system, as reflected in the Critical Controls, are:
1. Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
2. Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
4. Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
5. Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.
5. SANS TOP-20 Critical Security Controls
Critical Security Controls key consortium members (US Federal agencies)
7. Qualys solution for Very-High to Mid-High SANS Critical Controls
(Matrix slide mapping each control to the supporting QualysGuard modules; only the module badges survived extraction: Vulnerability Management (VM), Policy Compliance (PC), PCI Compliance (PCI), Web Application Scanning (WAS).)
8. CC1: Inventory of Authorized and Unauthorized Devices
Goal: Effective asset management ensures that assets are discovered, registered, classified, and protected from attackers who exploit vulnerable systems accessible via the Internet.
How QualysGuard supports this:
• VM gives full asset visibility over live devices with network mapping: size of network, machine types, location
• VM detects authorized and unauthorised devices (authorized / unauthorized)
• VM offers full support for automation: scans are scheduled (continuous, daily, weekly etc.); delta reports for changes; alerting, ticketing; API for integration, for example with asset management tools
Modules: Vulnerability Management (VM)
9. CC1: Inventory of Authorized and Unauthorized Devices
Modules: Vulnerability Management (VM)
10. CC2: Inventory of Authorized and Unauthorized Software
Goal: Effective software management ensures that software is discovered, registered, classified, and protected from attackers who exploit vulnerable software.
How QualysGuard supports this:
• VM & POL give full software visibility with scanning: operating systems, applications, versions, patch level
• VM & POL give blacklisting of unauthorised software and services
• VM & POL give whitelisting of authorised software and services
• VM provides interactive search
• VM & POL offer full support for automation: scheduled scans & reports; email reports; alerting on exceptions; ticketing; API for integration with asset management tools
Modules: Vulnerability Management (VM), Policy Compliance (PC)
11. CC2: Inventory of Authorized and Unauthorized Software
Modules: Vulnerability Management (VM), Policy Compliance (PC)
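The two inventory controls above (CC1 devices, CC2 software) both come down to reconciling what a scan actually sees against what the organization has registered, then turning the differences into delta reports and alerts. The following script is an added example written for this page, not Qualys code and not the QualysGuard API or report format; the authorized inventory, the two scan results and the blacklist/whitelist are constructed sample data, and the dict shapes are assumptions.

```python
"""Inventory reconciliation for CC1 (devices) and CC2 (software).

All data below is constructed for this example; the dict shapes are
assumptions, not the QualysGuard API or report format.
"""

# Constructed authorized device inventory, as an asset-management tool would hold it.
AUTHORIZED_DEVICES = {
    "10.0.1.10": {"name": "web01", "owner": "platform"},
    "10.0.1.11": {"name": "web02", "owner": "platform"},
    "10.0.1.20": {"name": "db01", "owner": "data"},
}

# Constructed results of two successive scheduled scans: live host -> OS and installed software.
SCAN_PREVIOUS = {
    "10.0.1.10": {"os": "Linux", "software": {"nginx": "1.24.0", "openssh": "9.3"}},
    "10.0.1.20": {"os": "Linux", "software": {"postgresql": "15.3", "telnetd": "0.17"}},
    "10.0.1.77": {"os": "Windows", "software": {"utorrent": "3.6"}},
}
SCAN_CURRENT = {
    "10.0.1.10": {"os": "Linux", "software": {"nginx": "1.24.0", "openssh": "9.3"}},
    "10.0.1.11": {"os": "Linux", "software": {"nginx": "1.24.0", "custom-agent": "1.0"}},
    "10.0.1.20": {"os": "Linux", "software": {"postgresql": "15.3", "telnetd": "0.17"}},
    "10.0.1.99": {"os": "Unknown", "software": {}},
}

# Constructed software policy: packages that must never be present (blacklist)
# and packages approved for server builds (whitelist).
BLACKLISTED_SOFTWARE = {"telnetd", "utorrent"}
WHITELISTED_SOFTWARE = {"nginx", "openssh", "postgresql"}


def classify_devices(scan, authorized):
    """Split live hosts into authorized and unauthorized (CC1); also list
    registered assets the scan did not see, which often means a stale record."""
    live = set(scan)
    registered = set(authorized)
    return {
        "authorized": sorted(live & registered),
        "unauthorized": sorted(live - registered),
        "missing": sorted(registered - live),
    }


def delta_report(previous, current):
    """Hosts that appeared or disappeared between two scheduled scans."""
    return {
        "new_hosts": sorted(set(current) - set(previous)),
        "gone_hosts": sorted(set(previous) - set(current)),
    }


def software_exceptions(scan, blacklist, whitelist):
    """Per-host blacklisted packages and packages outside the whitelist (CC2)."""
    findings = {}
    for ip, host in scan.items():
        installed = set(host["software"])
        blacklisted = sorted(installed & blacklist)
        unapproved = sorted(installed - whitelist - blacklist)
        if blacklisted or unapproved:
            findings[ip] = {"blacklisted": blacklisted, "unapproved": unapproved}
    return findings


def alerts(previous, current, authorized, blacklist, whitelist):
    """One line per exception, the shape an alerting or ticketing hook would consume."""
    lines = []
    for ip in classify_devices(current, authorized)["unauthorized"]:
        lines.append(f"ALERT unauthorized-device {ip}")
    for ip in delta_report(previous, current)["new_hosts"]:
        lines.append(f"INFO new-host {ip}")
    for ip, finding in software_exceptions(current, blacklist, whitelist).items():
        for pkg in finding["unapproved"]:
            lines.append(f"WARN unapproved-software {ip} {pkg}")
        for pkg in finding["blacklisted"]:
            lines.append(f"ALERT blacklisted-software {ip} {pkg}")
    return lines


if __name__ == "__main__":
    for line in alerts(SCAN_PREVIOUS, SCAN_CURRENT, AUTHORIZED_DEVICES,
                       BLACKLISTED_SOFTWARE, WHITELISTED_SOFTWARE):
        print(line)
```

Note the "missing" bucket: an asset that is registered but never seen by the scanner is as much an inventory exception as an unregistered live host, since it usually means a decommissioned box that nobody removed from the register or a host the scanner cannot reach.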
12. CC3: Secure Base Configuration
Goal: Effective configuration management ensures assets are configured based on industry standards and protected from attackers who find and exploit misconfigured systems.
How QualysGuard supports this:
• Configuration validation of each system
• Built-in controls catalogue: CIS, SCAP, FDCC
• User Defined Controls
• Golden image policy
• Reporting on deviation from the baseline
• With full support for automation: scheduled scans & reports; email reports; alerting on exceptions; ticketing; API for integration with GRC tools
Modules: Vulnerability Management (VM), Policy Compliance (PC)
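To make the CC3 slide concrete, here is an added example (written for this page; it is not Qualys code and not the Policy Compliance control format) of the two ways a baseline can be expressed and then evaluated: a catalogue-style policy with explicit expected values and operators, and a "golden image" policy derived from a reference build. The control IDs, operator vocabulary, host settings and the reference build are all constructed assumptions, not a CIS, SCAP or FDCC benchmark.

```python
"""Configuration baseline checks for CC3 (secure base configuration).

Everything here is constructed for this example: the control IDs, the
operator vocabulary and the host settings are assumptions, not a CIS, SCAP
or FDCC benchmark and not QualysGuard Policy Compliance's format.
"""
import operator

# Comparison operators a control may apply to the collected value.
OPS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "ge": operator.ge,
    "le": operator.le,
    "in": lambda value, allowed: value in allowed,
}

# Constructed catalogue-style controls (hypothetical IDs, CIS-like in spirit).
CATALOGUE_POLICY = [
    {"id": "CFG-001", "setting": "ssh.PermitRootLogin", "op": "eq", "expect": "no"},
    {"id": "CFG-002", "setting": "password.min_length", "op": "ge", "expect": 14},
    {"id": "CFG-003", "setting": "service.telnet", "op": "eq", "expect": "disabled"},
    {"id": "CFG-004", "setting": "audit.log_retention_days", "op": "ge", "expect": 90},
]

# Constructed reference build ("golden image") and two scanned hosts, as flat setting -> value maps.
GOLDEN_IMAGE = {
    "ssh.PermitRootLogin": "no",
    "password.min_length": 14,
    "service.telnet": "disabled",
    "audit.log_retention_days": 180,
    "ntp.server": "ntp.example.internal",
}
HOSTS = {
    "web01": {
        "ssh.PermitRootLogin": "no",
        "password.min_length": 16,
        "service.telnet": "disabled",
        "audit.log_retention_days": 365,
        "ntp.server": "ntp.example.internal",
    },
    "app07": {  # audit.log_retention_days was not collected on this host
        "ssh.PermitRootLogin": "yes",
        "password.min_length": 8,
        "service.telnet": "enabled",
        "ntp.server": "pool.ntp.org",
    },
}


def policy_from_golden_image(golden, prefix="GOLD"):
    """User-defined controls derived from a reference build: every setting must
    equal the golden value. Controls are numbered in sorted setting order."""
    return [
        {"id": f"{prefix}-{i:03d}", "setting": key, "op": "eq", "expect": value}
        for i, (key, value) in enumerate(sorted(golden.items()), start=1)
    ]


def evaluate(host_config, policy):
    """Evaluate one host against a policy. A setting the scan did not collect is
    reported as ERROR rather than silently passing."""
    results = []
    for control in policy:
        actual = host_config.get(control["setting"])
        if actual is None:
            status = "ERROR"
        elif OPS[control["op"]](actual, control["expect"]):
            status = "PASS"
        else:
            status = "FAIL"
        results.append({"id": control["id"], "setting": control["setting"],
                        "expected": control["expect"], "actual": actual, "status": status})
    return results


def deviation_report(hosts, policy):
    """Only the exceptions (FAIL or ERROR) per host: the input for alerting and ticketing."""
    report = {}
    for name, config in hosts.items():
        deviations = [r for r in evaluate(config, policy) if r["status"] != "PASS"]
        if deviations:
            report[name] = deviations
    return report


def compliance_score(hosts, policy):
    """Percentage of PASS results over all hosts and controls, a simple trend metric."""
    total = passed = 0
    for config in hosts.values():
        for result in evaluate(config, policy):
            total += 1
            passed += result["status"] == "PASS"
    return round(100.0 * passed / total, 1) if total else 100.0


if __name__ == "__main__":
    for host, deviations in deviation_report(HOSTS, CATALOGUE_POLICY).items():
        for d in deviations:
            print(f"{host} {d['id']} {d['status']} {d['setting']}: "
                  f"expected {d['expected']!r}, got {d['actual']!r}")
    print("compliance score:", compliance_score(HOSTS, CATALOGUE_POLICY))
```

The golden-image policy is deliberately stricter than the catalogue one: it flags web01's longer password minimum and longer log retention as deviations because they differ from the reference build, even though both exceed the catalogue threshold. Which of the two views you want depends on whether the goal is "meets the standard" or "matches the approved build".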
14. CC4: Continuous Vulnerability Assessment/Remediation
Goal: Effective vulnerability management will ensure that assets are monitored for vulnerabilities and are patched, upgraded or services disabled to protect from exploit code.
How QualysGuard supports this:
• Scheduled & on-demand vulnerability scanning
• Continuous vulnerability assessment
• Authenticated scanning
• Patch verification
• Report on unauthorized services
• With full support for automation: scheduled scans & reports; email reports; alerting on exceptions; ticketing with SLA metrics and confirmation; API for integration with IPS, SIEM etc.
Modules: Vulnerability Management (VM)
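The CC4 slide lists "patch verification" and "ticketing with SLA metrics and confirmation" as separate items, but they are one mechanism: a ticket should only be closed when a later scan no longer reports the finding, and SLA metrics are computed from that verified close date, not from when someone claimed to have patched. The following is an added example written for this page, not Qualys code and not QualysGuard's ticket schema; the severity scale, the SLA days, the "Q-n" vulnerability identifiers (placeholders, not real Qualys QIDs), the scan history and the ticket fields are all constructed assumptions.

```python
"""Remediation SLA metrics with scan-based patch verification for CC4.

Everything below is constructed for this example: the severity scale, the
SLA days, the "Q-n" vulnerability identifiers (placeholders, not real Qualys
QIDs) and the ticket fields are assumptions, not QualysGuard's schema.
"""
from datetime import date

# Constructed SLA: maximum days a finding of a given severity (1-5) may stay open.
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: 180}

# Constructed severity per vulnerability identifier.
SEVERITY = {"Q-1": 5, "Q-2": 5, "Q-3": 3, "Q-4": 2}

# Constructed weekly scan history: scan date -> set of (host, vuln) detections.
SCANS = {
    date(2013, 9, 2): {("web01", "Q-1"), ("web01", "Q-2"), ("db01", "Q-3"),
                       ("db01", "Q-4"), ("app07", "Q-1")},
    date(2013, 9, 9): {("web01", "Q-2"), ("db01", "Q-3"), ("db01", "Q-4"), ("app07", "Q-1")},
    date(2013, 9, 16): {("db01", "Q-3"), ("app07", "Q-1")},
}
AS_OF = date(2013, 9, 16)

# Constructed regression case: verified fixed, then detected again by a later scan.
REGRESSION_SCANS = {
    date(2013, 9, 2): {("fs01", "Q-3")},
    date(2013, 9, 9): set(),
    date(2013, 9, 16): {("fs01", "Q-3")},
}


def build_tickets(scans, severity):
    """One ticket per (host, vuln). It opens on first detection and is closed
    only when a later scan no longer reports the finding; that scan is the
    confirmation step. A finding that reappears after verification reopens
    its ticket with a fresh clock and a reopen count."""
    tickets = {}
    for scan_date in sorted(scans):
        seen = scans[scan_date]
        for key in seen:
            ticket = tickets.get(key)
            if ticket is None:
                tickets[key] = {"host": key[0], "vuln": key[1], "severity": severity[key[1]],
                                "opened": scan_date, "verified_fixed": None, "reopened": 0}
            elif ticket["verified_fixed"] is not None:
                ticket["opened"] = scan_date
                ticket["verified_fixed"] = None
                ticket["reopened"] += 1
        for key, ticket in tickets.items():
            if ticket["verified_fixed"] is None and key not in seen:
                ticket["verified_fixed"] = scan_date
    return tickets


def sla_status(ticket, as_of, sla_days):
    """Classify a ticket against its severity's SLA as of a reporting date."""
    allowed = sla_days[ticket["severity"]]
    end = ticket["verified_fixed"] or as_of
    age = (end - ticket["opened"]).days
    if ticket["verified_fixed"] is not None:
        return "fixed-in-sla" if age <= allowed else "fixed-late"
    return "open-overdue" if age > allowed else "open"


def metrics(scans, severity, sla_days, as_of):
    """SLA buckets plus mean days to verified remediation."""
    tickets = build_tickets(scans, severity)
    buckets = {"open": [], "open-overdue": [], "fixed-in-sla": [], "fixed-late": []}
    for key, ticket in tickets.items():
        buckets[sla_status(ticket, as_of, sla_days)].append(key)
    fixed = [t for t in tickets.values() if t["verified_fixed"] is not None]
    result = {name: sorted(keys) for name, keys in buckets.items()}
    result["mean_days_to_remediate"] = (
        round(sum((t["verified_fixed"] - t["opened"]).days for t in fixed) / len(fixed), 1)
        if fixed else None)
    return result


if __name__ == "__main__":
    for name, value in metrics(SCANS, SEVERITY, SLA_DAYS, AS_OF).items():
        print(f"{name}: {value}")
```

One consequence of verifying by scan is that the measured remediation time is quantized to the scan interval: a weekly schedule cannot show a severity-5 fix inside a 7-day SLA unless the finding is gone by the very next scan, which is an argument for the continuous and on-demand scanning the slide also lists.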
16. CC5: Malware Defenses
Goal: The processes and tools used to detect/prevent/correct installation and execution of malicious software on all devices.
How QualysGuard supports this:
• Vulnerability scan can detect installed malware by running malicious services
• Authenticated vulnerability scan can detect installed malware in file-system and registries
• Vulnerability report will report discovered malware
• Web application scan now contains a malware detection scan for web applications
• Static signatures and behavioural analysis of HTML code
• Malware scan of web apps prevents clients from being infected by corporate web sites
Modules: Vulnerability Management (VM), Policy Compliance (PC), PCI Compliance (PCI), Web Application Scanning (WAS)
18. CC6: Application Software Security
Goal: Effective application security ensures that developed and 3rd-party delivered applications are protected from attackers who inject specific exploits to gain control over vulnerable machines.
How QualysGuard supports this:
• Scheduled & on-demand web application scanning
• OWASP TOP-10 and WASC TOP-10 vulnerabilities supported
• Web application discovery (web crawling)
• User authentication support
• Fully unattended and automated
• Part of development lifecycle
• With full support for automation: scheduled scans & reports; ticketing with SLA metrics and confirmation; API for integration with WAF
• WAF provides active protection of corporate data and reputation provided via web application interface
• Prevention with WAS and protection with WAF available in the same UI and integrated security suite
Modules: Vulnerability Management (VM), Policy Compliance (PC), PCI Compliance (PCI), Web Application Scanning (WAS)
19. CC6: Application Software Security
Modules: Vulnerability Management (VM), Policy Compliance (PC), PCI Compliance (PCI), Web Application Scanning (WAS), Malware Detection Service (MDS)
20. CC7: Wireless Device Control
Goal: The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems.
How QualysGuard supports this:
• VM network mapping can discover wireless hotspots, segments and wireless devices connected via IP ranges.
• VM vulnerability scanning can discover over 30 vulnerabilities specific to various wireless hotspot platforms and vendors
• API integration with AirTight Wireless Security Appliance provides integrated reporting
Modules: Vulnerability Management (VM)
22. SANS TOP 20 Critical Controls - REMINDER
QualysGuard Security and Compliance Suite delivers High and Very High effect on Cyber-Attack Mitigation!