Engineering better security

[Figure: Security Data & Analytics, positioned between IT Control & Visibility ("vastly expanding attack surface") and Attacker Sophistication & Reach ("weaponization of cyber attacks"), both growing over time.]

Controlling security risk: the vulnerability management system

Know Your Network. Manage Risk Effectively. Simplify Your Compliance.

Confidential and Proprietary

Understanding business requirements: RealContext™
• Automatic classification
• Define asset criticality
• Assign owners for remediation and for assets

Adaptive security: attack exposure management
• Automatically discover new assets as they join the network (via DHCP)
• Track changes in the risk of network and information assets (VMware)
• Know all external assets

Discovery sources shown: DHCP, VMware, Mobile, AWS, Sonar Labs integration

Adaptive security: emergent threats
• Automatically scan the entire network
• Automatically trigger scan tasks based on configured search criteria, such as CVSS score
• No manual intervention required

Zero Day

Automated workflows

TRIGGER: Discover asset via DHCP (when a new asset is discovered)
ACTION: Scan asset for vulnerabilities
ACTION: Assign high criticality tag (if asset has risk score > 500)
ACTION: Create ticket in ServiceNow (if asset is a Windows server)

New Intuitive User Interface
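The trigger/action chain above is all the slide specifies. As an added example (not Rapid7 code), here is a minimal event-driven implementation in Python: it parses ISC dhcpd DHCPACK syslog lines to spot assets not yet in inventory, "scans" them against a constructed result table standing in for the scanner API, and applies the two conditional actions, so a renewed lease for a known device triggers nothing while a new Windows server gets scanned, tagged and ticketed. The log lines, the scan results, the 100-points-per-CVSS-point risk score and the ticket field names are all assumptions for the demo, not the product's formats.

```python
"""Event-driven vulnerability-management workflow (added example, not Rapid7 code).

Trigger: a new asset appears in ISC dhcpd syslog output.
Actions: scan it, tag it 'high-criticality' if its risk score exceeds 500,
and open a ServiceNow-style ticket if it is a Windows server.
Scan results and the risk-score formula are constructed for the demo."""
import re
from dataclasses import dataclass, field

# ISC dhcpd logs a lease as: "DHCPACK on 10.1.86.49 to 00:0c:29:ab:cd:ef (host) via eth0"
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed scan results keyed by IP: (os, [(cve, cvss), ...]). A real
# deployment would call the scanner's API here.
FAKE_SCANNER = {
    "10.1.86.49": ("Windows Server 2012 R2", [("CVE-2014-6324", 9.0), ("CVE-2015-1635", 10.0)]),
    "10.1.86.50": ("Ubuntu 14.04", [("CVE-2015-0235", 10.0)]),
    "10.1.86.51": ("Printer firmware", []),
}

@dataclass
class Asset:
    ip: str
    mac: str
    host: str
    os: str = ""
    vulns: list = field(default_factory=list)
    tags: set = field(default_factory=set)
    tickets: list = field(default_factory=list)

    def risk_score(self) -> int:
        # Constructed scoring: 100 points per CVSS point, so a single CVSS 10
        # finding already crosses the slide's ">500" threshold.
        return int(sum(cvss * 100 for _, cvss in self.vulns))

def parse_dhcp_line(line: str):
    """Return (ip, mac, host) for a DHCPACK line, else None."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m["ip"], m["mac"], m["host"] or ""

def scan_asset(asset: Asset) -> None:
    os_name, vulns = FAKE_SCANNER.get(asset.ip, ("unknown", []))
    asset.os, asset.vulns = os_name, list(vulns)

def run_workflow(lines, inventory: dict, min_cvss_for_ticket: float = 7.0):
    """Process syslog lines; returns the list of actions taken, for audit."""
    actions = []
    for line in lines:
        parsed = parse_dhcp_line(line)
        if parsed is None:
            continue
        ip, mac, host = parsed
        if mac in inventory:             # known device renewing its lease: no trigger
            continue
        asset = Asset(ip, mac, host)
        inventory[mac] = asset
        scan_asset(asset)                # ACTION 1: scan the new asset
        actions.append(f"scan {ip}")
        if asset.risk_score() > 500:     # ACTION 2: conditional tag
            asset.tags.add("high-criticality")
            actions.append(f"tag {ip} high-criticality")
        if asset.os.startswith("Windows Server"):   # ACTION 3: conditional ticket
            ticket = {"short_description": f"Remediate {host or ip}",
                      "cmdb_ci": ip,
                      "urgency": 1 if "high-criticality" in asset.tags else 2,
                      "vulns": [cve for cve, cvss in asset.vulns if cvss >= min_cvss_for_ticket]}
            asset.tickets.append(ticket)
            actions.append(f"ticket {ip}")
    return actions

# Constructed syslog lines; the second one renews a lease already in inventory.
SAMPLE_LOG = [
    "Mar  9 21:10:54 dhcp1 dhcpd: DHCPACK on 10.1.86.49 to 00:0c:29:ab:cd:ef (kx240-2543) via eth0",
    "Mar  9 21:11:02 dhcp1 dhcpd: DHCPACK on 10.1.86.49 to 00:0c:29:ab:cd:ef (kx240-2543) via eth0",
    "Mar  9 21:12:10 dhcp1 dhcpd: DHCPREQUEST for 10.1.86.50 from 00:50:56:11:22:33 via eth0",
    "Mar  9 21:12:10 dhcp1 dhcpd: DHCPACK on 10.1.86.50 to 00:50:56:11:22:33 via eth0",
    "Mar  9 21:15:00 dhcp1 dhcpd: DHCPACK on 10.1.86.51 to 00:17:c8:aa:bb:cc (prn-3f) via eth0",
]

if __name__ == "__main__":
    inv = {}
    for action in run_workflow(SAMPLE_LOG, inv):
        print(action)
```

Keying the inventory on MAC rather than IP is what makes the "renewed lease" case a no-op; keyed on IP, every DHCP churn would re-trigger scans and tickets.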

Vulnerability validation with Metasploit Pro (Validate with Metasploit)
• Safe vulnerability validation mechanism
• Focus on known security risks
• Closed-loop vulnerability management

Traditional vulnerability management: the vulnerability alert list. Clear, intuitive, actionable.

ID        Title                                                       Occurrences
MS05-43   Microsoft Windows DCOM RPCSS Service Vulnerabilities        14352
MS04-61   Microsoft Windows DCOM RPC Interface Buffer Overrun Vuln    11253
MS05-72   Microsoft Windows ASN.1 Library Integer Handling             2456
MS03-32   Windows TCP/IP Remote Code Execution                          522
AP04-32   Directory Traversal                                           414
AW01-34   APR-util Library Integer Overflow                             255
AP04-16   Apache 1.3 and 2.0 Web Server                                 116
FT01      ProFTPD 1.3 2xc2 and Prior_mod SQL Injection                   98
VZ02      OpenVZ Multiple Vulnerabilities                                64
HPJ01     HP NonStop Servers and                                         55
HW08      Huawei Multiple Device Bypass                                  32
MS04-47   Microsoft Messenger Service Buffer Overrun Vulnerability       28
RHL013    Red Hat Linux Instance 1.3 Multiple Vulnerabilities            28
PP32-1    Plug and Play Remote Access Vulnerability                      19
SMOSL1    SQL_mod remote Once Single Access                              18

Compliance analysis and reporting: Policy Scanning & Reporting
• Customize the reports you need
• Internationally recognized compliance reports: PCI, HIPAA, SOX, NERC
• PCI compliance reports with a Pass/Fail status per requirement

Web risk control: innovative black-box testing. Gartner evaluation ranking:

"Rapid7's offering earned the highest rating for Web AST due to DAST features. These include its "universal translator," which enables testing of various types of exposed back-end interfaces, such as JSON, REST, SOAP, XML-RPC, (GWT) RPC and Action Message Format (AMF). These features also include its enterprise capabilities — enterprise console, RBAC, one-click vulnerability verification, bug-tracking integration and extensive WAF integration."

Gartner, Critical Capabilities for Application Security Testing - Joseph Feiman, Neil MacDonald, August 17, 2015

Universal Translator: covers more technologies than any other DAST scanner.

[Figure: coverage pyramid. Web 3.0 & Mobile (JSON, REST, AMF, SOAP); Web 2.0 (JavaScript, application frameworks); CGI; static pages. Other testing tools cover only the lower layers, leaving an exposure gap at the top.]

Scan coverage: advanced web crawling
• You cannot attack what you cannot crawl

• Crucial to crawl the entire site
• Limit manual training time
• Sites are designed for human users, which creates challenges for crawling:
  ‒ JavaScript & AJAX: dynamic links & pages
  ‒ Form input validation: requires valid data
• Scanning requirements have changed:
  ‒ Applications have long stopped being "HTML based"
  ‒ Today's web applications have more dynamic content and are more complex

Scanning through the Universal Translator

[Flow: Start → Parse HTML & JavaScript, find new links and inputs → Modify URO with attack payloads → Attack requests sent → Responses analyzed for vulnerability discovery]

URO - Universal Request Object: parses many formats (mobile & web services: JSON, REST, AMF, SOAP) into a common description.

Example URO:
  Type: JSON
  Inputs:
    http.cookie[0].session = 98734njfaius282
    filters[0].item = Shirt
    filters[1].color = Blue
  Example attack value: color=Blue" onmouseover="alert(123)

Covering the web application's workflow
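Before moving on to workflow coverage, here is the URO idea from the previous slide worked through in Python, as an added example that is not AppSpider/NTOSpider code: a JSON body and a form-urlencoded body are both flattened into the same list of (path, value) inputs (producing exactly the `filters[0].item` / `filters[1].color` / `http.cookie[0].session` paths shown), the slide's XSS payload is written back into one input at a time, the body is re-serialized in its original encoding, and the response is checked for an unescaped reflection. The target "application" is a constructed, deliberately vulnerable handler that escapes every filter value except `color`; its behaviour, the request bodies and the cookie are assumptions for the demo.

```python
"""Universal Request Object (URO) demo: added example, not AppSpider/NTOSpider code.

Parse differently encoded requests (form-urlencoded, JSON) into one flat list
of (path, value) inputs, inject a payload into each input in turn, re-serialize
in the original format, and analyze the response. The target is a constructed,
deliberately vulnerable handler that reflects the color filter into HTML
without escaping it."""
import json
import re
from copy import deepcopy
from html import escape
from urllib.parse import parse_qsl, urlencode

XSS_PAYLOAD = 'Blue" onmouseover="alert(123)'   # the payload from the slide

def flatten(obj, prefix=""):
    """JSON -> (dotted path, leaf value) pairs, e.g. ('filters[1].color', 'Blue')."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj

def set_path(obj, path, value):
    """Write value back at a dotted path produced by flatten()."""
    tokens = re.findall(r"\[(\d+)\]|\.?([^.\[\]]+)", path)
    cur = obj
    for i, (idx, key) in enumerate(tokens):
        k = int(idx) if idx else key
        if i == len(tokens) - 1:
            cur[k] = value
        else:
            cur = cur[k]

def to_uro(content_type, body, cookies=None):
    """Normalize a request body (plus cookies) into the common description."""
    inputs = [(f"http.cookie[{i}].{k}", v) for i, (k, v) in enumerate((cookies or {}).items())]
    if content_type == "application/json":
        kind, parsed = "JSON", json.loads(body)
        inputs += list(flatten(parsed))
    elif content_type == "application/x-www-form-urlencoded":
        kind, parsed = "FORM", dict(parse_qsl(body))
        inputs += list(parsed.items())
    else:
        raise ValueError(f"unsupported content type {content_type}")
    return {"type": kind, "parsed": parsed, "inputs": inputs}

def mutate(uro, path, payload):
    """Return the body re-serialized with exactly one input replaced by the payload."""
    body = deepcopy(uro["parsed"])
    set_path(body, path, payload)
    return json.dumps(body) if uro["type"] == "JSON" else urlencode(body)

def vulnerable_app(content_type, body):
    """Constructed target: every filter value except 'color' is HTML-escaped."""
    if content_type == "application/json":
        filters = json.loads(body).get("filters", [])
    else:
        data = dict(parse_qsl(body))
        filters = [{"item": data.get("item", ""), "color": data.get("color", "")}]
    html = ""
    for f in filters:
        for k, v in f.items():
            html += f'<span class="{k}" data-v="{v if k == "color" else escape(str(v))}"></span>'
    return html

def scan(content_type, body, app=vulnerable_app, cookies=None):
    """Attack every non-cookie input; return the paths where the payload reflects intact."""
    uro = to_uro(content_type, body, cookies)
    findings = []
    for path, _ in uro["inputs"]:
        if path.startswith("http.cookie"):
            continue
        resp = app(content_type, mutate(uro, path, XSS_PAYLOAD))
        if 'onmouseover="alert(123)' in resp:   # unescaped reflection => XSS
            findings.append(path)
    return findings

# Constructed requests: the same shop filter sent as JSON and as a form post.
JSON_REQ = '{"filters":[{"item":"Shirt"},{"color":"Blue"}]}'
FORM_REQ = "item=Shirt&color=Blue"
COOKIES = {"session": "98734njfaius282"}

if __name__ == "__main__":
    print(to_uro("application/json", JSON_REQ, COOKIES)["inputs"])
    print(scan("application/json", JSON_REQ, cookies=COOKIES))
    print(scan("application/x-www-form-urlencoded", FORM_REQ))
```

The point of the common description is that the attack loop in `scan` never looks at the encoding: adding support for another format means adding a parser/serializer pair in `to_uro` and `mutate`, not a new set of attacks.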

• Must attack while respecting the workflow

[Figure: seven-step checkout workflow: #1 Add item to cart → #2 View cart → #3 Checkout → #4 Shipping info → #5 Billing info → #6 Confirm order → #7 Receipt. Steps 1-4, 6 and 7 come back clean; attacking the "Last name" field at step 5 returns
  Error mysql_error: You have an error in your SQL syntax; near 'Smith'' at line 10
and the vulnerability is detected.]

• Proper attacking must follow the expected workflow
• Only NTOSpider is able to automate this testing process

Reporting: detailed presentation of the crawl
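To show concretely why the workflow slide above matters, here is an added example (not NTOSpider/AppSpider code) in Python. A constructed checkout application enforces the seven-step order by tracking the step each session has reached, and has a SQL injection bug only in the billing step's last-name field. A scanner that fires its payload at step 5 in a fresh session gets a redirect back to the cart and reports nothing; one that replays steps 1 to 4 first reaches the injectable parameter and sees the mysql_error from the slide. The application, its step names and the crawler's baseline values are all assumptions for the demo.

```python
"""Workflow-aware attacking: added example, not NTOSpider/AppSpider code.

A constructed checkout application enforces the seven-step order from the
slide by tracking the next expected step per session, and is injectable only
in the billing step's last_name field. A naive attack in a fresh session is
rejected as out-of-order; replaying steps 1-4 first reaches the flaw."""
import re
import uuid

STEPS = ["add_to_cart", "view_cart", "checkout", "shipping", "billing", "confirm", "receipt"]
SQL_ERROR_RE = re.compile(r"You have an error in your SQL syntax|mysql_error", re.I)

class CheckoutApp:
    """Constructed target: stateful, one injectable parameter at step 5."""
    def __init__(self):
        self.sessions = {}   # session id -> index of the next expected step

    def request(self, session, step, params):
        expected = self.sessions.setdefault(session, 0)
        if STEPS.index(step) != expected:
            return 302, "Redirect: please start from the cart"   # workflow violated
        if step == "billing":
            last = params.get("last_name", "")
            # Simulates string concatenation into SQL: a quote breaks the query.
            if "'" in last:
                return 500, f"Error mysql_error: You have an error in your SQL syntax; near '{last}' at line 10"
        self.sessions[session] = expected + 1
        return 200, f"OK {step}"

# Benign values a crawler learned for each step (constructed training data).
BASELINE = {
    "add_to_cart": {"sku": "shirt-1"}, "view_cart": {}, "checkout": {},
    "shipping": {"address": "1 Main St"},
    "billing": {"first_name": "John", "last_name": "Smith", "card": "4111111111111111"},
    "confirm": {}, "receipt": {},
}

def attack_step(app, target_step, payload="'"):
    """Replay the workflow up to target_step in a new session, then inject into each of its parameters."""
    findings = []
    for param in BASELINE[target_step]:
        session = str(uuid.uuid4())             # fresh state for every attack request
        for step in STEPS[:STEPS.index(target_step)]:
            app.request(session, step, BASELINE[step])
        params = dict(BASELINE[target_step], **{param: BASELINE[target_step][param] + payload})
        status, body = app.request(session, target_step, params)
        if SQL_ERROR_RE.search(body):
            findings.append((target_step, param, status))
    return findings

def attack_without_workflow(app, target_step, payload="'"):
    """What a naive scanner does: send the attack in a fresh session with no prior steps."""
    findings = []
    for param in BASELINE[target_step]:
        params = dict(BASELINE[target_step], **{param: BASELINE[target_step][param] + payload})
        status, body = app.request(str(uuid.uuid4()), target_step, params)
        if SQL_ERROR_RE.search(body):
            findings.append((target_step, param, status))
    return findings

def scan_all(app):
    """Walk every step in order; returns each (step, param, status) that shows a SQL error."""
    return [f for step in STEPS for f in attack_step(app, step)]

if __name__ == "__main__":
    app = CheckoutApp()
    print("naive:", attack_without_workflow(app, "billing"))
    print("workflow-aware:", scan_all(app))
```

Each attack request gets its own replayed session because a successful injection (or a rejected one) may leave the server-side state at a different step; reusing one session would make every later attack land out of order, which is the failure mode the slide describes.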

• Don't present only the content to auditors
• Give developers more detail: enables those with a better understanding of the application to assess the completeness of the scan

Reporting: correlation analysis
• Consolidates numerous vulnerabilities into "root causes"
• Facilitates prioritization, coordination and tracking of remediation

Reporting: presenting the attack
• Easy to communicate the source of the problem to developers
• Provides simple and usable data for all levels of the process, including reproducing attacks

WAF / IPS integration

Sourcefire, F5, DenyAll, Barracuda, ModSecurity, Imperva, NitroSecurity

Defect tracking integration

Jira, HP Quality Center, RSA Archer

DevOps / SDL integration

Selenium, Jenkins, Hudson, Bamboo, Burp, Fiddler, WebScarab, Paros, Swagger, Coverity, Checkmarx

Attack categories

Passive Attacks:
• ASP.NET ViewState security
• Auto Complete Attribute Checks
• Browser Cache directive (leaking sensitive information)
• Browser Cache directive (web application performance)
• Cookie Attributes
• Credentials stored in clear text in cookies
• Cross-Origin Resource Sharing (CORS)
• E-Mail Disclos ure
• Information Disclosure in Comments
• Information Disclosure in Response
• Information Disclosure in Scripts
• Information Leakage in Form Submission
• Information Leakage in Responses
• Privacy Disclosure
• Profanity
• Secure and Non-Secure Content Mix
• Sensitive Data Exposure

Active Attacks:
• Apache Struts Detection
• Apache Struts 2 Framework File Inclusion
• Arbitrary File Upload
• ASP.Net Misconfiguration
• Blind SQL Injection
• Brute Force (Form Auth)
• Brute Force (HTTP Auth)
• Business Logic Abuse Attacks
• Cross Site Scripting (DOM-Based)
• Cross-Site Request Forgery (CSRF)
• Cross Site Scripting (XSS, Reflected)
• Cross Site Scripting (XSS, Simple)
• Cross Site Tracing (XST)
• Custom Directory Module
• Custom Parameter Module
• Directory Indexing
• Expression Language Injection
• Forced Browsing
• Form Session Strength
• Heartbleed Check
• HTTP Response Splitting
• HTTPS Downgrade
• Java Grinder (downloads jar files, extracts and decompiles class files and examines their content for security-related code)
• LDAP Injection
• OS Commanding
• Parameter Fuzzing
• Predictable Resource Location
• Reflection Analysis
• Reverse Proxy
• Server Configuration
• Server Side Include Injection (SSI)
• Session Fixation
• Session Strength
• Source Code Disclosure
• SQL Injection
• SQL Injection Authentication Bypass
• SSL Strength
• Un-Validated Redirect
• Web Beacon
• Web Service Parameter Fuzzing
• XML External Entity Attack
• XPath Injection

Incident Detection and Response: shorten the window as much as possible…

[Figure: two timelines. Ideal: Day 1 attacker gains entry, Day 2 threat detected, Day 3 malware contained. Typical: Day 1 attacker gains entry, Day 206 threat detected, Day 234 threat contained.]

1. Detect compromise the same day
2. Scope the complete incident fast
3. Quickly hand off to the remediation team

Endpoint data collection
• Active Directory
• LDAP
• DHCP
• DNS
• VPN
• IDS / IPS
• Web Proxy
• Firewall
• E-mail Servers
• Security Console
• Enterprise Cloud Applications
• Intruder Traps

Single, Integrated Experience

InsightIDR Solution Architecture

[Architecture diagram: remote endpoints, network events, endpoint events, intruder traps, enterprise cloud apps, existing security solutions (alerts and events), mobile devices and applications feed on-premise collectors, which forward over SSL to the Insight Platform. InsightIDR provides Attacker Analytics, User Behavior Analytics, Machine Learning and a fully searchable data set to the real-time security team.]

Event sources

FOUNDATIONAL EVENT SOURCES
  LDAP: Microsoft Active Directory LDAP
  Active Directory: Microsoft Active Directory Domain Controllers
  DHCP: Cisco iOS, Infoblox Trinzic, ISC dhcpd, Microsoft DHCP

VALUE-ADD EVENT SOURCES
  DNS, VPN, IDS / IPS, Web Proxy, Firewall, E-mail Servers, Security Console, Enterprise Cloud Applications, Intruder Traps

Supported value-add sources by category:
  DNS: ISC Bind9, Infoblox Trinzic, Microsoft DNS, MikroTik, PowerDNS
  E-mail: Microsoft ActiveSync (mobile devices), Microsoft Exchange, Outlook Web Access
  VPN: Cisco ASA VPN, F5 Networks FirePass, Fortinet FortiGate, Juniper SA, Microsoft IAS (RADIUS), Microsoft Network Policy Server, Microsoft Remote Web Access, OpenVPN, SonicWALL Firewall & VPN
  Web Proxy: Barracuda Web Filter, Blue Coat Proxy, Cisco IronPort, Dell SonicWall, Fortinet FortiGate, Intel Security (fka McAfee) Web Reporter, Sophos Secure Web Gateway, Squid, Watchguard XTM, WebSense Web Security Gateway
  Firewall: Check Point Firewall, Cisco ASA Firewall & VPN, Cisco Meraki, Fortinet Fortigate, Juniper Netscreen, Palo Alto Networks Firewall, SonicWALL, Sophos Firewall, Stonesoft Firewall, Watchguard XTM
  IDS / IPS: Cisco Sourcefire, Dell iSensor, HP TippingPoint, McAfee IDS, Metaflows IDS, Security Onion, Snort
  Advanced Malware: FireEye NX, Palo Alto Networks WildFire
  SIEMs / Log Aggregators: HP ArcSight & ArcSight Logger, IBM QRadar, Intel Security (fka McAfee) NitroSecurity, LogRhythm, Splunk
  Data Exporters: FireEye Threat Analytics Platform, HP ArcSight, Splunk
  Rapid7: Windows Agentless Endpoint Monitor, Mac Agentless Endpoint Monitor, Honeypot & Honey Users, Metasploit, Nexpose
  Virus Scanners: McAfee ePO, Sophos Enduser Protection, Symantec Endpoint Protection
  Cloud Services: AWS Cloud Trails, Box.com, Duo Security, Google Apps, Office 365, Okta, Salesforce.com
  Application Monitoring: Atlassian Confluence, Microsoft SQL Server

The attack chain

Infiltration and Persistence
• Phish users
• Use leaked credentials
• Connect to network
• Anonymize

Reconnaissance
• Get user list
• Scout targets
• Find machines with vulnerabilities

Lateral Movement
• Access credentials
• Collect more passwords
• Increase access privileges
• Deploy backdoors

Mission Target
• Access critical data
• Upload data to external location

Maintain Presence
• Deploy backdoors
• Continued check-ins for future use

Breaking the attack chain effectively

Infiltration and Persistence
• Detect phishing attempts
• Identify malware
• Alert on leaked credentials
• Monitor inbound connections

Reconnaissance
• Detect network scans

Lateral Movement
• Detect intruders switching identities
• Detect unusual traffic and authentications
• Identify malware
• Identify privilege escalation
• Detect password guessing attempts & pass-the-hash

Mission Target
• Detect suspicious access to critical data
• Monitor data and cloud usage

Maintain Presence
• Detect malicious processes

Information filtering

[Funnel: Raw Events → Enriched, Attributed Events → User & Asset Behaviors → Relevant Activity → Notable Behaviors → Suspicious Behaviors. Outputs: Alert, Explore, Search.]

Search - It's All About The Context
• Would you like to search through this?
  09 2016 21:10:54 R7-BOS-5545 : %ASA-6-302014: Teardown TCP connection 406359796 for outside:52.2.119.185/443 to INSIDE:10.1.86.49/57672 duration 0:00:14 bytes 4510 TCP FINs

• Or THIS?
  {
    "timestamp": "2016-03-09T21:10:54.000Z",
    "asset": "kx240-2543.acme.com",
    "user": "Ronald Serpico",
    "source_address": "52.2.119.185",
    "source_port": "443",
    "destination_address": "10.1.86.49",
    "destination_port": "57672",
    "direction": "INBOUND",
    "incoming_bytes": "4510",
    "outgoing_bytes": "0",
    "geoip_organization": "Amazon.com",
    "geoip_country_code": "US",
    "geoip_country_name": "United States",
    "geoip_city": "Ashburn",
    "geoip_region": "VA"
  }

Better solution delivery: Rapid7 Threat Exposure Management
• Know your weak points
• Prioritize what matters
• Optimize remediation

[Figure: moving from a legacy compliance focus to Threat Exposure Management, built on Attack Simulation, Remediation Analytics, Vulnerability & Patch Reporting, and IT Workflow Integration.]
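Going back to the search slide: the step from the raw `%ASA-6-302014` line to the attributed record is a parse plus three lookups, shown here as an added example in Python that is not InsightIDR code. The regex follows Cisco's documented syntax for the 302014 teardown message; the asset, user and GeoIP tables are constructed lookups holding the slide's own values (an inventory from DHCP, who is logged on where, and a prefix-to-organization map); the month in the sample line is assumed from the slide's JSON timestamp because the slide's raw line lacks it. The caveat a practitioner wants is in the comments: the ASA writes the outside endpoint first regardless of who opened the connection and reports a single byte total, so "direction" and "incoming_bytes" as shown on the slide are a convention, and true initiation direction comes from the matching 302013 "Built inbound/outbound" message.

```python
"""Event normalization and attribution: added example, not InsightIDR code.

Parses the Cisco ASA %ASA-6-302014 teardown message from the slide into the
flat record shown beside it, then enriches it from constructed lookup
tables (asset inventory, user-to-asset attribution, GeoIP prefixes)."""
import ipaddress
import re
from datetime import datetime, timezone

# %ASA-6-302014: Teardown TCP connection <id> for <iface>:<ip>/<port> to
# <iface>:<ip>/<port> duration <h:mm:ss> bytes <n> <reason>
ASA_302014 = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<year>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<device>\S+) : "
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<a_if>[^:]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>[^:]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Constructed lookup tables holding the slide's values.
ASSET_BY_IP = {"10.1.86.49": "kx240-2543.acme.com"}        # DHCP / inventory
USER_BY_ASSET = {"kx240-2543.acme.com": "Ronald Serpico"}  # who is logged on there
GEOIP = {ipaddress.ip_network("52.2.0.0/15"):
         ("Amazon.com", "US", "United States", "Ashburn", "VA")}
OUTSIDE_IFACES = {"outside"}

def geo(ip):
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return None
    for net, info in GEOIP.items():
        if addr in net:
            return info
    return None

def normalize(line):
    """Raw syslog line -> attributed record (None if it is not a 302014 message)."""
    m = ASA_302014.match(line)
    if not m:
        return None
    t = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}",
                          "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    # Caveat: the ASA lists the lower-security (outside) endpoint first whether
    # or not it initiated, and 'bytes' is one total for both directions. We keep
    # the slide's convention (first endpoint = source, INBOUND when it is on an
    # outside interface); real initiation direction comes from the matching
    # %ASA-6-302013 'Built inbound/outbound' message.
    inbound = m["a_if"].lower() in OUTSIDE_IFACES
    internal_ip = m["b_ip"] if inbound else m["a_ip"]
    asset = ASSET_BY_IP.get(internal_ip)
    rec = {
        "timestamp": t.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "asset": asset,
        "user": USER_BY_ASSET.get(asset),
        "source_address": m["a_ip"], "source_port": m["a_port"],
        "destination_address": m["b_ip"], "destination_port": m["b_port"],
        "direction": "INBOUND" if inbound else "OUTBOUND",
        "incoming_bytes": m["bytes"] if inbound else "0",
        "outgoing_bytes": "0" if inbound else m["bytes"],
        "connection_id": m["conn"], "duration": m["dur"],
        "reason": m["reason"], "device": m["device"],
    }
    g = geo(m["a_ip"] if inbound else m["b_ip"])
    if g:
        rec.update(zip(("geoip_organization", "geoip_country_code",
                        "geoip_country_name", "geoip_city", "geoip_region"), g))
    return rec

def search(records, **criteria):
    """The attribute search the raw line does not allow, e.g. user='Ronald Serpico'."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]

# Constructed sample: the slide's line with the month assumed from its JSON timestamp.
SAMPLE = ("Mar 09 2016 21:10:54 R7-BOS-5545 : %ASA-6-302014: Teardown TCP connection 406359796 "
          "for outside:52.2.119.185/443 to INSIDE:10.1.86.49/57672 duration 0:00:14 bytes 4510 TCP FINs")

if __name__ == "__main__":
    rec = normalize(SAMPLE)
    print(rec)
    print(search([rec], user="Ronald Serpico", geoip_country_code="US"))
```

The attribution step is the one that turns a firewall line into something a responder can pivot on: once every record carries `asset` and `user`, the search for "everything Ronald Serpico's machine talked to in AWS" is a field match rather than a regex over syslog.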

Vulnerability Management → Threat Exposure Management

RAPID7 TECHNOLOGY: vulnerability management, attack simulation, assessment

Rapid7 Security Advisory Services
• Quantify security status
• Gain executive alignment
• Make measurable progress

[Figure: moving from check-box compliance testing and penetration testing (legacy compliance focus) to Security Advisory Services: Incident Response & Breach Readiness, Risk-based Security Program Assessment, 3 Year Program Roadmap.]

RAPID7 TECHNOLOGY: Security Assessment, Program Development

NASDAQ: RPD

Delivering Security Data & Analytics that revolutionize the practice of cyber security

5,100+ Customers | 37% of the Fortune 1000 | 99 Countries | 800+ Employees