Next Generation- What every IT Security Professional needs to Know

By

Tasawar Jalali (MBA, CISSP, CEH)

8/18/15

Index

Introduction

Need for Vulnerability Management Solution

Standards and Regulations

True Next Generation Vulnerability Management

Active Scanner (AS)

Active Agent (AA)

Why Continuous Monitoring (CM)

Qualys Continuous Monitoring

Rapid7 Continuous Monitoring

Tenable Continuous Monitoring

Active Agents

Qualys - Cloud Agent

Rapid7 - UserInsight

Tenable – Nessus Agent

Conclusion

Introduction

We’re in a cyber-war, and the Internet remains an untamed frontier. Cyber-attacks are becoming more sophisticated, complex, and destructive with every passing week. Bolstering your cybersecurity is necessary, but it is also expensive and difficult to manage. Preventative cyber security is not keeping criminals out, and successful hacks often take months to detect. Organizations need to be proactive in their threat and vulnerability management efforts.

In even modest-size networks, making sure that all assets are running all the security patches can be a nightmare. A single host that is missing patches, or that didn't get patches installed correctly, can compromise the security of the entire network. No single security solution can make a network safe from all attacks. Firewalls, anti-virus, and IPS’s can't protect computer systems from being compromised by zero-days and APT's. Antivirus can't protect workstations from being infected by polymorphic malware. As per McAfee, 100% of the companies that got hacked in 2014 had anti-virus and firewalls in place. So it's only a matter of time before an organization is compromised. It's imperative that each organization deploys a balanced defense-in-depth strategy and a strong Vulnerability Management (VM) solution, which plays a vital role in the first line of defense.

Fig-1: Next Generation-Vulnerability Management

Need for Vulnerability Management Solution

There are numerous security solutions available in the market today, such as perimeter security, endpoint security, Vulnerability Management (VM), VPN, Anti-Virus, Anti-Malware, SIEM, WAF, IDS/IPS, PKI, SSO, etc. All these tools can produce terabytes of data on a daily basis, which can strain already data-fatigued SOC teams. Simply providing a dump of data into an already strained organization doesn’t help to narrow the security problem; it actually compounds it. What is required is rich, contextual, real-time visibility into the newly emerging threat-scape, and this is impossible to achieve unless you have some sort of real-time continuous monitoring solution. In this paper we will focus on the VM solution: how a Next Generation Vulnerability Management (NG-VM) solution can help meet the security challenges organizations are experiencing today, and how such a solution can help identify, detect, protect against and respond to emerging threats like zero-day exploits and Advanced Persistent Threats (APT’s).

According to a report published by the Ponemon Institute of Research early this year, despite having a multilayer defense-in-depth architecture in place, organizations are experiencing an average of 51 security breaches every year because of a failure in malware detection, and each response to such a failure costs approx. $62,000. Having a traditional network scanner that scans for known malware and vulnerabilities based on signatures is not good enough anymore. According to the same survey, 70% of respondents say that it was most likely that their organization is infected by web-borne malware that went undetected.

Fig 2: Traditional Scanner

A comprehensive organizational cybersecurity program requires that enterprises also engage in continuous internal and perimeter vulnerability management. The traditional Vulnerability Management (VM) philosophy relied on open source tools like NMAP, OpenVAS, Nikto, Metasploit, SAINT, SARA and Nessus to drive the vulnerability management program; these offer sporadic updates, poor reporting capabilities, no technical support and limited plugins that don’t support the wide array of mobile devices, applications, operating systems and network devices. However, NG-VM must offer much more than regular updates and accurate reporting. In addition to supporting the above-mentioned features, organizations must be armed with NG-VM’s that detect zero-hour macro malware and APT’s and offer prevention that a traditional signature-based VM, which relies on plugins and heuristic-based malware detection methods, can’t offer.

Standards and Regulations

The Defense Information Systems Agency (DISA), a U.S. Department of Defense (DoD) division that provides IT and communications support to the President, Vice President, Secretary of Defense, and military services, replaced the outdated Secure Configuration Compliance Validation Initiative (SCCVI) suite of software, which lacked continuous monitoring capability, with a new standard called Assured Compliance Assessment Solution (ACAS). The ACAS solution not only provides the required automated network vulnerability scanning, configuration assessment, application vulnerability scanning, device configuration assessment, network discovery and centralized console, and is SCAP compliant, but also monitors network traffic in real-time. Such continuous monitoring looks for new hosts, new applications and new vulnerabilities without requiring active scanning; it therefore avoids generating additional network traffic and detects new threats in real-time. DISA selected Tenable as the Assured Compliance Assessment Solution (ACAS) in 2012.

The National Institute of Standards and Technology (NIST) has played a significant role in cybersecurity since 1972 with the development of the Data Encryption Standard (DES). In Feb 2013, Executive Order (EO) 13636 directed NIST to develop a framework that reduces cyber risks to critical infrastructure. This initiative led to the publication of the first framework in February 2014. The core of the Framework consists of five key functions - Identify, Protect, Detect, Respond and Recover - with multiple sub-categories. CM is one of the required categories under the core function Detect (DE.CM - Security Continuous Monitoring).

NIST publication 800-137, “Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”, describes “continuous monitoring (CM) as a critical component of information security that maintains ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

The SANS Top 20 Critical Security Controls list asset management as Critical Security Control 1. Having an accurate inventory is absolutely a must, but meeting the full spirit of this control can be an arduous task. However, the good news is that there is a solution to address this problem.

True Next Generation Vulnerability Management

NG-VM solutions need to include much more than reporting. In today’s world, characterized by advanced persistent threats (APT’s) and zero-hour threats, a more comprehensive NG-VM strategy is needed: a strategy that combines traditional scanning with real-time vulnerability Identification, Detection, Prevention and Reporting capabilities. It would include Active Scanners (AS), Active Agents (AA), a Central Console (CC), and Continuous Monitoring (CM), with linkage between the technical indicators or Indicators of Compromise (IOC’s) (e.g., IP addresses and domains associated with threats, or hashes that “fingerprint” malicious files), the adversaries, their motivations and intents, and information about what is being targeted.

Fig 3: Next Generation Vulnerability Management Solution

Active Scanner (AS)

A vulnerability scanner, or Active Scanner (AS) as it is called in this paper, is a software application that assesses security vulnerabilities in networks or host systems and produces a set of scan results. AS can assess a wide array of vulnerabilities across the network, which may include computers, network systems, operating systems, and software applications. AS can actively manage (inventory, track, and correct) all hardware devices on the network. Additionally, AS can help identify rogue machines, which might endanger overall system and network security. However, traditional scanners cannot identify rogue machines in real-time, especially when workforces are equipped with all sorts of mobile gadgets. This is a feature an NG-VM absolutely must have. We will address this issue in this paper.

Active Scanners (AS) can be deployed on the perimeter networks as an appliance or SaaS solution, in combination with internal scanners that can be a hardware or virtual appliance or a software solution.

Active Agent (AA)

Active Agents are installed across all devices in the network and should be able to identify, detect, collect and report any changes to the systems, reporting such changes in real-time to the Central Console (CC). AA’s must be tied into CTI sources through an intelligent correlation engine, which can interpret IOC’s and Observables in real-time and not only detect APT’s and zero-day exploits but also prevent and block such threats. Budding endpoint solution provider Crowdstrike, which recently secured $100 million from Google Capital, provides real-time visibility and protection against APT’s, tactics, techniques and procedures (TTPs), and zero-day exploits, and does an excellent job at providing visibility and protection against such threats. However, such a solution does not offer any asset management or real-time visibility into the security posture of the enterprise network. With most of the major VM vendors already offering agents, they are in a perfect position to build such intelligence into their products.

Why Continuous Monitoring (CM)

Continuous Monitoring is the process of constantly and persistently monitoring network assets, vulnerabilities, and security configurations in real-time in an effort to reduce the network’s attack surface and mitigate cyber-threats. A CM device usually runs in promiscuous mode and can be set inline or attached to a SPAN (mirror) port of a switch. The idea is to give the CM device access to all packets you wish it to monitor. It’s imperative that any CM solution also integrates Cyber Threat Intelligence and correlates and detects emerging threats in real-time.

Some vendors have interpreted continuous monitoring to mean more-frequent scanning. Others have added the ability to run continuous active scans, where as soon as one scan finishes, another one starts in the hope of capturing new devices and vulnerabilities. Such solutions provide visibility and protection against vulnerabilities in applications, OS’es, misconfigurations and malware threats, but can’t provide a real-time perspective on the threat landscape within your internal network. Traditional scanners can’t give you visibility of systems that might be compromised by determined cyber adversaries who may use custom malware, zero-day exploits, APT’s, and advanced TTP’s to compromise a system. Although many professional vulnerability management tools offer real-time updates as new threats emerge, most don’t offer a solution that can detect advanced emerging threats - threats that are not reported to the guardians of security and are loose in the wild and untamed Internet.

Three major VM vendors were evaluated for this paper - Qualys, Rapid7 & Tenable Network Security - against the following two key features, which are critical components of NG-VM.

- Continuous Monitoring
- Active Agent

I omitted Active Scanner & Reporting for the sake of keeping this paper brief, plus both these features were equally competitive among all three vendors. Qualys, however, excels in reporting, but as shown in our lab tests, there were a lot of duplicates and repeats, hence adding to data fatigue. All three scanners have frequent updates, a rich plugin DB & very low false positives and false negatives. Qualys performed better in terms of time to scan.

Qualys Continuous Monitoring

Qualys claims their Continuous Monitoring is based on a next-generation cloud service that gives their customers the ability to identify threats and monitor unexpected changes in networks before they turn into breaches. When I reached out to Qualys reps with the same question, they explained that their Continuous Monitoring module was developed to take feeds from a) external vulnerability scans, b) internal vulnerability scans and c) Cloud Agent, and to provide user-customizable policies that alert on certain configuration changes. This means that they gather scan data from all scanners and agents during frequent scans. There is no continuous monitoring; it is just aggregation of frequent scan data. This obviously does not offer any real-time visibility into zero-day’s and APT’s, but leads to unnecessary traffic on already enervated networks. As per a report published by McAfee Labs in 2014, 387 new threats emerge every minute, or more than 6 every second. Even if we were to run scans every hour (which would not be practical in a large enterprise), it would still not be possible to keep up with the rapidly emerging threat-scape of the wild Internet. Given such a colossal number of threats that organizations have to fend off, it will be a herculean task to identify and report real-time APT’s and zero-day threats by performing frequent scans. Continuous scanning does not equate to continuous monitoring. Qualys’s claim of a CM solution is a little misleading and specious.

Rapid7 Continuous Monitoring

A recently published Rapid7 white paper, “Rapid7 Continuous Monitoring Solutions”, states that “continuous monitoring is a core practice in any comprehensive cyber security program”. It seems from this report that Rapid7 does understand the criticality of CM. In the same report it reads, “by building out a continuous monitoring regimen, an organization will be able to exercise “NEAR” real-time control over their assets, configurations, and vulnerabilities”. Their claim of real-time monitoring and control refers to the use of the open source tool Metasploit, which performs penetration testing and through which organizations can achieve “NEAR” real-time visibility into their physical and virtual assets. Organizations will achieve “NEAR” real-time, actionable information about their security programs. Their proposition revolves around Metasploit and Nexpose scanner integration to offer “NEAR” real-time continuous monitoring, which is again misleading. There is no continuous monitoring, but on-demand continuous scanning and penetration testing. Rapid7’s version of a “NEAR” real-time CM Vulnerability Management solution is like securing your house with a sophisticated alarm system but without locking every door and window before going on vacation, because I nearly secured my house. As a security professional, I would want something more than a “NEAR” solution if I am investing top dollars in a VM solution.

Tenable Network Security Continuous Monitoring

Tenable Network Security comes close to continuous monitoring and takes CM to the next level, not only by aggregating scan data like Qualys and Rapid7 do, but also by combining various components into their single console, known as Security Center. Nessus’s Passive Vulnerability Scanner (PVS) eliminates network blind spots by continuously monitoring (sniffing) network traffic in real-time to discover active assets, identify cloud applications, and detect anomalous activity.

PVS runs in promiscuous mode and is attached to a SPAN port on the network so that all traffic entering and leaving is seen by PVS. PVS can be configured to sniff an entire network or just a particular server. PVS detects many applications through plugin and protocol analysis. At a lower level, PVS also detects open ports and outbound ports in use on the monitored networks. By default, PVS will detect any TCP server on the protected network if it sees a TCP “SYN-ACK” packet. Tenable’s PVS can be configured to detect both encrypted and interactive sessions. As per Gartner, by 2017 half of all network attacks will be SSL based. So this feature is vital in providing visibility into APT’s and zero-day exploits that use SSL and other forms of encrypted channels to compromise networks. This gives Tenable’s PVS a big edge over the competition.
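The two passages above describe the same mechanism: a sensor in promiscuous mode on a SPAN port that infers a listening TCP server whenever it sees a SYN-ACK, and that also notes outbound ports in use. The following is an added example written for this paper's readers, not code from the paper or from Tenable's PVS. It decodes bare IPv4/TCP headers, treats a SYN-ACK from an address inside an assumed protected range as proof of a listening service, records outbound SYNs from inside hosts, and then diffs what it saw against an assumed asset inventory. All packets are constructed in the file with documentation addresses; nothing is captured live.

```python
"""Passive service discovery from TCP handshake flags.

Added example, not code from the paper or from Tenable's PVS: a minimal
passive sensor that inspects raw IPv4/TCP packets the way a sniffer on a
SPAN (mirror) port would see them, records a listening service when a host
inside the protected range answers with SYN-ACK, and records outbound
client ports when an inside host sends a SYN to an outside address.
Every packet below is constructed in this file; nothing is captured live.
"""
import ipaddress
import struct
from collections import defaultdict

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


def build_packet(src, dst, sport, dport, flags):
    """Construct a bare IPv4 + TCP packet (20-byte headers, no payload).

    Checksums are left at zero: this is sensor test input, not a packet
    meant for the wire.
    """
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,        # v4, IHL 5, len 40, TTL 64, proto TCP
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Decode src/dst/ports/flags from an IPv4+TCP packet; None if not one."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:   # protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13]
    return src, dst, sport, dport, flags


class PassiveSensor:
    """Builds an asset/service picture purely from observed handshakes."""

    def __init__(self, protected_net):
        self.net = ipaddress.IPv4Network(protected_net)   # assumed monitored range
        self.services = defaultdict(int)    # (ip, port) -> SYN-ACKs seen
        self.outbound = defaultdict(set)    # inside ip -> remote ports dialled

    def _inside(self, ip):
        return ipaddress.IPv4Address(ip) in self.net

    def observe(self, raw):
        parsed = parse_packet(raw)
        if parsed is None:
            return
        src, dst, sport, dport, flags = parsed
        syn, ack = bool(flags & TCP_SYN), bool(flags & TCP_ACK)
        if syn and ack and self._inside(src):
            # Only a SYN-ACK proves something is listening; a RST-ACK does not.
            self.services[(src, sport)] += 1
        elif syn and not ack and self._inside(src) and not self._inside(dst):
            self.outbound[src].add(dport)

    def new_services(self, inventory):
        """Listening (ip, port) pairs the asset inventory does not know about."""
        return sorted(set(self.services) - set(inventory))


def run_demo():
    """Replay a constructed traffic sample through the sensor."""
    sensor = PassiveSensor("10.0.0.0/24")
    traffic = [
        # known web server answers a client
        build_packet("10.0.0.20", "10.0.0.5", 51000, 443, TCP_SYN),
        build_packet("10.0.0.5", "10.0.0.20", 443, 51000, TCP_SYN | TCP_ACK),
        # unknown host answering on 3389: not in the inventory
        build_packet("10.0.0.20", "10.0.0.77", 51001, 3389, TCP_SYN),
        build_packet("10.0.0.77", "10.0.0.20", 3389, 51001, TCP_SYN | TCP_ACK),
        # inside workstation dialling out to an external port
        build_packet("10.0.0.20", "203.0.113.9", 51002, 8443, TCP_SYN),
        # closed port: the RST-ACK reply must not be recorded as a service
        build_packet("198.51.100.4", "10.0.0.5", 40000, 22, TCP_SYN),
        build_packet("10.0.0.5", "198.51.100.4", 22, 40000, TCP_RST | TCP_ACK),
    ]
    for pkt in traffic:
        sensor.observe(pkt)
    return sensor


if __name__ == "__main__":
    s = run_demo()
    print("services not in inventory:", s.new_services([("10.0.0.5", 443)]))
    print("outbound ports by host:", dict(s.outbound))
```

Running the file reports `10.0.0.77:3389` as a listening service the inventory does not know about and `8443` as an outbound port used by `10.0.0.20`; the RST-ACK from `10.0.0.5:22` is correctly ignored because only a SYN-ACK shows that something is accepting connections. On a real sensor the `observe` call would be fed from a capture library rather than the constructed list.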

Active Agents

All three companies have Active Agents in one form or another that can be installed on systems; however, their support for different platforms and how they function vary significantly.

Qualys - Cloud Agent

The Qualysguard Agent stores a snapshot of security and compliance metadata about the target system and uploads it to the Qualys Cloud. Qualys has agents for Windows, but as of today they don’t have agents for Linux and Mac. As per our interaction with their team at Black Hat, they are releasing support for other OS’es in Q3-Q4 of 2015. The new agent that’s scheduled to be released later this year is supposed to have a small memory footprint and won’t be resource intensive.

Rapid7 - UserInsight

Rapid7 UserInsight provides visibility into user activity across on-premises, cloud and mobile environments. UserInsight also integrates with ActiveSync to monitor mobile devices, and with cloud services such as SalesForce and Box. UserInsight offers visibility when users are accessing corporate resources, even if they’re not on a corporate network or are using their own devices.

However, UserInsight digresses from the core philosophy of VM. Instead of scanning for and identifying vulnerabilities, UserInsight tracks user behavior and user privileges, which doesn’t tie into the core philosophy of VM. Rapid7’s UserInsight supports most Windows and Linux versions but does not offer support for Mac OS X.

Tenable – Nessus Agent

Tenable’s Nessus Agents are lightweight programs that are installed locally on a host. Agents collect vulnerability, compliance, and system data and report that information back to a Nessus Manager system. Nessus Agents currently support 32 and 64-bit editions of the most common operating systems including Windows, Linux and Mac OS.

All of these agents, however, lack integration with real-time Cyber Threat Intelligence (CTI).
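The Active Agent section asks for agent telemetry to be tied into CTI sources through a correlation engine that interprets IOC's in real-time, and the line above notes that none of the evaluated agents do this yet. The following is an added example of what such a correlation step looks like; it is not code from the paper or from Qualys, Rapid7 or Tenable. The feed is an assumed, simplified in-memory list of indicators rather than a STIX or OpenIOC document, the agent event shape is assumed, and every indicator, host name and hash is constructed for the example.

```python
"""Correlating Active Agent telemetry with a threat-intelligence feed.

Added example, not code from the paper or from any vendor it discusses:
a small correlation engine of the kind the paper says agent data should be
tied into. The feed is a simplified in-memory list of indicators, not a
STIX or OpenIOC parser, and every indicator and agent event below is
constructed (documentation addresses, .test domains, made-up hashes).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str       # "ipv4", "cidr", "domain" or "sha256"
    value: str
    source: str     # which feed supplied it


@dataclass(frozen=True)
class Alert:
    host: str       # agent that reported the event
    kind: str       # event type that matched
    observed: str   # value the agent saw
    indicator: str  # feed entry it matched
    source: str


class Correlator:
    """Normalises indicators once, then matches agent events against them."""

    def __init__(self, indicators):
        self.ips, self.domains, self.hashes, self.cidrs = {}, {}, {}, []
        for ind in indicators:
            v = ind.value.strip()
            if ind.kind == "ipv4":
                self.ips[str(ipaddress.ip_address(v))] = ind
            elif ind.kind == "cidr":
                self.cidrs.append((ipaddress.ip_network(v, strict=False), ind))
            elif ind.kind == "domain":
                self.domains[v.lower().rstrip(".")] = ind
            elif ind.kind == "sha256":
                self.hashes[v.lower()] = ind

    def match_ip(self, ip):
        ind = self.ips.get(ip)
        if ind:
            return ind
        addr = ipaddress.ip_address(ip)
        for net, ind in self.cidrs:
            if addr in net:
                return ind
        return None

    def match_domain(self, name):
        # Walk from the full name up through its parents so that a feed
        # entry for "bad-example.test" also covers "cdn.bad-example.test".
        # The bare TLD is never tried, to avoid matching everything.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            ind = self.domains.get(".".join(labels[i:]))
            if ind:
                return ind
        return None

    def match_hash(self, digest):
        return self.hashes.get(digest.lower())

    def correlate(self, events):
        """events: dicts reported by agents; returns one Alert per hit."""
        alerts = []
        for ev in events:
            kind = ev["type"]
            if kind == "connection":
                observed, ind = ev["remote_ip"], self.match_ip(ev["remote_ip"])
            elif kind == "dns":
                observed, ind = ev["query"], self.match_domain(ev["query"])
            elif kind == "file":
                observed, ind = ev["sha256"], self.match_hash(ev["sha256"])
            else:
                continue    # unknown event type: nothing to correlate
            if ind:
                alerts.append(Alert(ev["host"], kind, observed, ind.value, ind.source))
        return alerts


# Constructed feed and telemetry (not real indicators or real hosts).
FEED = [
    Indicator("cidr", "203.0.113.0/24", "feed-a"),
    Indicator("domain", "bad-example.test", "feed-b"),
    Indicator("sha256", "AB" * 32, "feed-b"),
]
EVENTS = [
    {"host": "ws-014", "type": "connection", "remote_ip": "203.0.113.45", "port": 443},
    {"host": "ws-014", "type": "dns", "query": "cdn.bad-example.test."},
    {"host": "srv-02", "type": "file", "sha256": "ab" * 32},
    {"host": "srv-02", "type": "connection", "remote_ip": "192.0.2.10", "port": 22},
    {"host": "ws-015", "type": "dns", "query": "example.test"},
]


def run_demo():
    return Correlator(FEED).correlate(EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The engine normalises case and trailing dots once at load time so that a hash reported in upper case or a DNS query with a trailing dot still matches, and it matches subdomains of a listed domain and addresses inside a listed CIDR, which is where naive exact-match correlation usually misses. On the constructed input it raises three alerts (a connection into a listed range, a DNS query under a listed domain, and a file with a listed hash) and stays silent on the two benign events.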

Conclusion

Vulnerability Management solutions are likely here to stay and are growing more mature and important. VM vendors must seriously work towards integrating Active Agents, Continuous Monitoring and CTI feeds and data into their traditional scanner offerings. Organizations should be enabled to utilize AS’s that tie into AA’s, CM and a solid threat intelligence program. A dynamic threat intelligence capability will help ensure that security operations can keep up with the rapidly evolving Internet and offer better detection, prevention, and response capabilities. It’s imperative that vendors follow standard formats (OpenIOC, STIX, TAXII, CYBOX) when integrating CTI into their NG-VM offerings. The process of threat collection, consumption and utilization will continue to improve as adoption of such new technologies by VM vendors grows and more enterprise organizations embrace the technology.

While Qualys is busy developing an Asset Management solution and Rapid7 is building UserInsight, which detects user behavior, Tenable has an edge over the two with its CM and Active Agents that can be deployed across different platforms like Windows, Linux and Mac OS. Tenable Network Security comes pretty close to the definitions and requirements published in NIST 800-137, DISA’s Assured Compliance Assessment Solution (ACAS) and the NIST Cybersecurity Framework under EO 13636. VM vendors need to step up their game and work towards integrating Active Scanners (AS), Active Agents (AA), Continuous Monitoring (CM), and Logging/Reporting (CC) with Cyber Threat Intelligence (CTI) in real-time. If Tenable adds prevention capabilities within their AA’s, they can take the VM industry head-on.

If your budget allows investing in NG-VM, it’s important to ensure that such a solution consists of three key components – Active Scanner, Active Agents and Continuous Monitoring. Watch for rapid advancements in the field of NG-VM solutions, from vendors and the security community alike, that offer not only Active Scanners with reporting capability but also real-time threat detection and prevention capabilities in the coming months and years.