Engineering better security SECURITY DATA & ANALYTICS IT CONTROL & VISIBILITY “Vastly expanding attack surface” ATTACKER SOPHISTICATION & REACH “Weaponization of cyber attacks” TIME 控制安全风险——漏洞管理系统 Know Your Network Manage Risk Effectively Simplify Your Compliance 了解您的网络 有效管理风险 简单处理合规需求 Confidential and Proprietary 3 了解业务需求 RealContext™ • 自动归类 • 定义资产的重要性 • 设定修补和资产的责任人 Confidential and Proprietary 4 自适 的安全 应 攻击暴露面管理 • 自动发现新的资产加入网络 DHCP • 跟踪网络和信息资产的风险变 化 VMWARE • 了解所有外部资产 MOBILE AWS Sonar Labs Integration 5 自适应安全 Emergent Threats • 自动扫描整个网络的情况 • 自动触发扫描任务,基于设定的 搜索条件,比如CVSS分数。 • 不需要人工干预 Zero Day Confidential and Proprietary 6 自动工作流 TRIGGER ACTION ACTION ACTION Discover asset Scan asset for Assign high Create ticket in via DHCP vulnerabilities criticality tag ServiceNow When new asset If asset has risk If asset is is discovered score > 500 Windows server New Intuitive User Interface 8 漏洞验证n_MetaSploit Pro Validate with Metasploit • 安全地漏洞验证机制 • 专注在已知的安全风险 • 闭环的漏洞管理 Confidential and Proprietary 9 TRADITIONAL VULNERABILITY MANAGEMENT 漏洞告警列表 清晰、直观、可操作 ID Title Occurrences MS05-43 Microsoft Windows DCOM RPCSS Service Vulnerabilities 14352 MS04-61 Microsoft Windows DCOM RPC Interface Buffer Overrun Vuln 11253 MS05-72 Microsoft Windows ASN.1 Library Integer Handling 2456 MS03-32 Windows TCP/IP Remote Code Execution 522 AP04-32 Apache Tomcat Directory Traversal 414 AW01-34 APR-util Library Integer Overflow 255 AP04-16 Apache 1.3 and 2.0 Web Server 116 FT01 ProFTPD 1.3 2xc2 and Prior_mod SQL Injection 98 VZ02 OpenVZ Multiple Vulnerabilities 64 HPJ01 HP NonStop Servers and Java 55 HW08 Huawei Multiple Device Bypass 32 MS04-47 Microsoft Messenger Service Buffer Overrun Vulnerability 28 RHL013 Red Hat Linux Instance 1.3 Multiple Vulnerabilities 28 PP32-1 Plug and Play Remote Access Vulnerability 19 SMOSL1 SQL_mod remote Once Single Access 18 Confidential and Proprietary 10 合规分析和报告 Policy Scanning & • 自定义所需要的报告 Reporting PCI HIPAA SOX NERC COMPLAINT • 国际认可的各类合规报告: • PCI Compliance Reports Pass Pass Fail Pass Pass Confidential and Proprietary 11 Web 风险控制 _创新的黑盒测试 Gartner 评测排名 Rapid7's offering earned the highest rating for Web AST due to DAST features. These include its "universal translator," which enables testing of various types of exposed back-end interfaces, such as JSON, REST, SOAP, XML-RPC, Google Web Toolkit (GWT) RPC and Action Message Format (AMF). These features also include its enterprise capabilities — enterprise console, RBAC, one-click vulnerability verification, bug- tracking integration and extensive WAF integration. Gartner, Critical Capabilities for Application Security Testing - Joseph Feiman, Neil MacDonald, August 17, 2015 13 Covers more Universal Translator_转换器 technologies than any other DAST Web 3.0 & Mobile Scanner. (JSON, REST, AMF, SOAP) Web 2.0 (AJAX) JavaScript Application Frameworks CGI EXPOSURE GAP EXPOSURE Static Other Testing Tools Pages 扫描覆盖: 先进的网页抓取 • You cannot attack what you cannot crawl • Crucial to crawl entire site • Limit manual training time • Designed for human users, creates challenges for crawling ‒ JavaScript & AJAX . Dynamic links & pages ‒ Form input validation . Requires valid data • 扫描需求的变化 早已不是“HTML based” 的应用 今天的Web应用有更多的动态内容,更加复杂 通过Universal Translator进行扫描 Start Parse HTML & Javascript Modify URO with attack Find new links, and inputs payloads Parses many formats into a common description Attack Requests sent color=Blue” onmouseover=“alert(123) Mobile & Web services JSON, REST, AMF, SOAP URO - Universal Request object Type: JSON Inputs - http.cookie[0].session, 98734njfaius282 - filters[0].item, Shirt - filters[1].color, Blue Responses analyzed for vulnerability discovery 覆盖Web应用的流程 • Must attack while respecting the workflow #1 #2 #3 #4 #5 #6 #7 Add item View Cart Checkout Shipping Billing Confirm Receipt to cart info info order Error mysql_error: You have an error in your SQL syntax; near 'Smith'' at line 10 Attack Detect Clean Clean Clean Clean Clean ‘Last name’ Vulnerability • Proper attacking must follow the expected workflow • Only NTOSpider is able to automate this testing process Reporting: 详细呈现抓取过程 • 不能只呈现内容给审计人员 • 要给开发人员呈现更多内容 – Enables those with better understanding of the application to assess the completeness of the scan Reporting: 关联分析 • Consolidates numerous vulnerabilities into “Root causes” • Facilitates prioritization, coordination and tracking of remediation Reporting: 呈现攻击内容 • Easy to communicate source of problem to developers • Provides simple and usable data for all levels of the process Reporting: 呈现攻击内容 • Easy to communicate source of problem to developers • Provides simple and usable data for all levels of the process, including reproducing attacks WAF / IPS联动 Sourcefire F5 DenyAll Barracuda ModSecurity Imperva NitroSecurity Confidential and Proprietary 23 Defect Tracking联动 Jira HP Quality Center RSA Archer Confidential and Proprietary 24 DevOPS / SDL联动 Selenium Jenkins Hudson Bamboo Burp Fiddler WebScarab Paros Swagger Coverity Checkmarx Confidential and Proprietary 25 Attacks类别 Passive Attacks: Apache Struts Detection Active Attacks: ASP.NET ViewState security Apache Struts 2 Framework File Inclusion Session Strength Auto Complete Attribute Checks Forced Browsing Source Code Disclosure Browser Cache directive (leaking Arbitrary File Upload Form Session Strength SQL Injection sensitive information) ASP.Net Misconfiguration Heartbleed Check SQL Injection Authentication Browser Cache directive (web Blind SQL Injection HTTP Response Splitting Bypass application performance) Brute Force (Form Auth) HTTPS Downgrade SSL Strength Cookie Attributes Brute Force (HTTP Auth) Java Grinder (downloads jar files, Un-Validated Redirect Credentials stored in clear test in Business Logic Abuse Attacks extracts and decompiles class files Web Beacon cookies Cross-Origin Resource and examines their content for Web Service Parameter Cross Site Scripting (DOM-Based) Sharing (CORS) security-related code) Fuzzing E-Mail Disclosure Cross-Site Request Forgery LDAP Injection XML External Entity Attack Information Disclosure in (CSRF) OS Commanding XPath Injection Comments Cross Site Scripting Parameter Fuzzing Information Disclosure in (XSS,Reflected) Predictable Resource Location Response Cross Site Scripting Reflection Analysis Information Disclosure in Scripts (XSS,Simple) Reverse Proxy Information Leakage in Form Cross Site Tracing (XST) Server Configuration Submission Custom Directory Module Server Side Include Injection ( SSI) Information Leakage in Custom Parameter Module Session Fixation Responses Directory Indexing Privacy Disclosure Expression Language Profanity Injection Secure and Non-Secure Content Mix Sensitive Data Exposure Incident Detection and Response 尽可能缩短窗口期… DAY 1 DAY 2 DAY 3 DAY 206 DAY 234 attacker threat threat threat threat gains entry detectedmalwarecontained detected contained ? ? ? 1. Detect compromise the same day 2. Scope the complete incident fast 3. Quickly hand off to remediation team Confidential and Proprietary 28 终端数据收集 • Active Directory • LDAP • DHCP • DNS • VPN • IDS / IPS • Web Proxy • Firewall • E-mail Servers • Security Console • Enterprise Cloud Applications • Intruder Traps Single, Integrated Experience 29 InsightIDR Solution Architecture Remote Endpoints Network Events Real-Time Security Endpoint Team Events SSL InsightIDR Attacker Analytics Intruder On-Premise SSL Traps Insight Platform Collectors • User Behavior • Machine • Fully Searchable Analytics Learning Data Set Applications Enterprise Existing Cloud Apps Security Solutions, Alerts, and Events Mobile Devices 事件源 FOUNDATIONAL EVENT SOURCES VALUE-ADD EVENT SOURCES LDAP › DNS Microsoft Active Directory LDAP › VPN › IDS / IPS Active Directory › Web Proxy Microsoft Active Directory Domain › Firewall Controllers › E-mail Servers › Security Console DHCP › Enterprise Cloud Applications Cisco iOS › Intruder Traps Infoblox Trinzic ISC dhcpd Microsoft DHCP 31 DNS Cisco IronPort IDS / IPS Okta ISC Bind9 Fortinet FortiGate Cisco Sourcefire Salesforce.com Infoblox Trinzic Intel Security (fka McAfee) Web Dell iSensor Microsoft DNS Reporter Dell SonicWall Advanced Malware MikroTik Sophos Secure Web Gateway HP TippingPoint FireEye NX PowerDNS Squid McAfee IDS Palo Alto Networks WildFire Watchguard XTM Metaflows IDS Data Exporters WebSense Web Security GatewaySecurity Onion SIEMs/Log Aggregators FireEye Threat Analytics Platform Snort HP ArcSight HP ArcSight & ArcSight Logger E-mail IBM QRadar Splunk Microsoft ActiveSync (mobile Rapid7 Intel Security (fka McAfee) devices) Windows Agentless Endpoint NitroSecurity VPN Microsoft Exchange Monitor LogRhythm Cisco ASA VPN Outlook Web Access Mac Agentless Endpoint Monitor Splunk F5 Networks FirePass Honeypot & Honey Users Fortinet FortiGate Firewall Metasploit Virus Scanners Juniper SA Check Point Firewall Nexpose McAfee ePO Microsoft IAS (RADIUS) Cisco ASA Firewall & VPN Sophos Enduser Protection Sophos Enduser Protection Microsoft Network Policy Server Cisco Meraki Symantec Endpoint Protection Symantec Enduser Protection Microsoft Remote Web Access Fortinet Fortigate OpenVPN Juniper Netscreen Cloud Services Application Monitoring SonicWALL Firewall & VPN Palo Alto Networks Firewall AWS Cloud Trails Atlassian Confluence SonicWALL Box.com Microsoft SQL Server Web Proxy Sophos Firewall Duo Security Barracuda Web Filter Stonesoft Firewall Google Apps Blue Coat Proxy Watchguard XTM Office 365 32 攻击链条 Infiltration and Reconnaissance Lateral Mission Target Maintain Persistence • Get user list Movement • Access critical Presence • Phish users • Scout targets
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages40 Page
-
File Size-