
Next Generation Vulnerability Management: What Every IT Security Professional Needs to Know
By Tasawar Jalali (MBA, CISSP, CEH), 8/18/15

Index
Introduction
Need for Vulnerability Management Solution
Standards and Regulations
True Next Generation Vulnerability Management
  Active Scanner (AS)
  Active Agent (AA)
  Why Continuous Monitoring (CM)
    Qualys Continuous Monitoring
    Rapid7 Continuous Monitoring
    Tenable Network Security Continuous Monitoring
  Active Agents
    Qualys - Cloud Agent
    Rapid7 - UserInsight
    Tenable - Nessus Agent
Conclusion

Introduction

We are in a cyber-war, and the Internet remains an untamed frontier. Cyber-attacks grow more sophisticated, complex and destructive with every passing week. Bolstering cybersecurity is necessary, but it is also expensive and difficult to manage. Preventive controls are not keeping criminals out, and successful intrusions often take months to detect. Organizations need to be proactive in their threat and vulnerability management efforts.

Even in a modestly sized network, making sure that every asset is running all of its security patches can be a nightmare. A single host that is missing patches, or on which patches did not install correctly, can compromise the security of the entire network. No single security solution can make a network safe from all attacks. Firewalls, anti-virus and IPS cannot keep systems from being compromised by zero-day exploits and APTs, and signature-based anti-virus cannot protect workstations from polymorphic malware. According to McAfee, 100% of the companies that were breached in 2014 had anti-virus and firewalls in place. It is therefore only a matter of time before any given organization is compromised. Each organization must deploy a balanced defense-in-depth strategy in which a strong Vulnerability Management (VM) solution plays a vital role as a first line of defense.

Fig-1: Next Generation Vulnerability Management

Need for Vulnerability Management Solution

There are numerous security solutions on the market today: perimeter security, endpoint security, Vulnerability Management (VM), encryption, VPN, anti-virus, anti-malware, SIEM, WAF, IDS/IPS, PKI, SSO, and so on.
All of these tools can produce terabytes of data every day, which strains SOC teams that are already suffering from data fatigue. Dumping more data onto an already strained organization does not narrow the security problem; it compounds it. What is needed is rich, contextual, real-time visibility into the emerging threat landscape, and that is impossible to achieve without some form of real-time continuous monitoring.

This paper focuses on the VM solution: how a Next Generation Vulnerability Management (NG-VM) solution can help meet the security challenges organizations face today, and how such a solution can help identify, detect, protect against and respond to emerging threats such as zero-day exploits and Advanced Persistent Threats (APTs).

According to a report published by the Ponemon Institute early this year, despite having a multilayer defense-in-depth architecture in place, organizations experience an average of 51 security breaches per year caused by a failure in malware detection, and responding to each such failure costs approximately $62,000. A traditional network scanner that checks for known malware and vulnerabilities using signatures is no longer good enough. In the same survey, 70% of respondents said it was most likely that their organization had been infected by web-borne malware that went undetected.

Fig 2: Traditional Scanner

A comprehensive organizational cybersecurity program requires that enterprises also carry out continuous internal and perimeter vulnerability management. The traditional VM philosophy relied on point tools, many of them open source, such as Nmap, OpenVAS, Nikto, Metasploit, SAINT, SARA and Nessus to drive the vulnerability management program. Used in isolation, these tools offer sporadic updates, poor reporting capabilities, no technical support and a limited plugin set that does not cover the wide array of mobile devices, applications, operating systems and network devices found in a modern enterprise.
An NG-VM, however, must offer much more than regular updates and accurate reporting. In addition to the features above, organizations must be armed with NG-VMs that detect zero-hour macro malware and APTs and offer prevention that a traditional signature-based VM, which relies on plugins and heuristic malware detection, cannot.

Standards and Regulations

The Defense Information Systems Agency (DISA), the U.S. Department of Defense (DoD) agency that provides IT and communications support to the President, Vice President, Secretary of Defense and the military services, replaced the outdated Secure Configuration Compliance Validation Initiative (SCCVI) suite of software, which lacked continuous monitoring capability, with a new standard called the Assured Compliance Assessment Solution (ACAS). ACAS not only requires automated network vulnerability scanning, configuration assessment, application vulnerability scanning, device configuration assessment, network discovery, a centralized console and SCAP compliance, but also requires that network traffic be monitored in real time. Such continuous monitoring looks for new hosts, new applications and new vulnerabilities without active scanning, so it generates no additional network traffic and detects new threats as they appear. DISA selected Tenable as the ACAS vendor in 2012.

The National Institute of Standards and Technology (NIST) has played a significant role in cybersecurity since the 1970s, beginning with the development of the Data Encryption Standard (DES). In February 2013, Executive Order (EO) 13636 directed NIST to develop a framework that reduces cyber risks to critical infrastructure. This initiative led to the publication of the first Cybersecurity Framework in February 2014. The core of the Framework consists of five key functions, Identify, Protect, Detect, Respond and Recover, each broken down into categories and sub-categories.
Continuous Monitoring (CM) is one of the categories under the core function Detect (DE.CM, Security Continuous Monitoring). NIST Special Publication 800-137, "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations", describes continuous monitoring as a critical component of information security that maintains ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.

The SANS Top 20 Critical Security Controls list asset management as Critical Security Control 1. Having an accurate inventory is an absolute must, but meeting the full spirit of this control can be an arduous task. The good news is that there is a solution to this problem.

True Next Generation Vulnerability Management

NG-VM solutions need to include much more than reporting. In a world characterized by advanced persistent threats (APTs) and zero-hour threats, a more comprehensive NG-VM strategy is needed, one that combines traditional scanning with real-time vulnerability identification, detection, prevention and reporting. It includes Active Scanners (AS), Active Agents (AA), a Central Console (CC) and Continuous Monitoring (CM), together with the linkage between technical indicators, or Indicators of Compromise (IOCs), such as IP addresses and domains associated with threats or hashes that "fingerprint" malicious files, the adversaries behind them, their motivations and intents, and information about what is being targeted.

Fig 3: Next Generation Vulnerability Management Solution

Active Scanner (AS)

A vulnerability scanner, or Active Scanner (AS) as it is called in this paper, is a software application that assesses security vulnerabilities in networks or host systems
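To make the continuous-monitoring and IOC-linkage ideas above concrete, here is an added Python example. It is not code from the paper or from Qualys, Rapid7 or Tenable. It reconciles what a passive network sensor observes against the authorized asset inventory that Critical Security Control 1 demands, matches each record against IOC lists of the three kinds named above (IP addresses, domains, file hashes), and turns the findings into a list of hosts that should get a targeted active scan now rather than waiting for the next scheduled sweep. The inventory, the observation records, the IOC values and the 10.0.0.0/8 monitored scope are all constructed for the example.

```python
"""Passive continuous-monitoring reconciliation (added example, not the paper's or a vendor's code).

All inventory, observation and IOC values below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Network the sensor is responsible for (constructed assumption).
MONITORED_SCOPE = ipaddress.ip_network("10.0.0.0/8")

# Constructed authorized inventory: host -> set of (port, service) the VM console already knows.
AUTHORIZED_INVENTORY: Dict[str, Set[Tuple[int, str]]] = {
    "10.0.0.10": {(22, "ssh"), (443, "https")},
    "10.0.0.11": {(3389, "rdp")},
}

# Constructed threat-intel indicators (documentation/test values, not real IOCs).
IOC_IPS: Set[str] = {"198.51.100.23"}
IOC_DOMAINS: Set[str] = {"bad.example.net"}
IOC_HASHES: Set[str] = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Constructed passive-sensor records, as a tap might reconstruct them from flows, DNS and file transfers.
# Fields: src, dst, dport, service (from protocol decode), dns (query seen), sha256 (file carved from the stream).
OBSERVATIONS: List[dict] = [
    {"src": "10.0.0.10", "dst": "10.0.0.11", "dport": 3389, "service": "rdp", "dns": None, "sha256": None},
    {"src": "10.0.0.12", "dst": "10.0.0.10", "dport": 22, "service": "ssh", "dns": None, "sha256": None},
    {"src": "10.0.0.11", "dst": "10.0.0.10", "dport": 8080, "service": "http", "dns": None, "sha256": None},
    {"src": "10.0.0.10", "dst": "198.51.100.23", "dport": 443, "service": "https",
     "dns": "bad.example.net", "sha256": None},
    {"src": "10.0.0.11", "dst": "10.0.0.10", "dport": 443, "service": "https", "dns": None,
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


@dataclass
class Findings:
    new_hosts: Set[str] = field(default_factory=set)                      # in scope, absent from inventory
    new_services: Set[Tuple[str, int, str]] = field(default_factory=set)  # (host, port, service) not in inventory
    ioc_hits: List[Tuple[str, str, str]] = field(default_factory=list)    # (kind, indicator, internal host)


def in_scope(ip: str) -> bool:
    """True if the address belongs to the monitored network; non-IP strings never count as assets."""
    try:
        return ipaddress.ip_address(ip) in MONITORED_SCOPE
    except ValueError:
        return False


def reconcile(inventory, observations, ioc_ips, ioc_domains, ioc_hashes) -> Findings:
    """Compare passively observed traffic against the inventory and the IOC lists."""
    f = Findings()
    for o in observations:
        src, dst = o["src"], o["dst"]
        # 1. Asset discovery: any in-scope address the console has never seen is a new host.
        for ip in (src, dst):
            if in_scope(ip) and ip not in inventory:
                f.new_hosts.add(ip)
        # 2. Service discovery: a known host accepting a (port, service) that is not in its
        #    inventory entry has changed. New hosts are reported above, not here.
        if dst in inventory and (o["dport"], o["service"]) not in inventory[dst]:
            f.new_services.add((dst, o["dport"], o["service"]))
        # 3. IOC matching. Network indicators are attributed to the internal side of the
        #    connection; a file hash is attributed to the host that received the file.
        internal = src if in_scope(src) else dst
        if dst in ioc_ips:
            f.ioc_hits.append(("ip", dst, internal))
        if o.get("dns") in ioc_domains:
            f.ioc_hits.append(("domain", o["dns"], internal))
        if o.get("sha256") in ioc_hashes:
            f.ioc_hits.append(("hash", o["sha256"], dst))
    return f


def scan_targets(f: Findings) -> List[str]:
    """Hosts that warrant an immediate, targeted active scan instead of waiting for the next full sweep."""
    targets = set(f.new_hosts)
    targets.update(host for host, _, _ in f.new_services)
    targets.update(host for _, _, host in f.ioc_hits)
    return sorted(targets)


if __name__ == "__main__":
    findings = reconcile(AUTHORIZED_INVENTORY, OBSERVATIONS, IOC_IPS, IOC_DOMAINS, IOC_HASHES)
    print("new hosts:   ", sorted(findings.new_hosts))
    print("new services:", sorted(findings.new_services))
    for kind, value, host in findings.ioc_hits:
        print(f"IOC hit: {kind}={value} on {host}")
    print("scan now:    ", scan_targets(findings))
```

Run as-is, the script reports 10.0.0.12 as an unknown host, an unexpected HTTP listener on port 8080 of 10.0.0.10, three IOC hits (the destination IP and the domain queried by 10.0.0.10, and the known-bad file received by 10.0.0.10), and hands 10.0.0.10 and 10.0.0.12 to the active scanner. That is the division of labour the paper argues for: the passive sensor finds change without adding traffic, and the active scanner is pointed only where something changed.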