Best Practices for Reducing Your Attack Surface
Skybox Security webinar, 14 October 2015
© 2015 Skybox Security Inc.
Speakers
Michelle Cobb, Skybox Security – VP of Worldwide Marketing
Alastair Williams, Skybox Security – Technical Director, EMEA
Agenda
Overview of How to Reduce Your Attack Surface
-- Michelle Cobb, Skybox Security
Demo: Skybox Overview
-- Alastair Williams, Skybox Security
Skybox Security Overview
Risk Analytics for Cyber Security
Powerful platform uses attack surface visibility and intelligence to address:
– Firewall and change management
– Network visibility and compliance
– Vulnerability and threat management
Over 500 Global 2000 customers
Different customers with common challenges
– Consumer
– Healthcare
– Technology
– Energy & Utilities
– Government & Defense
– Service Providers
– Financial Services
Most breaches are preventable
Organizations don’t understand their attack surface:
– No visibility of the environment
– Lack of actionable intelligence
– Disjointed security tools and data
– Lack of expertise
97% of breaches are avoidable through standard controls
Step 1: Increase Your Understanding of Your Attack Surface
It might not be as easy as you think.
Your Attack Surface Has Many Layers
ASSETS
• Servers
• Workstations
• Networks
SECURITY CONTROLS
• Firewalls
• IPS
• VPNs
NETWORK TOPOLOGY
• Routers
• Load Balancers
• Switches
VULNERABILITIES
• Location
• Criticality
THREATS
• Hackers
• Insiders
• Worms
Source: Skybox Security
Step 2: Evaluate Critical Threats to Your Network
Traditional Means Are a Good Start
Penetration testing
– True test of network security
– Performed infrequently, at a preplanned time
Vulnerability scanning
– Detects vulnerabilities on a regular basis
– Lacks network context
Attack Simulation to Find and Minimize Risks
Visualize, Correlate, Prioritize
• Exploitable vulnerabilities – correlate the vulnerability list with the network model
• Understand controls – security controls, access paths, policy violations, unauthorized changes
• Identify attack vectors – single out the high-risk vectors
Step 3: Stay on Top of New Threats
The Media is Playing a Role in Your Security
Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of their CVE publication date [3]
Identify Critical Unremediated Vulnerabilities
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published [3]
Top Ten Most Exploited
1. CVE-2002-0012
2. CVE-2002-0013
3. CVE-1999-0517
4. CVE-2001-0540
5. CVE-2014-3566
6. CVE-2012-0152
7. CVE-2001-0680
8. CVE-2002-1054
9. CVE-2002-1931
10. CVE-2002-1932
Mitigation Options
• Patching
• Removal
• Configuration
• IPS
• Firewall rules
Scanless Vulnerability Detection: Identify Vulnerabilities Without a Scan
Vulnerability Deduction (diagram)
– Data sources: asset / patch management, networking devices, active scanner
– Product profiling: OS version & patch level and application versions are normalized into a product catalog (CPE)
– The product catalog is matched against the vulnerability database to produce the vulnerability list (CVE)
Determine Impact of a New Threat in Hours
– Typical scanner: 250 hosts/hour
– Analytical scan: 100,000 hosts/hour
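The deduction step in the diagram, and the "impact of a new threat" query on the slide after it, as an added worked example (not Skybox code). It normalizes a per-host product profile into CPE 2.3 names, matches them against a vulnerability database that lists affected CPEs with NVD-style version ranges, and drops findings whose remediating patch is already installed. Every CVE id, vendor, product, host name and patch id below is a constructed placeholder; none refers to a real advisory.

```python
"""Scanless vulnerability deduction from a product profile.

Added worked example, not Skybox code. Asset/patch data is normalized
into CPE 2.3 names, then matched against a vulnerability database that
lists affected CPEs with NVD-style version ranges. All ids, products,
hosts and patches here are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def vtuple(version: str) -> tuple:
    """Numeric version key: '2.4.49' -> (2, 4, 49). Non-numeric parts are
    ignored, which is sufficient for the constructed versions used here."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def cpe_fields(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string into its 11 attributes
    (part, vendor, product, version, update, edition, language,
    sw_edition, target_sw, target_hw, other). Escaped colons are not
    handled; the constructed data contains none."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return parts[2:]


VERSION = 3  # index of the version attribute in cpe_fields()


@dataclass
class Affected:
    """One affected-product entry: a CPE pattern plus an optional version
    range (start inclusive, end exclusive), the way NVD expresses it."""
    cpe: str
    start_incl: Optional[str] = None
    end_excl: Optional[str] = None


@dataclass
class Vuln:
    affected: List[Affected]
    fixed_by: Set[str] = field(default_factory=set)  # patch ids that remediate


def cpe_match(entry: Affected, installed: str) -> bool:
    """True if the installed CPE falls under the entry's pattern and range."""
    pat, inst = cpe_fields(entry.cpe), cpe_fields(installed)
    for i, (p, v) in enumerate(zip(pat, inst)):
        if i != VERSION and p != "*" and p != v:  # '*' is ANY, else exact match
            return False
    if pat[VERSION] != "*":                       # version pinned in the pattern
        return pat[VERSION] == inst[VERSION]
    v = vtuple(inst[VERSION])
    if entry.start_incl and v < vtuple(entry.start_incl):
        return False
    if entry.end_excl and v >= vtuple(entry.end_excl):
        return False
    return True


# Constructed vulnerability database (placeholder ids, not real CVEs).
VULN_DB: Dict[str, Vuln] = {
    "CVE-0000-0001": Vuln([Affected("cpe:2.3:a:example:webserver:*:*:*:*:*:*:*:*", "2.4.0", "2.4.50")]),
    "CVE-0000-0002": Vuln([Affected("cpe:2.3:o:example:serveros:2019:*:*:*:*:*:*:*")], fixed_by={"PATCH-0002"}),
    "CVE-0000-0003": Vuln([Affected("cpe:2.3:a:example:dbms:*:*:*:*:*:*:*:*", "13.0", "13.4")]),
}

# Constructed product profiles, as asset/patch management would report them.
HOSTS: Dict[str, dict] = {
    "web01": {"cpes": ["cpe:2.3:a:example:webserver:2.4.49:*:*:*:*:*:*:*",
                       "cpe:2.3:o:example:serveros:2019:*:*:*:*:*:*:*"],
              "patches": {"PATCH-0002"}},
    "web02": {"cpes": ["cpe:2.3:a:example:webserver:2.4.51:*:*:*:*:*:*:*",
                       "cpe:2.3:o:example:serveros:2019:*:*:*:*:*:*:*"],
              "patches": set()},
    "db01": {"cpes": ["cpe:2.3:a:example:dbms:13.2:*:*:*:*:*:*:*"],
             "patches": set()},
}


def deduce(hosts: Dict[str, dict], db: Dict[str, Vuln]) -> Dict[str, List[str]]:
    """Map each host to the CVE ids deduced from its product profile,
    skipping any vulnerability whose remediating patch is installed."""
    result: Dict[str, List[str]] = {}
    for host, profile in hosts.items():
        found = set()
        for cve, vuln in db.items():
            if vuln.fixed_by & profile["patches"]:
                continue
            if any(cpe_match(a, c) for a in vuln.affected for c in profile["cpes"]):
                found.add(cve)
        result[host] = sorted(found)
    return result


def affected_hosts(cve: str, hosts=HOSTS, db=VULN_DB) -> List[str]:
    """Impact of a newly published CVE: a query over profiles, no rescan."""
    return sorted(h for h, cves in deduce(hosts, db).items() if cve in cves)


if __name__ == "__main__":
    for host, cves in deduce(HOSTS, VULN_DB).items():
        print(f"{host}: {', '.join(cves) or 'none'}")
    print("CVE-0000-0002 exposure:", affected_hosts("CVE-0000-0002"))
```

The patch check is what separates deduction from a naive version lookup: web01 runs the same OS build as web02 but carries the remediating patch, so only web02 is reported. The version comparison is deliberately numeric-only; a production deducer would need the vendor's own ordering rules for builds, betas and backports.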
Step 4: Close Network Device Security Gaps
Monitor Firewalls and Network Devices for Security Gaps
Complete visibility of
– Hosts, devices, zones
– Firewall rules (ACLs)
– Routing, NAT, VPN
Analysis
– Risky access paths (for example, a firewall rule that leaves a port open from the internet)
– Access policy compliance
– Rule usage
– Platform configuration
Step 5: Assess Risk of Planned Changes
Change Management – Optimize Workflow
Workflow: Change Request, Technical Details, Risk Assessment, Change Implementation, Reconcile and Verify
Automate the change management process
– Monitor changes
– Assess risk before the change is made
– Identify devices involved
– Deliver access path information immediately
– Handle exceptions
– Reconcile changes
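The two checks from Step 4 and Step 5 (risky access paths and access-policy compliance on the current rule base, and the same assessment run on a proposed change before it is implemented), as an added worked example that is not Skybox code. Zones, the zone-to-zone access policy, the rule base and the proposed rules are all constructed; rules are evaluated first-match, so a rule fully covered by an earlier one is reported as shadowed rather than as a live path.

```python
"""Access-policy check for a firewall rule base and for proposed changes.

Added worked example, not Skybox code. Zones, policy and rules below
are constructed sample data. Rules are first-match; a rule covered by
an earlier rule is shadowed and contributes no access path.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed zones: a network belongs to the most specific zone containing it.
ZONES: Dict[str, List[IPv4Network]] = {
    "internet": [ip_network("0.0.0.0/0")],
    "dmz": [ip_network("203.0.113.0/24")],
    "internal": [ip_network("10.0.0.0/8")],
}

# Constructed access policy: (src zone, dst zone) -> ports allowed.
# A missing pair means no access is permitted between those zones.
POLICY: Dict[Tuple[str, str], Set[int]] = {
    ("internet", "dmz"): {443},
    ("dmz", "internal"): {5432},
    ("internal", "internet"): {80, 443},
    ("internal", "dmz"): {22, 443},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"


def zone_of(net: IPv4Network) -> str:
    """Longest-prefix zone lookup, so 10.0.1.5/32 is 'internal' even
    though the 'internet' zone (0.0.0.0/0) also contains it."""
    best: Optional[Tuple[str, int]] = None
    for name, nets in ZONES.items():
        for z in nets:
            if net.subnet_of(z) and (best is None or z.prefixlen > best[1]):
                best = (name, z.prefixlen)
    return best[0] if best else "unknown"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.port is None or a.port == b.port))


def shadowed(rules: List[Rule], idx: int) -> bool:
    """Rule idx never fires if an earlier rule covers it (first match wins)."""
    return any(covers(rules[i], rules[idx]) for i in range(idx))


def violations(rules: List[Rule]) -> List[str]:
    """Names of live allow rules that open a path the policy does not permit.
    An allow on 'any port' is always a violation: the policy is port-specific."""
    out = []
    for i, r in enumerate(rules):
        if r.action != "allow" or shadowed(rules, i):
            continue
        allowed = POLICY.get((zone_of(r.src), zone_of(r.dst)), set())
        if r.port is None or r.port not in allowed:
            out.append(r.name)
    return out


def assess_change(rules: List[Rule], new_rule: Rule, position: Optional[int] = None) -> List[str]:
    """Risk assessment before implementation: insert the proposed rule
    (by default just above the final rule, the cleanup deny) and report
    only the violations the change introduces."""
    if position is None:
        position = len(rules) - 1
    proposed = rules[:position] + [new_rule] + rules[position:]
    return sorted(set(violations(proposed)) - set(violations(rules)))


# Constructed rule base. 'rdp-jump' is the gap the slide describes: a port
# open from the internet straight into the internal zone.
RULES: List[Rule] = [
    Rule("web-in", ip_network("0.0.0.0/0"), ip_network("203.0.113.10/32"), 443, "allow"),
    Rule("db-from-dmz", ip_network("203.0.113.0/24"), ip_network("10.0.5.0/24"), 5432, "allow"),
    Rule("rdp-jump", ip_network("0.0.0.0/0"), ip_network("10.0.1.5/32"), 3389, "allow"),
    Rule("rdp-partner", ip_network("198.51.100.0/24"), ip_network("10.0.1.5/32"), 3389, "allow"),
    Rule("deny-all", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None, "deny"),
]

if __name__ == "__main__":
    print("current violations:", violations(RULES))
    ssh_admin = Rule("ssh-admin", ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24"), 22, "allow")
    any_out = Rule("any-out", ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0"), None, "allow")
    print("ssh-admin introduces:", assess_change(RULES, ssh_admin))
    print("any-out introduces:", assess_change(RULES, any_out))
```

Note that 'rdp-partner' is not reported even though it too reaches the internal host on 3389: it sits below 'rdp-jump', which already matches every source, so it is dead until the broader rule is removed. Reconciling after the change (comparing the implemented rule base against the approved request) reuses the same `violations` function on the post-change configuration.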
Summary
1. Increase your understanding of your attack surface – Achieve a holistic understanding of your network
2. Evaluate critical threats to your network – Perform regular analysis to help prioritization
3. Stay on top of new threats – Use methods of quick detection
4. Close network device security gaps – Buy yourself time for future threats
5. Assess risk of proposed changes – Don’t introduce future problems