  • WHITE PAPER
    CONFIDENCE: SECURED
    ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE

    TONY BRADLEY, CISSP-ISSAP, MICROSOFT MVP, EDITOR-IN-CHIEF OF TECHSPECTIVE

    MIND THE GAP: USING VULNERABILITY MANAGEMENT TO ADDRESS THE ENTERPRISE CYBERTHREAT GAP

  • Mind the Gap: Using Vulnerability Management to Address the Enterprise Cyberthreat Gap

    If an organization does not have enough information about suspicious activity or security events on its network, that is obviously a problem. For most enterprises today, though, the opposite is true: there is such an overwhelming amount of information that it is difficult to properly correlate, analyze, and understand what's going on. Attackers continue to get more organized and more sophisticated over time, and a lack of qualified IT staff leaves organizations at a distinct disadvantage.

    INTRODUCTION
    The problem for most enterprises today is information overload. Attacks are becoming more sophisticated, and they are increasing at a pace that IT professionals simply can't keep up with. A data breach is a matter of when, not if, and what separates a minor incident from a catastrophic event is the ability to minimize the cyberthreat gap and to address issues more effectively and efficiently.

    This paper discusses the security challenges facing enterprises today and how to deal with them. Specifically, it describes how automated vulnerability management can be an effective tool for reducing the cyberthreat gap and minimizing the potential damage from a data breach.

    THREE MAJOR CHALLENGES
    There are three primary challenges facing IT professionals today. The first is information overload and the lack of a single source of truth. Enterprises rely on disparate, specialized security tools (antivirus, firewalls, intrusion detection/prevention, patch management, and so on). SIEM (Security Information and Event Management) platforms are ostensibly designed to address this problem, but because these different systems don't share data, it is difficult to aggregate security information effectively. No single vendor can truly manage everything end-to-end, so organizations need enterprise integration: the ability to unify data from separate silos in order to make effective decisions in a timely manner.

    Another factor is a lack of business context. IT departments do not have unlimited resources, so it's impossible to resolve every single issue immediately. Some applications or servers are more business critical than others and deserve more attention and protection. If all assets are treated as equal, it's impossible to allocate IT resources effectively to reduce the cyberthreat gap and minimize the impact of an attack, so it's important to determine which assets matter most and focus on those. Risk has to be managed within the scope of business context in order to filter out noise and concentrate on the critical assets.

    The third factor is the motives and motivations of the adversaries that enterprises face. While organizations have to identify and patch every vulnerability and defend against every possible attack, attackers only have to find one exploit that works. A patient adversary has time on his or her side, and a successful data breach may play out over an extended period of days, weeks, or months. Enterprises need reliable data collection that identifies the changes that are indicators of compromise, eliminates blind spots, and enables fast and effective decisions.

    THE ENTERPRISE CYBERTHREAT GAP
    How much damage can be done, or how much data can be compromised, by an attacker in a day? How about a month? Mandiant (now part of FireEye) reported that attackers were present on a victim's network for a median of 243 days before the APT (Advanced Persistent Threat) was discovered, and a Ponemon study revealed that it typically takes 123 days to completely resolve a breach. That's a whole year from the time an attacker infiltrates the network until the compromise is detected and the threat is eradicated. A year. Add to that the fact that most organizations don't discover their own data breaches themselves, and it's obvious that enterprises have a problem.

    One of the keys to better security is to give up on the idea that complete security is an achievable goal. It isn't a matter of if your organization will be compromised, it's a matter of when, and it's best to work under the assumption that you are in a constant state of compromise. Instead of hiding behind the illusion of security, work to understand the nature and behavior of the threats, and then implement solutions that help identify and resolve incidents more quickly.

    Tripwire's Enterprise Cyberthreat Gap model was created to illustrate the different phases of the Cyberthreat Lifecycle and to provide IT professionals with a means of addressing escalating security risks. It is critical to discover a breach, determine when the initial breach occurred, and identify how long your data has been exposed.


    Tripwire breaks the lifecycle down into three phases:

    Detection Gap: the time it takes to discover an actual compromise and identify its nature. The longer it takes to detect, the greater the likelihood of loss (or of never being able to establish what really happened).

    Response Gap: the time it takes after detection to understand the scope and severity of the attack and to take steps to minimize damage.

    Prevention Gap: the time it takes to put measures in place to avoid future attacks, such as implementing additional monitoring or patching vulnerabilities (75 percent of breaches could be prevented by remediating known vulnerabilities).

    DETECTION GAP
    The Detection Gap is the time between when a breach actually occurs and when it is detected. It is crucial for an enterprise to be able to limit this gap, because every day that a breach goes undetected is an opportunity for the attackers to wreak more havoc and compromise more data.

    IT professionals need to be able to answer the question "Have we been breached?" There are red flags, indicators of compromise, that enterprises should be looking for: rogue, unknown devices suddenly popping up on the network, new applications installed that shouldn't be there, or network equipment taken offline or uninstalled.

    The challenge is how to answer that question effectively and minimize the Detection Gap. Many attacks are smart enough not to make waves. They take their time infiltrating and compromising the network in order to fly under the radar and evade detection. The best way to identify sophisticated attacks is often to detect a sequence of small changes that plays out over time.

    Organizations should have tools in place to detect changes and events of interest in real time, and to alert IT personnel about rogue hosts or applications as they happen, not just in a report after the fact. To improve the signal-to-noise ratio, the tools also need to be able to incorporate vulnerability or risk assessment information and correlate suspicious activity with vulnerable hosts.

    It's also important to view activity through the lens of behavioral context. Patterns often emerge that provide indicators of risk, assist in early detection, and speed up the response when an actual incident occurs.
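    As an added illustration of the change detection just described (example code written for this page; it is not Tripwire's code and not from the original white paper), three constructed inventory snapshots are diffed to raise events for a host nobody registered, an application that is not on the approved list, a new listening port, and a device that has dropped off the network, and a host that keeps raising alerts across successive runs is singled out as the "sequence of small changes" pattern. The snapshot contents, the known-host set and the approved-application list are all assumptions made for the example.

```python
"""Detect rogue hosts, unauthorized applications and new listening services from
successive asset-inventory snapshots, and surface hosts whose alerts accumulate
over several runs. Added example with constructed data; not Tripwire's code."""
from dataclasses import dataclass

# Constructed snapshots, one per inventory run, keyed by host IP. Each record
# holds what the paper says an inventory should: OS, applications, open ports.
SNAPSHOTS = [
    ("2014-11-01", {
        "10.0.1.10": {"os": "Windows Server 2008 R2", "apps": {"IIS 7.5", "SQL Server 2008"}, "ports": {80, 443, 1433}},
        "10.0.1.20": {"os": "RHEL 6.5", "apps": {"Apache 2.2", "OpenSSH 5.3"}, "ports": {22, 80}},
    }),
    ("2014-11-02", {
        "10.0.1.10": {"os": "Windows Server 2008 R2", "apps": {"IIS 7.5", "SQL Server 2008"}, "ports": {80, 443, 1433}},
        "10.0.1.20": {"os": "RHEL 6.5", "apps": {"Apache 2.2", "OpenSSH 5.3"}, "ports": {22, 80}},
        "10.0.1.77": {"os": "Linux", "apps": set(), "ports": {22}},   # host nobody registered
    }),
    ("2014-11-03", {
        "10.0.1.10": {"os": "Windows Server 2008 R2", "apps": {"IIS 7.5", "SQL Server 2008", "TeamViewer"}, "ports": {80, 443, 1433, 5938}},
        "10.0.1.77": {"os": "Linux", "apps": {"nmap"}, "ports": {22, 4444}},
    }),
]

# Constructed authorisation data: hosts the CMDB knows, apps allowed on servers.
KNOWN_HOSTS = {"10.0.1.10", "10.0.1.20"}
APPROVED_APPS = {"IIS 7.5", "SQL Server 2008", "Apache 2.2", "OpenSSH 5.3"}


@dataclass(frozen=True)
class Change:
    when: str
    host: str
    kind: str       # new_host, host_gone, new_port, new_app
    detail: str
    severity: str   # "info" for expected changes, "alert" for indicators


def diff_snapshots(prev, curr, when):
    """Return the Change events between two consecutive inventories."""
    changes = []
    for host in curr.keys() - prev.keys():
        # An unregistered device appearing is the rogue-host indicator.
        sev = "alert" if host not in KNOWN_HOSTS else "info"
        changes.append(Change(when, host, "new_host", curr[host]["os"], sev))
    for host in prev.keys() - curr.keys():
        # Equipment going offline or being removed is itself an indicator.
        changes.append(Change(when, host, "host_gone", prev[host]["os"], "alert"))
    for host in curr.keys() & prev.keys():
        for port in sorted(curr[host]["ports"] - prev[host]["ports"]):
            changes.append(Change(when, host, "new_port", str(port), "alert"))
        for app in sorted(curr[host]["apps"] - prev[host]["apps"]):
            sev = "alert" if app not in APPROVED_APPS else "info"
            changes.append(Change(when, host, "new_app", app, sev))
    return changes


def detect_changes(snapshots):
    """Diff every consecutive pair of snapshots and return all events in order."""
    events = []
    for (_, prev), (when, curr) in zip(snapshots, snapshots[1:]):
        events.extend(diff_snapshots(prev, curr, when))
    return events


def hosts_with_escalating_changes(events, min_runs=2):
    """Hosts that raised alerts in at least min_runs separate inventory runs:
    the slow, low-noise pattern a single-run report would never show."""
    runs = {}
    for e in events:
        if e.severity == "alert":
            runs.setdefault(e.host, set()).add(e.when)
    return sorted(h for h, days in runs.items() if len(days) >= min_runs)


if __name__ == "__main__":
    found = detect_changes(SNAPSHOTS)
    for e in found:
        print(f"{e.when} {e.severity:5} {e.host:10} {e.kind:9} {e.detail}")
    print("escalating:", hosts_with_escalating_changes(found))
```

    The host-by-host diff is what a single report gives you; the last function is the part that closes the Detection Gap, because 10.0.1.77 looks like one stray box on its first day and only becomes obviously hostile when its second and third changes are read together with the first.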

    RESPONSE GAP
    Once an attack is detected, the next order of business is the Response Gap: limiting the damage by minimizing the time between discovery and remediation.

    Organizations need immediate access to information that enables them to answer crucial questions about the attack. If the breach was the result of a vulnerability being exploited, IT personnel need to be able to determine quickly which other machines are vulnerable. Why? Because if attackers were able to exploit a vulnerability on one machine, they're likely able to exploit it on others. Time is of the essence in this scenario, and waiting to run a new vulnerability scan is not a viable option: the results of the most recent scan should answer the question immediately, provided you know how old they are and treat out-of-date results accordingly.

    If your log monitoring tool alerts you to suspicious activity on your network, you need to have the right information at your fingertips to answer urgent and important questions: Who owns the machine? What applications does it run? Which ports are open? What vulnerabilities does it have?

    In order to minimize the Response Gap, you need to be able to find, isolate, and mitigate affected machines, keeping in mind the business context of the assets so that the most critical systems are treated as the higher priority. You need to know who is responsible for the target host and what its business purpose is, so that the right people can be notified and decisions can be made quickly.

    An ideal platform for addressing the Response Gap enables an organization to answer all of the above questions quickly by searching through historical scan, inventory and forensic data. It should be able to look back in time to the window when no patch or signature was available and identify the changes made then, so the damage can be isolated and resolved. Ideally, it should also provide some context about where the attack originated and when, and the ability to quickly disable login credentials that are exhibiting suspicious or malicious behavior.
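    An added example of answering those questions from data already collected (constructed for this page; it is not IP360's data model or API): the last credentialed scan of each host and the asset register are queried for every host carrying the CVE that was exploited, the hits are ranked by criticality tier with owner, applications and open ports attached, and results from a scan older than a chosen threshold are flagged as stale rather than silently trusted. The CVE identifiers are real (CVE-2014-0160 is Heartbleed, CVE-2014-3566 is POODLE); which hosts carry them, the scan dates, owners and tiers are all constructed.

```python
"""Blast-radius lookup for the Response Gap: which hosts carry the exploited
vulnerability, who owns them, what they run, what is listening, and whether the
scan data is fresh. Added example with constructed data; not Tripwire's code."""
from datetime import date

# Constructed asset register: owner, business role, criticality tier (1 = most critical).
ASSETS = {
    "10.0.1.10": {"owner": "ecommerce-team", "role": "customer web/DB", "tier": 1},
    "10.0.1.11": {"owner": "ecommerce-team", "role": "customer web (standby)", "tier": 1},
    "10.0.2.30": {"owner": "it-ops", "role": "intranet wiki", "tier": 3},
    "10.0.3.50": {"owner": "finance", "role": "reporting server", "tier": 2},
}

# Constructed results of the most recent credentialed scan of each host.
# The CVE IDs are real; their placement on these hosts is invented for the example.
LAST_SCANS = {
    "10.0.1.10": {"scanned": date(2014, 11, 1), "apps": {"IIS 7.5", "OpenSSL 1.0.1e"},
                  "ports": {80, 443}, "cves": {"CVE-2014-0160", "CVE-2014-3566"}},
    "10.0.1.11": {"scanned": date(2014, 11, 1), "apps": {"IIS 7.5", "OpenSSL 1.0.1e"},
                  "ports": {80, 443}, "cves": {"CVE-2014-0160"}},
    "10.0.2.30": {"scanned": date(2014, 9, 2), "apps": {"Apache 2.2", "OpenSSL 1.0.1e"},
                  "ports": {80, 443}, "cves": {"CVE-2014-0160"}},
    "10.0.3.50": {"scanned": date(2014, 11, 1), "apps": {"Apache 2.4", "OpenSSL 1.0.1h"},
                  "ports": {443}, "cves": set()},
}

# Constructed date on which the SIEM alert arrives.
INCIDENT_DAY = date(2014, 11, 5)


def exposed_hosts(exploited_cve, now, max_scan_age_days=30):
    """Hosts whose most recent scan found exploited_cve, most critical first,
    with the context an incident responder needs attached. Hosts whose scan is
    older than max_scan_age_days stay in the list but are flagged: old data is
    better than waiting for a rescan, as long as nobody mistakes it for current."""
    hits = []
    for host, scan in LAST_SCANS.items():
        if exploited_cve not in scan["cves"]:
            continue
        asset = ASSETS[host]
        age = (now - scan["scanned"]).days
        hits.append({
            "host": host,
            "owner": asset["owner"],
            "role": asset["role"],
            "tier": asset["tier"],
            "apps": sorted(scan["apps"]),
            "ports": sorted(scan["ports"]),
            "scan_age_days": age,
            "stale": age > max_scan_age_days,
        })
    # Tier first so the most business-critical hosts are handled first.
    return sorted(hits, key=lambda h: (h["tier"], h["host"]))


def notify_list(hits):
    """Owners to page, in the order their most critical host appears, no duplicates."""
    seen, owners = set(), []
    for h in hits:
        if h["owner"] not in seen:
            seen.add(h["owner"])
            owners.append(h["owner"])
    return owners


if __name__ == "__main__":
    hits = exposed_hosts("CVE-2014-0160", INCIDENT_DAY)
    for h in hits:
        flag = " (STALE SCAN)" if h["stale"] else ""
        print(f"tier {h['tier']} {h['host']} owner={h['owner']} ports={h['ports']} "
              f"apps={h['apps']} scanned {h['scan_age_days']}d ago{flag}")
    print("notify:", notify_list(hits))
```

    The stale flag is the caveat the section glosses over: 10.0.2.30 was last scanned two months before the incident, so it may have been patched, or it may have acquired more problems, and a responder should treat that row as "verify now" rather than either trusting or discarding it.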

    PREVENTION GAP
    The final piece of closing the Enterprise Cyberthreat Gap is the Prevention Gap. You need to put preventive measures in place to avoid future attacks and reduce the odds of a successful attack occurring.

    How do you address the Prevention Gap? For starters, reduce the overall attack surface by shutting off or disabling unused devices, services and applications. Next, maintain an accurate and up-to-date inventory of every device and application on the network. Every IP-based asset running on your network (servers, desktops, laptops, routers, switches, firewalls, printers, etc.) should be catalogued, along with a profile of the operating system, the applications and their current versions, and the open ports on each device.


    Scan remote and third-party (supply chain, vendor, and partner) networks. Don't ignore hard-to-reach places like your network perimeter and remote offices, which could provide an easy back door for attackers, and be thorough by scanning both managed and unmanaged devices and systems. Web applications are a frequent and easy target for attackers, so identify and fix their vulnerabilities, including the ones in your own code that no public advisory will ever cover.

    Finally, prioritize remediation. You should have a scoring and reporting system that takes into account both the vulnerabilities and the general risk for a given system, as well as its role within a business context. Each asset should have its own score to guide remediation efforts, so that resources go to mitigating or recovering mission-critical systems first.

    USE VULNERABILITY MANAGEMENT TO CLOSE THE CYBERTHREAT GAP
    A comprehensive vulnerability management platform like Tripwire IP360 plays a central role in establishing an effective program to address the Cyberthreat Gap. There are four ways vulnerability management facilitates closing the gap: reliable data collection, business context, security automation, and enterprise integration.

    RELIABLE DATA COLLECTION
    Vulnerability management helps you eliminate blind spots by consistently collecting data from most, if not all, of the devices and applications that touch your network. You can strike a balance between scan accuracy and host or network impact by choosing between simple detection and active exploitation to verify a vulnerability. There is also a balance between scan speed and the volume of data collected: for example, a cursory scan versus a deeper scan (using credentials so the scanner can log in to the host, collect more data and conduct a full port scan), or continuous scanning versus periodic scans.

    The vulnerability management platform can also receive automated threat and coverage feeds to stay up to date on emerging threats, and leverage historical data to enable instant queries, identify trends and provide forensic analysis capabilities.

    BUSINESS CONTEXT
    A comprehensive vulnerability management platform enables you to manage security risk in the terms that apply to your business. Understanding the business context of the assets on your network helps identify where a system is located and who owns it, and enables an organization to limit users' access to only the systems or data their roles require.

    Another facet of business context is the monetary value of assets: the ability to assign a specific financial value to the potential impact of an attack or exploit. A random endpoint may hold relatively little value, while an e-commerce web server could be worth millions.

    You can align your vulnerability management program with your organizational structure, and prioritize your efforts based on which assets are most critical to your business rather than treating every vulnerable machine as an equal priority.
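    An added example of the asset scoring called for under "prioritize remediation" above and in this business-context section (illustrative weighting chosen for this page; it is not Tripwire's scoring model): expected loss per asset is the likelihood that its worst finding gets used, lifted when public exploit code exists and when the host is internet-facing, multiplied by the dollar value the business assigned to the asset. All hosts, values and findings are constructed, and the VULN-x labels are placeholders rather than real advisories. The same hosts are also ranked by raw CVSS alone so the difference is visible.

```python
"""Remediation queue ordered by expected loss rather than raw severity.
Added example; the weights are an illustrative choice, not Tripwire's scoring."""

# Constructed asset register with business context: owner, whether the host is
# reachable from the internet, and the dollar impact assigned to its compromise.
ASSETS = [
    {"host": "shop-web-01", "owner": "ecommerce",  "internet_facing": True,  "value_usd": 5_000_000},
    {"host": "wiki-01",     "owner": "it-ops",     "internet_facing": False, "value_usd": 20_000},
    {"host": "hr-db-01",    "owner": "hr",         "internet_facing": False, "value_usd": 1_500_000},
    {"host": "kiosk-07",    "owner": "facilities", "internet_facing": False, "value_usd": 1_000},
]

# Constructed scan findings per host: CVSS base score (0-10) and whether a
# public exploit is known. A scanner's threat feed would supply both; the
# VULN-x identifiers are placeholders, not real advisories.
FINDINGS = {
    "shop-web-01": [{"id": "VULN-A", "cvss": 7.5, "exploit_public": True},
                    {"id": "VULN-B", "cvss": 4.3, "exploit_public": False}],
    "wiki-01":     [{"id": "VULN-C", "cvss": 9.8, "exploit_public": True}],
    "hr-db-01":    [{"id": "VULN-D", "cvss": 6.5, "exploit_public": False}],
    "kiosk-07":    [{"id": "VULN-C", "cvss": 9.8, "exploit_public": True},
                    {"id": "VULN-E", "cvss": 9.0, "exploit_public": True}],
}

EXPLOIT_MULTIPLIER = 1.5    # public exploit code: assumed uplift
EXPOSURE_MULTIPLIER = 1.25  # reachable from the internet: assumed uplift


def likelihood(findings, internet_facing):
    """Weight in [0, 1] that the host's worst finding is used against it.
    Starts from CVSS/10, raised for public exploits and exposure, capped at 1."""
    if not findings:
        return 0.0
    worst = max(findings, key=lambda f: (f["cvss"], f["exploit_public"]))
    weight = worst["cvss"] / 10.0
    if worst["exploit_public"]:
        weight *= EXPLOIT_MULTIPLIER
    if internet_facing:
        weight *= EXPOSURE_MULTIPLIER
    return min(weight, 1.0)


def expected_loss(asset, findings):
    """Likelihood times the dollar value the business assigned to the asset."""
    return round(likelihood(findings, asset["internet_facing"]) * asset["value_usd"])


def remediation_queue(assets, findings):
    """Assets ordered by expected loss, with the worst CVSS shown for comparison."""
    queue = []
    for a in assets:
        fs = findings.get(a["host"], [])
        queue.append({
            "host": a["host"],
            "owner": a["owner"],
            "expected_loss_usd": expected_loss(a, fs),
            "worst_cvss": max((f["cvss"] for f in fs), default=0.0),
        })
    return sorted(queue, key=lambda q: -q["expected_loss_usd"])


def cvss_only_order(assets, findings):
    """The same assets ranked by raw severity alone, the approach the paper argues against."""
    def worst(a):
        return max((f["cvss"] for f in findings.get(a["host"], [])), default=0.0)
    return sorted(assets, key=lambda a: -worst(a))


if __name__ == "__main__":
    for q in remediation_queue(ASSETS, FINDINGS):
        print(f"{q['host']:12} owner={q['owner']:11} worst CVSS {q['worst_cvss']:4} "
              f"expected loss ${q['expected_loss_usd']:,}")
    print("by CVSS alone:", [a["host"] for a in cvss_only_order(ASSETS, FINDINGS)])
```

    Ranked by CVSS alone, the wiki and the lobby kiosk with their 9.8 findings come first; ranked by expected loss, the e-commerce server with a 7.5 finding tops the queue and the kiosk drops to the bottom, which is the reallocation of effort the section is describing.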

    SECURITY AUTOMATION
    Automation is a key factor in effective security. There are simply too many vulnerabilities and too many new exploits to expect IT personnel to keep up with it all manually. Automating manual processes (such as report generation, data analysis in spreadsheets, and data correlation) increases efficiency and allows your organization to reduce risk more effectively. The vulnerability management platform provides automation to continuously check for new vulnerability risks, rogue hosts or unauthorized applications, and to prioritize risks automatically so that immediate action can be taken.

    ENTERPRISE INTEGRATION
    As mentioned at the beginning of this paper, part of the problem facing enterprises is that there are too many discrete security tools that don't communicate with each other. A vulnerability management platform like Tripwire IP360 can integrate with other security solutions to unify information silos, combining vulnerability, configuration and event data and sharing that data and its business context to enable further automation. You can strengthen your overall security posture, and get more from your existing investment in security, by sharing refined intelligence between different security controls. For example, if you mesh vulnerability management with a security configuration management platform like Tripwire Enterprise, you can combine change, policy and risk data to immediately distinguish benign changes from the ones that adversely affect security.

    TRIPWIRE IP360
    The attackers seem to have an advantage because they have time on their side, and they only have to find one exploit that works to compromise your data. There are simply too many threats, and too much information, for IT personnel to manage effectively. It's overwhelming.

    Employ a vulnerability management system like Tripwire IP360 to help you automate as much as possible, and close the Enterprise Cyberthreat Gap.

  • Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire's portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at tripwire.com.

    SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG. FOLLOW US @TRIPWIREINC ON TWITTER.

    2014 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. WPMTG1a 201501

    ABOUT TRIPWIRE
    Tripwire delivers advanced threat, security and compliance solutions used by over 9,000 organizations, including over half of the Fortune 500. Tripwire enables enterprises, service providers and government agencies around the world to detect, prevent and respond to cybersecurity threats.

    Tripwire discovers every asset on an organization's network and delivers high-fidelity visibility and deep intelligence about these endpoints. Combined with business context, this information enables immediate detection of breach activity and identifies other changes that can affect security risk.

    Tripwire solutions also deliver actionable reports and alerts, and enable the integration of endpoint intelligence into operational systems like change management databases, ticketing systems, patch management, and security solutions including SIEMs, malware detection, and risk and analytics tools. These integrations are part of our Technology Alliance Program and ensure our customers have robust, accurate information to make their organizations more cyber-secure.

    Tripwire is built on a foundation of innovation and deep security expertise. While Tripwire's founder, Gene Kim, was a graduate student at Purdue University, he created an initial version of the software in 1992 and pioneered many techniques still used in intrusion detection.

    With widespread support from corporate, education, and government security professionals, Tripwire, Inc. was founded in 1997 to bring these innovations to the commercial market. In 2000, Tripwire contributed source code to the open source community to create Open Source Tripwire, a tool that remains in use today. Tripwire continues to invest heavily in innovation and holds over 20 security innovation patents.

    In 2005, Tripwire released the first version of Tripwire Enterprise, the company's flagship product, designed to help organizations control IT configurations, a common attack vector used by cybercriminals to gain unauthorized access to critical systems. In 2010 it announced the release of Tripwire Log Center, a log and security information and event management (SIEM) solution that correlates critical changes to configurations with events, making it possible to rapidly identify sophisticated and targeted cyberattacks.

    Innovation and growth continued with the acquisition of nCircle in 2013. The acquisition added solutions that assess risk from vulnerabilities to complement the company's award-winning product portfolio. Today, Tripwire's integrated portfolio of award-winning security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Tripwire is the second largest provider in the Security Vulnerability Management market as measured by IDC, delivering trusted cybersecurity solutions that allow customers to have confidence in their cybersecurity.