Current Security Landscape

2  

PETYA:  NATO  says  a  'state  actor'  was  behind  the  massive  ransomware  a;ack  and  could  trigger  military  response  

Patching & Security Exposure – A Challenge

3  

1.  Symantec  2015  Internet  Security  Threat  Report  2.  2015  NTT  Group  Global  Threat  Intelligence  Report  3.  Na>onal  Vulnerability  Database    and  GFI  4.  Mobile  Worker  Popula>on  to    Reach  1.3  Billion  by  2015:  IDC,  eWeek  

More  VulnerabiliCes  

More  Users  Working  Outside  Firewall  

More  Than  Windows  and  MS  ApplicaCons  

6,549  new  vulnerabili>es1  

18  new  vulnerabili>es  

daily1  

76%  over    2  years  old2  

37%  of  the  global  

workforce  is  mobile4  

7  of  top  10  vulnerabili>es  on  end-­‐user  systems    

not  servers2  

80%  from  third-­‐party  applica>ons3  

OS  X,  ioS,  Linux,  Unix    highest  in  

vulnerabili>es3    

IT Security & Patching – Organizational View

Compliance  needs  Threat  Protec>on  needs  Organiza>on  Policies  

Audits  and  Base  lining  of  security  standards  Incident  Response  (security  view)  

VA  /  PT    

Patch  Management  Configura>on  Audit  revalida>on  /  impact  Incident  Response  &  remedia>on  (DC)  

Evidence  collec>on  support    

ISG  Team  

Security  Opera>ons  

Infrastructure  Opera>ons  

IT Security vs. Infrastructure Operations

5  

Help  Security  and  Opera>ons  teams  strike    an  op>mal  balance  between  risk  and  cost  

SECURITY  TEAM:  RISK    §  Remediate  vulnerabili>es  

§  Coverage  

§  Accurate  priori>es  

§  Timeliness  

§  Up-­‐to-­‐date  status  reports  

§  Compliance  

§  Incident  response  

OPERATIONS  TEAM:  IMPACT  

 

§  Patches  &  workarounds  

§  Coverage  

§  Accurate  priori>es  

§  Op>mal  process  

§  Minimal  impact  

§  Up-­‐to-­‐date  status  reports  

§  Incident  remedia>on  

6

Patching Constraints

•  Patch  overload  

•  Different  builds  

•  Complexity  of  patches  

•  Resource  constraints  

•  Tes>ng  >mescale  &  infrastructure  

•  Applica>on  dependency  

•  Lack  of  /  inadequate  configura>on  management  &  asset  inventories  

•  Scheduling  /  down>me  /  business  impact  

Patch Management: Objective

•  Ensure Compliance – Regulatory and Standards

•  Provide a relevant risk view of the VAPT reports

•  Rightly prioritize the remediation plan

Sequretek  

7  

Vulnerability Management Process Scope  DefiniCon     Working  with  the  customer  to  clearly  define  and  document  assessment  

objec>ves,    scope  and  rules  of  engagement.  

InformaCon  Gathering    

Relevant  inputs  from  client  on  asset  and  inventory  

Gather  publicly  available  informa>on  with  reference  to  iden>fied  assets  

EnumeraCon     Full  Port  Scanning  System  and  Service  

iden>fica>on  

Opera>ng  system  Fingerprin>ng  

VulnerabiliCes  IdenCficaCon  

Scan  policy  configura>on  

Iden>fica>on  of  vulnerabili>es  associated  with  the  target  host  

Result  Analysis   Scan  results  verifica>on  

Addi>onal  manual  discovery,  tes>ng    if  any  

False  posi>ve  elimina>on  

Analysis  &  ReporCng    

Analysis  of  business  impact  of  the  risks  

iden>fied  

Report  Genera>on  

Comprehensive  report  with  recommenda>ons  on  

mi>ga>on  

Sequretek  Tools  help  automaCng  result  analysis,  re-­‐prioriCzing  vulnerabiliCes  and  remediaCon  process  

•  Iden>fy  the  Cri>cal  and  High  classified  vulnerabili>es  (Exploit  /  Malware  available,  PoC  available  and  others)  

•  Apply  the  recommenda>ons  given  by  the  OEMs  on  a  test  environment.  •  Automate  Patch  Management  roll  out  

Vulnerability    Assessment    

Vulnerability    Re-­‐

classificaCon    

Vulnerability    Research    

Patching  Advisory  

Patching  

Re-­‐classificaCon    parameters:  •   Impact  &  applicability  on  Client’s  environment  • Presence  of  Known  exploits  for  the  vulnerability  • Risk classification & Qualita>ve  Impact  of  exposure    

Patching  RecommendaCons:  • Applicability  of  patches  • Patch  Op>misa>on      

Applica>ons    

Servers      

Infrastructure    

Vulnerability Management Program

Sequretek methodology on providing advisory on VAPT reports

•  Most  VAPT  reports  categorise  High,  Cri>cal,  Medium,  Low  Vulnerability  based  on  generic  design,  flaws/  misconfigura>ons,  its    degree  of  difficulty  to  exploit  

•  It  fails  to  categorise    the  Vulberability  based  on:  •  Impact  on  Client’s  environment  •  Applicability  of  Vulnerability  to  client’s  environment  •  Presence  of  Known  exploits  for  the  vulnerability  •  Qualita>ve  Impact  of  exposure  to  organisa>on  if  exploited  

•             Default  report  generally  provides  very  high  number  of  Cri>cal/High  vulnerabili>es  without  providing  clear  visibility  on  the  impact  and    risk  exposure  to  the  organisa>on. •  Following  is  the  example  of  sequretek  re-­‐classificaCon  which  helps  OrganisaCon  to  prioriCse    and  take  necessary  acCon  

on  Risk  

Name  of  File   IP   Risk   No  of    Patch  to    be  applied  

Default   SQTK   cri>cal  

high  

medium  

low+no  ne  

high  

medium  

low+no  ne  

Unix   xxx.xxx.xxxx.xxx   234   45   23   9   4   4   303 3  

Sequretek  

10  

• Total IP count/ No. Of servers - 29 •Total critical and high vulnerability as per the Client report – 5647 •Total high vulnerability by SQTK ( known malware/ known exploit) – 123 •Total patch to apply to fix all high vulnerability – 40

Sqtk-­‐  High   any  malware  or  exploit  is  ac>ve  on  given  vulnerability  

Sqtk-­‐Medium   for  any  vulnerability  if  the  proof  of  concept  is    given  by  research  team  

Sqtk-­‐  low     vulnerability  is  present  but  no  PoC  /  Exploit    

Sample Recommendation Unix  Server  •  Two  classes  of  Cri>cal  and  High  vulnerability  exist  in  this  server.  Both  relate  to  vulnerable  version  of  components  installed  

on  the  system.    Vulnerabili>es  associated  with  these  components  date  back  to  2012,  there  are  known  4  exploits  and  also  there  is  a  possibility  of  the    existence  of  other  malicious  code  targe>ng  these  vulnerabili>es.  The  vulnerabili>es  associated  with  OpenSSL  are  also  fairly  serious  as    exploit  codes  are  known  to  exist  that  target  this  vulnerable  version.  

•  The  BMC  Server  Automa>on  RSCD  Agent  Weak  ACL  XML-­‐RPC  Arbitrary  Command  Execu>on  vulnerability  reported  as  cri>cal  needs  to  be    examined  further.  This  is  possibly  being  flagged  as  a  vulnerability  as  the  exports  file  on  this  target  allows  the  Nessus  server  to  connect,    which  allows  execu>on  of  the  xmlrpc  code.  If  the  exports  file  does  not  allow  the  Nessus  server  to  connect  and  a  scan  is  carried  out    again,  there  is  a  possibility  that  the  server  is  not  vulnerable.  The  actual  exploit  is  when  you  can  run  the  xmlrpc  code  while  the  client    system  is  not  allowed  to  connect  to  the  target  via  the  exports  file.  

•  While  a  few  vulnerabiliCes  relaCng  to  AIX  6.1  TL  8  relate  to  issues  of  IP  V6,  these  can  be  ignored  for  the  present  if  IP  V6  has  not  been    enabled  in  the  environment.  

RecommendaCon  –  Patch  the  vulnerable  components,  AIX  6.1  TL  8,  AIX  Java,  AIX  OpenSSL  from  the  IBMM  AIX  website.  Detailed    Steps  men>oned  in  Mi>ga>on  report  

Sequretek  

11  

Benefits

•  Organiza>on  specific  Risk  and  impact  Analysis  of  VA    

•  Automated  &  granular  mi>ga>on  Steps  to  remedia>ng  vulnerabili>es  based  on  the    installa>on  in    the  Client  Environment  

•  Maintain  risk  register  based  on  thoroughly  examined  vulnerability  data  

Sequretek  

12  

13

VA to Patching – Patch Operations Team

Security  face  for  Infrastructure  opera>ons  •  SPOC  for  any  tasks  involving  IT  security  and  compliance  maoers  •  Liaise  within  the  Infrastructure  team  to  accomplish  >mely  and  impacpul  results  •  Liaise  with  ISG  and  Security  Opera>ons  team  to  reduce  /  eliminate  security  issues  and  

vulnerabili>es    

Patch  Management  Ownership  •  N,  N-­‐1,  N-­‐2  patch  compliance  for  approved  environment  based  on  organiza>on  risk  matrix  •  Complete  ownership  of  the  process  •  Automa>on  tool  opera>onal  ownership  for  patch  automa>on  •  Complete  plaporm  and  databases  coverage    

Compliance  repor>ng    •  Patch  compliance  •  Configura>on  audit  compliance    

Incident  Remedia>on  and  risk  mi>ga>on    •  Work  with  infrastructure  team  for  incident  response  ,  closure  and  RCA  (if  needed)        

   

14

Role mapping to ITIL

Service Operation

Event  Management  

Incident  Management  

Problem  Management  

Service Strategy

Business  Requirements  

IT  Policies  &  Strategies  

Service Transition Change  Management  

Asset  &  Config  Mgmt  

Service Design

Service  Level  Mgmt  

Availability  Mgmt  

Info  Security  Mgmt  

Patch Management

Sequretek Approach to Patch Management - DART

15  

Patch    Management  Team  

Server  &  DB  Administrators    

Security  Team  

Transform  

Compliance    ReporCng  

Risk  Assessment  

RemediaCon  Strategy  

16

Determine phase

Iden>fica>on   VA  Reports   Security  Bulle>ns  

OEM  Releases  &  updates    

Risk  Assessment   Level  of  importance    

Dependency  map  

Comparison  with  installed  environment    

Determine  type   Advisories  (Severity  1)  

Alerts  (Severity  2)  

Updates  (Severity  3)  

Learn  as  soon  as  possible  about  

poten>al  updates  Perform  Ini>al  Evalua>on   Assign  Priority   Promptly  no>fy  

concerned  team  

Goal  

Key  Tasks  

Building an Offline Patch Repository – using automation tools

1.    Preparatory  tasks  •  Defining  role-­‐based  permissions  •  Configuring  Global  Configura>on  parameters  •  (Windows  only)  Defining  the  loca>on  of  Microsoq  Windows  installa>on  media  for  Microsoq  

Office  patch  deployment    

2.    Building  an  offline  patch  repository  •  Downloading  patch  downloader  u>li>es    •  Preparing  configura>on  files  for  downloading  patch  content  •  Downloading  patches  to  the  offline  patch  repository  

 3.    Patching  tasks  

•  Crea>ng  and  upda>ng  a  patch  catalog  •  Crea>ng  and  running  a  Patching  Job  and  a  Remedia>on  Job  

18

Analyze phase

Impact  Analysis   Security  impact   Environment  impact  

Applica>on  impact  

Tes>ng     Test  /QA  Environment  

Pilot  group  roll  out  

Roll  back  plan  test  

Pilot  Patch   Advisories  (Severity  1)  

Alerts  (Severity  2)  

Updates  (Severity  3)  

Iden>fy  full  scope   Assess  poten>al  impact   Deliver  Remedia>on  strategy  

Goal  

Key  Tasks  

Performing Patch Analysis

•  Run  a  patching  job  by  comparing  with  patch  catalogue  to  iden>fy  missing  patches  on  your  servers    

 •  Analyze  the  configura>on  of  target  servers  and  determine  the  required  

patches  

•  Download  the  payload  from  the  vendor  sites  to  the  Patch  Repository  

•  Package  the  payload  as  per  the  tools  and  create  a  Deploy  Job  for  each  to  apply  the  patch  at  target  servers  

•  Test  the  packages  on  test  /  QA  environment  

•  Prepare  a  detailed  roll  back  plan  by  plaporm  and  by  patch  package  

20

Remediate phase

Patch  /  Soqware  roll  out   Trigger  schedule   Create  payload  

packages  Schedule  deploy  

jobs  

Review  &  roll  back  (if  needed)  

Validate  deployment    

Observe  behavior  

Roll  back  (if  needed)  

Report   Compliance  report  

Alerts  (Severity  2)  

Updates  (Severity  3)  

Apply  patches  on  >mely  basis   Apply  soqware  updates  in  a  manner  that  appropriately  mi>gates  the  risk  involved  

Goal  

Key  Tasks  

Platform specific Release Vehicles

Monthly  Releases  •  Rollout  triggered  by  VA  report  and  security  team  requirements  •  All  new  Severity  1  &  2  updates  released  within  the  past  month  (based  on  impact  analysis)  •  Includes  separate  scheduling  for  all  plaporms    

Bi-­‐annual  Releases  •  Rollout  to  begin  as  per  organiza>on  schedules  •  All  new  Severity  2  &  3  updates  released  since  prior  release  cycle  •  Includes  separate  scheduling  for  all  plaporms  

 Out-­‐of-­‐band  Releases  

•  No  set  rollout  schedule    •  Used  for  Severity  1  updates  only  •  System  availability  requirements  •  System  redundancy  requirements  

21  

Remediate Phase – Phased Rollouts

22  

Release  Date  

Test  Group  (Lab)  

Pilot  Group  (IT)  

Produc>on  Group  #1  

Produc>on  Group  #2  

Produc>on  Group  #3  

23

Transform phase

Proac>ve  compliance  repor>ng  

Dashboards  &  Analy>cs  

Excep>on  register    

Regulatory  repor>ng  

On  going  evalua>on  &  fine  tuning  

process  Lessons  learnt   Data  analysis   Process  fine  

tuning  

Con>nuous  improvement  

Create  automa>on  

Eliminate  residual  risk  

Incident  remedia>on  

Goal  &  Key  Tasks  

Striking an Optimal Balance

24  

SECURITY  Risk  

OPERATIONS  Impact  

Vulnerabili>es  •  Coverage  •  Timeliness    •  Risks  •  Compliance  

Patches  &  Workarounds  •  Coverage  •  Accurate  priori>es  •  Op>mal  process  •  Minimal  impact  

Sequretek  helps  Security  and  Opera>ons  teams  strike  an  op>mal  balance  between  risk  mi>ga>on  and  cost  to  mi>gate  

Thank You!

25  

KMBL  Approach  to  VA  and  Patch  

Kotak  Bank  Environment  •  Data  Center  Loca>ons:  

 1.  Primary  DC  –  Mumbai                                  2.  DR                      –  Chennai  

•  1300+  branches  

•  2000+  servers    

•  500+  databases    

SERVER  VARIENTS   DATABASE  VARIENTS  

AIX   Oracle  

RHEL   My  SQL  

Microsoq  windows   Sybase  

Oracle  Linux   DB2  

ESXi   SQL  

Kotak  Bank  environment  complexity  

•  Con>nuous  Audits:  Regulatory,  Internal,  Business  

•  Internal  RISK  advisory  team  to  manage  IT  RISK  

•  Complexity  on  new  genera>on  and  legacy  applica>ons  

•  Complexity  of  mul>ple  teams  managing  the  en>re  RISK  process:      IT  Security,  Security  opera>ons,  Infrastrcuture  opera>ons  and  data  center  opera>ons  

•  Applica>on  performance  impact  analysis  while  closing  Vulnerabil>es  and  Patching.  

PRIORITY   INTERNET  EXPOSED  APPLICATION  

INTRANET  APPLICATION  

High   3  weeks   1  Month  

Medium   1  Month   2  Months  

Low   3  Months   3  Months  

Stringent VA cycles & Patch SLAs

Patch  SLA  

•  VA  prepara>on  and  schedule  for  the  en>re  environment  –  monthly,  quarterly,  yearly  schedule  

•  VA  runs  and  research  •  VA  verifica>on  and  exploit  simula>on  (wherever  applicable)  •  Repor>ng  and  preparing  patch  requirements  •  Remedia>on  follow  up  and  closure  

VA  SLA  

Sample:  TradiConal  VA  report  summary  

Sample:  New  VA  report  summary  

Sample:  New  VA  report  details  

Summary:  Benefits  to  Kotak  Bank  

•  Revised  VA  report  provides:  •  Beoer  RISK  Management  •  Clear  details  on  ac>onable  VA  •  Manages  the  RISK  profile  

•  VA  and  other  risks  clearly  Ced  to  patch  management  process  

•  Automated  Patch  Management  process  to  fix  VulnerabiliCes  

•  Common  Enterprise  report  and  dashboard  on  VulnerabiliCes  and  patches  

Thank You!