Our product team has just put the finishing touches on the newest release of Retina CS, our award-winning Threat Management Console. Version 3.1 expands our market leadership in innovation for helping IT secure the technologies being widely deployed today.
As it has been since halfway through 2011, Retina CS remains the only unified vulnerability and compliance management solution that integrates security risk discovery, prioritization, remediation, and reporting across your entire IT infrastructure, be it the traditional (server, desktop) or the rapidly expanding (cloud, mobile and virtualization).
It has been roughly a year since we released our original paper titled “In Configuration We Trust.” The goal of that research was to draw awareness to the fact that a lot of security improvement can be made simply by how you architect your network and configure your operating systems and applications. These recommendations can help stop not only run-of-the-mill drive-by attacks but even some of the more sophisticated, dare we say APT, attacks. We’ve updated that research, which can be found here, and have also added a new tool into the mix. Why did we do all this? Let’s talk about that.
Customer conversations are the best part of my job. I really enjoy talking with users and buyers of security technology, especially in today’s hyperactive threat and attack climate. Most often these conversations are with customers proactively planning updates to their security strategy, or with prospects that have matured to a level where their tools need to be upgraded to enterprise solutions. However, there is a small percentage of organizations we speak with who have come to eEye as a result of a breach or a failed audit. One of *those* conversations was the impetus for this post.
Recently we hosted a webinar with VMware, “Close Your Virtual App Security Gap”. If you haven’t had a chance to check out the materials from that webcast, you can find the slides here. It was a great session, where the eEye and VMware ThinApp product teams talked about virtual app security and how virtual apps can easily be added to your enterprise security strategy.
Not surprisingly, the subject matter brought a large number of attendees to the webinar, and with them, came great questions. We held a random drawing of those who participated in the Q&A, and Jason Miller of LexisNexis was our winner. Congratulations Jason!
Earlier today, George Hulme reported on a recently introduced piece of legislation, the Personal Data Protection and Breach Accountability Act of 2011 (or PDPBAA for short, which sounds like how my last name is pronounced sometimes), geared toward protecting customer data from theft or loss. Senator Richard Blumenthal (D-CT) hopes that this new bill will “prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers’ data before breaches occur”. That sounds good; I think we’d all like that. But as with any type of legislation, the devil is in the details.
The Security Content Automation Protocol (SCAP, pronounced S-cap) is a suite of open standards that, when referenced together, deliver automated vulnerability management, measurement, and policy compliance evaluation for network assets. The first version of the suite specification focused on standardizing the communication of endpoint-related data and on providing a standardized approach to maintaining the security of enterprise systems. It provides a means to identify, express and measure security data in standardized ways, so that products from multiple vendors can consume or produce SCAP content for correlation of security information. Each standard within the specification is individually maintained and provides revisions and updates independent of the SCAP specification.
Prioritizing Vulnerability Assessment and Remediation Steps: A New User’s Guide to Getting Started – Part 1
New users to vulnerability assessment often ask the same question: “How do I get started?” While this may sound incredibly generic to a security engineer, many companies have never had a vulnerability management process in place and are trying to comprehend the problems of missing patches, remediation prioritization, and risk acceptance. As a basic recommendation, I put together these three examples for a conservative vulnerability assessment rollout that should help anyone with the potential challenges of a new process. The methodology takes into consideration the sensitivity of vulnerability information and the caution needed when performing network scans on targets that may be susceptible to faults.
The examples in this blog outline three approaches to a deployment that can be cross implemented to discover the health of the environment in phases.
Example One – Critical Vulnerabilities Only
eEye Digital Security’s Retina Solution allows for the customization of scanning by Smart Groups and Report Templates. By managing Smart Groups and Templates, scan targets can be limited to testing of only critical vulnerabilities that can adversely affect the environment. This will reveal areas where sensitive data and system compromises could negatively affect the infrastructure. This essentially looks for the “low hanging fruit” of critical vulnerabilities that should be remediated first.
Figure 1, Audit Groups Sorted by High Severity
This approach has several advantages over full audit scanning:
- Vulnerabilities that could be exploited with little to no user intervention will be accurately identified
- The volume of potential compliance data and information messages will be reduced
- Business units and security teams can focus on the highest priority items that could interrupt normal business operations
This approach allows for targeted scanning of devices with only the highest severity items to identify:
- How well patch management processes are functioning to meet regulatory requirements
- Which devices with sensitive data can be compromised with minimal to no intervention
- Devices that contain severe vulnerabilities and are potentially end of life can be identified for replacement
This approach has a few disadvantages:
- Low severity compliance related audits will be missed
- Basic audits for usernames, groups, rogue services and processes will not be identified
- Web application and database based vulnerabilities may be excluded
Example Two – Statistical Sampling
Many regulatory compliance initiatives including the PCI DSS allow for statistical sampling of assets to perform an effective vulnerability management strategy. In order for this approach to be successful, a sample of all types of devices must be represented in a group of approximately 10% of the environment. In addition, proof of image standardization for hosts like desktops is required to validate the statistical sampling approach. Deviations in the standard build are not acceptable and must be locked down.
Please consider the following:
- All operating systems in the environment
- All applications in the infrastructure
- All hardware and network devices and printers
- The scope of the devices in the assessment sample
All of the device types above must be included in the target group. No version or platform can be excluded. The sample can be scanned with all audits or with targeted vulnerabilities to report on the trends within the environment.
Figure 2, Sample Set of Scanned Assets for Statistical Sampling, Desktops Only
Statistical Sampling has several advantages:
- Limited targets and risk to production devices
- Validation of compliance management initiatives and image standardization
- Rapid scan times compared to evaluating the entire infrastructure
- Consolidated reports based on samples
In contrast, the disadvantages to this approach:
- No rogue asset identification
- Bottom “n” vulnerabilities and “one offs” are not identified, but are still susceptible to an attack
- If deviations do occur in the images, they will be missed and invalidate the premise for this type of assessment
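As an added example (not code from the original post or from Retina), here is a stratified sampler that honours the rule above: roughly 10% of the environment, with every platform and device type represented at least once, plus a check that reports any stratum the sample missed. The inventory counts and hostnames are constructed for illustration.

```python
import random
from collections import defaultdict

# Constructed inventory for illustration: (hostname, platform, device_type).
# Counts are invented; a real run would load the asset list from the scanner.
_SHAPE = [
    ("dsk", "Windows 7", "desktop", 40),
    ("dsk", "Windows XP", "desktop", 10),
    ("srv", "Windows Server 2008", "server", 8),
    ("srv", "RHEL 5", "server", 6),
    ("net", "Cisco IOS", "network", 3),
    ("prn", "HP JetDirect", "printer", 2),
]
INVENTORY = [
    (f"{prefix}-{plat.replace(' ', '').lower()}-{i:03d}", plat, kind)
    for prefix, plat, kind, n in _SHAPE
    for i in range(n)
]


def stratified_sample(inventory, fraction=0.10, seed=0):
    """Pick about `fraction` of the assets so that every (platform, device_type)
    stratum appears at least once; a stratum never gets dropped by the rounding."""
    strata = defaultdict(list)
    for host, platform, kind in inventory:
        strata[(platform, kind)].append(host)
    rng = random.Random(seed)  # fixed seed keeps the sample reproducible for audit evidence
    target = max(round(len(inventory) * fraction), len(strata))
    # First pass: one host from each stratum so no platform or device type is excluded.
    sample = [rng.choice(hosts) for hosts in strata.values()]
    # Second pass: fill the remaining quota from the hosts not yet chosen.
    chosen = set(sample)
    pool = [host for host, _, _ in inventory if host not in chosen]
    sample.extend(rng.sample(pool, target - len(sample)))
    return sorted(sample)


def coverage_gaps(inventory, sample):
    """Return the (platform, device_type) strata missing from `sample`; an empty
    list means the 'no version or platform excluded' rule holds."""
    chosen = set(sample)
    covered = {(p, k) for h, p, k in inventory if h in chosen}
    return sorted({(p, k) for _, p, k in inventory} - covered)


if __name__ == "__main__":
    picked = stratified_sample(INVENTORY)
    print(len(INVENTORY), "assets,", len(picked), "sampled; gaps:", coverage_gaps(INVENTORY, picked))
```

Feeding the sampler only the desktop hosts (a common shortcut) makes `coverage_gaps` list every server, network and printer stratum, which is exactly the failure the approach warns about.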
Example Three – Targeted Scanning Based On Business Function
Many devices in an environment provide supporting functions to a business but have no direct connectivity to critical information. Consider a web application. Only the web server and supporting infrastructure should have access to any middleware and databases. A web application vulnerability assessment scan will reveal any flaws, and an attacker can only reach the target through this single entry point. Therefore, assessing every workstation that only interfaces with critical data via the web is overkill. A better approach follows the “where is the gold” principle. The business must identify where all of the critical business systems are and group them accordingly. Scans of these devices will target all possible entry points and should only occur during a predefined and acceptable scan window.
This approach informs all parties that a network scan is going to occur (in case of a fault or outage) and confirms that all critical systems are free of high-rated risks.
Figure 3, Hosts Grouped by Domain and Displayed in a Topology View
Advantages to this approach:
- Scans occur only at acceptable times
- Systems housing sensitive data (in scope) are validated to be risk free
Disadvantages for targeted scanning:
- Non-critical systems are not assessed and could be used as a beachhead to infiltrate an organization
- The manual process of identifying hosts may lead to missing systems for targeted scans
- No rogue asset detection
The examples in this blog can be cross implemented to discover the health and vulnerability status of the environment in phases and ensure that the information collected is actionable and manageable for any organization beginning a new vulnerability management process.
eEye Professional Services are available to assess the risk and compliance objectives with any of these processes, and can provide a phased rollout approach to meet your business requirements. Based on our experience with clients of a similar size, and the overall security and business goals of your organization, eEye is confident that our solutions and services can meet your needs.
>> To learn more about what the new Retina CS can do for you, please visit us at eeye.com/new
>> If you are interested in upgrading to the new Retina CS, please contact your sales rep or email us at email@example.com
About every two years, I indulge myself with a new laptop. This time, I waited almost three years and will be retiring my old Dell XPS M1330 for a new Alienware M15x. I wanted raw horsepower for virtual machines in a laptop format and was not as concerned about battery life (since I carry an iPad for notes and email) or weight since I travel with a Targus TSB700 rolling backpack.
I started collecting all of the software I needed to rebuild my system and realized I have quite a few solutions to install in order to meet my day-to-day work requirements. This includes everything from Microsoft Office 2010 and Nero 10, to all the solutions eEye offers and, of course, gigabyte upon gigabyte of virtual machine sessions. This made me think about how many of these solutions are now bundles and suites compared to the standalone products of years ago. MS Office 2010 contains all the programs I need, from word processing to presentations, and Nero all the tools I could ever need to create promotional DVDs, website videos, and even system backups. As these tools add more features, they cover additional areas I need for daily work, in lieu of more and more point solutions.
As solutions add more features, consider this example: a recent presales Request For Proposal (RFP) queried all the different regulatory standards and assessment standards we are able to support. These include out-of-the-box assessments, dedicated reports, flexible dashboards and best practices to help automate these processes. After a few minutes of digging around, I compiled this short list (not really short):
- SCAP – Security Content Automation Protocol
- CVE – Common Vulnerabilities and Exposures
- CVSS – Common Vulnerability Scoring System
- OVAL – Open Vulnerability and Assessment Language
- XCCDF – The eXtensible Configuration Checklist Description Format
- CCE – Common Configuration Enumeration
- CPE – Common Platform Enumeration
- STIG – Security Technical Implementation Guides
- IAVA – Information Assurance Vulnerability Alert
- FDCC – Federal Desktop Core Configuration
- USGCB – The United States Government Configuration Baseline
- CIS – The Center for Internet Security
- PCI – Payment Card Industry Security Standards Council
- HIPAA – The Health Insurance Portability and Accountability Act
- GLBA – The Gramm-Leach Bliley Act
- SOX – Sarbanes-Oxley Act
- ITIL – Information Technology Infrastructure Library
- COBiT – Common Objectives for Information and related Technology
- FERC-NERC – Federal Energy Regulatory Commission
- ISO – International Organization for Standardization
- MASS 201 – Commonwealth of Massachusetts 201
- NIST 800-53 – Recommended Security Controls for Federal Information Systems and Organizations
- BugTraq – Bugtraq
I realized after creating the list, that while many vendors offer point solutions for some of these standards and regulations, eEye offers all of these in one solution: Retina. For the same reason we use MS Office as a comprehensive tool for daily operations, Retina provides a single comprehensive tool for unified vulnerability management and meets the most common regulatory standards facing businesses today.
Now, if I had to go back and find point solutions for each, my cost would skyrocket and my learning curve would ramp up exponentially. I have seen companies use one solution for PCI and another for Configuration Compliance and Benchmarks (FDCC, CIS, USGCB, etc.). And many use a third solution for internal vulnerability assessment (rarely the same vendor due to cost), a fourth for patch management, and maybe even a fifth for any government requirements like STIGS and IAVAs or special projects.
There are many standards out there and so many different requirements that it is no wonder security costs are rising and users are required to work harder to meet these regulations. To address this problem, eEye can provide a solution to these initiatives in a single tool and lower the cost of ownership. Wouldn’t you benefit from a single tool that can solve these requirements versus the alternatives?
Marc and I just returned from the N-able 2010 Partner Summit in Scottsdale, Arizona. While there, we took part in the announcement of N-able’s Remote Audit Manager, a collaboration between eEye Digital Security and N-able. Remote Audit Manager utilizes eEye’s award winning Retina Network Security Scanner to allow MSPs to provide vulnerability assessment, configuration compliance and regulatory compliance solutions to their customers.
We had a great time presenting the solution during the conference, with Marc participating in a panel discussion as well as a solution overview talk that wrapped up the show. Marc and I also delivered a technical briefing that provided some in-depth details on the different components of Remote Audit Manager. The joint talk went great, considering it has been several years since Marc and I have been on stage together – although as usual, we ran long trying to get as much information across as possible.
Overall, there was a lot of great interest in the solution, with tons of traffic during the expo and lots of side conversations between sessions. We both had a great time, and look forward to following up with everyone we talked to.
For more information, check out the eEye Press Release.