
Achieving Advanced Security Use Cases by Integrating Key Security Solutions with a VMS

BSides SATX 2018 · 22:20 · Published 2018-07
Speakers: Gunner Clary, Danny Santander
Category: Technical
About this talk
Achieving Advanced Security Use Cases by Integrating Key Security Solutions with a Vulnerability Management System - Gunner Clary, Danny Santander. In order to solve many advanced information security use cases, one must correlate historical vulnerability scanning information with information garnered from other security technologies such as SIEMs, ticketing, IDS/IPS, NAC, deception technologies, and many others. However, to best achieve these use cases, a difficult correlation challenge related to normal IT changes across time must be overcome. This session covers three specific advanced security use cases achieved by integrating vulnerability management with other security technologies. The session includes a demonstration of a use case related to an incident response program and solved by a security technology. BSides San Antonio 2018, June 16, at St. Mary's University.
Transcript (en)

...cases. I work for Digital Defense and I do API integrations. So we're gonna kick it off. My name is Danny, Danny Santander. I came from Tucson, Arizona. I also work with Digital Defense doing API integrations. I just started, maybe not even a year ago. I was working on their enterprise risk assessment tool, and now I'm full-time with Gunner doing API. Yeah.

So let's get into it. First, let's talk about vulnerability management. Exactly what is vulnerability management? It's basically the process of identifying, classifying, and providing any mitigation solutions for vulnerabilities found. These vulnerabilities could be any weaknesses or flaws within an asset on a network, or any sensitive information that is exploited or exposed to a threat.

Vulnerabilities can be detected through vulnerability scanners that scan the network, analyzing any information and any threats on your network. Frequent scanning ensures new vulnerabilities are found. You're only able to find these new vulnerabilities once you scan your network, so it's very important to scan frequently and often.

Let's get into some benefits and limitations of vulnerability management systems. Some benefits: it's up-to-date scans for known vulnerabilities. This means we're constantly updating our dictionary of what the scanner is searching for, the vulnerabilities it knows, so if there's a zero-day vulnerability, we're getting that update as soon as possible. Quantify the risk status of devices: what we do is, when we scan for vulnerabilities, we categorize them on a scale of either low, medium, high, or critical. Easy to automate scans and reports: you can schedule scans, you can schedule specific scans, you can schedule a range of IPs on the network.

Some limitations: it proposes solutions but does not apply them. So we propose mitigating solutions, but the vulnerability management system itself doesn't remediate them and apply the mitigations. Vulnerabilities are only made known once scanned; this is what I mentioned earlier, you're only able to find the vulnerabilities once you scan your network, so in between scans vulnerabilities may emerge, and that could be a problem. We'll get into that later. Historical correlation of vulnerabilities is a challenge, meaning that if you find a vulnerability within an asset on your network, it might be difficult for you to trace backwards to that asset to see if, when, or how it got vulnerable.

Let's talk about frequency and how important that is. Frequency of vulnerability scanning, disadvantages: this is on a time schedule throughout the year. So let's say you're only scanning quarterly, so four times a year. In January you scan and you find four vulnerabilities, and you decide to mitigate those vulnerabilities. In February you have none, but in March there's three vulnerabilities that have popped up that you're unaware of, because you haven't scanned; you're only scanning in January and April. So once you scan in April, you'll see seven vulnerabilities compared to zero, since you had mitigated all four back in January, and so on and so forth. If you don't scan in May and June, new vulnerabilities may emerge that you're unaware of until July; you mitigate some, but new vulnerabilities emerge, and so on and so forth. So it's very important to scan your assets on the network frequently.

Now, getting to the historical correlation of vulnerabilities. Let's say again, on a timeline of one year going into quarters, one, two, three, four. Let's say in the first quarter you update a software, software X, which has a zero-day vulnerability. No one knows about it yet; it's unknown, except to some attackers or hackers. They're the ones that have the ability to gain access and control of your system. So vulnerability management systems have not detected this vulnerability yet on the new update of software X. In quarter two, you have an attacker that exploits the vulnerability, and the system is now infected. In quarter three, the vulnerability is still unknown, since it's a zero-day, but there is a patch, or it's been updated and the software is removed, so the vulnerability doesn't show up; but it was still vulnerable in quarters one, two, and three, before the patch. In quarter four, the vulnerability is now finally public; people know about it, people are aware of it. You scan in quarter four, the vulnerability pops up, everyone knows about it, it's on your system. Now here's where the historical correlation challenge comes in: you're not able to go back and check if it was vulnerable in quarter one, since it was undetected. So those are the challenges we have with vulnerability management systems.

Now we're gonna get into some integration use cases, starting off with network access control. So a network access control device, just like the vulnerability management system, is a security solution that on its own is great. With network access control, you are able to enact policies on your network. This allows you to keep new hosts off, only let certain people on, or only certain IPs into critical sections of your system, anywhere that is important for security purposes; you kind of restrict access to it, don't let anything get anywhere. And devices may be refused access completely if, like I said, you had a new host who joins your network and you're unsure whether they're secure yet; maybe it's some guest laptop that just hops on, and you don't know what they're going to be trying to do.

Here we get into the benefits and limitations of a network access control system. Some of the benefits are: you can restrict, as I was talking about, who gets onto your network; you can remove assets if you know they pose risk, so if someone does have a known vulnerability on their laptop, you can go ahead and kick them off; you can identify all devices that connect to your network, just keeping logs, and there's many ways to keep that. Some limitations are that vulnerable hosts may still be given access; you're never sure if a laptop is secure on its own through this system, so they could be an authorized user but still be vulnerable and get access to your system. Access can be denied to authorized users if they do have some other limiting factor; a policy restricts their access, and then they no longer can make changes. And then, limited capability to make access decisions. What this is, basically, is there's a few guidelines, rules, policies that you can make that say either you have access or you don't. It's black or white; there's no gray scenario there where it can kind of think for itself and decide if this user should be on the network or should not.

So here we have a basic diagram of network access control. You have all your hosts or assets down on the bottom, and a network access control device that limits them from being able to talk to other parts of your network, so they're kind of restricted to their own area. They're kind of quarantined off from any other part of the network, in their own section.

So next we're going to talk about why the integration between a vulnerability management system and a network access control device makes an even better security solution. So the use case for this is that a VM solution is able to identify vulnerabilities on devices, and if you pair that with the ability to lock people out of your network, it's a pretty powerful tool. If someone has a critical vulnerability that could let someone exploit it and gain access to your network, they can be restricted access and no longer allowed onto the network. Providing risk status is how that's going to happen. Importing the vulnerability data into the network access control gives it more decision-making than its already limited black and white scenario, and now it has the option of: if they're infected, if they pose a risk to my system, if they might harm in any way any other device on the network, don't let them in. So new devices that connect to the network as well can now, instead of being permanently denied access, have a scan launched on them through the vulnerability management system, automated. It sends it to the vulnerability management system, and it then goes down, looks at the device, and says if it's clear or not.

So we have a diagram of this going through right here. The vulnerability management system we're describing is Frontline VM. Going through, we have a new device that connects to the network. It's currently unknown; we're not sure if there's any vulnerabilities on it, and it could potentially pose a risk. What the network access control is going to do is ask the vulnerability management system if there are any known IDs about this host, if it knows about it, if it's vulnerable at all. It's gonna go ask its scanner to perform a scan on this device, which it goes down to and looks at, scans the ports, checks if there's any malicious data coming out of it, and then returns to the scanner and then back into the vulnerability management system. Once it's there, it can then continue back to the network access control, and communicate between the two whether it is a risk or not. If it's safe to let onto the network, it accepts it in. So now that device has access, in an automated fashion, and doesn't pose a risk.

And so now we're on to the next case. So here's another security solution that might benefit from integrating with vulnerability management: security information and event management, usually called a SIEM. What exactly is a SIEM? It's used to collect, manage, analyze, and prioritize any type of security-related data from logs and events, and it also provides real-time threat analysis, ticketing, and incident response. SIEM systems deploy collector agents, either remotely or on-premise, to gather data from various asset sources within the network.

These SIEM collectors, once they collect the log information, the data, send the events to the centralized management console, which then prioritizes them on a set of rules created by the user. Now to get into some benefits and limitations of a SIEM. The SIEM can increase efficiency, which means that by assembling security data or relevant event logs from multiple sources across your network, it might be easier for IT compliance, on the bottom, to create reports. Real-time security incident response: quickly reduce the impact of any security threats, automated. Also some limitations of a SIEM: too much noise data. You're constantly collecting log data from all your assets within the network; there's a lot of information to process, and some of that data is not even actionable for threat management. It requires a lot of maintenance and monitoring; you need a professional to sift through this data, to create rules, to constantly be looking at the alerts and events populated by the SIEM. Lack of necessary information, poorly designed rules: connected to the last point, attacks don't necessarily leave log data, not all attacks do. That's where a SIEM can help you when integrated.

Let's get into the actual network of a SIEM. So say you have a set of assets that are connected to the internet, usually behind some firewall on a network. These assets individually send event or log data to your SIEM connector. Once sent, the SIEM connector sends that data to the SIEM database or the SIEM server, the centralized management connector, and it prioritizes those events. Some benefits of integrating with vulnerability management: vulnerability management identifies vulnerabilities on the network alongside the SIEM technology. Again, the SIEM will not always be picking up vulnerabilities; those vulnerabilities might not leave log data, or not have log data. Send vulnerability information to the SIEM's centralized management system; this way, once vulnerabilities are sent to the system, you're able to prioritize those vulnerabilities along with the log data. And here's the integration diagram of some network with vulnerability management. We have our same network with the assets behind a firewall on the network, sending event log data to a SIEM connector, that SIEM connector sending data to the SIEM database, except now we have a vulnerability management scanner connected to the network. This will scan all assets on your network, send any data, including vulnerability data, host data, open port data, scanning data, to Frontline Vulnerability Management, and in return that will send that data to the integration with the SIEM, through the connector and then to the database, to get prioritized.

We have our next one. So our next use case is called our esoteric one, and this is kind of a more advanced one, kind of still a research topic for us, one that we're looking into: deception technology. It's kind of considered up-and-coming, almost a new way of viewing security in your system, of not just mitigating everything, because somehow an unknown will happen and they will get through your system. So in the deception technology case, it's meant to provide fake hosts, fake assets on your system, that kind of act as honeypots to kind of lure them in. They look real, they act real, they're receiving real data back and forth, but they're fake, so any penetration that gets to them is receiving fake data instead of the critical data that you have on your system. So it provides awareness of malicious activity within your internal network. Once it is alerted by itself to whether someone is hacking into it, accessing it unauthorized, it kind of quarantines itself from the rest of the network, and it doesn't alert them; it just sits there and monitors, logs how they're attacking, what they're doing to get into your system, in order to, in an automated way, block that next time. So it's not a shield up front; it's let them in, but don't let them get your critical data. Decoys are contained in real assets on your network.

So once we get into the drawbacks on this, that's one of them: you do have to use more resources with this kind of integration, or with this kind of technology, in that if you need a bunch of decoys in order to kind of protect your real assets, it increases your resource load almost exponentially, just because for one real asset you may want ten decoys, just for the amount of security that could provide, maybe more. All right, and so here we have just kind of a little diagram, because the decoys, as we call them, surround the host, and so, you know, shields up, red alert, protect your system by having fakes there. Some benefits of this are that you're able to monitor the attacker as they come in, instead of fully rebuffing them and letting them try again with something new that you may not know; you instead capture them, watch them, and log that behavior for next time. You can lure attackers away from your important assets with the idea that it's real data they're getting into, and possibly mitigating the fact that they would get to a real system next time. Some limitations are that they do, again, require additional resources in order to have all these extra decoy hosts. You must have similar levels of activity on your network to these hosts, in order to give the idea that they are real, that you're communicating with them, that your data is being transferred to them. And they do little to prevent attacks from occurring; they are decoys, and so if they do hit the real one, then it got through to the data.

So through deception technology, this is how it works: the attacker initially gets into your system and moves along laterally until it finds a decoy host, where it then gets trapped and is monitored. It's a trap, and so once they're there, they're kind of stuck; they're not allowed to move any further into your network, and they're monitored. So the use case of integrating it with a vulnerability management system to create a better security solution is that a VM can provide additional vulnerability data to these decoy assets. So when they're being created, they kind of are smarter now, in a way, in that they know what vulnerabilities are on your system and what the attackers might be trying to exploit to get in, and so that's what they're looking for now. Instead of maybe everything, they're more refined on to certain topics, and that allows decoys to be placed closer to expected intrusion points. So you can't always mitigate a frontline vulnerability, and sometimes it has to be left open, so you can place decoys near where you know you have issues in your system. You can conserve resources by possibly having fewer decoys, now that you know the vulnerabilities of your system and what channels attackers are more than likely to use.

So in conclusion, we're just going to kind of wrap through some more of the use case stuff on these, and the benefits of why we're going through these, integrating with different security solutions to make a better version. Because vulnerability management on its own is great, network access controls are great, deception technology, SIEMs, they're all great, everyone uses them. We're talking about how to use them together, though, because if you're using two really great systems but not putting them together, it's kind of wasting the data from both. Using them together allows you to form a more complete security on your system. So yeah. So when you're integrating vulnerability management with other security solutions, you're also combining remedies or remediations, and even also solutions to mitigate those that vulnerability management cannot. An example might be for SIEM: SIEMs don't need to be scheduled to be scanning your network, they don't need a set time or a range, they're just constantly logging data, whereas with vulnerability management you need to set those scans; you need to scan to find these vulnerabilities. Vulnerability management can also provide solutions to mitigate those types of vulnerabilities, where SIEMs are basically sort of like a ticketing system, but more of an alerting system, alerting you: hey, we found this in your logs. So there's advantages to both, but there's even bigger benefits when you're integrating both of those solutions.

So I'm gonna jump back to the network access control real quick. So with the network access control integration with vulnerability management, the key point here to go over is that the scans on the system are automated. So before, everything that you had to do was kind of user-based: giving access to everyone, are they authorized, does the user have credentials, are they vulnerable in your system, is the system they're bringing gonna be a threat. By integrating two key security solutions, it allows this to become automated, and kind of without the human error to it, bringing in secure hosts only, allowing access to only those that you actually want on your network. Are there any questions?

All right, well, thank you for your time. [Applause]
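The NAC-to-VM flow the speakers walk through (new device connects, NAC asks the VM system for a known risk status, the VM triggers a scan if it has nothing current, the NAC admits or quarantines on the answer) as a runnable simulation. This is an added example written for this page, not Digital Defense's Frontline VM or any NAC vendor's API; every class, method and the sample findings are hypothetical and constructed. It also keeps per-host scan history keyed by a stable identifier (a MAC address, which is an assumption) so that the historical-correlation question from the first half of the talk, "was this host vulnerable back then?", can still be answered after the host comes back on a different IP.

```python
"""Added example (not from the talk): NAC admission driven by a VM risk status.
All names are hypothetical; findings and hosts below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {v: k for k, v in SEVERITY_RANK.items()}


@dataclass
class Finding:
    vuln_id: str      # placeholder id, not a real advisory identifier
    severity: str
    port: int


@dataclass
class ScanRecord:
    scanned_at: datetime
    ip: str           # IP seen at scan time; hosts are keyed by MAC, not IP
    findings: list


class FakeScanner:
    """Stand-in for the VM scanner; returns constructed findings keyed by MAC."""
    def __init__(self, findings_by_mac):
        self._findings = findings_by_mac

    def scan(self, mac, ip, now):
        return ScanRecord(now, ip, list(self._findings.get(mac, [])))


class VulnManager:
    """Hypothetical VM system: owns scan history and answers NAC risk queries."""
    def __init__(self, scanner, max_age=timedelta(days=7)):
        self.scanner = scanner
        self.max_age = max_age          # older results count as stale -> rescan
        self.history = {}               # mac -> [ScanRecord, ...] oldest first

    def risk_status(self, mac, ip, now):
        """Return (status, record); rescan if the host is unknown or stale."""
        records = self.history.setdefault(mac, [])
        if not records or now - records[-1].scanned_at > self.max_age:
            records.append(self.scanner.scan(mac, ip, now))
        rec = records[-1]
        worst = max((SEVERITY_RANK[f.severity] for f in rec.findings), default=0)
        return ("clear" if worst == 0 else RANK_NAME[worst]), rec

    def was_vulnerable(self, mac, vuln_id, since):
        """Historical correlation: did any scan since `since` show vuln_id on this host?"""
        return any(f.vuln_id == vuln_id
                   for r in self.history.get(mac, []) if r.scanned_at >= since
                   for f in r.findings)


class NAC:
    """Hypothetical NAC: black-and-white policy replaced by the VM's risk status."""
    DENY_AT = {"high", "critical"}

    def __init__(self, vm):
        self.vm = vm
        self.log = []

    def on_connect(self, mac, ip, now):
        status, _ = self.vm.risk_status(mac, ip, now)
        decision = "quarantine" if status in self.DENY_AT else "allow"
        self.log.append((now.isoformat(), mac, ip, status, decision))
        return decision, status


# Constructed sample findings; "example-vuln-N" are placeholders, not real IDs.
SAMPLE_FINDINGS = {
    "aa:bb:cc:00:00:01": [Finding("example-vuln-1", "critical", 445)],
    "aa:bb:cc:00:00:02": [Finding("example-vuln-2", "low", 22)],
    "aa:bb:cc:00:00:03": [],
}


def run_demo():
    """Drive the flow over a few constructed connections; returns (decisions, vm)."""
    t0 = datetime(2018, 6, 16, 9, 0)
    vm = VulnManager(FakeScanner(SAMPLE_FINDINGS))
    nac = NAC(vm)
    results = [nac.on_connect(mac, ip, t0) for mac, ip in [
        ("aa:bb:cc:00:00:01", "10.0.0.11"),
        ("aa:bb:cc:00:00:02", "10.0.0.12"),
        ("aa:bb:cc:00:00:03", "10.0.0.13"),
    ]]
    # Same host returns next day on a new IP: history by MAC answers without a rescan.
    results.append(nac.on_connect("aa:bb:cc:00:00:01", "10.0.0.57", t0 + timedelta(days=1)))
    # Eight days later the last scan is older than max_age, so the VM rescans first.
    results.append(nac.on_connect("aa:bb:cc:00:00:03", "10.0.0.13", t0 + timedelta(days=8)))
    return results, vm


if __name__ == "__main__":
    decisions, vm = run_demo()
    for line in vm.history and NAC(vm).log or []:
        print(line)
    for d in decisions:
        print(d)
```

The design point is the one the speakers make: the NAC's own policy is a yes/no on credentials, so the extra signal has to come from the VM side, and the VM side must key its history on something more stable than an IP, or the "was it vulnerable in quarter one" question cannot be answered later.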
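The SIEM use case in the talk is that log events alone say nothing about whether the targeted host is actually exposed, so vulnerability data sent into the SIEM's central system lets those events be prioritized together. The following is an added example written for this page, not the speakers' integration or any SIEM product's rule language: it parses a handful of constructed key=value log lines, joins each event to a constructed VM export by destination host and port, and re-ranks the events. The scoring weights and the line format are assumptions.

```python
"""Added example (not from the talk): prioritizing SIEM events with VM data.
Log lines and the vulnerability export below are constructed sample data."""
import re
from dataclasses import dataclass, field

# Constructed syslog-style events; the key=value shape is an assumption.
SAMPLE_EVENTS = """\
2018-06-16T09:01:02 host=10.0.0.11 src=203.0.113.5 dport=445 action=auth_failure
2018-06-16T09:01:09 host=10.0.0.12 src=203.0.113.5 dport=22 action=auth_failure
2018-06-16T09:02:30 host=10.0.0.13 src=198.51.100.7 dport=80 action=conn_allowed
2018-06-16T09:03:11 host=10.0.0.11 src=203.0.113.5 dport=445 action=conn_allowed
"""

# Constructed VM export: host -> [(placeholder vuln id, severity, port), ...]
SAMPLE_VULNS = {
    "10.0.0.11": [("example-vuln-1", "critical", 445)],
    "10.0.0.12": [("example-vuln-2", "low", 22)],
}

BASE_SCORE = {"auth_failure": 3, "conn_allowed": 1}          # assumed weights
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass
class Event:
    ts: str
    host: str
    src: str
    dport: int
    action: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Parse the key=value lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
        events.append(Event(m.group("ts"), kv["host"], kv["src"],
                            int(kv["dport"]), kv["action"]))
    return events


def prioritize(events, vulns):
    """Score each event from its type, then add weight for every vulnerability
    the VM data reports on the destination host's targeted port; highest first."""
    for e in events:
        e.score = BASE_SCORE.get(e.action, 1)
        e.reasons = [f"base:{e.action}"]
        for vuln_id, severity, port in vulns.get(e.host, []):
            if port == e.dport:
                e.score += SEVERITY_WEIGHT[severity]
                e.reasons.append(f"{severity} {vuln_id} on port {port}")
    return sorted(events, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in prioritize(parse_events(SAMPLE_EVENTS), SAMPLE_VULNS):
        print(e.score, e.ts, e.host, e.dport, e.action, "; ".join(e.reasons))
```

Without the join, the two auth failures rank equally and the allowed connection to 10.0.0.11 looks like noise; with it, the events against the host that the VM scan found critically exposed on that exact port rise to the top, which is the reason the talk gives for feeding vulnerability data into the SIEM rather than keeping the two systems apart.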
