QualysGuard Vulnerability Management
Housekeeping
Please turn your phones to vibrate
Breaks are generally every hour
Free lunch around 11:30am
Introductions
1/3/13
QualysGuard Vulnerability Management
Topics Covered
Getting Started With QualysGuard
Introduction to QualysGuard SaaS Architecture
The QualysGuard Vulnerability Management Engine
The QualysGuard KnowledgeBase
Configuring a QualysGuard Solution
  Mapping
  Asset Management
  Scanning
  Reporting
  User Management
Understanding Saved Searches (Search Lists) and Customizing Option Profiles
Remediating
EXAM
QualysGuard Software-as-a-Service
Bringing Security and Compliance together
Satisfying the needs of all constituents with a single solution
No Software to Deploy or Maintain!
QualysGuard Lifecycle
1. Discover
2. Prioritize Assets
3. Assessment
4. Reporting
5. Remediation
6. Verification
QualysGuard
Vulnerability Management (VM) Engine
QualysGuard VM Engine
Key Concepts
At the end of this section, you should be able to understand:
The QualysGuard Vulnerability Management Engine
Workflow of the Mapping and Scanning Functions
QualysGuard VM Engine
Core Engine
  Manages the operation
Modules
  Specific tests based on information gathered
  Responsible for collecting data from the hosts
Information
  Data collected by modules
  Used to determine necessary modules
QualysGuard VM Engine
Host Discovery Module
  Requires: {IP ADDRESS}
  Task: Checks if remote host is alive
  Produces: {HOST STATUS: HOST DEAD?}
TCP Port Scanner Module
  Requires: {HOST STATUS: ALIVE} (host can be reached from Internet)
  Task: Finds all open TCP ports
  Produces: {TCP Open Ports}
TCP Service Detection Module
  Requires: {TCP Open Ports} (at least one open TCP port)
  Task: Detects which service is running on an open TCP port
  Produces: {Services, OS}
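The Requires/Produces chain above is data-driven: the core engine does not run modules in a fixed order, it starts whichever module the information gathered so far allows. The following added example (not Qualys code) models that scheduling; the module names and information keys are taken from the slide, while the probe results and addresses are a constructed table so it runs offline.

```python
# Added illustration (not Qualys code) of the Requires/Produces scheduling described
# above: the core engine starts whichever modules the information gathered so far
# allows. Probe results come from a constructed table so it runs offline.
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for what live probes would return for each target address.
FAKE_NETWORK = {
    "10.0.30.20": {"alive": True, "tcp_open": [22, 80], "services": {22: "ssh", 80: "http"}},
    "10.0.30.19": {"alive": True, "tcp_open": [], "services": {}},
    "10.0.30.21": {"alive": False, "tcp_open": [], "services": {}},
}

@dataclass
class Module:
    name: str
    requires: Callable[[dict], bool]  # is the information this module needs present?
    run: Callable[[dict], dict]       # returns the information it produces

def host_discovery(info):
    return {"HOST_STATUS": "ALIVE" if FAKE_NETWORK[info["IP"]]["alive"] else "DEAD"}

def tcp_port_scan(info):
    return {"TCP_OPEN_PORTS": list(FAKE_NETWORK[info["IP"]]["tcp_open"])}

def tcp_service_detection(info):
    known = FAKE_NETWORK[info["IP"]]["services"]
    return {"SERVICES": {p: known.get(p, "unknown") for p in info["TCP_OPEN_PORTS"]}}

MODULES = [
    Module("Host Discovery", lambda i: "IP" in i, host_discovery),
    Module("TCP Port Scanner", lambda i: i.get("HOST_STATUS") == "ALIVE", tcp_port_scan),
    Module("TCP Service Detection", lambda i: len(i.get("TCP_OPEN_PORTS", [])) > 0,
           tcp_service_detection),
]

def core_engine(ip):
    """Run every module whose requirements are met by the information collected
    so far, looping until no further module can start. Returns the gathered
    information and the names of the modules that ran, in order."""
    info, ran = {"IP": ip}, []
    progress = True
    while progress:
        progress = False
        for m in MODULES:
            if m.name not in ran and m.requires(info):
                info.update(m.run(info))  # new facts may unlock later modules
                ran.append(m.name)
                progress = True
    return info, ran
```

A dead host stops after Host Discovery and a live host with no open ports never loads service detection, which is the behaviour the Requires lines describe.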
Service Discovery
  Detection by valid protocol negotiation
  Non-destructive tests
Exceptions
  Services running on non-standard ports
  Services using non-standard (unpredictable) banners
Note: QualysGuard VM can detect more than 600 different services on TCP and UDP ports. To review these services go to the Help > About Section.
10 0.000689 target -> qualys TCP ssh > 3346 [SYN, ACK] Seq=0 Ack=1 Win=17187 Len=0 MSS=1460
11 0.000708 qualys -> target TCP 3346 > ssh [RST] Seq=1 Len=0
12 0.000742 target -> qualys TCP ssh > 3347 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
13 0.000751 qualys -> target TCP 3347 > ssh [RST] Seq=1 Len=0
14 0.000845 target -> qualys TCP ssh > 3348 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
15 0.000864 qualys -> target TCP 3348 > ssh [RST] Seq=1 Len=0
16 3.000233 qualys -> target TCP 3349 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841124084 TSER=0
17 3.000682 target -> qualys TCP ssh > 3349 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
18 3.000705 qualys -> target TCP 3349 > ssh [RST] Seq=1 Len=0
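The trace shows the non-destructive pattern: the scanner sends SYN, the target answers SYN-ACK, and the scanner replies RST instead of completing the handshake, so no connection is ever established. The added example below (not Qualys code) parses summary lines in that layout and labels each probe; it is the kind of check a defender can run over a capture to tell half-open probing apart from ordinary connections. The "client" and "other" hosts are constructed to show a completed handshake and a closed port alongside the scanner's probe.

```python
# Added illustration (not Qualys code): parse Wireshark-style summary lines like the
# slide's trace and label each probe. Lines for "client" and "other" are constructed.
import re

TRACE = """\
16 3.000233 qualys -> target TCP 3349 > ssh [SYN] Seq=0 Len=0 MSS=4073 WS=0 TSV=2841124084 TSER=0
17 3.000682 target -> qualys TCP ssh > 3349 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
18 3.000705 qualys -> target TCP 3349 > ssh [RST] Seq=1 Len=0
20 4.100000 client -> target TCP 40001 > ssh [SYN] Seq=0 Len=0 MSS=1460
21 4.100300 target -> client TCP ssh > 40001 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460
22 4.100400 client -> target TCP 40001 > ssh [ACK] Seq=1 Ack=1 Win=65535 Len=0
23 5.000000 other -> target TCP 40002 > telnet [SYN] Seq=0 Len=0 MSS=1460
24 5.000200 target -> other TCP telnet > 40002 [RST, ACK] Seq=1 Ack=1 Len=0
"""

LINE = re.compile(r"^\d+\s+[\d.]+\s+(\S+) -> (\S+)\s+TCP\s+(\S+) > (\S+) \[([A-Z, ]+)\]")

def classify_trace(text):
    """Group packets per (initiator, initiator port, target) and label each probe:
    half-open = SYN-ACK answered by RST and never ACKed (the scanner's pattern),
    connected = initiator completed the handshake, closed = target answered RST."""
    events = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, sport, dport, flags = m.groups()
        flags = frozenset(f.strip() for f in flags.split(","))
        if (src, sport, dst) in events or flags == {"SYN"}:
            key, who = (src, sport, dst), "initiator"   # sent by the probing side
        else:
            key, who = (dst, dport, src), "target"      # reply from the probed host
        events.setdefault(key, []).append((who, flags))
    verdicts = {}
    for key, seq in events.items():
        if ("initiator", frozenset({"ACK"})) in seq:
            verdicts[key] = "connected"
        elif (("target", frozenset({"SYN", "ACK"})) in seq
              and any(w == "initiator" and "RST" in f for w, f in seq)):
            verdicts[key] = "half-open"
        elif any(w == "target" and "RST" in f for w, f in seq):
            verdicts[key] = "closed"
        else:
            verdicts[key] = "no-response"
    return verdicts

def half_open_counts(text):
    """Half-open probes per initiating host; many from one source is the
    footprint of a non-destructive port scan in the capture."""
    counts = {}
    for (initiator, _, _), v in classify_trace(text).items():
        counts[initiator] = counts.get(initiator, 0) + (v == "half-open")
    return counts
```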
Authenticated scanning is obviously more accurate, as the host simply tells us what it is (uname -a, Windows registry, cat /etc/redhat-release, etc).
QualysGuard VM
Main Goals
Asset Discovery Map (Domains and/or Netblocks)
Provides full information on your domains (DNS records, topology)
Identifies all active hosts located in your Internet/Intranet perimeter
QualysGuard VM
Asset Discovery Map
3 Step Process
Network Discovery
Domain or Netblock
Host Discovery
Detects all active hosts
QualysGuard VM
Asset Discovery Map Network Discovery Methodology
Domain Lookup <whois>
DNS Zone Transfer
DNS Brute Force (www.qualys.com, ftp.qualys.com, mail.qualys.com)
Reverse DNS Lookups in class C range
Router and Firewall detection
Perform live host sweep (enabled by default)
Ignore firewall generated RST and SYN-ACK packets
QualysGuard VM
Vulnerability Scan First Steps Similar to Mapping
Host Discovery
  Checks for availability of target hosts. One response from the host indicates the host is "alive"
Port Scanning
  Finds all open TCP and UDP ports on target hosts, based on scan settings
Device Identification
  Attempts to identify the operating system on the first open port
QualysGuard VM
Vulnerability Scan
Vulnerability Detection Module launching
Specific vulnerability modules loaded based on information gathered in previous phases
Signatures
Template-based vulnerability signatures
Active (but non-intrusive) tests for almost all detections
Specially crafted requests to distinguish between patched and unpatched versions
Multiple tests validate each other's results to confirm the vulnerability
The KnowledgeBase
KnowledgeBase
The Central Repository
KnowledgeBase
Severity
KnowledgeBase
Severity Levels
KnowledgeBase
CVSS
Remotely exploitable vulnerabilities get priority using CVSS (http://www.first.org/cvss/)
The Common Vulnerability Scoring System allows the vulnerability to include additional metrics to determine if there is a greater potential for risk
De facto rating system for PCI
KnowledgeBase
Mitre
The KnowledgeBase correlates Vulnerabilities and CVE (http://cve.mitre.org/)
OVAL (write your own vulnerabilities and import them) is available at http://oval.mitre.org
KnowledgeBase
Anatomy of a QID
What is a QID? A numeric identifier given to vulnerabilities, potential vulnerabilities or information gathering items.
Used by other QualysGuard components:
  Option profiles
  Report Templates
  Remediation Rules
  Asset Search
  Risk Analysis
KnowledgeBase
Anatomy of a QID
Threat: defines the inherent threat within the vulnerability
Impact: defines what could happen should the vulnerability be exploited
Solution: how to fix the issue
Compliance: if there are compliance concerns
Results: what was returned when we probed for information
Disabled Vulnerabilities are still scanned, but they are not reported or ticketed
KnowledgeBase
Editing Vulnerabilities
Change Severity Levels
Threat, Impact and Solution have a user comments field
Updates from the service are not overridden
Edited Vulnerabilities are noted in Scan results
KnowledgeBase
Search
Use the search functionality to find vulnerabilities by QID, title, user configurations and other criteria
KnowledgeBase
Demo
Asset Mapping
Map Preferences
Domains/Netblocks
Asset Groups
QualysGuard Basics
Why Map the Network? Shows an overall view of your corporate assets
Asset Management
Asset Groups
Logical or physical divisions of the enterprise architecture
Asset groups can be based on:
  Device type
  Priority or criticality
  Geographic location
  Ownership (department)
(Diagram: example asset groups by location, CHICAGO, LONDON and TOKYO, each split into Servers and Desktops/Workstations.)
Asset Management
Asset Groups: Extending their use
Business Info allows your enterprise to expand the use of the Asset Groups:
  Set the Business Impact for the Risk Analysis
  Set the Asset Tags for further categorization
  Allows for more granular Scorecard Reports
Asset Management
Risk Management
Security Risk is a technical security score, calculated using:
  Vulnerability Severity Levels
  Number of Confirmed/Potential Vulnerabilities
  Average or Highest Severity
Business Risk is displayed in status (auto) reports for each asset group (typically requires sorting by asset group)
  Combines Security Risk and Business Impact
  Helps prioritize vulnerabilities among your hosts
Asset Management
Risk Management
Two factors
  Security Risk
  Business Impact (a configurable attribute of an Asset Group)
Five levels
  Titles are freely configurable
  For each Business Impact level, a weight is assigned for each Security Risk
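To make the two-factor model concrete, the added example below (not Qualys code, and not the product's actual formula) scores a few asset groups: a Security Risk level is derived from each group's confirmed findings, then a weight keyed by Business Impact level and Security Risk gives the Business Risk used for ordering. The weight matrix, impact titles, asset groups and findings are all constructed assumptions.

```python
# Added illustration (not Qualys code) of the two-factor model on the slides. The
# weight matrix, impact titles, asset groups and findings are constructed
# assumptions; the product's actual formula is not reproduced here.
# Rows: Business Impact level (titles are configurable); columns: Security Risk 1..5.
IMPACT_WEIGHTS = {
    "Minor":    [1, 2, 3, 4, 5],
    "Low":      [2, 4, 6, 8, 10],
    "Medium":   [3, 6, 9, 12, 15],
    "High":     [4, 8, 12, 16, 20],
    "Critical": [5, 10, 15, 20, 25],
}

def security_risk(findings, mode="highest"):
    """findings: list of (severity 1-5, 'confirmed' or 'potential') for the group.
    Assumed simplification: only confirmed findings count, scored as the highest
    severity or the rounded average severity; 0 means nothing confirmed."""
    sevs = [sev for sev, status in findings if status == "confirmed"]
    if not sevs:
        return 0
    return max(sevs) if mode == "highest" else round(sum(sevs) / len(sevs))

def business_risk(findings, impact, mode="highest"):
    """Weight assigned to this Business Impact level for the group's Security Risk."""
    level = security_risk(findings, mode)
    return IMPACT_WEIGHTS[impact][level - 1] if level else 0

def prioritize(groups, mode="highest"):
    """groups: {asset group: (business impact, findings)}. Returns the group names
    ordered by descending Business Risk plus the score of each."""
    scores = {g: business_risk(f, impact, mode) for g, (impact, f) in groups.items()}
    return sorted(scores, key=lambda g: (-scores[g], g)), scores

# Constructed sample using the asset groups from the CHICAGO / LONDON / TOKYO diagram.
SAMPLE_GROUPS = {
    "CHICAGO (Servers)": ("Critical", [(3, "confirmed"), (4, "confirmed"), (5, "potential")]),
    "LONDON (Desktops)": ("Low", [(5, "confirmed"), (5, "confirmed")]),
    "TOKYO (Desktops)": ("Minor", [(2, "confirmed"), (4, "potential")]),
}
```

With these weights the LONDON desktops carry the highest severity yet rank below the CHICAGO servers, because Business Impact scales the technical score.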
(Diagram: Host Info; labels: Scanner, Network 10.0.30.16/28, hosts 10.0.30.17, 10.0.30.18, 10.0.30.19 and 10.0.30.20 (?), Workstation 10.0.30.16/28, Server 10.0.30.16/28.)
Vulnerability Scanning
Asset Groups
Asset Tag
Vulnerability Scan
On Demand
Vulnerability Scan
Scheduled
Allows the automation of the scanning process
The data from a scheduled scan is not available within the subscription (scan reports and tickets) until a user logs in.
QualysGuard VM
How often to Map? How often to Scan?
How Often Should I Map? Discovery is not a one-time process. A discovery strategy assists in overall asset management.
How Often Should I Scan? Qualys updates its vulnerability database as vulnerabilities emerge.
How often to map or scan your environment should be determined by your security team and added to your corporate Security Policy.
QualysGuard Reporting
QualysGuard
Key Concepts
At the end of this section, you should be able to:
Understand Reporting Basics
Create Report templates for your audience
Sort data in the most efficient manner for your audience
(Diagram: report template inputs. Search Lists; Assets, specified as IP addresses, Asset Groups or Asset Tags.)
QualysGuard Reporting
Makes Map and Scan data readable
Create a report of pertinent data; raw data is cumbersome
Many Report Types:
  Scan Reports
  Remediation Reports
  Patch Reports
  Map Reports
  Scorecards
Uses a central repository for users to store reports for multiple viewers
QualysGuard Reporting
Report Templates
QualysGuard has a set of standard templates that assist in reporting on scans, maps, and remediation
Customized Reporting
Data Types
Status vs. Run Time Data
Status reports (Auto) utilize all cumulative (normalized) scan data for the reports - Vulnerability Management
Run Time (Manual) allows the user to choose specific scan data. Suggested for PCI reports
Customized Reporting
Display Options
(Screenshot pairing each display option setting ("This:") with the report output it produces ("Produces:").)
Customized Reporting
Display Options
Scheduled Reporting
Subscription Set Up
Report Share
Report Share is a centralized location for storing and sharing reports
When enabled for the subscription, Managers specify the maximum amount of report data that each user may save
Managers have the option to enable secure PDF distribution of reports
found within my workstation network. My support team says the report is too long, but they need to know what the vulnerability is and how to fix it, in terms of priority. How can we accomplish this?
(Diagram: Predictive Engine; labels: Host A, Windows 7, Adobe Reader 9.1, DCOM enable, iDefense Feed, Host B.)
User Management
User Roles & Permissions
Different Roles
Each Role has its own permission set
Each User can get extended permissions
Types of Roles
  Manager
  Unit Manager
  Scanner
  Reader
  Contact
User Management
User Permission Hierarchy
Most privileged
  Managers
  Unit Managers
  Scanners
  Remediation
  Reporting
Least privileged
as Manager.
Subscription Set Up
Security
Set security to prevent unauthorized users
Set security options related to how users access the system, user-defined passwords, and session time outs
User Management
Business Units
New User Role: Business Unit Manager
Not Mandatory
Business Units cannot include other business units
Business Unit attributes:
  Business Unit Manager(s)
  Asset Groups
  Users
  Comments
User Management
Business Units
Create Business Unit in Users Section
Add Asset Groups to the Business Unit
Assign Scanner & Reader Users (optional)
First User is promoted to BU Manager
User Management
Business Unit Manager
Privileges: Perform all vulnerability management functions:
  Map, Scan
  Remediation
  Reporting
Manage assets, add users, and publish template reports within their Business Unit
Extended Permissions:
  Add assets
  Create profiles
  Purge host information
  Create/edit configurations (remediation policy, authentication records/vaults, virtual hosts)
  Manage compliance, web applications
  Manage virtual appliances
Restrictions:
  Can only be in one Business Unit
  Can only be created if the Business Unit has been established
  Limited to Asset Groups defined in their Business Unit
  May not have rights to run specific reports via the API
User Management
Business Units
Search Lists
Benefits
Dynamic List updates when new QIDs meet the search criteria
No limitation to the number of QIDs in a search list
Search Lists
Static Saved Searches
Static searches are good in cases where a specific set of QIDs needs to be excluded
Search Lists
Saved Search Object Information
Detailed information about a saved search is available anywhere the is shown
General Info, the KB criteria, and all QIDs that match the criteria are shown
Also shown is a list of all report templates, option profiles and remediation rules where the list is used
Search Lists
Use Cases
Create an automatically updated report for Microsoft's Patch Tuesday vulnerabilities
Create remediation rules that link the application having the vulnerability with the right person to fix it
Exclude vulnerabilities from scanning when they may interrupt normal operation of a host
Create a self-updating report on only vulnerabilities that have a patch available
Create a report that contains a static list of authentication QIDs to validate successful QualysGuard authentication
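The difference between a dynamic and a static search list, and the use cases listed above, are easiest to see with a small model. The added example below (not Qualys code) keeps a tiny constructed KnowledgeBase and shows a dynamic list picking up a newly published QID while a static exclusion list stays fixed; the QID numbers, vendors and titles are made up.

```python
# Added illustration (not Qualys code) of dynamic versus static search lists. The
# KnowledgeBase entries, QID numbers, vendors and titles are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class KBEntry:
    qid: int
    title: str
    vendor: str
    severity: int
    patch_available: bool

# Constructed KnowledgeBase snapshot (QIDs are made up).
KB = {e.qid: e for e in [
    KBEntry(90001, "MS Windows SMB flaw", "Microsoft", 5, True),
    KBEntry(90002, "Apache HTTPD info leak", "Apache", 2, True),
    KBEntry(90003, "MS Office macro issue", "Microsoft", 4, True),
    KBEntry(90004, "Legacy printer DoS", "Vendor X", 3, False),
    KBEntry(45001, "Windows authentication OK", "Qualys", 1, False),
]}

class DynamicList:
    """Re-evaluates its KB criteria whenever it is used, so QIDs published later
    that match are picked up automatically, with no cap on the member count."""
    def __init__(self, name, criteria):
        self.name, self.criteria = name, criteria
    def qids(self, kb):
        return {qid for qid, e in kb.items() if self.criteria(e)}

class StaticList:
    """A fixed set of QIDs; new KB entries never change it."""
    def __init__(self, name, qids):
        self.name, self._qids = name, frozenset(qids)
    def qids(self, kb):
        return {q for q in self._qids if q in kb}

# The slide's use cases, as constructed lists.
PATCH_TUESDAY = DynamicList("Microsoft Patch Tuesday",
                            lambda e: e.vendor == "Microsoft" and e.patch_available)
PATCHABLE = DynamicList("Has a patch available", lambda e: e.patch_available)
DISRUPTIVE = StaticList("May disrupt the host", {90004})   # excluded from scanning
AUTH_CHECK = StaticList("Authentication QIDs", {45001})    # validates trusted scans

def scan_scope(kb, exclude):
    """QIDs a scan would test after a static exclusion list is applied."""
    return set(kb) - exclude.qids(kb)

def add_entry(kb, entry):
    """Simulates the service publishing a new QID; returns an updated KB copy."""
    return {**kb, entry.qid: entry}
```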
Although recommended in some cases, in general it is better to attach a saved search to a Report or Remediation Rule.
Option Profile
Authenticated (Trusted) Scanning
Connect to the service to extract more meaningful data
Discover vulnerabilities not detected by an untrusted scan
Confirm Potential Vulnerabilities
Authentication Vaults
In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge.
Some organizations are reluctant to let their credentials leave the network
Remediation tickets can be created/viewed from within reports that contain the workflow action icon (e.g., High Severity and Technical Reports). QualysGuard automatically marks Open tickets as Closed/Fixed (when the vulnerability is no longer detected).
Remediation
Create a new Rule
Ticket Assignment
  A specific user
  Asset Owner
  The user who launched the scan
Set Deadline for remediation
Remediation
Manual Ticket Creation & Verification
Manual Trouble ticket generation
  From Automatic Report
  From Host Information
Optional
Thank You