LAS VEGAS – In the 1950s, British transportation expert John Glen Wardrop popularized several theories related to network equilibrium models that are useful for predicting traffic patterns and congestion. To prove the theories, he used a tool to help collect data – cables that registered when cars drove over it.

Fast forward 60 years and the same principles are being applied to solving traffic jams on a different type of network – corporate networks. In the area of network security, QualysGuard Vulnerability Management is the default solution to show corporations the risk posture of their networks, Ward Holloway, vice president of business development at FireMon, said in a session at Qualys Security Conference 2013 on Friday. “It’s effective at its job, the backbone of you being able to assess risk in your environment, like a data cable,” he said.

photo credit: Buzrael

“But as network security practitioners, you may be working with a complex (environment), multiple data centers around the world, different connections to different partners, tens of thousands of remote connections. When you run a scanner it’s not unusual to be told there are 85,000-90,000 vulnerabilities in an entire infrastructure,” Holloway said. “Which one do you focus on and fix first?”

Similar to traffic engineering, it helps to see the full context of the environment. Upstream, there may be a firewall that blocks all SQL coming into the segment, for example. Or there could be a low-value asset, say a Windows machine running a legacy, outdated billing application, which doesn’t need immediate patching. However, due to a firewall misconfiguration, the server is reachable from the outside, potentially putting valuable financial data at risk.

To address this, FireMon offers an automated traffic management system for risk in corporate environments that allows customers to take the Qualys data and overlay it with the knowledge of the network layout, the switches and routers and intrusion prevention systems to see “exactly how data travels through the network,” according to Holloway. For instance, a corporation could find out that “out of 5,000 vulnerabilities, there’s only 400 you need to worry about that are actually reachable right now,” and of those, only 30 are vulnerable to remote code execution, so fix them first.

Now that’s one way to keep bad guys out of the network.

LAS VEGAS — At a reception late last week at Qualys Security Conference 2013, I talked to a Qualys customer who said Qualys does a great job at vulnerability scanning, in fact, too great of a job in the opinion of some of his IT staff. As QualysGuard identifies vulnerabilities, you must triage the problems to fix them.

We all know that what you don’t know can definitely hurt you when it comes to computer security. With QualysGuard data in hand, it is important to determine: Which issues are the most important? What can be done to remediate them effectively and efficiently? The answers to these questions depend on the customer’s specific networks and operations, which only the customer can truly understand.

photo credit: James Lumb

QualysGuard is integrated with tools that can help customers prioritize their remediation steps. Corey Bodzin, solution manager for RSA, gave an overview of RSA’s Archer Risk Management solution, which helps organizations assess and resolve risks identified by Qualys. Marlene Veum, director of security for product development IT at Oracle, talked about how organizations can find the “actionable needle in the compliance haystack” by using Oracle Application Express.

With Archer, IT admins can pull the technical data into one place, set up a workflow and rules, prioritize issues and measure outcomes to make the best business decisions possible. Maybe a proof-of-concept that has been ignored should now be paid attention to because it’s being used in active watering hole attacks targeting the customer’s industry. “Something has changed that makes me want to respond differently,” Bodzin said in this scenario. “Archer sees that it’s flagged and that it’s part of the PCI data world… Now I’ve got to go in and ask people what are you going to do and address this change.” Archer can also help admins measure the results, find out what the average remediation time, for instance. “If an issue is 45 days old but it took 28 days to make a decision, then we need to fix it,” Bodzin said. The outcomes can be published in Archer dashboards and viewed by executives as a part of the company’s overall IT, operational and financial risk. “Qualys grabs the technical bits and Archer helps grab the human bits,… and make good business decisions in a timely fashion,” he said.

Meanwhile, Oracle’s system helps companies pull data from other sources within the company to put the Qualys data into context. Qualys “is so good at collecting information that that’s the challenge — how do you deal with it?” Veum said. By pulling in asset, system and network information, and establishing a baseline, an organization can get better understand its environment. It’s important to “have the ability to see we have a problem and to share the information with people who can act on it,” she said. Oracle Application Express, a free html-based tool that works with Oracle Database, has an executive dashboard for executives to see consolidated scans broken down by line of business and viewable by project status, scan summary and categories like vulnerability type.

Having data on vulnerabilities is just one part of managing risk; you need to know enough about your network to decide how to act on the information. These tools in the Qualys ecosystem can help organizations get the most out of their vulnerability data.

LAS VEGAS – Qualys founder and CEO Philippe Courtot has a vision for the future, and if he succeeds you might not even see it.

Basically, he’s working to make security a part of the fabric of the IT infrastructure on which companies run their businesses. And to make things easier on people using the systems, the security should be painless and out of sight, and just do its work in the background.

“The challenge is to bring security into this new infrastructure and make it invisible,” he said in his keynote at the Qualys Security Conference 2013 today. Security should not be a burden for anyone, otherwise it’s a failure.

Qualys’ aim is to “build continuous security into the fabric of the cloud. In the mainframe world, it took 10-15 years to build security into their infrastructure,” he said. “In the cloud security world we had to do everything again, and the challenge is to bring security into that infrastructure.”

About five years ago or so, Qualys adopted a philosophy from an unlikely source — Goldman Sachs. The financial services firm had a security model in which it used different enterprise security tools to ensure the security of the entire infrastructure and treated vulnerabilities as a part of compliance. It might seem counter-intuitive, but that approach is more dynamic and effective, Courtot said. If a device if misconfigured, in violation of an internal policy or external regulations, it can be addressed more quickly than dealing with disparate enterprise software solutions that have different update cycles, for example.

“At the core, you define your assets, then provide them attributes, fingerprint them…” he said. “Now you can have two different views, from compliance and security. You want to have the ability to report, to look at trending, have alerts and integrate with another solution, and deliver all of it on a global scale. That’s what Qualys is all about. It’s our fundamental belief that this is the right model — to build security into the fabric of the cloud.”

Courtot also teased some new features that are coming up from Qualys. The company already is using its cloud protection architecture to bring security to a range of platforms, such as Amazon Web Services, Azure and vCloud, and it is increasing scalability, working to expand the capabilities of protecting against network threats, focusing on Web application security and expanding the notion of continuous monitoring of the perimeter.

LAS VEGAS — When John Streufert was CISO at the U.S. State Department he saw that the agency was losing a lot of money and wasting a lot of employee time trying to defend against cyber attacks. And despite all the audits and reports, the defense wasn’t working – the bad guys were getting in and stealing data.

Video: John Streufert Keynote at QSC

So, he overtook a move to continuous monitoring of the network that was able to reduce as much as 90% of the security risk, he said in a keynote at the Qualys Security Conference 2013 today. Specifically, they were able to identify the worst problems in minutes rather than years, to fix the worst problems in days as opposed to months, and get costs down to about $200 million compared to $600 million per year.

Now, Streufert is bringing that same game plan to the Department of Homeland Security where he is director of federal network resilience.  “We are in the process of making a shift in the federal government as to how we handle our security challenges,” he said. “Continuous Diagnostics and Mitigation can stop 85% of cyber related attacks” and report on attacks in near real time, as well as enable system administrators to respond to exploits much faster.

The system can help the agency avoid being low-hanging fruit.  According to CSIS and Verizon reports: 75% of attacks use known vulnerabilities that could be patched; more than 90% of successful attacks require only the most basic techniques; and 96% of them could be avoided if there had been simple or intermediate controls in place.

At the State Department the statistics of the environment before the changes made for a strong economic case, Streufert said:

• Every three days there were trillions of security events; millions of attempted attacks; thousands new flaws introduce; and hundreds of successful attacks.

• Every three months there were over 10,000 successful attacks; terabytes of data stolen; 7,200 reports written; and hundreds of labor hours wasted.

• Every three years there are thousands of assessments and other reports written, each requiring 3-9 months to prepare and out-of-date the moment they are printed; and the data provide only a snapshot in time versus real-time identification and mitigation of problems.

These manual processes, reports and audits cost between $600 million and $1.9 billion a year, or $1,400 per page, and result in the equivalent of 438 feet of paperwork. They also consume as much as 65% of the overall IT security effort in the agencies involved, according to Streufert.

He was asked to go to DHS to work on moving the agency from a cybersecurity defense strategy modeled on process and compliance to one focused on continuous diagnostics and mitigation. The first phase will be completed this year, the second phase next year and the final phase in 2015. The cost will be about $600 million over three years.

Update: See attachments for data sheet describing the US Department of Homeland Security Continuous Diagnostics and Mitigration Program.

Attachments

Continuous Diagnostics and Mitigation Program 175.4 K