#CiscoLive
David Brothers, Technical Solutions Architect (@brosdavid)
BRKSEC-1639: Vulnerability Management with Cisco Kenna
An Introduction to Risk-based Vulnerability Management
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
- Introductions
- Most relevant Use Cases for Kenna.VM
- Kenna Data Aggregation
- Kenna Prioritization
- Managing Risk with Kenna
- Cisco Portfolio Integrations
- Other Use Cases for Cisco's Kenna
- Conclusion

Introductions: David Brothers, Technical Solutions Architect
- Dallas, Texas area
- 30 years in the IT industry
- 12 years in Cyber Security
- 7 years at Kenna Security
- Vulnerability Management practitioner prior to Kenna
- Likes to stay active and travel
- LinkedIn: https:/

Mission Statement
Vulnerability Scanning and Management is a very mature, commoditized and uninspiring technology. It's a "pain in the neck" for most people involved in the tasks around Vulnerability Management. Let's revive VM. Kenna's risk-based approach makes Vulnerability Management more effective for SecOps, more efficient and target-oriented for ITOps (asset owners), and more measurable for IT Management.

The Use Cases of Cisco's Kenna Security
Why are customers investing in Kenna Security? Five use cases:
- Aggregation: ingesting all your vulnerability data
- Prioritization: applying our intelligence to your data
- Enriching Data: ingesting existing asset data
- Distribution: getting the information to the right people
- Reporting: providing a holistic view of your risk

Step 1: Putting it all in one place (Aggregation)
- Vulnerability scanners: Qualys, Tenable, Rapid7
- Dynamic Application Security Testing: AppSpider, Qualys WAS
- Static Application Security Testing: Checkmarx, Veracode, BlackDuck
- Pen Test data: w3af, Netsparker, Acunetix
- Bug Bounty data: HackerOne

Step 2: Normalization, Correlation, Risk-based Scoring (Prioritization)
- Based on real-time global threat and exploit intelligence: 18+ data sources, zero-day threats, malware, exploit volume and velocity, 10+ years of vulnerability data science
- De-duplication of scanner vulnerabilities
- Adding Kenna vulnerability intelligence: fixes, related malware, exploits
- Apply SLAs to all ingested vulnerabilities

Step 3: Adding asset details to the picture (Enriching Data)
- Enrich vulnerability data with asset information: CMDB, general asset information stored anywhere (XLS, CSV etc.)
- Defining asset priorities: risk bump for internet-facing assets
- Asset ownership information
- Asset tags: Department, Location, Application

Step 4: Structure the Data, Provide access to Stakeholders, Use Ticketing (Distribution)
- Structuring all data as needed with Risk Meter groups
- Efficient dissemination of data to remediation teams, leadership etc.
- Use Ticketing System integration to distribute vulnerability information
- Establish a "Self-Service" approach with the Kenna platform
- Smart Remediation: actionable measurements that guide remediation efforts and resource allocation

Step 5: Measure Success, Find Weaknesses in Remediation (Reporting)
- A fully automated workflow that produces the essential cyber risk reporting and evaluation
- Real-time threat data provides visibility into the organization's real risk exposure
- Detailed, holistic reports and benchmarks help keep your organization aligned
- Enables executives to make data-driven decisions on security resource investment

Risk-based vulnerability management (RBVM): Cisco Vulnerability Management
Enterprise Data and Global Threat Intel, processed with Data Science | Scale | Expertise, feed a Unified Dashboard, Risk-Based Prioritization, Remediation Guidance, Reporting & Benchmarking and Vulnerability Intelligence*. The outcomes: real risk reduction with less effort, visibility of risk across the business, and a business-wide language for risk.

Kenna Data Aggregation

Modes of Data Ingestion to Kenna
Native Connectors
- Built into the Kenna.VM user interface
- API-based
- Configuration and scheduling via the Kenna.VM user interface
- Quick and easy, usually done in minutes
Kenna Toolkit
- Standalone container providing translations for the Kenna Data Importer
- API-based
- Mainly used for pre-release integrations
- Customer-hosted for evaluations
- Kenna-hosted for production deployments
Kenna Data Importer (KDI)
- Native generic connector for data ingestion based on the Kenna JSON format
- JSON-based
- Mainly used in conjunction with the Kenna Toolkit
- Foundation to develop custom-made integrations

Modes of Kenna Data Ingestion: Native vs on-prem Kenna Toolkit vs hosted Kenna Toolkit
[Diagram with three paths into Kenna: (1) Native Connectors: the scanner cloud platform connects directly, while a customer-premise scanner console connects through the Kenna virtual Tunnel VM (.iso). (2) On-prem Kenna Toolkit container: the customer-premise scanner console or scanner cloud platform is read by the container, which submits to the Kenna Data Importer. (3) Hosted Kenna Toolkit container: the scanner console or scanner cloud platform is read by the Kenna-hosted container, which submits to the Kenna Data Importer.]

Full List of Connectors (as of today), for your reference
 #  Product Name                             Type            Deployment
 1  Acunetix Connector                       DAST            Native
 2  Aqua Container Scanning                  Containers      Toolkit
 3  AWS Guardduty                            Config          Toolkit
 4  AWS Inspector                            Config          Toolkit
 5  BeyondSecurity AVDS                      (none listed)   Native
 6  Bitsight API                             Footprinting    Toolkit
 7  BlackDuck API                            SCA             Native
 8  BlackDuck JSON                           SCA             Native
 9  Brakeman                                 SAST            Native
10  Bugcrowd API Connector                   Bug Bounty      Native
11  Burp Suite Pro                           DAST            Native
12  Checkmarx API Connector                  SCA             Native
13  Checkmarx XML Connector                  SCA             Native
14  Cherwell Connector                       Ticketing       Native
15  Contrast Assess IAST API Connector       IAST/SCA        Toolkit
16  Crowdstrike Spotlight                    NG AV Agent     Native
17  Eclypsium                                Scanner         Partner
18  Edgescan                                 (none listed)   Toolkit
19  Expanse                                  Footprinting    Toolkit
20  Fortify XML File                         SAST            Native
21  HackerOne API Connector                  Bug Bounty      Native
22  HCL AppScan Enterprise                   DAST            Native
23  HCL AppScan Standard                     DAST            Native
24  Imperva WAF Outbound Connector           WAF             Native
25  JIRA                                     Ticketing       Native
26  Lacework                                 (none listed)   Toolkit
27  McAfee Vuln Manager                      AV Agent        Native
28  Microfocus Static Code Analyzer          SAST            Native
29  Microfocus WebInspect                    DAST            Native
30  MSFT Defender ATP                        AV Agent        Native
31  MSFT Defender TVM                        AV Agent        Native
32  Nessus Importer                          Scanner         Native
33  Nessus XML                               Scanner         Native
34  Netsparker                               DAST            Native
35  NMAP                                     Footprinting    Native
36  OpenVas XML Connector                    Scanner         Native
37  Outpost24 AppSec Suite                   DAST            Native
38  Outpost24 Outscan                        Scanner         Native
39  Outpost24 SWAT                           (none listed)   Native
40  Prisma Cloud Compute Edition             Containers      Native
41  Prisma Cloud Compute SaaS                Containers      Native
42  Qualys AssetView                         Scanner         Native
43  Qualys VM Connector                      Scanner         Native
44  Qualys WAS Connector (findings)          DAST            Toolkit
45  Qualys WAS Connector (traditional)       DAST            Native
46  Rapid7 (NTO) AppSpider File Connector    DAST            Native
47  Rapid7 InsightVM                         Scanner         Native
48  Rapid7 Nexpose XML Connector             Scanner         Native
49  Remedy                                   Ticketing       Native
50  RiskIQ API Connector                     Footprinting    Toolkit
51  SaltStack                                Patch Mgmt.     Partner
52  Security Scorecard API Connector         Footprinting    Toolkit
53  ServiceNow                               Ticketing       Native
54  ServiceNow CMDB                          Ticketing       Native
55  ServiceNow VR App                        Ticketing       Native
56  Snyk.io                                  AppSec          Toolkit
57  Sonatype API Connector                   SCA             Native
58  Synack                                   Bug Bounty      Partner
59  Tanium Comply File Connector             Scanner         Native
60  Tenable.io                               Scanner         Native
61  Tenable Nessus XML                       Scanner         Native
62  Tenable SecurityCenter API               Scanner         Native
63  Tripwire                                 Scanner         Native
64  Trustwave (Cenzic) Hailstorm             DAST            Native
65  Veracode API (findings)                  SAST            Toolkit
66  Veracode API (traditional)               SAST            Native
67  Veracode DAST (findings)                 DAST            Toolkit
68  Veracode DAST (traditional)              DAST            Native
69  Veracode SCA (findings)                  SCA             Toolkit
70  Veracode SCA (traditional)               SCA             Native
71  Veracode XML Connector                   SAST            Native
72  w3af File Connector                      DAST            Native
73  WhiteHat Sentinel API Connector          DAST            Native
74  WhiteHat Source API Connector            SAST            Native
75  ZAP                                      DAST            Native

Kenna Data Ingestion: Cloud vs On-Premise
[Diagram with three ingestion paths: (1) Direct Cloud Connectors from a scanner cloud platform. (2) A customer-premise scanner console reached through the Kenna virtual Tunnel VM (.ova) over an encrypted virtual tunnel. (3) A customer-premise scanner console reached through the Kenna Agent for Linux (.rpm), encrypted via HTTPS.]

Integrating on-premise Deployments
Kenna Virtual Tunnel
- Linux-based virtual appliance, provided as an OVA image
- Works on all modern VM hypervisors
- Configured and controlled by the Kenna platform
- Connects to local scanner deployments to export the data
- Creates a virtual tunnel (OpenVPN) to upload the data to Kenna securely
Kenna Agent
- A software image that installs on your own OS
- Only supported for the following on-premise solutions: Nexpose, Nessus, Sonatype, BlackDuck
- Configured and controlled locally
- OS supported: RHEL or derivative (RHEL 7+, CentOS 7+, Fedora 28+)
Direct Connection
- Provides direct access to the on-premise deployment from the Kenna SaaS platform
- On-premise management must be reachable from the Kenna cloud
- Not recommended, for obvious reasons: the scanner's management interface becomes reachable from outside

Kenna Data Prioritization

The Vulnerability Problem
- The number of vulnerabilities increases by 15 to 20% per year
- Organizations are able to fix less than 20% of the vulnerabilities they find
Issue #1: Prioritization is a MUST!
Issue #2: The number of vulns is constant!
If the number of existing open vulns actually does not change:
- What is a helpful measure to prioritize vulnerability remediation efforts?
- What is a meaningful benchmark for success in VM?

The Vulnerability Problem: CVE Per Year
[Chart: CVEs published per year. Source: https:/cve.icu/intro.html]

Why is the Exploitability of Vulnerabilities relevant?
Exploitability: what is the likelihood that a given vulnerability will be exploited within a window of time?
- Kenna Security, the Cyentia Institute, and others have been collaborating on the Exploit Prediction Scoring System (EPSS), maintained by a Special Interest Group at FIRST.org
- EPSS is an open, data-driven effort for predicting whether and when vulnerabilities will be exploited in the wild: https:/www.first.org/epss/
- Cyentia also performed a real-world analysis of 3 billion vulnerabilities managed across 500+ organizations and 55 sources of external intelligence
- This research also leverages Kenna's Vulnerability Intelligence
- Results: https:/
Key Findings for Exploitation Relevance
- The chance of a vulnerability being exploited in the wild is 7x higher when exploit code exists
- The volume of exploitation detections jumps five-fold upon release of exploit code

What about CVSS? A Poor Predictor of Exploitability
CVSS is a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. BUT most reported vulnerabilities are never acted upon by hackers.
[Chart: Number of CVEs per CVSS Base Score (1 to 10), split into "Exploit Exists" and "No Known Exploit", with the "Remediation Strategy CVSS 7+" cut-off marked. Source: Kenna/Cyentia]

Most vulns are never exploited
Key Findings for risk-based Vulnerability Prioritization
- Only 23% of published vulnerabilities have associated exploits or published exploit code
- Less than 2% of published vulnerabilities have observed exploits in the wild
Comparison of CVEs with exploit code and/or observed exploits in the wild relative to all published CVEs (Source: Kenna/Cyentia):
- 0.6% of CVEs only have executed exploits in the wild
- 1.2% of CVEs have published and observed exploits
- 21.2% of CVEs only have an exploit publicly released
- 77% of CVEs have no published or observed exploit

Kenna's Risk-based Prioritization: Filtering out the Noise, Highlighting real Risk
The funnel runs from all Vulnerabilities & Weaknesses down through CVSS, Scanner, Scanner Add-on and Kenna to "The Vulns that Matter".
CVSS Score
- Static and does not measure risk
- Measures technical severity
- Not a predictor of exploitation
Scanner Score
- Marginal improvement upon CVSS
- Usually CVSS-based without Threat Intel
- No exploit prediction capabilities
Scanner Add-on (prioritization capabilities)
- Limited external Threat Intel
- No additional Threat Intel, no Talos
- No exploit prediction capabilities
Kenna Risk Scores
- Predictive, dynamic
- Incorporates a broad array of threat intel, including unique volume and velocity data
- Uses modern data science techniques (ML)

Managing Risk with Kenna

Enriching the Vulnerability Data
Vulns are enriched by Kenna Exploit and Threat Intelligence, but assets need enrichment too. Kenna provides dedicated attributes for the most important asset information:
- Asset Owner (optional, empty by default, provided by asset data)
- Asset Priority (optional, set to 10 by default, provided by asset data)
- Operating System (optional, usually provided by the scanner source)
- Type (optional, usually provided by the scanner source)
- Application Identifier (optional, usually provided by the scanner source)
Any additional information must be imported into Asset Tags. Tag sources include vulnerability management tools, CMDB, asset inventory, spreadsheets, etc. Tags are important for more granular slicing of data in Risk Meters.

Tagging Caveats (for your reference)
- Users can create and manage tags directly in the Kenna Platform (not recommended due to Tag Reset issues)
- Using the API/KDI to import from external sources is recommended: Asset Updater script (see Kenna sample scripts) https:/ or a Kenna Toolkit task https:/
- Prefixes help to clarify tags: OS-Owner:John / SW-Owner:Jane
- Tags are additive only by default; tags are not replaced or updated
- The Tag Reset option on Connectors & KDI removes all tags, no matter how they were created:
  - Only works if the customer has 1 connector, or few enough that runs can be perfectly timed
  - Can be turned on via the UI but turned off only via the console
  - Works one asset at a time as assets are found by the scanner, which maintains reporting integrity
  - To coordinate with many scanners, you have to do a full tag wipe and run all connectors and scripts simultaneously so they can complete before the nightly reporting run
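To make the additive and Tag Reset behaviour concrete, here is an added simulation (not Kenna code; the asset, connector and tag names are constructed) of the three situations the slide describes: owner tags piling up, a Tag Reset from one connector wiping another connector's tags before the nightly report, and the coordinated wipe-then-rerun workaround.

```python
"""Simulation of the tag behaviour described in the Tagging Caveats slide
(added illustration, not Kenna code; asset and tag names are constructed).
Assumed model: a connector or KDI run delivers a set of tags for an asset;
by default tags merge additively, and with Tag Reset on, every existing tag
on the asset is dropped first, regardless of which source created it."""


def apply_run(asset, tags, tag_reset=False):
    """Apply one connector/KDI run to an asset and return its resulting tag list."""
    current = set() if tag_reset else set(asset["tags"])
    asset["tags"] = sorted(current | set(tags))
    return asset["tags"]


def additive_drift():
    """Default behaviour: an owner change leaves the old owner tag in place."""
    asset = {"hostname": "web01", "tags": []}
    apply_run(asset, ["OS-Owner:John", "Location:Dallas"])
    apply_run(asset, ["OS-Owner:Jane", "Location:Dallas"])  # John handed over to Jane
    return asset["tags"]  # both owner tags survive, so owner-based Risk Meters double-count


def reset_collision():
    """Two sources tag one asset but only the CMDB import has Tag Reset enabled."""
    asset = {"hostname": "web01", "tags": []}
    apply_run(asset, ["Scanner:Nessus", "OS:Linux"])        # scanner connector, additive
    apply_run(asset, ["OS-Owner:Jane"], tag_reset=True)      # CMDB run wipes everything first
    seen_by_nightly_report = list(asset["tags"])             # scanner tags are gone
    apply_run(asset, ["Scanner:Nessus", "OS:Linux"])         # they only return on the next scan
    return seen_by_nightly_report, asset["tags"]


def coordinated_refresh(asset, runs):
    """The slide's workaround: one full tag wipe, then every connector and script
    run applied additively before the nightly reporting job."""
    asset["tags"] = []
    for tags in runs:
        apply_run(asset, tags)
    return asset["tags"]
```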
Kenna Searches and Filters
Searches and Filters are powerful capabilities to structure your vulnerability data:
- Attributes can be combined with logical operators (AND, OR)
- Check for the existence of a term (_exists_, -_exists_)
- Flexible date operators (2y, 7d, ranges)
- Asset and Vulnerability terms can be used in conjunction for more advanced and granular searches, e.g. priority:10 AND vulnerability_score:80 AND _exists_:fix
Filters are selectable UI elements: easy to use, predefined, not comprehensive.
Searches are flexible custom query strings: more complex, adaptive, comprehensive.

Kenna Risk Meters
A Risk Meter is a saved search query or "Group": an at-a-glance look at your vulnerability data for the assets and vulnerabilities matching the query. Risk Meters provide a way to easily view the state of different areas of your business. Detailed reports are attached to each Risk Meter:
- Understand your risk posture for a particular area
- Report on risk reduction and remediation progress
- Ability to easily measure and report on risk reduction, residual risk, and overall program status
- Provide more succinct and digestible views of actionable remediation tasks (Top Fixes)
- Allows for customized dashboard views that only show stakeholders the Risk Meters that apply to them

Kenna Risk Meters: Dashboards
[Screenshots: Dashboard Views; Hierarchical Risk Meters]

How to leverage Risk Meters? Risk Meter Strategy
How do you want to measure and report on risk?
- By Platform/OS
- By Business Unit/Department/Team
- Business Application
- Geographical Location
- Executive/BoD reporting
- Regulatory/Compliance
How do vulnerabilities get remediated?
- Centralized or Decentralized
- Review the ITOps and DevOps org chart
- Remediation tracking and unit-level reporting

Risk Meter Example Use Case: Infrastructure vs. Application Risk Meters
Problem: remediation teams are not responsible for all components of an asset.
Solution: create Risk Meters which filter on specific Fix Titles. This type of search will catch most new vulnerabilities and direct them to the right team. The queries will need to be adjusted for your organization, and over time, to accommodate new items. The queries can be combined with any other attribute or asset tag.
Infrastructure Vulnerability Search (note the "-" sign used as NOT):
-fix_title_keyword:(Oracle OR (Microsoft AND Office) OR (Microsoft AND Word) OR (Microsoft AND Excel) OR Java OR Flash OR Acrobat OR .NET OR Silverlight OR ASP.NET OR WebSphere OR Apache OR SQL OR VBScript OR (Adobe AND Reader) OR Acrobat OR Firefox OR (Google AND Chrome))
Application Vulnerability Search (the positive version of the same query):
fix_title_keyword:(Oracle OR (Microsoft AND Office) OR (Microsoft AND Word) OR (Microsoft AND Excel) OR Java OR Flash OR Acrobat OR .NET OR Silverlight OR ASP.NET OR WebSphere OR Apache OR SQL OR VBScript OR (Adobe AND Reader) OR Acrobat OR Firefox OR (Google AND Chrome))
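As an added illustration (not Kenna's own search engine) of the query syntax introduced on the Searches and Filters slide and of the infrastructure/application split above, the following Python evaluator parses that query language and runs the deck's own queries against constructed sample records; it also confirms that the negated and positive fix_title_keyword queries partition the data. The match rules (equality for numbers, case-insensitive substring for text) and the mapping of fix_title_keyword onto a "fix" title field are assumptions.

```python
"""Evaluator for the Kenna-style search syntax shown on the slides (added
example, not Kenna's parser). Supports field:value, _exists_:field, '-' as NOT,
AND/OR (AND binds tighter), parentheses and field:(A OR (B AND C)) groups.
Matching is a simplifying assumption: numbers compare equal, text matches as a
case-insensitive substring."""
import re

TOKEN_RE = re.compile(r'\(|\)|-|"[^"]*"|[^\s()":]+|:')
FIELD_ALIASES = {"fix_title_keyword": "fix"}  # assumption: keyword search hits the fix title

def tokenize(query):
    tokens = TOKEN_RE.findall(query)
    if re.sub(r"\s", "", "".join(tokens)) != re.sub(r"\s", "", query):
        raise ValueError("unparseable characters in query")  # something was skipped
    return tokens

def take(toks, expected=None):
    if not toks or (expected is not None and toks[0] != expected):
        raise ValueError(f"expected {expected or 'a term'}, query ended early or mismatched")
    return toks.pop(0)

def parse_or(toks, field=None):
    left = parse_and(toks, field)
    while toks and toks[0] == "OR":
        toks.pop(0)
        left = ("or", left, parse_and(toks, field))
    return left

def parse_and(toks, field=None):
    left = parse_term(toks, field)
    while toks and toks[0] == "AND":
        toks.pop(0)
        left = ("and", left, parse_term(toks, field))
    return left

def parse_term(toks, field=None):
    tok = take(toks)
    if tok == "-":                         # leading '-' negates the following term
        return ("not", parse_term(toks, field))
    if tok == "(":
        node = parse_or(toks, field)
        take(toks, ")")
        return node
    if toks and toks[0] == ":":            # field:value, _exists_:field or field:(...)
        toks.pop(0)
        if tok == "_exists_":
            return ("exists", take(toks))
        if toks and toks[0] == "(":
            toks.pop(0)
            node = parse_or(toks, field=tok)  # bare words in the group apply to this field
            take(toks, ")")
            return node
        return ("match", tok, take(toks))
    if field is None:
        raise ValueError(f"bare term {tok!r} outside a field group")
    return ("match", field, tok)

def evaluate(node, record):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if kind == "not":
        return not evaluate(node[1], record)
    if kind == "exists":
        return record.get(FIELD_ALIASES.get(node[1], node[1])) not in (None, "", [])
    _, field, wanted = node
    actual, wanted = record.get(FIELD_ALIASES.get(field, field)), wanted.strip('"')
    if actual is None:
        return False
    if isinstance(actual, (int, float)):
        return wanted.replace(".", "", 1).isdigit() and float(actual) == float(wanted)
    return wanted.lower() in str(actual).lower()

def search(query, records):
    """Return the records matching a query string, in their original order."""
    toks = tokenize(query)
    tree = parse_or(toks)
    if toks:
        raise ValueError(f"unexpected trailing tokens: {toks}")
    return [r for r in records if evaluate(tree, r)]

VULNS = [  # constructed sample records, not Kenna data
    {"id": 1, "priority": 10, "vulnerability_score": 80, "os": "Windows Server 2012",
     "fix": "Microsoft Office security update"},
    {"id": 2, "priority": 10, "vulnerability_score": 80, "os": "Windows Server 2016",
     "fix": "Apply KB for Windows kernel"},
    {"id": 3, "priority": 5, "vulnerability_score": 80, "os": "Red Hat Enterprise Linux 8",
     "fix": "Upgrade Apache httpd"},
    {"id": 4, "priority": 10, "vulnerability_score": 80, "os": "Windows Desktop 10",
     "fix": ""},  # no fix published yet, so _exists_:fix is false
]
PAGE_QUERY = "priority:10 AND vulnerability_score:80 AND _exists_:fix"
APP_QUERY = ("fix_title_keyword:(Oracle OR (Microsoft AND Office) OR (Microsoft AND Word) "
             "OR (Microsoft AND Excel) OR Java OR Flash OR Acrobat OR .NET OR Silverlight "
             "OR ASP.NET OR WebSphere OR Apache OR SQL OR VBScript OR (Adobe AND Reader) "
             "OR Acrobat OR Firefox OR (Google AND Chrome))")
INFRA_QUERY = "-" + APP_QUERY  # the same group negated: fixes the application team does not own
```

Every record lands in exactly one of the two Risk Meters, which is the property that makes the infrastructure/application split safe to hand to two teams.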
87、EC-163935 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRisk Meter Example Use CaseHierarchical Risk MetersProblem:Problem:Reporting on what systems create majority of Risk;Identifying Sources of RiskSolution:Solution:Create Hierarchical Risk Meters which filter on speci
88、fic OS versionsQueries can be combined with any other attribute or asset tagFirst Level First Level Search for all Windows Search for all Windows os:”Windows”Second Level Second Level Search for Servers/DesktopsSearch for Servers/Desktopsos:”Server”os:”Desktop”Third Level Third Level Differentiate S
89、erver OS VersionsDifferentiate Server OS Versionsos:”2008”os:”2012”os:”2016Distribution Get information to the right peopleBRKSEC-163936 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTop Fix Groups“Top Fix GroupsTop Fix Groups”are integral part of each Risk MeterProvide
90、guidance for Asset Owners on which remediation actions will give them the biggest“bang for their buckbang for their buck”in risk score reductionGroups of up to three Fixes each leading to maximum Risk MitigationGroups of Fixes sorted in the order of Risk ReductionGroup 1 providing a Risk Reduction o
91、f 54 Points with 1 FixAdditional information about the selected Fix and the affected AssetsBRKSEC-163937Distribution Get information to the right people 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAnother Risk Meter Example Use CaseProviding access to the Data that mat
92、ters to PeopleProblem:Problem:Stakeholders should be able to focus on information that is relevant to themSolution:Solution:Create Risk Meters based on your Org structure Create Roles in Kenna according to your Org structure with differentiated privilegesDistribution Get information to the right peo
93、pleBRKSEC-163938 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRisk-based Service Level AgreementsRisk-based SLAs help Security and IT teams set meaningful remediation timelines Rather than arbitrary 30-60-90-day timelinesDynamic SLAs depending on Asset Priority and Kenn
94、a Risk ScoreDue Date Basis global setting to define how due dates are calculatedDetailed SLA Reporting(will be covered later)Distribution Get information to the right peopleBRKSEC-163940 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTicketing IntegrationsKenna is also ab
95、le to integrate with ticketing platforms to make it easy to get the highest risk vulnerabilities into the hands of those that will be remediating them Tickets can be created by Vulnerability,Fix or Top Fix GroupBi-directional Data flow between Kenna and Ticketing system Tickets are populated with as
96、set,vulnerability,and fix information from KennaTicket status values listed in the vulnerability filters are populated from the values configured in Ticketing systemTicket status is updated on the nightly basis and can be used as filter criteria from the right-hand search pane in the Explore viewSta
97、tus changes of Open/Closed/Deleted made to a ticket in ServiceNow as part of the remediation workflow are synced back to KennaHowever,any vulnerabilities associated with the ticket will not be marked as closed until data is retrieved from the scanning platform confirming the vulnerability is fixedDi
98、stribution Get information to the right peopleBRKSEC-163941 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveTicketing IntegrationsDistribution Get information to the right peopleBRKSEC-163943Create Tickets from:VulnerabilitiesFixesTop Fixes 2023 Cisco and/or its affiliates
99、.All rights reserved.Cisco Public#CiscoLiveTicketing IntegrationsDistribution Get information to the right peopleBRKSEC-163944Pop-up Modal WindowTicket Creation AcknowledgementLinks vulns to ticket 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveOrganization wide Reporting
100、 Kenna Home PageReporting Providing a holistic view to your riskBRKSEC-163945 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveRisk Meter ReportingVisualize your trending risk over time Displays general counts and Risk Meter score High/Low and trend Vulnerability Density me
101、asures the average number of vulnerabilities per asset in a Risk Meter group Select Date Range(30,60,90 Days,All-time)All items in the reports are updated during nightly jobs except for the following items which present live data:Mean time to Remediate New Vulnerabilities Found Total Closed Vulnerab
102、ilities Reporting Providing a holistic view to your riskBRKSEC-163946 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveUse Cases for Risk Meter ReportingMonitor Risk over timeLast 30 daysLast 60 daysLast 90 daysLast 120 daysGet Visibility into MTTRUnderstand how Vulnerabili
103、ties are introduced and remediatedReporting Providing a holistic view to your riskBRKSEC-163947 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveExample Conclusions from Risk Meter Reporting Reporting Providing a holistic view to your riskNumber of Vulns and Assets with Vul
104、ns does not change over time for most customers But Risk should go downIn this case it does not.Why?Customer is constantly closing vulnerabilitiesBut people do not fix the right vulnerabilities(SLA Reporting)We see a high number of past due dates for high Risk vulnerabilities!BRKSEC-163948Cisco Port
Cisco Portfolio Integrations

Zero-Day Intel, powered by Cisco Talos (Premier feature)
- Zero-day vulnerability intelligence powered by Talos will allow customers to see intelligence on a vulnerability quickly within Kenna.VM, as soon as possible (even if it is pre-CVE).
- The integration will also allow customers to take early action on vulnerabilities by adding Snort rules based on Talos information.
- Kenna has historically provided zero-day data through a partnership with Exodus, which is coming to an end.

Integrating Kenna into Cisco Secure Endpoint
Phase 1: Enriching CSE with Kenna vulnerability intelligence
- Kenna Risk Score and vulnerability information in Cisco Secure Endpoint
- Cisco Secure Endpoint detects the OS version and pulls the Risk Score and vulnerability details from Kenna
- A unique Kenna Risk Score is calculated for each device
- Kenna enrichments are available via the Computers page
- No additional cost

Kenna.VM Cisco Secure Endpoint Connector
Phase 2: Ingesting vulns into Kenna
- Provides the ability to connect Kenna to new or existing Cisco Secure Endpoint (Advantage & Premier) deployments
- First iteration of vulnerability inference in Kenna.VM, based on Orbital Advanced Search
- Kenna frequently pulls the OS and installed software from Secure Endpoint and infers potential vulnerabilities
- Available Summer 2023

Cisco Orchestration
- Cisco XDR Orchestration provides automated investigation, automated response, incident enrichment, and more
- Already provides built-in Kenna Atomics (functions) to be recycled in your own workflows

Cisco-provided Orchestration Examples
Add Tag to Assets / Remove Tag from Assets
- Searches Kenna for assets matching the observable provided and adds a tag to them or removes it
- Optionally, a casebook can be created for each asset
- https://ciscosecurity.github.io/sxo-05-security-workflows/workflows/kenna/0068-add-tag-to-assets
Fixes to ServiceNow Incidents
- Fetches all Kenna vulnerabilities for a given Risk Meter group
- Creates a ServiceNow ticket for each unique asset with vulns and fixes
- https://ciscosecurity.github.io/sxo-05-security-workflows/workflows/kenna/0053-fixes-to-servicenow
More workflows to come.

Kenna.VM and the Cisco Secure portfolio
Ingesting Vulnerabilities from Cisco Secure Workload
- Script by Jason Lunde () for exporting vulnerabilities from CSW to a comma-separated values file
- The CSV file is easy to ingest into Kenna via the CSV_to_KDI Toolkit task
- https:/
Kenna.VM and IoT Vulnerabilities from Cisco CyberVision
- Vulnerabilities reported by CyberVision can be exported to CSV
- Ingest the CSV files into Kenna via the CSV_to_KDI Toolkit task

Other Use Cases for Cisco's Kenna

What is Kenna.VI+?
- Kenna.VM provides visibility into the vulnerabilities that are present in your environment (everything that has been reported by one of the scanners)
- Kenna.VI+ provides access to the entire vulnerability intelligence repo in Kenna
- Search and browse a unified database of vulnerabilities enriched with exploit and threat metadata: Are there fixes already available? Has this vulnerability been used in a breach? Is an exploit for this vulnerability published? What is the likelihood of this being exploited?
- Query Kenna Security's vast exploit intelligence database via our RESTful API and export the data to use with other instruments
- Kenna.VI+ is included in the Kenna Premier license

Kenna.VI+ and ServiceNow VR
- ServiceNow is superior in ticketing, but Vulnerability Response prioritization is based on CVSS only
- The Kenna KNOW+ App enriches scan results with Kenna-correlated threat intel in ServiceNow VR to drive remediation decisions
- Kenna vulnerability intel includes: Kenna Risk Score, Predicted Exploitability, Active Net Breach Volume and Velocity, Exploitability, Malware Exploitable, CVE data (descriptions, fixes, products, etc.)

Conclusion

What You Get With Kenna.VM
- Risk-Based SLAs: Set intelligent SLAs based on your risk tolerance.
- Peer Benchmarking: Compare your risk posture with that of your industry peers.
- Centralized Management: Pull in data from existing tools, like scanners, CMDB, and more.
- Efficient Decisions: Identify the vulnerabilities that will truly reduce your cyber risk.
- Metrics-Based Reporting: Deliver clear, effective reports with quantifiable metrics.
- IT Self-Service: Enable IT teams to understand what to remediate, why, and how.

Available this week during Cisco Live 2023 Las Vegas? Join us for an interactive 60-minute research session. Participate in UX research after Cisco Live 2023 Las Vegas! Sign up today: cs.co/SecurePanel

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Thank you

Gamify your Cisco Live experience!
Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.