
Qualys Vulnerabilities, Statistics and… Malware ?

Wolfgang Kandek, CTO, Qualys, Inc. Qualys Basics: founded to automate Vulnerability Assessments; Software as a Service (SaaS) with Internet based shared scanners, Scanner Appliances for internal scanning, and a Webportal for data access.





Presentation Transcript


  1. Qualys Vulnerabilities, Statistics and… Malware ?
     Wolfgang Kandek, CTO, Qualys, Inc.
     http://nullcon.net/

  2. Qualys Basics
     • Founded to automate Vulnerability Assessments
     • Software as a Service (SaaS) with:
       • Internet based shared scanners
       • Scanner Appliances for internal scanning
       • Webportal for data access

  3. VIP 2-factor or Client certificate strong authentication options

  4. VIP 2-factor or Client certificate strong authentication options

  5. Qualys Basics
     • Founded to automate Vulnerability Assessments
     • Software as a Service (SaaS) with:
       • Internet based shared scanners
       • Scanner Appliances for internal scanning
       • Webportal for data access
     • 270 employees (140 in Engineering)
     • 5000+ customers

  6.

  7. IDC 2011 Report

  8. Frost & Sullivan 2010 Report
     Frost & Sullivan: Vulnerability Management Market Leadership Report - Nov 2010

  9. Laws of Vulnerabilities
     • 2004 - 3M IPs scanned, 2M vulnerabilities
     • Half-life – 30 days
     • Prevalence – 50 % renewal annually
     • Persistence – unlimited for some
     • Exploitation – 80 % available within 60 days
     • 2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity

  10. Laws of Vulnerabilities
     Half-Life = 29.5 days

  11. Laws of Vulnerabilities
     • 2004 - 3M IPs scanned, 2M vulnerabilities
     • Half-life – 30 days
     • Prevalence – 50 % renewal annually
     • Persistence – unlimited for some
     • Exploitation – 80 % available within 60 days
     • 2009 - 80M IPs scanned, 680M vulnerabilities, 72M+ vulnerabilities of critical severity
     • Difference by OS and Application

  12. Laws of Vulnerabilities

  13. Laws of Vulnerabilities
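The half-life and prevalence laws above are statistics anyone with a scan history can compute for their own estate. As an added example (not Qualys code, and not the method behind the 29.5-day figure on slide 10), the Python below fits an exponential decay to constructed per-scan counts of hosts still affected by one vulnerability, cross-checks the fitted half-life with a model-free interpolation, and computes the renewal share behind the prevalence law. All snapshot counts and vulnerability labels are constructed.

```python
"""Remediation half-life from scan snapshots (Laws of Vulnerabilities).

Added example, not Qualys code. The snapshots below are constructed; a real
run would feed the per-scan count of hosts still affected by one vulnerability.
"""
import math
from typing import Optional, Sequence, Set, Tuple

# Constructed: (days since first detection, hosts still vulnerable)
SNAPSHOTS: Sequence[Tuple[int, int]] = [
    (0, 1000), (10, 794), (20, 630), (30, 500), (45, 354), (60, 250),
]


def fit_half_life(snapshots: Sequence[Tuple[int, int]]) -> float:
    """Least-squares fit of N(t) = N0 * 2**(-t/h); returns h in days.

    log2(N/N0) = -t/h is a line through the origin in t, so h is estimated by
    regression through the origin over all snapshots after the first.
    """
    t0, n0 = snapshots[0]
    if n0 <= 0:
        raise ValueError("first snapshot must have at least one vulnerable host")
    sum_t2 = 0.0
    sum_t_log = 0.0
    for t, n in snapshots[1:]:
        if n <= 0:
            continue  # log2 undefined once nothing is left to remediate
        dt = t - t0
        sum_t2 += dt * dt
        sum_t_log += dt * math.log2(n / n0)
    if sum_t_log == 0:
        raise ValueError("no remediation observed; half-life is unbounded")
    return -sum_t2 / sum_t_log


def days_to_half(snapshots: Sequence[Tuple[int, int]]) -> Optional[float]:
    """Model-free cross-check: interpolate the day the count first halves.

    Returns None if the population has not halved inside the window, which is
    the 'persistence' case on the slide (some vulnerabilities never decay).
    """
    t0, n0 = snapshots[0]
    target = n0 / 2
    prev_t, prev_n = t0, n0
    for t, n in snapshots[1:]:
        if n <= target:
            frac = (prev_n - target) / (prev_n - n)  # prev_n > target >= n here
            return prev_t + frac * (t - prev_t) - t0
        prev_t, prev_n = t, n
    return None


def renewal_rate(last_year: Set[str], this_year: Set[str]) -> float:
    """Share of this year's top vulnerabilities absent from last year's list
    (the 'prevalence' law: roughly 50 % renewal annually)."""
    if not this_year:
        return 0.0
    return len(this_year - last_year) / len(this_year)


if __name__ == "__main__":
    print(f"fitted half-life: {fit_half_life(SNAPSHOTS):.1f} days")
    print(f"first halving observed at day {days_to_half(SNAPSHOTS):.1f}")
    # Constructed vulnerability labels, not real Qualys IDs
    print(renewal_rate({"v-A", "v-B", "v-C", "v-D"}, {"v-C", "v-D", "v-E", "v-F"}))
```

The fit uses every snapshot, so a single noisy scan barely moves the estimate; the interpolation gives the same 30 days here because the constructed data follow a clean decay, which is the check worth keeping when real data do not.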

  14. New Services
     • Policy Compliance
       • Configuration checks
       • Password length, installed SW, access rights
       • 20 technologies, 2000 controls
     • Web Application Scanning
       • Web Application Catalog
       • Batch oriented production scanning

  15. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
     SSL Labs – World-wide SSL usage statistics
     Dissect – Malware Exchange/Analysis Portal
     HoneyNet Research Portal

  16. Blind Elephant Web App Fingerprinter
     Fingerprint common web applications by analyzing source code
     Blogs, Forums, Wikis, etc

  17. Blind Elephant Web App Fingerprinter

  18. Blind Elephant Web App Fingerprinter

  19. Blind Elephant Web App Fingerprinter
     Fingerprint common web applications by analyzing source code
     Blogs, Forums, Wikis, etc
     Goals: accuracy, speed, low resource usage
     Results

  20. Blind Elephant Web App Fingerprinter
     1 Million “.com” domains

  21. Blind Elephant Web App Fingerprinter

  22. Blind Elephant Web App Fingerprinter

  23. Blind Elephant Web App Fingerprinter
     Fingerprint common web applications by analyzing source code
     Blogs, Forums, Wikis, etc
     Goals: accuracy, speed, low resource usage
     Results
     Available at: blindelephant.sourceforge.net
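The slides describe Blind Elephant only as "fingerprint by analyzing source code". As an added illustration of the static-file hash comparison that such fingerprinters rely on (this is not Blind Elephant's code; the application, its versions and file contents are constructed), the Python below precomputes hashes for known releases, requests the most discriminating files first so that few requests are needed, and scores versions so that a deleted or locally edited file does not rule a version out. It is written from the inventory side: a site owner can point it at their own deployment to confirm which release is actually live before checking it against advisories.

```python
"""Version fingerprinting of a web application from static-file hashes.

Added example of the approach the Blind Elephant slides describe (compare the
site's static files against known versions); it is not Blind Elephant's code.
The application, versions and file contents below are constructed.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed release contents for a fictional "exampleblog" application.
RELEASE_FILES: Dict[str, Dict[str, bytes]] = {
    "1.0": {"/readme.txt": b"ExampleBlog 1.0\n", "/js/app.js": b"var app = {v: '1.0'};\n",
            "/css/style.css": b"body{margin:0}\n"},
    "1.1": {"/readme.txt": b"ExampleBlog 1.1\n", "/js/app.js": b"var app = {v: '1.1'};\n",
            "/css/style.css": b"body{margin:0}\n"},
    "2.0": {"/readme.txt": b"ExampleBlog 2.0\n", "/js/app.js": b"var app = {v: '2.0'};\n",
            "/css/style.css": b"body{margin:0;padding:0}\n"},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_database(releases: Dict[str, Dict[str, bytes]]) -> Dict[str, Dict[str, str]]:
    """Precompute version -> {path: hash}; only hashes are kept, never content."""
    return {v: {p: sha256(c) for p, c in files.items()} for v, files in releases.items()}


def paths_by_discrimination(db: Dict[str, Dict[str, str]]) -> List[str]:
    """Order paths by how many distinct hashes they have across versions, so the
    most informative files are requested first (few requests, high yield)."""
    hashes_per_path: Dict[str, Set[str]] = {}
    for files in db.values():
        for path, h in files.items():
            hashes_per_path.setdefault(path, set()).add(h)
    return sorted(hashes_per_path, key=lambda p: (-len(hashes_per_path[p]), p))


def fingerprint(db: Dict[str, Dict[str, str]],
                fetch: Callable[[str], Optional[bytes]],
                max_requests: int = 3) -> Tuple[Set[str], int]:
    """Return (best-matching versions, score).

    Each fetched file adds one point to every version whose recorded hash
    matches. Missing files (fetch returns None) are skipped rather than
    penalised, since sites routinely delete readmes; a locally edited file
    simply fails to score, so one edit cannot rule a version out. An empty
    set means no known version matched anything.
    """
    scores = {v: 0 for v in db}
    for path in paths_by_discrimination(db)[:max_requests]:
        data = fetch(path)
        if data is None:
            continue
        h = sha256(data)
        for version, files in db.items():
            if files.get(path) == h:
                scores[version] += 1
    best = max(scores.values(), default=0)
    if best == 0:
        return set(), 0
    return {v for v, s in scores.items() if s == best}, best


def make_fetcher(site_files: Dict[str, bytes]) -> Callable[[str], Optional[bytes]]:
    """Stand-in for an HTTP GET against a site: bytes, or None for a 404."""
    return lambda path: site_files.get(path)


DB = build_database(RELEASE_FILES)

if __name__ == "__main__":
    clean_site = dict(RELEASE_FILES["1.1"])
    print(fingerprint(DB, make_fetcher(clean_site)))
    # Readme deleted by the site owner: still identified from the other files.
    trimmed = {p: c for p, c in clean_site.items() if p != "/readme.txt"}
    print(fingerprint(DB, make_fetcher(trimmed)))
    print(fingerprint(DB, make_fetcher({"/index.html": b"<html/>"})))  # unknown app
```

When only a file shared between releases is available (here the 1.x stylesheet), the result is deliberately ambiguous, {"1.0", "1.1"}, rather than a guess; a real database has far more files per release, which is what makes the accuracy goal on slide 19 reachable with a handful of requests.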

  24. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection System

  25. Neptune Malware Detection System
     • Visit/crawl web site with:
       • Virtualized Machine
       • Vulnerable, but instrumented OS
       • Vulnerable, but instrumented Browser
     • Configuration
       • VMware
       • Internet Explorer 6 on Windows XP
       • Detours + Custom Hooks
     • Log everything
     • Detect malicious intent early, avoid infection
     http://null.co.in/

  26. Neptune Malware Detection System
     • Static Detection
       • Analyze inputs for known exploit patterns, signature based
       • Pro: efficient and fast, signatures easily updated and shared
       • Con: false positives, defeated by obfuscation, known threats only
     • Behavioral Detection
       • Monitor the browser process, check for anomalous activity
       • Pro: low false positives, immune to obfuscation, detects new threats
       • Con: the exploit must actually succeed in the instrumented browser to be observed, so false negatives; expensive
     • Reputation and AV checks (pluggable: Google, Trend)
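The trade-offs on slide 26 are easiest to see side by side. As an added example (not Neptune's code; the page bodies, hook logs and signatures are all constructed), the Python below runs a small signature set over three page bodies and a rule set over the kind of browser API calls that Detours-style hooks would log. The obfuscated page slips past the signatures while its behavior is identical, so only the behavioral layer flags it; conversely, the behavioral layer reports nothing unless the exploit actually executed, which is the false-negative cost the slide names.

```python
"""Static vs behavioral detection of a drive-by page, side by side.

Added example illustrating the two detection layers on the Neptune slides; it
is not Neptune's code. Page contents, API-hook event logs and signatures are
all constructed for the example.
"""
import re
from typing import Dict, List, Sequence

# --- Static layer: signatures over the fetched content -----------------------
# Constructed signatures for two patterns common in drive-by pages.
STATIC_SIGNATURES = {
    "hidden-iframe": re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I),
    "eval-unescape": re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I),
}


def static_scan(content: str) -> List[str]:
    """Names of all signatures matching the page: fast, but matches literals only."""
    return [name for name, rx in STATIC_SIGNATURES.items() if rx.search(content)]


# --- Behavioral layer: rules over the instrumented browser's API log ---------
EXECUTABLE_EXT = (".exe", ".dll", ".scr")
AUTORUN_KEY = r"\software\microsoft\windows\currentversion\run"


def behavioral_scan(events: Sequence[Dict[str, str]], browser: str = "iexplore.exe") -> List[str]:
    """Flag anomalous activity of the browser process in its hooked API calls.

    Each event has keys proc and api, plus path/access or key. Two rules:
    (1) the browser writes an executable and later launches it;
    (2) the browser writes an autorun registry value.
    Nothing fires unless the exploit actually ran: that is the false-negative
    side of behavioral detection noted on the slide.
    """
    findings: List[str] = []
    dropped = set()
    for ev in events:
        if ev.get("proc", "").lower() != browser:
            continue
        api = ev.get("api")
        path = ev.get("path", "").lower()
        if api == "CreateFileW" and ev.get("access") == "write" and path.endswith(EXECUTABLE_EXT):
            dropped.add(path)
        elif api == "CreateProcessW" and path in dropped:
            findings.append(f"browser launched an executable it dropped: {path}")
        elif api == "RegSetValueExW" and AUTORUN_KEY in ev.get("key", "").lower():
            findings.append(f"browser wrote autorun key: {ev['key']}")
    return findings


def classify(content: str, events: Sequence[Dict[str, str]]) -> Dict[str, object]:
    """Combine both layers; a hit in either marks the visit malicious."""
    static, behavioral = static_scan(content), behavioral_scan(events)
    verdict = "malicious" if (static or behavioral) else "clean"
    return {"static": static, "behavioral": behavioral, "verdict": verdict}


# --- Constructed samples -----------------------------------------------------
PLAIN_PAGE = ('<html><iframe src="http://bad.example.invalid/x" width=0 height=0>'
              '</iframe><script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script></html>')
# Same behaviour with the literals split, so neither signature matches.
OBFUSCATED_PAGE = ('<html><script>document.write("<ifr" + "ame src=\'http://bad.example.invalid/x\' '
                   'width=0 height=0></ifr" + "ame>");'
                   'window["ev" + "al"](unescape("%61%6c%65%72%74%28%31%29"));</script></html>')
BENIGN_PAGE = '<html><body><h1>Quarterly report</h1><script src="/js/menu.js"></script></body></html>'

DROPPER_EVENTS = [  # constructed hook log of a drive-by download
    {"proc": "iexplore.exe", "api": "CreateFileW", "access": "write",
     "path": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"proc": "iexplore.exe", "api": "CreateProcessW",
     "path": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"proc": "iexplore.exe", "api": "RegSetValueExW",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update"},
]
BENIGN_EVENTS = [  # ordinary cache write and registry read
    {"proc": "iexplore.exe", "api": "CreateFileW", "access": "write",
     "path": r"C:\Users\u\AppData\Local\Temp\cache\menu.js"},
    {"proc": "iexplore.exe", "api": "RegQueryValueExW",
     "key": r"HKCU\Software\Microsoft\Internet Explorer\Main"},
]

if __name__ == "__main__":
    for name, page, events in [("plain", PLAIN_PAGE, DROPPER_EVENTS),
                               ("obfuscated", OBFUSCATED_PAGE, DROPPER_EVENTS),
                               ("benign", BENIGN_PAGE, BENIGN_EVENTS)]:
        print(name, classify(page, events))
```

The behavioral rules key on what the browser process does, not on what the page says, which is why they survive the string splitting; their blind spot is a page whose exploit fails against the instrumented browser (wrong version, missing plug-in), where the log stays clean and the static layer is the only one left.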

  27. Neptune Malware Detection System
     • UI version
       • Focus on end-user, website owner
       • Daily scheduled scans, alerts

  28. Neptune Malware Detection System
     • UI version
       • Focus on end-user, website owner
       • Daily scheduled scans, alerts

  29. Neptune Malware Detection System
     • UI version
       • Focus on end-user, website owner
       • Daily scheduled scans, alerts
     • API version
       • Focus on bulk user, integration, research
       • Single URLs, Maps, or site with crawling

  30. Neptune Malware Detection System
     • UI version
       • Focus on end-user, website owner
       • Daily scheduled scans, alerts
     • API version
       • Focus on bulk user, integration, research
       • Single URLs, Maps, or site with crawling
     • Available: qualys.com/stopmalware
     • Contact: pthomas@qualys.com for API access

  31. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA

  32. BrowserCheck
     • https://browsercheck.qualys.com
     • Security check for Browsers and Plug-ins
     • End user focus, free and easy to use

  33. BrowserCheck

  34. BrowserCheck
     • https://browsercheck.qualys.com
     • Security check for Browsers and Plug-ins
     • End user focus, free and easy to use
     • 200,000 visits – Jul 2010 / Jan 2011
     • IE, Firefox, Safari, Chrome, Opera
     • Windows, Mac OS X and Linux

  35. BrowserCheck

  36. BrowserCheck Stats

  37. BrowserCheck Stats

  38. BrowserCheck Stats

  39. BrowserCheck Stats

  40. BrowserCheck Stats

  41. BrowserCheck Stats
     • Operating System:
       • Windows XP – 47 %
       • Windows 7 – 32 %
     • Browser:
       • IE 8 – 36 %
       • Firefox 3.6 – 34 %
     • Plug-in: ?
     • Country:

  42. BrowserCheck Stats

  43. BrowserCheck Stats

  44. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall

  45. Ironbee – Web App Firewall
     • Open source effort led by Ivan Ristic
       • Author of mod_security
     • WAF technology renewed
     • Focus on accuracy and usability
     • WAS and MDS (Neptune) integration
     • Available at: www.ironbee.com
     • SSL Labs – SSL usage statistics
       • V2 is coming
       • http://ssllabs.com

  46. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
     SSL Labs – World-wide SSL usage statistics
     Dissect – Malware Exchange/Analysis Portal

  47. Dissect – Malware portal
     • Led by Rodrigo Branco - www.kernelhacking.com
     • Team in Brazil, Malware and Vulnerability Research
     • Malware exchange system up and running
     • Malware analysis in alpha
       • Static analysis
       • Runtime analysis on virtual and real machines
     • Integration with Neptune MDS coming
     • Community oriented effort
     • Contact: rbranco@qualys.com

  48. New Research Activities
     Blind Elephant – Web Application Fingerprinter
     Neptune – Malware Detection Scanner
     Browsercheck – Light-weight, end-user VA
     IronBee – Web Application Firewall
     SSL Labs – World-wide SSL usage statistics
     Dissect – Malware Exchange/Analysis Portal
     HoneyNet Research Portal

  49. Honeynet
     • Nemean Networks acquisition
     • University of Wisconsin research team
     • Paul Barford - http://pages.cs.wisc.edu/~pb/publications.html
     • Honeynet/Signature/IDS system
     • Global Honeynet Effort
     • Centralized Signature generation – open-source
     • Snort/Suricata plug-ins – open-source

  50. Contacts
     Wolfgang Kandek – wkandek@qualys.com
     Amit Deshmukh – adeshmukh@qualys.com
