Wednesday, February 1, 2017

edgescan & GDPR: Improving compliance and reducing the cost of cybersecurity

Navigating GDPR from a cyber-security perspective.

Update - September 2017
Some people still don't know where to start with GDPR. Here are some simple key points to kick you off:
  • Identify the personal data you collect and where it is stored. Is it stored appropriately, and how are you protecting it from a cyber standpoint? Are your applications secure, regularly tested and designed with security in mind? Can you prove this?
  • Review your internal policies, including your security breach response policy: incident response, DR and BCP. What happens if something goes badly wrong? What happens in the event of a breach? Do you have mitigation controls and notification procedures in place?
  • Review the type of data processing carried out, identify the legal basis for the processing and document it. Do you need all the client data you possess, and do you have a legal basis for storing it?
  • Review how you handle all applicable clients' rights, including the deletion of personal data and the right to be forgotten (RTBF).
  • Review if and how you seek, obtain and record client consent, and whether any changes are needed. Do clients know you are storing their data and what you are using it for? Have they consented to what you are doing? Can you prove this?
  • Review your external privacy policies and EULAs and refresh them with the changes necessary for transparency and relevancy.
  • Review and update your processor/sub-processor and third-party agreements: third-party risk for upstream and downstream processors of your clients' data. You can outsource the service but not the risk. Do you know whether your B2B partners are secure, store your clients' data properly and don't use it for any purpose other than what is agreed? Do they have a policy to reflect this, and how is it policed? How often do they get technical security assessments of the systems used to process your clients' data? How do they demonstrate this?
  • Review the lawful basis for the transfer of personal data outside the EU. If you transfer data outside the EU, are you permitted to do so by the data owner (client)?

Cyber-security, GDPR, Articles and Controls:

The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and is enforceable as of May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonisation across EU nations.

The GDPR does suggest actions to take in order to be compliant, such as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
From a cybersecurity standpoint this covers aspects such as technical assessment, patching and maintenance, vulnerability management, threat detection/prevention, asset and service profiling and visibility, and overall better governance of an organisation's digital estate and technical controls.

        EU GDPR – Article 32, Security of Processing
        Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

In effect, GDPR mandates appropriate technical security controls, amongst other equally important controls (citizen access to and control of their data), to ensure a level of security based on the data held and the risk/impact of its disclosure.

“To ensure a level of security appropriate to the risk” is an important aspect which should be considered. Given that a firm may be custodian of a user's financial or Personally Identifiable Information (PII), there is a duty of care to protect the data and ensure proper authorisation and security controls surround it.

From a technical standpoint, security assessments and vulnerability management are some of the tools used to help maintain that level of assurance.

edgescan provides continuous assessment of technical systems in order to help discover vulnerabilities which may lead to a breach. The “win” in using edgescan is an auditable history of all assessments and of each individual vulnerability, which shows the vulnerability lifecycle and makes compliance and continuous improvement easy to demonstrate.

The idea of an annual or bi-annual assessment is becoming unsustainable given the rate of change of systems, particularly cloud-based deployments.

The ability to continually assess security posture on an ongoing basis, exploiting a combination of automation and human intelligence, is gaining traction globally, resulting in cost reduction and increased rigour depending on the vendor used.

There is a trend in the industry to move towards Managed Security Services Providers (MSSP) and leveraging experts who deliver services such as vulnerability management on a fulltime basis. An MSSP should address requirements where you don’t have in-house expertise.

EU GDPR - Recitals of Interest
        Recital (78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.

Appropriate technical measures are easily confirmed and identified using edgescan, as a complete security history can be reviewed for any period of time on an ongoing basis.

In a reasonably fast-moving technical environment which undergoes frequent change (e.g. a cloud environment, or agile system development methodologies), an annual or bi-annual security assessment of the systems in scope may seem a reasonable approach. The risk is the rate of change of the environment and the resulting window of exposure due to the infrequency of technical security assessment.

Continuous assessment as per the edgescan service helps you maintain constant vigilance in order to assist with GDPR compliance.

        In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.....

Demonstrating compliance in relation to cyber security is easily delivered, as the edgescan portal provides a complete history of all vulnerabilities (web and infrastructure) discovered and closed over the entire licensing period.

Many of our clients in highly regulated industries use edgescan to demonstrate to external auditors the constant-assessment approach they have adopted to cyber security.

Data protection by default can be assessed in both pre-production environments and deployed production systems. Using edgescan to detect and mitigate vulnerabilities (via WAF integration) is core to being able to demonstrate compliance.

        Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.

“You can’t improve what you can’t measure”; edgescan gives our clients the ability to continuously improve by tracking security posture at any point in time. The metrics supplied by edgescan let our clients easily focus on the most common vulnerability and its root cause, and identify quick wins in a clear and easy fashion.

        When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

In pre-production environments edgescan gives our clients the ability to assess the security of a solution quickly and on-demand. This assists with detection of cyber security issues before a system is deployed to production, resulting in a “secure by default” posture.

        Recital (49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

        This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Detecting weaknesses in security posture in an ever-changing environment is core to what edgescan provides. Our fullstack approach to security gives our users visibility of both web application and supporting host/cloud security.
As new deployments and features are delivered, edgescan automatically assesses the security posture of the deployment and associated subsystems.

This approach, including validation of all discovered vulnerabilities by our experts, in effect removes the need for expensive consulting firms and also improves security resilience on an ongoing basis.

        Recital (81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

edgescan’s continuous and on-demand fullstack approach provides sufficient guarantees that your systems are constantly being assessed for security weaknesses. Provision of historical assessment frequency, vulnerability data and proof of continuous improvement and vigilance is what is required to demonstrate GDPR compliance. You can easily demonstrate compliance with

       Recital (83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.
        Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
        In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

edgescan detects weaknesses in cyber security posture so you can quickly address issues as they are found. Via our API, alerting or integrations you can quickly understand risks by priority, evaluate potential impacts and prevent the destructive consequences of being hacked, along with the fines for GDPR non-compliance.

Want to know more:

Client reviews: Gartner Peer Insights
GDPR Document: EU GDPR

Monday, September 19, 2016

Monday, August 22, 2016

Dynamic Auto Assessment - Simple but effective

edgescan provides our clients with #fullstack security assessments, but what does #fullstack mean?

#fullstack covers many layers of the OSI model.

From the top down:

Deep Coverage

Web Applications:

  1. Technical vulnerabilities (injection attacks, cross-site scripting, error-based attacks)
  2. Logical vulnerabilities
  3. Component Security (end-of-life components/plugins, insecure config)

Host Security:

  1. Patching
  2. Enabled services (Type, version, known vulnerabilities etc)
  3. Operating System Known vulnerabilities
  4. Weak protocols
  5. Weak configuration
So unlike many application-only or host-only assessment services, edgescan discovers more possible weaknesses, whether they arise from poor maintenance, configuration mistakes, deployment security, patching or developer code....#fullstack

Wide Coverage

The holistic approach also covers IP ranges such as a /24 or /16 CIDR block.

Automatic Assessment:
edgescan shall assess anything that is "live" at a given point in time across the entire block. We find this helps with the use case of rogue deployments, insecure services being deployed, APT, data exfiltration servers etc.

In the age of the cloud, organisations' servers are constantly being spun up and torn down depending on demand. Our approach to range-based assessments covers this scenario, as our clients know everything live within their range shall be detected and assessed.

Automatic vulnerability assessment coupled with continuous asset profiling provides our clients with a very adaptable solution when their systems are constantly in a state of flux.

No need for messy licensing or paperwork for every assessment: our licensing is range based and we don't mind how many servers are live at any point in time; they shall all be assessed and the results manually validated in our SOC.

edgescan also has alerting capability such as SMS, email and soon #slack alerting, which shall be 2-way (think of it as a vulnerability management #slackbot).
You can ask edgescan to alert you if certain conditions arise, such as:
  1. New asset discovered
  2. New vulnerability discovered
  3. Change in hosting environment
  4. Assessment cycle is completed
  5. etc.
Risk Mitigation
Via our API you can now generate web-layer mitigation rules for Web Application Firewalls (WAF) on demand (Citrix NetScaler and ModSecurity). This gives you the flexibility to virtually patch discovered issues very quickly using your underused WAF :)

Tuesday, August 2, 2016

Continuous Asset Profiling - What is your attack surface?

At edgescan we have a solution called HIDE (Host Index Discovery and Enumeration), which is in effect a continuous asset profiling function. It does the following:

HIDE queries entire IP ranges for our clients. This "blanket" covering of ranges gives our clients the ability to see what's "alive" and what's enabled in seconds.
If an endpoint is decommissioned or newly deployed, HIDE detects the change and can alert users.

  • Detection of the state of all endpoints exposed to the public Internet
  • Identification of the endpoint, attempting to resolve any DNS name associated with it
  • Enumeration of the services and open ports enabled on the endpoint
  • Automated alerts based on user-defined criteria (e.g. new host discovered, host dies etc.)
  • Detection is via cloud APIs and/or port enumeration (TCP/UDP)
Via the HIDE console you can query, say, across 10,000 endpoints which systems are running Linux and have port 25 open.
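The detection loop behind both the alerting conditions listed in the Dynamic Auto Assessment post (new asset discovered, change in hosting environment) and HIDE's new-host/host-dies alerts can be sketched as a diff between two scans of a range. The following is an added example, not edgescan's HIDE code: the Endpoint and Alert records, the 203.0.113.0/24 scope, and the hostnames, ports and OS guesses are constructed sample data, and the choice to drop (rather than alert on) results outside the monitored range is an assumption of the example.

```python
"""Continuous asset profiling: diff two scans of an IP range and raise
alerts on change.  Added example, not edgescan's HIDE code.  Assumptions:
a scan is a list of Endpoint records; the 203.0.113.0/24 scope and all
hostnames/ports below are constructed sample data; results outside the
monitored range are dropped rather than alerted on."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    hostname: Optional[str]      # reverse-DNS result, None if unresolved
    ports: frozenset             # open TCP/UDP ports observed
    os_guess: str = "unknown"    # banner/fingerprint guess


@dataclass(frozen=True)
class Alert:
    kind: str    # NEW_HOST, HOST_DOWN, NEW_PORT, PORT_CLOSED, DNS_CHANGED
    ip: str
    detail: str


def diff_snapshots(scope: str, previous: Iterable[Endpoint],
                   current: Iterable[Endpoint]) -> list[Alert]:
    """Compare the previous and current scan of `scope` (CIDR) and return
    alerts in a stable order: new hosts, dead hosts, then per-host changes."""
    net = ip_network(scope)
    prev = {e.ip: e for e in previous if ip_address(e.ip) in net}
    curr = {e.ip: e for e in current if ip_address(e.ip) in net}
    alerts: list[Alert] = []
    for ip in sorted(curr.keys() - prev.keys(), key=ip_address):
        e = curr[ip]
        alerts.append(Alert("NEW_HOST", ip, f"ports={sorted(e.ports)} host={e.hostname}"))
    for ip in sorted(prev.keys() - curr.keys(), key=ip_address):
        alerts.append(Alert("HOST_DOWN", ip, f"was {prev[ip].hostname}"))
    for ip in sorted(curr.keys() & prev.keys(), key=ip_address):
        old, new = prev[ip], curr[ip]
        for port in sorted(new.ports - old.ports):
            alerts.append(Alert("NEW_PORT", ip, str(port)))
        for port in sorted(old.ports - new.ports):
            alerts.append(Alert("PORT_CLOSED", ip, str(port)))
        if old.hostname != new.hostname:
            alerts.append(Alert("DNS_CHANGED", ip, f"{old.hostname} -> {new.hostname}"))
    return alerts


def find(endpoints: Iterable[Endpoint], port: Optional[int] = None,
         os_prefix: Optional[str] = None) -> list[str]:
    """The console-style query: which IPs have `port` open and/or an OS guess
    starting with `os_prefix`?"""
    hits = [e for e in endpoints
            if (port is None or port in e.ports)
            and (os_prefix is None or e.os_guess.startswith(os_prefix))]
    return sorted((e.ip for e in hits), key=ip_address)


SCOPE = "203.0.113.0/24"   # constructed: documentation range, not a real client
PREVIOUS = [
    Endpoint("203.0.113.10", "www.example.com", frozenset({80, 443}), "Linux"),
    Endpoint("203.0.113.20", "mail.example.com", frozenset({25, 587}), "Linux"),
    Endpoint("203.0.113.30", None, frozenset({22}), "Linux"),
]
LATEST = [
    Endpoint("203.0.113.10", "www.example.com", frozenset({80, 443, 8080}), "Linux"),
    Endpoint("203.0.113.30", "jump.example.com", frozenset({22}), "Linux"),
    Endpoint("203.0.113.40", None, frozenset({3389}), "Windows"),   # rogue RDP box
    Endpoint("198.51.100.5", None, frozenset({80}), "Linux"),       # out of scope, ignored
]


def example_alerts() -> list[Alert]:
    return diff_snapshots(SCOPE, PREVIOUS, LATEST)


if __name__ == "__main__":
    for a in example_alerts():
        print(f"{a.kind:<12} {a.ip:<15} {a.detail}")
    print("port 25 open:", find(PREVIOUS, port=25))
```

Running the script prints one line per alert, and find(PREVIOUS, port=25) answers the "which hosts have port 25 open" question from the console. Keying the diff on IP is deliberate: in a cloud range a re-allocated address (same IP, different host) shows up as DNS_CHANGED plus port changes rather than disappearing silently, which is exactly the case the post describes.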

Why is HIDE "a hit" with our clients...?

Larger and growing organisations sometimes don't know what they have deployed to the public Internet.

Organisations which have migrated to the cloud may spin up and tear down instances on a frequent basis, which can result in reallocation of IPs on a dynamic basis.

Tracking a dynamic attack surface in the case of cloud is challenging using traditional techniques and results in poor coverage and reaction time.

Even using immutable secure baseline instances in the cloud requires constant validation; this is where HIDE comes in.

The ability to provide continuous vigilance and alerting in a constantly changing environment is very attractive to most CISOs.

Dynamic automated vulnerability management

As we can track the dynamic attack surface, we can also deliver on-point vulnerability management: once we discover a new instance we can immediately verify whether it poses any security risk to the business. This, coupled with alerting and awareness, gives our clients much greater visibility of their security posture as their attack surface grows and shrinks over time.

Pop over to for more information.

Wednesday, July 20, 2016

edgescan - Virtual Patching and WAF integration - Reducing "time-to-fix"

What is a Virtual Patch?

The idea of virtual patching is to apply a rule on a perimeter endpoint which mitigates/reduces the risk of a vulnerability being exploited. This can be performed without changing any application source code and is in effect applying a rule to an IDS/IPS or WAF such that it is aware of, and can defend against, a particular attack vector, protecting a system from exploitation or breach. A virtual patch is a mitigation, not a fix: the vulnerable code is still there and remains reachable by any path that bypasses the WAF, so the real code or vendor patch should still follow.

When you consider the numerous use cases in which organisations can't simply edit and fix the source code, the benefits of virtual patching become apparent.
  • It is a scalable solution as it is implemented in a single location (the firewall) vs. installing patches on all hosts.
  • It reduces/mitigates the risk of breach or exploitation until a vendor-supplied patch is released, or while a patch is being tested and applied.
  • The source code is not altered, which reduces the likelihood of code conflicts or introducing errors.
  • It provides timely protection for mission-critical systems that cannot be taken offline but have an exposed vulnerability.
  • Legacy/3rd-party apps: the code may not be available, but we need to fix the vulnerability.
"Defenders are always on the back-foot as time to fix is longer than time-to-exploit. This slow reaction time creates a permanent offensive advantage to the attacker."

edgescan provides continuous vulnerability management coupled with expert validation and support via its cloud-based SaaS. It manages over 20,000 systems globally every month and provides full-stack vulnerability management to our clients.

A new feature in edgescan gives our users the ability to generate rules for a chosen firewall vendor/version which are customised to the vulnerabilities unique to the application in question.

  • Auto-generation of firewall rules gives you the ability to patch a critical issue very quickly using your Web Application Firewall.
  • No need to change the application's source code (and maybe that's not possible).
  • Multiple web application vulnerabilities can be mitigated at the same time.
  • No need to be a firewall expert.
  • The edgescan API gives access to automating rule generation and easy deployment to pre-production/production environments.
Generating virtual patch rules for an entire application is as simple as hitting the "WAF Rules" button.

Rules generated for Citrix NetScaler
WAF Rules generation for a single selected vulnerability
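Both the API-generated WAF rules mentioned under "Risk Mitigation" in the Dynamic Auto Assessment post and the "WAF Rules" feature described here produce a rule for a specific vulnerability in a specific parameter. The following added example, which is not edgescan's generator and does not reproduce its output format, shows what such a rule looks like for ModSecurity (one of the two WAFs the posts name) and how to test it locally before deployment. The Finding records, the 9xxxxx rule-id range and the deny patterns are assumptions of the example.

```python
"""Generate ModSecurity virtual-patch rules from validated findings and
test each rule against sample values before it goes near production.

Added example, not edgescan's rule generator.  Assumptions: finding ids
are small integers; local rule ids live in the 9xxxxx range; the WAF
speaks ModSecurity v2 directive syntax; the findings below are made up."""
from __future__ import annotations

import re
import urllib.parse
from dataclasses import dataclass
from typing import Optional

# Stop-gap deny patterns per vulnerability class, applied after
# urlDecodeUni + lowercase.  Blocklists are bypassable; use an allowlist
# (Finding.expected) whenever the parameter's legitimate shape is known.
BLOCKLIST = {
    "sqli": r"(union\s+(all\s+)?select|'\s*(or|and)\s+|--|/\*|;\s*(drop|shutdown))",
    "xss": r"(<\s*/?\s*(script|img|svg|iframe|body|object)|javascript:|on\w+\s*=)",
    "path_traversal": r"(\.\./|%2e%2e|/etc/passwd|boot\.ini)",
}


@dataclass(frozen=True)
class Finding:
    vuln_id: int
    kind: str                        # key into BLOCKLIST
    path: str                        # request path, e.g. "/account/view"
    param: str                       # vulnerable parameter name
    expected: Optional[str] = None   # regex of the legitimate value, if known


def _check(f: Finding) -> None:
    """Refuse input that would break the directive or silently widen its scope."""
    if f.kind not in BLOCKLIST:
        raise ValueError(f"unknown vulnerability class {f.kind!r}")
    if not re.fullmatch(r"/[A-Za-z0-9_./-]*", f.path):
        raise ValueError(f"unsupported path {f.path!r}")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", f.param):
        raise ValueError(f"unsupported parameter name {f.param!r}")
    if f.expected is not None:
        re.compile(f.expected)   # fail here, not when the WAF loads the rule


def modsec_rule(f: Finding, base_id: int = 900000) -> str:
    """Emit a chained SecRule: match the request path, then inspect only the
    vulnerable argument.  Phase 2 so POST bodies are covered too."""
    _check(f)
    rule_id = base_id + f.vuln_id
    msg = f"virtual patch {f.vuln_id}: {f.kind} via {f.param} at {f.path}"
    if f.expected is not None:
        # positive security: deny anything that is NOT the expected shape
        test, tfn = f"!@rx {f.expected}", "t:none"
    else:
        test, tfn = f"@rx {BLOCKLIST[f.kind]}", "t:none,t:urlDecodeUni,t:lowercase"
    return "\n".join([
        f'SecRule REQUEST_FILENAME "@streq {f.path}" \\',
        f"    \"id:{rule_id},phase:2,t:none,log,deny,status:403,msg:'{msg}',chain\"",
        f'    SecRule ARGS:{f.param} "{test}" "{tfn}"',
    ])


def would_block(f: Finding, raw_value: str) -> bool:
    """Evaluate the rule's ARGS check locally on a raw (still URL-encoded)
    query-string value, mirroring the engine: ModSecurity decodes ARGS once
    when parsing, and t:urlDecodeUni decodes once more.  Run legitimate
    traffic samples through this before deploying; false positives are the
    usual cost of a virtual patch."""
    _check(f)
    once = urllib.parse.unquote(raw_value)
    if f.expected is not None:
        return re.search(f.expected, once) is None
    twice = urllib.parse.unquote(once).lower()
    return re.search(BLOCKLIST[f.kind], twice) is not None


# Constructed findings (no real application behind them)
SQLI = Finding(42, "sqli", "/account/view", "id", expected=r"^[0-9]{1,10}$")
XSS = Finding(57, "xss", "/search", "q")   # free text, no sane allowlist: blocklist stop-gap


if __name__ == "__main__":
    print(modsec_rule(SQLI))
    print(modsec_rule(XSS))
    for value in ("1234", "1%27%20OR%201%3D1--"):
        print(f"{value!r:<28} blocked={would_block(SQLI, value)}")
```

The positive-security form (an expected regex for the parameter) is the one to prefer: it rejects every malformed value rather than a list of known payloads. The blocklist form is a stop-gap for free-text parameters and is bypassable; it buys time until the code fix ships. Either way the vulnerable code is still present, which is why would_block exists: run legitimate sample values through it so the rule does not break real traffic when it reaches production.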

Tuesday, April 12, 2016

Web Application security for CISO's - 6 things to consider

At edgescan we assess thousands of systems globally across both the web site and application layers.

We assess both pre-production and production environments, deployed to data centres and the cloud alike.

From experience, the job of a CISO involves much more than cybersecurity, but the CISO is required to set strategic direction for many aspects of security and be an oracle of knowledge....

Many of my CISO friends and colleagues understand the need for security across the entire system development and maintenance lifecycle, and have a large list of areas to cover off and secure, not to mention maintaining compliance...

  • Measuring the security maturity Level, and building an integrated approach to maintain posture
  • Balancing cost/budget and risk prioritization
  • Consolidation of metrics and trends to make informed decisions
  • Maintaining clear channels of communication with the business
  • Helping to keep security promises made to users by the business.

The following is a list of items a CISO should consider in the cybersecurity space which support some of the above responsibilities....

Establish development security touchpoints and toll gates
Formalise touchpoints in the system development and maintenance lifecycle. This can include:

  • Integrating simple sanity checks (logical and behavioural checks) as part of functional testing.
  • Investment in QA staff to conduct anti-pattern testing and negative/abuse-case testing.
  • Leveraging automation or managed service provision for in-line technical security validation. If you don't have the skills, leverage an MSSP (Managed Security Service Provider) to conduct frequent testing and validation.

Simple fixes can result in huge dividends
The edgescan 2014 and 2015 vulnerability stats reports both highlighted a number of stand-out issues which are not especially complex, and which we have been seeing for many years....

  • Patching and maintaining systems, or using secure baseline builds in the cloud. 63% of vulnerabilities discovered in 2015, and a similar percentage in 2014, related to maintenance, configuration and component security/patching.
  • A robust OS/host/framework/component maintenance process will result in a large reduction in security vulnerabilities for any company.

Metrics: not all the metrics, but the right ones

  • Measure the most common vulnerabilities and their root causes (developer bugs/maintenance/insecure component/poor configuration). Such information can be attributed to teams and departments (development, DevOps, admin, deployment).
  • Metrics on the technology platforms with the most issues, and the types of issue, can also shed light on where there are awareness weaknesses, technical debt or poor technology choices (unsupported systems etc.).
  • Consolidated views via GRC/SIEM/bug-tracking integration are important; the last thing you need is another dashboard!

Security solutions are investments, choose wisely

  • Given the trend towards DevOps and continuous integration/deployment we need to "push left" (shift left) and catch issues earlier, be they non-compliance, security vulnerabilities or both. Your solution should support integration with development and an assessment model which maps to your development methodology in terms of frequency of change and deployment model. Root cause and prevention is always better than detection and patch.
  • Push vulnerability data directly to development once discovered issues have been validated. Security vulnerabilities are bugs: treat them as such, track them and fix 'em.
  • Scalability and accuracy are important in order to handle the level of assessment required, which is a function of change and deployment frequency.
  • Fullstack solutions - hackers don't give a sh1t. Let's converge as per the DevOps model and treat security vulnerabilities as "risk items". Let's not treat application security and host/network security as separate things. They are all simply paths to being compromised.

Vulnerabilities are bridges which join assets to attackers

  • Don't fix all vulnerabilities, fix the right ones. Not all vulnerabilities are equal: understand the business context of a vulnerability. Risk is a human concept and can (currently) only be understood by people.
  • Vulnerabilities come and go. It's not always the developers' fault; they can arise even in a static system with little change, due to newly discovered issues in your supporting OS/framework/third-party components.

3rd Party Development and Commercial Off-the Shelf Solutions

  • Do your system suppliers code securely and have a secure SDLC? Ask them to prove it.
  • T&Cs should cover quality, security and attribution of the secure development methodology being used.
  • Require evidence of assessment, SAST, DAST, training, monitoring and ongoing improvement in relation to product development.

Friday, March 18, 2016

AppSec Training

Building Secure Apps...

We did a bunch of Application Security development training over the past 6 months.
You can find it here

On the 6th of April we have a Secure Ruby development class running in conjunction with the IISF, which is all but sold out.

Link to the event in April is here:

There is also a bunch of editable stuff to use in your own classes here:
This is material I delivered in 2014/2015 at RSA, LASCON and RSA (EU).
Stuff delivered over the years in the EU and USA.