Monday, August 22, 2016

Dynamic Auto Assessment - Simple but effective

edgescan provides our clients with #fullstack security assessments but what does #fullstack mean?

#fullstack covers many layers in the OSI inter-connectivity diagram.

From "the top down......"

Deep Coverage

Web Applications:

  1. Technical vulnerabilities (injection attacks, scripting, error-based attacks)
  2. Logical vulnerabilities
  3. Component Security (end-of-life components/plugins, insecure config)

Host Security:

  1. Patching
  2. Enabled services (Type, version, known vulnerabilities etc)
  3. Operating System Known vulnerabilities
  4. Weak protocols
  5. Weak configuration

So unlike many application-only or host-only assessment services, edgescan discovers more of the possible weaknesses, whether they arise from poor maintenance, configuration mistakes, deployment security, patching or developer code... #fullstack

Wide Coverage

The holistic approach also covers ranges of IPs, such as a /24 or /16 CIDR block.

Automatic Assessment:

edgescan shall assess anything that is "live" at a given point in time across the entire block. We find this helps with the use cases of rogue deployments, insecure services being deployed, APT, data exfiltration servers etc.

In the age of the cloud, organisations' servers are constantly being spun up and torn down depending on demand. Our approach to range-based assessments covers this scenario, as our clients know that everything live within their range shall be detected and assessed.

Automatic vulnerability assessment coupled with continuous asset profiling provides our clients with a very adaptable solution when their systems are constantly in a state of flux.

No need for messy licensing or paperwork for every assessment: our licensing is range based, and we don't mind how many servers are live at any point in time. They shall all be assessed, and the results manually validated in our SOC...

edgescan also has alerting capability such as SMS, email and, soon, #slack alerting which shall be 2-way (think of it as a vulnerability management #slackbot).

You can ask edgescan to alert you if certain conditions arise, such as:

  1. New asset discovered
  2. New vulnerability discovered
  3. Change in hosting environment
  4. Assessment cycle is completed
  5. etc.

Risk Mitigation

Via our API you can now generate web layer mitigation rules for Web Application Firewalls (WAFs) on demand (Citrix NetScaler and ModSecurity). This gives you the flexibility to virtually patch discovered issues very quickly using your underused WAF :)

Tuesday, August 2, 2016

Continuous Asset Profiling - What is your attack surface?

At edgescan we have a solution called HIDE (Host Index Discovery and Enumeration), which is in effect a continuous asset profiling function. It does the following:

HIDE queries entire IP ranges for our clients. This "blanket" covering of ranges gives our clients the ability to see what's "alive" and what's enabled in seconds.
If an endpoint is decommissioned or newly deployed, HIDE detects the change and can alert users.

  • Detection of the state of all endpoints exposed to the public Internet
  • Identification of the endpoint, resolving any DNS associated with it
  • Enumeration of the services and open ports enabled on the endpoint
  • Automated alerts based on user-defined criteria (e.g. new host discovered, host dies etc.)
  • Detection is via cloud APIs and/or port enumeration (TCP/UDP)

Via the HIDE console you can query, say across 10,000 endpoints, which systems are running Linux and have port 25 open etc.
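To make the change detection and inventory query described above concrete, here is an added example (not edgescan's code and not HIDE's API) that diffs two constructed snapshots of a small range and answers a "Linux with port 25 open" query over the result. The addresses, names and port sets are made up for illustration.

```python
# Constructed inventory snapshots of one range, as a profiler like HIDE might record them:
# ip -> {"os": fingerprinted OS, "dns": resolved name or None, "ports": open TCP ports}.
# Addresses are RFC 5737 documentation addresses; nothing here was observed on a real network.
SNAPSHOT_T0 = {
    "203.0.113.10": {"os": "Linux", "dns": "mail.example.com", "ports": {25, 587}},
    "203.0.113.11": {"os": "Windows", "dns": "rdp.example.com", "ports": {3389}},
    "203.0.113.12": {"os": "Linux", "dns": None, "ports": {22, 443}},
}
SNAPSHOT_T1 = {
    "203.0.113.10": {"os": "Linux", "dns": "mail.example.com", "ports": {25, 587}},
    "203.0.113.12": {"os": "Linux", "dns": None, "ports": {22, 443, 25}},
    "203.0.113.20": {"os": "Linux", "dns": None, "ports": {8080}},
}


def diff_snapshots(old, new):
    """Return alert events (kind, ip, ports) for what changed between two snapshots."""
    events = []
    for ip in sorted(set(new) - set(old)):            # "new host discovered"
        events.append(("new_host", ip, sorted(new[ip]["ports"])))
    for ip in sorted(set(old) - set(new)):            # "host dies"
        events.append(("host_died", ip, sorted(old[ip]["ports"])))
    for ip in sorted(set(old) & set(new)):            # surviving hosts: look for service drift
        opened = new[ip]["ports"] - old[ip]["ports"]
        closed = old[ip]["ports"] - new[ip]["ports"]
        if opened:
            events.append(("ports_opened", ip, sorted(opened)))
        if closed:
            events.append(("ports_closed", ip, sorted(closed)))
    return events


def query(snapshot, os_name=None, port=None):
    """Inventory query such as 'which Linux hosts have port 25 open?' (None = any)."""
    return sorted(
        ip for ip, host in snapshot.items()
        if (os_name is None or host["os"] == os_name)
        and (port is None or port in host["ports"])
    )


if __name__ == "__main__":
    for event in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(event)
    print("Linux with port 25 open:", query(SNAPSHOT_T1, os_name="Linux", port=25))
```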

Why is HIDE "a hit" with our clients...?

Larger and growing organisations sometimes don't know what they have deployed to the public Internet.

Organisations which have migrated to the cloud may spin up and tear down instances on a frequent basis, which can result in IPs being reallocated dynamically.

Tracking a dynamic attack surface in the case of cloud is challenging using traditional techniques and results in poor coverage and reaction time.

Even using immutable secure baseline instances in the cloud requires constant validation; this is where HIDE comes in.

The ability to provide continuous vigilance and alerting in a constantly changing environment is very attractive to most CISOs.

Dynamic automated vulnerability management

As we can track the dynamic attack surface, we can also deliver on-point vulnerability management, such that once we discover a new instance we can immediately verify whether it poses any security risk to the business. Coupled with alerting and awareness, this gives our clients much greater visibility of their security posture as their attack surface grows and shrinks over time.

Pop over to for more information.