QUALYS SECURITY CONFERENCE 2018
Qualys CertView: Managing Digital Certificates
Asif Karel, Director, Product Management, Qualys, Inc.
QSC Conference, 2018, November 16, 2018

Agenda
· Introduction
· Evolving browser markers
· Introducing CertView
· Key Use Cases and Capabilities
· Demo
· Q&A

Refresher: What does SSL give you?
· Confidentiality
· Authentication
· Message Integrity
· Non-repudiation

Certificates are Everywhere
· Public-Facing Services
· Internal Services
· Services in Public Clouds
· API endpoints
· Machine-to-machine communication

Evolving security indicators
"Users should expect that the web is safe by default, and they'll be warned when there's an issue."(1) - Security Team
(1) https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

Timeline of Chrome's Evolution
· July 2018 (Chrome 68): All HTTP sites marked "Not Secure"
· Sept 2018 (Chrome 69): Secure sites marked neutral instead of the green "Secure"
· Oct 2018 (Chrome 70): RED "Not Secure" marker if the user interacts with any input field
· https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

Schedule to disable TLS 1.0 / 1.1
· Chrome: Jan 2020
· Firefox/Safari: March 2020
· IE: First half of 2020
TLS 1.3 is faster and removes support for insecure features and ciphers.

SSL Pulse
The Good
· No SHA1 or 1024 bit keys
The Bad (~35% inadequate)
· Expired certificates: ~5,200
· Expiring in the next 2 weeks: ~4,500
· Weak/Insecure cipher suites: ~4,200
· SSLv2/SSLv3: ~15,000
· TLSv1.0: ~99,000 (72%)
· RC4 enabled: ~22,000 (16%)

Security Solution w/o a Certificate Management System

High-end Security Solution w/o a Certificate Management System

Tinkering with Security Solutions w/o a Certificate Management System

Dangers of Incomplete Security Solutions
Hiding Malicious Actions
· Hiding the Initial Infection: Malware, Ransomware, Virus, Trojan
· Before the call back to a C&C: Botnet
· Hiding Data Exfiltration
· Bypass other controls such as DLP

Security Solutions w/o a Certificate Management System

Current State of Most Organizations
Limited Visibility
· 95% of organizations don't know where certs are in their networks
· Limited ownership information
· The unknown is difficult to manage
Expirations Missed
· Unplanned outages
· Many more "near misses"
Compliance
· Certificates from unapproved CAs
· Responding to audits is a manually intensive exercise
Reliance on Manual Processes
· Spreadsheets are error prone and out-of-date
· Expensive, not scalable as certificates increase
· Troubleshooting issues is challenging

"The average Global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage."(1)
(1) http://www.csoonline.com/article/2987186/browser-security/expired-certificates-cost-businesses-15-million-per-outage.html

Challenges of Existing Solutions: Lack of...
Visibility
· Point tools, increasing effort and ownership costs
Scalability
· Operational silos
· Work in on-premises or cloud-only mode
· Require multiple or complex deployments to cover large environments
Maturity
· Most solutions are off-the-shelf vulnerability-only or certificate-only "tools"
Single Pane of Glass

"We have no visibility into certificates outside the firewall."
"We can't inspect encrypted traffic."
"What's DevOps doing? I just found 5,000 self-signed certificates!"
"Network is down, certificate expired again!"

Introducing Qualys CertView
· Discover, inventory, monitor certificates
· Discover, inventory, monitor host configurations & vulnerabilities
· Coverage across both on-premises and cloud environments
· Renew certificates from the same platform

Use Cases
· Outage Remediation: Stop expired certificates from interrupting business
· Certificate Grades: Find out if your TLS configurations are following best practices
· Baseline Normal Usage / Full Visibility: Establish a baseline to be able to detect anomalies
· Audits and Compliance: Achieve audit success and fast remediation
· Certificate Renewal: Renew expiring certificates

Key Advantages of Qualys CertView
· Uses the same Qualys scanners already deployed for Vulnerability Management or Policy Compliance
· Qualys CertView meets many of the common use cases in version 1.0, and we're working on closing gaps quickly
· Certificate Enrollment/Renewal: Releasing next month
· Simplified delivery through Qualys Cloud Platform: easy for existing VM/PC customers to trial and deploy
· Attractive Pricing

CertView Releases and Roadmap
Q4 2018*
· CA Imports
· Enroll/Renew (Digicert)
· Approval workflow
· Scan Consolidation
Q1 2019*
· APIs
· Alerts
· Assign ownership
· Enroll/Renew (Comodo / Let's Encrypt)
· Certificate Validation
Q2 2019*
· Enroll/Renew (Microsoft CA / GoDaddy)
· ServiceNow CMDB integration
· Deploy on Apache
Q3 2019*
· Cloud Agent support
· Enroll/Renew (Entrust / EJBCA)
· Deploy on IIS
* Roadmap items are future looking; timing and specifications may change.

"CertView is free, it's how you use it (or not) that will cost you!" - Anonymous

DEMO

Q&A

Thank You
Asif Karel, akarel@qualys.com
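The SSL Pulse slide and the Outage Remediation use case both come down to the same inventory checks: expired certificates, certificates expiring within two weeks, SHA-1 signatures and 1024-bit keys. The script below is an added example, not CertView's code, that builds a small constructed inventory of self-signed certificates in memory with the `cryptography` library and buckets them into those categories; the "today" date, the 14-day window and the 2048-bit minimum are assumptions chosen to match the slide.

```python
"""Bucket a certificate inventory into the SSL Pulse findings from the slide.
Added example with constructed certificates; not Qualys CertView code."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOW = datetime(2018, 11, 16, tzinfo=timezone.utc)  # constructed "today"
EXPIRING_WINDOW = timedelta(days=14)                # "expiring in the next 2 weeks"
MIN_RSA_BITS = 2048                                 # anything below counts as weak


def make_cert(cn, not_after, key_bits=2048, sig_hash=None):
    """Build a self-signed cert with a chosen expiry, key size and signature hash."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(not_after - timedelta(days=365))
               .not_valid_after(not_after))
    return builder.sign(key, sig_hash or hashes.SHA256())


def not_after_utc(cert):
    """Return the expiry as an aware UTC datetime across cryptography versions."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_after_utc
    return cert.not_valid_after.replace(tzinfo=timezone.utc)


def audit(certs, now=NOW):
    """Map each SSL Pulse category to the common names that fall into it."""
    findings = {"expired": [], "expiring_2_weeks": [], "sha1": [], "weak_key": []}
    for cert in certs:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        expiry = not_after_utc(cert)
        if expiry < now:
            findings["expired"].append(cn)
        elif expiry - now <= EXPIRING_WINDOW:  # boundary day counts as expiring
            findings["expiring_2_weeks"].append(cn)
        if isinstance(cert.signature_hash_algorithm, hashes.SHA1):
            findings["sha1"].append(cn)
        if cert.public_key().key_size < MIN_RSA_BITS:
            findings["weak_key"].append(cn)
    return findings


# Constructed inventory: one healthy certificate plus one per finding.
INVENTORY = [
    make_cert("ok.example", NOW + timedelta(days=90)),
    make_cert("expired.example", NOW - timedelta(days=3)),
    make_cert("soon.example", NOW + timedelta(days=10)),
    make_cert("sha1.example", NOW + timedelta(days=90), sig_hash=hashes.SHA1()),
    make_cert("weak.example", NOW + timedelta(days=90), key_bits=1024),
]
```

Running `audit(INVENTORY)` returns one name per category; a real deployment would replace the constructed list with certificates loaded from scan results.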