VULNERABILITY MANAGEMENT
Moving Away from the Compliance Checkbox Towards Continuous Discovery

WHO AM I?
Derek Thomas, Security Consultant
• VM, SSO/AM, SIEM
• Active in local INFOSEC groups: Misec, OWASP, ISSA

AGENDA
1. Common Problems
2. What are Vulnerabilities
3. Objectives of Vulnerability Management
4. Program Approach
5. Questions

PROBLEMS
Common themes:
• Limited scope
• External network centric
• Unauthenticated scans
• Infrequent assessments
• Compliance driven

THREATS ARE EVERYWHERE
Malware, insider, hacktivist, Target, environmental, mobile devices, improper configs

MINIMUM STANDARDS
Regulations are setting the standard.
Example: NERC CIP requires R8, Cyber Vulnerability Assessment: "A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled."
A simple network command like "netstat" would satisfy this generic requirement. It lists which sockets are listening, not whether each one is actually required for operation or what is behind it, so meeting the requirement this way says little about real exposure.

MINIMUM STANDARDS = LIMITED INSIGHT
When your goal is meeting a minimum standard, you run the risk of missing valuable insight into the security posture of many aspects of your organization.

LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES
• Patch Management: outdated software exists on newer assets and on assets not joined to the domain.
• Security Monitoring: detection is slow, tedious, or non-existent because there is an overabundance of false positives.
• Change Management: ineffective change management allows rogue servers to appear on the network.
• Incident Response: a data breach has led to costly damages.

PATH TO THE DARKSIDE
Lightside to Darkside: Minimum Requirements, Minimal Insight, Vulnerabilities, Exploits, Suffering

AVOID THE DARK SIDE WITH A VM PROGRAM
• Follow a defined lifecycle
• Proactively identify vulnerabilities
• Technical process
• Evaluate effectiveness with testing

NON-TECHNICAL VULNERABILITIES
What's the first thing that comes to your mind when you think of a vulnerability?
• Outdated software and insecure configurations are often the answer.
• Non-technical vulnerabilities exist in security processes as well.
• Understanding how each can be addressed is the key to a successful program.

THE "WHAT"
Availability

THE "HOW"
Security controls can fall into 3 categories: Prevention, Correction, Detection.

THE "WHY" (AVOID THE DARKSIDE)
• Incident reduction
• Risk reduction
• Minimize threat vectors
• Risk reporting
• Tracking

VM PROGRAM APPROACH
• Define a plan: assign responsibilities, define scope, define critical controls
• Utilize a sustainable lifecycle
• Strive for predictable and repeatable results

DEFINE A PLAN - RESPONSIBILITIES
• Assign roles and responsibilities: who is responsible for what
• Most roles are already suited to a particular person
Example:
• VM Project Lead (Jane Doe): manages the VM team, coordinates remediation
• Patch Management Lead (Jenny Smith): patch engineer
• Red Team (John Doe): penetration testing, vulnerability management

DEFINE A PLAN - SCOPE
What is going to be managed?
• Start with discovery scans
• Incorporate as many assets as possible
• Security controls should be added as well
Example: In Scope: Critical Servers, Medical Devices, Firewall X, Application Y. Out of Scope:

DEFINE A PLAN - CRITICAL CONTROLS
• Vulnerabilities exist in controls
• What controls should be added? SANS Top 20 Critical Controls

SUSTAINABLE LIFECYCLE
1. Find: proactively search for weaknesses within the scope
2. Fix: remediate known vulnerabilities
3. Test: verify that vulnerabilities have been remediated

SUSTAINABLE LIFECYCLE - FIND
How are vulnerabilities found? There are 2 basic approaches: automated and (semi-)manual. Many tasks can be automated; manual assessments still need to be performed.

SUSTAINABLE LIFECYCLE - FIND AUTOMATED
• An automated tool performs the heavy lifting; the most famous is the vulnerability scanner
• 7 out of the 20 SANS Critical Controls can be automated in some way with a vulnerability tool
• Another 8 can be automated using additional tools
• Automate as much as possible to save time for the fun

SUSTAINABLE LIFECYCLE - FIND MANUAL
• The remaining security controls can be manually tested
• Controls can be tested through various Red Team exercises
• The Red Team simulates attacks from a malicious party
• Examples: incident detection, incident response, people

SUSTAINABLE LIFECYCLE - FIX
How are vulnerabilities going to be fixed?
• Present data in actionable form; a 6000-page PDF is not very actionable
• Generate patch reports for the patch management team
• Reports filtered for server IPs can be sent to the server team
Easier said than done:
• Use built-in tools if possible
• You need buy-in from the application, system, and network teams; without buy-in, remediation becomes difficult

SUSTAINABLE LIFECYCLE - TEST
• Verification of remediation efforts: verify that patches have been applied
• Ideally right after application; can also be performed at the next scan interval

PREDICTABLE AND REPEATABLE RESULTS
• Once the program has reached a mature level, the results shouldn't be surprising
• The processes will mature to the point that you can accurately predict the outcomes: patches will be applied on time, malware will be detected and cleaned, and assets will be introduced with secure configurations

PREDICTABLE AND REPEATABLE RESULTS - METRICS
• Vulnerability management needs to be assessed; metrics can gauge your improvement
• NIST SP 800-40 provides excellent metrics
• Host susceptibility to attack: number of patches, vulnerabilities, or network services per computer
• Vulnerability mitigation response time: response time for vulnerability identification, patch application, or configuration change
• VM program cost: cost of the vulnerability management group, support, or tools

VULNERABILITY METRICS (NIST SP 800-40)
[chart: 3 minimum, 8 maximum]

CONCLUSION
• Approach VM as a continuous lifecycle
• Move beyond minimum standards to enhance visibility and insight into the current state of security
• Clear objectives and a proper approach are fundamental to VM
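The NERC CIP ports-and-services review above is usually "satisfied" by pasting netstat output into a report. The following added example (not from the talk) shows what a slightly less minimal version of that check looks like: parse the listener list, compare it against an allow-list of the ports and programs the asset's role actually requires, and flag everything else, including a required port served by the wrong program and a required service that is missing. The netstat output, the allow-list, and the program names are constructed for illustration.

```python
"""Check a host's listening ports and services against what its role
requires.  Added example for the ports-and-services review discussed above;
the netstat output, the allow-list and the program names are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed output of `netstat -tulpn` on a Linux host (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1203/master
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN      1410/python3
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      655/in.telnetd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           990/snmpd
tcp6       0      0 :::8080                 :::*                    LISTEN      2210/java
"""

# Constructed allow-list for this asset's role: (proto, port) -> expected program.
REQUIRED = {
    ("tcp", 22): "sshd",
    ("tcp", 502): "modbusd",
    ("udp", 161): "snmpd",
    ("tcp", 443): "httpd",
}


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp" (tcp6/udp6 are normalised to tcp/udp)
    addr: str      # bind address, e.g. "0.0.0.0", "127.0.0.1", "::"
    port: int
    program: str   # program name from the PID/Program column, "" if unknown


def parse_netstat(text: str) -> list[Listener]:
    """Parse Linux `netstat -tulpn` style output (assumed column layout)."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue                      # banner and header lines
        proto = parts[0].rstrip("6")
        addr, port = parts[3].rsplit(":", 1)
        if proto == "tcp":
            # TCP rows carry a State column; only LISTEN rows are listeners.
            if len(parts) < 7 or parts[5] != "LISTEN":
                continue
            pidprog = parts[6]
        else:
            # UDP rows have no State column, so PID/Program shifts one left.
            pidprog = parts[5] if len(parts) > 5 else "-"
        program = pidprog.split("/", 1)[1] if "/" in pidprog else ""
        listeners.append(Listener(proto, addr, int(port), program))
    return listeners


def assess(listeners: list[Listener], required: dict) -> list[str]:
    """Return findings: listeners that are not required, required ports
    served by an unexpected program, and required services not listening."""
    findings, seen = [], set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key not in required:
            scope = "loopback-only" if l.addr in ("127.0.0.1", "::1") else "network-exposed"
            findings.append(f"NOT REQUIRED ({scope}): {l.proto}/{l.port} {l.addr} by {l.program or 'unknown'}")
        elif required[key] != l.program:
            findings.append(f"UNEXPECTED PROGRAM on required {l.proto}/{l.port}: "
                            f"{l.program or 'unknown'} (expected {required[key]})")
    for (proto, port), prog in required.items():
        if (proto, port) not in seen:
            findings.append(f"REQUIRED BUT NOT LISTENING: {proto}/{port} ({prog})")
    return findings


def run_example() -> list[str]:
    return assess(parse_netstat(SAMPLE_NETSTAT), REQUIRED)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The same allow-list becomes the "required for operation" evidence the CVA asks for, and diffing each scan's findings against the previous run turns a once-a-year checkbox into the continuous discovery the talk argues for.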
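The Fix slides ask for scanner output in actionable form (per-team reports filtered by IP instead of a 6000-page PDF) and the metrics slides ask for the NIST SP 800-40 measures of findings per host and mitigation response time. The following added example (not from the talk) does both from one flat scanner export: it routes each finding to the owning team by CIDR, builds a severity-ordered open work list per team, and computes the two metrics. The CSV rows, the CIDR-to-team mapping, and the column names are constructed and do not match any particular scanner's export format.

```python
"""Turn a flat scanner export into per-team work lists and NIST SP 800-40
style metrics.  Added example; the CSV rows, the CIDR-to-team map and the
column names are constructed, not taken from any real scanner."""
import csv
import io
import ipaddress
import statistics
from collections import Counter, defaultdict
from datetime import date

# Constructed scanner export: one row per (host, finding); empty remediated = still open.
SCAN_CSV = """\
ip,hostname,severity,finding,first_seen,remediated
10.10.1.5,db01,critical,Missing OS security update,2023-03-01,2023-03-09
10.10.1.5,db01,high,SMBv1 enabled,2023-03-01,
10.10.1.7,web01,high,Outdated OpenSSL,2023-03-01,2023-03-05
10.20.3.14,ws-jdoe,medium,Outdated Java runtime,2023-03-02,2023-03-04
10.20.3.20,ws-asmith,critical,Missing OS security update,2023-03-02,
192.168.50.2,fw-edge,low,Default SNMP community string,2023-03-01,2023-03-15
"""

# Constructed ownership map: which team remediates which address space.
TEAMS = {
    "server team": ipaddress.ip_network("10.10.0.0/16"),
    "desktop team": ipaddress.ip_network("10.20.0.0/16"),
    "network team": ipaddress.ip_network("192.168.50.0/24"),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_findings(text):
    """Parse the export and convert the date columns (ISO 8601 assumed)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["remediated"] = date.fromisoformat(row["remediated"]) if row["remediated"] else None
        rows.append(row)
    return rows


def route_to_teams(findings, teams=TEAMS):
    """Split findings by owning team via the IP-to-CIDR map.  Anything outside
    every range goes to 'unassigned' so it is surfaced rather than dropped."""
    by_team = defaultdict(list)
    for f in findings:
        ip = ipaddress.ip_address(f["ip"])
        owner = next((team for team, net in teams.items() if ip in net), "unassigned")
        by_team[owner].append(f)
    return dict(by_team)


def open_work_list(findings):
    """Open (not yet remediated) findings for one team, worst severity first."""
    open_items = [f for f in findings if f["remediated"] is None]
    open_items.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["hostname"]))
    return [(f["hostname"], f["severity"], f["finding"]) for f in open_items]


def sp800_40_metrics(findings):
    """Host susceptibility (findings per host) and vulnerability mitigation
    response time (days from first_seen to remediated), after NIST SP 800-40."""
    hosts = {f["hostname"] for f in findings}
    response_days = [(f["remediated"] - f["first_seen"]).days
                     for f in findings if f["remediated"] is not None]
    return {
        "findings_per_host": len(findings) / len(hosts),
        "open_by_severity": dict(Counter(f["severity"] for f in findings
                                         if f["remediated"] is None)),
        "mean_response_days": statistics.mean(response_days) if response_days else None,
        "max_response_days": max(response_days) if response_days else None,
    }


def run_example():
    findings = load_findings(SCAN_CSV)
    routed = route_to_teams(findings)
    work = {team: open_work_list(items) for team, items in routed.items()}
    return routed, work, sp800_40_metrics(findings)


if __name__ == "__main__":
    routed, work, metrics = run_example()
    for team, items in work.items():
        print(f"{team}: {len(routed[team])} findings, {len(items)} open")
        for hostname, severity, finding in items:
            print(f"  [{severity}] {hostname}: {finding}")
    print(metrics)
```

Run against successive scans, the response-time figures are what the Test step verifies: a remediated date only gets filled in when the rescan no longer reports the finding, so the metric measures confirmed fixes rather than tickets marked done.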