Download Vulnerability Management

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts

Computer security wikipedia, lookup

Information security wikipedia, lookup

Enterprise risk management wikipedia, lookup

Transcript
VULNERABILITY MANAGEMENT
Moving Away from the Compliance Checkbox Towards
Continuous Discovery
WHO AM I?




Derek Thomas
Security Consultant
VM, SSO/AM, SIEM
Active in local INFOSEC groups
Misec
 OWASP
 ISSA

AGENDA
1
Common Problems
2
What are Vulnerabilities
3
Objectives of Vulnerability Management
4
Program Approach
5
Questions
PROBLEMS
• Limited Scope
• External Network Centric
• Unauthenticated Scans
• Infrequent Assessments
• Compliance Driven
Common Themes
THREATS ARE EVERYWHERE
Malware
Insider
Hackivist
Target
Environmental
Mobile
Devices
Improper
Configs
MINIMUM STANDARDS




Regulations are setting the standard
Example: NERC CIP
Requires R8. Cyber Vulnerability Assessment
“A review to verify that only ports and services
required for operation of the Cyber Assets within the
Electronic Security Perimeter are enabled”
A simple network command like “Netstat” would
satisfy this generic requirement
MINIMUM STANDARDS = LIMITED INSIGHT
When your goal is meeting
a minimum standard you
run the risk of missing
valuable insight into the
security posture of many
aspects of your
organization
LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES
Patch Management
Security Monitoring
Outdated software exists on newer assets and
assets not on the domain.
Detection is slow, tedious, or non-existent
because there are an overabundance of false
positives
Change Management
Incident Response
Ineffective Change Management allows for rogue
servers to appear on network
Data breach has lead to costly damages
PATH TO THE DARKSIDE
Lightside
Darkside
Minimum Requirements
Minimal Insight
Vulnerabilities
Exploits
Suffering
AVOID THE DARK SIDE WITH A VM PROGRAM


Follow a defined lifecycle
Proactively identify vulnerabilities
Technical
 Process


Evaluate effectiveness with testing
NON-TECHNICAL VULNERABILITIES
What’s the first thing that comes to your
mind when you think of a vulnerability?



Outdated software and insecure configurations
is often the answer
Non-technical vulnerabilities exist in security
processes as well
Understanding how each can be addressed is
the key to a successful program
THE “WHAT”
Availability
THE “HOW”

Security controls can fall into 3 categories
Prevention
Correction
Detection
THE “WHY” (AVOID THE DARKSIDE)





Incident Reduction
Risk Reduction
Minimize threat vectors
Risk Reporting
Tracking
VM PROGRAM APPROACH

Define a Plan
Assign Responsibilities
 Define Scope
 Define Critical Controls



Utilize a Sustainable Lifecycle
Strive for Predictable and Repeatable Results
DEFINE A PLAN - RESPONSIBILITIES
• Assign roles and
responsibilities
• Who is responsible
for what
• Most roles are
already suited for a
particular person
VM Project Lead
Name
Jane Doe
• Manages VM team
•Coordinates remediation
Patch Management Lead
Name
Jenny Smith
• Patch Engineer
Red Team
Name
John Doe
• Penetration Testing
• Vulnerability Management
DEFINE A PLAN - SCOPE




What is going to be managed?
Start with discovery scans
Incorporate as many assets as possible
Security controls should be added as well
In Scope
Critical Servers
Medical Devices
Firewall X
Application Y
Out of Scope
DEFINE A PLAN - CRITICAL CONTROLS



Vulnerabilities exist in controls
What controls should be added
SANS Top 20 Critical Controls
SUSTAINABLE LIFECYCLE
Find
Test
Fix
1.Find
2.Fix
3.Test
Proactively search for
weaknesses within the scope
Remediate known
vulnerabilities
Verify vulnerabilities have been
remediated
SUSTAINABLE LIFECYCLE - FIND


How are vulnerabilities found?
2 basic approaches:
Automated
 (Semi)Manual



Many tasks can be automated
Manual assessments still need to be
performed
SUSTAINABLE LIFECYCLE – FIND AUTOMATED





Automated tool performs the heavy lifting
The most famous is the vulnerability scanner
7 out of 20 SANS Critical Controls can be
automated in some way with a vulnerability tool
Another 8 can be automated using additional
tools
Automate as much as possible to save time for
the fun
SUSTAINABLE LIFECYCLE – FIND MANUAL



Remaining security controls can be manually
tested
Controls can be tested through various Red
Team exercises
The Red Team simulates attacks from a
malicious party
Incident Detection
 Incident Response
 People

SUSTAINABLE LIFECYCLE - FIX



How are vulnerabilities going to be fixed
Present data in actionable form
6000 page .pdf is not very actionable
Generate patch reports for patch management
team
 Reports filtered for server IP’s can be sent to the
server team

SUSTAINABLE LIFECYCLE - FIX




Easier said then done
Use built in tools if possible
Need buy in from application, system, and
network team
Without buy-in remediation becomes difficult
SUSTAINABLE LIFECYCLE - TEST




Verification of
remediation efforts
Verify that patches have
been applied
Ideally right after
application
Can also be performed
next scan interval
PREDICTABLE AND REPEATABLE RESULTS


Once the program has reached a mature level
the results shouldn’t be surprising
The processes will mature to the point that you
can accurately predict the outcomes
Patches will be applied on time
 Malware will be detected and cleaned
 assets will be introduced with secure configurations

PREDICTABLE AND REPEATABLE RESULTS - METRICS



Vulnerability Management needs to
be assessed
Metrics can gauge your
improvement
NIST SP 800-40 provides
excellent metrics
55%
PREDICTABLE AND REPEATABLE RESULTS - METRICS

Host Susceptibility to Attack


Vulnerability Mitigation Response Time


Number of patches, vulnerabilities, or network
services per computer
Response time for vulnerability identification, patch
application, or configuration change
VM Program Cost

Cost of Vulnerability Management group, support,
or tools
VULNERABILITY METRICS
NIST SP 800-40
VULNERABILITY METRICS


3 minimum
8 maximum
NIST SP 800-40
CONCLUSION



Approach VM as a continuous lifecycle
Move beyond minimum standards to enhance
visibility and insight into the current state of
security
Clear objectives and proper approach is
fundamental to VM