VULNERABILITY MANAGEMENT
Moving Away from the Compliance Checkbox Towards Continuous Discovery
WHO AM I?
• Derek Thomas
• Security Consultant
• VM, SSO/AM, SIEM
• Active in local INFOSEC groups
  • Misec
  • OWASP
  • ISSA
AGENDA
1. Common Problems
2. What are Vulnerabilities
3. Objectives of Vulnerability Management
4. Program Approach
5. Questions
PROBLEMS
Common Themes:
• Limited Scope
• External Network Centric
• Unauthenticated Scans
• Infrequent Assessments
• Compliance Driven
THREATS ARE EVERYWHERE
• Malware
• Insider
• Hacktivist
• Target
• Environmental
• Mobile Devices
• Improper Configs
MINIMUM STANDARDS
• Regulations are setting the standard
• Example: NERC CIP
  • Requires R8. Cyber Vulnerability Assessment
  • “A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled”
  • A simple network command like “Netstat” would satisfy this generic requirement
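As an added illustration (not part of the original slides), here is the kind of check the netstat remark describes: list the listening ports and compare them with an allowlist of ports required for operation. The sample netstat output and the allowlist are constructed; on a Linux asset the same functions would be fed from netstat -tuln instead. The check is genuinely minimal: it says nothing about whether the service behind an allowed port is outdated or misconfigured, which is the limited insight the following slides describe.

```shell
#!/bin/sh
# Added example, not from the original slides: compare listening TCP/UDP ports
# against an allowlist of ports required for operation, the review that
# "only required ports and services are enabled" asks for.
# The netstat output below is constructed; on a Linux host replace it with:
#   netstat -tuln | listening_ports | unexpected_ports "$ALLOWED_PORTS"

# Constructed allowlist: ports this asset needs to operate
ALLOWED_PORTS="22 443"

# Constructed sample of `netstat -tuln` output
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# listening_ports: read netstat -tuln style text on stdin, print "proto port"
# for every listener (header lines are skipped because $1 is not tcp/udp)
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print $1, a[n] }'
}

# unexpected_ports ALLOWLIST: read "proto port" pairs on stdin and print the
# ones whose port is not in the space-separated ALLOWLIST
unexpected_ports() {
    allow=" $1 "
    while read -r proto port; do
        case "$allow" in
            *" $port "*) ;;                          # required for operation
            *) printf '%s %s\n' "$proto" "$port" ;;  # not on the allowlist
        esac
    done
}

# count_unexpected ALLOWLIST: number of unexpected listeners in the sample
count_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | unexpected_ports "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample and list anything not on the allowlist
printf 'Listeners not in allowlist (%s):\n' "$ALLOWED_PORTS"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | unexpected_ports "$ALLOWED_PORTS"
```

With the constructed sample the script reports tcp 3306 and udp 161 as listeners outside the allowlist; whether port 22 is running a patched SSH daemon is a question this review never asks.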
MINIMUM STANDARDS = LIMITED INSIGHT
When your goal is meeting a minimum standard you run the risk of missing valuable insight into the security posture of many aspects of your organization.
LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES
• Patch Management: Outdated software exists on newer assets and on assets not on the domain.
• Security Monitoring: Detection is slow, tedious, or non-existent because there is an overabundance of false positives.
• Change Management: Ineffective change management allows rogue servers to appear on the network.
• Incident Response: A data breach has led to costly damages.
PATH TO THE DARKSIDE
Lightside → Darkside
Minimum Requirements → Minimal Insight → Vulnerabilities → Exploits → Suffering
AVOID THE DARK SIDE WITH A VM PROGRAM
• Follow a defined lifecycle
• Proactively identify vulnerabilities
  • Technical
  • Process
• Evaluate effectiveness with testing
NON-TECHNICAL VULNERABILITIES
What’s the first thing that comes to your mind when you think of a vulnerability?
• Outdated software and insecure configurations are often the answer
• Non-technical vulnerabilities exist in security processes as well
• Understanding how each can be addressed is the key to a successful program
THE “WHAT”
• Availability
THE “HOW”
• Security controls can fall into 3 categories:
  • Prevention
  • Correction
  • Detection
THE “WHY” (AVOID THE DARKSIDE)
• Incident Reduction
• Risk Reduction
• Minimize threat vectors
• Risk Reporting
• Tracking
VM PROGRAM APPROACH
• Define a Plan
  • Assign Responsibilities
  • Define Scope
  • Define Critical Controls
• Utilize a Sustainable Lifecycle
• Strive for Predictable and Repeatable Results
DEFINE A PLAN - RESPONSIBILITIES
• Assign roles and responsibilities
• Who is responsible for what
• Most roles are already suited for a particular person

Role                   Name         Duties
VM Project Lead        Jane Doe     Manages VM team; coordinates remediation
Patch Management Lead  Jenny Smith  Patch Engineer
Red Team               John Doe     Penetration Testing; Vulnerability Management
DEFINE A PLAN - SCOPE
• What is going to be managed?
• Start with discovery scans
• Incorporate as many assets as possible
• Security controls should be added as well

In Scope: Critical Servers, Medical Devices, Firewall X, Application Y
Out of Scope:
DEFINE A PLAN - CRITICAL CONTROLS
• Vulnerabilities exist in controls
• What controls should be added?
• SANS Top 20 Critical Controls
SUSTAINABLE LIFECYCLE
Find → Fix → Test (repeating cycle)
1. Find: Proactively search for weaknesses within the scope
2. Fix: Remediate known vulnerabilities
3. Test: Verify vulnerabilities have been remediated
SUSTAINABLE LIFECYCLE - FIND
• How are vulnerabilities found?
• 2 basic approaches:
  • Automated
  • (Semi)Manual
• Many tasks can be automated
• Manual assessments still need to be performed
SUSTAINABLE LIFECYCLE – FIND AUTOMATED
• Automated tool performs the heavy lifting
• The most famous is the vulnerability scanner
• 7 out of 20 SANS Critical Controls can be automated in some way with a vulnerability tool
• Another 8 can be automated using additional tools
• Automate as much as possible to save time for the fun
SUSTAINABLE LIFECYCLE – FIND MANUAL
• Remaining security controls can be manually tested
• Controls can be tested through various Red Team exercises
• The Red Team simulates attacks from a malicious party
  • Incident Detection
  • Incident Response
  • People
SUSTAINABLE LIFECYCLE - FIX
• How are vulnerabilities going to be fixed?
• Present data in actionable form
  • A 6000-page .pdf is not very actionable
• Generate patch reports for the patch management team
  • Reports filtered for server IPs can be sent to the server team
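As an added example (not from the original slides), the following script does the filtering the slide describes: it reads a raw scan export, routes each finding to the team that owns the IP range, orders each team's list by severity, and builds a patch-only report for the patch management team. The CSV rows, team ranges and field names are constructed for the example and are not any particular scanner's export format.

```python
"""Added example, not from the original slides: turn a raw scan export into
per-team, actionable reports. Findings are routed by IP range to the team that
owns the asset, and the patch management team receives only the findings that
have a vendor patch. The CSV rows, team ranges and column names below are
constructed sample data, not a real scanner's export format."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed scan export: one row per finding
SCAN_CSV = """ip,host,finding,severity,patch_available
10.1.0.5,web01,Outdated TLS library,High,yes
10.1.0.5,web01,Directory listing enabled,Medium,no
10.1.0.9,db01,Unsupported database version,Critical,yes
10.2.0.20,fw-edge,Default SNMP community string,High,no
10.3.0.7,ws-0042,Missing OS patches,High,yes
10.3.0.7,ws-0042,Weak local password policy,Low,no
"""

# Constructed ownership map: CIDR range -> team that remediates findings there
TEAM_RANGES = {
    "10.1.0.0/24": "server team",
    "10.2.0.0/24": "network team",
    "10.3.0.0/24": "desktop team",
}

# Sort order so the most severe findings come first in each report
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_findings(text):
    """Parse the CSV export into a list of dicts, one per finding."""
    return list(csv.DictReader(io.StringIO(text)))


def owning_team(ip, team_ranges=TEAM_RANGES):
    """Return the team responsible for an IP, or 'unassigned' if no range matches.
    An unassigned address is itself worth a look: it may be a rogue host."""
    addr = ipaddress.ip_address(ip)
    for cidr, team in team_ranges.items():
        if addr in ipaddress.ip_network(cidr):
            return team
    return "unassigned"


def route_findings(findings, team_ranges=TEAM_RANGES):
    """Group findings by owning team, most severe first within each team."""
    by_team = defaultdict(list)
    for f in findings:
        by_team[owning_team(f["ip"], team_ranges)].append(f)
    for rows in by_team.values():
        rows.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return dict(by_team)


def patch_report(findings):
    """Findings the patch management team can act on (a patch exists),
    grouped by host so one ticket covers one machine."""
    by_host = defaultdict(list)
    for f in findings:
        if f["patch_available"].lower() == "yes":
            by_host[f["host"]].append(f["finding"])
    return dict(by_host)


def summarize(findings, team_ranges=TEAM_RANGES):
    """One entry per team: number of findings and the worst severity seen."""
    summary = {}
    for team, rows in route_findings(findings, team_ranges).items():
        summary[team] = {"count": len(rows), "worst": rows[0]["severity"]}
    return summary


if __name__ == "__main__":
    rows = parse_findings(SCAN_CSV)
    for team, report in route_findings(rows).items():
        print(f"== {team} ({len(report)} findings) ==")
        for f in report:
            print(f"  [{f['severity']}] {f['host']} {f['ip']}: {f['finding']}")
    print("== patch management ==")
    for host, fixes in patch_report(rows).items():
        print(f"  {host}: {', '.join(fixes)}")
```

Each team sees only the hosts it can actually change, and anything that lands in "unassigned" is a scope or change-management gap rather than noise to be discarded.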

SUSTAINABLE LIFECYCLE - FIX
• Easier said than done
• Use built-in tools if possible
• Need buy-in from the application, system, and network teams
• Without buy-in, remediation becomes difficult
SUSTAINABLE LIFECYCLE - TEST
• Verification of remediation efforts
• Verify that patches have been applied
  • Ideally right after application
  • Can also be performed at the next scan interval
PREDICTABLE AND REPEATABLE RESULTS
• Once the program has reached a mature level the results shouldn’t be surprising
• The processes will mature to the point that you can accurately predict the outcomes
  • Patches will be applied on time
  • Malware will be detected and cleaned
  • Assets will be introduced with secure configurations
PREDICTABLE AND REPEATABLE RESULTS - METRICS
• Vulnerability Management needs to be assessed
• Metrics can gauge your improvement
• NIST SP 800-40 provides excellent metrics
PREDICTABLE AND REPEATABLE RESULTS - METRICS
• Host Susceptibility to Attack
  • Number of patches, vulnerabilities, or network services per computer
• Vulnerability Mitigation Response Time
  • Response time for vulnerability identification, patch application, or configuration change
• VM Program Cost
  • Cost of Vulnerability Management group, support, or tools
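As an added example (not from the original slides), the script below computes the three metric families the slide lists from a remediation log: findings per managed host (susceptibility), days from identification to remediation (response time, with open findings aged separately so a backlog cannot hide behind a good average), and program cost per host. The records, host count and cost figures are constructed sample data, and the field names are assumptions rather than anything defined by NIST SP 800-40.

```python
"""Added example, not from the original slides: the three metric families the
slide lists, computed from a remediation log. Host susceptibility is findings
per managed host, mitigation response time is days from identification to
remediation, and program cost is expressed per managed host. All records,
counts and cost figures are constructed sample data; the field names are
assumptions for this example."""
from datetime import date
from statistics import mean, median

# Constructed remediation log: one record per finding on a host.
# "remediated" is None while the finding is still open.
RECORDS = [
    {"host": "web01", "severity": "High", "identified": date(2014, 3, 1), "remediated": date(2014, 3, 8)},
    {"host": "web01", "severity": "Medium", "identified": date(2014, 3, 1), "remediated": date(2014, 3, 22)},
    {"host": "db01", "severity": "Critical", "identified": date(2014, 3, 3), "remediated": date(2014, 3, 5)},
    {"host": "fw-edge", "severity": "High", "identified": date(2014, 3, 3), "remediated": None},
    {"host": "ws-0042", "severity": "High", "identified": date(2014, 3, 10), "remediated": date(2014, 3, 17)},
    {"host": "ws-0042", "severity": "Low", "identified": date(2014, 3, 10), "remediated": None},
    {"host": "ws-0043", "severity": "Low", "identified": date(2014, 3, 10), "remediated": date(2014, 3, 12)},
]
MANAGED_HOSTS = 5  # constructed: hosts in scope, including ones with no findings
# Constructed annual program cost: staff, support contracts, scanner licences
PROGRAM_COST = {"staff": 120000.0, "support": 15000.0, "tools": 25000.0}


def host_susceptibility(records, managed_hosts):
    """Average findings per managed host (lower is better), plus the per-host
    counts so the outliers can be found."""
    per_host = {}
    for r in records:
        per_host[r["host"]] = per_host.get(r["host"], 0) + 1
    return {"per_host": per_host, "average": len(records) / managed_hosts}


def mitigation_response_time(records, as_of):
    """Days from identification to remediation for closed findings, and the
    age of still-open findings as of `as_of`."""
    closed = [(r["remediated"] - r["identified"]).days for r in records if r["remediated"]]
    open_age = [(as_of - r["identified"]).days for r in records if not r["remediated"]]
    return {
        "closed_mean_days": mean(closed) if closed else 0,
        "closed_median_days": median(closed) if closed else 0,
        "open_count": len(open_age),
        "oldest_open_days": max(open_age) if open_age else 0,
    }


def response_time_by_severity(records):
    """Mean closed-finding response time per severity, so a target such as
    'Critical within 7 days' can be checked against the data."""
    buckets = {}
    for r in records:
        if r["remediated"]:
            buckets.setdefault(r["severity"], []).append((r["remediated"] - r["identified"]).days)
    return {sev: mean(days) for sev, days in buckets.items()}


def program_cost_per_host(cost, managed_hosts):
    """Total annual VM program cost and the cost per managed host."""
    total = sum(cost.values())
    return {"total": total, "per_host": total / managed_hosts}


if __name__ == "__main__":
    print("susceptibility:", host_susceptibility(RECORDS, MANAGED_HOSTS))
    print("response time:", mitigation_response_time(RECORDS, date(2014, 4, 1)))
    print("by severity:", response_time_by_severity(RECORDS))
    print("cost:", program_cost_per_host(PROGRAM_COST, MANAGED_HOSTS))
```

Tracked scan over scan, the averages should fall and the open-finding age should stay short; a rising oldest-open value is the earliest sign that the fix step of the lifecycle is losing buy-in.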
VULNERABILITY METRICS (NIST SP 800-40)
[figure from NIST SP 800-40; only the slide title survives]
VULNERABILITY METRICS (NIST SP 800-40)
• 3 minimum
• 8 maximum
CONCLUSION
• Approach VM as a continuous lifecycle
• Move beyond minimum standards to enhance visibility and insight into the current state of security
• Clear objectives and a proper approach are fundamental to VM