
Vulnerability Management



Presentation Transcript


  1. Vulnerability Management Moving Away from the Compliance Checkbox Towards Continuous Discovery

  2. Who am I? Derek Thomas
  • Security Consultant
  • VM, SSO/AM, SIEM
  • Active in local INFOSEC groups: Misec, OWASP, ISSA

  3. Agenda: 1 Common Problems, 2 What are Vulnerabilities, 3 Objectives of Vulnerability Management, 4 Program Approach, 5 Questions

  4. Problems - Common Themes
  • Limited Scope
  • External Network Centric
  • Unauthenticated Scans
  • Infrequent Assessments
  • Compliance Driven

  5. Threats are Everywhere: Malware, Insider, Hacktivist, Target, Environmental, Improper Configs, Mobile Devices

  6. Minimum Standards: Regulations are setting the standard. Example: NERC CIP requires R8, Cyber Vulnerability Assessment: “A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled.” A simple network command like “netstat” would satisfy this generic requirement. http://www.nerc.com/files/CIP-007-1.pdf
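  The ports-and-services review the R8 wording asks for, as an added example that is not part of the presentation: it parses constructed `netstat -tlnp` output and compares each listener against a hypothetical approved baseline, which is where the insight comes from; a bare netstat listing satisfies the requirement but tells you nothing on its own (NETSTAT_OUTPUT, APPROVED_SERVICES and the program-name check are assumptions, not from the slides).

```python
"""Ports-and-services review in the spirit of NERC CIP-007 R8 (added example,
not from the presentation). Parses constructed `netstat -tlnp` style output and
checks every listening socket against an approved ports/services baseline."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -tlnp` output; not captured from a real host.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN      1301/modbusd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1412/mysqld
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      977/telnetd
tcp6       0      0 :::8080                 :::*                    LISTEN      1520/java
"""

# Hypothetical approved baseline: port -> program expected to own it.
APPROVED_SERVICES: Dict[int, str] = {22: "sshd", 502: "modbusd", 3306: "mysqld"}

# Matches one LISTEN line: proto, bind address, port, PID, program name.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def parse_listeners(output: str) -> List[Tuple[str, int, str]]:
    """Return (bind address, port, program) for every LISTEN line."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            _proto, addr, port, _pid, prog = m.groups()
            listeners.append((addr, int(port), prog))
    return listeners


def review_listeners(output: str, approved: Dict[int, str]) -> Dict[str, List[str]]:
    """Split listeners into approved ones and deviations from the baseline.
    A deviation is an unapproved port, or an approved port owned by an unexpected
    program: a replaced or rogue service is invisible to a port-only check."""
    result: Dict[str, List[str]] = {"approved": [], "deviations": []}
    for addr, port, prog in parse_listeners(output):
        label = f"{addr}:{port} ({prog})"
        bucket = "approved" if approved.get(port) == prog else "deviations"
        result[bucket].append(label)
    return result
```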

  7. Minimum Standards = Limited Insight: When your goal is meeting a minimum standard, you run the risk of missing valuable insight into the security posture of many aspects of your organization.

  8. Limited Insight will not expose Vulnerabilities
  • Patch Management: outdated software exists on newer assets and on assets not on the domain.
  • Security Monitoring: detection is slow, tedious, or non-existent because there is an overabundance of false positives.
  • Change Management: ineffective change management allows rogue servers to appear on the network.
  • Incident Response: a data breach has led to costly damages.

  9. Path to the Darkside (diagram, Lightside to Darkside): Minimum Requirements, Minimal Insight, Vulnerabilities, Exploits, Suffering

  10. Avoid the Dark side with a VM Program
  • Follow a defined lifecycle
  • Proactively identify vulnerabilities: technical and process
  • Evaluate effectiveness with testing

  11. Non-Technical Vulnerabilities
  • What’s the first thing that comes to your mind when you think of a vulnerability?
  • Outdated software and insecure configurations are often the answer
  • Non-technical vulnerabilities exist in security processes as well
  • Understanding how each can be addressed is the key to a successful program

  12. The “What”: Integrity, Confidentiality, Availability

  13. The “How”: Security controls can fall into 3 categories

  14. The “Why” (AVOID the DARKSIDE): Incident Reduction, Risk Reduction, Minimize threat vectors, Risk Reporting, Tracking

  15. VM Program Approach - Define a Plan
  • Assign Responsibilities
  • Define Scope
  • Define Critical Controls
  • Utilize a Sustainable Lifecycle
  • Strive for Predictable and Repeatable Results

  16. Define a Plan - Responsibilities
  • Assign roles and responsibilities: who is responsible for what
  • Most roles are already suited for a particular person
  Example roster from the slide:
  • Jane Doe, VM Project Lead: manages the VM team, coordinates remediation
  • John Doe, Red Team: penetration testing, vulnerability management
  • Jenny Smith, Patch Management Lead: patch engineer

  17. Define a Plan - Scope: What is going to be managed?
  • Start with discovery scans
  • Incorporate as many assets as possible
  • Security controls should be added as well
  (Diagram: In Scope / Out of Scope, listing Critical Servers, Medical Devices, Firewall X, Application Y)

  18. Define a Plan - Critical Controls: Vulnerabilities exist in controls. What controls should be added? SANS Top 20 Critical Controls

  19. Sustainable Lifecycle: Find, Fix, Test
  1. Find: proactively search for weaknesses within the scope
  2. Fix: remediate known vulnerabilities
  3. Test: verify vulnerabilities have been remediated

  20. Sustainable Lifecycle - Find: How are vulnerabilities found?
  • 2 basic approaches: Automated and (Semi)Manual
  • Many tasks can be automated
  • Manual assessments still need to be performed

  21. Sustainable Lifecycle – Find: Automated
  • Automated tools perform the heavy lifting; the most famous is the vulnerability scanner
  • 7 out of 20 SANS Critical Controls can be automated in some way with a vulnerability tool
  • Another 8 can be automated using additional tools
  • Automate as much as possible to save time for the fun

  22. Sustainable Lifecycle – Find: Manual
  • Remaining security controls can be manually tested
  • Controls can be tested through various Red Team exercises
  • The Red Team simulates attacks from a malicious party
  • Incident Detection, Incident Response, People

  23. Sustainable Lifecycle - Fix: How are vulnerabilities going to be fixed?
  • Present data in actionable form; a 6000 page .pdf is not very actionable
  • Generate patch reports for the patch management team
  • Reports filtered for server IPs can be sent to the server team

  24. Sustainable Lifecycle - Fix
  • Easier said than done
  • Use built-in tools if possible
  • Need buy-in from the application, system, and network teams
  • Without buy-in, remediation becomes difficult

  25. Sustainable Lifecycle - Test
  • Verification of remediation efforts
  • Verify that patches have been applied, ideally right after application
  • Can also be performed at the next scan interval

  26. Predictable and Repeatable Results
  • Once the program has reached a mature level, the results shouldn’t be surprising
  • The processes will mature to the point that you can accurately predict the outcomes
  • Patches will be applied on time
  • Malware will be detected and cleaned
  • Assets will be introduced with secure configurations

  27. Predictable and Repeatable Results - Metrics
  • Vulnerability Management needs to be assessed
  • Metrics can gauge your improvement
  • NIST SP 800-40 provides excellent metrics
  (Chart: 55%)

  28. Predictable and Repeatable Results - Metrics
  • Host Susceptibility to Attack: number of patches, vulnerabilities, or network services per computer
  • Vulnerability Mitigation Response Time: response time for vulnerability identification, patch application, or configuration change
  • VM Program Cost: cost of the Vulnerability Management group, support, or tools
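  The two NIST SP 800-40 metrics named on slide 28 and the filtered, actionable report from slide 23, computed from one constructed scan export; this is an added example, not material from the presentation, and the FINDINGS records, host names, addresses, finding ids and dates are all placeholders.

```python
"""NIST SP 800-40 style metrics from a constructed scan export (added example)."""
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Dict, List, Optional

# Constructed findings; host names, addresses, finding ids and dates are placeholders.
FINDINGS = [
    {"host": "srv-01", "ip": "10.10.1.5", "id": "FINDING-001", "severity": "high",
     "detected": date(2013, 3, 1), "remediated": date(2013, 3, 11)},
    {"host": "srv-01", "ip": "10.10.1.5", "id": "FINDING-002", "severity": "medium",
     "detected": date(2013, 3, 1), "remediated": None},
    {"host": "srv-02", "ip": "10.10.1.9", "id": "FINDING-003", "severity": "high",
     "detected": date(2013, 3, 2), "remediated": date(2013, 3, 6)},
    {"host": "ws-17", "ip": "10.20.4.33", "id": "FINDING-001", "severity": "high",
     "detected": date(2013, 3, 2), "remediated": date(2013, 3, 30)},
]


def vulns_per_host(findings: List[dict], only_open: bool = True) -> Dict[str, int]:
    """Host susceptibility to attack: number of (open) findings per computer."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        if only_open and f["remediated"] is not None:
            continue
        counts[f["host"]] += 1
    return dict(counts)


def mean_response_days(findings: List[dict]) -> Optional[float]:
    """Vulnerability mitigation response time: mean days from detection to fix."""
    days = [(f["remediated"] - f["detected"]).days for f in findings if f["remediated"]]
    return mean(days) if days else None


def percent_remediated(findings: List[dict]) -> float:
    """Share of findings closed, the kind of single figure a status slide shows."""
    closed = sum(1 for f in findings if f["remediated"] is not None)
    return 100.0 * closed / len(findings) if findings else 0.0


def report_for_team(findings: List[dict], cidr: str) -> List[str]:
    """Actionable slice for one team: open findings inside its address range,
    one line each, instead of handing over the whole scan report."""
    net = ip_network(cidr)
    return [f"{f['host']} {f['ip']} {f['id']} {f['severity']}"
            for f in findings if f["remediated"] is None and ip_address(f["ip"]) in net]
```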

  29. Vulnerability Metrics NIST SP 800-40

  30. Vulnerability Metrics NIST SP 800-40 (Chart: 3 minimum, 8 maximum)

  31. Conclusion
  • Approach VM as a continuous lifecycle
  • Move beyond minimum standards to enhance visibility and insight into the current state of security
  • Clear objectives and a proper approach are fundamental to VM
