10 steps to building an effective vulnerability management program
TRANSCRIPT
10 Steps to Effective
Vulnerability Management
» 10 Steps
» What is Vulnerability Management?
» Challenges to Effective VM
» The Problem
Contents:
Derek A. Smith
Insider Threat – Analysis and Countermeasures 3
Organizations are Feeling the
Pain
1. What causes the
damage?
95% of breaches target known vulnerabilities
2. How do you prevent the
damage? What are your
options?
RISK= Assets x Vulnerabilities x Threats
You can control vulnerabilities.
3. How do you successfully
deal with vulnerabilities? Vulnerabilities
Business complexity
Human resources
Financial resources
4. How do you make the
best security decisions?
Focus on the right assets, right threats,
right measures.
Insider Threat – Analysis and Countermeasures 5
What Is Vulnerability
Management
A process to determine whether to eliminate,
mitigate or tolerate vulnerabilities based upon
risk and the cost associated with fixing the
vulnerability.
Insider Threat – Analysis and Countermeasures 6
What Is Vulnerability
Management
At a high level, the ”intelligent
confluence” of…
Assessment What assets?
Analysis What to fix first?
Remediation Fix the problem
+ +
• Component of Risk Management
• Balance the demands of business goals and processes
Insider Threat – Analysis and Countermeasures 8
Challenges – Assessment
Traditional desktop scanners cannot handle large networks
Provide volumes of useless checks
Chopping up scans and distributing them is cumbersome
Garbage In- Garbage Out (GIGO)– volumes of superfluous data
Coverage at all OSI layers is inadequate
Time consuming and resource intensive
Finding the problem is only half the battle
Insider Threat – Analysis and Countermeasures 9
Challenges – Analysis
Manual and resource intensive process to determine
What to fix
If you should fix
When to fix
No correlation between vulnerabilities, threats and assets
No way to prioritize what vulnerabilities should be addressed
What order
Stale data
Making decisions on last quarter’s vulnerabilities
No credible metrics
Insider Threat – Analysis and Countermeasures 10
Challenges – Remediation
Security resources are often decentralized
The security organization often doesn’t own the network
or system
Multiple groups may own the asset
Presenting useful and meaningful information to relevant
stakeholders
Determining if the fix was actually made
Insider Threat – Analysis and Countermeasures 11
Challenges – Time A
sse
t C
ritica
lity
Vulnerability
discovered Exploit
public Automated
exploit
Discovery Remediation
Cost to ignore vulnerability is greater
than the cost to repair
Threat Level
Risk Threshold
Insider Threat – Analysis and Countermeasures 15
Step 1 - Identify all the assets
needing protection Identify assets by:
Networks
Logical groupings of devices
Connectivity - None, LAN, broadband, wireless
Network Devices
Wireless access points, routers, switches
Operating System
Windows, Unix
Applications
IIS, Apache, SQL Server
Versions
IIS 5.0, Apache 1.3.12, SQL Server V.7
Insider Threat – Analysis and Countermeasures 16
Asset Prioritization
Network-based discovery
Known and “unknown” devices
Determine network-based applications
Excellent scalability
Agent-based discovery
In-depth review of the applications and patch levels
Deployment disadvantages
Network- and agent-based discovery techniques are optimal
Agents - Cover what you already know in great detail
Network - Identify rogue or new devices
Frequency
Continuous, daily, weekly
Depends on the asset
Insider Threat – Analysis and Countermeasures 17
Step 2 - Vulnerability Identification
Knowing what vulnerabilities exist for each
asset and the criticality of that vulnerability
is essential in determining how best to
secure it.
Insider Threat – Analysis and Countermeasures 19
Correlate Threats
Not all threat and vulnerability data have equal priority
Primary goal is to rapidly protect your most critical assets
Identify threats
Worms
Exploits
Wide-scale attacks
New vulnerabilities
Correlate with your most critical assets
Result = Prioritization of vulnerabilities within your
environment
Insider Threat – Analysis and Countermeasures 20
Step 3 - Consistent Vulnerability
Management Use consistent, high‐frequency scanning
Reduce the volume of vulnerabilities from
any one scan
Insider Threat – Analysis and Countermeasures 21
Step 4 - Risk Assessment
Accurate and timely details on the
vulnerabilities that exist.
Employ a consistent vulnerability
management approach
Insider Threat – Analysis and Countermeasures 23
Risk Calculation
The Union of:
Vulnerabilities
Assets
Threats
Based upon the
criticality of VAT
Focus your
resources on the
true risk
Insider Threat – Analysis and Countermeasures 24
Step 5 - Change Management
Integrate change management with a
consistent vulnerability management
process
Insider Threat – Analysis and Countermeasures 25
Step 6 - Patch Management
An effective vulnerability management
program
Feedback from the patch management
program
Insider Threat – Analysis and Countermeasures 26
Step 7 – Mobile Devices
Mobile devices evade traditional
vulnerability and compliance management
methods
Integrate with Mobile Device Management
(MDM) systems or deploy technology
Insider Threat – Analysis and Countermeasures 27
Step 8 - Mitigation Management
Manage vulnerabilities in the event no
software update or fix to address the
vulnerability is available
Identify alternative ways to manage the
exposure
Insider Threat – Analysis and Countermeasures 29
Remediation / Resolution
Perfection is unrealistic (zero vulnerabilities)
Think credit card fraud – will the banks ever eliminate
credit card fraud?
You have limited resources to address issues
The question becomes:
Do I address or not?
Factor in the business impact costs + remediation costs
If the risk outweighs the cost – eliminate or mitigate
the vulnerability!
Insider Threat – Analysis and Countermeasures 30
Remediation / Resolution
Apply the Pareto Principle – the 80/20 rule
Focus on the vital few not the trivial many
80% of your risk can be eliminated by
addressing 20% of the issues
The Risk Union will show you the way
Right assets
Relevant threats
Critical vulnerabilities
Insider Threat – Analysis and Countermeasures 31
Remediation / Resolution
Patch or Mitigate
Impact on availability from a bad patch vs. the
risk of not patching
Patch or mitigate
Recommendations: QA security patches 24 hours
Determine if there are wide spread problems
Implement defense-in-depth
Insider Threat – Analysis and Countermeasures 32
Step 9 - Incident Response
The security of an organization’s systems
is only as effective as how it responds to a
security breach
Ensuring the incident response process is
alerted to the issue can provide a number
of benefits
Insider Threat – Analysis and Countermeasures 33
Step 10 - Automation
The final key to a successful vulnerability
management program is automation
Time is of the utmost importance in
detecting, assessing and remediating any
vulnerability
Manual processing of large amounts of
data is extremely time consuming and
prone to error.
Reduce the human element
Insider Threat – Analysis and Countermeasures 34
Summary
All assets are not created equally
You cannot respond to or even protect against all threats
An effective vulnerability management program focuses on
Risk
Vulnerabilities
Assets
Threats
The hardest step in a 1000 mile journey is the first –
start somewhere
Strategically manage vulnerabilities using a comprehensive
process