10 steps to building an effective vulnerability management program

10 Steps to Effective

Vulnerability Management

» 10 Steps

» What is Vulnerability Management?

» Challenges to Effective VM

» The Problem

Contents:

Derek A. Smith

The Problem

Insider Threat – Analysis and Countermeasures 3

Organizations are Feeling the

Pain

1. What causes the

damage?

95% of breaches target known vulnerabilities

2. How do you prevent the

damage? What are your

options?

RISK= Assets x Vulnerabilities x Threats

You can control vulnerabilities.

3. How do you successfully

deal with vulnerabilities? Vulnerabilities

Business complexity

Human resources

Financial resources

4. How do you make the

best security decisions?

Focus on the right assets, right threats,

right measures.

What is Vulnerability

Management?


What Is Vulnerability

Management

A process to determine whether to eliminate,

mitigate or tolerate vulnerabilities based upon

risk and the cost associated with fixing the

vulnerability.


What Is Vulnerability

Management

At a high level, the ”intelligent

confluence” of…

Assessment What assets?

Analysis What to fix first?

Remediation Fix the problem

+ +

• Component of Risk Management

• Balance the demands of business goals and processes

Challenges to Effective VM


Challenges – Assessment

Traditional desktop scanners cannot handle large networks

Provide volumes of useless checks

Chopping up scans and distributing them is cumbersome

Garbage In- Garbage Out (GIGO)– volumes of superfluous data

Coverage at all OSI layers is inadequate

Time consuming and resource intensive

Finding the problem is only half the battle


Challenges – Analysis

Manual and resource intensive process to determine

What to fix

If you should fix

When to fix

No correlation between vulnerabilities, threats and assets

No way to prioritize what vulnerabilities should be addressed

What order

Stale data

Making decisions on last quarter’s vulnerabilities

No credible metrics


Challenges – Remediation

Security resources are often decentralized

The security organization often doesn’t own the network

or system

Multiple groups may own the asset

Presenting useful and meaningful information to relevant

stakeholders

Determining if the fix was actually made


Challenges – Time A

sse

t C

ritica

lity

Vulnerability

discovered Exploit

public Automated

exploit

Discovery Remediation

Cost to ignore vulnerability is greater

than the cost to repair

Threat Level

Risk Threshold

Vulnerability Management

Lifecycle


Vulnerability

Management

Lifecycle

10 Step Approach: Implementing An Effective VM Strategy


Step 1 - Identify all the assets

needing protection Identify assets by:

Networks

Logical groupings of devices

Connectivity - None, LAN, broadband, wireless

Network Devices

Wireless access points, routers, switches

Operating System

Windows, Unix

Applications

IIS, Apache, SQL Server

Versions

IIS 5.0, Apache 1.3.12, SQL Server V.7


Asset Prioritization

Network-based discovery

Known and “unknown” devices

Determine network-based applications

Excellent scalability

Agent-based discovery

In-depth review of the applications and patch levels

Deployment disadvantages

Network- and agent-based discovery techniques are optimal

Agents - Cover what you already know in great detail

Network - Identify rogue or new devices

Frequency

Continuous, daily, weekly

Depends on the asset


Step 2 - Vulnerability Identification

Knowing what vulnerabilities exist for each

asset and the criticality of that vulnerability

is essential in determining how best to

secure it.


Correlate Threats


Correlate Threats

Not all threat and vulnerability data have equal priority

Primary goal is to rapidly protect your most critical assets

Identify threats

Worms

Exploits

Wide-scale attacks

New vulnerabilities

Correlate with your most critical assets

Result = Prioritization of vulnerabilities within your

environment


Step 3 - Consistent Vulnerability

Management Use consistent, high‐frequency scanning

Reduce the volume of vulnerabilities from

any one scan


Step 4 - Risk Assessment

Accurate and timely details on the

vulnerabilities that exist.

Employ a consistent vulnerability

management approach


Determine Risk Level


Risk Calculation

The Union of:

Vulnerabilities

Assets

Threats

Based upon the

criticality of VAT

Focus your

resources on the

true risk


Step 5 - Change Management

Integrate change management with a

consistent vulnerability management

process


Step 6 - Patch Management

An effective vulnerability management

program

Feedback from the patch management

program


Step 7 – Mobile Devices

Mobile devices evade traditional

vulnerability and compliance management

methods

Integrate with Mobile Device Management

(MDM) systems or deploy technology


Step 8 - Mitigation Management

Manage vulnerabilities in the event no

software update or fix to address the

vulnerability is available

Identify alternative ways to manage the

exposure


Remediation


Remediation / Resolution

Perfection is unrealistic (zero vulnerabilities)

Think credit card fraud – will the banks ever eliminate

credit card fraud?

You have limited resources to address issues

The question becomes:

Do I address or not?

Factor in the business impact costs + remediation costs

If the risk outweighs the cost – eliminate or mitigate

the vulnerability!



Apply the Pareto Principle – the 80/20 rule

Focus on the vital few not the trivial many

80% of your risk can be eliminated by

addressing 20% of the issues

The Risk Union will show you the way

Right assets

Relevant threats

Critical vulnerabilities



Patch or Mitigate

Impact on availability from a bad patch vs. the

risk of not patching

Patch or mitigate

Recommendations: QA security patches 24 hours

Determine if there are wide spread problems

Implement defense-in-depth


Step 9 - Incident Response

The security of an organization’s systems

is only as effective as how it responds to a

security breach

Ensuring the incident response process is

alerted to the issue can provide a number

of benefits


Step 10 - Automation

The final key to a successful vulnerability

management program is automation

Time is of the utmost importance in

detecting, assessing and remediating any

vulnerability

Manual processing of large amounts of

data is extremely time consuming and

prone to error.

Reduce the human element


Summary

All assets are not created equally

You cannot respond to or even protect against all threats

An effective vulnerability management program focuses on

Risk

Vulnerabilities

Assets

Threats

The hardest step in a 1000 mile journey is the first –

start somewhere

Strategically manage vulnerabilities using a comprehensive

process


Questions?

36

36

10 Steps to Effective Vulnerability

Management Alex DaCosta, Retina Product Manager

37

37

Demo

38

38

Poll Question

39

39

Q&A

Thank you for attending!

10 steps to building an effective vulnerability management program

Software