what's wrong with vulnerability management & how can we fix it
Post on 14-Aug-2015
What’s Wrong with Vulnerability Management, and How Do We Fix It?
Michelle Johnson Cobb, VP Marketing, Skybox Security
July 23, 2015
info@skyboxsecurity.com
www.skyboxsecurity.com
© 2015 Skybox Security Inc. 2
Today’s Agenda
Skybox Security and our Vulnerability Research
2015 Enterprise Vulnerability Trends Report
Analysis and Recommendations
Product Demo – Skybox Vulnerability Control
Skybox Security Overview
Powerful security management platform
– Vulnerability and threat management
– Firewall management
– Network visibility and compliance
Popular Use Cases
– Discover risks that can lead to attack
– Analyze and prioritize vulnerabilities
– Suggest remediation actions – patch, block, reconfigure
Risk Analytics for Cyber Security
Skybox Vulnerability Research Team
Skybox Vulnerability Database
Research team aggregates 20+ vulnerability and threat feeds
Over 43,000 vulnerabilities on 1,400 products
Including products, vulnerabilities, IPS signatures, patches, malware patterns (worms)
Proprietary intelligence added by analysts
– Exploitation pre-conditions
– Likelihood of attack
– Conflict resolution
– Vulnerabilities with no CVE
– Remediation solutions
– Cross-references
Advisories: Adobe, Cisco PSIRT, Microsoft Security Bulletin, Oracle
Scanners: eEye Retina, IBM Scanner, McAfee Foundstone, QualysGuard, Rapid7 Nexpose, Tenable Nessus, Tripwire nCircle
IPS: Fortinet FortiGate, HP TippingPoint, IBM Proventia, McAfee IPS, Palo Alto Networks, Cisco Sourcefire
Other: CERT, Mitre CVE, NIST’s NVD, Rapid7 Metasploit, Secunia, Symantec Security Focus, Symantec Worms
Global 2000 Organizations Worldwide Choose Skybox Security
– Financial Services
– Technology
– Healthcare
– Government & Defense
– Consumer
– Service Providers
– Energy & Utilities
Face it, You Have (Lots of) Vulnerabilities
Most Vulnerable Vendors 2014
Source: Skybox Vulnerabilitycenter.com, enterprise vulnerability database
5027 Vulnerabilities
(2014 Skybox enterprise vulnerability database)
Enterprise-scale network, 10K to 100K+ vulnerabilities at any time
How’s Your Vulnerability Management Program?
Well-coordinated process? OR Constant whack-a-mole?
2015 Enterprise Vulnerability Trends Report
2015 analysis based on survey conducted Dec 2014
CIO/CISO, Security & Network Managers, Risk & Compliance Managers
Goals:
– VM tools used today
– Most common challenges
– Changes desired
Survey Demographics
974 respondents, 59 countries
66% large enterprise
17% mid-size, 17% SMB
Top 4 verticals: Financial Services 14%, ISP/Telecom 9%, Technology 7%, Gov/Defense 7%
Vulnerability Management Program Goals
In line with SANS critical controls guidelines for vulnerability identification, prioritization, remediation
Strong support for using vulnerability data for threat response
Surprise: PCI compliance down the list
52%
How often do you scan? Today vs. Ideal
[Chart: Vulnerability Assessment Frequency, Current vs. Ideal. Categories: Never, Quarterly or less often, Monthly, Weekly, Multiple per week. Series: Current Frequency, Ideal Frequency.]
Previous survey (2012) asked: Why don’t you scan as often as you’d like?
Source: 2012 Skybox Security Vulnerability Management Survey
How’s that Working for You?
Vulnerability assessment satisfaction: It’s a coin toss
CISOs: more ownership of VM process; less likely to be satisfied with it
Less Satisfied with Analysis & Prioritization, and Remediation
Many respondents use 3rd party tools for analysis and prioritization
– Splunk
– Excel
– Skybox Security
– SIEMs
– Internally developed tools
Top 10 Desired Improvements for VM
1 Update vulnerability data quickly following a new vulnerability or threat announcement
2 Include network and security context to prioritize risk more accurately
3 Reduce false positives
4 Get vulnerability data for network devices like firewalls
5 Remediate - Verify closure of vulnerabilities (track remediation)
6 Get accurate data without the need for authenticated scan
7-10 All operational improvements – reduce time to prioritize, reduce disruption, reduce time to scan, automate remediation
#1: Focus on VM Process Maturity
No policy? Create one. Have a policy? Make it better.
Track key metrics
Integrate with security controls
Automate the process as much as possible
#2 Strive for Continuous Assessment
[Chart: Frequency and Coverage. Axes: Frequency (x/year) vs. % of Network Scanned.]
– Where you need to be: daily process, 90%+ hosts
– Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts
– Partner/External networks: avg. scan every 60-90 days, <50% of hosts
Source: Skybox 2012 VM Survey
#3 - Use Context to Triage Risks
Security Controls
– Firewalls
– IPS
– VPNs
Network Topology
– Routers
– Load Balancers
– Switches
Assets
– Servers
– Workstations
– Networks
Vulnerabilities
– Location
– Criticality
Threats
– Hackers
– Insiders
– Worms
#4 – Go Faster. Speed up Remediation.
50% of CVEs have known exploits 1 month after publish
Source: 2015 Verizon DBIR
Contact our Sales Team for a Demo!
http://lp.skyboxsecurity.com/ContactMe.html
Skybox Vulnerability Control
Resources
2015 Enterprise Vulnerability Management Trends Report
– www.skyboxsecurity.com/resources/survey-reveals-general-dissatisfaction-current-vulnerability-management-programs#.VbKEkPlViko
Vulnerability Center
– www.vulnerabilitycenter.com