TRANSCRIPT
Copyright Security-Assessment.com 2004
Vulnerability Management Explained
By Peter Benson
By the Numbers…
• 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months. (But 41% did not report the incident to authorities.) — BusinessWeek, from PricewaterhouseCoopers/CIO Magazine study
• 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center
• 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT
• $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g
Why Vulnerability Management?
• Building a strong program based on mitigating known vulnerabilities has transformed from a security-centric process into an operational necessity for business success.
• The root cause of the problem is the existence of vulnerabilities in the corporate network.
• Vulnerability Management, the discovery of vulnerabilities and assessment of the risk they pose to the network, is a critical part of the business landscape for long-term success.
Why Vulnerability Management?
• Patch Management is ineffective and inefficient.
• The smarter investment is a vulnerability management process that lets you automatically and cost-effectively decide whether to eliminate, mitigate or tolerate each threat, based on its risk and the cost of repair.
What is Vulnerability Management?
• Dynamic best practices (Yankee Group, 2004)
– Classify. Assign network resources to a hierarchy based on criticality
– Measure. Assess security performance in reducing exposure to key vulnerabilities
– Integrate. Vulnerability Management bolsters the effectiveness of patch management, configuration control, and early warning
– Audit. Regularly audit the effectiveness of the integrated vulnerability processes
Laws of Vulnerabilities
The Law of Half Life
• Lessons learned:
– You can’t patch them all at once
– Mitigate more than the remaining half of the vulnerabilities over the next month
– Improve the reduction in enterprise risk by shrinking the half life to less than 30 days
• Best practices: Patch within 21 days for critical systems, with a rollout procedure to other assets based on their priority level
The Law of Prevalence
• Lessons learned:
– New critical vulnerabilities occur throughout the year
– Half of the vulnerabilities still exist in the network a year later
– Vulnerability Management is a never-ending process
• Best practices: Continually test assets for weaknesses; test critical assets at a minimum of every 5–10 days. This frequency may need to increase
The Law of Persistence
• Lessons learned:
– Scan the configurations of new equipment to be sure they do not reintroduce old vulnerabilities to the network
– Be alert for vulnerabilities that may be lurking in application code
• Best practices: Continually test assets to uncover reintroduced weaknesses; scan critical assets at a minimum of every 5–10 days. This is an ongoing process
The Law of Exploitation
• Lessons learned:
– Keep an eagle eye on key vendors for early warnings of available patches for critical resources
– Make a team decision on when to patch
– Integrate with automated patch management and configuration control systems; verify the patch has eliminated the weakness
– Be prepared to scan for vulnerabilities on an attack basis
Yankee Group Dynamic Best Practice Model (diagram; only the labels are recoverable from the transcript)
– Classify Assets: identify, and business-risk prioritisation
– Measure: compliance, current Laws of Vulnerabilities, communicate
– Integrate: patch management, security portals, security reporting
– Audit Performance: compliance, performance against metrics
Dynamic Best Practice - Classify
• Classify network resources
• Tier the hierarchy of assets by value to the business
Dynamic Best Practice - Measure
• Measure your network against the half life and persistence curves
• Measure team performance by the half life results and the treatment of the persistence law
• Use the gathered metrics to communicate the security problem to Senior Management
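The Law of Half Life and the Measure practice above ask for two measured quantities: the half life of a vulnerability in the network (target: under 30 days) and how much of a baseline scan persists later. The Python script below is an added example, not code from the presentation or from Security-Assessment.com. It assumes periodic scans that report, per vulnerability, how many hosts are still affected, fits an exponential decay to those counts to estimate the half life, projects the remaining affected hosts, and computes a persistence ratio between two scans a year apart. All scan counts, host names and VULN-* identifiers are constructed placeholders.

```python
"""Half-life and persistence metrics from periodic vulnerability scans.

Added example, not part of the original presentation. Assumes each scan
reports, per vulnerability, the number of hosts still affected, and that
remediation progress is roughly exponential: n(t) = n0 * 2 ** (-t / half_life).
"""
import math
from datetime import date

# Constructed snapshots for one critical vulnerability: (scan date, hosts still affected).
SAMPLE_SNAPSHOTS = [
    (date(2004, 3, 1), 400),
    (date(2004, 3, 11), 300),
    (date(2004, 3, 21), 220),
    (date(2004, 3, 31), 160),
    (date(2004, 4, 10), 120),
]

# Constructed (host, vulnerability id) findings from two scans a year apart; ids are placeholders.
BASELINE_FINDINGS = {("web01", "VULN-A"), ("web02", "VULN-A"), ("db01", "VULN-B"),
                     ("fs01", "VULN-C"), ("mail01", "VULN-D"), ("app01", "VULN-E")}
YEAR_LATER_FINDINGS = {("web02", "VULN-A"), ("db01", "VULN-B"), ("fs01", "VULN-C"),
                       ("app02", "VULN-F")}  # app02/VULN-F is new: prevalence, not persistence


def decay_rate_per_day(snapshots):
    """Least-squares fit of ln(count) against days since the first scan.
    Returns lambda such that count ~ n0 * exp(-lambda * t); positive when shrinking."""
    t0 = snapshots[0][0]
    pts = [((d - t0).days, math.log(n)) for d, n in snapshots if n > 0]  # log needs n > 0
    if len(pts) < 2:
        raise ValueError("need at least two scans with a non-zero count")
    mean_x = sum(x for x, _ in pts) / len(pts)
    mean_y = sum(y for _, y in pts) / len(pts)
    sxx = sum((x - mean_x) ** 2 for x, _ in pts)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in pts)
    if sxx == 0:
        raise ValueError("all scans fall on the same day")
    return -sxy / sxx


def half_life_days(snapshots):
    """Days for the affected-host count to halve; inf if the count is not shrinking."""
    lam = decay_rate_per_day(snapshots)
    return math.log(2) / lam if lam > 0 else math.inf


def meets_half_life_target(snapshots, target_days=30):
    """The deck's target: a half life of less than 30 days."""
    return half_life_days(snapshots) < target_days


def projected_remaining(n0, half_life, days):
    """Expected hosts still affected after `days` if the current half life holds."""
    return n0 * 2 ** (-days / half_life)


def persistence_ratio(baseline, later):
    """Fraction of (host, vuln) findings from the baseline scan still present later.
    Findings that are new in the later scan do not count towards persistence."""
    if not baseline:
        return 0.0
    return len(baseline & later) / len(baseline)


if __name__ == "__main__":
    hl = half_life_days(SAMPLE_SNAPSHOTS)
    print(f"half life: {hl:.1f} days; target met: {meets_half_life_target(SAMPLE_SNAPSHOTS)}")
    print(f"projected hosts still affected at day 60: {projected_remaining(400, hl, 60):.0f}")
    print(f"persistence after a year: {persistence_ratio(BASELINE_FINDINGS, YEAR_LATER_FINDINGS):.0%}")
```

On the constructed data the fitted half life is roughly 23 days, inside the 30-day target, while half of the baseline findings are still present a year later, which is exactly the gap between the two curves the Measure practice asks you to track: a fast half life on the vulnerabilities you are actively chasing says nothing about the long tail that persists.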
Dynamic Best Practice - Integrate
• Integrate with discovery systems such as network integrity systems
• Integrate with patch management systems to confirm completion of the task
• Integrate into management reporting portals. Take the mystery out of security.
Dynamic Best Practice - Audit
• Evaluate actual vulnerability management results against targeted metrics
• Regularly review vulnerability management reports with the security teams
• Measure the performance of security teams by the reduction of critical vulnerabilities
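One way to put the Classify, half-life and Audit practices together in code, as an added example that is not part of the original deck: assets are tiered by business value, each finding gets a deadline from its tier and severity, unfixed work is queued tier-first, and the reduction in open critical findings between two reviews is reported as the audit metric. Only the 21-day window for critical findings on tier-1 systems comes from the deck; every other window, and all host names, VULN-* identifiers and dates, are constructed assumptions.

```python
"""Asset tiering, remediation deadlines and audit metrics.

Added example, not from the original presentation. Assets are tiered by
business value (Classify); a finding's deadline follows from the tier and
severity. The 21-day window for critical findings on tier-1 assets is the
deck's best practice; every other window here is an assumption.
"""
from datetime import date, timedelta

# Days allowed to remediate, keyed by (asset tier, severity).
REMEDIATION_WINDOW_DAYS = {
    (1, "critical"): 21, (1, "high"): 30, (1, "medium"): 60,   # 21 from the deck; others assumed
    (2, "critical"): 30, (2, "high"): 60, (2, "medium"): 90,   # assumed
    (3, "critical"): 60, (3, "high"): 90, (3, "medium"): 180,  # assumed
}

# Constructed asset inventory: host -> tier (1 = highest value to the business).
ASSET_TIER = {"pay-db01": 1, "web01": 1, "intranet01": 2, "lab-test07": 3}

# Constructed findings: (host, placeholder vuln id, severity, first seen, fixed on or None).
FINDINGS = [
    ("pay-db01", "VULN-001", "critical", date(2004, 3, 1), None),
    ("web01", "VULN-002", "critical", date(2004, 3, 20), None),
    ("web01", "VULN-003", "high", date(2004, 3, 5), date(2004, 3, 30)),
    ("intranet01", "VULN-001", "critical", date(2004, 3, 1), date(2004, 3, 25)),
    ("lab-test07", "VULN-001", "critical", date(2004, 3, 1), None),
    ("intranet01", "VULN-004", "medium", date(2003, 12, 1), date(2004, 3, 20)),
]
PREVIOUS_AUDIT_DATE = date(2004, 3, 22)  # constructed review dates
AUDIT_DATE = date(2004, 4, 1)


def asset_tier(host):
    """Unclassified hosts are treated as tier 1 until someone classifies them,
    so a gap in the inventory cannot silently relax a deadline."""
    return ASSET_TIER.get(host, 1)


def deadline(host, severity, first_seen):
    return first_seen + timedelta(days=REMEDIATION_WINDOW_DAYS[(asset_tier(host), severity)])


def finding_status(finding, today):
    host, _, severity, first_seen, fixed = finding
    due = deadline(host, severity, first_seen)
    if fixed is None:
        return "overdue" if today > due else "open"
    return "fixed-on-time" if fixed <= due else "fixed-late"


def remediation_queue(findings):
    """Unfixed findings ordered by asset tier, then deadline: tier-1 work comes first."""
    unfixed = [f for f in findings if f[4] is None]
    return sorted(unfixed, key=lambda f: (asset_tier(f[0]), deadline(f[0], f[2], f[3])))


def sla_summary(findings, today):
    """Counts per status: the Audit practice's results against targeted metrics."""
    counts = {"open": 0, "overdue": 0, "fixed-on-time": 0, "fixed-late": 0}
    for f in findings:
        counts[finding_status(f, today)] += 1
    return counts


def open_critical(findings, on_date):
    """Critical findings known on `on_date` and not yet fixed by then."""
    return sum(1 for f in findings
               if f[2] == "critical" and f[3] <= on_date and (f[4] is None or f[4] > on_date))


def critical_reduction_pct(findings, earlier, later):
    """Audit metric: percent reduction in open critical findings between two reviews.
    New criticals found in between lower the figure, which is the Law of Prevalence at work."""
    before, after = open_critical(findings, earlier), open_critical(findings, later)
    return 0.0 if before == 0 else 100.0 * (before - after) / before


if __name__ == "__main__":
    print("status counts:", sla_summary(FINDINGS, AUDIT_DATE))
    for host, vuln, sev, seen, _ in remediation_queue(FINDINGS):
        print(f"  tier {asset_tier(host)} {host} {vuln} ({sev}) due {deadline(host, sev, seen)}")
    print(f"open criticals reduced by "
          f"{critical_reduction_pct(FINDINGS, PREVIOUS_AUDIT_DATE, AUDIT_DATE):.0f}%")
```

The queue puts the overdue tier-1 payment database first even though the lab host has the same vulnerability, which is the point of tiering: the same weakness carries a different deadline depending on the asset it sits on. The reduction metric is computed from the state at each review date rather than from the current list, so a finding fixed after the earlier review still counts as open at that review.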
Vulnerability Management Business Models (diagram; only the labels are recoverable from the transcript)
– Stages: Discovery; Analysis and Policy Compliance; Remediation; Business Prioritisation; Assessment
– Model 1 and Model 2 are compared side by side in the original diagram
Summary of Dynamic Best Practices
VM and Qualys Solutions
Business Reporting and Risk Management
Business Reporting
Questions?