Enterprise Class Vulnerability Management Like A Boss
TRANSCRIPT
Enterprise Class Vulnerability Management Like A Boss
Rockie Brockway
Business Risk Director
Black Box Network Services
Bio
23 Year veteran in InfoSec/Risk
All certs have expired (including those I’ve taught)
Business Systems and Impact Analyst (Risk)
Enterprise Security Architect
Penetration/Red Team Tester
Speaker/Trainer/BSidesCLE
Musician/Woodworker/Landscaper/Hacker
[email protected]
http://www.linkedin.com/pub/rockie-brockway/9/634/641
@rockiebrockway
Brief History Lesson
The Compliance Conundrum
Sure are lots of them
Sure are a lot of tools that map out overlaps
Many are focused on protecting certain data types
Others are best practice frameworks
But at the end of the day …
Information is Beautiful
Breach Business Impact Continues to Grow
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
IT Spend vs. Breaches
IT/InfoSec spend increasing, breaches continue to increase
As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect
[Chart: Spend (T), source Gartner, and Breaches, source Verizon DBIR, plotted by year from 2007 to 2014]
Project and/or Compliance = Incorrect
Breach Business Impact Continues to Grow
Reasons: While most orgs understand data protection is a crucial strategic business issue, they continue to approach it on either
• A project by project basis and/or
• From a Compliance perspective
The reality is that data security inherently relates to financial business risk and must be treated as a function of the business itself
Complexity in the Enterprise
From the Enterprise to the Application, more complexity means less security
Simple, individual projects do not need “Architecture”
“Architecture” is required to successfully fit an individual project into a larger, more complex set of projects
Organizing Complexity Through Architecture
The SABSA Information Systems Architecture paper lays out the following (paraphrasing):
Like the design of buildings and cities, information architecture must take into consideration:
• Organizational goals to be achieved by the systems
• The environment where the systems will be built and used
• The technical capabilities required to build and operate the systems
Enterprise Security Architecture
Benefits of Enterprise Security Architecture
• Brings focus to the key areas of concern for the business
• Allows business owners to make educated security/risk decisions without having to be an infosec professional
• Enables disparate Enterprise Security groups to understand their role in the business
• METRICS!
• Encourages repeatable processes
• Organizes your Enterprise’s complexity
• Focuses on Security, not Compliance (but still maps to compliance, we still have auditors :P)
• Reduces the likelihood your organization will contribute to informationisbeautiful.net
Enterprise Security Architecture
Security inherently relates to business risk and must be treated as a board supported function of the business
Enterprise Security Architecture aligns organizational business strategy and goals with the protection of the organization’s business critical data
Process
Vulnerability Management
The set of all processes for discovering, reporting and mitigating known vulnerabilities at any layer
Vulnerability Management is typically broken down into Intelligence/Patching activities and Scanning activities
It is critical to have vulnerability accountability and ownership throughout the enterprise, with the associated metrics
Process
Vulnerability Management Challenges
• Moore’s Law – Malware evolves at equal speed
• Reactionary – In order for vulnerability scanning tools to be effective, they must already know about the vulnerability
• Intelligence – Having knowledge of the latest attacks and trends and if/how they affect your assets is crucial
• Communication – Effectively transferring the knowledge of vulnerability data to the service owners
• Accountability – Ensuring that the discovered vulnerabilities are remediated/mitigated and communicated back out to the service owners
• Metrics – IS needs to be able to communicate the value of the vulnerability management program back to the business
Process
Vulnerability Management Goals
• Improved intelligence for quicker decision making and response
• Buy in from all service owners/stakeholders
• All primary asset types being regularly scanned
  • Servers
  • Web Applications
  • Network assets
  • User endpoints
  • Network enabled printers/UPS/NAS/etc.
• Integration of existing Vulnerability Management tools with existing business ticketing systems
• Service Owner and Stakeholder reporting with associated metrics
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 0
Cursory – Indicates that some type of organizationally defined review has been performed on the application, and that the verification requirements were not provided by ASVS
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 1 (ASVS L1)
Opportunistic – Indicates that the application can adequately defend itself against application security vulnerabilities that are easy to discover
Such vulnerabilities are typically discovered with minimal to low effort, and cannot be considered a thorough inspection of the application
Threats to the application will most likely come from attackers using simple techniques and automated tools
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 2 (ASVS L2)
Standard – Indicates that the application can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk
Such vulnerabilities include the OWASP Top 10 and Business Logic vulnerabilities
The majority of business applications should work towards this level
Threats to the application will most likely come from opportunistic attackers, and possibly some motivated actors
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 3 (ASVS L3)
Advanced – Indicates that the application can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design
Level 3 requires an inspection of an application’s design
Level 3 is appropriate for critical applications that protect life, critical infrastructure and/or defense functions
Threats to the application will be from motivated actors and nation-states
Inspiration
We can build on and improve this
Application
Applying ASVS 2014 to Vulnerability Management
Level 0 (ASVS Vuln L0)
Cursory – Indicates that some type of organizationally defined vulnerability analysis has been performed on the organization’s application space, and that the verification requirements were not provided by this hybrid framework
• Org understands vulnerabilities should be patched
• May have some loose patching process
• Not using vulnerability scanning tools
Application
Applying ASVS 2014 to Vulnerability Management
Level 1 (ASVS Vuln L1)
Opportunistic – Indicates that the organization can adequately defend itself against application security vulnerabilities that are easy to discover
Such vulnerabilities are typically discovered with minimal to low effort, and cannot be considered a thorough inspection of the applications
Threats to the application will most likely come from attackers using simple techniques and automated tools
Application
Applying ASVS 2014 to Vulnerability Management
Level 1 (ASVS Vuln L1)
• No dedicated InfoSec/Risk group
• Reliance on MS Patch Tuesday alerts
• Process in place for monthly MS patches on user workstations and servers within a reasonable time frame (~45 days)
• User workstation non-MS applications patched based on app alerts and user willingness (Java, Flash, etc.)
• Sporadic additional “threat intelligence” (InfoWorld, The Register, etc.)
• May have open source vulnerability scanning tools
Application
Applying ASVS 2014 to Vulnerability Management
Level 2 (ASVS Vuln L2)
Standard – Indicates that the organization can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk
Such vulnerabilities include the SANS Top 20 and OWASP Top 10
The majority of business applications should work towards this level
Threats to the application will most likely come from opportunistic attackers, and possibly some motivated actors
Application
Applying ASVS 2014 to Vulnerability Management
Level 2 (ASVS Vuln L2)
• Dedicated InfoSec/Risk group
• Vulnerability intelligence feeds/subscriptions
• Formal monthly review of the previous 30 days’ worth of MS and non-MS known vulnerabilities
• Centralized CMS for vulnerability intelligence data (probably manual, could be automated)
• InfoSec/Risk group may manually enter vuln events into the enterprise ticketing system
• Defined standard for reviewing intelligence with escalation processes
Application
Applying ASVS 2014 to Vulnerability Management
Level 2 (ASVS Vuln L2)
• Commercial/Open Source tools used for enterprise scanning
• Standard for business asset scanning (off hours, no DOS, authenticated vs. unauthenticated, etc.)
• Focused on primarily WIN/*NIX and network assets
Application
Applying ASVS 2014 to Vulnerability Management
Level 3 (ASVS Vuln L3)
Advanced – Indicates that the organization can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design
Level 3 requires inspection of in-house applications’ design and of 3rd party risk standards
Level 3 is appropriate for critical applications that protect life, critical infrastructure and/or defense functions
Threats to the organization will be from motivated actors and nation-states
Application
Applying ASVS 2014 to Vulnerability Management
Level 3 (ASVS Vuln L3)
• Vulnerability intelligence feeds tied to enterprise inventory systems
• InfoSec/Risk team analyzes/flags intelligence alerts in CMS systems that auto-create tickets in the enterprise ticketing system
• Support teams work tickets as part of normal workflows
• Sample sets of workstation vulnerability scans
• Phones/Printers/UPS/NAS devices scanned
• All scan reports are auto-posted to the internal vulnerability management CMS
• InfoSec/Risk team reviews scan reports and flags for ticket creation
Application
Applying ASVS 2014 to Vulnerability Management
Level 3 (ASVS Vuln L3)
• Flagged scan reports trigger ticket auto-creation in enterprise ticketing system
• Support teams work on tickets as part of normal workflows
• Stakeholder and service owner reporting
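The Level 3 flow described above (scan reports land in a CMS, flagged findings become tickets, support teams work them as normal workflow, findings carry a status) as an added example in Python. This is not code from the slides or from any scanner or ticketing product; the inventory, the scan output, the carried-over state, the status transition rules, the SLA table and the ticket fields are all constructed assumptions for illustration. It also shows the check a practitioner wants at this level: a finding on a host the inventory does not know about is an inventory gap that must be surfaced, not silently dropped.

```python
"""Scan-report-to-ticket reconciliation for a Level 3 style workflow.

Added example, not code from the slides or from any scanner/ticketing
product. The inventory, scan output, previous state, status transitions,
SLA table and ticket schema are all constructed assumptions.
"""
from collections import defaultdict

# Severity rank used when picking a ticket's priority (assumed buckets).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Moderate": 2, "Low": 1}

# Assumed remediation SLA in days per severity; halved for critical assets.
BASE_SLA_DAYS = {"Critical": 7, "High": 30, "Moderate": 90, "Low": 180}

# Constructed asset inventory keyed by the hostname the scanner reports.
INVENTORY = {
    "web01": {"owner": "web-platform", "zone": "DMZ", "criticality": "high"},
    "db01": {"owner": "dba", "zone": "internal", "criticality": "high"},
    "prt07": {"owner": "facilities", "zone": "internal", "criticality": "low"},
}

# Constructed scan output for this cycle: (host, vulnerability id, severity).
CURRENT_SCAN = [
    ("web01", "VULN-0001", "Critical"),
    ("web01", "VULN-0002", "Low"),
    ("db01", "VULN-0003", "High"),
    ("prt07", "VULN-0004", "Moderate"),
    ("nas99", "VULN-0005", "High"),  # host missing from inventory
]

# Finding status carried over from the previous cycle, keyed by (host, id).
PREVIOUS_STATE = {
    ("web01", "VULN-0001"): "Active",
    ("web01", "VULN-0002"): "Excepted",
    ("db01", "VULN-0003"): "Fixed",
    ("db01", "VULN-0009"): "Pending Remediation",
}

OPEN_STATES = {"New", "Active", "Reopened", "Verified", "Pending Remediation"}


def next_status(previous, seen_now):
    """Lifecycle transition for one finding (assumed rules over the slides'
    status list). A rescan that no longer detects an open finding closes it;
    a Fixed finding that shows up again is Reopened, not New."""
    if seen_now:
        if previous is None:
            return "New"
        if previous == "Fixed":
            return "Reopened"
        if previous == "Excepted":
            return "Excepted"  # accepted risk stays accepted until review
        return "Active"
    if previous in OPEN_STATES:
        return "Fixed"
    return previous


def reconcile(current_scan, previous_state):
    """New state map covering every finding seen this cycle or last."""
    seen = {(host, vuln) for host, vuln, _ in current_scan}
    return {key: next_status(previous_state.get(key), key in seen)
            for key in seen | set(previous_state)}


def sla_days(severity, criticality):
    base = BASE_SLA_DAYS[severity]
    return base // 2 if criticality == "high" else base


def build_tickets(current_scan, previous_state, inventory):
    """Group actionable findings per host and owner into ticket records.

    Returns (tickets, unowned). Findings on hosts absent from the inventory
    cannot be routed, so they go back to the InfoSec/Risk queue as an
    inventory gap. Active findings are included so the open ticket can be
    refreshed; a real integration would update rather than duplicate it.
    """
    state = reconcile(current_scan, previous_state)
    severity = {(host, vuln): sev for host, vuln, sev in current_scan}
    grouped = defaultdict(list)
    unowned = []
    for (host, vuln), status in state.items():
        if status not in {"New", "Reopened", "Active"}:
            continue
        sev = severity[(host, vuln)]  # these statuses only arise when seen
        asset = inventory.get(host)
        if asset is None:
            unowned.append((host, vuln, sev, status))
            continue
        grouped[(host, asset["owner"])].append(
            (vuln, sev, status, sla_days(sev, asset["criticality"])))
    tickets = []
    for (host, owner), findings in sorted(grouped.items()):
        worst = max(findings, key=lambda f: SEVERITY_RANK[f[1]])
        tickets.append({
            "host": host,
            "assignee": owner,
            "priority": worst[1],
            "due_in_days": min(f[3] for f in findings),
            "findings": sorted(findings),
        })
    return tickets, unowned


if __name__ == "__main__":
    tickets, unowned = build_tickets(CURRENT_SCAN, PREVIOUS_STATE, INVENTORY)
    for ticket in tickets:
        print(ticket)
    print("inventory gaps:", unowned)
```

The ticket per host and owner (rather than per finding) is deliberate: a service owner gets one work item with a due date set by the tightest SLA among its findings, and the status map is what the metrics slides later count.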
Also …
Metrics!!!
Metrics!!!
Vulnerability Management Metrics
Accurate Asset Inventory
Scan Periods
• How often are assets scanned?
  • Internal servers
  • DMZ servers
  • Public Facing servers
  • User endpoints
  • Network infrastructure
  • Network enabled printers/UPS/NAS/etc.
Metrics!!!
Vulnerability Management Metrics
Scope of Scan
• Discovery
• Unauthenticated
• Authenticated with User credentials
• Authenticated with Admin credentials
Number and Types of Hosts Scanned
• Percentages vs. entire asset population
Number of Vulnerabilities Discovered
• Critical
• High
• Moderate
• Low
Metrics!!!
Vulnerability Management Metrics
Vulnerabilities by Status
• New
• Active
• Reopened
• Verified
• Excepted
• Pending Remediation
• Fixed
Metrics!!!
Vulnerability Management Metrics
Time to Remediation
Examples
Wrap Up
ASVS/Vulnerability Management Application Gains
Security Focused, business aligned ESA element
Implementable Framework Based on Business Need
L3 CMS/Ticketing Integration
Vulnerability Ownership and Accountability
Metrics
Q&A and References
ARCTEC PAPER http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
Application Security Verification Standard 2014 https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
Contact: [email protected] / @rockiebrockway