Vulnerability and Configuration Management Best Practices for State and Local Governments
Jonathan Trull, CISO, Qualys, Inc.
Most Breaches Exploit Known Vulnerabilities
• Attacks: more than 80% of attacks target known vulnerabilities
• Patches: 79% of vulnerabilities have patches available on the day of disclosure
Threats vs. Vulnerabilities
Patch and Vulnerability Management
A security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The continuous process of identifying, classifying, remediating, and mitigating vulnerabilities.
Configuration Management
The process of evaluating, coordinating, approving, disapproving, and implementing changes to systems and software.
Security Perspective: The process of ensuring systems are configured to prevent successful cyber attacks and stay that way.
Major Constraints on Security Teams
Attack-Defend Cycle (OODA Loop)
Laws of Vulnerabilities
• Half-Life – the time interval in which the occurrence of a vulnerability is reduced by half.
• Prevalence – the turnover rate of vulnerabilities in the “Top 20” list during a year.
• Persistence – the total lifespan of vulnerabilities.
• Exploitation – the time interval between an exploit announcement and the first attack.
Half-Life
• 29.5 Days
Prevalence
• 8 critical vulnerabilities retained a constant presence in the Top 20
Persistence
• Indefinite
• Stabilizes at 5-10%
Exploitation
• Average: < 10 days
• Critical client vulnerabilities: < 48 hours
– Exploit kits offer money-back guarantees / next-day delivery
Cyber Hygiene Campaign
Multi-year effort that provides key recommendations for a low-cost security program that any organization can adopt to achieve immediate and effective defenses against cyber security attacks.
Cyber Hygiene Scans
• Pilot of scanning baselines completed
• Using Qualys, CIS provided a baseline network and app scan for 12 States at the following key agencies:
  o health
  o public safety
  o revenue
• Reports were sent to each State with the results and information to remediate; follow-up discussions were available if needed
• Re-scans provided to remediate findings
• Feedback from the pilot states has helped to improve the process
• CIS is ready to offer the same baseline scans to other governments; for further information, contact Kathleen Patentreger at [email protected]
Summary Results: Network Based Vulnerabilities
Summary Results: Application Based Vulnerabilities
Summary Results: Types of Vulnerabilities
MS-ISAC Guidance
The goal of your security team is to reduce risk by identifying and eliminating weaknesses in your network assets. To do this, there are a few questions you need to ask about your organization.
1. Do you maintain an asset inventory? Is it up to date?
2. Manage the flow of information: what machines have access to critical information, and how does that information get dispersed across your network?
3. Are your network assets classified? If not, assign them a position in a hierarchy, with the most critical systems at the top.
4. Have you done a risk assessment on these systems? What level of risk is your organization okay with?
5. How often do you perform vulnerability assessments on these hosts?
6. How is the remediation of these hosts being tracked? How long does it take to remediate hosts on average?
7. If a host was compromised, how would you respond?
Case Studies
• State of New York
• University of Colorado
• State of Michigan
• State of Ohio
• Colorado Statewide Internet Portal Authority
The Great Divide
[Diagram: the divide between Vulnerability & Compliance Scanning on one side and Automated Remediation on the other, bridged by SecOps integration; Vulnerability Information flows across as matched vulnerabilities and patches]
SecOps Integration
If <trigger> then <action>
Best Practices
• Vulnerability and configuration management should be an essential part of any security program
• Obtain executive level support
– Identify and obtain an executive level champion
– Build partnerships with other execs who need the same data
– When selling security, keep it simple
– Establish supporting written policies and procedures
• Communicate vertically and horizontally within your organization
– Essential to remove fear, uncertainty, and doubt
Best Practices Continued
• Scan everything and scan often
– Scan anything connected to your network
– Scan your perimeter daily and servers and endpoints weekly
– Be prepared for zero days / use predictive analytics
• Use credentialed scanning
• Use metrics to drive risk reduction and program support
• Use tags to manage VM/CM processes / workflows
– Use tags for business value, ownership, and compliance
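The "If <trigger> then <action>" integration pattern and the tag-driven workflow above, as an added example (not code from the talk or from Qualys): each rule is a trigger predicate over a finding plus an action name, and the business-value, owner and compliance tags decide where a matched vulnerability-and-patch pair is routed. All findings, tags, vulnerability ids and action names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample record, not scanner output: one finding per (host, vuln).
@dataclass
class Finding:
    host: str
    vuln_id: str             # hypothetical vulnerability id
    severity: int            # 1 (low) .. 5 (critical)
    patch_available: bool    # a "matched vulnerability and patch"
    exploit_public: bool     # exploit announced, per the Exploitation law
    tags: set = field(default_factory=set)  # business value / owner / compliance

# Rules are evaluated in order; the first matching trigger wins.
# "Focus patching on those things that will hurt you most" comes first.
RULES = [
    (lambda f: f.severity >= 4 and f.exploit_public and f.patch_available
               and "business:critical" in f.tags, "patch_job:emergency"),
    (lambda f: f.severity >= 4 and f.patch_available, "ticket:P1"),
    (lambda f: f.patch_available, "ticket:P3"),
    (lambda f: "compliance:pci" in f.tags, "ticket:compensating-control"),
]

def owner_of(f):
    """Ownership tag decides which ops team the action is assigned to."""
    for t in f.tags:
        if t.startswith("owner:"):
            return t.split(":", 1)[1]
    return "unassigned"

def route(findings):
    """Return {action: [(owner, host, vuln_id), ...]}; unmatched go to backlog."""
    out = {}
    for f in findings:
        for trigger, action in RULES:
            if trigger(f):
                out.setdefault(action, []).append((owner_of(f), f.host, f.vuln_id))
                break
        else:
            out.setdefault("backlog", []).append((owner_of(f), f.host, f.vuln_id))
    return out

# Constructed findings covering each rule plus the fall-through case.
SAMPLE = [
    Finding("web01", "V-1001", 5, True, True, {"business:critical", "owner:webteam", "compliance:pci"}),
    Finding("db01", "V-1002", 4, True, False, {"business:critical", "owner:dba"}),
    Finding("kiosk07", "V-1003", 2, True, False, {"owner:facilities"}),
    Finding("pos03", "V-1004", 3, False, False, {"compliance:pci", "owner:retail"}),
    Finding("lab02", "V-1005", 1, False, False, set()),
]

if __name__ == "__main__":
    for action, items in route(SAMPLE).items():
        print(action, items)
```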
Best Practices Continued
• Measure the security and ops teams’ performance by the half-life results & treatment of the persistence law
– Include results in HR performance reviews
• Use metrics to communicate with senior management
• Integrate VM/CM solution with patch management systems, asset inventory systems, ticketing systems, configuration systems (Chef / Puppet), and reporting systems for best results
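Computing the two laws used as team metrics above, half-life (the Laws of Vulnerabilities section) and persistence, from per-owner scan history, as an added example that is not from the talk or from Qualys. The scan series, owner names and the 29.5-day / 10% benchmarks used as targets are constructed for illustration (the benchmark values are the ones quoted in the talk).

```python
# Constructed scan history, not real scanner data: for one vulnerability, the
# number of hosts still affected on each scan day since disclosure, grouped
# by the owner tag of the hosts.
SCANS = {
    "webteam": [(0, 120), (7, 90), (14, 64), (21, 35), (28, 20), (56, 6), (90, 6)],
    "dba":     [(0, 40), (7, 40), (14, 38), (28, 30), (56, 26), (90, 24)],
}

def half_life(series):
    """Days until the affected-host count first falls to half of the initial
    count, interpolating linearly between scans. None if it never halves."""
    t0, n0 = series[0]
    if n0 == 0:
        return 0.0
    target = n0 / 2
    prev_t, prev_n = t0, n0
    for t, n in series[1:]:
        if n <= target:
            # the count crossed the target inside this interval
            frac = (prev_n - target) / (prev_n - n)
            return round(prev_t + frac * (t - prev_t), 1)
        prev_t, prev_n = t, n
    return None

def persistence(series):
    """Fraction of the initial population still affected at the last scan
    (the persistence law says this settles at 5-10% when handled well)."""
    n0 = series[0][1]
    return series[-1][1] / n0 if n0 else 0.0

def scorecard(scans, half_life_target=29.5, persistence_target=0.10):
    """Per-owner metrics against the benchmarks quoted in the talk."""
    report = {}
    for owner, series in scans.items():
        h, p = half_life(series), persistence(series)
        report[owner] = {
            "half_life_days": h,
            "persistence": round(p, 3),
            "meets_half_life": h is not None and h <= half_life_target,
            "meets_persistence": p <= persistence_target,
        }
    return report

if __name__ == "__main__":
    for owner, metrics in scorecard(SCANS).items():
        print(owner, metrics)
```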
Best Practices Continued
• Focus patching on those things that will hurt you most
• Select a VM/CM solution with strong APIs, integration, and that limits resources spent on system administration
• Learn to speak the language of Ops staff / ensure VM/CM data are reported in the most useful format
Questions and Answers
[email protected] / @jonathantrull
Government Series Webcasts: https://lps.qualys.com/gov-webcast-series-1-2015.html
More Resources:
• Qualys Top 4 Security Controls: https://www.qualys.com/forms/top-4-security-controls/
• Qualys Free Tools and Trials: https://www.qualys.com/free-tools-trials/
• Cyber Hygiene Toolkits: https://www.cisecurity.org/about/CHToolkits.cfm