Next-Generation Vulnerability Management

Transcription

1 White Paper Transform Checkbox Compliance into a Powerful Risk Mitigation Tool Skybox Security whitepaper, June 2014

2 Executive Summary Vulnerability management is the process of identifying, classifying, and mitigating vulnerabilities. Today, vulnerability management is a critical aspect of every enterprise s security program. Just a single vulnerability can be exploited by an attacker and enable an entry point to the network, and most large enterprises have hundreds of thousands of vulnerabilities on their network. In fact, targeted attacks and advanced persistent threats (APTs) are the new norm of cyber security threats, which frequently use vulnerabilities to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems. Significant APTs such as Operation Aurora, LuckyCat, and DigiNotar took advantage of application and network vulnerabilities to successfully steal valuable, proprietary information. Every successful breach comes with a heavy price to the organization in compromised brand reputation, customer turnover, and time and money costs related to repairs. For example, the Gozi-Prinimalka attack campaign is responsible for a reported $5 million in theft from U.S. bank accounts. 49% of security professionals say their network is at least somewhat vulnerable to security threats. Vulnerability management is important to an organization s overall security posture, and 90 percent of firms indicate that they have an established vulnerability management program. Yet, 49 percent of security professionals say their network is at least somewhat vulnerable to security threats. 1 The reason for this disconnect is largely attributed to organizations being unable to evaluate and prioritize vulnerability data effectively. This whitepaper will explore the primary processes of the vulnerability management lifecycle, review current areas of deficiency, and introduce next-generation vulnerability management. 1 Skybox Security Vulnerability Management Survey

3 Introduction to Vulnerability Management A vulnerability is a security weakness or flaw of a component in the technology stack of an organization. Vulnerabilities may exist on network devices, servers, PCs, mobile devices, applications, or any other elements connected to the network. Attackers exploit vulnerabilities on the attack surface (the part of the technology stack that is exposed) using various techniques, including APS, malware, script kiddies, and others. Many threats will leverage other exploitable vulnerabilities further downstream, using attack vectors that are typically in the inner part of the network. With new vulnerability advisories published EVERY DAY, finding and eliminating vulnerabilities is a continuous battle. In modern networks the attack surface can be extremely large. Networks contain elements that are managed by the organization, such as the data center components, enterprise network, and PCs, and elements that are partially managed or not managed at all, such as mobile devices (BYOD), and corporate assets in a public cloud. A typical organization s network has many vulnerabilities per device or system. Therefore, even a small organization may have tens of thousands of vulnerabilities, and a Global 2000 organization would generally have vulnerabilities in the millions. With ten to twenty new vulnerability advisories published every day, finding and eliminating vulnerabilities is a continuous battle. Vulnerability Management is the term used for the process of finding, analyzing, and remediating vulnerabilities in a systematic approach. Ideally, the process is used proactively to identify and fix vulnerabilities before they can be exploited by malware or a human attacker. A comprehensive vulnerability management process is a critical component to an organization s risk management program. Multiple stakeholders have a vested interest in ensuring its success. This includes the security teams who are typically responsible for managing the lifecycle of vulnerabilities, the compliance teams who are responsible for auditing the compliance of the vulnerability management program to regulations and corporate policies, and the IT operations teams who are responsible for fixing, eliminating, and shielding the vulnerabilities. 3

4 DISCOVERY COMPLIANCE REMEDIATION MONITORING ANALYSIS & PRIORITIZATION A typical vulnerability management process entails a full lifecycle: Discovery: Creates an inventory of the assets across the network, identify the vulnerabilities of the various elements of the technology stack, and stay current on breaking threat alerts. Analysis and Prioritization: Identifies the vulnerabilities that pose the greatest risk based on the exposure to critical assets and corporate policies for vulnerability remediation. Compliance: Documents the level of business risk associated with assets, which is required or recommended by regulations such as PCI DSS 2.0, security best practices, and company policies. Remediation: Prioritizes and fixes vulnerabilities by applying patches, shielding the vulnerability from exploitation (typically by the use of Intrusion Prevention Systems), removing applications, closing firewall ports, etc. Monitoring: Continuously monitors the network for vulnerabilities to prevent potential cyber attacks and data breaches. A well-established and executed vulnerability management process is needed because of both security and compliance requirements: 1. Detective and responsive controls are not sufficient in risk reduction a. Detective controls, such as intrusion detection systems or advanced threat protection, do not block many attacks, and have inherent latency when providing a signature file following the introduction of a new vulnerability. Therefore, detective controls are unable to mitigate the risks to critical assets. b. Responsive controls, such as SIEM technologies used for incident response, typically deal with the attack after the breach has happened and major damage has been done, if they deal with the attack at all. c. Preventative approaches like vulnerability management programs reduce risks by eliminating exposure to attacks altogether and in the most cost-effective way (i.e. patching or shielding is much cheaper than recovery from a breach). For example, organizations report a reduction in risk assessment time by 90 percent and a reduction in patching work by more than 75 percent. 2. Implementing a vulnerability management program is a best practice recommendation and part of multiple compliance requirements, including the PCI DDS. Vulnerability management is a standard process in most security organizations and part of the CISO s defined responsibilities to understand and lower overall risk and improve security by reducing the attack surface. 4

5 3. Continuous monitoring mandates, such as NIST SP and NIST SP , require that the vulnerability management process be executed as often as major changes in the threat landscape and the IT environment are made. The reality is that the threat landscape and IT environments change daily (typically many times a day). Therefore the vulnerability management process should be run on a truly continuous basis. The vulnerability management process can be very useful and provide great return on investment when implemented carefully, monitored for effectiveness, and adjusted regularly. However, security professionals often report a long list of implementation, management, and operational challenges, limitations, and disruptions inherent in previous-generation vulnerability scanners. The 300-Page Report and Other Deficiencies of Current Approaches Many people use the terms vulnerability scanning, vulnerability assessment, and vulnerability management process interchangeably, but the terms are not synonymous. Vulnerability management is the complete lifecycle process. Vulnerability assessment is part of this process, and a vulnerability scanner is the tool most often used today for vulnerability discovery. A vulnerability scanner is a tool (software, appliance, or a service) that discovers vulnerabilities in some or all of the technology stack by running thousands of tests on every node in the network. The number of distinct tests can be extremely large. For example, a 10,000 node network with 1,000 tests per node will result in 10,000,000 distinct tests for vulnerabilities. There are some critical challenges with scanning technologies that significantly limit the usefulness of a Vulnerability management process that uses a scanner: Information Overload The result of a scanning process is typically a very long report that includes lists of thousands of vulnerabilities found in a small network and possibly millions of vulnerabilities in a large enterprise network. A 300-page report with long and boring tables is a common output from a scanner. Security analysts then have a choice spend days or weeks sifting through the raw data or store the report in a drawer, out of sight. 5

6 Active Scanning Challenges Active-scanners send a huge amount of packets through the network to ports used by operative applications and services, which can result in serious disruption to critical network services. To compensate, organizations often refrain from frequent scanning and limit scanning to well-defined windows. With these restrictions, it takes a long time to complete one cycle even several months in a large network often making the vulnerability data obsolete by the time a complete report is available. This leaves organizations with an unbearable trade-off disruption due to intrusive vulnerability discovery process or disruption due to a security breach. Moreover, many nodes in the expanded enterprise network cannot be scanned, such as mobile devices (especially BYOD), assets in a public cloud, SCADA devices, and medical devices. Not Actionable Scanner reports prioritize vulnerabilities based on asset importance and a pre-defined vulnerability severity ranking, typically based on the Common Vulnerability Scoring System (CVSS) scoring. This methodology does not consider the network context of each vulnerability. For example, is there a security control that prevents the exploitation and lowers the downstream risk on a critical asset? If so, then a high-severity vulnerability could actually be low risk. This naïve methodology that does not consider the network context leads administrators to fix the wrong vulnerabilities and ignore the important ones. Network context should be considered again when it comes to remediation alternatives. For example, a high priority vulnerability may be shielded by turning on an IPS signature. However, if the scanning report does not take into account that an IPS is available in a location that can prevent the exploitation, then the mitigation recommendations will not include this option and may point to more complicated, less effective alternatives. Scanning reports are oriented for a security audience and do not provide the information required for the IT operations team to perform mitigating changes, such as which patches to apply or which devices to reconfigure. In summary, organizations attempting to have a well-run vulnerability management process find that vulnerability scanners create the following challenges: Provides only partial coverage of the network. Disrupts critical services. Exposes the organization to known vulnerabilities for weeks and even months. Requires significant cost and man hours to analyze scanning reports. Does not provide clear action items for remediation. 6

7 As a result, many organizations see vulnerability management mainly as a way to check the box for compliance reporting, and not as an effective security tool. Introduction to Next-Generation Vulnerability Management As in many IT management tasks, the toughest roadblocks to improving the vulnerability management process are operational: How can vulnerability management be scalable? How can detection and remediation cycles be fast enough to minimize the exposure window? How can vulnerability discovery avoid disruption? How can the vulnerability management process be automated? How can the process ensure that security and IT operations teams are on the same page regarding risks and action items? Next-Generation Vulnerability Management (NGVM) solutions are designed to effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, remove operational roadblocks, and provide up-to-date vulnerability visibility to the organization. NON-INVASIVE VULNERABILITY DETECTOR VULNERABILITY ANALYSIS NETWORK CONTEXT WORKFLOW AND TICKETS TRADITIONAL SCANNER DATA VULNERABILITY DICTIONARY ATTACK SIMULATION REMEDIATION OPTIONS REPORTS AND METRICS Non-Disruptive, Scanless Vulnerability Discovery Next-Generation Vulnerability Management challenges the assumption that scanning is the best and only way to discover vulnerabilities. The new approach utilizes non-disruptive, scanless technology that analyzes information repositories available in every enterprise typically patch management and asset management systems to automatically and accurately deduce vulnerability data on all network nodes. 7

8 There are many benefits of a scanless discovery approach: Fast discovery cycle time enables analysis of huge networks with hundreds of thousands of nodes in hours and small networks with thousands of nodes in minutes. Non-disruptive discovery by analyzing information repositories as opposed to touching every node enables organizations to perform continuous vulnerability discovery, without the fear of network disruption. Broad coverage enables analysis of nodes that are banned from or not recommended for scanning, such as critical systems, network and mobile devices, and assets in the cloud. This scanless discovery can work in conjunction with any scanner (e.g. network vulnerability scanners, web application scanners, and database scanners), so organizations don t need to give up their other discovery techniques. However, organizations no longer need to be limited by the constraints of using vulnerability scanners as a standalone solution for vulnerability discovery. Analytics-Driven Prioritization Once fresh vulnerability data is available on a continuous basis, the next challenge is automating analysis of the vulnerabilities to focus on the critical risks and not waste time on low-risk exposures. The idea is to create a short list of action items that can be executed quickly in order to eliminate the risk of exploitation by attackers. How can organizations determine which vulnerabilities are critical and which should be skipped? There are two approaches commonly used together for prioritization: Hot Spots Analysis This approach finds groups of hosts on the attack surface with a high density of severe vulnerabilities, which can be fixed en masse by broad action items, such as patching. Attack Vectors Analysis This is a surgical approach that finds specific, high-risk attack vectors around one or a few hosts that would require quick remediation (patching, shielding, network reconfiguration) to eliminate exposure to specific targeted assets. 8

9 Approach Applicable Scenarios Examples Hot Spots Analysis Large population of exploitable hosts in the network that are on or close to the attack surface and where relatively simple action items (such as patching a large set of clients) can be applied to solve the issue. Organization has strict policy regarding remediation of vulnerabilities as a function of severity level. Patching all 1,000 instances of Java-based client applications due to a new vulnerability advisory published by Oracle that shows how remote code execution is possible leveraging a buffer overflow vulnerability. Vulnerability remediation policy requires all high severity or critical vulnerabilities on database servers to be patched within 1 week. Attack Vectors Analysis Small population of exploitable hosts that are not necessarily on the attack surface (e.g. virtualization platform in the datacenter) or where simple remediation actions are not available at that point in time (e.g. a patch cannot by applied due to software dependency or far away patch window). Concern of targeted attacks by APT and other threats that require surgical analysis and remediation of possible attack scenarios. Turning on a specific IPS signature in front of the virtualization platform management ports to avoid possible exploitation, which can be used as a temporary measure until a patch can be applied. Contextual Remediation Once a short list of action items is available, the organization needs to find the optimal remediation alternatives, communicate effectively with the relevant IT operations team, and track progress. Next-generation vulnerability management solutions do exactly that by providing the following capabilities: Context-aware remediation recommendations consider a variety of remedial actions, such as IPS signature activation, firewall configuration changes, patching, system configuration, and more. Views fit operations teams. A quote to remember: System operations don t fix vulnerabilities, they apply patches. Integrated workflow generates and tracks remediation actions. The benefits of the solution are compelling: Contextual Remediation Options Finding the optimal remediation actions in the context of the organization s network and policies allows the organization to find a quick and dirty remediation to reduce the risk until a permanent solution is available. 9

10 Operational Efficiency Orchestrating remediation with the various IT operations teams allows each to see and act upon its action items, enabling an operationally efficient remediation process. Automated Remediation Tracking Automated tracking of remediation progress provides visibility to executives on risk levels trend in the organization. The Skybox Security Solution for Vulnerability Management The Skybox Security Next-Generation Vulnerability Management solution, based on Skybox Risk Control, continuously monitors the attack surface and critical attack vectors. This feeds vulnerability data into automated risk-based prioritization and remediation, which allows security teams to immediately remediate critical vulnerabilities. Skybox Risk Control can complete vulnerability discovery, analysis, and remediation tasks in a large enterprise environment in a single work day, and complete vulnerability discovery at least 50 times faster compared to traditional vulnerability assessment with an active scanner. Enterprises and government agencies using the Skybox vulnerability management solution report breakthrough results: Nearly 100 percent reporting accuracy every day, with no disruption. False positive reduction to near-zero levels. Elimination of 99 percent of irrelevant vulnerability data. Detection of 100,000 real vulnerabilities within hours of deployment. Same-day discovery, analysis and remediation of critical risks. Effective reduction of risk, prior to exploitation for the first time. Information from metrics and dashboards is used to justify additional security resources. 10

11 How It Works Non-Disruptive, Scanless Vulnerability Discovery Skybox is the first, vendor to provide a scalable solution for scanless discovery of vulnerabilities. Skybox scanless discovery converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog. It then accurately accurately deduces a list of vulnerabilities present in the network environment. With this information, more than 90 percent of the vulnerabilities in a typical enterprise network can be accurately discovered, without an active scan. This approach eliminates the many challenges associated with active scanning and provides the following benefits: Continuous vulnerability discovery covers 90 percent of very large networks in less than one day, compared to traditional vulnerability management processes that take days to cover 50 percent of such networks. Comprehensive coverage enables organizations to detect vulnerabilities on previously non-scannable parts of the network, such as critical systems, network devices, and mobile devices. Vulnerability assessment delivers detection at speeds of 12,000 hosts per hour, compared to the typical 250 hosts/per hour rate with a traditional active scanner. A non-disruptive technique discovers vulnerabilities from information repositories rather than touching every node. This approach to vulnerability management implements easily and effectively reduces the attack surface. Automated Analytics-Based Prioritization Skybox Security uses multiple, complementary analytic approaches to prioritize vulnerabilities in the context of the enterprise IT infrastructure: Hot Spot analysis of the attack surface allows a quick focus on the most exposed elements of the technology stack. This analysis highlights the root cause for the exposure and provides broad-brush action items that are relevant for a large group of hosts; for example, all Microsoft Windows servers in a regional datacenter or all Microsoft Windows 7 desktops and laptops with Adobe Reader installed. Remediation Prioritization is based on risk indicators that quantify the weight (or contribution) of each vulnerability type in a given group of hosts in order to focus on the largest contributors to the organization s risk level and corporate policies to determine which vulnerabilities should be remediated and when, given their severity. 11

12 Attack Simulation analysis finds attack scenarios using chains of multiple attack vectors that lead to possible exploitation of critical assets, considering the configuration of all security controls, such as firewalls, IPS, network topology, and other factors. This analysis provides a surgical identification of critical attack vectors that must be eliminated as soon as possible to prevent an advanced targeted attack or a fast spreading malware. Remediation prioritization is based on risk metrics that quantify the likelihood of the attack vector exploitation times the potential damage to the downstream asset. The Skybox analytic approach provides organizations with significant advantages. Even for a very large network with many vulnerabilities, Skybox analytic-driven prioritization reduces the number of distinct action items by 95 percent or more, compared to active scanning alone. In addition, the Skybox analysis is done automatically, which eliminates the need to manually analyze long lists of vulnerabilities and enables the process to be completed in hours instead of weeks or months. Context-Aware Remediation With the Skybox Security context-aware remediation, IT operations teams gain visibility into the critical short-list of vulnerabilities that require immediate action. The solution then offers remediation alternatives and considers a variety of actions, such as IPS signatures activation, firewall configuration changes, patching, system configuration, and more. Skybox Security Next-Generation Vulnerability Management also provides a built-in workflow environment that supports the day-to-day operations of triage and remediation, enabling a smooth connection between the vulnerability management and IT operations groups. This valuable integration enables actionable remediation through a streamlined process: Tickets (vulnerability or remediation items to be processed) are generated automatically based on analysis results and predefined scope and priorities. Triage and vulnerability management groups can focus on the tickets that fall under their responsibility (technology, location), supported by rich, contextual analytic information. Remediation items are forwarded to the appropriate group via the ticketing system, s, or reports. Automatic fix tracking provides up-to-date ticket status and automated ticket closure. Conclusions The face of the threat landscape continues to change. And by all accounts, advanced malware and targeted attacks are succeeding in their efforts to gain access to enterprise data and systems. This makes it all the more critical to have effective vulnerability management controls in place that enable continuous discovery, prioritization, and remediation of the network s greatest at-risk vulnerabilities. 12

13 Organizations should pursue a next-generation vulnerability management solution that provides strong performance in the following areas: Non-disruptive, scanless vulnerability discovery Analytic-driven prioritization Context-aware remediation Short cycle times (i.e. one hour from start to remediation recommendations, even in large networks) With its risk analytics and extensive research and collaboration with its customers, Skybox Security has a deep understanding of vulnerability management processes and raises the bar with a nextgeneration, end-to-end vulnerability management solution that automates and integrates continuous vulnerability discovery, analysis and remediation, enabling same-day attention to critical cyber risks. Implementing next-generation vulnerability management in your budget will streamline security management processes, ensure continuous compliance, and ultimately reduce costs. Contact Skybox Security for more information and to learn what next-generation vulnerability management can do for you. Next Steps Skybox Security provides the most powerful risk analytics for cyber security, giving security management and operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall management, and continuous compliance monitoring. To learn more about Skybox Security s solution for vulnerability management, download the free trial at /trial. Additionally, you can contact your local Skybox Security representative at /contactus or view our demos at demos-videos. About Skybox Security Established in 2002 and headquartered in San Jose, California, Skybox Security is a privately held company with worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large government agencies. Skybox Security customers are some of the most securityconscious organizations in the world, with mission-critical global networks and pressing regulatory compliance requirements. Today, six of the top 10 global banks and six of the 10 largest NATO members use Skybox Security for automated, integrated security management solutions that lower risk exposure and optimize security management processes /contactus Copyright 2013 Skybox Security, Inc. All rights reserved. Skybox is a trademarks of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners. WP_NGVM_EN_