Risk Reduction and Compliance through Vulnerability Management

Transcription

1 Risk Reductin and Cmpliance thrugh Vulnerability Management

2 Vulnerability Management / Overview Intercnnected netwrks between cmpanies and their custmers, suppliers and business partners ffer significant prductivity gains yet pse serius security risks.

3 Are We Getting Better r Wrse? What is the vulnerability? Hw significant is it? Hw prevalent is it? Hw easy is it t explit? Are any f my systems affected by it? Hw quickly shuld I patch fr this vulnerability?

4 Security Trend Indicatrs Malicius Cde ( ) Vulnerabilities ( ) Spam and Spyware ( ) Phishing and Identity Theft ( ) And Time t Explitatin ( )

5 First Generatin Threats Spreading mstly via , file-sharing Human actin required Virus-type spreading / N vulnerabilities Examples: Melissa Macr Virus, LveLetter VBScript Wrm Replicates t ther recipients Discvery/Remval: Antivirus

6 Secnd Generatin Threats Active Wrms Leveraging knwn vulnerabilities Lw level f sphisticatin in spreading strategy (i.e. randmly) Nn Destructive Paylads Remedy: Identify and fix vulnerabilities

7 Third Generatin Threats Autmated attacks leveraging knwn and unknwn vulnerabilities Cllabratin f Scial Engineering and Autmated Attacks Multiple Attack Vectrs - , Web, IM, Vulnerabilities, etc Active Paylads Remedy: Security Enfrcement / NAC / NAM

8 The Changing Vulnerability Landscape Frm server t client applicatins Befre: Vulnerabilities in server applicatins: -Webserver, Mailserver, Operating System services Nw: Mre than 60% f new critical vulnerabilities in client applicatins: -Web Brwser, Backup Sftware, Media Players, Antivirus Sftware, Flash, etc

9 Vulnerability Half-life

10 Micrsft Exchange Server Buffer Overflw Vulnerability

11 External vs. Internal Half-life

12 Lingering Vulnerabilities: SNMP Writeable

13 Vulnerability Lifespan

14 Windw f Expsure

15 A Cntinuus Cycle f Infectin

16 Mapping Vulnerability Prevalence

17 The Changing Tp f the Mst Prevalent

18 Laws f Vulnerabilities Half-Life: Length f time it takes users t patch half their systems currently 19 days fr external systems Prevalence: 50% f mst prevalent replaced annually Persistence: 4% f critical vulnerabilities remain persistent and their lifespan is unlimited Fcus: 90 percent f vulnerability expsure is caused by 10 percent f critical vulnerabilities Windw f Expsure: Time-t-explit cycle is shrinking faster than the remediatin cycle Explitatin: Autmated attacks create 85% f their damage within the first 15 days frm the utbreak and have an unlimited lifetime

19 Gal fr 2006: Shrten the Half-Life f Critical Vulnerabilities by 20%

20 Cmmn Vulnerability Scring System (CVSS) Industry Standard fr cmmn scring supprted by CERT, Mitre, Cisc, Symantec, Micrsft, and Qualys CVSS prvides an industry standard vulnerability scring that allws crpratins t take int cnsideratin their wn security metrics User custmizable scring based n three criteria -Base Inherent threat f the vulnerability -Tempral Time f vulnerability s existence -Envirnmental User envirnment variables Custmer Benefits -Priritize remediatin n critical assets -Identify risk n individual hsts

21

22

23 Trends and Statistics 99 $380, , The percentage f security breaches that target knwn vulnerabilities fr which there are existing cuntermeasures. CERT Crdinatin Center The average financial lss resulting frm security vilatins. CSI/FBI The percentage f successful attacks enterprises will avid by implementing a vulnerability management prcess. Gartner The number f netwrk security incidents that ccurred in CERT Crdinatin Center The rate at which reprted security incidents have grwn each year since the year CERT Crdinatin Center

24 Cmpliance Healthcare -HIPAA regulates the security and privacy f health data, including patient recrds and all individually identifiable health infrmatin. Financial Institutins -GLBA requires IT cntrls t maintain the cnfidentiality and privacy f cnsumer financial infrmatin. Online Merchants -The Payment Card Industry, including MasterCard SDP and Visa CISP mandate the prtectin f custmer infrmatin residing with merchants, safe frm hackers, viruses and ther ptential security risks. Public Cmpanies -Sarbanes-Oxley requires effective cntrls and prcesses fr validating the integrity f annual financial reprts. Gvernment -FISMA requires that federal agencies establish riskbased infrmatin security prgrams t secure federal infrmatin. Califrnia Cmmerce -CA mandates that rganizatins ding business in Califrnia reprt any cybersecurity breaches that may have cmprised custmer infrmatin.

25 Prpsed Slutin Establish enterprise vulnerability management prgram Netwrk Admissin Cntrl (NAC) is a new trend t stp threats befre they affect the enterprise Enfrce best practices fr cnfiguratin and plicy management New standard fr priritizatin f remediatin - CVSS

26 Autmated Web-based Vulnerability Discvery "The windw between vulnerability discvery and time t explitatin is narrwing rapidly. Tday's netwrking envirnment requires cntinuus auditing with real-time vulnerability and patch updates. The key way t prvide adequate security is thrugh a Web service that is updated daily." Hward A. Schmidt, Frmer Security Advisr t the President

27 Summary and Actins We Can Take Significant prgress n imprving the remediatin cycle Predefined vulnerability release schedules are shrtening the patch cycle Need t cunter the shrinking time-texplit cycle Gal: Shrtening the Half-Life f vulnerabilities by 20% within ne year

28 Security On Demand NIS can help yu meet the security requirements f business by supplying n demand, cntinuus netwrk security audits and vulnerability management. It is delivered as an independent, third-party service. It reslves traditinal barriers and transcends the limitatins f sftware tls and prvides an end-t-end prcess fr vulnerability management.

29 Trusted Third Party Results Because it is Web-based, we maintain the peratinal integrity, KnwledgeBase, and security architecture f the cmplete netwrk auditing and vulnerability management system. Unlike userwned and perated sftware tls, ur security audit data is tamperresistant and satisfies regulatry requirements f mandates such as Gramm-Leach-Bliley, Sarbanes- Oxley, SB1386, and HIPAA.

30 Vulnerability Management \ On Demand Slutin NIS' ON DEMAND MODEL OFFERS THE FOLLOWING BENEFITS: Nearly 4000 unique vulnerability signatures 2x nearest cmpetitr Accuracy rates f % based n mre than ne millin scans per mnth N infrastructure r enterprise sftware t deply r maintain Up-t-date security checks and netwrk intelligence Measurable ttal cst f wnership Strng security mdel with 3rd party audits and certificatin

31 On Demand Benefits vs. Sftware Slutins

32 Vulnerability Management \ Lifecycle Prcess

33 Map Results (Graphic Mde)

34 Map Results (Text Mde)

35 Cmprehensive Scan Reprt

36 Reprting

37 Reprting Cnt.

38 Map Reprt

39 Remediatin

40 Remediatin Wrkflw

41 Executive Remediatin Reprting

42 Accurate and Thrugh Vulnerability Knwledgebase 5,000++ unique checks Searchable knwledgebase by CVE number, name r categry Users can custmize severity levels r disable t filter frm reprts Knwledgebase is update daily, multiple times Any false psitives reprted are investigated immediately -signatures updated within hurs

43 Benefits and Features Out-f-the-bx integratin with ticketing systems (e.g. Remedy) Out-f-the-bx integratin with patch management and sftware distributin slutins (e.g. Citadel, PatchLink), NAC (Cisc, Vernier), Pen Testing (Cre Impact), SEMs (Cisc) SANS Tp 20 Reprt prvides industry baseline Autmated MasterCard SDP / Visa CISP Cmpliance Reprting Exprt reprts t HTML, MHT, PDF, CSV and XML frmats Trusted, third-party netwrk auditing and reprting meets the cmpliance needs f HIPPA, GLBA, Calif. SB 1386 and Sarbanes-Oxley and thers

44

45 Additinal Features Distributed management t delegate assessment and remediatin t multiple users with assigned privileges Centralized cntrl fr CSO r Security Manager Trend analysis frm distributed scans Custmizable scans Windws dmain authenticatin may be enabled t allw scanner access t system variables and registry inf t detect sme vulnerabilities Scan fr specific vulnerability t reduce windw f expsure t a critical vulnerability Once created these scans may be run n-demand r scheduled

46 Summary On demand vulnerability management slutins enable rganizatins t practively identify and remediate netwrk vulnerabilities, measure and manage risk, and ensure cmpliance with n additinal sftware r infrastructure csts.