Vulnerability Management Isn t Simple (or, How to Make Your VM Program Great)

Transcription

1 Vulnerability Management Isn t Simple (or, How to Make Your VM Program Great) Kelly Hammons Principal Consultant, CISSP Secutor Consulting October 2 nd, % of breaches could have been avoided through simple or intermediate controls - Verizon Data Breach Investigations Report, 2012 While over 90 percent of all organizations monitor security effectiveness in some manner, only 40 percent do so constantly rather than on an as-needed basis. - Enterprise Security Group (ESG) Security Management & Operations Report, June 2012

2 How are vulnerabilities usually managed? Limited or non-existent budget Scanning too infrequently to be relevant Or scanning too aggressively Not using authentication Only scanning the perimeter Ad hoc prioritization Ignoring them Vulnerability Management Goals (or, VM Maturity Model) Comply with regulations (PCI, HIPAA, NERC CIP ) Vulnerability remediation / reduce attack surface Keep your company s name off the front page of the New York Times keep your job Asset discovery Understand your perimeter Test new systems before they re brought online Automation + Integration Produce actionable data & metrics

3 Challenges Resistance from Network Operations, Patching Team, System Owners Things *will* crash Network devices *will* become saturated Patching software won t always agree with the scanner Vulnerability Prioritization DHCP Who owns the machine and/or service? Scanning Scanner placement What is in/out of scope? Can you scan partner networks? Where do we start? What are you going to scan? Discovery scan Internal vs External IPs Ports Authentication Workstations, servers, lab, DMZ, IP phones, printers, network devices Scan frequency and windows? Who is responsible for patching? Where are the firewalls? Where do I place the scanners? How will vulnerabilities be prioritized?

4 What do I do with all of these vulnerabilities? Patch Upgrade Disable/Uninstall the service Add a client-side firewall or HIPS Modify the network fabric (routers/firewalls/ips) or ignore Prioritization CVSS Valuable hosts/data *accessibility* from a threat source What does your network look like?

5 @NTXISSA #NTXISSACSC3

6 Metrics Are you measuring busyness or addressing risk? What am I scanning? What am I *not* scanning? How many of what kind of vulnerabilities? What s different compared to last month? Pitfalls DHCP Trending Upgrading or sunsetting hosts Stale scan data Wall of shame Simple Metrics

7 A good example A great example Metrics in context February Scan Results: Asset Group Status Comments ABC Servers and Network Devices Yellow No host increase, number of Level 5 vulnerabilities is the same. DEF Servers and Network Devices Green No increase in hosts, Level 5 vulnerabilities have decreased. GHI Servers and Network Devices Yellow No host increase, number of Level 5 vulnerabilities is the same. NA Workstations Red The number of hosts and Level 5 Vulnerabilities increased. Europe Workstations Green The number of hosts increased and the number of Level 5 vulnerabilities still decreased. JKL Workstations Red The number of hosts and Level 5 Vulnerabilities increased.

8 More great examples Interoperability The whole is greater than the sum of its parts Asset Management/CMDB: Who owns this box? Patching: Discover false negatives Pen Testing: Speed up vulnerability discovery, less intrusive SIEM/IPS/IDS: Mitigate false alerts, fine-tune, add context, prioritize remediation Ticketing: Easy workflow Vector Analysis: Prioritization, discover unscanned subnets, discover *downstream* risk GRC: Fine-tune risk metrics, remediation tracking

9 The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) Thank you NTX ISSA Cyber Security Conference October 2-3,