Lumension Security Vulnerability Management Solution. Automating the Vulnerability Management Lifecycle


November 2008

Table of Contents

- Proactive Vulnerability Management
- Uncovering Vulnerabilities: A Never-Ending Process
- Managing the Vulnerability Lifecycle
- Discovering Assets
- The Security Management Console
- Defining Discovery Jobs
- Interpreting Discovery Results
- Assessing and Prioritizing Risks
- Managing Security Configurations
- Establishing Remediation Policies
- Mitigating Non-Patchable Risks
- Remediating Vulnerabilities
- Educating Users
- Deploying Agents
- Testing Patches
- Deploying Patches
- Scheduling Remediation Jobs
- Manual and Policy-Based Remediation
- Reporting and Monitoring
- An Integrated Solution for Managing the Vulnerability Lifecycle
- Expand Your Control with Lumension
- About Lumension Security

Proactive Vulnerability Management

Any computer that is exposed to the internet, unsanctioned applications, or unprotected storage devices can be infected with viruses, Trojans, worms, keyloggers, spyware, rootkits, and other malware. By preying upon vulnerabilities in operating systems and applications, from ubiquitous internet browsers to email and office productivity suites, these infections can quickly lead to stolen data, disrupted operations, and threats to the privacy of customers and employees. In 2007 alone, well over 6,000 new vulnerabilities were reported, an average of 124 per week. Nearly 90% of those vulnerabilities could be exploited remotely [1].

In addition, poorly installed or misconfigured devices can create vulnerabilities that allow data corruption, eavesdropping, and theft. Because vulnerabilities can be found literally everywhere, from gateways and routers to DNS servers, web servers, desktops, and laptops, many IT departments run a catch-as-catch-can defense. But using swarms of IT personnel to constantly hunt down vulnerabilities, figure out and then apply the appropriate patches, and hope for the best is a waste of resources.

Automating the vulnerability management lifecycle (discovery, assessment, prioritization, remediation, and reporting) lets you keep your information resources safe from external threats around the clock, freeing IT personnel to work on business-focused projects.

Uncovering Vulnerabilities: A Never-Ending Process

Automating vulnerability management dramatically improves your defense against malware even as it increases the operating efficiency of computing resources. It patches known risks, of course, but it also addresses endpoint misconfigurations, compliance with regulatory or corporate policies, outdated or inaccurate security mechanisms, and unauthorized services and applications.

Since new malware threats and configuration vulnerabilities continue to appear every day, it's critical that you automate the never-ending process of discovering assets, monitoring risks, and remediating as needed. In addition, your computing environment is constantly changing as you continuously add, replace, and modify computers, devices, servers, and software. You need a way to monitor both the ever-changing assets attached to your network and the mobile devices that interact with it, devices made even more vulnerable by their ability to operate outside the firewall.

With a combination of network- and agent-based scanning, you can track both networked and mobile assets.

Network-based scanning performs periodic sweeps of networked assets and records the status and compliance outliers for all operating computers. Such a solution is relatively easy to deploy, as nothing needs to be installed on individual devices. However, it is likely to occasionally miss devices, such as laptops and PDAs, that are connected only periodically.

Agent-based monitoring ensures that every device on which the agent is installed reports its status, configurations, vulnerabilities, and need for patches. Agents also make it possible for organizations to install and manage patches for each asset. Intermittently connected devices report when attached to the network, even through VPN or an internet connection. Devices that are always on and connected report on a specified schedule, reducing network bandwidth consumption.

An integrated solution that incorporates both network- and agent-based scans and assessments offers the best of both worlds. Network scanning takes snapshots of the state of all connected assets, while agents monitor individual assets for vulnerabilities and configuration issues as well as manage installation of patches for both online and mobile devices.

Such a unified system helps organizations avoid the costs of integrating and correlating databases and schemas from multiple security vendors, while making it possible to create a global report of assets and vulnerabilities. Finally, it eliminates the need for multiple security and operational IT teams, making the solution easier to deploy with a shorter learning curve for IT.

[1] Aberdeen Group, Vulnerability Management, July 2008.

The Lumension Security Vulnerability Management Solution fully integrates asset discovery with vulnerability assessment, remediation, and reporting. By combining network-based asset discovery and agent-based vulnerability management, Lumension gives operational and security teams an integrated toolset for policy management, assessment, enforcement, compliance, and change management.

Managing the Vulnerability Lifecycle

Vulnerability management is a constant cycle of discovering assets, assessing vulnerabilities, and prioritizing actions to remediate risks, patching where possible and mitigating everything else. The cycle continues with follow-up scanning, monitoring, and reporting to validate successful patching and compliance. Each phase sets up success for the next, increasing the efficiency and accuracy of the whole.

Figure 1: Vulnerability Management Lifecycle. The diagram shows five stages in a cycle:
- Discover: discover all network assets
- Assess: vulnerability and configuration assessment; network- and agent-based scanners with integrated view
- Prioritize: prioritize threats and mitigation actions
- Remediate: deploy security patches; mitigate risk with custom remediations
- Report: numerous reporting options; reporting across entire enterprise network

The vulnerability management lifecycle consists of five phases:
- Discovering assets
- Assessing vulnerabilities and misconfigurations and prioritizing risks
- Mitigating non-patchable risks
- Remediating vulnerabilities
- Reporting and monitoring

The Lumension Security Vulnerability Management Solution integrates all of these phases.

Discovering Assets

Discovering all of the computing assets and operating systems in your environment is the first step toward understanding the risks associated with existing vulnerabilities and configuration issues. Just knowing you have hundreds of un-patched systems can be useful, albeit stressful, but if you also know the functions of those systems (e.g., finance, marketing, production), you can start prioritizing the risks according to severity and potential impact.

The Lumension Security Vulnerability Management Solution offers both network- and agent-based methods of scanning and categorizing assets. Each method has its place in a unified VM strategy.

Figure 2: The Lumension Security Management Console is the central point for scanning, assessing, prioritizing, remediating, and reporting.

The Security Management Console

The Lumension Security Management Console is your first line of defense, providing a view of all assets currently attached to the network. Agents installed on offline assets will check in each time these assets boot up or connect to the network. You can run a manual network discovery as needed, or set up a regular schedule. Similarly, agents will provide detailed information when desired, or can be set to report asset status on a schedule. Assets without agents can be updated with client agent software directly from the console as needed.

Defining Discovery Jobs

Understanding your risks and vulnerabilities begins with discovering all of your network and mobile assets. Setting up a discovery job consists of choosing the parameters for a scan based on network architecture and the assets you wish to uncover. Discovery jobs can be defined to run on virtually any schedule you choose (hourly, daily, weekly, monthly) or at a given time of day to limit impact on network traffic.

Figure 3: To set up the discovery phase, define a job with the appropriate security credentials and range of discovery options and then define a schedule.

You can probe the network using ping, ICMP, port scanning, SNMP, Windows versions, DNS names, MAC addresses, or NetBIOS names. Specify one or more of the following discovery methods to limit a scan to a specific range:
- IP range
- Wildcard scan
- Active Directory domain controller
- Name target
- Network neighborhood
- Previously discovered targets
- Import a list of predefined targets

You can also choose to include or exclude specific ranges from a search. For example, you may wish to restrict access to a subnet of secure servers to specific security personnel.

If you have multiple networks, you can set up a centralized server to act as the repository for scans from each network. For example, a company might have subnets in three regional offices plus a central database at headquarters. Each subnet scanner can send results to the central server, from which the CSO can maintain a bird's-eye view of all risks.

Interpreting Discovery Results

The result of a network discovery provides an overview of assets from which you can drill down for detail. Discovery scans reveal many aspects, such as asset IP addresses, MAC addresses, OS, agent status and versions, and a rating of the criticality of each asset.

Figure 4: A scan of network assets can be viewed by criticality, access state, agent status, IP address, DNS, or operating system.

The system assigns a criticality rating based on OS and asset types: a server is more critical than a laptop, but a switch has greater weight than a file server. Sorting by variables can expose the vulnerabilities or configuration challenges affecting a specific OS or application release.

From this point, you can create groups and classify assets based on a variety of criteria:
- Groups defined by IP address, geography, department, or types of users
- Criticality by domain servers, gateways, and switches
- Web servers and mail servers
- PCs and laptops
- Disconnected devices

If agents are installed on some or all assets, monitoring becomes a matter of each agent reporting on a regular basis, not necessarily at the same time as a network scan. This enables you to keep watch over offline and mobile assets as well as over systems that are always online.

Figure 5: Discovery results show agent status (idle, offline, not installed), versions, and last check-in time.

Assessing and Prioritizing Risks

You can use the results of the discovery phase to scan and assess the types of vulnerabilities, misconfigurations, and levels of risks on the discovered assets. For a previously un-patched network, you may want to start with small groups of critical machines, such as those in the finance department, which can be grouped by IP address or network neighborhood.

Using the Lumension Security Management Console, you can define a scan job that interrogates the machines found in the discovery phase. Pre-configured scans can be customized for your assets, or you can design scan jobs from scratch to meet your needs.

Figure 6: Scan jobs are defined in the Lumension Security Management Console to interrogate the assets uncovered in the discovery phase.

Some of the criteria you can use for vulnerability scans are:
- Vulnerability Sets, such as BSD, CERT, CIAC, CVE, NIST, NT4_0, Network Device, Password, Password Checker, Platform Independent, Policy, and QuickScan
- Credentials that may be required to access the machines being interrogated
- Ports, services, shares, users, and groups

You initiate a scan job from the Management Console and it returns all the vulnerabilities found for the criteria you set for the job.

Figure 7: Focusing on groups of assets helps reveal the range and severity of vulnerabilities. Here the system highlights a DNS client that could allow spoofing.

Of course, the number of vulnerabilities in an environment depends on how well patched the systems are to begin with, and how much control users have over individual machines. The results of an assessment scan can be sorted by patch severity, status, CVE identifier, and CERT identifier, among other methods. The sorting capability lets you focus on high-severity warnings first.

Figure 8: A detail summary provides information on the ramifications of each vulnerability and on how to remediate the issue.

The Lumension Security Management Console lets you drill down to see the details of a particular vulnerability, including links to additional descriptions of the issue from vendors and the National Institute of Standards and Technology (NIST). The detail summary of each vulnerability provides a description illustrating how the vulnerability causes damage, along with type; category; severity; identifications by CVE, Bugtraq, CERT, and CIAC; and information about available patches.

The system also computes a Score, which is a weighted number (1-100), combining criticality and number of vulnerabilities. Assets with a high Score (80-100) need immediate attention.

Based on the Score of affected machines and your judgment of the impact a vulnerability exploit could have on your business, you can prioritize and decide which vulnerabilities to patch on which machines, and in what order. To do so consistently and efficiently, you will need to establish your own vulnerability remediation policies.

Figure 9: The Target view of a scan reveals the vulnerabilities of each machine and the Score ranking to help you prioritize remediations.

Managing Security Configurations

Vulnerabilities can also stem from a plethora of misconfigurations that create security gaps and performance problems that in turn lead to increasing support costs from constant rebuilding of PCs. These misconfigurations can range from common oversights, such as leaving administrator access open on a PC, to hidden registry settings in applications that leave the machine susceptible to backdoors. The Lumension solution assesses for software, operating system, and application configuration vulnerabilities resulting from incorrect installations and even from users meddling with system settings.

The Lumension Security Vulnerability Management Solution leverages best practices from leading security think tanks, including the National Institute of Standards and Technology (NIST), which developed the Security Content Automation Protocol (SCAP), a repository of security content to help automate and standardize technical control compliance activities as well as vulnerability checks of both application misconfigurations and software flaws.

In particular, organizations committed to meeting the Federal Desktop Core Configuration (FDCC) standard from the U.S. OMB and NIST can use Lumension Security's configuration management capabilities to scan and verify compliance with the 200+ configuration rules. The solution can monitor and report on FDCC configuration issues to help you correct and comply with these regulations. In the commercial sector, FDCC policies can be easily applied as industry best practices. Organizations can also upload their own policies to monitor for misconfigurations in specialized software or modified operating systems.

Establishing Remediation Policies

Armed with the information from your discovery and assessment scans, you can prepare the policies that will guide your remediation strategy and tactics. These policies are unique to every organization, depending on size, complexity, and the need to comply with specific governmental and legal regulations. Remediation policies should also be consistent with any existing corporate policies. There are, however, basic guidelines you can follow to establish your remediation policies.

- Determine the most critical assets for your operations: servers to keep the flow of communication going at all times, web servers for your customer-facing storefront, and database servers for your ERP system. Your internal and external service-level agreements will dictate the priority of remediation.
- Set timeframes for applying critical patches. For example, two weeks for all personal computers; two days for business servers.
- Determine vulnerability scan timeframes: daily, weekly, monthly, or by groups of assets. For example, laptops as they connect to the network, database servers every week, gateways and switches every day.
- Test your policy compliance with industry best-practice security configuration standards and regulations, such as FDCC, and set tolerance thresholds to remain compliant.

Codifying these types of decisions will help you apply remediations in a consistent and timely manner across your organization.

Mitigating Non-Patchable Risks

A subset of revealed vulnerabilities and configuration issues may not be immediately patchable or even appropriate to patch. These include:
- Open ports that can be vulnerable to attack and should be closed
- Inappropriate firewall settings
- Autorun CDs that can load malicious code when a CD is inserted
- New flaws for which no patches are yet available
- Computers with non-compliant FDCC configurations (e.g., active guest or admin accounts)

In many of these cases, you will need to change settings manually (firewalls, ports) or fine-tune configurations to alleviate the vulnerability. Other situations may require mitigating the vulnerability until a permanent fix is found. In some cases, taking an asset offline is the only prudent answer. If you are also using Lumension Security Endpoint Protection Solution, you can use application whitelisting to prevent critically vulnerable applications from launching until they are patched.
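The patch-timeframe guideline under Establishing Remediation Policies (two weeks for personal computers, two days for business servers) can be codified as data and checked mechanically. The sketch below is an added example, not part of the original paper or of any Lumension product; the asset-class labels, field names, identifiers, and sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch timeframes from the guideline in the text. The class labels
# ("pc", "business_server") are names assumed for this example.
PATCH_SLA = {
    "pc": timedelta(days=14),
    "business_server": timedelta(days=2),
}


@dataclass(frozen=True)
class Finding:
    asset: str                 # constructed host name
    asset_class: str           # key into the policy table
    vuln_id: str               # constructed placeholder identifier
    patch_released: date       # day the fix became available
    patched_on: Optional[date] = None  # None while still unpatched


def classify(finding, today, policy=PATCH_SLA):
    """Return (status, days_past_deadline) for one finding."""
    window = policy.get(finding.asset_class)
    if window is None:
        # Fail closed: an asset class with no policy is surfaced for
        # review instead of being silently counted as compliant.
        return ("unclassified", None)
    due = finding.patch_released + window
    if finding.patched_on is not None:
        late_by = (finding.patched_on - due).days
        return ("late", late_by) if late_by > 0 else ("compliant", 0)
    overdue_by = (today - due).days
    return ("overdue", overdue_by) if overdue_by > 0 else ("open", 0)


def overdue_report(findings, today, policy=PATCH_SLA):
    """Unpatched findings past their deadline, most overdue first."""
    rows = []
    for f in findings:
        status, days = classify(f, today, policy)
        if status == "overdue":
            rows.append((f.asset, f.vuln_id, days))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def summary(findings, today, policy=PATCH_SLA):
    """Count findings per status for a compliance report."""
    counts = {}
    for f in findings:
        status, _ = classify(f, today, policy)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample data, evaluated as of TODAY.
TODAY = date(2008, 11, 20)
SAMPLE_FINDINGS = [
    Finding("FIN-DB-01", "business_server", "VULN-A", date(2008, 11, 10)),
    Finding("HR-PC-07", "pc", "VULN-A", date(2008, 11, 10)),
    Finding("MAIL-01", "business_server", "VULN-A",
            date(2008, 11, 10), date(2008, 11, 11)),
    Finding("WEB-02", "business_server", "VULN-A",
            date(2008, 11, 10), date(2008, 11, 15)),
    Finding("KIOSK-3", "kiosk", "VULN-B", date(2008, 11, 1)),
    Finding("SALES-LT-2", "pc", "VULN-C", date(2008, 10, 20)),
]

if __name__ == "__main__":
    for asset, vuln, days in overdue_report(SAMPLE_FINDINGS, TODAY):
        print(f"{asset}: {vuln} is {days} day(s) past its patch deadline")
    print(summary(SAMPLE_FINDINGS, TODAY))
```

The "unclassified" status matters in practice: an asset that discovery found but nobody assigned to a policy group would otherwise drop out of the compliance numbers.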
Remediating Vulnerabilities

You've discovered assets and scanned them for vulnerabilities, analyzed and prioritized the vulnerability and risk reports, and mitigated where possible. Now comes the coup de grâce: remediating the vulnerabilities for which you have patches and fixes.

Educating Users

An important step in the implementation of any IT management system is educating personnel on what to expect with the new level of control. In the case of vulnerability management, users need to understand that patches will be rolled out as needed. In many cases, the patching process requires a reboot of a machine. Inevitably, this may cause interruptions in people's routines. Employees need to know which computers need to be left on and connected to the network. Mobile computer users will be affected when they reconnect to the network. Agents can notify the user when a patch is being downloaded, applied, and if there is a need for a reboot.

Deploying Agents

In order to install patches and fix configuration issues, an agent needs to be installed on each asset. You may decide to roll out the client agents during your regular updates to computers with your existing change management system, or you can deploy agents individually to assets that need remediation.

The Lumension Security Management Console provides a quick way to see if agents are installed on a specific device, and if not, an easy method to install and configure an agent on any networked machine.

Testing Patches

Testing your patches is a critical first step to assure not only that the patches install and work correctly, but that they do not interfere with other applications. You should have a special baseline of machines, representing the range of configurations on your network, to test the patches. Assign these to a Test Group and let the agents install patches, reboot, and then evaluate the results for application conflicts.

When the remediations pass the baseline test machines, you are ready to apply them to a diverse set of employee machines. You should first set up a group of assets that include one or two machines from several departments, ensuring that they represent the range of applications and configurations found in your organization.

Deploying Patches

Once the remediations are installed and tested on these sample real-world machines, you are ready to deploy them across the enterprise based on the risk policies you have formulated. Typically, you will patch the assets with the highest severity rating and impact on your business, and then work your way down the scale of risk. For example, if your business relies heavily on customer emails, your mail servers will be at the very top of the remediation list, in concert with your policies for their maintenance downtime.

Figure 10: Focusing on specific machines or vulnerabilities to start patching the most urgent risks.

Scheduling Remediation Jobs

The administrator of patch deployment uses the Remediation Wizard to define each patch job. Jobs can cover hundreds of assets or just one, depending on the severity and number of machines affected. Patches cannot be distributed without the explicit authorization of the administrator.

Figure 11: With the Remediation Wizard, a few clicks let you patch a set of vulnerabilities by defining the machine to be patched, the schedule, and the reboot options.

The administrator can specify several options for deployment:
- Reboot schedule allows you to set reboots according to an individual agent's policies, at a specific time, or not at all.
- Sequential deployment minimizes network traffic by breaking up patch files as they are transmitted to agents.
- Parallel deployment distributes critical patches to multiple agents all at once.
- Quiet Mode does not alert the user of the machine that a patch is being installed and does not require user interaction.
- QChain installs multiple patches with one final restart (instead of rebooting after each patch).

Once you define and save a patch job, it will launch according to schedule, instructing agents to download specific patch files and install them according to predefined rules.

Manual and Policy-Based Remediation

Most networked assets, such as servers and desktop PCs, are exposed to a constant stream of risks. Viruses and other threats are routinely uncovered by NIST and other agencies and reported as threats. The Lumension Security Vulnerability Management Solution automatically downloads the latest patch definitions and files from the Lumension Vulnerability Management Server so that assessment scans are up-to-date on the latest threats.

Lumension makes it easy to perform manual ad hoc remediation to fix urgent vulnerabilities, and to set up policy-based schedules for remediation (e.g., patch mail servers Saturdays at 1 AM; critical patches must be installed within 2 days) according to your established enterprise and security configuration policies.

With agents installed on all your assets, threats are reported as they are detected, regardless of the network scanning cycle. Agents automatically request patches for detected vulnerabilities. The remediation administrator must approve the deployment of the patch and schedule the deployment (e.g., immediately, within 24 hours). Agents that receive a patch automatically apply it, and reboot as defined by the job's schedule.

Agents are particularly valuable for laptops and other mobile devices. When a mobile or offline computer reconnects via the internet or LAN/WAN, its agents immediately request updates to newly discovered vulnerabilities, download remediation packages, install them in the proper order, and report the remediation status to the central console.

Reporting and Monitoring

Reporting, the final phase of the vulnerability management lifecycle, proves the value of your efforts. Customers, suppliers, and regulatory agencies require confirmation that your systems meet certain standards and verification that patching and configuration management are making your systems more secure. Reporting also serves as the foundation for ongoing monitoring and discovery.

Reporting tracks trends in new and fixed vulnerabilities. A decrease in vulnerability and fast turnaround to remediation show progress and the ability to keep security risks under control. In addition, Lumension Security's integrated configuration management solution allows easy monitoring and the export of policy-driven configuration reports to demonstrate compliance with government, customers, and legal standards.

Reports also provide a view into trends of vulnerability severity: fewer critical warnings or rising alerts for specific operating systems or applications indicate you are on top of the situation.

Figure 12: Reports, especially Executive Summaries, provide evidence of progress or alert you to the need for more frequent scans and remediation.

Summaries and executive reports provide a foundation for reviewing enterprise security policies, dealing with criticality, and instituting changes to increase effectiveness.

An Integrated Solution for Managing the Vulnerability Lifecycle

Lumension Security Vulnerability Management is ideal for IT environments consisting of heterogeneous platforms and applications. It is a cost-effective, in-depth vulnerability assessment, remediation, and security configuration management solution for managing multiple operating systems, such as Windows, Linux, UNIX, OSX, and the wide range of applications that run on them. Using open standards such as NIST and CVE, the solution ensures that as vulnerabilities continue to attack your computing environment, your system is aware of and can deal proactively with constantly evolving patches.

In addition to subscription-based secure configuration contents and checklists available from the National Vulnerability Database, Lumension Security Vulnerability Management Solution embraces open standards. You can create, import, and map custom configuration policy contents and regulatory compliance schemes, such as NIST SP , NSA Security Guide, DISA Security Guide, Microsoft Security Best Practice Guide, and incorporate your own specific best practices or local regulations as appropriate.

Lumension Security Vulnerability Management works hand-in-hand with the Lumension Security Data Protection and Endpoint Protection solutions to build a proactive security shield that defends your information systems and vital data. For example, patches are automatically added to a shared application whitelist, ensuring proper operation as systems are updated. In addition, the whitelist is aware of existing vulnerabilities and can block unpatched or corrupted applications from running should a threat be great enough.

Expand Your Control with Lumension

Lumension Security Solutions provide granular and far-reaching control of your most critical vulnerability, data protection, and endpoint security issues.

As discussed in this paper, Lumension Security Vulnerability Management Solution gives enterprises an inventory and vulnerability management solution that identifies software, hardware, and services throughout your network. It monitors how assets are used or misused and closes vulnerability and configuration gaps, helping ensure compliance with configuration and security policies.

With Lumension Security Endpoint Protection Solution, whitelisting guards your systems by allowing only approved processes and applications to run. It automatically protects your systems against malware and viral programs while improving total data security and overall system performance.

Lumension Security Data Protection Solution for device control lets you manage storage endpoints to stop leakage of sensitive information, with detailed forensics of who is moving data and where.

Lumension Security gives you control over your IT resources today. For more information, contact Lumension at or

About Lumension Security

Lumension Security, formed by the combination of PatchLink Corporation and SecureWave S.A., is a recognized global security software solution company, providing optimal protection and control of enterprise endpoints for more than 5,100 customers and 14 million nodes worldwide. Leveraging its proven Proactive Security Model, Lumension Security enables organizations to effectively manage risk at the endpoint by delivering best-of-breed, policy-based solutions that simplify the entire security management lifecycle. This includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting & Compliance. Headquartered in Scottsdale, Arizona, Lumension has offices worldwide, including in Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, Hong Kong, and Singapore. PatchLink, now Lumension, was founded in 1991 by Sean Moshir.

Global Headquarters: North Greenway Hayden Loop, Suite 100, Scottsdale, AZ, United States of America


More information

Patch Management Policy

Patch Management Policy Patch Management Policy L2-POL-12 Version No :1.0 Revision History REVISION DATE PREPARED BY APPROVED BY DESCRIPTION Original 1.0 2-Apr-2015 Process Owner Management Representative Initial Version No.:

More information

WHITE PAPER. Best Practices for Securing Remote and Mobile Devices

WHITE PAPER. Best Practices for Securing Remote and Mobile Devices WHITE PAPER Best Practices for Securing Remote and Mobile Devices Table of Contents Executive Summary 3 The Rise of Mobile and Remote Computing 3 Risks from Remote Computing 3 Risks for Mobile Workers

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat PCI COMPLIANCE Achieving Payment Card Industry (PCI) Data Security Standard Compliance With Lumension Security Vulnerability Management and Endpoint Security Solutions Cardholder Data at Risk While technology

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014 Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability 7 Jul 2014 1 Purpose This document is intended to provide insight on the types of tools and technologies that

More information

What Do You Mean My Cloud Data Isn t Secure?

What Do You Mean My Cloud Data Isn t Secure? Kaseya White Paper What Do You Mean My Cloud Data Isn t Secure? Understanding Your Level of Data Protection www.kaseya.com As today s businesses transition more critical applications to the cloud, there

More information

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management. www.kaseya.com Kaseya White Paper Endpoint Security Fighting Cyber Crime with Automated, Centralized Management www.kaseya.com To win the ongoing war against hackers and cyber criminals, IT professionals must do two

More information

Practical Patch Compliance

Practical Patch Compliance Practical Patch Compliance Relieving IT Security Audit Pain, From the Data Center to the Desktop Microsoft s System Center Configuration Manager doesn t handle every aspect of Linux/UNIX and third-party

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,

More information

Whitepaper. Securing Visitor Access through Network Access Control Technology

Whitepaper. Securing Visitor Access through Network Access Control Technology Securing Visitor Access through Contents Introduction 3 The ForeScout Solution for Securing Visitor Access 4 Implementing Security Policies for Visitor Access 4 Providing Secure Visitor Access How it works.

More information

Reining in the Effects of Uncontrolled Change

Reining in the Effects of Uncontrolled Change WHITE PAPER Reining in the Effects of Uncontrolled Change The value of IT service management in addressing security, compliance, and operational effectiveness In IT management, as in business as a whole,

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

AVeS Cloud Security powered by SYMANTEC TM

AVeS Cloud Security powered by SYMANTEC TM Protecting your business from online threats should be simple, yet powerful and effective. A solution that secures your laptops, desktops, and servers without slowing down your systems and distracting

More information

Streamlining Patch Testing and Deployment

Streamlining Patch Testing and Deployment Streamlining Patch Testing and Deployment Using VMware GSX Server with LANDesk Management Suite to improve patch deployment speed and reliability Executive Summary As corporate IT departments work to keep

More information

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

PATCH MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region PATCH MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it Complete and high performance protection where you need it Overview delivers high-performance protection against physical and virtual server downtime with policy based prevention, using multiple protection

More information

Introduction to Endpoint Security

Introduction to Endpoint Security Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user

More information

Information Technology Solutions

Information Technology Solutions Managed Services Information Technology Solutions A TBG Security Professional Services Offering LET TBG MANAGE YOUR INFRASTRUCTURE WITH CONFIDENCE: TBG S INTEGRATED IT AUTOMATION FRAMEWORK PROVIDES: Computer

More information

IBM Tivoli Endpoint Manager for Security and Compliance

IBM Tivoli Endpoint Manager for Security and Compliance IBM Endpoint Manager for Security and Compliance A single solution for managing endpoint security across the organization Highlights Provide up-to-date visibility and control from a single management console

More information

How To Monitor Your Entire It Environment

How To Monitor Your Entire It Environment Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time Technology Blueprint Assess Your Vulnerabilities Maintain a continuous understanding of assets and manage vulnerabilities in real time LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1

More information

Microsoft Windows Intune: Cloud-based solution

Microsoft Windows Intune: Cloud-based solution Microsoft Windows Intune: Cloud-based solution So what exactly is Windows Intune? Windows Intune simplifies and helps businesses manage and secure PCs using Windows cloud services and Windows 7. Windows

More information

IBM Endpoint Manager for Core Protection

IBM Endpoint Manager for Core Protection IBM Endpoint Manager for Core Protection Device control and endpoint protection designed to guard against malware and loss of sensitive data Highlights Delivers real-time endpoint protection against viruses,

More information

Agent vs. Agent-less auditing

Agent vs. Agent-less auditing Centennial Discovery Agent vs. Agent-less auditing Building fast, efficient & dynamic audits As network discovery solutions have evolved over recent years, two distinct approaches have emerged: using client-based

More information

INTRODUCING isheriff CLOUD SECURITY

INTRODUCING isheriff CLOUD SECURITY INTRODUCING isheriff CLOUD SECURITY isheriff s cloud-based, multi-layered, threat protection service is the simplest and most cost effective way to protect your organization s data and devices from cyber-threats.

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

Lumension Endpoint Management and Security Suite Patch and Remediation 7.0 Service Pack 1 Migration Guide

Lumension Endpoint Management and Security Suite Patch and Remediation 7.0 Service Pack 1 Migration Guide Lumension Endpoint Management and Security Suite Patch and Remediation 7.0 Service Pack 1 Migration Guide Planning your migration with Service Pack 1 This document provides guidance for customers who plan

More information

Avoiding the Top 5 Vulnerability Management Mistakes

Avoiding the Top 5 Vulnerability Management Mistakes WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Proactively Managing Servers with Dell KACE and Open Manage Essentials

Proactively Managing Servers with Dell KACE and Open Manage Essentials Proactively Managing Servers with Dell KACE and Open Manage Essentials A Dell Technical White Paper Dell KACE Dell Open Manage Essentials THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN

More information

Remote Services. Managing Open Systems with Remote Services

Remote Services. Managing Open Systems with Remote Services Remote Services Managing Open Systems with Remote Services Reduce costs and mitigate risk with secure remote services As control systems move from proprietary technology to open systems, there is greater

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning

More information

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

Proven LANDesk Solutions

Proven LANDesk Solutions LANDesk Solutions Descriptions Proven LANDesk Solutions IT departments face pressure to reduce costs, reduce risk, and increase productivity in the midst of growing IT complexity. More than 4,300 organizations

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

Features Business Perspective. www.eset.com

Features Business Perspective. www.eset.com Features Business Perspective www.eset.com Endpoint Protection Antivirus / Antispyware Auto-Scan of Removable Media Host-based Intrusion Prevention System (HIPS) Client Antispam Cross-platform Protection

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION

SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION Frequently Asked Questions WHAT IS SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION 1? Symantec Endpoint Protection Small Business Edition is built

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement Comprehensive Endpoint Enforcement Overview is a complete, end-to-end network access control solution that enables organizations to efficiently and securely control access to corporate networks through

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

IBM Endpoint Manager Product Introduction and Overview

IBM Endpoint Manager Product Introduction and Overview IBM Endpoint Manager Product Introduction and Overview David Harsent Technical Specialist Unified Endpoint IBM Endpoint Manager and IBM MobileFirst Protect (MaaS360) Any device. Identify and respond to

More information

Hardware Inventory Management Greater Boston District

Hardware Inventory Management Greater Boston District Hardware Inventory Management Greater Boston District Audit Report Report Number IT-AR-15-004 March 25, 2015 Highlights Management does not have an accurate inventory of hardware assets connected to the

More information

Network Security and Vulnerability Assessment Solutions

Network Security and Vulnerability Assessment Solutions Network Security and Vulnerability Assessment Solutions Unified Vulnerability Management It s a known fact that the exponential growth and successful exploitation of vulnerabilities create increasingly

More information

Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager

Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager Contents INTRODUCTION: UNDERSTANDING HOW ALIGNING DESKTOP SECURITY AND

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

5 Steps to Advanced Threat Protection

5 Steps to Advanced Threat Protection 5 Steps to Advanced Threat Protection Agenda Endpoint Protection Gap Profile of Advanced Threats Consensus Audit Guidelines 5 Steps to Advanced Threat Protection Resources 20 Years of Chasing Malicious

More information

Evaluation Guide. iprism Web Security. 800-782-3762 www.edgewave.com V7.000

Evaluation Guide. iprism Web Security. 800-782-3762 www.edgewave.com V7.000 800-782-3762 www.edgewave.com Welcome to EdgeWave Web Security! This short guide is intended to help administrators set up and test the iprism Web Filtering appliance for evaluation purposes. A more detailed

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide Product overview... 3 Vulnerability scanning components... 3 Vulnerability fix and patch components... 3 Checklist... 4 Pre-installation

More information

Dedicated and Distributed Vulnerability Management

Dedicated and Distributed Vulnerability Management Dedicated and Distributed Vulnerability Management December 2002 (Updated February 2007) Ron Gula Chief Technology Officer Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 THE NEED FOR VULNERABILITY

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

AVG AntiVirus. How does this benefit you?

AVG AntiVirus. How does this benefit you? AVG AntiVirus Award-winning antivirus protection detects, blocks, and removes viruses and malware from your company s PCs and servers. And like all of our cloud services, there are no license numbers to

More information

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription

More information

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0. Medical Device Security Health Imaging Digital Capture Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0 Page 1 of 9 Table of Contents Table of Contents... 2 Executive Summary...

More information

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview

This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview This chapter covers the following topics: Network admission control overview NAC Framework benefits NAC Framework components Operational overview Deployment models C H A P T E R 6 Implementing Network

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Facilitate policy-based expertise and

More information

Zone Labs Integrity Smarter Enterprise Security

Zone Labs Integrity Smarter Enterprise Security Zone Labs Integrity Smarter Enterprise Security Every day: There are approximately 650 successful hacker attacks against enterprise and government locations. 1 Every year: Data security breaches at the

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information