Vulnerability Management:

Transcription

1 Vulnerability Management: Creating a Prcess fr Results Kyle Snavely Veris Grup, LLC Summary Organizatins increasingly rely n vulnerability scanning t identify risks and fllw up with remediatin f thse risks. Hwever, in the absence f a cmplete Vulnerability Management prgram, rganizatins may fail t gain a cmplete and accurate assessment f their vulnerabilities. Likewise, rganizatins withut clear prcesses fr cmmunicating the assciated tasks and data f the scans may als fail t adequately execute patches, r they may nt track and archive the infrmatin required fr regulatry cmpliance. A Vulnerability Management prgram designed fr results takes int cnsideratin the cnfiguratin, crdinatin, and cmmunicatin necessary t successfully prtect critical data and reduce the risks t the rganizatin. WHY VULNERABILITY MANAGEMENT? Ensure prtectin f critical data Meet cmpliance regulatins Reduce risk r minimize impact by addressing vulnerabilities in a timely manner Prepare t meet future security needs f a grwing rganizatin What is Vulnerability Management? Vulnerability scanning is increasingly cmmn in rganizatins acrss industries, particularly thse wh must adhere t federal, industry, r ther regulatins regarding cybersecurity. The scans themselves are designed t discver risks thrughut the rganizatin s netwrks; hwever, scanning in the absence f a cmplete Vulnerability Management prgram can actually d as much harm as gd. Scans prduce data, but that data presents its wn set f questins, including: What updates and patches are available t the systems in the enterprise? Which devices were included in the scans? Which vulnerabilities shuld be remediated first? Wh is respnsible fr the remediatin? These questins, albeit nt an exhaustive list, cnfirm the many critical cmpnents f security that a cmprehensive vulnerability management prgram addresses. SANS Institute, an established cybersecurity training rganizatin, calls a cntinuus vulnerability assessment and remediatin prcess ne f the tp 20 Critical Security Cntrls. As much as the authr emphasizes the need fr vulnerability scanning, SANS further pints ut that if the scans are nt prperly maintained and regulated, attackers use

2 the scans as a pint f explitatin. While this may be an extreme example, it supprts a very imprtant pint: Vulnerability Management is abut much mre than scanning. Challenges f Vulnerability Management Fr many rganizatins, it is challenging enugh t implement scanning, let alne a cmplex Vulnerability Management prgram. Designing and implementing an effective prgram invlves many steps and decisin pints. The challenges begin in the planning phase, which usually assumes the existence f a thrugh and accurate device inventry. This is a large assumptin t make, since many rganizatins d nt accurately maintain an inventry f all enterprise assets. Tl selectin and cnfiguratin is a challenge at this stage as well, and it can impact the success f the Vulnerability Management prgram by freeing up resurces with autmated prcesses. VM STAKEHOLDERS CEO IT Directr Systems Administratrs Vulnerability Management Crdinatr Technical Team Supervisr Security Analysts Netwrk Engineers It is imprtant t carefully cntrl authenticated vulnerability scans and the assciated administratr accunt. Attackers will take ver ne machine with lcal privileges, and wait fr an authenticated scan t ccur against the machine. When the scanner lgs in with dmain admin privileges, the attacker either grabs the tken f the lgged-in scanning tl, r sniffs the challenge respnse and cracks it. Either way, the attacker then can pivt anywhere else in the rganizatin as dmain administratr. -SANS 1 The challenges cntinue thrughut the actual scanning prcess as all f the varius stakehlders attempt t discern wh is respnsible fr what actins, and what the pririty f a reprted vulnerability is. Once a patch is executed, the stakehlders rely n a system t track, check, and revisit the patches, as well as lg the varius firmware updates. Veris Grup has identified three critical cmpnents t cnsider fr rganizatins seeking t implement a successful and cst-effective Vulnerability Management prgram. Figure 1: VM Stakehlders The Three Cs f a Successful Vulnerability Management Prgram A Vulnerability Management prgram allws the rganizatin t plan fr the scans, but als fr the peple and the prcesses that lead t the success f the prgram. By cnfiguring the tls, resurces, and reprting mechanisms ahead f time, the prgram is ready t handle the data that the scans prduce. Hwever, thrugh the prper crdinatin f staffing and definitin f rles and respnsibilities, the rganizatin can ensure that the data results in the

3 crrect slutin in a timely manner. Finally, by cmmunicating the status, reprts, releases, and plicies assciated with the prgram, the stakehlders ensure that the data results in a secure and cmpliant rganizatin. Cnfiguratin Tls Detectin is the mst imprtant task f vulnerability management. Identifying the risks allws the rganizatin t be able t crrect the deficiency, prduce an accurate reprt fr a cmpliance audit, and reduce the level f risk. Hwever, it is imprtant t select the right tl fr the rganizatin. Sme tls, including the cmmercial detectrs Tenable Nessus, Rapid7 Nexpse, and eeye Retina with REM server integratin, have the ability t scale up depending n the size f the enterprise. Other tls will wrk better in smaller envirnment. The tl shuld als be able t utput in the specific reprting frmat required fr cmpliance purpses. The key t selecting a patch management suite is fr the sftware t supprt the majrity f the applicatins in the envirnment with the least amunt f verhead. Patching slutins (e.g., Micrsft SCCM and Altiris Patch Management) shuld als be strng in their ability t prduce status reprts and t autmate patch deplyment. The tls shuld help the rganizatin determine the manual and autmated prcesses, which are als dependent upn the type f platfrms invlved. If a tl des nt supprt a particular platfrm, remediatin n that platfrm becmes a manual prcess. Knwing this rati will help infrm the resurce needs. Prperly cnfigured remediatin and audit tls reduce the time and effrt needed t manually remediate and track enterprise vulnerabilities. Resurces COMMUNICATION Remediatin Status Mnthly & Mid- Cycle Reprts Plicy CONFIGURATION Tls Resurces Reprts COORDINATION Staffing Rles & Respnsibilities Apprpriate staffing is required fr a successful prgram. Resurce allcatin must include the verall management f the vulnerability prgram management, including auditing, as well as technical allcatins. The assigned resurces must have the crrect skillset t effectively interpret and remediate the findings in a timely manner. Figure 1: The Three Cs f VM

4 Supprt fr the prgram must als cme frm the rganizatin s management as a whle. The buy in f this key stakehlder ensures that the technical resurces are allcated the time necessary t manage the prgram and patches. Reprts Withut a system t rganize and interpret the data in the many reprts f a Vulnerability Management prgram, their value becmes mt. An effective prgram relies n an executive dashbard design t track trends and t prvide a current snapsht f the enterprise vulnerability status. This dashbard allws the Vulnerability Management crdinatr t chart available data pints, thereby prviding a different way t visualize the data. This dashbard makes it easier fr the crdinatr t spt trends and identify areas fr imprvement. In cmbinatin with this dashbard, reprting frm the detectin and patching tls delivers the mst accurate picture f an rganizatin's current risk level. The mnthly baseline enterprise scans create an nging and regularly ccurring reprt f the enterprise status. When prperly cnfigured, these reprts are generated by the tl itself and split accrding t device grupings. Frm there, the reprts either trigger an autmated respnse frm the system r signal fr persnnel t be deplyed fr the patch. Additinal scans prduce reprts that indicate the success f the patch. Mid-cycle vulnerability releases als have a rle in the reprt cnfiguratin. After a midcycle alert and subsequent remediatin, the next scheduled scan will cnfirm that the wrk is cmplete. Once remediatin, either resulting frm scan reprts r mid-cycle alerts, is cmplete, an imprtant aspect f cnfiguring the reprts is t prepare a prcess t frmat and archive the reprts fr tracking and auditability purpses. Wh is respnsible fr cmpleting these tasks is a cnnectin between this cmpnent and that f Crdinatin. Crdinatin Staffing Effective security requires cntinuus autmated mnitring f agency netwrks fr security prblems, immediate access t the Natinal Vulnerabilities Database t be able t identify prblems, and immediate mitigatin f prblems when they are fund. -CSIS, Apprpriate staffing is essential fr an effective Vulnerability Management prgram. The varius stakehlders must identify a Vulnerability Management crdinatr t versee the regularly ccurring prcesses and t becme familiar with the enterprise inventry. This persn is nt simply a technical resurce; the crdinatr will als facilitate the prcesses that help maintain the integrity f the Vulnerability Management prgram. Fr example, there may be instances where a vendr is unwilling t bring device sftware int cmpliance. The crdinatr will need t think thrugh a respnse and actin plan ahead f time t be prepared fr such a situatin. The crdinatr is als respnsible fr maintaining the executive dashbard, inventry prcess, reprt archives, and auditing dcuments. On the technical side, the respnding staff must be trained in the selected tl. They

5 shuld nt nly be able t administer the required patches, but they shuld have a slid understanding f the autmated prcesses as well. These staffing resurces als cntinuusly update the device inventry and carefully maintain recrds and tracking f remediatin actin, device updates, and device retirement. Even if all f these requirements are in place, the Vulnerability Management prgram will nt be effective if an adequate number f resurces are nt applied t the prgram. Rles & Respnsibilities Amng the Vulnerability Management stakehlders, there are varius different rles and respnsibilities. In a prgram that requires structure and cnsistency in rder t be successful, it is imprtant t define these rles (and clearly cmmunicate them, which links the "Crdinatin" cmpnent with the "Cmmunicatin" cmpnent) and the duties and tasks assciated with each. Even a simple Vulnerability Management prgram benefits frm a regularly updated prject plan that describes the varius rles and maps them t the scanning, reprting, and maintenance schedule. Particularly in an rganizatin where the resurces allcated t the Vulnerability Management prgram have ther respnsibilities, ensuring that their assigned tasks fr Vulnerability Management are clearly defined will supprt the cnsistency f the prgram. Fr example, certain resurces may be assigned t handle the scans and assciated autmated tasks while ther are respnsible fr facilitating vendr-released patches. The crdinatr may chse t be respnsible fr assigning risks r facilitating that task with senir leadership. The crdinatr may als maintain the executive dashbard and analyze the mnthly scanning reprts. Cmmunicatin Remediatin Status Once the prgram has prvided an rganizatin an assessment f its current risk level, the crdinatr can begin t clse any vulnerabilities that the detectin tls identified by implementing the selected patching tls. The cmmunicatin f the remediatin status ccurs via the Vulnerability Management dashbard. This centralized lcatin fr cmmunicating status allws all stakehlders t track which stage the remediatin is in the prcess frm detectin t risk determinatin and patching t the next successful scan. Timely and accurate cmmunicatin f remediatin status is especially imprtant t checking the success f the patch, whether manual r autmated, by the suspense date. Mnthly Reprts and Mid-Cycle Releases A cmplete picture f the Vulnerability Management prgram includes data frm the mnthly reprts and mid-cycle releases. The varius steps f the reprts and releases, explained in greater detail belw, create the infrmatin that directs the next steps in the Vulnerability Management prgram. Once again, timely and accurate cmmunicatin and tracking f the data in the reprts and releases is critical t the success f the entire prgram.

6 Plicy The Vulnerability Management prgram relies n plicies t ensure that the cnfiguratin, crdinatin, and cmmunicatin steps abve ccur as planned. Well-thught ut plicies plan fr user errrs and vendr issues. Hwever, plicies themselves d nt effect change. Effectively cmmunicating the plicies and subsequent plicy updates will ensure that the Vulnerability Management prgram runs accrding t plan. Enfrcing such plicies will als aide in preparatin fr cmpliance mnitring fr varius regulatry prgrams that require a Vulnerability Management prgram t be in place in an rganizatin. Vulnerability Management in Practice The cmpnents f the Vulnerability Management prgram base the mst critical decisins n the data frm mnthly baseline enterprise scans and mid-cycle vulnerability releases. Mnthly Baseline Enterprise Scans In the mnthly scans, the executive dashbard is ppulated with data as the prgram mves thrugh the fllwing steps: Enterprise Baseline Gruped Device Reprt Analysis f Next Steps Autmated Respnse Manual Respnse Validatin Scan Analysis Final Scan Archiving A baseline f the enterprise is created by the detectin tl based n the audits r signatures available at that pint in time. A reprt is generated thrugh the tl and is split in such a way where devices are gruped and assigned based upn the device type, gegraphical lcatin, r a cmbinatin f the tw. The reprt is sent t the respnsible persnnel fr actin. If there are autmated tls t aid with remediatin they are used t reduce the amunt f time required t patch. If n tls are deplyed in the enterprise r if the autmated tls cannt fully patch by the suspense date, persnnel are required t manually patch. After a predetermined amunt f time, a validatin scan is run against the devices which were determined t be vulnerable during the first baseline scan. Results are again passed n t the grups fr actin. A final scan is perfrmed after anther predetermined time perid. Any vulnerabilities must be patched as sn as pssible. If fr sme reasn a vulnerability cannt be remediated, the

7 subject matter expert must create a dcument which describes why the vulnerability cannt be remediated and a plan f actin t reduce risk alng with estimated dates remediatin can ccur. The VM crdinatr frmats and archives the reprting fr tracking and auditability purpses. If any plan f actin dcuments are pen, the crdinatr checks in with the respnsible teams fr status updates and t ensure that the plan is still accurate. Mid-Cycle Vulnerability Release Fr all prducts running in the enterprise, the vulnerability management crdinatr shuld receive alerts either frm the vendr r thrugh a third party service which prvides infrmatin n the latest identified issues. Vendr Vulnerability Alert Dashbard Updated Archiving Risk Assignment Next Scheduled Scan Analysis f Next Steps Suspense Date (r POA) Assests Affected Audit Cnfirmatin When a new vulnerability alert is received fr sftware r hardware, the vulnerability management crdinatr assigns a risk level and suspense date requirements t the alert fr reprting and remediatin. The alert is then disseminated t apprpriate team members fr actin. The team member respnds with the number f assets affected and a plan f actin if the time required t remediate will surpass the suspense date fr tracking purpses. The Vulnerability Management crdinatr ensures that the executive dashbard is updated with the numbers. The next scheduled scan with the mst current audit file will cnfirm the wrk has been successfully cmpleted and the pen items can be clsed ut in the tracker. If the subject matter expert is aware f any issues which wuld cause delays in remediatin f a mid-cycle vulnerability, the team member creates a plan f actin similar t the dcument referenced abve.

8 Clsing Summary Vulnerability scans are nly ne cmpnent in a successful Vulnerability Management prgram. The varius steps that ccur in the mnthly scans and mid-cycle releases must ccur within a framewrk that accunts fr the myriad ther activities assciated with identifying, remediating, and tracking the risks in any rganizatin. Specifically, balancing the cnfiguratin f tls, resurces, and reprts, the crdinatin f staffing, rles, and respnsibilities, and the cmmunicatin f remediatin status, reprts, and plicies is a careful and deliberate prcess requiring the supprt f leadership and the dedicatin f a team f qualified individuals. A high quality Vulnerability Management prgram is required fr cmpliance purpses, but it als is an indicatr f the integrity f the rganizatin as ne wh actively prtects its critical data. Kyle Snavely is a cybersecurity assciate at Veris Grup, LLC, a Vienna, VA-based cybersecurity firm and accredited FedRAMP 3PAO. Veris Grup, LLC Attn: Vulnerability Management 8229 Bne Blvd., Suite 750 Vienna, VA (703) [email protected] 1 SANS Institute (March 2013). The Critical Security Cntrls Reeder, F., Chenk, D., Evans, K., Lewis, J., and Paller, A. (Octber 2012). Updating U.S. Federal Cybersecurity Plicy and Guidance BOONE BLVD., SUITE 750 VIENNA, VA P: (703) F: (703) [email protected]