VRDA Vulnerability Response Decision Assistance



Similar documents
How To Use A Policy Auditor (Macafee) To Check For Security Issues

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

BMC Client Management - SCAP Implementation Statement. Version 12.0

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Federal Desktop Core Configuration (FDCC)

Organizational internal computer security incident responding structure : CSIRT

6. Exercise: Writing Security Advisories

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference

Secunia Vulnerability Intelligence Manager

How To Monitor Your Entire It Environment

An Enterprise Continuous Monitoring Technical Reference Architecture

Security compliance automation with Red Hat Satellite

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

Automating Compliance with Security Content Automation Protocol

An Approach to Vulnerability Management, Configuration Management, and Technical Policy Compliance

Continuous Monitoring

Building CSIRT Capabilities

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Building a Data Quality Scorecard for Operational Data Governance

FDCC & SCAP Content Challenges. Kent Landfield Director, Risk and Compliance Security Research McAfee Labs

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

AHS Flaw Remediation Standard

STIGs,, SCAP and Data Metrics

Software Vulnerability Assessment

Guide to Enterprise Patch Management Technologies

ICT Security Cybersecurity CYBEX Overview of activities in ITU-T with focus on Study Group 17

Towards Unifying Vulnerability Information for Attack Graph Construction

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

Pragmatic Metrics for Building Security Dashboards

DNS Security Survey for National Computer Security Incident Response Teams December 2010

Regional Seminar on Cyber Preparedness ITU s work in Cybersecurity and Global Cybersecurity Index (GCI)

Qualys PC/SCAP Auditor

Towards security management in the cloud utilizing SECaaS

Incident Management ITU Pillars & Qatar Case Study Michael Lewis, Deputy Director

Common Platform Enumeration (CPE) Technical Use Case Analysis

Toward an Ontology Architecture for Cyber-Security Standards

CERT/CC Overview & CSIRT Development Team Activities

Web Application Security. Sajjad Pourali CERT of Ferdowsi University of Mashhad

Vulnerability Management

Creating and Managing Computer Security Incident Response Teams (CSIRTs)

D. Best Practices D.2. Administration The 6 th A

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT)

White paper. Creating an Effective Security Operations Function

3 Web Services Threats, Vulnerabilities, and Countermeasures

Managed Incident Lightweight Exchange (MILE)

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

The Emergence of Security Business Intelligence: Risk

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

Vulnerability Management Nirvana: A Study in Predicting Exploitability

Cisco Security IntelliShield Alert Manager Service

Cyber Security RFP Template

Asset management guidelines

Department of Information and Technology Management

Manage Vulnerabilities (VULN) Capability Data Sheet

Total Protection for Compliance: Unified IT Policy Auditing

Security Vulnerability Management. Mark J Cox

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

Introduction to OVAL: A new language to determine the presence of software vulnerabilities

Vulnerability Assessment Report Format Data Model

DoD Secure Configuration Management (SCM) Operational Use Cases

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Reference Ontology for Cybersecurity Operational Information

CDM Vulnerability Management (VUL) Capability

Guideline on Auditing and Log Management

Find the needle in the security haystack

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

User s Guide. Skybox Risk Control Revision: 11

Secstate: Flexible Lockdown, Auditing, and Remediation

The Value of Vulnerability Management*

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Enterprise Software Management Systems by Using Security Metrics

GFI White Paper PCI-DSS compliance and GFI Software products

Q: What is CVSS? Q: Who developed CVSS?

How to Develop an Effective Vulnerability Management Process

STREAM Cyber Security

Vulnerability Management with the Splunk App for Enterprise Security

DEVELOPING AN IT SERVICE MANAGEMENT TRAINING STRATEGY & PLAN. Version : 1.0 Date : April 2009 : Pink Elephant

Advanced Risk Analysis for High-Performing Organizations

Federal Mobile App Vetting Center for Assured Software Pilot. Nick Valletta

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

University of Wisconsin Platteville IT Governance Model Final Report Executive Summary

Continuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012

1 Introduction Product Description Strengths and Challenges Copyright... 5

Transcription:

VRDA Vulnerability Response Decision Assistance Art Manion CERT/CC Yurie Ito JPCERT/CC EC2ND 2007 2007 Carnegie Mellon University

VRDA Rationale and Design 2

Problems Duplication of effort Over 8,000 vulnerability reports in 2007 Various sources, formats, languages, contents, levels of detail, accuracy, comprehensibility Collection and analysis requires significant effort 3

Problems (2) Inconsistent response decisions Analysts may disagree Analysts apply personal prejudices Decisions may not represent organizational values 4

Problems (3) Existing metrics insufficient Most metrics output global severity values One size does not fit all. Common Vulnerability Scoring System (CVSS) Contains environmental metrics Focus on base score Values vary by organization May respond differently to the same vulnerability Use different software Use the same software in different ways Value information assets differently 5

Solution VRDA proposes to answer the question: How do I best respond to a given vulnerability report? Goals Record vulnerability data in structured format Support individualized response decision Transition organizational knowledge from human analysts to VRDA Improve response accuracy and consistency Reduce duplication of effort 6

Audience System administrators Operational responsibility for fixing systems CSIRTs Provided advice to system administrators, users Vendors Product security response teams Anybody regularly responding to vulnerability reports 7

Operational Concept 8

Components Decisions to make: Tasks Vulnerability representation: Facts Product usage: LAPTs Encoding decision-making: Decision Model 9

Tasks Decisions an organization must make Specific to each VRDA user Example tasks Publish an advisory Initiate patch process Implement workaround Ignore (don t expend effort on low priority vulnerabilities) 10

Facts Properties of vulnerabilities and their environment Assertions based on available information Vulnerability Facts inherent technical attributes World Facts about environment Constituency Facts specific to VRDA user organization Balance accuracy, completeness, granularity, cost 11

LAPTs Lightweight Affected Product Tags Problem: Constituency facts cannot be given to you LAPTs identify products affected by vulnerability Facilitates lookup of constituency facts External feed provides LAPTs for each vulnerability Cross-reference with your database 12

Decision Model Represents individualized decision-making behavior Expert system encoding organizational values Decision trees 13

Decision Model (2) Why decision trees? Observable, understandable Can be created and refined by hand Model creation Design initial model from experience Create empirical model based on recorded data 14

Related Work Structured vulnerability descriptions Common Vulnerability Scoring System (CVSS) Open Source Vulnerability Database (OSVDB) Open Vulnerability and Assessment Language (OVAL) Advisory exchange formats Common Announcement Interchange Format (CAIF) EISPP Common Advisory Format Description Deutsches Advisory Format (DAF) VULnerability Data publication and Exchange Format (VULDEF) System information Common Model of System Information (CMSI) Common Product Enumeration (CPE) 15

Related Work (2) Severity metrics Common Vulnerability Scoring System (CVSS) Security Content Automation Protocol (SCAP) National (US) Institute of Standards and Technology (NIST), MITRE Set of vulnerability management and compliance standards (CVE, CCE, CPE, CVSS, XCCDF, OVAL) 16

VRDA Usage with KENGINE 17

KENGINE VRDA implementation developed by JPCERT/CC Intend to open-source KENGINE provides consistent analysis and reasoning action Other KENGINE functions Task management LAPT management Decision tree management Reporting KENGINE Minimum resources to handle the maximum number of vulnerabilities 18

Deployment Interview user organization Determine all possible tasks Identify task dependencies Mandatory/conditional actions do not involve choice, not tasks Determine facts Select only facts necessary to make decisions about tasks Develop decision model Teach/train the system using sample VRDA data and choosing appropriate tasks Create or modify decision trees manually 19

Usage CERT/CC, JPCERT/CC publish vulnerability facts (metrics) User determines tasks, creates decision model, provides userspecific facts (metrics) KENGINE gives prioritized response decision Compare VRDA decisions with actual response, adjust decision model as necessary Graphic on all three slides with parts highlighted 20

Usage Get or create VRDA data CERT/CC and JPCERT/CC publish fact feeds Score organization-specific facts Process vulnerability reports Use the decision model Record actual decisions 21

Feedback Compare recommendations with actual decisions Refine decision making process Update decision model Facts may be missing or inaccurate Tasks may be missing 22

JPCERT/CC Operation Feed back Incident Reports Vulnerability Reports Traffic Monitoring Public monitoring Analysis Special Communication Alert JVN International CSIRT FIRST APCERT CERT/CC CPNI Vendors Hardware/software vendors, SIers Japanese partners ISPs, Organization CSIRTs Public info Security site, Community, media Incident Reports System Admin Web admin Weekly Report Workshop, awareness program Monitoring Validation Categorize Data store Triage escalation publish Feedback 23

JPCERT/CC Facts 1. Impact Constituency Facts Vulnerability Facts 2. System Importance in Japan 3. System Population in Japan World Facts 4. Usage by critical infrastructure 5. Impact to internet infrastructure 6. Access requirement 7. How complicated is the attack? 8. Incident/attack activity 9. Information accessibility (public or private report) 10. Confidence in the information source 11. Availability of remediation (patch/countermeasures) 12. Usage by JPCERT 24

Feed Operation Feed service provider Internet Intranet CSIRT users FS #2 connector Feed reader adapter FS #3 connector FS #1 FS #4 connector Light users Feed reader connector Feed reader View as web page Developers, heavy users OSS base KENGINE Data format might also available in other XML based format connector tool OSS base tool 25

KENGINE 26

Vulnerability Reports 27

Vulnerability Report Detail 28

LAPT Management 29

Task Workflow 30

Decision Tree 31

Task Deviation Report 32

Progress Report 33

Handling Volume Report 34

Future KENGINE availability JPCERT/CC intends to provide open-source Documented in Japanese and English JPCERT/CC VRDA data feeds with vulnerability and world facts Pilot program in progress Deployment consulting CERT/CC Developing pilot program Considering integration into workflow and products 35

More Information Art Manion <amanion@cert.org> Yurie Ito <yito@jpcert.or.jp> 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information