Vulnerability Risk Management 2.0: Best Practices for Managing Risk in the New Digital War
In 2015, 17 new security vulnerabilities are identified every day, nearly one every 90 minutes. This steady stream of new vulnerability discoveries has many causes, from flaws in software development and improper configuration of hardware and software applications to the inevitable unintended errors made by IT users. Vulnerability risk management has re-emerged as a top challenge and priority for even the most savvy IT organizations as new technologies such as mobile and cloud continue to proliferate and further expand the attack surface available to cybercriminals. Organizations once found it difficult to detect vulnerabilities and threats across the IT infrastructure; scanning technologies were introduced to solve that problem, and vulnerability scanners now provide visibility into the potential risk land mines across the network, applications and endpoints. But the question of what to do next has created an overload of data tracked in spreadsheets, inefficient business processes, and communication breakdowns between the internal teams in charge of remediation. Today, new challenges confront IT and security professionals tasked with vulnerability and threat management. This guide challenges organizations to rethink how they manage vulnerability risk: we will explore the current state of vulnerability risk management and recommend new insights to help organizations take the next step toward building a successful program.
The Evolution of Vulnerability Management
Security vulnerabilities have been prevalent since the invention of computer networks. In the past, organizations performed penetration testing at regular intervals to identify weaknesses across the IT infrastructure exposed to external and internal threats. Vulnerability scanners were then introduced to detect vulnerabilities automatically and on an ongoing basis. As data breaches started to proliferate, government and industry stepped in, passing regulations that require organizations to institute vulnerability management programs. The term vulnerability management is often confused with vulnerability scanning. Vulnerability management is the closed-loop process that includes vulnerability scanning but also takes into account other aspects such as remediation and risk acceptance. Today, vulnerability management has become as much about people and process as it is about technology, and this is where many programs are failing. The problem is not detection. Prioritization, remediation, and program governance have become the new priorities. Introducing a new era: Vulnerability Risk Management 2.0.
(Figure: VRM 2.0 sits at the intersection of people, process, and technology.)
To Be or Not to Be Hacked Should Not Be the Question
Cybercriminals had a banner year in 2014. Malware development was unprecedented, with over 600 new samples created every minute. Over 1 billion records were compromised in data breaches. Even more telling, among known attacks, 99.9% of exploited vulnerabilities had been compromised more than a year after being published. These numbers speak volumes about the digital war that organizations must defend against today. To be or not to be hacked is no longer a question of if, but rather when. The inevitable breach has become a commonly accepted reality. Vulnerability risk management calls for a new approach that moves beyond a simple exercise in patch management to one focused on risk reduction. To effectively close the window of vulnerability, organizations must begin to measure success as risk reduction, not as the number of patches applied.
(Callout: 603 new malware pieces are created every minute. Source: 2015 Internet Security Threat Report, Symantec.)
(Callout: 99.9% of exploited vulnerabilities had been compromised more than a year after being published. Source: 2015 Verizon Data Breach Investigations Report.)
(Advertisement: Precision threat prediction and remediation. Find the next big threat before it finds you. NopSec is changing the face of vulnerability risk management. Learn more at www.nopsec.com.)
Vulnerability Risk Management 2.0: A New Approach
Much of the last decade has been spent detecting vulnerabilities across the IT environment. This has done little to move organizations closer to the real problem: patching the systems and applications that hackers are most likely to target. Vulnerability risk management has entered a new era, and the issues have changed. Security practitioners have moved from asking "How do I find the problem?" to "How do I fix the problem?", creating a need for new tools, technology, and processes to answer that question. Vulnerability risk management 2.0 comprises three core areas: prioritization, remediation, and governance.
(Figure: VRM 2.0 = Prioritization, Remediation, Governance.)
Prioritization
In the land of cybersecurity, not all vulnerabilities are created equal. While the Common Vulnerability Scoring System (CVSS) score gives organizations a basis for beginning to prioritize threats, it is by no means the best measurement of risk on its own. Factors such as known exploits, malware attacks, and the criticality of an asset also need to be considered. Even social media is a proven indicator of vulnerability risk: a critical vulnerability is mentioned an average of 748 times on social media, versus 89 times for vulnerabilities classified as high risk. Some organizations do correlate CVSS scores with threat intelligence, but it is often a manual process tracked in spreadsheets that consumes valuable time and resources which could be redirected to more effective activities. Technologies such as NopSec Unified VRM can eliminate the labor-intensive tasks associated with prioritization. By translating security findings into business risk, organizations can focus resources based on the likelihood of breach rather than on CVSS scores alone. Using machine learning techniques and incorporating open source and commercial threat intelligence feeds and social media, NopSec Unified VRM saves the countless hours otherwise spent manually correlating these factors into actionable steps.
(Callout: Critical vulnerabilities get 8X more mentions on social media than vulnerabilities classified as high risk.)
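As an added example (not NopSec code and not the Unified VRM scoring model), the following Python ranks constructed findings by a simple risk score that folds known exploits, malware activity and asset criticality into the CVSS base score, then contrasts that order with a CVSS-only ranking and with a fixed CVSS cut-off of the kind the compliance section below discusses. The weights, the VULN-* identifiers and the sample values are assumptions made for illustration.

```python
# Added example, not NopSec's code: risk-based prioritization versus CVSS alone.
# Weights, identifiers and sample findings are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_public: bool    # a working exploit is publicly available
    malware_seen: bool      # malware observed abusing this vulnerability
    asset_criticality: int  # 1 (low) .. 3 (critical), set by the asset owner


def risk_score(f: Finding) -> float:
    """Likelihood-of-breach style score: CVSS is only the starting point."""
    likelihood = f.cvss / 10.0
    if f.exploit_public:
        likelihood += 0.3          # assumed weight for exploit availability
    if f.malware_seen:
        likelihood += 0.3          # assumed weight for active malware use
    likelihood = min(likelihood, 1.0)
    impact = f.asset_criticality / 3.0
    return round(likelihood * impact * 10, 2)


def rank_by_cvss(findings):
    """What a spreadsheet sorted on CVSS alone produces."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """The same findings ordered by the combined risk score."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def above_cvss_threshold(findings, threshold: float):
    """Findings a fixed CVSS cut-off (e.g. 6.0) would select for remediation."""
    return sorted(f.vuln_id for f in findings if f.cvss >= threshold)


# Constructed sample: VULN-A is the Heartbleed-like case (CVSS 5.0, public
# exploit, malware activity, critical asset); the others score higher on CVSS.
SAMPLE = [
    Finding("VULN-A", 5.0, True, True, 3),
    Finding("VULN-B", 7.5, False, False, 1),
    Finding("VULN-C", 9.8, False, False, 2),
    Finding("VULN-D", 6.1, True, False, 2),
]
```

A CVSS-only sort puts VULN-A last and a 6.0 cut-off drops it entirely, while the combined score ranks it first.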
Remediation
The lack of a unified view directly contributes to the breakdown of communication between the internal teams tasked with remediation. This is apparent in that it takes an average of 103 days to remediate a vulnerability, and in some cases even longer: one out of three vulnerabilities in the financial industry takes over a year to fix. Workflow automation is essential to accelerate the remediation process. From simple ticket and task management to notifications and patch deployment, automated remediation within a single platform can significantly reduce the time spent navigating and updating multiple systems. Synchronizing communication is also key to providing much-needed visibility between internal teams. Imagine being able to assign a group of critical vulnerabilities to a system administrator for remediation, including complete information on the threat, the top assets prioritized by risk, and direct links to available patches, all in a single click and from a single platform.
(Callout: 33%: one out of three vulnerabilities in the financial industry takes over a year to remediate.)
Governance
The adage "You can't manage it if you can't measure it" holds true when evaluating the success of your vulnerability risk management program. But what does success look like? For most organizations this will vary depending on the regulatory nature of their industry and their overall risk management strategy. Program governance is necessary for many reasons, but two focus areas are critical. First, for the teams actually involved in remediation, communication and goal setting are critical. For example, looking at hard metrics such as vulnerability aging can help internal teams identify gaps and address them to improve the process. Second, governance helps IT and security teams translate information security goals into tangible business information. This is an essential step in bridging the communication gap between the teams doing the work and C-level executives. IT and security teams demonstrate greater value when they can move from communicating the number of vulnerabilities patched to the percentage of risk removed from critical systems. Establishing the right metrics is the key to any successful governance program, but the program must also have the flexibility to evolve with the changing threat landscape. In the case of vulnerability risk management, governance may start with baseline metrics such as the number of days to patch critical systems. As the program evolves, new and more specific metrics can be introduced, such as the number of days from discovery to resolution (i.e., from the time a patch is available to its actual application).
(Callout: Program governance is critical to make success visible to the CISO and other key executives who have a stake in ensuring the security and reputation of an organization.)
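As an added example (not NopSec code), the following Python computes the governance metrics the section names over a constructed finding list: vulnerability aging for open findings, the baseline days-to-remediate on critical assets, the more specific patch-available-to-applied interval, and the percentage of critical-asset risk removed rather than a patch count. The dates, risk points and VULN-* identifiers are constructed sample data.

```python
# Added example, not NopSec's code: governance metrics over constructed findings.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    vuln_id: str               # placeholder identifier, not a real CVE
    asset_critical: bool       # finding sits on a critical system
    risk: float                # risk points assigned at prioritization time
    discovered: date
    patch_available: date
    resolved: Optional[date]   # None while the finding is still open


def aging_days(findings, as_of: date) -> dict:
    """Vulnerability aging: how long each still-open finding has been known."""
    return {f.vuln_id: (as_of - f.discovered).days
            for f in findings if f.resolved is None}


def mean_days_to_remediate_critical(findings) -> float:
    """Baseline metric: mean discovery-to-resolution days on critical assets."""
    closed = [f for f in findings if f.asset_critical and f.resolved]
    return mean((f.resolved - f.discovered).days for f in closed)


def mean_patch_to_apply_days(findings) -> float:
    """More specific metric: days from patch availability to its application."""
    closed = [f for f in findings if f.resolved]
    return mean((f.resolved - f.patch_available).days for f in closed)


def pct_risk_removed_critical(findings) -> float:
    """Executive view: share of critical-asset risk already closed."""
    crit = [f for f in findings if f.asset_critical]
    total = sum(f.risk for f in crit)
    removed = sum(f.risk for f in crit if f.resolved)
    return round(100 * removed / total, 1) if total else 0.0


# Constructed sample data (dates and risk points are invented for illustration).
SAMPLE = [
    Finding("VULN-A", True, 10.0, date(2015, 1, 5), date(2015, 1, 5), date(2015, 1, 20)),
    Finding("VULN-B", False, 2.5, date(2015, 1, 10), date(2015, 1, 12), None),
    Finding("VULN-C", True, 6.5, date(2015, 2, 1), date(2015, 2, 10), None),
    Finding("VULN-D", True, 6.0, date(2015, 2, 1), date(2015, 2, 3), date(2015, 3, 3)),
]
```

Two of three critical findings are closed, yet only about 71% of critical-asset risk is removed, which is the figure the section suggests reporting upward instead of the patch count.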
Regulatory Compliance: Friend or Foe?
Government and industry regulations have compelled organizations to take action on cyber security, and nearly all of them include some flavor of vulnerability risk management requirements. So much time is spent on a check-the-box mentality and preparing for audits that little room is left for measuring the real risk posture of an organization. Today, 32% of organizations spend more than one-quarter of their IT security budget on addressing compliance, but has security risk been drastically reduced as a result? The debate continues as to whether the drawbacks outweigh the benefits. Consider the PCI DSS standard for vulnerability management, which requires remediation of any vulnerability with a CVSS score of 6.0 or higher. This simple standard does not consider other risk factors such as the business value of an asset or the external threat environment. By eliminating this set of vulnerabilities, how much risk has actually been reduced? Remember, Heartbleed was given a CVSS score of 5.0. The perils of non-compliance, with the resulting fines or residual brand damage, are stifling innovation and making it difficult for organizations to take a risk-based approach to vulnerability risk management. For practitioners, technologies that enable prioritized recommendations, workflow automation, and governance can help simplify compliance as well as deliver real visibility into risk reduction.
(Callout: 32% of organizations spend more than one-quarter of their IT security budget on compliance mandates. Source: SANS Institute.)
Ready for a New Approach? Whether you are just starting to build out your vulnerability risk management program or looking to give your existing one a boost, see how NopSec Unified VRM can help bring your organization to the next level. Visit www.nopsec.com or email info@nopsec.com for more information or to request a demo today.
For additional information or to schedule a demo, visit www.nopsec.com or email info@nopsec.com.