Vulnerability Management: Creating a Process for Results
Kyle Snavely, Veris Group, LLC

Summary
Organizations increasingly rely on vulnerability scanning to identify risks and follow up with remediation of those risks. However, in the absence of a complete Vulnerability Management program, organizations may fail to gain a complete and accurate assessment of their vulnerabilities. Likewise, organizations without clear processes for communicating the associated tasks and data of the scans may also fail to adequately execute patches, or they may not track and archive the information required for regulatory compliance. A Vulnerability Management program designed for results takes into consideration the configuration, coordination, and communication necessary to successfully protect critical data and reduce the risks to the organization.

WHY VULNERABILITY MANAGEMENT?
- Ensure protection of critical data
- Meet compliance regulations
- Reduce risk or minimize impact by addressing vulnerabilities in a timely manner
- Prepare to meet future security needs of a growing organization

What is Vulnerability Management?
Vulnerability scanning is increasingly common in organizations across industries, particularly those who must adhere to federal, industry, or other regulations regarding cybersecurity. The scans themselves are designed to discover risks throughout the organization's networks; however, scanning in the absence of a complete Vulnerability Management program can actually do as much harm as good. Scans produce data, but that data presents its own set of questions, including:
- What updates and patches are available to the systems in the enterprise?
- Which devices were included in the scans?
- Which vulnerabilities should be remediated first?
- Who is responsible for the remediation?
These questions, albeit not an exhaustive list, confirm the many critical components of security that a comprehensive vulnerability management program addresses.

SANS Institute, an established cybersecurity training organization, calls a continuous vulnerability assessment and remediation process one of the top 20 Critical Security Controls. As much as the author emphasizes the need for vulnerability scanning, SANS further points out that if the scans are not properly maintained and regulated, attackers use the scans as a point of exploitation. While this may be an extreme example, it supports a very important point: Vulnerability Management is about much more than scanning.

Challenges of Vulnerability Management
For many organizations, it is challenging enough to implement scanning, let alone a complex Vulnerability Management program. Designing and implementing an effective program involves many steps and decision points. The challenges begin in the planning phase, which usually assumes the existence of a thorough and accurate device inventory. This is a large assumption to make, since many organizations do not accurately maintain an inventory of all enterprise assets. Tool selection and configuration is a challenge at this stage as well, and it can impact the success of the Vulnerability Management program by freeing up resources with automated processes.

Figure 1: VM Stakeholders (CEO, IT Director, Systems Administrators, Vulnerability Management Coordinator, Technical Team Supervisor, Security Analysts, Network Engineers)

"It is important to carefully control authenticated vulnerability scans and the associated administrator account. Attackers will take over one machine with local privileges, and wait for an authenticated scan to occur against the machine. When the scanner logs in with domain admin privileges, the attacker either grabs the token of the logged-in scanning tool, or sniffs the challenge response and cracks it. Either way, the attacker then can pivot anywhere else in the organization as domain administrator." - SANS [1]

The challenges continue throughout the actual scanning process as all of the various stakeholders attempt to discern who is responsible for what actions, and what the priority of a reported vulnerability is. Once a patch is executed, the stakeholders rely on a system to track, check, and revisit the patches, as well as log the various firmware updates. Veris Group has identified three critical components to consider for organizations seeking to implement a successful and cost-effective Vulnerability Management program.

The Three Cs of a Successful Vulnerability Management Program
A Vulnerability Management program allows the organization to plan for the scans, but also for the people and the processes that lead to the success of the program. By configuring the tools, resources, and reporting mechanisms ahead of time, the program is ready to handle the data that the scans produce. Then, through the proper coordination of staffing and definition of roles and responsibilities, the organization can ensure that the data results in the correct solution in a timely manner. Finally, by communicating the status, reports, releases, and policies associated with the program, the stakeholders ensure that the data results in a secure and compliant organization.

Configuration

Tools
Detection is the most important task of vulnerability management. Identifying the risks allows the organization to correct the deficiency, produce an accurate report for a compliance audit, and reduce the level of risk. However, it is important to select the right tool for the organization. Some tools, including the commercial detectors Tenable Nessus, Rapid7 Nexpose, and eEye Retina with REM server integration, have the ability to scale up depending on the size of the enterprise. Other tools will work better in smaller environments. The tool should also be able to output in the specific reporting format required for compliance purposes. The key to selecting a patch management suite is for the software to support the majority of the applications in the environment with the least amount of overhead. Patching solutions (e.g., Microsoft SCCM and Altiris Patch Management) should also be strong in their ability to produce status reports and to automate patch deployment. The tools should help the organization determine the manual and automated processes, which are also dependent upon the type of platforms involved. If a tool does not support a particular platform, remediation on that platform becomes a manual process. Knowing this ratio will help inform the resource needs. Properly configured remediation and audit tools reduce the time and effort needed to manually remediate and track enterprise vulnerabilities.

Resources
Appropriate staffing is required for a successful program. Resource allocation must include the overall management of the vulnerability program, including auditing, as well as technical allocations. The assigned resources must have the correct skillset to effectively interpret and remediate the findings in a timely manner.

Figure 1: The Three Cs of VM (Configuration: Tools, Resources, Reports; Coordination: Staffing, Roles & Responsibilities; Communication: Remediation Status, Monthly & Mid-Cycle Reports, Policy)

Support for the program must also come from the organization's management as a whole. The buy-in of this key stakeholder ensures that the technical resources are allocated the time necessary to manage the program and patches.

Reports
Without a system to organize and interpret the data in the many reports of a Vulnerability Management program, their value becomes moot. An effective program relies on an executive dashboard design to track trends and to provide a current snapshot of the enterprise vulnerability status. This dashboard allows the Vulnerability Management coordinator to chart available data points, thereby providing a different way to visualize the data. This dashboard makes it easier for the coordinator to spot trends and identify areas for improvement. In combination with this dashboard, reporting from the detection and patching tools delivers the most accurate picture of an organization's current risk level. The monthly baseline enterprise scans create an ongoing and regularly occurring report of the enterprise status. When properly configured, these reports are generated by the tool itself and split according to device groupings. From there, the reports either trigger an automated response from the system or signal for personnel to be deployed for the patch. Additional scans produce reports that indicate the success of the patch. Mid-cycle vulnerability releases also have a role in the report configuration. After a mid-cycle alert and subsequent remediation, the next scheduled scan will confirm that the work is complete. Once remediation, whether resulting from scan reports or mid-cycle alerts, is complete, an important aspect of configuring the reports is to prepare a process to format and archive the reports for tracking and auditability purposes. Who is responsible for completing these tasks is a connection between this component and that of Coordination.

Coordination

Staffing
"Effective security requires continuous automated monitoring of agency networks for security problems, immediate access to the National Vulnerabilities Database to be able to identify problems, and immediate mitigation of problems when they are found." - CSIS, 2012 [2]

Appropriate staffing is essential for an effective Vulnerability Management program. The various stakeholders must identify a Vulnerability Management coordinator to oversee the regularly occurring processes and to become familiar with the enterprise inventory. This person is not simply a technical resource; the coordinator will also facilitate the processes that help maintain the integrity of the Vulnerability Management program. For example, there may be instances where a vendor is unwilling to bring device software into compliance. The coordinator will need to think through a response and action plan ahead of time to be prepared for such a situation. The coordinator is also responsible for maintaining the executive dashboard, inventory process, report archives, and auditing documents. On the technical side, the responding staff must be trained in the selected tool. They should not only be able to administer the required patches, but they should have a solid understanding of the automated processes as well. These staffing resources also continuously update the device inventory and carefully maintain records and tracking of remediation actions, device updates, and device retirement. Even if all of these requirements are in place, the Vulnerability Management program will not be effective if an adequate number of resources are not applied to the program.

Roles & Responsibilities
Among the Vulnerability Management stakeholders, there are various different roles and responsibilities. In a program that requires structure and consistency in order to be successful, it is important to define these roles (and clearly communicate them, which links the "Coordination" component with the "Communication" component) and the duties and tasks associated with each. Even a simple Vulnerability Management program benefits from a regularly updated project plan that describes the various roles and maps them to the scanning, reporting, and maintenance schedule. Particularly in an organization where the resources allocated to the Vulnerability Management program have other responsibilities, ensuring that their assigned tasks for Vulnerability Management are clearly defined will support the consistency of the program. For example, certain resources may be assigned to handle the scans and associated automated tasks while others are responsible for facilitating vendor-released patches. The coordinator may choose to be responsible for assigning risks or facilitating that task with senior leadership. The coordinator may also maintain the executive dashboard and analyze the monthly scanning reports.

Communication

Remediation Status
Once the program has provided an organization an assessment of its current risk level, the coordinator can begin to close any vulnerabilities that the detection tools identified by implementing the selected patching tools. The communication of the remediation status occurs via the Vulnerability Management dashboard. This centralized location for communicating status allows all stakeholders to track which stage of the process the remediation is in, from detection to risk determination and patching to the next successful scan. Timely and accurate communication of remediation status is especially important to checking the success of the patch, whether manual or automated, by the suspense date.

Monthly Reports and Mid-Cycle Releases
A complete picture of the Vulnerability Management program includes data from the monthly reports and mid-cycle releases. The various steps of the reports and releases, explained in greater detail below, create the information that directs the next steps in the Vulnerability Management program. Once again, timely and accurate communication and tracking of the data in the reports and releases is critical to the success of the entire program.

Policy
The Vulnerability Management program relies on policies to ensure that the configuration, coordination, and communication steps above occur as planned. Well-thought-out policies plan for user errors and vendor issues. However, policies themselves do not effect change. Effectively communicating the policies and subsequent policy updates will ensure that the Vulnerability Management program runs according to plan. Enforcing such policies will also aid in preparation for compliance monitoring for various regulatory programs that require a Vulnerability Management program to be in place in an organization.

Vulnerability Management in Practice
The components of the Vulnerability Management program base the most critical decisions on the data from monthly baseline enterprise scans and mid-cycle vulnerability releases.

Monthly Baseline Enterprise Scans
In the monthly scans, the executive dashboard is populated with data as the program moves through the following steps:
- Enterprise Baseline
- Grouped Device Report
- Analysis of Next Steps
- Automated Response
- Manual Response
- Validation Scan
- Analysis
- Final Scan
- Archiving

A baseline of the enterprise is created by the detection tool based on the audits or signatures available at that point in time. A report is generated through the tool and is split in such a way that devices are grouped and assigned based upon the device type, geographical location, or a combination of the two. The report is sent to the responsible personnel for action. If there are automated tools to aid with remediation, they are used to reduce the amount of time required to patch. If no tools are deployed in the enterprise, or if the automated tools cannot fully patch by the suspense date, personnel are required to patch manually. After a predetermined amount of time, a validation scan is run against the devices which were determined to be vulnerable during the first baseline scan. Results are again passed on to the groups for action. A final scan is performed after another predetermined time period. Any vulnerabilities must be patched as soon as possible. If for some reason a vulnerability cannot be remediated, the subject matter expert must create a document which describes why the vulnerability cannot be remediated and a plan of action to reduce risk, along with estimated dates on which remediation can occur. The VM coordinator formats and archives the reporting for tracking and auditability purposes. If any plan of action documents are open, the coordinator checks in with the responsible teams for status updates and to ensure that the plan is still accurate.

Mid-Cycle Vulnerability Release
For all products running in the enterprise, the vulnerability management coordinator should receive alerts either from the vendor or through a third-party service which provides information on the latest identified issues. The steps in this cycle are:
- Vendor Vulnerability Alert
- Risk Assignment
- Analysis of Next Steps
- Suspense Date (or POA)
- Assets Affected
- Dashboard Updated
- Next Scheduled Scan
- Audit Confirmation
- Archiving

When a new vulnerability alert is received for software or hardware, the vulnerability management coordinator assigns a risk level and suspense date requirements to the alert for reporting and remediation. The alert is then disseminated to appropriate team members for action. The team member responds with the number of assets affected and, for tracking purposes, a plan of action if the time required to remediate will surpass the suspense date. The Vulnerability Management coordinator ensures that the executive dashboard is updated with the numbers. The next scheduled scan with the most current audit file will confirm the work has been successfully completed and the open items can be closed out in the tracker. If the subject matter expert is aware of any issues which would cause delays in remediation of a mid-cycle vulnerability, the team member creates a plan of action similar to the document referenced above.
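As an added example (not the whitepaper's or Veris Group's own tooling), the Python tracker below models both flows above: an item opens from a monthly baseline finding or a mid-cycle vendor alert, the coordinator's risk level maps to a suspense date (the day counts in SUSPENSE_DAYS are an assumed policy, not from the paper), a team response that overruns the suspense date becomes a plan of action, and only a later scan closes an item and writes the archive entry. All identifiers such as VULN-A and srv1 are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy (not from the whitepaper): days allowed from detection or
# vendor alert to confirmed remediation, per risk level set by the coordinator.
SUSPENSE_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}


@dataclass
class Item:
    key: str                  # vulnerability identifier (constructed in tests)
    source: str               # "baseline" (monthly scan) or "mid-cycle" (vendor alert)
    risk: str
    suspense: date            # date by which remediation must be confirmed by a scan
    assets: Set[str] = field(default_factory=set)
    status: str = "open"      # open -> poa (plan of action) -> closed
    poa_estimate: Optional[date] = None


class Tracker:
    """Items open from scans or alerts; only a later scan closes them."""

    def __init__(self) -> None:
        self.items: Dict[str, Item] = {}
        self.archive: List[str] = []   # audit trail kept by the coordinator

    def open_item(self, key: str, source: str, risk: str, today: date) -> Item:
        """Coordinator assigns a risk level; the suspense date follows from policy."""
        suspense = today + timedelta(days=SUSPENSE_DAYS[risk])
        self.items[key] = Item(key, source, risk, suspense)
        return self.items[key]

    def ingest_baseline(self, findings: Dict[str, Set[str]],
                        risks: Dict[str, str], today: date) -> None:
        """Monthly baseline: each reported vulnerability becomes (or extends) an item."""
        for key, hosts in findings.items():
            item = self.items.get(key) or self.open_item(key, "baseline", risks[key], today)
            item.assets |= hosts

    def team_response(self, key: str, affected: Set[str], estimated_done: date) -> str:
        """Team reports assets affected; a plan of action is required past suspense."""
        item = self.items[key]
        item.assets |= affected
        if estimated_done > item.suspense:
            item.status, item.poa_estimate = "poa", estimated_done
        return item.status

    def apply_scan(self, findings: Dict[str, Set[str]], today: date) -> List[str]:
        """Validation or next scheduled scan: hosts no longer reported are cleared;
        an item with no remaining hosts closes and is archived."""
        closed = []
        for item in self.items.values():
            if item.status == "closed":
                continue
            item.assets &= findings.get(item.key, set())
            if not item.assets:
                item.status = "closed"
                closed.append(item.key)
                self.archive.append(f"{today.isoformat()} {item.key} confirmed remediated")
        return closed

    def overdue(self, today: date) -> List[str]:
        """Open items past suspense with no plan of action: these need escalation."""
        return sorted(i.key for i in self.items.values()
                      if i.status == "open" and today > i.suspense)

    def poa_checkins(self) -> List[str]:
        """Items the coordinator must revisit with the responsible team."""
        return sorted(i.key for i in self.items.values() if i.status == "poa")

    def dashboard(self) -> Dict[str, int]:
        counts = {"open": 0, "poa": 0, "closed": 0}
        for i in self.items.values():
            counts[i.status] += 1
        return counts
```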

Closing Summary
Vulnerability scans are only one component in a successful Vulnerability Management program. The various steps that occur in the monthly scans and mid-cycle releases must occur within a framework that accounts for the myriad other activities associated with identifying, remediating, and tracking the risks in any organization. Specifically, balancing the configuration of tools, resources, and reports, the coordination of staffing, roles, and responsibilities, and the communication of remediation status, reports, and policies is a careful and deliberate process requiring the support of leadership and the dedication of a team of qualified individuals. A high-quality Vulnerability Management program is required for compliance purposes, but it also is an indicator of the integrity of the organization as one who actively protects its critical data.

Kyle Snavely is a cybersecurity associate at Veris Group, LLC, a Vienna, VA-based cybersecurity firm and accredited FedRAMP 3PAO.

Veris Group, LLC, Attn: Vulnerability Management, 8229 Boone Blvd., Suite 750, Vienna, VA 22182. P: (703) 760-9160, F: (703) 760-9164, info@verisgroup.com, www.verisgroup.com

References
[1] SANS Institute (March 2013). The Critical Security Controls 4.1. http://www.sans.org/critical-security-controls
[2] Reeder, F., Chenok, D., Evans, K., Lewis, J., and Paller, A. (October 2012). Updating U.S. Federal Cybersecurity Policy and Guidance. http://csis.org/files/publication/121019_reeder_a130_web.pdf