Stepping Up to Enterprise Vulnerability Management
Presentation to MEEC, November 15, 2011
Introduction: Jim Rowland, Senior System Architect and Project Manager, Daly; Keren Cummins, Director, Federal and MidAtlantic Markets, ncircle
ncircle 2011. All rights reserved.

Daly
- Proven track record, with 25 years of experience in State, Local and Education in Maryland.
- Minority Business Enterprise (MBE).
- Ability to provide the complete solution: all of the hardware, software and services discussed today are available on the MEEC contract as well as other state contracts.
- Robust professional services offerings, delivered by our Project Management and Systems Engineering team.
ncircle 2011 All rights reserved. ncircle Company Confidential

A Quick Definition
A vulnerability is a known mistake in software that can be directly used by a hacker to gain access to a system or network. (Adapted from the CVE FAQs at http://cve.mitre.org/about/faqs)

Vulnerability Scans
- Networks should be scanned for vulnerabilities.
- Scans should be conducted periodically, by internal resources or by outsourced services.
- Scan results should be prioritized for remediation; reports can be lengthy.

Agenda
- How does Vulnerability Assessment fit in with what I know about cybersecurity?
- What is Vulnerability Assessment, and how is it different from Vulnerability Management?
- WHY do Vulnerability Management?
- What are the benefits of an enterprise approach to VM?
- A few words on Continuous Monitoring

IT Security Landscape
The slide arranges security tooling along a spectrum from Reactive (Forensics, Reporting) through Active (Monitoring/Alerting/Blocking) to Proactive (Auditing/Risk Assessment). Tools placed on it: Security Information Management; Firewalls; Vulnerability Assessment; Security Event Management; IDS/IPS; Data Encryption; Configuration Compliance; Log Management; Antivirus/Spyware; Data Monitoring/Auditing; Web App Scanning; Data Leakage (DLP); File Integrity Monitoring; Network Activity Monitoring; IT-GRC; Network/Data Behavior Analysis; Identity Access Management; Network Access Control (NAC); Network/Asset Discovery; Data Discovery; Email/SPAM/Gateway; Network Topology Assessment; Identity/Access Auditing.

What is Vulnerability Assessment?
Wikipedia: "A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, nuclear power plants, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems."
A vulnerability assessment is a one-off event: "It's time for our quarterly vulnerability assessment." And then what?

Vulnerability *MANAGEMENT*
Wikipedia again: "Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities."
It's not enough to run a scan and know what your risks are. How are you going to act on that information?
Vulnerability management is an ongoing program, not a technology solution.

WHY Vulnerability Management?
Pie chart on the slide, broken down by how long a patch had already been available:
- More than 1 year: 71%
- 6 to 12 months: 19%
- 3 to 6 months: 6%
- 1 to 3 months: 4%

Data Breaches in 2010
- 96% of breaches were avoidable through simple or intermediate controls
- 92% of attacks were not highly difficult
- 89% of victims subject to PCI-DSS had not achieved compliance
- 86% were discovered by a third party
- 83% of victims were targets of opportunity
- 76% of all data was compromised from servers
Source: Verizon Business 2011 Data Breach Investigations Report

Vulnerability Management: Moving to an Enterprise Model
"I already take a snapshot of my network four times a year: I run scans of every network, analyze them, and produce lists of tasks for my security or operations team to chisel away at. When they remediate, I even run another scan to confirm."
What's wrong with this? Why should I do this differently? Why should I do it more often? How much more often??!!

A Basic Enterprise Vulnerability Management System
- Centrally administered
- Distributed scanners stay in place
- Scan scheduling
- Role-based access control
- Reports

What do the basics buy me?
- Automate the scanning function: set it and forget it, and eliminate the repetitive work of going to each network and running a scan
- Automate the prioritization: eliminate the repetitive analytical work of reviewing scans
- Ensure complete coverage of the entire environment (including things you didn't know were there)
- Produce actionable data for the security team
- Have the data available when you are ready for it

Benefits of Continuous Monitoring
"I make a movie of my network":
- Scans run in the background on an automated schedule all the time, collecting asset and vulnerability/configuration data.
- When team members have time to work on remediation, they pull data from the most recent scan and work on the highest-priority tasks.
- When a zero-day event occurs, I can instantly find vulnerable apps/OSes using the previous day's scan data.
- When something unusual happens (new device found, specific vulnerability or configuration of concern), I can be proactively alerted.
- Oh, and by the way, I can output reports to auditors or management on the fly.

Characteristics of Solutions that Meet the Security-Savvy Model
- Highly automated scanning (so I don't mind scanning all the time)
- Extremely gentle, non-intrusive and low-bandwidth scanning (so my system owners don't mind me scanning all the time)
- Powerful prioritization (so we don't get buried in TMI)
- Trending supported by host correlation (i.e., dynamic host tracking)
- Easy-to-use query feature against all findings
- Configurable alerts
- Broad variety of reporting templates to support self-service reporting for auditors, executives, managers, security experts and asset owners

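The data handling behind the continuous-monitoring workflow described on the two preceding slides (a zero-day lookup against yesterday's scan data, new-device alerts, and trending that survives a host changing IP address), as an added example. This is illustrative code written for this page, not ncircle or Daly code: the Host fields, the two daily scan records, the vulnerability IDs (vuln-1 and so on) and the httpd version range used for the lookup are all constructed assumptions, not a real scanner's export format or a real advisory.

```python
"""Queries a continuous-monitoring program runs over stored scan data.

Added example for this page, not ncircle/Daly code. The Host fields
(ip, mac, hostname, software, vulns), the scan records and the vulnerability
IDs are constructed sample data, not a real scanner's export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str                   # empty string when the scanner could not learn it
    hostname: str
    software: Dict[str, str]   # product -> version string
    vulns: FrozenSet[str]      # vulnerability IDs found on this host


def host_key(h: Host) -> str:
    """Dynamic host tracking: identify a host by MAC address, falling back to
    hostname, never by IP, so a DHCP lease change does not look like one host
    disappearing and an unrelated new host appearing."""
    return h.mac.lower() if h.mac else h.hostname.lower()


def correlate(prev: List[Host], curr: List[Host]) -> Tuple[Dict[str, Tuple[Host, Host]], List[Host], List[Host]]:
    """Pair hosts across two scans. Returns (matched, new_hosts, gone_hosts)."""
    p = {host_key(h): h for h in prev}
    c = {host_key(h): h for h in curr}
    matched = {k: (p[k], c[k]) for k in p.keys() & c.keys()}
    new_hosts = sorted((c[k] for k in c.keys() - p.keys()), key=host_key)
    gone_hosts = sorted((p[k] for k in p.keys() - c.keys()), key=host_key)
    return matched, new_hosts, gone_hosts


def trend(prev: List[Host], curr: List[Host]) -> Dict[str, Dict[str, int]]:
    """Per-host remediation trend between two scans: fixed, new, persistent."""
    matched, _, _ = correlate(prev, curr)
    return {k: {"fixed": len(a.vulns - b.vulns),
                "new": len(b.vulns - a.vulns),
                "persistent": len(a.vulns & b.vulns)}
            for k, (a, b) in matched.items()}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric version compare so that 2.2.10 sorts after 2.2.9 (plain string
    comparison gets this wrong). A non-numeric tail such as '1e' keeps its digits."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def find_affected(scan: List[Host], product: str, affected: Callable[[Tuple[int, ...]], bool]) -> List[str]:
    """Zero-day triage without rescanning: hosts in the latest scan that run
    `product` at a version the predicate says is affected."""
    return sorted(h.ip for h in scan
                  if product in h.software and affected(version_tuple(h.software[product])))


def alerts(prev: List[Host], curr: List[Host], vuln_of_concern: str) -> List[str]:
    """Configurable alerting: new devices, and any host newly carrying a
    specific vulnerability since the previous scan."""
    matched, new_hosts, _ = correlate(prev, curr)
    out = [f"new device: {h.ip} ({host_key(h)})" for h in new_hosts]
    for k, (a, b) in matched.items():
        if vuln_of_concern in b.vulns and vuln_of_concern not in a.vulns:
            out.append(f"{vuln_of_concern} newly present on {b.ip} ({k})")
    out += [f"{vuln_of_concern} present on new device {h.ip}"
            for h in new_hosts if vuln_of_concern in h.vulns]
    return out


# Constructed sample data: two consecutive daily scans of a small network.
DAY1 = [
    Host("10.0.0.5", "00:11:22:33:44:55", "web01",
         {"httpd": "2.2.15", "openssl": "1.0.0"}, frozenset({"vuln-1", "vuln-2"})),
    Host("10.0.0.6", "00:11:22:33:44:66", "db01",
         {"mysqld": "5.1.40"}, frozenset({"vuln-3"})),
]
DAY2 = [
    # web01 took a new DHCP address, fixed vuln-1 and picked up vuln-4.
    Host("10.0.0.9", "00:11:22:33:44:55", "web01",
         {"httpd": "2.2.15", "openssl": "1.0.0"}, frozenset({"vuln-2", "vuln-4"})),
    Host("10.0.0.6", "00:11:22:33:44:66", "db01",
         {"mysqld": "5.1.40"}, frozenset({"vuln-3"})),
    # A device nobody knew about, with no resolvable hostname.
    Host("10.0.0.20", "aa:bb:cc:dd:ee:ff", "", {"httpd": "2.2.3"}, frozenset({"vuln-4"})),
]

if __name__ == "__main__":
    print(trend(DAY1, DAY2))
    # Hypothetical advisory: httpd 2.2.0 up to but not including 2.2.20.
    print(find_affected(DAY2, "httpd", lambda v: (2, 2, 0) <= v < (2, 2, 20)))
    print(alerts(DAY1, DAY2, "vuln-4"))
```

The point of keying on MAC or hostname rather than IP is visible in the sample: web01 moves from 10.0.0.5 to 10.0.0.9 between scans and is still reported as one host with one fixed and one new finding, instead of as a lost host plus an unknown one. The version lookup answers the zero-day question from data already on disk, which is exactly what a quarterly snapshot cannot do.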
Case Study: First Impressions
- Patch management needs work: systems outside of patch management control; types of software not being patched (typically non-Microsoft)
- Compliance picture is complex: legacy systems and exceptions; systems outside of security control management

Case Study: Second Impressions
- Inventory! How many routers, switches, Linux systems, etc.; software license utilization
- System management technology improves: packages for non-Microsoft software
- Business processes improve: patch management coverage; reduction of non-compliant software (change control boards, software removal packages); reduction of non-compliant systems (standard software builds, port security)

Case Study: Additional Uses
- Incident response: How was it configured? Who was using the system? Was it vulnerable to a specific attack?
- Risk modeling: modeling the network and systems; measuring real risk with consideration of threat source, vulnerability, exposure and asset value

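Measuring real risk from those four factors, and the automated prioritization promised earlier in the deck, as an added worked example written for this page (not ncircle or Daly code, and not any product's formula): a scoring function that ranks constructed sample findings by threat source, vulnerability severity, exposure and asset value, next to the severity-only ordering a raw scan report gives. The category weights, host names and vulnerability IDs are assumptions.

```python
"""Risk-based prioritization of scan findings.

Added example for this page, not ncircle/Daly code. It scores each finding on
the four factors the case study names (threat source, vulnerability, exposure,
asset value); the category weights and the sample findings are constructed
assumptions, not any product's formula.
"""
from dataclasses import dataclass
from typing import List

# Assumed weights. Threat source: how real the attack is today.
THREAT = {"exploited_in_wild": 1.0, "public_exploit": 0.7, "proof_of_concept": 0.4, "none_known": 0.2}
# Exposure: who can reach the host.
EXPOSURE = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float        # CVSS base score, 0.0 to 10.0 (the vulnerability factor)
    threat: str        # key into THREAT
    exposure: str      # key into EXPOSURE
    asset_value: int   # 1 (lab box) to 5 (crown jewel), set by the asset owner


def risk_score(f: Finding) -> float:
    """threat x vulnerability x exposure x asset value, on a 0-to-5 scale.

    Out-of-range numbers are rejected. Unknown threat/exposure labels are
    scored at the worst case rather than silently at zero, so a data-entry
    gap raises a finding instead of hiding it.
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.vuln_id}: {f.cvss}")
    if not 1 <= f.asset_value <= 5:
        raise ValueError(f"asset_value out of range for {f.host}: {f.asset_value}")
    threat = THREAT.get(f.threat, max(THREAT.values()))
    exposure = EXPOSURE.get(f.exposure, max(EXPOSURE.values()))
    return threat * (f.cvss / 10.0) * exposure * f.asset_value


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken deterministically so reports are stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.vuln_id))


def by_cvss_only(findings: List[Finding]) -> List[Finding]:
    """What a raw scan report does: rank by severity alone."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.vuln_id))


# Constructed findings (vulnerability IDs are placeholders, not real CVEs).
SAMPLE = [
    Finding("lab-test-07", "vuln-a", 9.8, "none_known", "isolated", 1),
    Finding("web-portal-01", "vuln-b", 7.5, "exploited_in_wild", "internet", 5),
    Finding("hr-db-02", "vuln-c", 5.0, "public_exploit", "internal", 4),
    Finding("kiosk-11", "vuln-d", 6.1, "none_known", "", 2),  # exposure never recorded
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.2f}  {f.host:14} {f.vuln_id}  (CVSS {f.cvss})")
```

On the sample data the two orderings disagree at the top: severity alone puts the CVSS 9.8 lab box first, while the risk score puts the internet-facing crown jewel with an exploit in the wild first and the lab box last. The kiosk with no recorded exposure is scored as if internet-facing, which is the conservative choice when the inventory is incomplete.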
The Case for New Tools
- Measure vulnerabilities; prioritize response; reduce attack surface
- Measure configuration compliance; standardize configuration controls; develop compliance reports
Our mantra: measure often; be accurate and fair; report consistently and clearly.

ncircle at a Glance
Corporate overview:
- More than 5,500 customers worldwide
- Significant investment in R&D, with 50% of employees in Engineering
- Ranked in the Inc 5000 three years in a row
- Received the highest rating of "Strong Positive" in Gartner's MarketScope for Vulnerability Assessment in 2010 and 2011
- Ranked number one in "Current Offering" in the Forrester Wave for Vulnerability Management in 2010
Continuous, consistent growth:
- Three consecutive years of profitability through Q2 2011
- ncircle's US Federal government business grew more than 65% year over year in 2010
- Ranked in the San Francisco Business Times Top 100 Fastest Growing Private Companies
- Teamed with Daly in the regional state/local/education market

ncircle Customers by Industry
Financial Services & Insurance; Government; Healthcare & Pharmaceuticals; Energy & Utilities; Media & Leisure; Retail & Consumer Goods

ncircle Analyst Reviews
- "The company's mixture of vulnerability scanning, Web application scanning, file-integrity monitoring and configuration management put it at the forefront of those trying to deliver risk-based security." 451 Group, December 2009
- Gartner MarketScope for Vulnerability Assessment (as of February 2010; source: Gartner): "With WebApp360, ncircle enhances the value of their enterprise-wide risk assessment to include on-going production scanning of these critical web-based applications, complementing the penetration testing that may have been done during development and enabling their ongoing security."
- Peter Christy, Internet Research Group: "ncircle addresses two of the most significant concerns of today's technology-dependent business: comprehensive risk control essential to security, risk and compliance efforts; and IT reliability improvement through more effective configuration management processes."
- Enterprise Management Associates
- "Any organisation with a significantly sized IP infrastructure would benefit from using IP360, especially if heterogeneity is a feature, as this brings exposure to more threat types." Alan Rogers, Butler Group
Source: Forrester Wave for Vulnerability Management, Q2 2010

Thank You
Jim Rowland, Senior System Architect and Project Manager, Daly: jwr@daly.com, (301) 670-0381 ext. 335
Keren Cummins, Director, Federal and MidAtlantic Markets, ncircle: kcummins@ncircle.com, (301) 379-2493