Vulnerability Management Isn't Simple (or, How to Make Your VM Program Great)


Kelly Hammons, Principal Consultant, CISSP, Secutor Consulting
October 2nd, 2015

"97% of breaches could have been avoided through simple or intermediate controls." - Verizon Data Breach Investigations Report, 2012

"While over 90 percent of all organizations monitor security effectiveness in some manner, only 40 percent do so constantly rather than on an as-needed basis." - Enterprise Security Group (ESG) Security Management & Operations Report, June 2012

How are vulnerabilities usually managed?
- Limited or non-existent budget
- Scanning too infrequently to be relevant, or scanning too aggressively
- Not using authentication
- Only scanning the perimeter
- Ad hoc prioritization
- Ignoring them

Vulnerability Management Goals (or, VM Maturity Model)
- Comply with regulations (PCI, HIPAA, NERC CIP, ...)
- Vulnerability remediation / reduce attack surface
- Keep your company's name off the front page of the New York Times (keep your job)
- Asset discovery
- Understand your perimeter
- Test new systems before they're brought online
- Automation + integration
- Produce actionable data & metrics

Challenges
- Resistance from Network Operations, Patching Team, System Owners
- Things *will* crash
- Network devices *will* become saturated
- Patching software won't always agree with the scanner
- Vulnerability prioritization
- DHCP
- Who owns the machine and/or service?

Scanning
- Scanner placement
- What is in/out of scope?
- Can you scan partner networks?

Where do we start?
- What are you going to scan?
  - Discovery scan
  - Internal vs. external IPs
  - Ports
  - Authentication
  - Workstations, servers, lab, DMZ, IP phones, printers, network devices
- Scan frequency and windows?
- Who is responsible for patching?
- Where are the firewalls?
- Where do I place the scanners?
- How will vulnerabilities be prioritized?

What do I do with all of these vulnerabilities?
- Patch
- Upgrade
- Disable/uninstall the service
- Add a client-side firewall or HIPS
- Modify the network fabric (routers/firewalls/IPS)
- ...or ignore

Prioritization
- CVSS
- Valuable hosts/data: *accessibility* from a threat source
- What does your network look like?

@NTXISSA #NTXISSACSC3

Metrics
- Are you measuring busyness or addressing risk?
- What am I scanning? What am I *not* scanning?
- How many of what kind of vulnerabilities?
- What's different compared to last month?

Pitfalls
- DHCP
- Trending
- Upgrading or sunsetting hosts
- Stale scan data
- Wall of shame

Simple Metrics

A good example

A great example

Metrics in context

February Scan Results:

Asset Group                        Status   Comments
ABC Servers and Network Devices    Yellow   No host increase; the number of Level 5 vulnerabilities is the same.
DEF Servers and Network Devices    Green    No increase in hosts; Level 5 vulnerabilities have decreased.
GHI Servers and Network Devices    Yellow   No host increase; the number of Level 5 vulnerabilities is the same.
NA Workstations                    Red      The number of hosts and Level 5 vulnerabilities increased.
Europe Workstations                Green    The number of hosts increased and the number of Level 5 vulnerabilities still decreased.
JKL Workstations                   Red      The number of hosts and Level 5 vulnerabilities increased.
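A worked version of the month-over-month status rule this table illustrates, combined with the "what am I *not* scanning" check from the Metrics slide. This is an added Python example, not code from the deck or its author; the Red/Yellow/Green rule is inferred from the table's comments, and the scan totals and the CMDB inventory are constructed sample data.

```python
# Constructed sample data: per-asset-group totals from two monthly scans.
# "level5" counts Level 5 (highest severity) findings, the metric the slide tracks.
JANUARY = {
    "ABC Servers and Network Devices": {"hosts": 120, "level5": 14},
    "DEF Servers and Network Devices": {"hosts": 80, "level5": 9},
    "NA Workstations": {"hosts": 1500, "level5": 40},
    "Europe Workstations": {"hosts": 900, "level5": 22},
}
FEBRUARY = {
    "ABC Servers and Network Devices": {"hosts": 120, "level5": 14},
    "DEF Servers and Network Devices": {"hosts": 80, "level5": 5},
    "NA Workstations": {"hosts": 1560, "level5": 47},
    "Europe Workstations": {"hosts": 950, "level5": 18},
}
# Assumed asset inventory (e.g. a CMDB export); a group listed here but absent
# from both scans is the "what am I *not* scanning" gap the Metrics slide asks about.
INVENTORY = set(JANUARY) | {"JKL Workstations"}


def trend(prev, cur):
    """Return (status, comment) for one asset group, month over month.
    Status rule inferred from the slide's table (an assumption): the Level 5
    count falling is Green, unchanged is Yellow, rising is Red; the host count
    is reported alongside as context so growth is not mistaken for regression."""
    d_hosts = cur["hosts"] - prev["hosts"]
    d_l5 = cur["level5"] - prev["level5"]
    hosts = "increased" if d_hosts > 0 else "decreased" if d_hosts < 0 else "unchanged"
    if d_l5 < 0:
        return "Green", f"Hosts {hosts} ({d_hosts:+d}); Level 5 decreased ({d_l5:+d})."
    if d_l5 == 0:
        return "Yellow", f"Hosts {hosts} ({d_hosts:+d}); Level 5 count is the same."
    return "Red", f"Hosts {hosts} ({d_hosts:+d}); Level 5 increased ({d_l5:+d})."


def monthly_report(prev_scan, cur_scan, inventory):
    """Status per asset group seen in both scans, plus inventory groups no scan covered."""
    rows = {g: trend(prev_scan[g], cur_scan[g]) for g in cur_scan if g in prev_scan}
    unscanned = sorted(inventory - set(prev_scan) - set(cur_scan))
    return rows, unscanned


if __name__ == "__main__":
    rows, unscanned = monthly_report(JANUARY, FEBRUARY, INVENTORY)
    for group, (status, note) in rows.items():
        print(f"{group:35} {status:6} {note}")
    print("Not scanned:", ", ".join(unscanned) or "none")
```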

More great examples

Interoperability: The whole is greater than the sum of its parts
- Asset Management/CMDB: Who owns this box?
- Patching: Discover false negatives
- Pen Testing: Speed up vulnerability discovery, less intrusive
- SIEM/IPS/IDS: Mitigate false alerts, fine-tune, add context, prioritize remediation
- Ticketing: Easy workflow
- Vector Analysis: Prioritization, discover unscanned subnets, discover *downstream* risk
- GRC: Fine-tune risk metrics, remediation tracking

Thank you
- The Collin College Engineering Department
- Collin College Student Chapter of the North Texas ISSA
- North Texas ISSA (Information Systems Security Association)

NTX ISSA Cyber Security Conference, October 2-3, 2015