Vulnerability management for the real world
Presentation Transcript
Vulnerability Management for the Real World

George Kurtz

Chief Executive Officer, Foundstone

Contents:

  • The Problem

  • What is Vulnerability Management?

  • Challenges to Effective VM

  • Successful Approaches



Question

  • What won’t you see in this presentation?

Answer: Another CSI/FBI slide!

We all know the problem, what about a solution!


Proclamation

VA Is Dead…..

They Just Haven’t Buried The Body!


Organizations are Feeling the Pain

1. What causes the damage?

2. How do you prevent the damage? What are your options?

3. How do you successfully deal with vulnerabilities?

4. How do you make the best security decisions?

RISK = Assets x Vulnerabilities x Threats

You can control vulnerabilities.

95% of breaches target known vulnerabilities

  • Vulnerabilities

  • Business complexity

  • Human resources

  • Financial resources

Focus on the right assets, right threats, right measures.



What Is Vulnerability Management

A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.


What Is Vulnerability Management

  • At a high level, the “intelligent confluence” of…

Assessment (What assets?) + Analysis (What to fix first?) + Remediation (Fix the problem)

  • Component of Risk Management

  • Balance the demands of business goals and processes



Challenges – Assessment

  • Traditional desktop scanners cannot handle large networks

  • Provide volumes of useless checks

  • Chopping up scans and distributing them is cumbersome

  • Garbage In, Garbage Out (GIGO) – volumes of superfluous data

  • Coverage at all OSI layers is inadequate

  • Time consuming and resource intensive

  • Finding the problem is only half the battle


Challenges – Analysis

  • Manual and resource intensive process to determine

    • What to fix

    • If you should fix

    • When to fix

  • No correlation between vulnerabilities, threats and assets

  • No way to prioritize what vulnerabilities should be addressed

    • What order

  • Stale data

    • Making decisions on last quarter’s vulnerabilities

  • No credible metrics


Challenges – Remediation

  • Security resources are often decentralized

  • The security organization often doesn’t own the network or system

  • Multiple groups may own the asset

  • Presenting useful and meaningful information to relevant stakeholders

  • Determining if the fix was actually made


Challenges – Time

Cost to ignore vulnerability is greater than the cost to repair

[Figure labels: Threat Level, Asset Criticality, Risk Threshold; Vulnerability discovered, Exploit public, Automated exploit; Discovery, Remediation]


Challenges – Time

Goal = compress time from discovery to remediation

Cost to ignore vulnerability is greater than the cost to repair

[Figure labels: Threat Level, Asset Criticality, Risk Threshold; Vulnerability discovered, Exploit public, Automated exploit; Discovery, Remediation]


Challenges – Time

Goal = compress time from discovery to remediation

Cost to ignore vulnerability is greater than the cost to repair

x 15 new vulnerabilities per day across many assets

[Figure labels: Threat Level, Asset Criticality, Risk Threshold; Vulnerability discovered, Exploit public, Automated exploit; Discovery, Remediation]




Successful Approaches: Implementing An Effective VM Strategy


Successful Approaches

  • Focus on four key areas:

    • Prioritize Assets

    • Determine Risk Level (assets, threats, vulnerabilities)

    • Remediate Vulnerabilities

    • Measure


Asset:

Any function, task, capability, equipment or information that has value to the organization or supports the ability of the organization to conduct business


Threat:

Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function


Vulnerability:

Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process



Asset Prioritization

  • Identify assets by:

    • Networks

      • Logical groupings of devices

      • Connectivity - None, LAN, broadband, wireless

    • Network Devices

      • Wireless access points, routers, switches

    • Operating System

      • Windows, Unix

    • Applications

      • IIS, Apache, SQL Server

    • Versions

      • IIS 5.0, Apache 1.3.12, SQL Server V.7


Asset Prioritization

  • Network-based discovery

    • Known and “unknown” devices

    • Determine network-based applications

    • Excellent scalability

  • Agent-based discovery

    • In-depth review of the applications and patch levels

    • Deployment disadvantages

  • Network- and agent-based discovery techniques are optimal

    • Agents - Cover what you already know in great detail

    • Network - Identify rogue or new devices

  • Frequency

    • Continuous, daily, weekly

    • Depends on the asset



Correlate Threats

  • Not all threat and vulnerability data have equal priority

  • Primary goal is to rapidly protect your most critical assets

  • Identify threats

    • Worms

    • Exploits

    • Wide-scale attacks

    • New vulnerabilities

  • Correlate with your most critical assets

  • Result = Prioritization of vulnerabilities within your environment



Risk Calculation

  • The Union of:

    • Vulnerabilities

    • Assets

    • Threats

  • Based upon the criticality of VAT (vulnerabilities, assets, threats)

  • Focus your resources on the true risk


Remediation


Remediation / Resolution

  • Perfection is unrealistic (zero vulnerabilities)

    • Think credit card fraud – will the banks ever eliminate credit card fraud?

  • You have limited resources to address issues

  • The question becomes:

    • Do I address or not?

  • Factor in the business impact costs + remediation costs

    • If the risk outweighs the cost – eliminate or mitigate the vulnerability!


Remediation / Resolution

  • Apply the Pareto Principle – the 80/20 rule

    • Focus on the vital few not the trivial many

    • 80% of your risk can be eliminated by addressing 20% of the issues

    • The Risk Union will show you the way

      • Right assets

      • Relevant threats

      • Critical vulnerabilities
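
The Risk Union and the 80/20 rule above, worked through as an added example (not part of the original presentation): each finding is scored as asset criticality x vulnerability severity x threat level, and the smallest top-ranked set covering 80% of total risk is selected. The 0 to 5 scales, host names and findings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str
    criticality: int  # asset criticality, 1 (low) to 5 (business critical); assumed scale
    severity: int     # vulnerability severity, 1 to 5; assumed scale
    threat: int       # threat level, 0 (no known threat) to 5 (worm / automated exploit); assumed scale

    @property
    def risk(self) -> int:
        # RISK = Assets x Vulnerabilities x Threats, as stated on the slides
        return self.criticality * self.severity * self.threat

def vital_few(findings, share=0.80):
    """Return (top-ranked findings covering at least `share` of total risk, fraction covered)."""
    ranked = sorted(findings, key=lambda f: f.risk, reverse=True)
    total = sum(f.risk for f in ranked)
    picked, covered = [], 0
    for f in ranked:
        if total == 0 or covered >= share * total:
            break
        picked.append(f)
        covered += f.risk
    return picked, (covered / total if total else 0.0)

# Constructed sample inventory (hypothetical hosts and findings).
FINDINGS = [
    Finding("db-prod-01",  "SQL Server remote code execution", 5, 5, 5),
    Finding("web-dmz-01",  "IIS buffer overflow",              5, 4, 5),
    Finding("test-sql-02", "SQL Server remote code execution", 1, 5, 5),  # same flaw, low-value asset
    Finding("web-dmz-02",  "Apache information leak",          4, 2, 1),
    Finding("hr-fs-01",    "Weak file share permissions",      3, 3, 1),
    Finding("dev-ws-07",   "Outdated browser",                 2, 3, 1),
    Finding("print-01",    "Default SNMP community string",    1, 3, 1),
    Finding("lab-ap-03",   "Open wireless access point",       2, 2, 0),
    Finding("kiosk-04",    "Missing OS patch",                 1, 2, 1),
    Finding("mail-01",     "Service banner disclosure",        4, 1, 0),
]

if __name__ == "__main__":
    picked, covered = vital_few(FINDINGS)
    print(f"{len(picked)} of {len(FINDINGS)} findings carry {covered:.0%} of total risk")
    for f in picked:
        print(f"  {f.risk:>4}  {f.asset:<12} {f.vuln}")
```

The same SQL Server flaw scores 125 on the production database and 25 on the test server, which is the correlation with asset criticality that the Correlate Threats and Risk Calculation slides call for.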


Remediation / Resolution

  • Patch or Mitigate

    • Impact on availability from a bad patch vs. the risk of not patching

    • Patch or mitigate

    • Recommendations:

      • QA security patches 24 hours

      • Determine if there are widespread problems

      • Implement defense-in-depth


Measure


Measure

  • Current state of security metrics

    • You can’t manage what you can’t measure

    • No focus on quantifying “Security”

      • What is my real risk?

    • Only a relative scale of risk, not an absolute

    • Return on Security Investment (ROSI) is extremely difficult to calculate

    • No accountability in security


Measure

  • Future Look:

    • Accountability

    • A universal standard to quantify risk

    • Common nomenclature

    • Dashboard view of risk and vulnerabilities across disparate organizations

    • Technologies that will help answer the questions:

      • Am I secure?

      • Who is accountable and by when?

      • Am I getting better or worse?

      • How am I trending over time?

      • How do I compare to my peers?

      • How do I compare outside my industry?


Summary

  • All assets are not created equally

  • You cannot respond to or even protect against all threats

  • An effective vulnerability management program focuses on Risk

    • Vulnerabilities

    • Assets

    • Threats

  • The hardest step in a 1000 mile journey is the first – start somewhere

  • Strategically manage vulnerabilities using a comprehensive process


10 Steps to Effective Vulnerability Management

  • Identify all the assets in your purview

  • Create an Asset Criticality Profile (ACP)

  • Determine exposures and vulnerabilities

  • Track relevant threats – realized and unrealized

  • Determine Risk - union of vulnerabilities x assets x threats

  • Take corrective action if risk > cost to eliminate or mitigate

  • Create meaningful metrics and hold people accountable

  • Identify and address compliance gaps

  • Implement an automated vulnerability management system

  • Convince someone with a budget that vulnerability management is important



Don’t Spend Another Dime On Security Until You Understand How To….

Protect The Right Assets

From The Right Threats

With The Right Measures


Contact Information

George Kurtz

949-297-5600

george.kurtz@foundstone.com

www.foundstone.com


Questions?

Submit your questions to George

by clicking on the Ask a Question link

on the lower left corner of the screen.

George’s answers will be sent to you by e-mail.


Thank you

Thank you for participating in this SearchSecurity.com on-demand webcast. If you have suggestions for future webcasts, e-mail the editor at webcast@searchSecurity.com

For other SearchSecurity.com webcasts, visit

http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax292632,00.html