Copyright Security-Assessment.com 2004 Vulnerability Management Explained By Peter Benson

Vulnerability Management Explained

By Peter Benson

By the Numbers…

• 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months (but 41% did not report the incident to the authorities). — BusinessWeek, citing a PricewaterhouseCoopers/CIO Magazine study

• 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center  

• 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT  

• $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g  

Why Vulnerability Management?

• Building a strong program based on mitigating known vulnerabilities has transformed from a security-centric process into an operational necessity for business success.

• The root cause of the problem is the existence of vulnerabilities in the corporate network.

• Vulnerability Management, the discovery of vulnerabilities and assessment of the risk to the network, is a critical part of the business landscape for long term success.

Why Vulnerability Management? (continued)

• Patch management on its own is ineffective and inefficient: patching every finding as it appears neither scales nor tells you which findings matter.

• The better investment is a vulnerability management process that lets you determine, automatically and cost-effectively, whether to eliminate, mitigate or tolerate each threat, based on the risk it poses and the cost of the repair.

What is Vulnerability Management?

• Dynamic best practices (Yankee Group, 2004):

– Classify. Assign network resources to a hierarchy based on criticality.

– Measure. Assess security performance in reducing exposure to key vulnerabilities.

– Integrate. Vulnerability management bolsters the effectiveness of patch management, configuration control and early warning.

– Audit. Regularly audit the effectiveness of the integrated vulnerability processes.

Laws of Vulnerabilities

The Law of Half Life

• The half life is the time it takes for the number of systems exposed to a given vulnerability to fall by half once it is being tracked.

• Lessons learned:

– You can't patch them all at once.

– In each following month, mitigate more than half of the vulnerabilities that still remain.

– Improve the reduction of risk in the enterprise by shrinking the half life to less than 30 days.

• Best practices: patch critical systems within 21 days, with a rollout procedure for the other assets based on their priority level.

The Law of Prevalence

• Lessons learned:

– New critical vulnerabilities appear throughout the year.

– Half of the vulnerabilities still exist in the network a year later.

– Vulnerability management is a never-ending process.

• Best practices: continually test assets for weaknesses, and test critical assets at a minimum every 5–10 days. This frequency may need to increase.

The Law of Persistence

• Lessons learned:

– Scan the configurations of new equipment to be sure they do not reintroduce old vulnerabilities into the network.

– Be alert for vulnerabilities that may be lurking in application code, where a patch cycle does not reach them.

• Best practices: continually test assets to uncover reintroduced weaknesses. Scan critical assets at a minimum every 5–10 days. This is an ongoing process.

The Law of Exploitation

• Lessons learned:

– Keep an eagle eye on key vendors for early warnings of available patches for critical resources.

– Make a team decision on when to patch.

– Integrate with automated patch management and configuration control systems, and verify that the patch has actually eliminated the weakness.

– Be prepared to scan for a specific vulnerability on demand when an attack or exploit for it is reported.

Yankee Group Dynamic Best Practice Model

[Diagram: the four practices as a cycle]

– Classify assets: identify assets, business-risk prioritisation

– Measure: compliance, current Laws of Vulnerabilities, communicate

– Integrate: patch management, security portals, security reporting

– Audit performance: compliance and performance against metrics

Dynamic Best Practice - Classify

• Classify network resources.

• Tier the hierarchy of assets by their value to the business.

Dynamic Best Practice - Measure

• Measure your network against the half life and persistence curves.

• Measure team performance by the half life results and by how the persistence law is handled.

• Use the gathered metrics to communicate the security problem to senior management.
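The measurements the Half Life and Persistence slides call for, as an added example that is not from the presentation or from any vendor's product. It works on a constructed scan history (scan date to the findings seen that day, the shape you get by flattening any scanner's export), computes the decay curve and half life of the findings present at the baseline scan, flags findings that were fixed and later came back, and checks open findings against a per-tier patch window. Host names, the asset tiers and the windows for tiers 2 and 3 are assumptions; the deck itself only states 21 days for critical systems and a target half life under 30 days.

```python
"""Half life, persistence and patch-window metrics from a series of scans.

Added example with constructed data. Assumed: asset tiers, host names and
the tier 2/3 windows; the 21-day window for tier 1 is the deck's figure.
"""
from datetime import date

SCANS = {  # constructed: scan date -> findings as (host, vuln_id, severity)
    date(2004, 3, 1): [  # baseline scan
        ("db01", "V-A", "critical"), ("web01", "V-A", "critical"),
        ("ws17", "V-A", "critical"), ("ws22", "V-A", "critical"),
        ("db01", "V-B", "critical"), ("web01", "V-C", "high"),
        ("ws17", "V-C", "high"), ("ws22", "V-C", "high")],
    date(2004, 3, 11): [  # V-A patched on db01, web01, ws17
        ("ws22", "V-A", "critical"), ("db01", "V-B", "critical"),
        ("web01", "V-C", "high"), ("ws17", "V-C", "high"), ("ws22", "V-C", "high")],
    date(2004, 3, 21): [  # V-C fixed on web01; newly disclosed V-D found on db01
        ("ws22", "V-A", "critical"), ("db01", "V-B", "critical"),
        ("db01", "V-D", "critical"), ("ws17", "V-C", "high"), ("ws22", "V-C", "high")],
    date(2004, 3, 31): [  # web01 rebuilt from an old image: V-A is back
        ("web01", "V-A", "critical"), ("ws22", "V-A", "critical"),
        ("db01", "V-B", "critical"), ("db01", "V-D", "critical"),
        ("ws17", "V-C", "high"), ("ws22", "V-C", "high")],
    date(2004, 4, 10): [  # V-A finally gone everywhere
        ("db01", "V-B", "critical"), ("db01", "V-D", "critical"),
        ("ws17", "V-C", "high"), ("ws22", "V-C", "high")],
}
ASSET_TIER = {"db01": 1, "web01": 1, "ws17": 3, "ws22": 3}   # assumed classification
SLA_DAYS_BY_TIER = {1: 21, 2: 45, 3: 60}  # tier 1 per the deck; tiers 2 and 3 assumed


def findings_by_scan(scans, severity=None):
    """scan date -> set of (host, vuln_id), optionally restricted to one severity."""
    return {d: {(h, v) for h, v, s in rows if severity is None or s == severity}
            for d, rows in scans.items()}


def cohort_curve(scans, severity=None):
    """Decay of the findings open at the first scan: [(days since baseline, still open)]."""
    dates = sorted(scans)
    per_scan = findings_by_scan(scans, severity)
    cohort = per_scan[dates[0]]
    return [((d - dates[0]).days, len(cohort & per_scan[d])) for d in dates]


def half_life_days(curve):
    """Days until no more than half of the baseline cohort is still open; None if never."""
    _, baseline = curve[0]
    for days, remaining in curve[1:]:
        if 2 * remaining <= baseline:
            return days
    return None


def reintroduced(scans):
    """Findings that vanished from a scan and later came back (Law of Persistence)."""
    per_scan = findings_by_scan(scans)
    seen, gone, back = set(), set(), set()
    for d in sorted(scans):
        present = per_scan[d]
        back |= gone & present   # fixed earlier, exposed again now
        gone |= seen - present   # seen before, absent from this scan
        seen |= present
    return back


def sla_breaches(scans, asset_tier, sla_by_tier=SLA_DAYS_BY_TIER):
    """Open findings in the latest scan that are older than the window for their asset's tier."""
    dates = sorted(scans)
    per_scan = findings_by_scan(scans)
    first_seen = {}
    for d in dates:
        for f in per_scan[d]:
            first_seen.setdefault(f, d)  # age runs from first sighting, even if reintroduced
    latest = dates[-1]
    breaches = []
    for host, vid in sorted(per_scan[latest]):
        age, limit = (latest - first_seen[(host, vid)]).days, sla_by_tier[asset_tier[host]]
        if age > limit:
            breaches.append((host, vid, age, limit))
    return breaches


if __name__ == "__main__":
    for label, sev in (("all", None), ("critical", "critical")):
        curve = cohort_curve(SCANS, sev)
        hl = half_life_days(curve)
        verdict = "meets" if hl is not None and hl < 30 else "misses"
        print(f"{label:8s} curve={curve} half-life={hl} days ({verdict} the <30 day target)")
    print("reintroduced:", sorted(reintroduced(SCANS)))
    print("window breaches (host, vuln, age, limit):", sla_breaches(SCANS, ASSET_TIER))
```

The cohort curve is the "half life curve" the slide refers to: it follows only the findings that existed at the baseline, so new disclosures (V-D) do not hide remediation progress, and a reintroduced finding (web01/V-A at day 30) shows up as the curve bending back upwards. Running the critical-only curve separately is what lets you report the 21-day figure for critical systems independently of the overall 30-day target.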

Dynamic Best Practice - Integrate

• Integrate with discovery systems such as network integrity systems.

• Integrate with patch management systems to confirm completion of the task.

• Integrate into management reporting portals. Take the mystery out of security.

Dynamic Best Practice - Audit

• Evaluate actual vulnerability management results against the targeted metrics.

• Regularly review vulnerability management reports with the security teams.

• Measure the performance of security teams by the reduction of critical vulnerabilities.

Vulnerability Management Business Models

[Diagram: two process models (Model 1, Model 2) built from the stages Discovery, Assessment, Analysis and Policy Compliance, Business Prioritisation and Remediation]

Summary of Dynamic Best Practices

VM and Qualys Solutions

Business Reporting and Risk Management

Business Reporting

Questions?