Harvesting Vulnerabilities in Food-Industry Agrokor Group
Ivo Pejakovic, MScEE, MBA, CISO of Agrokor Group, Croatia


Agrokor Group
• 5+ Billions USD Revenue
• 40+ Companies Holding
• 40.000+ Employees in Group
• in 6 countries of South-East Europe


Where is the problem?


IT security controls


Vulnerability Management Process

• #4 of SANS Critical Security Controls
• Related to:
  • #1 of SANS Critical Security Controls
  • #2 of SANS Critical Security Controls
• VM & QualysGuard in Agrokor Group: since 2006
• Started with 100s of assets, now we have 1000s of IT assets in VM


Key challenges

1. VM workflow
2. RACI matrix
3. IT Asset management in VM
4. Remediation policy
5. Visibility of VM process
6. Accuracy of VA Scans


VM workflow

Source: SANS 20 Critical Controls 4.1


RACI matrix


IT Assets management in VM


VM Policy


VM Visibility


VM Accuracy

Better insights in:
– Patch levels
– Installed software base
– Configuration details

Authenticated scans performed on following platforms:
– AIX, Linux, Windows servers
– Client computers (Windows 7, XP)
– Network equipment (Cisco IOS devices)


Sharing Best Practice

• Define sustainable VM policy
• Address all exceptions from the policy
• Automation of VM activities
• Be careful with VM process roles definition
• Delegate responsibilities
• Improve accuracy: use authenticated scans


This does not exist!


Q&A