10 Steps to Effective Vulnerability Management » 10 Steps » What is Vulnerability Management? » Challenges to Effective VM » The Problem Contents: Derek A. Smith

10 Steps to Building an Effective Vulnerability Management Program

Embed Size (px)

Citation preview

10 Steps to Effective

Vulnerability Management

» 10 Steps

» What is Vulnerability Management?

» Challenges to Effective VM

» The Problem


Derek A. Smith

The Problem

Insider Threat – Analysis and Countermeasures 3

Organizations are Feeling the


1. What causes the


95% of breaches target known vulnerabilities

2. How do you prevent the

damage? What are your


RISK= Assets x Vulnerabilities x Threats

You can control vulnerabilities.

3. How do you successfully

deal with vulnerabilities? Vulnerabilities

Business complexity

Human resources

Financial resources

4. How do you make the

best security decisions?

Focus on the right assets, right threats,

right measures.

What is Vulnerability


Insider Threat – Analysis and Countermeasures 5

What Is Vulnerability


A process to determine whether to eliminate,

mitigate or tolerate vulnerabilities based upon

risk and the cost associated with fixing the


Insider Threat – Analysis and Countermeasures 6

What Is Vulnerability


At a high level, the ”intelligent

confluence” of…

Assessment What assets?

Analysis What to fix first?

Remediation Fix the problem

+ +

• Component of Risk Management

• Balance the demands of business goals and processes

Challenges to Effective VM

Insider Threat – Analysis and Countermeasures 8

Challenges – Assessment

Traditional desktop scanners cannot handle large networks

Provide volumes of useless checks

Chopping up scans and distributing them is cumbersome

Garbage In- Garbage Out (GIGO)– volumes of superfluous data

Coverage at all OSI layers is inadequate

Time consuming and resource intensive

Finding the problem is only half the battle

Insider Threat – Analysis and Countermeasures 9

Challenges – Analysis

Manual and resource intensive process to determine

What to fix

If you should fix

When to fix

No correlation between vulnerabilities, threats and assets

No way to prioritize what vulnerabilities should be addressed

What order

Stale data

Making decisions on last quarter’s vulnerabilities

No credible metrics

Insider Threat – Analysis and Countermeasures 10

Challenges – Remediation

Security resources are often decentralized

The security organization often doesn’t own the network

or system

Multiple groups may own the asset

Presenting useful and meaningful information to relevant


Determining if the fix was actually made

Insider Threat – Analysis and Countermeasures 11

Challenges – Time A


t C




discovered Exploit

public Automated


Discovery Remediation

Cost to ignore vulnerability is greater

than the cost to repair

Threat Level

Risk Threshold

Vulnerability Management


Insider Threat – Analysis and Countermeasures 13




10 Step Approach: Implementing An Effective VM Strategy

Insider Threat – Analysis and Countermeasures 15

Step 1 - Identify all the assets

needing protection Identify assets by:


Logical groupings of devices

Connectivity - None, LAN, broadband, wireless

Network Devices

Wireless access points, routers, switches

Operating System

Windows, Unix


IIS, Apache, SQL Server


IIS 5.0, Apache 1.3.12, SQL Server V.7

Insider Threat – Analysis and Countermeasures 16

Asset Prioritization

Network-based discovery

Known and “unknown” devices

Determine network-based applications

Excellent scalability

Agent-based discovery

In-depth review of the applications and patch levels

Deployment disadvantages

Network- and agent-based discovery techniques are optimal

Agents - Cover what you already know in great detail

Network - Identify rogue or new devices


Continuous, daily, weekly

Depends on the asset

Insider Threat – Analysis and Countermeasures 17

Step 2 - Vulnerability Identification

Knowing what vulnerabilities exist for each

asset and the criticality of that vulnerability

is essential in determining how best to

secure it.

Insider Threat – Analysis and Countermeasures 18

Correlate Threats

Insider Threat – Analysis and Countermeasures 19

Correlate Threats

Not all threat and vulnerability data have equal priority

Primary goal is to rapidly protect your most critical assets

Identify threats



Wide-scale attacks

New vulnerabilities

Correlate with your most critical assets

Result = Prioritization of vulnerabilities within your


Insider Threat – Analysis and Countermeasures 20

Step 3 - Consistent Vulnerability

Management Use consistent, high‐frequency scanning

Reduce the volume of vulnerabilities from

any one scan

Insider Threat – Analysis and Countermeasures 21

Step 4 - Risk Assessment

Accurate and timely details on the

vulnerabilities that exist.

Employ a consistent vulnerability

management approach

Insider Threat – Analysis and Countermeasures 22

Determine Risk Level

Insider Threat – Analysis and Countermeasures 23

Risk Calculation

The Union of:




Based upon the

criticality of VAT

Focus your

resources on the

true risk

Insider Threat – Analysis and Countermeasures 24

Step 5 - Change Management

Integrate change management with a

consistent vulnerability management


Insider Threat – Analysis and Countermeasures 25

Step 6 - Patch Management

An effective vulnerability management


Feedback from the patch management


Insider Threat – Analysis and Countermeasures 26

Step 7 – Mobile Devices

Mobile devices evade traditional

vulnerability and compliance management


Integrate with Mobile Device Management

(MDM) systems or deploy technology

Insider Threat – Analysis and Countermeasures 27

Step 8 - Mitigation Management

Manage vulnerabilities in the event no

software update or fix to address the

vulnerability is available

Identify alternative ways to manage the


Insider Threat – Analysis and Countermeasures 28


Insider Threat – Analysis and Countermeasures 29

Remediation / Resolution

Perfection is unrealistic (zero vulnerabilities)

Think credit card fraud – will the banks ever eliminate

credit card fraud?

You have limited resources to address issues

The question becomes:

Do I address or not?

Factor in the business impact costs + remediation costs

If the risk outweighs the cost – eliminate or mitigate

the vulnerability!

Insider Threat – Analysis and Countermeasures 30

Remediation / Resolution

Apply the Pareto Principle – the 80/20 rule

Focus on the vital few not the trivial many

80% of your risk can be eliminated by

addressing 20% of the issues

The Risk Union will show you the way

Right assets

Relevant threats

Critical vulnerabilities

Insider Threat – Analysis and Countermeasures 31

Remediation / Resolution

Patch or Mitigate

Impact on availability from a bad patch vs. the

risk of not patching

Patch or mitigate

Recommendations: QA security patches 24 hours

Determine if there are wide spread problems

Implement defense-in-depth

Insider Threat – Analysis and Countermeasures 32

Step 9 - Incident Response

The security of an organization’s systems

is only as effective as how it responds to a

security breach

Ensuring the incident response process is

alerted to the issue can provide a number

of benefits

Insider Threat – Analysis and Countermeasures 33

Step 10 - Automation

The final key to a successful vulnerability

management program is automation

Time is of the utmost importance in

detecting, assessing and remediating any


Manual processing of large amounts of

data is extremely time consuming and

prone to error.

Reduce the human element

Insider Threat – Analysis and Countermeasures 34


All assets are not created equally

You cannot respond to or even protect against all threats

An effective vulnerability management program focuses on





The hardest step in a 1000 mile journey is the first –

start somewhere

Strategically manage vulnerabilities using a comprehensive


Insider Threat – Analysis and Countermeasures 35




10 Steps to Effective Vulnerability

Management Alex DaCosta, Retina Product Manager






Poll Question




Thank you for attending!