Sean Keef, Director, Sales Engineering, Skybox Security

Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Prioritization is Wrong


DESCRIPTION

Presented at Black Hat 2014. Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It’s a wildly uneven match: a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on the time-honored methodology of fixing vulnerabilities in order of severity. But severity-based vulnerability management misses the mark completely, because it overlooks the fact that risk exposure is the real concern. This workshop focuses on identifying critical vulnerabilities so they can be fixed as quickly as possible, reducing risk and shrinking the attack surface over time. In this deep dive session on vulnerability analysis and prioritization, we’ll cover:

- Calculating risk exposure: Risk = Impact * Likelihood * Time
- The data you need to be collecting about assets and vulnerabilities
- Prioritizing vulnerabilities using simple 2-factor relationships
- Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
- Techniques to drive down the risk exposure time


Page 1: Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Prioritization is Wrong

Sean Keef

Director, Sales Engineering

Skybox Security

Don’t be a Target: Everything You Know About

Vulnerability Prioritization is Wrong

Page 2

© 2014 Skybox Security Inc., Confidential 2

Everything you ‘know’ about VM is wrong:

My active scanner finds all known vulnerabilities

Our traditional VM approach is reducing risk

We know what we need to fix first

Severity is a good indicator of what to fix

Low and medium severity vulnerabilities can be ignored

A 30-day scan cycle is acceptable

Page 3

Agenda

The Present

The Purpose

The Pain

Relationships

The Prioritization

The Process

The Punchline

Page 4

Definitions

Risk – The probability of occurrence and degree of damage an undesirable event will cause.

Vulnerability – Host-based, application and operating system vulnerabilities.

Vulnerability Management – The process of discovering, prioritizing and remediating vulnerabilities.

Page 5

Case Study (FinCorp Bank)

90% of servers are scanned every 30 days

50% of workstations are scanned every 90 days

Average PC has ~117 vulnerabilities

Over 1 million vulnerabilities to be remediated

Critical severity remediation SLA is 15 days

Page 6

The Present

Vulnerability Management

Discovery with an active scanner

Prioritization, remediation and SLAs based on severity

Critical vulnerabilities are not remediated before the next scan is executed, leading to SLAs not being met.

Page 7

The Purpose

To ensure that risk-causing vulnerabilities exist in an exploitable state for the shortest amount of time possible

[Chart: Risk vs. Time]

Page 8

Case Study (FinCorp Bank)

Spends ~100 man hours per week remediating vulnerabilities

Week to Week:

– Average ~1 million vulnerabilities

– Average ~20% Critical, ~50% High, ~30% Medium or lower

– No significant reduction of vulnerability count or breakdown week over week. (Was actually growing.)

No real plan for how to reduce the overall number of vulnerabilities or overall risk.

No prioritization plan beyond severity.

A realization that severity based remediation isn’t doing the job.

Page 9

The Pain

[Chart: Risk vs. Time, comparing a Severity-ordered remediation curve against Risk; annotations: remediating low risk-causing vulnerabilities, not remediating high risk-causing vulnerabilities, remediating high risk-causing vulnerabilities]

Risk is not decreased over time

Page 10

Case Study (FinCorp Bank)

Priorities

1. Risk visibility and qualification

2. Prioritization

3. Communication

Solutions

– Collect more data

– Correlate the data

– Relationships

Page 11

Relationships

[Diagram: Severity broken down into its Exploitability and Impact components]

Page 12

Host – Vulnerability Relationship

[Diagram: Hosts linked to Vulnerabilities]

Page 13

Host – Vulnerability Relationship

[Diagram: Vulnerabilities linked to Hosts, fed by Asset Data, the Network Map and Vulnerability Data]

Page 14

Host Value

[Diagram: Assets annotated with Value, Function and Location]

Asset Data

– Baby Steps

• Get the data that exists

• PCI CDE machines

• Important networks

• Known critical machines

• Incomplete is better than nothing

– Asset classification is its own project

Page 15

Host Loss

[Diagram: Assets with Confidentiality, Integrity and Availability (C, I, A) loss ratings]

Page 16

Host – Vulnerability Relationship

[Diagram: Vulnerabilities with C, I, A impact]

Page 17

Host – Vulnerability Relationship

[Diagram: Vulnerabilities joined to Expanded Vulnerability Data]

Page 18

Vulnerability Attributes

[Diagram: Vulnerability with attributes Impact, IPS, Severity, Vector, Catalog]

Page 19

Host – Vulnerability Relationship

[Diagram: Vulnerability attributes Impact, IPS, Severity, Network, Catalog joined to Assets]

Page 20

Prioritization – Simple Relationships

Vulnerability + Host importance (Impact) – Easy (Scanner / Spreadsheet / Script)

Vulnerability + Time on host – Easy (Scanner / Spreadsheet / Script)

Vulnerability + Host location – Easy (Scanner / Spreadsheet / Script)

Vulnerability + Host type – Easy (Scanner / Spreadsheet / Script)

Vulnerability + Patch (Quick win) – Hard (Application)

Vulnerability + IPS Signature (IPS shielding) – Hard (Application)

Page 21

Prioritization – IPS Signature to Vulnerability

Page 22

Prioritization – Patch to Vulnerability

Quick Win!

Page 23

Case Study (FinCorp Bank)

<Missing something>

Critical vulnerabilities on PCI CDE hosts

Vulnerabilities that can be IPS shielded

Patch that wipes out the most vulnerabilities

Page 24

Prioritization – Complex Relationships

Risk = Impact * Likelihood * Time

Vulnerability & Host

Host w/ Vulnerability & Network Security

Page 25

Likelihood

Attack Simulations

Attack sources: Compromised Workstation, Foreign Threat, Exploited Partner

Vulnerabilities: CVE-2014-0160 (Heartbleed), CVE-2014-0515, CVE-2014-1776

Page 26

Stair Step Attacks

Page 27

Prioritize Vulnerabilities by Multiple Factors

Vulnerabilities Prioritized

Directly Exploitable Vulnerabilities

Vulnerabilities on PCI hosts

IPS Shielded Vulnerabilities

Vulnerabilities remediated with a single MS Bulletin
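The simple relationships on page 20, the quick wins on page 23, the Risk = Impact * Likelihood * Time formula on page 24 and the multi-factor lists above can all be exercised at the "scanner / spreadsheet / script" tier the deck describes. The Python below is an added example, not code from the deck or from Skybox. The assets, findings, zone likelihoods, IPS shielding and the CVE-to-patch map are constructed sample data, and the weighting constants are assumptions chosen to show the ordering effect, not a calibrated model.

```python
"""Risk-based prioritization: Risk = Impact * Likelihood * Time.

Added example with constructed data. Impact comes from scanner severity and
asset value, Likelihood from network zone, exploit availability and IPS
shielding, Time from how long the finding has been open.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    value: int      # business value 1-10 from asset classification (assumed scale)
    location: str   # network zone from the network map


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: float    # scanner severity, CVSS-like 0-10
    exploitable: bool  # public exploit available (e.g. Metasploit module)
    first_seen: date   # first scan that reported it


# Constructed asset data: a PCI database, a DMZ web server, three workstations, a dev box.
ASSETS = {a.name: a for a in [
    Asset("db-pci-01", 10, "pci_cde"), Asset("web-dmz-02", 6, "dmz"),
    Asset("ws-0417", 2, "corp_lan"), Asset("ws-0418", 2, "corp_lan"),
    Asset("ws-0419", 2, "corp_lan"), Asset("dev-03", 3, "dev"),
]}
# Assumed reachability weight per zone (DMZ is internet-facing, dev is isolated).
ZONE_LIKELIHOOD = {"dmz": 1.0, "pci_cde": 0.5, "corp_lan": 0.4, "dev": 0.2}
# Constructed IPS coverage: zones where an IPS signature exists for the CVE.
IPS_SHIELD = {"CVE-2014-0160": {"dmz"}}
# Constructed CVE-to-remediation map (bulletin / package that closes the CVE).
PATCHES = {"CVE-2014-0515": "APSB14-13", "CVE-2014-1776": "MS14-021",
           "CVE-2014-0160": "openssl-1.0.1g"}
AS_OF = date(2014, 8, 6)

# Constructed scanner findings: four sev-10 client bugs, two sev-5 Heartbleed hits.
FINDINGS = [
    Finding("ws-0417", "CVE-2014-0515", 10.0, True, date(2014, 7, 1)),
    Finding("ws-0418", "CVE-2014-0515", 10.0, True, date(2014, 7, 1)),
    Finding("ws-0419", "CVE-2014-0515", 10.0, True, date(2014, 7, 15)),
    Finding("ws-0417", "CVE-2014-1776", 10.0, True, date(2014, 6, 20)),
    Finding("dev-03", "CVE-2014-1776", 10.0, True, date(2014, 7, 30)),
    Finding("db-pci-01", "CVE-2014-0160", 5.0, True, date(2014, 6, 1)),
    Finding("web-dmz-02", "CVE-2014-0160", 5.0, True, date(2014, 5, 20)),
]


def is_shielded(f, assets):
    """Vulnerability + IPS signature: an IPS in front of the host's zone blocks the exploit."""
    return assets[f.host].location in IPS_SHIELD.get(f.cve, set())


def risk_score(f, assets, as_of):
    """Risk = Impact * Likelihood * Time for a single finding."""
    asset = assets[f.host]
    impact = f.severity * asset.value                    # vulnerability + host importance
    likelihood = ZONE_LIKELIHOOD[asset.location]         # vulnerability + host location
    likelihood *= 1.0 if f.exploitable else 0.4          # directly exploitable?
    if is_shielded(f, assets):
        likelihood *= 0.2                                # shielded, not fixed
    days_open = max(1, (as_of - f.first_seen).days)      # vulnerability + time on host
    return impact * likelihood * days_open


def by_severity(findings):
    """The status quo: highest scanner severity first."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def by_risk(findings, assets, as_of):
    """Risk exposure first."""
    return sorted(findings, key=lambda f: risk_score(f, assets, as_of), reverse=True)


def on_pci_hosts(findings, assets):
    return [f for f in findings if assets[f.host].location == "pci_cde"]


def shielded(findings, assets):
    return [f for f in findings if is_shielded(f, assets)]


def patch_quick_wins(findings, patches):
    """Vulnerability + patch: which single patch closes the most findings."""
    return Counter(patches[f.cve] for f in findings if f.cve in patches).most_common()


if __name__ == "__main__":
    print("By severity:", [(f.host, f.cve) for f in by_severity(FINDINGS)][:3])
    print("By risk:", [(f.host, f.cve, round(risk_score(f, ASSETS, AS_OF)))
                       for f in by_risk(FINDINGS, ASSETS, AS_OF)][:3])
    print("Quick wins:", patch_quick_wins(FINDINGS, PATCHES))
```

With this data the severity ordering puts a Flash bug on a workstation first and both Heartbleed findings last, while the risk ordering puts Heartbleed on the PCI database first: same scanner output, different queue. The patch count shows the Adobe bulletin closing three findings in one change, and the DMZ Heartbleed finding is the only one an IPS signature covers, which makes it a mitigation candidate rather than a reason to lower its priority permanently.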

Page 28

The Result

[Chart: Risk vs. Time, risk falling as high risk-causing vulnerabilities are remediated]

Risk is reduced over time

Risk visibility and communication is increased

Risk reduced by reducing attack surface

Page 29

Case Study (FinCorp Bank)

Before

Losing the fixed vs found battle

Unfocused remediation

Risk not reduced over time

After

Full visibility into many relationships

Risk and attack surface reduced week over week

Understanding of network topology + network map

Result – More effective understanding and application of remediation options

Page 30

The Process

Discovery – Is there a better way than active scanning?

Page 31

Case Study

Large Multi-national

– Central IT / Strong Business Units

– Loosely controlled scanning / Business units can opt out.

– CISO needed to be able to ensure a single vulnerability was wiped out.

– Had SCCM everywhere

Page 32

Limited and Out of Date Information

The value of vulnerability information decays over time

[Chart: knowledge of vulnerabilities over Month 1, Month 2, Month 3 (axis marks 60%, 80%, 100%); knowledge is added during each scan and decays post scan, the shortfall labelled "Missing data"]

Page 33

Why Not Scan More Often? (2012 Survey)

It’s Just Too Difficult

Reasons that respondents don’t scan more often:

We just don’t need to scan more

Unable to gain credentialed access to scan portions of the network

The cost of licenses is prohibitive

Some hosts are not scannable due to their use

We don't have the resources to deal with broader patching activity

We don’t have the resources to analyze more frequent scan data

We are concerned about disruptions from scanning

[Bar chart; response shares as printed: 59%, 58%, 41%, 34%, 29%, 12%, 5% (the pairing of share to reason is not recoverable from the slide text)]

Page 34

So Security Teams Try to Limit Impact

Disruption: “Oops, we took down the net”

Scan Today → Scan Next Week → Scan Next Month → Scan Next Year → Scan NEVER

Page 35

Scan Frequency and Coverage (2012 Survey)

[Chart: Scan Frequency in Days (0 to 350) against % of Network Scanned (10% to 90%)]

Partner/External Networks: ~60-90 days, <50% of hosts

Critical systems, DMZ: ~30 days, 50-75% of hosts

Goal: ~Daily / Continuous, 90%+ of hosts

Page 36

Host – Vulnerability Relationship

Asset: Windows 7, Firefox, Adobe Reader 10, Java SE 20

Vulnerabilities in the catalog, with affected products:

Buffer Overflow – Windows 7, Windows 2K SP2, Windows 2K SP1

Remote Code Execution – Adobe Reader 8, Adobe Reader 9, Adobe Reader 10, Adobe Reader 7.7

Security Bypass – Firefox, Thunderbird, SeaMonkey

Remote DoS – IIS 6.0, IIS 7.5

Remote Unspecified – Java 7.4, Java FX 2.2.4, Java JRE 6.7, Java SE 7.11

Page 37

Vulnerability Deduction Process

Product Profiling inputs: Asset / Patch Management, Networking Devices, Active Scanner (OS version & patch level, application versions)

Product Catalog (CPE) + Vulnerability List (CVE) from the Vulnerability Database → Vulnerability Deduction
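The deduction process on pages 36 and 37 is a join: the product and patch level recorded per host by asset/patch management (SCCM, in the multi-national case study) is matched against a vulnerability catalog keyed by product and affected version range, so vulnerabilities can be inferred without waiting for the next scan. The Python below is an added example, not the deck's or Skybox's code. The catalog entries, version ranges, patch identifiers and host inventory are constructed for illustration and are not real advisory data, and the version comparison is a plain dotted-numeric compare (real CPE matching also has to handle editions, update strings and vendor-specific version schemes).

```python
"""Vulnerability deduction from inventory instead of active scanning.

Added example with constructed data: a CPE-style product catalog, a small
vulnerability list with affected version ranges, and per-host inventory as an
asset/patch-management system would export it.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple: '1.7.0.11' -> (1, 7, 0, 11)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Affected:
    product: str                  # CPE-style vendor:product key
    min_version: str              # inclusive lower bound
    fixed_version: Optional[str]  # exclusive upper bound; None = no fixed release

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.min_version):
            return False
        return self.fixed_version is None or v < parse_version(self.fixed_version)


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    title: str
    affected: tuple                     # Affected entries
    fixed_by: frozenset = frozenset()   # patch identifiers that remediate it


@dataclass(frozen=True)
class HostInventory:
    host: str
    products: tuple      # (product, version) pairs
    patches: frozenset   # installed patch identifiers


# Constructed vulnerability list modelled on the page-36 diagram; ids and ranges are made up.
VULN_DB = [
    VulnRecord("vuln-001", "Buffer Overflow",
               (Affected("microsoft:windows_7", "6.1", None),
                Affected("microsoft:windows_2000", "5.0", None)),
               frozenset({"patch-w7-001"})),
    VulnRecord("vuln-002", "Remote Code Execution",
               (Affected("adobe:reader", "7.7", "11.0"),)),
    VulnRecord("vuln-003", "Security Bypass",
               (Affected("mozilla:firefox", "0", "30.0"),
                Affected("mozilla:thunderbird", "0", "24.6"),
                Affected("mozilla:seamonkey", "0", "2.26"))),
    VulnRecord("vuln-004", "Remote DoS",
               (Affected("microsoft:iis", "6.0", "7.6"),),
               frozenset({"patch-iis-002"})),
    VulnRecord("vuln-005", "Remote Unspecified",
               (Affected("oracle:jre", "1.6.0", "1.7.0.51"),
                Affected("oracle:javafx", "2.2.0", "2.2.5"))),
]

# Constructed inventory, as exported from asset/patch management.
INVENTORY = [
    HostInventory("ws-0417",
                  (("microsoft:windows_7", "6.1"), ("adobe:reader", "10.1"),
                   ("mozilla:firefox", "29.0"), ("oracle:jre", "1.7.0.11")),
                  frozenset({"patch-w7-001"})),
    HostInventory("web-dmz-02",
                  (("microsoft:windows_server_2008", "6.1"), ("microsoft:iis", "7.5")),
                  frozenset()),
    HostInventory("db-pci-01", (("oracle:jre", "1.7.0.55"),), frozenset()),
]


def deduce(inventory, vuln_db):
    """Map host -> list of (vuln_id, product, version) deduced from installed products."""
    result = {}
    for h in inventory:
        hits = []
        for rec in vuln_db:
            if rec.fixed_by & h.patches:     # remediating patch already installed: not vulnerable
                continue
            for product, version in h.products:
                if any(a.product == product and a.matches(version) for a in rec.affected):
                    hits.append((rec.vuln_id, product, version))
        result[h.host] = hits
    return result


def hosts_with(vuln_id, inventory, vuln_db):
    """The CISO's question: which hosts still carry this one vulnerability?"""
    return sorted(h for h, hits in deduce(inventory, vuln_db).items()
                  if any(v == vuln_id for v, _, _ in hits))


if __name__ == "__main__":
    for host, hits in deduce(INVENTORY, VULN_DB).items():
        print(host, hits)
```

Because the input is an inventory export rather than a network probe, this runs as often as the inventory refreshes and never touches a host that is "not scannable due to its use"; the trade-off is that it is only as good as the catalog and the version data, so findings it produces are candidates to confirm, and a host whose inventory is stale is a gap, not a clean result.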

Page 38

Speed

Typical scanner: 250 hosts/hour vs. Analytical scan: 100,000 hosts/hour

Page 39

Analytics Give You a Continuous View of Vulnerabilities

[Chart: coverage over Month 1, Month 2, Month 3 (50% to 100%) for the Active scanner alone versus Analytics-based detection; caption: combining active scanning and analytics based vulnerability detection]

Page 40

Case Study

Large Multi-national

– Visibility on ~100% of hosts in less than a week.

– Able to eradicate Heartbleed on 98% of PCs (over 500k) in less than a week.

– Complete eradication in 23 days.

– Has visibility into network devices.

– Able to discover vulnerabilities on mission critical portions of the network.

Page 41

Not all scanners have every vulnerability

Date vulnerability was added to scanner by vendor:

CVE             Qualys     McAfee     TripWire   Tenable
CVE-2014-4228   Jul 17     Jul 29     Not Added  Jul 16
CVE-2014-4943   Jul 28     Jul 24     Jul 19     Jul 17
CVE-2013-1741   Apr 4      Dec 11     Nov 18     Dec 6
CVE-2014-4607   Jul 14     Jul 10     Jan 1      Jun 27
CVE-2014-2804   Apr 28     Jun 25     Jul 8      Jul 8
CVE-2014-2783   Apr 28     Jul 8      Sep 26     Jul 8
CVE-2014-1375   Jul 2      Not Added  Jun 30     Jul 1
CVE-2014-1369   Not Added  Jul 10     Not Added  Jun 30
CVE-2014-0015   Not Added  Jul 9      Jun 30     Not Added

Page 42

Your scanner needs to be part of a greater plan

The more data sources you can include, the better.

Advisories: Adobe, Cisco PSIRT, Microsoft Security Bulletin, Oracle

Scanners: eEye Retina*, ISS Internet Scanner*, McAfee Foundstone, Qualys Guard, Rapid7 Nexpose, Tenable Nessus, Tripwire nCircle

IPS: HP TippingPoint, ISS Proventia, Palo Alto Networks, SourceFire, Symantec

Other Sources: CERT, Mitre CVE, NIST’s NVD, Rapid7 Metasploit, SecurityFocus, Symantec Worms

Page 43

The Power of Seven Scanners at Once
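The table on page 41 and the source list on page 42 make the case for merging feeds; the mechanics are normalizing every source to a common (host, CVE) key and taking the union, after which each scanner's coverage can be measured against the combined view instead of against itself. The Python below is an added example, not the deck's or Skybox's code. The two scanner exports are constructed (a CSV and a JSON shape chosen for illustration, not the real export format of any named product), and the CVE identifiers are taken from the page-41 table.

```python
"""Merge findings from several scanners into one (host, CVE) view.

Added example with constructed exports. Each scanner speaks a different
format and misses some CVEs; the union is the view to prioritize from.
"""
import csv
import io
import json

# Constructed export from scanner A (CSV, one row per host/CVE).
SCANNER_A_CSV = """host,cve,severity
10.0.0.5,CVE-2014-0160,5
10.0.0.5,CVE-2014-4943,7
10.0.0.6,CVE-2014-1375,6
"""

# Constructed export from scanner B (JSON, CVE list per host).
SCANNER_B_JSON = json.dumps([
    {"ip": "10.0.0.5", "vulns": ["CVE-2014-0160", "CVE-2014-1369"]},
    {"ip": "10.0.0.6", "vulns": ["CVE-2014-1375", "CVE-2014-0015"]},
])


def parse_scanner_a(text):
    """CSV export -> set of (host, cve); CVE ids upper-cased so sources key the same way."""
    return {(row["host"], row["cve"].upper()) for row in csv.DictReader(io.StringIO(text))}


def parse_scanner_b(text):
    """JSON export -> set of (host, cve)."""
    return {(entry["ip"], cve.upper()) for entry in json.loads(text) for cve in entry["vulns"]}


def merge(sources):
    """sources: name -> set of (host, cve).

    Returns the union, each source's share of the union, and the findings
    only that source reported (the ones you would lose by dropping it).
    """
    union = set().union(*sources.values())
    coverage = {name: len(found) / len(union) for name, found in sources.items()}
    unique = {name: found - set().union(*(o for n, o in sources.items() if n != name))
              for name, found in sources.items()}
    return union, coverage, unique


def merged_view():
    return merge({"scanner_a": parse_scanner_a(SCANNER_A_CSV),
                  "scanner_b": parse_scanner_b(SCANNER_B_JSON)})


if __name__ == "__main__":
    union, coverage, unique = merged_view()
    print(f"{len(union)} distinct host/CVE pairs across all scanners")
    for name, share in coverage.items():
        print(f"{name}: {share:.0%} of the combined view, {len(unique[name])} found only here")
```

The same normalization step is where the scanner-specific identifiers (plugin ids, QIDs, vendor check names) get mapped to CVE; findings that carry no CVE cannot be deduplicated across sources and have to be tracked under the source's own key until a mapping exists.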

Page 44

The Process

Remediation and Tracking – Do you know how you are doing?

Page 45

Remediation Reporting

Page 46

The Punchline

To ensure that risk-causing vulnerabilities exist in an exploitable state for the shortest amount of time possible, you must:

– Discover vulnerabilities quickly – Challenge the Active Scanner Status Quo

– Understand the relationship between the hosts and your vulnerabilities to discover what matters

– Remediate or mitigate based on analysis of risk – not severity. Enable reporting.

Page 47

Thank you!

Interested in Skybox for Vulnerability Assessment and

Management? Start your 30-Day Trial today!

www.skyboxsecurity.com/trial