Webcast description: In this webcast, Scott Crawford from Enterprise Management Associates and Michelle Johnson Cobb of Skybox Security will discuss how to:
• Link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks before exploitation
• Build a remediation strategy that addresses ‘unpatchable’ systems
• Minimize change management headaches by anticipating unintended impacts due to system and application interdependencies
• Use metrics and key performance indicators (KPIs) like remediation latency to track effectiveness of the vulnerability management program
Is Your Vulnerability Management Program Irrelevant?
© 2012 Enterprise Management Associates, Inc.
Scott Crawford
Managing Research Director
Enterprise Management Associates
www.enterprisemanagement.com
Vulnerability management: Seems pretty important…
• A security fundamental
• PDCA: Find and fix exploitable exposures
• Is it actually working in your organization?
• How do you know?
Polling Question 1
• Do you experience any of the following challenges with your vulnerability management program? (choose all that apply)
  • Disruptions due to active scanning
  • Lack the resources to analyze vulnerabilities in a timely manner
  • Lack the resources to mitigate vulnerabilities (e.g. patch) in a timely manner
  • Some hosts are not scannable
  • Unable to gain credentialed access to some parts of network
© 2012 Skybox Security - Confidential
Is it making a difference?
Diagram: the vulnerability management process as four stages, Discovery → Correlation → Prioritization → Mitigation, with the callouts “Lots of emphasis here…up to a point”, “Issues often overlooked here”, “Too many missed opportunities here”, and “Here be dragons…”
• Discovery that fails to culminate in effective mitigation isn’t vulnerability management. At best, it’s vulnerability assessment (and often, not even a thorough job of that…)
Vulnerability discovery: Not comprehensive enough
• Scope of assessment is often constrained
  • Thousands of systems
  • Distribution of assets
  • Limitations on access
• The paradox of assessment impact
  • “Don’t touch these most critical systems!”
  • “OK, we’ll make sure to let attackers know…”
• What often happens?
  • Assessment not frequent enough
  • Scope not adequate
Chart: Does IT risk assessment in your organization include actual testing of systems for their resistance to penetration, exploit, or other threats? (From: IT Risk Management: Five Aspects of High Performers that Set Them Apart, EMA Research Note, July 2011)
Vulnerability correlation
• All right, so now you have a laundry list of vulns
  • …or at least some vulns…
• How accurate is the assessment?
  • How specific is the vuln? E.g.: Affected versions?
  • How accurate is the correlation to assets? E.g. Update/patch history?
• What often happens?
  • Correlation may not be accurate or specific enough to individual assets
  • Can lead to downstream issues in remediation
Polling Question 2
• What information sources do you use to prioritize vulnerability data? (choose all that apply)
  • Vendor vulnerability rankings (e.g. Microsoft vuln criticality levels)
  • Network infrastructure
  • Configuration of security controls (firewalls, IPS, etc.)
  • Asset data
  • Patch history
  • Threat data
Vulnerability prioritization
• How to prioritize?
  • CVSS score? Configuration issue?
• An even better question:
  • What is the asset anyway? Customer payments processing system handling cardholder data? Or the employee satisfaction survey?
  • How do you know?
  • What is its relationship to other assets?
  • Is it actually exploitable?
  • Where will exploit lead?
• What often happens?
  • Priority based on vendor vulnerability ranking, not by what’s actually exploitable in the environment.
  • Exacerbated by inadequate insight into assets
Vulnerability remediation
• What are your options?
  • Patching? Reconfig? Access control? Network?
• What about “unpatchable” vulnerabilities?
  • Non-COTS, custom apps, factors of system integration
• Can the system be changed?
  • E.g. availability-critical physical infrastructure? SCADA?
• Is change necessary?
  • E.g. Sensitive asset, highly-rated vuln, access tightly controlled
• How do remediation options factor into prioritization?
• What often happens?
  • Patching becomes overwhelming (or is not an option)
  • Opportunities missed when mitigation excludes possible alternatives
  • Remediation takes too long or is ineffective
Completing the process: What did you learn?
• How do you know your efforts are successful?
  • Remediation success?
  • …and did remediation go as planned?
• What data are you using to verify?
  • Incident data?
  • Attempts against unremediated vulns? (What about historical data? Evidence of exploit before vulns became known)
  • Attempts against remediated vulns? Success? Further penetration?
  • Numbers of incidents that result in exposure?
  • Reductions in “significant” incidents? (i.e. investigation/response beyond “normal” resource allocation)
• Do findings factor into refining processes?
The upshot: What happens to security?
• Checklist mentality
  • Only cover most “important” obligations
• Scope of assessment not comprehensive enough
• Correlation & prioritization lost in a sea of noise…or not enough information
• Remediation bogs down (time, complexity)
Compliance rulez! (NOT!)
Is there a secret to getting us beyond these obstacles?
Hint #1: It’s in the data!
The rise of “data-driven” security
In a 2012 EMA survey of 200 organizations worldwide,*
• 38% are currently expanding investment in technologies for improving security data management
  • 40% plan such expansion in the next 1 to 3 years
• 32% are expanding investment in personnel expertise in security data management
  • 44% plan to do so in next 1 to 3 years
Chart: Would your organization collect more data, or a wider variety of data, relevant to information security if you could make use of it?
*The Rise of Data-Driven Security, EMA Research Report, May 2012
Why?
Many reasons – One important example:
• Is this confidence validated by the evidence?
  • Verizon 2010 DBIR: 86% had breach evidence in log data
  • 2012: 92% of breaches discovered by 3rd party
  • EMA 2012 survey: 57% spend unplanned work on security incidents 2-3x/month or more (12% do so daily)
Chart: Are you confident or doubtful that your organization could detect an important security issue before it has a significant impact? (From: The Rise of Data-Driven Security, EMA Research Report, May 2012)
Data-driven vulnerability management
• If you cannot scan more often or include a wider sample, what data do you already have?
• Some examples:
  • Asset inventory
  • Asset detail
  • Network topology
  • Access privileges
• How can you improve it?
  • Better correlation of vulnerability data to asset specifics
  • Factors of exploitability
• How can you use it?
Hint #2 (and #3)
• Better performance = better outcomes
• High performers are more thorough in PDCA – In other words, they complete their processes
• An example from a closely related aspect of IT ops: Change management
Chart: Which of the following best characterizes your organization’s IT change control processes?
  • 94% of High Performers
  • Half the median incidence of security events requiring response
(From: IT Risk Management: Five Aspects of High Performers that Set Them Apart, EMA Research Note, July 2011)
Making vulnerability management relevant: Linking data with completing the process
• Automate and integrate
  • The volume of available data may be excessive without tools to automate its application
  • Integration of assessment with prioritization and remediation often depends on integration of data
  • Prioritization depends on knowing which assets are affected – as specifically and accurately as possible
• Have a way to compare remediation options
  • Patching may not be your only – or even your best – option
  • …and for “unpatchable” vulns, it isn’t an option at all!
• Here are a few questions that don’t get asked often enough:
  • What are your outcomes?
  • How do you know your VM program is succeeding?
  • How and where can you best apply resources to improvement?
Skybox Security Overview
Leader in Security Risk Management
• Global 2000 customers
  • Financial Services, Government, Defense, Energy & Utilities, Retail, Service Providers, Manufacturing, Tech
Proven Solutions
• Automated Firewall Management
• Risk and Vulnerability Management
Polling Question 3
• On average, how long does it take for your company to complete one cycle of scanning, prioritizing, and mitigating critical vulnerabilities across your entire network? (choose one answer)
  1. 1-3 days
  2. 3-7 days
  3. 7-30 days
  4. 30-60 days
  5. never
  6. don’t know
Need vs. Reality Gap: Too Little, Too Late
Chart: Frequency and Coverage (y-axis: scan frequency, x/year, 0–350; x-axis: % of network scanned, 10%–90%), with three callouts:
• Where you need to be: daily process, 90%+ hosts
• Partner/External networks: avg. scan every 60-90 days, <50% of hosts
• Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts
The Skybox Security Solution: Next Generation Vulnerability Management
• Data-driven approach links vuln, network, asset data
• Continuous, non-disruptive vuln discovery
• Prioritize vulns according to business risk
• Evaluate mitigation options and change impact
• Automated and integrated with IT processes
Skybox Data-Driven Approach: Use a Network Model
Diagram: a network model built from data sources including Firewall, Load Balancer, Router, IPS, Vulnerability Scanner, Patch, System Config, and Vulnerability Detector
Non-Invasive Vulnerability Discovery
Diagram, traditional “active” vuln scanner: an active scanner tests thousands of signatures against hosts and produces a vulnerability list.
Diagram, Skybox “scanless” vulnerability discovery: the Skybox Vulnerability Detector extracts system, asset, and patch info from hosts, profiles vulns based on rules against a product catalog, and produces a vulnerability list.
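The scanless flow in the second diagram (extract system, asset and patch info, then profile vulns by rule against a product catalog) in working code, as an added example that is not Skybox's code or part of the original deck. The hosts, installed versions, patch IDs (KB-…), catalog entries and advisory IDs (ADV-…) are all constructed, and the matching rule (installed version inside an affected range and no fixing patch recorded) is the assumption the example demonstrates:

```python
"""Scanless vulnerability discovery from inventory data (added example, not
Skybox code). Hosts, patches, versions and the product catalog below are all
constructed for this example; the advisory IDs are placeholders."""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """'2.2.15' -> (2, 2, 15); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class CatalogEntry:
    advisory: str                 # placeholder advisory ID (constructed)
    product: str
    first_affected: tuple         # inclusive lower bound of affected versions
    fixed_in: tuple               # exclusive upper bound: first clean version
    fixing_patches: frozenset = frozenset()  # patches that fix it in place


@dataclass
class Host:
    name: str
    products: dict                # product -> installed version string
    patches: set = field(default_factory=set)


# Constructed product catalog: what a vendor advisory feed boils down to.
CATALOG = [
    CatalogEntry("ADV-0001", "acme-httpd", (2, 2, 0), (2, 2, 16), frozenset({"KB-0001"})),
    CatalogEntry("ADV-0002", "acme-db", (9, 0, 0), (9, 1, 5)),
    CatalogEntry("ADV-0003", "acme-httpd", (2, 4, 0), (2, 4, 3), frozenset({"KB-0003"})),
]

# Constructed inventory: the system/asset/patch info a CMDB or endpoint
# agent already holds. No packets are sent to any host.
INVENTORY = [
    Host("web01", {"acme-httpd": "2.2.15"}),
    Host("web02", {"acme-httpd": "2.2.15"}, patches={"KB-0001"}),
    Host("db01", {"acme-db": "9.1.3", "acme-httpd": "2.4.1"}),
    Host("legacy01", {"acme-db": "8.9.9", "acme-ftp": "1.0"}),
]


def host_is_affected(host: Host, entry: CatalogEntry) -> bool:
    """Rule: product installed, version inside the affected range, and no
    fixing patch recorded. Patch history is what keeps this from flagging
    hosts that were fixed without a version bump."""
    installed = host.products.get(entry.product)
    if installed is None:
        return False
    version = parse_version(installed)
    in_range = entry.first_affected <= version < entry.fixed_in
    return in_range and not (entry.fixing_patches & host.patches)


def discover(inventory, catalog) -> dict:
    """Return {host name: sorted advisory IDs}. Every inventoried host gets an
    entry, including clean ones, so coverage is the whole inventory rather
    than the subset an active scan could reach."""
    return {
        host.name: sorted(e.advisory for e in catalog if host_is_affected(host, e))
        for host in inventory
    }


if __name__ == "__main__":
    for name, advisories in discover(INVENTORY, CATALOG).items():
        print(f"{name}: {', '.join(advisories) or 'no known vulnerabilities'}")
```

The accuracy of this approach is only as good as the inventory and patch history fed into it, which is the correlation problem raised earlier in the deck: web02 is cleared solely because a fixing patch is recorded against it, so stale patch data would produce a false negative.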
Finding Exploitable Vulnerabilities
Diagram: threat origins (Internet hacker, Compromised partner, Rogue admin) shown against the network model, with a list of vulnerabilities labelled CVE 2009-203, CVE 2006-722, and CVE 2006-490
Predictive Analytics via Attack Simulation
Diagram: the same threat origins and vulnerabilities, with attack simulations traced from each origin through the network model
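How a network model turns the earlier prioritization questions (“Is it actually exploitable? Where will exploit lead?”) into a ranking, as an added example; it is not Skybox's attack-simulation code, which the slides do not show. Zones, access rules, hosts, business-impact scores, vulnerability IDs and ports are constructed; the three threat origins are the ones from the slide. The simulation assumes no filtering inside a zone and that a compromised host lets the attacker continue from its zone:

```python
"""Attack-simulation style exposure analysis over a network model (added
example, not Skybox code). Zones, access rules, hosts, vulnerability IDs,
business-impact scores and origin placement are all constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # placeholder ID (constructed)
    port: int         # port of the vulnerable service
    cvss: float       # vendor/CVSS severity, i.e. the "vendor ranking" view


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    impact: int       # business impact of compromise, 1 (low) .. 10 (critical)
    vulns: tuple


# Constructed access rules, the shape a firewall/router config reduces to:
# (source zone, destination zone, destination port) that is allowed through.
RULES = {
    ("internet", "dmz", 443),
    ("dmz", "pci", 5432),
    ("partner", "corp", 445),
    ("corp", "pci", 5432),
}

HOSTS = [
    Host("web01", "dmz", 3, (Vuln("V-0001", 443, 7.5),)),
    Host("pay01", "pci", 10, (Vuln("V-0002", 5432, 6.5),)),
    Host("hr01", "corp", 5, (Vuln("V-0003", 445, 9.8),)),
    Host("files01", "mgmt", 5, (Vuln("V-0004", 22, 9.1),)),   # no rule reaches mgmt
]

# Threat origins as on the slide, each placed in the zone it starts from.
ORIGINS = {"Internet hacker": "internet", "Compromised partner": "partner",
           "Rogue admin": "corp"}


def simulate(origin_zone: str, hosts, rules) -> dict:
    """Breadth-first attack simulation. Standing in a zone, the attacker can
    reach a host if it is in the same zone (no filtering inside a zone is
    assumed) or an access rule permits the vulnerable service port; each
    compromised host lets the attacker continue from that host's zone.
    Returns {host name: hops needed to compromise it}."""
    reached = {}
    frontier = deque([(origin_zone, 0)])
    zones_seen = {origin_zone}
    while frontier:
        zone, depth = frontier.popleft()
        for host in hosts:
            if host.name in reached:
                continue
            exposed = [v for v in host.vulns
                       if host.zone == zone or (zone, host.zone, v.port) in rules]
            if exposed:
                reached[host.name] = depth + 1
                if host.zone not in zones_seen:
                    zones_seen.add(host.zone)
                    frontier.append((host.zone, depth + 1))
    return reached


def prioritize(hosts, rules, origins) -> list:
    """Rank vulns by (exploitable from some origin, business impact, CVSS).
    Returns [(vuln_id, host, {origins that can reach it})], most urgent first."""
    exposure = {h.name: set() for h in hosts}
    for origin, zone in origins.items():
        for host_name in simulate(zone, hosts, rules):
            exposure[host_name].add(origin)
    rows = [(v.vuln_id, h.name, exposure[h.name], h.impact, v.cvss)
            for h in hosts for v in h.vulns]
    rows.sort(key=lambda r: (bool(r[2]), r[3], r[4]), reverse=True)
    return [(vid, host, reach) for vid, host, reach, _, _ in rows]


def vendor_ranking(hosts) -> list:
    """The CVSS-only view the slides warn about, for contrast."""
    rows = [(v.vuln_id, v.cvss) for h in hosts for v in h.vulns]
    return [vid for vid, _ in sorted(rows, key=lambda r: r[1], reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:", vendor_ranking(HOSTS))
    for vuln_id, host, reach in prioritize(HOSTS, RULES, ORIGINS):
        print(f"{vuln_id} on {host}: exploitable from {sorted(reach) or 'nobody'}")
```

The contrast is the point of the slide: by CVSS alone V-0004 (9.1) ranks second, but no rule in the model reaches its zone, so it drops to the bottom, while V-0002 (6.5) on the payments host rises to the top because all three origins can reach it through the allowed flows. The same model also answers the remediation question, since removing the ("dmz", "pci", 5432) rule or the V-0001 exposure can be re-simulated as a mitigation option without patching.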
Plan Defensive Strategy
Monitor Vulnerability KPIs
Diagram: dashboard panels for Most Critical Actions, Vulnerabilities, and Threats
Recap… Steps to Effective Vulnerability Management
Data Driven
• Able to gather and process more vulnerability and risk data, faster
Prioritize by Business Impact
• Know what’s really exploitable, rank by business impact
Close the Loop with Mitigation and Metrics
• Evaluate options beyond patching, sync with change management process
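Closing the loop with metrics: remediation latency, the KPI named in the webcast description, computed from vulnerability tracking records, as an added example that is not from the deck. The records, SLA targets and reporting date are constructed; aging open items against an “as of” date is this example's own choice, so an overdue backlog shows next to the closed-item latency instead of hiding behind it:

```python
"""Remediation-latency KPIs from vulnerability tracking records (added
example, not Skybox code). The records, the SLA targets and the reporting
date are constructed."""
from datetime import date
from statistics import median

# Constructed SLA targets: maximum days from discovery to remediation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed reporting date used to age still-open items.
AS_OF = date(2012, 7, 1)

# Constructed tracking records:
# (vuln id, host, severity, discovered, remediated or None if still open)
RECORDS = [
    ("V-0001", "web01", "critical", date(2012, 5, 1), date(2012, 5, 4)),
    ("V-0002", "pay01", "critical", date(2012, 5, 10), date(2012, 5, 25)),
    ("V-0003", "hr01", "critical", date(2012, 6, 20), None),
    ("V-0004", "web02", "high", date(2012, 4, 1), date(2012, 4, 20)),
    ("V-0005", "db01", "high", date(2012, 5, 15), date(2012, 6, 30)),
    ("V-0006", "files01", "high", date(2012, 6, 25), None),
    ("V-0007", "legacy01", "medium", date(2012, 3, 1), None),
    ("V-0008", "web01", "medium", date(2012, 3, 1), date(2012, 4, 1)),
]


def remediation_kpis(records, sla_days, as_of: date) -> dict:
    """Per severity: closed count, median latency in days, percentage of
    closed items remediated within SLA, open count, and open items already
    past SLA as of `as_of`."""
    by_sev = {}
    for _, _, severity, discovered, remediated in records:
        k = by_sev.setdefault(severity, {"latencies": [], "open_ages": []})
        if remediated is None:
            k["open_ages"].append((as_of - discovered).days)
        else:
            k["latencies"].append((remediated - discovered).days)
    report = {}
    for severity, k in by_sev.items():
        sla = sla_days[severity]
        closed = k["latencies"]
        report[severity] = {
            "closed": len(closed),
            "median_latency_days": median(closed) if closed else None,
            "within_sla_pct": (round(100 * sum(d <= sla for d in closed) / len(closed))
                               if closed else None),
            "open": len(k["open_ages"]),
            "open_overdue": sum(age > sla for age in k["open_ages"]),
        }
    return report


if __name__ == "__main__":
    for severity, kpi in remediation_kpis(RECORDS, SLA_DAYS, AS_OF).items():
        print(severity, kpi)
```

On the constructed data the critical tier looks acceptable on closed items (median 9 days, half within SLA) but already carries an open item past its 7-day SLA, which is the kind of signal the “did remediation go as planned?” question on the earlier slide is asking for.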
Find out more…
• Download our VM Whitepaper or VM Survey Results
• Ask for a demo of our solutions
• www.skyboxsecurity.com
Thank you!
Questions?
Scott Crawford
Managing Research Director
Enterprise Management Associates
www.enterprisemanagement.com
Michelle Johnson Cobb
VP Worldwide Marketing
Skybox Security
www.skyboxsecurity.com