Transcript E - isaca
Effective Enterprise Vulnerability Management
Minimizing Risk by Implementing a Vulnerability Management Process
Samwel Orwa
ITILv3, CISA, CISM, CRISC, QualysGuard Certified
After Hours Seminar, 26.6.2012,
ISACA Switzerland Chapter
1
Agenda
1. The Problem
2. What is Vulnerability Management?
3. Challenges to Effective VM
4. Vulnerability Management Lifecycle
5. Successful Approaches
The Problem
Organizations are Feeling the Pain
1. What causes the damage?
2. How do you prevent the damage? What are your options?
3. How do you successfully deal with vulnerabilities?
4. How do you make the best security decisions?
RISK = Assets x Vulnerabilities x Threats
95% of breaches target known vulnerabilities. You can control vulnerabilities.
Vulnerabilities: focus on the right assets, right threats, right measures.
Business complexity, human resources, financial resources.
The Enterprise Today
Mountains of data, many stakeholders
Security functions: malicious code detection, spyware detection, real-time monitoring, troubleshooting, access control enforcement, configuration control, privileged user management, lockdown enforcement, unauthorized service detection, false positive reduction, IP leakage, user monitoring, SLA monitoring
Log sources: web server activity logs, switch logs, VA scan logs, Windows domain logins, Windows logs, web cache & proxy logs, content management logs, IDS/IDP logs, router logs, VPN logs, firewall logs, wireless access logs, Oracle Financial logs, mainframe logs, Linux/Unix/Windows OS logs, client & file server logs, DHCP logs, SAN file access logs, VLAN access & control logs, database logs
How do you collect & protect all the data necessary to secure your network and comply with critical regulations?
Vulnerability Management
What is Vulnerability
Management?
What Is Vulnerability Management?
A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.
Challenges to Effective VM
Challenges – Assessment
• Traditional desktop scanners cannot handle large networks
• They produce volumes of useless checks
• Confidentiality: storage of scan data outside the organization's legal residence (jurisdiction)
• Chopping up scans and distributing them is cumbersome
• Garbage In, Garbage Out (GIGO) – volumes of superfluous data
• Coverage at all OSI layers is inadequate
• Time consuming and resource intensive
• Finding the problem is only half the battle
Challenges – Analysis
• Manual and resource intensive process to determine
– What to fix
– If you should fix
– When to fix
• No correlation between vulnerabilities, threats and assets
• No way to prioritize which vulnerabilities should be addressed
– In what order
• Stale data
– Making decisions on last quarter’s vulnerabilities
• No credible metrics
Challenges – Remediation
• Security resources are often decentralized
• The security organization often doesn’t own the network or system
• Multiple groups may own the asset
• Presenting useful and meaningful information to relevant stakeholders
• Determining if the fix was actually made
Vulnerability Management Lifecycle
Successful Approaches: Implementing an Effective VM Strategy
Network Discovery – Mapping
• Gives a hacker’s eye view of your network
• Enables the detection of rogue devices (Shadow IT)
Vulnerability Management Lifecycle
1. DISCOVERY (Mapping)
2. ASSET PRIORITISATION (and allocation)
3. ASSESSMENT (Scanning)
4. REPORTING (Technical and Executive)
5. REMEDIATION (Treating Risks)
6. VERIFICATION (Rescanning)
Question
1) What is the primary goal of vulnerability assessment?
a. To determine the likelihood of identified risk
b. To assess the criticality of information resources
c. To verify that controls are working as intended
d. To detect known deficiencies in a particular environment
Prioritize Assets
Asset Prioritization
• Identify assets by:
– Networks
• Logical groupings of devices
• Connectivity - None, LAN, broadband, wireless
– Network Devices
• Wireless access points, routers, switches
– Operating System
• Windows, Unix
– Applications
• IIS, Apache, SQL Server
– Versions
• IIS 5.0, Apache 1.3.12, SQL Server V.7
Correlate Threats
Correlate Threats
• Not all threat and vulnerability data have equal priority
• Primary goal is to rapidly protect your most critical assets
• Identify threats
– Worms
– Exploits
– Wide-scale attacks
– New vulnerabilities
• Correlate with your most critical assets
• Result = Prioritization of vulnerabilities within your environment
Determine Risk Level
Remediation
Remediation / Resolution
• Perfection is unrealistic (zero vulnerabilities)
– Think credit card fraud – will the banks ever eliminate credit card fraud?
• You have limited resources to address issues
• The question becomes:
– Do I address or not?
• Factor in the business impact costs + remediation costs
– If the risk outweighs the cost – eliminate or mitigate the vulnerability!
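The threat correlation from the Correlate Threats slide and the eliminate / mitigate / tolerate decision from this slide, as an added Python example that is not part of the deck and not QualysGuard code; the 1-5 scales, the threat weights, the sample assets, the vulnerability ids and the cost figures are all constructed assumptions.

```python
"""Risk-based prioritisation and treatment of scan findings (added example).

Applies RISK = Assets x Vulnerabilities x Threats: findings are correlated with
asset criticality and an active-threat feed, ranked, then each is decided as
eliminate / mitigate / tolerate by expected loss vs remediation cost. A rescan
check closes the loop. All scales and data below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed sample data (assumed scales, not a vendor's rating system)
ASSET_CRITICALITY = {"erp-db01": 5, "web-shop01": 4, "dev-jenkins": 2}   # 1..5
VULNS = {"VULN-A": (5, True), "VULN-B": (3, True), "VULN-C": (4, False)}  # (severity 1..5, patch available)
ACTIVE_THREATS = {"VULN-A": "worm", "VULN-C": "exploit"}  # threat feed: vuln id -> observed activity
THREAT_WEIGHT = {"worm": 3, "exploit": 2}                  # absent from the feed -> weight 1
SCAN_BEFORE = {("erp-db01", "VULN-A"), ("dev-jenkins", "VULN-A"),
               ("web-shop01", "VULN-B"), ("dev-jenkins", "VULN-C")}   # scanner findings
MAX_RISK = 5 * 5 * 3  # highest possible score on the assumed scales

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str
    risk: int  # asset criticality x vulnerability severity x threat weight

def correlate(scan):
    """Steps 2-3: score each (asset, vuln) finding and rank highest risk first."""
    ranked = []
    for asset, vuln in scan:
        severity, _patch = VULNS[vuln]
        threat = THREAT_WEIGHT.get(ACTIVE_THREATS.get(vuln), 1)
        ranked.append(Finding(asset, vuln, ASSET_CRITICALITY[asset] * severity * threat))
    return sorted(ranked, key=lambda f: (-f.risk, f.asset, f.vuln))

def decide(finding, business_impact, remediation_cost):
    """Step 5: eliminate (patch exists), mitigate (no patch) or tolerate, by expected loss vs cost."""
    expected_loss = business_impact * finding.risk / MAX_RISK
    if expected_loss <= remediation_cost:
        return "tolerate"
    return "eliminate" if VULNS[finding.vuln][1] else "mitigate"

def verify(before, after):
    """Step 6: after a rescan, list the findings still open (the fix was not actually made)."""
    return sorted(before & after)

if __name__ == "__main__":
    for f in correlate(SCAN_BEFORE):
        print(f"{f.risk:3d}  {f.asset:<12} {f.vuln}  -> {decide(f, 100_000, 5_000)}")
    print("still open after rescan:", verify(SCAN_BEFORE, {("web-shop01", "VULN-B")}))
```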
Measure
Measure
• Current state of security metrics
– You can’t manage what you can’t measure
– No focus on quantifying “Security”
• What is my real risk?
– Only a relative scale of risk, not an absolute
– Return on Security Investment (ROSI) is extremely difficult to calculate
– No accountability in security
Scanner Appliance Architecture
QualysGuard – Global Cloud Architecture