Transcript E - isaca
Effective Enterprise Vulnerability Management. Minimizing Risk by Implementing Vulnerability Management Process Samwel Orwa ITILv3, CISA, CISM, CRISC, QualysGuard Certified After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 1 Agenda 1 The Problem 2 What is Vulnerability Management ? 3 Challenges to Effective VM 4 Vulnerability Management Lifecycle 5 Successful Approaches After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 2 The Problem After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 3 Organizations are Feeling the Pain 1. What causes the damage? 2. How do you prevent the damage? What are your options? RISK= Assets x Vulnerabilities x Threats 95% of breaches target known vulnerabilities 4. How do you make the best security decisions? You can control vulnerabilities. 3. How do you successfully deal with vulnerabilities? Vulnerabilities Focus on the right assets, right threats, right measures. Business complexity Human resources Financial resources After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 4 The Enterprise Today Mountains of data, many stakeholders Malicious Code Detection Spyware detection Real-Time Monitoring Troubleshooting Access Control Enforcement Configuration Control Privileged User Management Lockdown enforcement Unauthorized Service Detection False Positive Reduction IP Leakage Web server activity logs User Monitoring Switch logs VA Scan logs Windows domain logins Windows logs Web cache & proxy logs SLA Monitoring Content management logs IDS/IDP logs Router logs VPN logs Firewall logs Wireless access logs Oracle Financial Logs Mainframe logs Linux, Unix, Windows OS logs Client & file server logs DHCP logs San File Access Logs VLAN Access & Control logs Database Logs How do you collect & protect all the data necessary to secure your network and comply with critical regulations? Vulnerability Management 5 What is Vulnerability Management? After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 6 What Is Vulnerability Management? A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability. After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 7 Challenges to Effective VM After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 8 Challenges – Assessment • Traditional desktop scanners cannot handle large networks • Provide volumes of useless checks • Confidentiality, Storage of scan data outside the Organization legal resident • Chopping up scans and distributing them is cumbersome • Garbage In- Garbage Out (GIGO)– volumes of superfluous data • Coverage at all OSI layers is inadequate • Time consuming and resource intensive • Finding the problem is only half the battle After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 9 Challenges – Analysis • Manual and resource intensive process to determine – What to fix – If you should fix – When to fix • No correlation between vulnerabilities, threats and assets • No way to prioritize what vulnerabilities should be addressed – What order • Stale data – Making decisions on last quarter’s vulnerabilities • No credible metrics After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 10 Challenges – Remediation • Security resources are often decentralized • The security organization often doesn’t own the network or system • Multiple groups may own the asset • Presenting useful and meaningful information to relevant stakeholders • Determining if the fix was actually made After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 11 Vulnerability Management Lifecycle After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 12 Vulnerability Management Lifecycle After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 13 Successful Approaches: Implementing An Effective VM Strategy After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 14 Network Discovery – Mapping • Gives hacker’s eye view of you network • Enables the detection of rogue devices (Shadow IT) After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 15 Vulnerability Management Lifecycle 1. DISCOVERY (Mapping) 6. VERIFICATION (Rescanning) 2. ASSET PRIORITISATION (and allocation) 5. REMEDIATION (Treating Risks) 3. ASSESSMENT (Scanning) 4. REPORTING (Technical and Executive) After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 16 Question 1) What is the Primary goal of vulnerability assessment ? a. To determine the likelihood of identified risk b. To assess the criticality of information resources c. To verify that controls are working as intended d. To detect known deficiencies in a particular environment After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 17 Prioritize Assets After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 18 Asset Prioritization • Identify assets by: – Networks • Logical groupings of devices • Connectivity - None, LAN, broadband, wireless – Network Devices • Wireless access points, routers, switches – Operating System • Windows, Unix – Applications • IIS, Apache, SQL Server – Versions • IIS 5.0, Apache 1.3.12, SQL Server V.7 After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 19 Correlate Threats After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 20 Correlate Threats • Not all threat and vulnerability data have equal priority • Primary goal is to rapidly protect your most critical assets • Identify threats – – – – Worms Exploits Wide-scale attacks New vulnerabilities • Correlate with your most critical assets • Result = Prioritization of vulnerabilities within your environment After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 21 Determine Risk Level After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 22 Remediation After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 23 Remediation / Resolution • Perfection is unrealistic (zero vulnerabilities) – Think credit card fraud – will the banks ever eliminate credit card fraud? • You have limited resources to address issues • The question becomes: – Do I address or not? • Factor in the business impact costs + remediation costs – If the risk outweighs the cost – eliminate or mitigate the vulnerability! After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 24 Measure After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 25 Measure • Current state of security metrics – You can’t manage what you can’t measure – No focus on quantifying “Security” • What is my real risk? – Only a relative scale of risk, not an absolute – Return on Security Investment (ROSI) is extremely difficult to calculate – No accountability in security After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 26 Scanner Appliance Architecture After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 27 QualysGuard- Global Cloud Architecture After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter 28