VULNERABILITY MANAGEMENT
Moving Away from the Compliance Checkbox Towards
Continuous Discovery
WHO AM I?
Derek Thomas
Security Consultant
VM, SSO/AM, SIEM
Active in local INFOSEC groups
Misec
OWASP
ISSA
AGENDA
1. Common Problems
2. What are Vulnerabilities
3. Objectives of Vulnerability Management
4. Program Approach
5. Questions
PROBLEMS - COMMON THEMES
• Limited Scope
• External Network Centric
• Unauthenticated Scans
• Infrequent Assessments
• Compliance Driven
THREATS ARE EVERYWHERE
[Word cloud: Malware, Insider, Hacktivist, Target, Environmental, Mobile Devices, Improper Configs]
MINIMUM STANDARDS
Regulations are setting the standard
Example: NERC CIP-007, Requirement R8 (Cyber Vulnerability Assessment), which calls for
“A review to verify that only ports and services
required for operation of the Cyber Assets within the
Electronic Security Perimeter are enabled”
Running a command as simple as netstat on each asset would
satisfy this generic requirement
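To make the point concrete, here is the kind of check that satisfies the R8.2 wording: compare the sockets a host is listening on against the list of services its role requires. This is an added example, not part of the talk; the netstat output and the allowlist are constructed. It shows both what the minimum standard buys you (an unexpected listener stands out) and what it does not: the check says nothing about whether the approved services themselves are patched or configured securely.

```python
"""Compare listening ports on a host against an approved-services list.

Added example (not from the original talk). Parses text in the format of
`netstat -tuln` on Linux and flags listeners that are not on the allowlist.
The sample output and the allowlist below are constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -tuln` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Constructed allowlist: (protocol, port) pairs this asset's role requires.
APPROVED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443), ("udp", 123)}

# Proto, Recv-Q, Send-Q, Local Address, Foreign Address (State is optional).
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every listening socket.

    tcp6/udp6 are normalised to tcp/udp so the allowlist is address-family
    neutral. UDP rows carry no State column, so LISTEN is only required for TCP.
    """
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and header rows
        proto, local = m.group(1), m.group(2)
        if proto.startswith("tcp") and "LISTEN" not in line:
            continue  # established or closing TCP sockets are not exposure
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 ':::22'
        listeners.append((proto.rstrip("6"), addr, int(port)))
    return listeners


def unexpected_listeners(netstat_output: str,
                         approved: Set[Tuple[str, int]]) -> List[Dict[str, object]]:
    """Listeners absent from the allowlist.

    Loopback-only binds are tagged separately: they are not reachable from the
    network, but they are still a deviation from the approved baseline.
    """
    findings = []
    for proto, addr, port in parse_listeners(netstat_output):
        if (proto, port) in approved:
            continue
        scope = "loopback" if addr in ("127.0.0.1", "::1") else "network"
        findings.append({"proto": proto, "port": port, "bind": addr, "scope": scope})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(SAMPLE_NETSTAT, APPROVED):
        print(f"{f['proto']}/{f['port']} bound to {f['bind']} ({f['scope']}) is not approved")
```

On the constructed sample this flags telnet (tcp/23) and SNMP (udp/161) as network-exposed deviations and PostgreSQL (tcp/5432) as a loopback-only one. Note that the approved SSH and HTTPS listeners pass without any statement about their version or configuration, which is exactly the limited insight the next slide warns about.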
MINIMUM STANDARDS = LIMITED INSIGHT
When your goal is meeting a minimum standard you run the risk of missing
valuable insight into the security posture of many aspects of your organization
LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES
Patch Management: Outdated software exists on newer assets and on assets not joined to the domain
Security Monitoring: Detection is slow, tedious, or non-existent because of an overabundance of false positives
Change Management: Ineffective change management allows rogue servers to appear on the network
Incident Response: A data breach has led to costly damages
PATH TO THE DARKSIDE
Lightside -> Darkside:
Minimum Requirements -> Minimal Insight -> Vulnerabilities -> Exploits -> Suffering
AVOID THE DARK SIDE WITH A VM PROGRAM
Follow a defined lifecycle
Proactively identify vulnerabilities
Technical
Process
Evaluate effectiveness with testing
NON-TECHNICAL VULNERABILITIES
What’s the first thing that comes to your
mind when you think of a vulnerability?
Outdated software and insecure configurations
are often the answer
Non-technical vulnerabilities exist in security
processes as well
Understanding how each can be addressed is
the key to a successful program
THE “WHAT”
Availability
THE “HOW”
Security controls can fall into 3 categories
Prevention
Correction
Detection
THE “WHY” (AVOID THE DARKSIDE)
Incident Reduction
Risk Reduction
Minimize threat vectors
Risk Reporting
Tracking
VM PROGRAM APPROACH
Define a Plan
Assign Responsibilities
Define Scope
Define Critical Controls
Utilize a Sustainable Lifecycle
Strive for Predictable and Repeatable Results
DEFINE A PLAN - RESPONSIBILITIES
• Assign roles and responsibilities
• Who is responsible for what
• Most roles already map onto a particular person in the organization
VM Project Lead (Jane Doe): Manages VM team; coordinates remediation
Patch Management Lead (Jenny Smith): Patch Engineer
Red Team (John Doe): Penetration Testing; Vulnerability Management
DEFINE A PLAN - SCOPE
What is going to be managed?
Start with discovery scans
Incorporate as many assets as possible
Security controls should be added as well
In Scope: Critical Servers, Medical Devices, Firewall X, Application Y
Out of Scope:
DEFINE A PLAN - CRITICAL CONTROLS
Vulnerabilities exist in controls
What controls should be added
SANS Top 20 Critical Controls
SUSTAINABLE LIFECYCLE
1. Find: Proactively search for weaknesses within the scope
2. Fix: Remediate known vulnerabilities
3. Test: Verify vulnerabilities have been remediated
SUSTAINABLE LIFECYCLE - FIND
How are vulnerabilities found?
2 basic approaches:
Automated
(Semi)Manual
Many tasks can be automated
Manual assessments still need to be
performed
SUSTAINABLE LIFECYCLE – FIND AUTOMATED
Automated tool performs the heavy lifting
The most famous is the vulnerability scanner
7 out of 20 SANS Critical Controls can be
automated in some way with a vulnerability tool
Another 8 can be automated using additional
tools
Automate as much as possible to save time for
the fun
SUSTAINABLE LIFECYCLE – FIND MANUAL
Remaining security controls can be manually
tested
Controls can be tested through various Red
Team exercises
The Red Team simulates attacks from a
malicious party
Examples: Incident Detection, Incident Response, People
SUSTAINABLE LIFECYCLE - FIX
How are vulnerabilities going to be fixed
Present data in actionable form
A 6,000-page PDF is not very actionable
Generate patch reports for the patch management team
Reports filtered to server IPs can be sent to the server team
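The routing step described above is mostly bookkeeping, but it is the step that turns a scan export into work that a team can own. The following is an added example, not code from the talk: it assigns each finding to an owner by network range (the team names and CIDRs are constructed), drops informational noise, orders each team's list by severity, and collapses a team's findings into one line per remediation task. The scan export is a constructed CSV in the shape most scanners can produce.

```python
"""Turn a flat vulnerability-scan export into per-team work lists.

Added example (not from the original talk). Ownership is assigned by address
range; findings are grouped by owning team and by the fix that closes them, so
each team receives only what it can act on. All data below is constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed ownership map: which team owns which address range.
OWNERS = {
    "server-team": ipaddress.ip_network("10.10.0.0/24"),
    "workstation-team": ipaddress.ip_network("10.20.0.0/16"),
    "network-team": ipaddress.ip_network("10.0.0.0/29"),
}

# Constructed scan export. 'fix' is the remediation text the scanner reports.
SCAN_CSV = """\
host,plugin,severity,fix
10.10.0.5,OpenSSH < 9.x,High,Upgrade openssh-server
10.10.0.5,TLS 1.0 enabled,Medium,Disable TLS 1.0 in web server config
10.10.0.9,OpenSSH < 9.x,High,Upgrade openssh-server
10.20.3.44,Adobe Reader outdated,Critical,Apply Adobe Reader update
10.0.0.1,SNMP default community,High,Change SNMP community string
10.10.0.5,Traceroute information,Info,None
192.168.99.1,Telnet enabled,High,Disable telnet
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def owner_for(host: str) -> str:
    """Map a host address to its owning team, or 'unassigned' if no range matches.

    Unassigned hosts are worth reporting on their own: they are assets that
    discovery found but nobody has claimed, which is a scope gap.
    """
    ip = ipaddress.ip_address(host)
    for team, net in OWNERS.items():
        if ip in net:
            return team
    return "unassigned"


def load_findings(csv_text: str, min_severity: str = "Low") -> List[Dict[str, str]]:
    """Parse the export, drop rows below min_severity, and tag each with its owner."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    floor = SEVERITY_RANK[min_severity]
    kept = [r for r in rows if SEVERITY_RANK[r["severity"]] >= floor]
    for r in kept:
        r["owner"] = owner_for(r["host"])
    return kept


def by_owner(findings: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """owner -> that owner's findings, most severe first."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["owner"]].append(f)
    for team in grouped:
        grouped[team].sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return dict(grouped)


def patch_report(findings: List[Dict[str, str]], owner: str) -> Dict[str, List[str]]:
    """fix -> sorted affected hosts for one owner: one line per remediation task."""
    tasks = defaultdict(set)
    for f in findings:
        if f["owner"] == owner:
            tasks[f["fix"]].add(f["host"])
    return {fix: sorted(hosts) for fix, hosts in tasks.items()}


if __name__ == "__main__":
    findings = load_findings(SCAN_CSV)
    for team, items in by_owner(findings).items():
        print(f"{team}: {len(items)} finding(s)")
    for fix, hosts in patch_report(findings, "server-team").items():
        print(f"  server-team task: {fix} on {', '.join(hosts)}")
```

The server team's report comes out as two tasks (upgrade OpenSSH on two hosts, disable TLS 1.0 on one) rather than three findings, and the 192.168.99.1 telnet finding lands in "unassigned", which is the signal to extend the ownership map or the scope.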
SUSTAINABLE LIFECYCLE - FIX
Easier said than done
Use built in tools if possible
Need buy in from application, system, and
network team
Without buy-in remediation becomes difficult
SUSTAINABLE LIFECYCLE - TEST
Verification of remediation efforts
Verify that patches have been applied
Ideally right after application
Can also be performed at the next scan interval
PREDICTABLE AND REPEATABLE RESULTS
Once the program has reached a mature level
the results shouldn’t be surprising
The processes will mature to the point that you
can accurately predict the outcomes
Patches will be applied on time
Malware will be detected and cleaned
Assets will be introduced with secure configurations
PREDICTABLE AND REPEATABLE RESULTS - METRICS
Vulnerability Management needs to
be assessed
Metrics can gauge your
improvement
NIST SP 800-40 provides
excellent metrics
PREDICTABLE AND REPEATABLE RESULTS - METRICS
Host Susceptibility to Attack: Number of patches, vulnerabilities, or network services per computer
Vulnerability Mitigation Response Time: Response time for vulnerability identification, patch application, or configuration change
VM Program Cost: Cost of Vulnerability Management group, support, or tools
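The first two metric families above can be computed directly from scan data, and doing so also serves the Test step of the lifecycle, since "remediated" is established by rescanning. The following is an added example, not code from the talk or from NIST: two constructed scan snapshots (baseline and rescan) are keyed by host and finding, a finding counts as remediated when it is present in the baseline and absent from the rescan, and response time is measured from first sighting to the scan that confirmed the fix. The one caveat a practitioner should insist on is built in: absence only proves remediation when both scans covered the same hosts with the same credentials, so the comparison refuses to run across differing scopes.

```python
"""Compute host susceptibility and mitigation response time from scan snapshots.

Added example (not from the original talk or NIST SP 800-40). Snapshots are
constructed: {(host, plugin): first_seen_date}. A finding is treated as closed
when it appears in the baseline and not in the rescan, which is only a valid
inference when both scans had identical scope; the code enforces that.
"""
from datetime import date
from statistics import mean
from typing import Dict, Optional, Set, Tuple

Finding = Tuple[str, str]  # (host, plugin)

# Constructed baseline scan.
BASELINE: Dict[Finding, date] = {
    ("10.10.0.5", "OpenSSH < 9.x"): date(2013, 3, 1),
    ("10.10.0.5", "TLS 1.0 enabled"): date(2013, 3, 1),
    ("10.10.0.9", "OpenSSH < 9.x"): date(2013, 3, 1),
    ("10.20.3.44", "Adobe Reader outdated"): date(2013, 2, 15),
}
# Constructed rescan four weeks later: SSH fixed on both hosts, one new finding.
RESCAN: Dict[Finding, date] = {
    ("10.10.0.5", "TLS 1.0 enabled"): date(2013, 3, 1),       # still open
    ("10.20.3.44", "Adobe Reader outdated"): date(2013, 2, 15),  # still open
    ("10.20.3.44", "Java outdated"): date(2013, 3, 29),        # new
}
RESCAN_DATE = date(2013, 3, 29)
# Hosts each scan actually reached; a clean host still appears here.
BASELINE_HOSTS: Set[str] = {"10.10.0.5", "10.10.0.9", "10.20.3.44"}
RESCAN_HOSTS: Set[str] = {"10.10.0.5", "10.10.0.9", "10.20.3.44"}


def vulns_per_host(snapshot: Dict[Finding, date], hosts: Set[str]) -> Dict[str, int]:
    """Host susceptibility: open findings per scanned host, clean hosts counted as 0."""
    counts = {h: 0 for h in hosts}
    for host, _plugin in snapshot:
        counts[host] = counts.get(host, 0) + 1
    return counts


def remediated(baseline: Dict[Finding, date], rescan: Dict[Finding, date],
               baseline_hosts: Set[str], rescan_hosts: Set[str]) -> Set[Finding]:
    """Findings closed between the two scans.

    Refuses to compare scans of different scope: a host that simply was not
    reached by the rescan would otherwise look fully remediated.
    """
    if baseline_hosts != rescan_hosts:
        raise ValueError("scan scopes differ; absence would not prove remediation")
    return set(baseline) - set(rescan)


def mitigation_response_days(baseline: Dict[Finding, date], rescan: Dict[Finding, date],
                             rescan_date: date, baseline_hosts: Set[str],
                             rescan_hosts: Set[str]) -> Dict[str, Optional[float]]:
    """Mitigation response time: days from first sighting to the confirming rescan."""
    closed = remediated(baseline, rescan, baseline_hosts, rescan_hosts)
    days = [(rescan_date - baseline[f]).days for f in closed]
    return {
        "closed": len(closed),
        "mean_days": mean(days) if days else None,
        "max_days": max(days) if days else None,
    }


if __name__ == "__main__":
    print("open findings per host:", vulns_per_host(RESCAN, RESCAN_HOSTS))
    print("response time:", mitigation_response_days(
        BASELINE, RESCAN, RESCAN_DATE, BASELINE_HOSTS, RESCAN_HOSTS))
```

Tracking these two numbers scan over scan is what makes the "predictable results" slide measurable: the per-host count should trend down or hold flat as new assets enter with secure configurations, and response time should converge on the patch window the program committed to.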
VULNERABILITY METRICS
[Charts: vulnerability metrics from NIST SP 800-40; axis labels 3 minimum, 8 maximum]
CONCLUSION
Approach VM as a continuous lifecycle
Move beyond minimum standards to enhance
visibility and insight into the current state of
security
Clear objectives and a proper approach are
fundamental to VM