Samwel Orwa ITILv3, CISA, CISM, CRISC, QualysGuard Certified After Hours Seminar, 26.6.2012,
Page 1: Samwel Orwa  ITILv3,  CISA,  CISM, CRISC,  QualysGuard  Certified After Hours Seminar, 26.6.2012,


Effective Enterprise Vulnerability Management.

Minimizing Risk by Implementing Vulnerability Management Process

Samwel Orwa ITILv3, CISA, CISM, CRISC, QualysGuard Certified

After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter

Page 2

Agenda

1. The Problem
2. What is Vulnerability Management?
3. Challenges to Effective VM
4. Vulnerability Management Lifecycle
5. Successful Approaches

Page 3

The Problem

Page 4

Organizations are Feeling the Pain

1. What causes the damage?
   95% of breaches target known vulnerabilities.

2. How do you prevent the damage? What are your options?
   RISK = Assets x Vulnerabilities x Threats
   You can control vulnerabilities.

3. How do you successfully deal with vulnerabilities?
   Constraints: vulnerabilities, business complexity, human resources, financial resources.

4. How do you make the best security decisions?
   Focus on the right assets, right threats, right measures.

Page 5: Samwel Orwa  ITILv3,  CISA,  CISM, CRISC,  QualysGuard  Certified After Hours Seminar, 26.6.2012,

5Vulnerability Management

The Enterprise TodayMountains of data, many

stakeholders

How do you collect & protect all the data necessary to secure your network and comply with critical regulations?

Router logs

IDS/IDP logs

VPN logs

Firewall logs

Switch logs

Windows logs

Client & file server logs

Wireless access

logs

Windows domain logins

Oracle Financial Logs

San File Access Logs

VLAN Access & Control logs

DHCP logs

Linux, Unix, Windows OS

logs

Mainframe logs

Database Logs

Web server activity logs

Content management logs

Web cache & proxy logs

VA Scan logs

UnauthorizedService Detection

IP Leakage

Configuration ControlLockdown enforcement

False Positive Reduction

Access Control EnforcementPrivileged User Management

Malicious Code DetectionSpyware detection

Real-Time MonitoringTroubleshooting

User Monitoring

SLA Monitoring

Page 6

What is Vulnerability Management?

Page 7

What Is Vulnerability Management?

A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.

Page 8

Challenges to Effective VM

Page 9

Challenges – Assessment

• Traditional desktop scanners cannot handle large networks
• Provide volumes of useless checks
• Confidentiality: storage of scan data outside the organization's legal residence
• Chopping up scans and distributing them is cumbersome
• Garbage In, Garbage Out (GIGO): volumes of superfluous data
• Coverage at all OSI layers is inadequate
• Time consuming and resource intensive
• Finding the problem is only half the battle

Page 10

Challenges – Analysis

• Manual and resource-intensive process to determine
  – What to fix
  – If you should fix
  – When to fix
• No correlation between vulnerabilities, threats and assets
• No way to prioritize which vulnerabilities should be addressed, and in what order
• Stale data: making decisions on last quarter's vulnerabilities
• No credible metrics

Page 11

Challenges – Remediation

• Security resources are often decentralized
• The security organization often doesn't own the network or system
• Multiple groups may own the asset
• Presenting useful and meaningful information to relevant stakeholders
• Determining if the fix was actually made

Page 12

Vulnerability Management Lifecycle

Page 13

Vulnerability Management Lifecycle

Page 14

Successful Approaches: Implementing An Effective VM Strategy

Page 15

Network Discovery – Mapping

• Gives a hacker's-eye view of your network
• Enables the detection of rogue devices (Shadow IT)

Page 16

Vulnerability Management Lifecycle

1. DISCOVERY (Mapping)
2. ASSET PRIORITISATION (and allocation)
3. ASSESSMENT (Scanning)
4. REPORTING (Technical and Executive)
5. REMEDIATION (Treating Risks)
6. VERIFICATION (Rescanning)

Page 17

Question

1) What is the primary goal of vulnerability assessment?

a. To determine the likelihood of identified risk
b. To assess the criticality of information resources
c. To verify that controls are working as intended
d. To detect known deficiencies in a particular environment

Page 18

Prioritize Assets

Page 19

Asset Prioritization

• Identify assets by:
  – Networks
    • Logical groupings of devices
    • Connectivity: none, LAN, broadband, wireless
  – Network Devices
    • Wireless access points, routers, switches
  – Operating System
    • Windows, Unix
  – Applications
    • IIS, Apache, SQL Server
  – Versions
    • IIS 5.0, Apache 1.3.12, SQL Server V.7

Page 20

Correlate Threats

Page 21

Correlate Threats

• Not all threat and vulnerability data have equal priority
• Primary goal is to rapidly protect your most critical assets
• Identify threats
  – Worms
  – Exploits
  – Wide-scale attacks
  – New vulnerabilities
• Correlate with your most critical assets
• Result = prioritization of vulnerabilities within your environment

Page 22

Determine Risk Level

Page 23

Remediation

Page 24

Remediation / Resolution

• Perfection is unrealistic (zero vulnerabilities)
  – Think credit card fraud: will the banks ever eliminate credit card fraud?
• You have limited resources to address issues
• The question becomes: do I address it or not?
• Factor in the business impact costs + remediation costs
  – If the risk outweighs the cost, eliminate or mitigate the vulnerability!
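The asset-weighted prioritization from slides 4 and 21 (RISK = Assets x Vulnerabilities x Threats, correlated with active threats) and the eliminate / mitigate / tolerate decision from slides 7 and 24, worked through in Python as an added example; this is not code from the presentation or from QualysGuard, and the asset names, finding identifiers, threat weights and the cost threshold are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (business-critical), set during asset prioritisation
    breach_impact: float  # estimated business impact cost of a compromise (currency units)

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # scanner identifier; the values below are constructed placeholders
    severity: int         # scanner severity 1..5
    active_threat: bool   # threat correlation: worm, public exploit or wide-scale attack observed
    fix_cost: float       # estimated remediation cost (currency units)

# Assumed threat factor: an actively exploited vulnerability is far more likely to be hit
THREAT_FACTOR = {True: 1.0, False: 0.1}
def risk_score(f: Finding, a: Asset) -> float:
    """RISK = Assets x Vulnerabilities x Threats, using the three factors from the slides."""
    return a.criticality * f.severity * THREAT_FACTOR[f.active_threat]

def prioritise(findings, assets):
    """Order findings so that critical assets facing active threats come first."""
    return sorted(findings, key=lambda f: risk_score(f, assets[f.asset]), reverse=True)

def decide(f: Finding, a: Asset) -> str:
    """Eliminate, mitigate or tolerate: fix only when expected loss outweighs the fix cost (25% split is assumed)."""
    expected_loss = a.breach_impact * THREAT_FACTOR[f.active_threat] * f.severity / 5
    if expected_loss <= f.fix_cost:
        return "tolerate"
    return "eliminate" if f.fix_cost <= 0.25 * expected_loss else "mitigate"

# Constructed sample inventory and scan results (not from the presentation)
ASSETS = {a.name: a for a in [
    Asset("erp-db", 5, 500_000.0),
    Asset("intranet-wiki", 2, 20_000.0),
    Asset("lab-vm", 1, 1_000.0),
]}
FINDINGS = [
    Finding("lab-vm", "QID-EXAMPLE-1", 5, True, 400.0),
    Finding("erp-db", "QID-EXAMPLE-2", 4, True, 40_000.0),
    Finding("intranet-wiki", "QID-EXAMPLE-3", 3, False, 5_000.0),
    Finding("erp-db", "QID-EXAMPLE-4", 2, False, 150_000.0),
]

def remediation_plan(findings=FINDINGS, assets=ASSETS):
    # Prioritised (asset, vuln_id, risk score, decision) rows for the technical report
    return [(f.asset, f.vuln_id, round(risk_score(f, assets[f.asset]), 2), decide(f, assets[f.asset]))
            for f in prioritise(findings, assets)]
```

Note how the severity-5 finding on the low-value lab VM ranks below the severity-4 finding on the ERP database: asset criticality and threat activity, not raw scanner severity, set the order.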

Page 25

Measure

Page 26

Measure

• Current state of security metrics
  – You can't manage what you can't measure
  – No focus on quantifying "Security"
• What is my real risk?
  – Only a relative scale of risk, not an absolute
  – Return on Security Investment (ROSI) is extremely difficult to calculate
  – No accountability in security

Page 27

Scanner Appliance Architecture

Page 28

QualysGuard – Global Cloud Architecture