Effective Enterprise Vulnerability Management.
Minimizing Risk by Implementing Vulnerability Management Process
Samwel Orwa ITILv3, CISA, CISM, CRISC, QualysGuard Certified
After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter
Agenda
1. The Problem
2. What is Vulnerability Management?
3. Challenges to Effective VM
4. Vulnerability Management Lifecycle
5. Successful Approaches
The Problem
Organizations are Feeling the Pain
1. What causes the damage?
95% of breaches target known vulnerabilities
2. How do you prevent the damage? What are your options?
RISK = Assets × Vulnerabilities × Threats
You can control vulnerabilities.
3. How do you successfully deal with vulnerabilities?
• Vulnerabilities
• Business complexity
• Human resources
• Financial resources
4. How do you make the best security decisions?
Focus on the right assets, right threats, right measures.
Vulnerability Management – The Enterprise Today: Mountains of data, many stakeholders
How do you collect & protect all the data necessary to secure your network and comply with critical regulations?
Log sources:
• Router logs
• IDS/IDP logs
• VPN logs
• Firewall logs
• Switch logs
• Windows logs
• Client & file server logs
• Wireless access logs
• Windows domain logins
• Oracle Financial logs
• SAN file access logs
• VLAN access & control logs
• DHCP logs
• Linux, Unix, Windows OS logs
• Mainframe logs
• Database logs
• Web server activity logs
• Content management logs
• Web cache & proxy logs
• VA scan logs
Use cases:
• Unauthorized service detection
• IP leakage
• Configuration control / lockdown enforcement
• False positive reduction
• Access control enforcement / privileged user management
• Malicious code detection / spyware detection
• Real-time monitoring / troubleshooting
• User monitoring
• SLA monitoring
What is Vulnerability Management?
What Is Vulnerability Management?
A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.
Challenges to Effective VM
Challenges – Assessment
• Traditional desktop scanners cannot handle large networks
• Provide volumes of useless checks
• Confidentiality: scan data stored outside the organization's legal jurisdiction
• Chopping up scans and distributing them is cumbersome
• Garbage In, Garbage Out (GIGO) – volumes of superfluous data
• Coverage at all OSI layers is inadequate
• Time consuming and resource intensive
• Finding the problem is only half the battle
Challenges – Analysis
• Manual and resource-intensive process to determine
  – What to fix
  – If you should fix
  – When to fix
• No correlation between vulnerabilities, threats and assets
• No way to prioritize which vulnerabilities should be addressed, and in what order
• Stale data – making decisions on last quarter's vulnerabilities
• No credible metrics
Challenges – Remediation
• Security resources are often decentralized
• The security organization often doesn’t own the network or system
• Multiple groups may own the asset
• Presenting useful and meaningful information to relevant stakeholders
• Determining if the fix was actually made
Vulnerability Management Lifecycle
Vulnerability Management Lifecycle (diagram)
Successful Approaches: Implementing an Effective VM Strategy
Network Discovery – Mapping
• Gives a hacker's-eye view of your network
• Enables the detection of rogue devices (Shadow IT)
Vulnerability Management Lifecycle
1. DISCOVERY (Mapping)
2. ASSET PRIORITISATION (and allocation)
3. ASSESSMENT (Scanning)
4. REPORTING (Technical and Executive)
5. REMEDIATION (Treating Risks)
6. VERIFICATION (Rescanning)
Question
1) What is the primary goal of vulnerability assessment?
a. To determine the likelihood of identified risk
b. To assess the criticality of information resources
c. To verify that controls are working as intended
d. To detect known deficiencies in a particular environment
Prioritize Assets
Asset Prioritization
• Identify assets by:
  – Networks
    • Logical groupings of devices
    • Connectivity – none, LAN, broadband, wireless
  – Network devices
    • Wireless access points, routers, switches
  – Operating system
    • Windows, Unix
  – Applications
    • IIS, Apache, SQL Server
  – Versions
    • IIS 5.0, Apache 1.3.12, SQL Server V.7
Correlate Threats
Correlate Threats
• Not all threat and vulnerability data have equal priority
• Primary goal is to rapidly protect your most critical assets
• Identify threats
  – Worms
  – Exploits
  – Wide-scale attacks
  – New vulnerabilities
• Correlate with your most critical assets
• Result = prioritization of vulnerabilities within your environment
Determine Risk Level
Remediation
Remediation / Resolution
• Perfection is unrealistic (zero vulnerabilities)
  – Think credit card fraud – will the banks ever eliminate credit card fraud?
• You have limited resources to address issues
• The question becomes:
  – Do I address or not?
• Factor in the business impact costs + remediation costs
  – If the risk outweighs the cost – eliminate or mitigate the vulnerability!
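As an added illustration of the lifecycle steps on the preceding slides (asset prioritisation, threat correlation, the eliminate / mitigate / tolerate decision, and verification by rescanning), not code from the seminar or from QualysGuard: a small Python model of RISK = Assets × Vulnerabilities × Threats. All assets, findings, costs and the scoring weights are constructed assumptions; the vulnerability identifiers are placeholders, not real advisories.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str       # host name from the scan (constructed)
    vuln_id: str     # placeholder identifier, not a real advisory
    severity: int    # scanner severity, 1 (info) to 5 (urgent)
    fix_cost: float  # estimated remediation cost in CHF (constructed)

# Step 2, asset prioritisation: criticality 1 (kiosk) to 5 (crown jewel)
ASSET_CRITICALITY = {"erp-db01": 5, "web01": 4, "kiosk07": 1}
# Business impact if the asset is compromised (constructed, CHF)
ASSET_IMPACT = {"erp-db01": 500_000, "web01": 100_000, "kiosk07": 2_000}
# Threat correlation: weight 3 when a worm or public exploit is active,
# 1 when the issue is only theoretical (assumed weights)
THREAT_WEIGHT = {"VULN-0001": 3, "VULN-0002": 1, "VULN-0003": 3}

# Constructed output of step 3 (assessment scan)
SCAN_1 = [
    Finding("web01", "VULN-0002", 3, 5_000),
    Finding("kiosk07", "VULN-0003", 5, 3_000),
    Finding("erp-db01", "VULN-0001", 5, 20_000),
]
MAX_SCORE = 5 * 5 * 3  # used to turn a score into a crude likelihood

def risk_score(f: Finding) -> int:
    """RISK = Assets x Vulnerabilities x Threats, per the seminar's formula."""
    return ASSET_CRITICALITY[f.asset] * f.severity * THREAT_WEIGHT.get(f.vuln_id, 1)

def prioritise(findings):
    """Most critical asset with the most active threat comes first."""
    return sorted(findings, key=risk_score, reverse=True)

def treatment(f: Finding) -> str:
    """Eliminate, mitigate or tolerate: a finding is worth treating only
    when the expected loss exceeds what the fix costs (assumed rule)."""
    expected_loss = ASSET_IMPACT[f.asset] * risk_score(f) / MAX_SCORE
    if expected_loss <= f.fix_cost:
        return "tolerate"
    return "eliminate" if f.severity >= 4 else "mitigate"

def verify(before, after):
    """Step 6, rescan: findings from the previous scan that are now gone."""
    still_open = {(f.asset, f.vuln_id) for f in after}
    return [f for f in before if (f.asset, f.vuln_id) not in still_open]

if __name__ == "__main__":
    for f in prioritise(SCAN_1):
        print(f"{f.asset:9} {f.vuln_id} score={risk_score(f):3} -> {treatment(f)}")
```

The kiosk finding scores as urgent on the scanner but is tolerated because the asset's impact is below the fix cost, which is the point of correlating threats with asset criticality rather than fixing by raw severity.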
Measure
• Current state of security metrics
  – You can't manage what you can't measure
  – No focus on quantifying "Security"
• What is my real risk?
  – Only a relative scale of risk, not an absolute
  – Return on Security Investment (ROSI) is extremely difficult to calculate
  – No accountability in security
Scanner Appliance Architecture
QualysGuard – Global Cloud Architecture