Vulnerability Management

Post on 25-Feb-2016

description

Vulnerability Management. Moving Away from the Compliance Checkbox Towards Continuous Discovery. Derek Thomas, Security Consultant (VM, SSO/AM, SIEM), active in local INFOSEC groups: Misec, OWASP, ISSA. Who am I? Agenda. 1. Common Problems. 2. What are Vulnerabilities. 3. - PowerPoint PPT Presentation

transcript

VULNERABILITY MANAGEMENT

Moving Away from the Compliance Checkbox Towards Continuous Discovery

WHO AM I?

Derek Thomas, Security Consultant: VM, SSO/AM, SIEM. Active in local INFOSEC groups: Misec, OWASP, ISSA

AGENDA

1. Common Problems
2. What are Vulnerabilities
3. Objectives of Vulnerability Management
4. Program Approach
5. Questions

PROBLEMS - COMMON THEMES

• Limited Scope
• External Network Centric
• Unauthenticated Scans
• Infrequent Assessments
• Compliance Driven

THREATS ARE EVERYWHERE

• Insider
• Environmental
• Target
• Mobile Devices
• Malware
• Hacktivist
• Improper Configs

MINIMUM STANDARDS

Regulations are setting the standard. Example: NERC CIP (CIP-007) requires R8, Cyber Vulnerability Assessment:

“A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled”

A simple network command like “netstat” would satisfy this generic requirement.

http://www.nerc.com/files/CIP-007-1.pdf
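The point of the slide is that running netstat by hand meets the letter of the requirement but tells you little. As an added example (not part of the deck), the Python below goes one step further: it parses netstat-style output and diffs the listening sockets against an approved baseline for the asset, which is the evidence an R8-style review actually needs and what a scanner's port audit does at scale. The sample netstat output and the approved port set are constructed for illustration.

```python
"""Compare listening ports from netstat-style output against an approved baseline.

Added example; the sample output and the baseline below are constructed, not real host data.
"""
import re

# Constructed sample of `netstat -tuln` style output.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Hypothetical approved baseline for this asset: (protocol, port) pairs that are
# required for operation. Anything else listening is a deviation to investigate.
APPROVED = {("tcp", 22), ("tcp", 443), ("udp", 161)}

# proto, recv-q, send-q, local addr:port, foreign addr, optional state (UDP has none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def parse_listeners(text):
    """Return a set of (proto, port, bind_addr) for TCP sockets in LISTEN and all UDP sockets."""
    listeners = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        proto, addr, port, state = m.groups()
        proto = proto.rstrip("6")  # treat tcp6/udp6 the same as tcp/udp
        if proto == "tcp" and state != "LISTEN":
            continue  # established/time-wait sockets are not services
        listeners.add((proto, int(port), addr))
    return listeners


def find_deviations(listeners, approved):
    """Return listeners whose (proto, port) is not in the approved baseline, sorted for stable reports."""
    return sorted(l for l in listeners if (l[0], l[1]) not in approved)


def is_loopback_only(addr):
    """True when the socket is bound only to a loopback address (still reported, lower exposure)."""
    return addr in ("127.0.0.1", "::1")


if __name__ == "__main__":
    for proto, port, addr in find_deviations(parse_listeners(SAMPLE_NETSTAT), APPROVED):
        exposure = "loopback only" if is_loopback_only(addr) else "network reachable"
        print(f"UNAPPROVED {proto}/{port} bound to {addr} ({exposure})")
```

Run against the constructed sample this flags tcp/5432 (loopback only) and tcp/8080 (reachable); the approved ports, including the IPv6 listener on 443, pass. Loopback-bound services are still reported because the requirement is about what is enabled, not only what is reachable from outside.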

MINIMUM STANDARDS = LIMITED INSIGHT

When your goal is meeting a minimum standard, you run the risk of missing valuable insight into the security posture of many aspects of your organization.

LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES

Patch Management: Outdated software exists on newer assets and on assets not on the domain.

Change Management: Ineffective change management allows rogue servers to appear on the network.

Security Monitoring: Detection is slow, tedious, or non-existent because there is an overabundance of false positives.

Incident Response: A data breach has led to costly damages.

PATH TO THE DARKSIDE

Lightside → Darkside:

Minimum Requirements → Minimal Insight → Vulnerabilities → Exploits → Suffering

AVOID THE DARK SIDE WITH A VM PROGRAM

• Follow a defined lifecycle
• Proactively identify vulnerabilities
• Technical process
• Evaluate effectiveness with testing

NON-TECHNICAL VULNERABILITIES

What’s the first thing that comes to your mind when you think of a vulnerability? Outdated software and insecure configurations are often the answer. Non-technical vulnerabilities exist in security processes as well. Understanding how each can be addressed is the key to a successful program.

THE “WHAT”

Confidentiality, Integrity, Availability

THE “HOW”

Security controls can fall into 3 categories: Prevention, Detection, Correction

THE “WHY” (AVOID THE DARKSIDE)

• Incident Reduction
• Risk Reduction
• Minimize threat vectors
• Risk Reporting
• Tracking

Brian Clippard
I changed Eliminate to minimize; you could also use mitigate. I would stay away from absolutes unless it is possible. I would also add something on how VM supports asset prioritization, risk reporting and tracking as well to increase security efficiency.

VM PROGRAM APPROACH

Define a Plan
• Assign Responsibilities
• Define Scope
• Define Critical Controls

Utilize a Sustainable Lifecycle

Strive for Predictable and Repeatable Results

DEFINE A PLAN - RESPONSIBILITIES

• Assign roles and responsibilities: who is responsible for what
• Most roles are already suited for a particular person

Example org chart:

VM Project Lead - Jane Doe
• Manages VM team
• Coordinates remediation

Patch Management Lead - Jenny Smith
• Patch Engineer

Red Team - John Doe
• Penetration Testing
• Vulnerability Management

DEFINE A PLAN - SCOPE

What is going to be managed?
• Start with discovery scans
• Incorporate as many assets as possible
• Security controls should be added as well

Example scope table (In Scope / Out of Scope) listing: Critical Servers, Medical Devices, Firewall X, Application Y

DEFINE A PLAN - CRITICAL CONTROLS

• Vulnerabilities exist in controls
• What controls should be added?
• SANS Top 20 Critical Controls

SUSTAINABLE LIFECYCLE

Find → Fix → Test (and repeat)

1. Find: Proactively search for weaknesses within the scope
2. Fix: Remediate known vulnerabilities
3. Test: Verify vulnerabilities have been remediated

SUSTAINABLE LIFECYCLE - FIND

How are vulnerabilities found? 2 basic approaches: Automated and (Semi)Manual

• Many tasks can be automated
• Manual assessments still need to be performed

SUSTAINABLE LIFECYCLE – FIND AUTOMATED

• Automated tool performs the heavy lifting
• The most famous is the vulnerability scanner
• 7 out of 20 SANS Critical Controls can be automated in some way with a vulnerability tool
• Another 8 can be automated using additional tools
• Automate as much as possible to save time for the fun

SUSTAINABLE LIFECYCLE – FIND MANUAL

• Remaining security controls can be manually tested
• Controls can be tested through various Red Team exercises
• The Red Team simulates attacks from a malicious party

Areas exercised: Incident Detection, Incident Response, People

SUSTAINABLE LIFECYCLE - FIX

How are vulnerabilities going to be fixed?
• Present data in actionable form: a 6000 page .pdf is not very actionable
• Generate patch reports for the patch management team
• Reports filtered for server IPs can be sent to the server team

SUSTAINABLE LIFECYCLE - FIX

• Easier said than done
• Use built-in tools if possible
• Need buy-in from the application, system, and network teams
• Without buy-in, remediation becomes difficult

SUSTAINABLE LIFECYCLE - TEST

• Verification of remediation efforts
• Verify that patches have been applied, ideally right after application
• Can also be performed at the next scan interval

PREDICTABLE AND REPEATABLE RESULTS

Once the program has reached a mature level, the results shouldn’t be surprising. The processes will mature to the point that you can accurately predict the outcomes:
• Patches will be applied on time
• Malware will be detected and cleaned
• Assets will be introduced with secure configurations

PREDICTABLE AND REPEATABLE RESULTS - METRICS

• Vulnerability Management needs to be assessed
• Metrics can gauge your improvement
• NIST SP 800-40 provides excellent metrics

[Chart: 55%]

PREDICTABLE AND REPEATABLE RESULTS - METRICS

• Host Susceptibility to Attack: number of patches, vulnerabilities, or network services per computer
• Vulnerability Mitigation Response Time: response time for vulnerability identification, patch application, or configuration change
• VM Program Cost: cost of the Vulnerability Management group, support, or tools
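The Fix slides ask for scan data in an actionable form (a report per owning team rather than one huge PDF), and the metrics slides ask for host susceptibility and mitigation response time in the NIST SP 800-40 sense. As an added example (not part of the deck), the Python below does both from one list of findings: it filters open findings down to the hosts a team owns, counts open vulnerabilities per host, measures discovery-to-fix time, and flags findings that have outlived a hypothetical per-severity SLA. The findings, the team ownership map and the SLA values are constructed for illustration.

```python
"""Per-team remediation reports and NIST SP 800-40 style metrics from scan findings.

Added example; FINDINGS, TEAM_HOSTS and SLA_DAYS are constructed, not real data.
"""
from collections import defaultdict
from datetime import date

# Constructed findings, roughly the fields a scanner export carries.
# "fixed" is None while the finding is still open.
FINDINGS = [
    {"host": "10.0.1.10", "plugin": "openssl-outdated", "severity": "high",
     "found": date(2016, 1, 4), "fixed": date(2016, 1, 14)},
    {"host": "10.0.1.10", "plugin": "ssh-weak-ciphers", "severity": "medium",
     "found": date(2016, 1, 4), "fixed": None},
    {"host": "10.0.1.11", "plugin": "openssl-outdated", "severity": "high",
     "found": date(2016, 1, 4), "fixed": date(2016, 1, 6)},
    {"host": "10.0.2.20", "plugin": "smb-signing-disabled", "severity": "medium",
     "found": date(2016, 1, 11), "fixed": date(2016, 2, 1)},
]

# Hypothetical ownership map: which team is responsible for which hosts.
TEAM_HOSTS = {
    "server-team": {"10.0.1.10", "10.0.1.11"},
    "network-team": {"10.0.2.20"},
}

# Hypothetical remediation SLA in days per severity.
SLA_DAYS = {"high": 7, "medium": 30}


def open_findings(findings):
    """Findings that have not been remediated yet."""
    return [f for f in findings if f["fixed"] is None]


def report_for_team(findings, team, team_hosts=TEAM_HOSTS):
    """Open findings for the hosts a team owns, grouped by host: the 'filtered by IP' report."""
    hosts = team_hosts[team]
    report = defaultdict(list)
    for f in open_findings(findings):
        if f["host"] in hosts:
            report[f["host"]].append(f["plugin"])
    return dict(report)


def host_susceptibility(findings):
    """Open vulnerabilities per host (the per-computer count NIST SP 800-40 calls host susceptibility)."""
    counts = defaultdict(int)
    for f in open_findings(findings):
        counts[f["host"]] += 1
    return dict(counts)


def mitigation_response_days(findings, severity=None):
    """Mean days from discovery to remediation over fixed findings, optionally for one severity."""
    durations = [
        (f["fixed"] - f["found"]).days
        for f in findings
        if f["fixed"] is not None and (severity is None or f["severity"] == severity)
    ]
    return sum(durations) / len(durations) if durations else None


def overdue(findings, as_of, sla_days=SLA_DAYS):
    """Open findings older than their severity's SLA on the given date, as (host, plugin, age_days)."""
    result = []
    for f in open_findings(findings):
        age = (as_of - f["found"]).days
        if age > sla_days[f["severity"]]:
            result.append((f["host"], f["plugin"], age))
    return result


if __name__ == "__main__":
    print("server-team report:", report_for_team(FINDINGS, "server-team"))
    print("open vulns per host:", host_susceptibility(FINDINGS))
    print("mean days to fix (high):", mitigation_response_days(FINDINGS, "high"))
    print("overdue as of 2016-02-15:", overdue(FINDINGS, date(2016, 2, 15)))
```

The response-time metric is split by severity on purpose: a single average across all severities hides a slow high-severity fix behind many quick low ones, and it is the high-severity number that shows whether the patch process is meeting its SLA.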

VULNERABILITY METRICS

[Chart from NIST SP 800-40]

VULNERABILITY METRICS

[Chart from NIST SP 800-40: 3 minimum, 8 maximum]

CONCLUSION

• Approach VM as a continuous lifecycle
• Move beyond minimum standards to enhance visibility and insight into the current state of security
• Clear objectives and a proper approach are fundamental to VM