VULNERABILITY MANAGEMENT
Moving Away from the Compliance Checkbox Towards Continuous Discovery
WHO AM I?
Derek Thomas
Security Consultant: VM, SSO/AM, SIEM
Active in local INFOSEC groups: Misec, OWASP, ISSA
AGENDA
1. Common Problems
2. What are Vulnerabilities
3. Objectives of Vulnerability Management
4. Program Approach
5. Questions
PROBLEMS - COMMON THEMES
• Limited Scope
• External Network Centric
• Unauthenticated Scans
• Infrequent Assessments
• Compliance Driven
THREATS ARE EVERYWHERE
• Insider
• Environmental
• Target
• Mobile Devices
• Malware
• Hacktivist
• Improper Configs
MINIMUM STANDARDS
Regulations are setting the standard
Example: NERC CIP requires R8. Cyber Vulnerability Assessment
“A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled”
A simple network command like “Netstat” would satisfy this generic requirement
http://www.nerc.com/files/CIP-007-1.pdf
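What that netstat review looks like once it is automated and compared against a baseline of required services, which is where the insight comes from. This is an added illustration, not from the talk; it assumes a constructed `netstat -tuln` sample and a hypothetical allowlist of required ports for one asset.

```python
# Constructed sample in the format of Linux `netstat -tuln` output (not taken from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:502             0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Hypothetical baseline: the ports/services required for this asset's operation.
REQUIRED_LISTENERS = {("tcp", 22), ("tcp", 502), ("udp", 123)}


def parse_listeners(netstat_output):
    """Return the set of (proto, port) pairs that are listening, from netstat -tuln text."""
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header lines and anything that is not a socket row
        proto = fields[0].rstrip("6")              # fold tcp6/udp6 into tcp/udp
        port = int(fields[3].rsplit(":", 1)[1])    # handles 0.0.0.0:22 and :::443
        # TCP rows must be in LISTEN state; UDP is connectionless and shows no state.
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        listeners.add((proto, port))
    return listeners


def review_ports(netstat_output, required):
    """Compare observed listeners with the baseline of required ports/services."""
    observed = parse_listeners(netstat_output)
    return {
        "unexpected": sorted(observed - required),  # enabled but not required: a finding
        "missing": sorted(required - observed),     # required but not enabled: availability issue
    }


if __name__ == "__main__":
    for kind, ports in review_ports(SAMPLE_NETSTAT, REQUIRED_LISTENERS).items():
        print(kind, ports)
```

Running the review on every scan interval and diffing the "unexpected" list against the previous run turns a one-off compliance check into continuous discovery of new services.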
MINIMUM STANDARDS = LIMITED INSIGHT
When your goal is meeting a minimum standard, you run the risk of missing valuable insight into the security posture of many aspects of your organization
LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES
Patch Management: Outdated software exists on newer assets and on assets not on the domain.
Change Management: Ineffective change management allows rogue servers to appear on the network.
Security Monitoring: Detection is slow, tedious, or non-existent because there is an overabundance of false positives.
Incident Response: A data breach has led to costly damages.
PATH TO THE DARKSIDE
From the Lightside to the Darkside:
Minimum Requirements
Minimal Insight
Vulnerabilities
Exploits
Suffering
AVOID THE DARK SIDE WITH A VM PROGRAM
Follow a defined lifecycle
Proactively identify vulnerabilities
Technical process
Evaluate effectiveness with testing
NON-TECHNICAL VULNERABILITIES
What’s the first thing that comes to your mind when you think of a vulnerability?
Outdated software and insecure configurations are often the answer
Non-technical vulnerabilities exist in security processes as well
Understanding how each can be addressed is the key to a successful program
THE “WHAT”
Confidentiality
Integrity
Availability
THE “HOW”
Security controls can fall into 3 categories:
Prevention
Detection
Correction
THE “WHY” (AVOID THE DARKSIDE)
Incident Reduction
Risk Reduction
Minimize threat vectors
Risk Reporting
Tracking
VM PROGRAM APPROACH
Define a Plan
• Assign Responsibilities
• Define Scope
• Define Critical Controls
Utilize a Sustainable Lifecycle
Strive for Predictable and Repeatable Results
DEFINE A PLAN - RESPONSIBILITIES
• Assign roles and responsibilities
• Who is responsible for what
• Most roles are already suited for a particular person
Example roles:
VM Project Lead: Jane Doe
• Manages VM team
• Coordinates remediation
Red Team: John Doe
• Penetration Testing
• Vulnerability Management
Patch Management Lead: Jenny Smith
• Patch Engineer
DEFINE A PLAN - SCOPE
What is going to be managed?
Start with discovery scans
Incorporate as many assets as possible
Security controls should be added as well
Classify assets as In Scope or Out of Scope (examples: Critical Servers, Medical Devices, Firewall X, Application Y)
DEFINE A PLAN - CRITICAL CONTROLS
Vulnerabilities exist in controls
What controls should be added?
SANS Top 20 Critical Controls
SUSTAINABLE LIFECYCLE
Find → Fix → Test (and repeat)
1. Find: Proactively search for weaknesses within the scope
2. Fix: Remediate known vulnerabilities
3. Test: Verify vulnerabilities have been remediated
SUSTAINABLE LIFECYCLE - FIND
How are vulnerabilities found? 2 basic approaches:
Automated: Many tasks can be automated
(Semi)Manual: Manual assessments still need to be performed
SUSTAINABLE LIFECYCLE – FIND AUTOMATED
Automated tool performs the heavy lifting
The most famous is the vulnerability scanner
7 out of 20 SANS Critical Controls can be automated in some way with a vulnerability tool
Another 8 can be automated using additional tools
Automate as much as possible to save time for the fun
SUSTAINABLE LIFECYCLE – FIND MANUAL
Remaining security controls can be manually tested
Controls can be tested through various Red Team exercises
The Red Team simulates attacks from a malicious party
Examples of what gets exercised: Incident Detection, Incident Response, People
SUSTAINABLE LIFECYCLE - FIX
How are vulnerabilities going to be fixed?
Present data in actionable form: a 6000 page .pdf is not very actionable
Generate patch reports for the patch management team
Reports filtered for server IPs can be sent to the server team
SUSTAINABLE LIFECYCLE - FIX
Easier said than done
Use built-in tools if possible
Need buy-in from the application, system, and network teams
Without buy-in remediation becomes difficult
SUSTAINABLE LIFECYCLE - TEST
Verification of remediation efforts
Verify that patches have been applied
Ideally right after application
Can also be performed at the next scan interval
PREDICTABLE AND REPEATABLE RESULTS
Once the program has reached a mature level the results shouldn’t be surprising
The processes will mature to the point that you can accurately predict the outcomes:
Patches will be applied on time
Malware will be detected and cleaned
Assets will be introduced with secure configurations
PREDICTABLE AND REPEATABLE RESULTS - METRICS
Vulnerability Management needs to be assessed
Metrics can gauge your improvement
NIST SP 800-40 provides excellent metrics
PREDICTABLE AND REPEATABLE RESULTS - METRICS
Host Susceptibility to Attack: Number of patches, vulnerabilities, or network services per computer
Vulnerability Mitigation Response Time: Response time for vulnerability identification, patch application, or configuration change
VM Program Cost: Cost of the Vulnerability Management group, support, or tools
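The FIX slide's per-team filtered reports and the first two NIST SP 800-40 metrics above, computed from the same scan data. This is an added example, not from the talk or from NIST; the findings, vulnerability ids (placeholders, not real CVEs) and the team-to-subnet mapping are constructed.

```python
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed scan findings (not real data); "fixed" is None while the finding is still open.
FINDINGS = [
    {"host": "10.1.0.5",  "vuln": "VULN-PLACEHOLDER-1", "severity": "high",   "found": date(2014, 3, 1), "fixed": date(2014, 3, 8)},
    {"host": "10.1.0.5",  "vuln": "VULN-PLACEHOLDER-2", "severity": "medium", "found": date(2014, 3, 1), "fixed": None},
    {"host": "10.1.0.9",  "vuln": "VULN-PLACEHOLDER-1", "severity": "high",   "found": date(2014, 3, 1), "fixed": date(2014, 3, 4)},
    {"host": "10.2.0.20", "vuln": "VULN-PLACEHOLDER-3", "severity": "low",    "found": date(2014, 3, 2), "fixed": date(2014, 3, 28)},
    {"host": "10.2.0.21", "vuln": "VULN-PLACEHOLDER-1", "severity": "high",   "found": date(2014, 3, 2), "fixed": None},
]

# Hypothetical mapping of address ranges to the team that remediates them.
TEAM_SUBNETS = {
    "server team": ip_network("10.1.0.0/24"),
    "network team": ip_network("10.2.0.0/24"),
}


def report_for_team(findings, team, subnets=TEAM_SUBNETS):
    """The actionable slice: open findings on hosts inside the team's subnet."""
    net = subnets[team]
    return [f for f in findings if ip_address(f["host"]) in net and f["fixed"] is None]


def host_susceptibility(findings):
    """Host Susceptibility to Attack: average number of open vulnerabilities per scanned host."""
    hosts = {f["host"] for f in findings}
    open_count = sum(1 for f in findings if f["fixed"] is None)
    return open_count / len(hosts)


def mitigation_response_days(findings):
    """Vulnerability Mitigation Response Time: mean days from identification to remediation."""
    durations = [(f["fixed"] - f["found"]).days for f in findings if f["fixed"] is not None]
    return mean(durations) if durations else None


if __name__ == "__main__":
    for team in TEAM_SUBNETS:
        print(team, [(f["host"], f["vuln"]) for f in report_for_team(FINDINGS, team)])
    print("open vulns per host:", host_susceptibility(FINDINGS))
    print("mean days to fix:", mitigation_response_days(FINDINGS))
```

Tracking both metrics per scan interval gives the trend line the talk asks for: susceptibility should fall and response time should shorten as the program matures.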
VULNERABILITY METRICS (NIST SP 800-40)
[Chart from NIST SP 800-40]
VULNERABILITY METRICS (NIST SP 800-40)
[Chart from NIST SP 800-40: 3 minimum, 8 maximum]
CONCLUSION
Approach VM as a continuous lifecycle
Move beyond minimum standards to enhance visibility and insight into the current state of security
Clear objectives and a proper approach are fundamental to VM