Date posted: 14-Dec-2014
Category: Technology
Uploaded by: alienvault
Agenda
• Vulnerability scans
• Vulnerability scores
• Vulnerability remediation
• Threat intelligence
• USM demo
• Q&A
Unified Security Management
Threat Detection • Incident Response • Policy Compliance
About AlienVault
Vulnerabilities by Vendor – 2013
Yeah, It’s Bad
Source: http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/
But It’s Always Been Bad
Source: Symantec Internet Security Threat Report - 2013
Nothing Goes Away…Ever
Source: Symantec Internet Security Threat Report - 2013
The Need for Vulnerability Management
Too many compromises due to:
• Unknown systems
• Unknown data
• Unpatched vulnerabilities
Need a process to determine what to patch, work around, or live with
Vulnerability Management Lifecycle
Assess
Prioritize
Remediate
Mitigate
Monitor
Poll #1
How many of you have an active Vulnerability Management program?
• Yes
• No
• Don’t Know
Poll #2
For those who said No, what is keeping you from deploying a Vulnerability Management program?
• Tools
• Staff time
• Staff training
• I’m protected by UTM / NGFW / IPS / Advanced Antimalware …
• Don’t know
Detection is the New Black
“There's a trend underway in the information security field to shift from a prevention mentality to a focus on rapid detection”
“Your detection & response capabilities are more important than blocking & prevention”
Assessment Scans
• Passive/Continuous: Monitors network traffic
• Active: Sends data to devices to generate a response
• Credential: Logs on to individual systems
• Agent: Dedicated agent installed on a subset of devices
A combination of techniques is ideal
Benefits: Visibility, Asset Values, Grouping
Vulnerability Prioritization
CVSS: Common Vulnerability Scoring System
• Base Metric Score from 0-10
  - 7.0 - 10.0 = High
  - 4.0 - 6.9 = Medium
  - 0 - 3.9 = Low
  - Average = 6.8
Sources: www.first.org/cvss www.cvedetails.com
Prioritizing Remediation & Mitigation
Understanding the Context
• Other software installed on these systems?
• What systems communicate with these systems?
• What traffic do these vulnerable hosts generate?
• Are these systems targeted by malicious hosts?
• Have these systems generated any alarms previously?
• Is there a patch or workaround available?
Threat Correlation & Intelligence
Correlation is Essential
• Correlate asset information with vulnerability data and threat data
• Correlate IDS alarms with vulnerabilities
  - Is the host being attacked actually vulnerable to the exploit attempt?
Threat Intelligence
• Threat landscape is constantly changing
• Tools need to keep pace
Risk = Assets x Vulnerabilities x Threats
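As an added illustration (not AlienVault or USM code) of correlating IDS alarms with scan results and weighting by asset value, the following script ranks findings using the Risk = Assets x Vulnerabilities x Threats idea from the slide; the hosts, placeholder CVE ids, asset-value scale and the threat weight are constructed assumptions.

```python
"""Correlate scan findings with asset values and IDS alarms to rank remediation.

Added illustration of the slides' "Risk = Assets x Vulnerabilities x Threats";
not AlienVault/USM code. Hosts, CVE ids, asset values and the threat weight are
constructed placeholders for this example.
"""
from collections import defaultdict

# Constructed sample data (placeholder hosts and CVE ids, not real findings).
ASSET_VALUES = {"10.0.0.5": 5, "10.0.0.9": 2, "10.0.0.12": 3}  # 1 (low) .. 5 (critical)
SCAN_RESULTS = [  # (host, CVE id, CVSS base score) as reported by the scanner
    ("10.0.0.5", "CVE-0000-0001", 9.8),
    ("10.0.0.5", "CVE-0000-0002", 5.0),
    ("10.0.0.9", "CVE-0000-0001", 9.8),
    ("10.0.0.12", "CVE-0000-0003", 3.1),
]
IDS_ALARMS = [  # (target host, CVE the IDS signature maps to)
    ("10.0.0.9", "CVE-0000-0001"),   # host is vulnerable: real risk
    ("10.0.0.12", "CVE-0000-0001"),  # host not vulnerable: low-value alarm
]

def cvss_band(score):
    """Map a CVSS base score to the High/Medium/Low bands from the slide."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

def correlate(assets=ASSET_VALUES, scan=SCAN_RESULTS, alarms=IDS_ALARMS, attacked_weight=3):
    """Return findings sorted by risk, highest first.

    risk = asset value x CVSS score x threat factor; the (assumed) threat weight
    applies only when an alarm targets a host the scan shows is vulnerable to that CVE.
    """
    vulnerable = {(h, c) for h, c, _ in scan}
    attacked = defaultdict(set)  # host -> CVEs under attack that it really has
    for host, cve in alarms:
        if (host, cve) in vulnerable:
            attacked[host].add(cve)
    items = []
    for host, cve, score in scan:
        threat = attacked_weight if cve in attacked[host] else 1
        items.append({"host": host, "cve": cve, "band": cvss_band(score),
                      "risk": assets.get(host, 1) * score * threat})
    return sorted(items, key=lambda i: i["risk"], reverse=True)

def unmatched_alarms(scan=SCAN_RESULTS, alarms=IDS_ALARMS):
    """Alarms against hosts the scan does not show as vulnerable (likely noise)."""
    vulnerable = {(h, c) for h, c, _ in scan}
    return [a for a in alarms if a not in vulnerable]
```

With this data the low-value host under a matching attack outranks the critical asset with the same CVE but no alarm, which is the point of asking whether the attacked host is actually vulnerable.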
No Silver Bullet
Limitations of Vulnerability Management
• Can’t patch everything at once
• Patch ≠ No Compromise
  - Focused, patient attacker will get in
• BYOD = No patch
• Zero-day = No patch
• Do the names Edward Snowden or Bradley Manning ring a bell?
5 Tips
1. Think like an attacker
   • They may not be after your data
2. It all starts with the network
   • Regular network assessment scans are essential
3. Unify & automate security controls
   • You can’t keep up with the data
4. Use threat intelligence to prioritize remediation
   • Only way to keep up with changing landscape
5. Remember it is an ongoing process
   • It does not end with a checkbox
Our Approach
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
• Remediation Verification
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response
Threat Intelligence Powered by Open Collaboration
OTX + AlienVault Labs
USM Demo
Tom D’Aquino, VP Worldwide Systems Engineering