Fast Track: Planning & Deploying an Effective Vulnerability Management Program
By Jonathan Bitle, Technical Director, Qualys, Inc.
Problems affecting implementation
There are 3 main categories of importance when planning an effective Vulnerability Management Program:
– Technology
– People
– Process
Technology: Solution Design
Design is the simple part of a production roll-out.
Technology: Appliances
Plan for the number of scanning appliances:
– The number of active hosts determines the number of appliances required
– The frequency of scans alters the requirements
Network topology can complicate the design:
– Firewalls / access control devices
– Low-speed bandwidth links
– Geographic and political boundaries
Technology: Gather Basic Information
IP addresses for each planned scanning appliance
Subnet Mask for each planned network interface
Hostname for each appliance
DNS information
Technology: Utilize the Technology
Take advantage of the automation capabilities of the technology to save time for more important tasks, such as remediation.
Schedule Scans
Develop alerts for severe risk issues
Automate report generation and distribution
People
People are the cornerstone of an effective security policy and risk reduction.
People: Know Your Target Audience
Make a list of key team members and know their needs. If possible, interview them to better understand how to streamline information.
CISO / CIO
– Ultimate owner of risk in the environment
– Signs off on regulatory compliance measures
– Needs high-level metrics (pass/fail?) to ensure risk reduction
Executive Staff
– Makes resource allocation decisions
– Needs trend information to understand the effectiveness of the security program
Directors / Managers
– Oversee system owners and help prioritize work efforts
– Need visibility into system owner performance
System Owners
– Own the systems and are responsible for remediation efforts
– Need detailed technical reports with prioritization
People: Know Your System Owners
Remediation will require significant resource allocation and time.
It is important to properly identify system owners:
– Enables automated host ownership reports
– By geographical region or business unit
– Based on operating system
– Based on applications
Streamline the information provided:
– Provide information to the owner; don't rely on them to find it
– Irrelevant information will create push-back
– A list of 1000 issues will rarely get fixed
– A list of 10 high-risk issues will get done immediately
People: Problems Will Occur
Expect that problems will occur and develop a strategy to deal with them.
Hosts or applications will have interoperability issues with the scans
– Work with vendors to identify the root cause
Team members may not meet performance goals
– Look into prioritization issues
Vendors may not have patches to resolve discovered issues
– Develop ways to mitigate risk (firewalls, port filtering, etc.)
Evangelize. Evangelize. Evangelize. It is imperative that numerous groups in the organization understand the importance of your vulnerability management program.
– System administrators must understand the importance of reducing risk, and how it ultimately affects system uptime
– Executive buy-in is required for effective risk reduction
Provide product demos and training sessions
People: Create a List of Stated Goals
Provide an accurate assessment of risk for each host and relative network segments
Facilitate a security assessment that leads to best practices with regard to remediation actions
Provide system administrators with the tools to optimize and validate remediation efforts
Provide a common language and metrics to discuss risk across the organization
Provide for prioritization of vulnerabilities and remediation efforts in the environment
Provide executive staff with risk metrics and measure adherence to corporate policies
Provide a feedback loop for current and future system policy
Provide constant monitoring and measurement of risk in the environment for adherence to regulatory compliance initiatives
Measure overall effectiveness of the security program
Provide automated workflow capabilities that reduce resource requirements
Protect the organization from successful exploit of vulnerabilities
People: Work Toward a Single Goal
The ultimate goal of our Vulnerability Management solution is to measure, manage and reduce risk in our environment.
Always work towards this main goal.
Process: Define Your Security Policy
Recognize that your security policy should fit the needs and goals of YOUR organization, and as such there is no one-size-fits-all solution. However, there are commonalities and guidelines that will help you define an effective policy.
Process: Heterogeneous Environment
Most environments are highly heterogeneous, creating numerous challenges.
Rarely a clear understanding of the types of hosts for each network segment
Multitude of host and application owners
Asset management systems are rarely kept up to date
Process: Define "In / Out of Scope"
What are the total networks in use?
– Is network information stored in an asset management system?
– Utilize the automated discovery process of the tool
Which networks should be excluded?
– Networks that should never be scanned, given the ramifications of an application interaction issue (i.e. process control systems like SCADA devices)
– Networks that have serious bandwidth constraints (defer these to a different phase?)
– Small subnets that do not contain hosts (i.e. router-to-router subnets; exclude all /29 and up?)
– Systems that are known to have application interaction issues that cannot be resolved
– Systems that are obstructed by access control devices
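The scope rules above are the kind of thing that should live in code rather than in a spreadsheet, so the exclusions are applied the same way every scan cycle. The following is an added example, not part of the original slides or any Qualys tooling: it sorts a constructed asset-management export into in-scope, deferred and excluded networks using the three rules the slide gives (never-scan networks such as process control, bandwidth-constrained networks deferred to a later phase, and /29-and-smaller subnets dropped as host-free links), and sums the in-scope address space as a first input to appliance sizing. The inventory, labels and constraint tags are constructed.

```python
# Added example (not from the original slides): sorting an inventory of
# networks into in-scope, deferred and excluded sets using the slide's
# rules.  The inventory, labels and constraint tags are constructed.
import ipaddress

# Constructed asset-management export: (network, description, constraint tag)
INVENTORY = [
    ("10.10.0.0/22", "corporate servers", None),
    ("10.20.0.0/24", "workstations", None),
    ("10.30.0.0/24", "plant floor SCADA", "process-control"),
    ("10.40.0.0/26", "remote office on a slow WAN link", "low-bandwidth"),
    ("192.168.250.0/30", "router-to-router link", None),
    ("192.168.250.4/30", "router-to-router link", None),
]

# Constraint tags that take a network out of scope entirely
NEVER_SCAN = {"process-control"}
# Constraint tags that push a network to a later deployment phase
DEFER = {"low-bandwidth"}
# Subnets this small (/29 and longer prefixes) are treated as host-free links
SMALLEST_HOST_PREFIX = 29


def classify_scope(inventory, smallest_host_prefix=SMALLEST_HOST_PREFIX):
    """Return (in_scope, deferred, excluded); the last two carry a reason."""
    in_scope, deferred, excluded = [], [], []
    for cidr, label, constraint in inventory:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        if constraint in NEVER_SCAN:
            excluded.append((cidr, f"{label}: never scan ({constraint})"))
        elif net.prefixlen >= smallest_host_prefix:
            excluded.append((cidr, f"{label}: /{net.prefixlen} holds no scannable hosts"))
        elif constraint in DEFER:
            deferred.append((cidr, f"{label}: {constraint}, later phase"))
        else:
            in_scope.append(cidr)
    return in_scope, deferred, excluded


def addresses_in_scope(in_scope):
    """Address count of the in-scope networks, a first input to appliance sizing."""
    return sum(ipaddress.ip_network(c).num_addresses for c in in_scope)


if __name__ == "__main__":
    ok, later, out = classify_scope(INVENTORY)
    print("in scope:", ok, "addresses:", addresses_in_scope(ok))
    for cidr, why in later:
        print("deferred:", cidr, why)
    for cidr, why in out:
        print("excluded:", cidr, why)
```

The never-scan check runs before the size check on purpose: a process-control network is excluded for its own reason and stays excluded even if someone later loosens the subnet-size threshold. Deferred networks keep their reason so the later phase knows why they were held back.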
Process:Classify Your Assets
We can get mired down in classification schemes,However it is more important to have some form ofclassification no matter how simple. Start with a simple classification system and adjust as necessary:
Critical Assets– Mission / business critical– Related to regulatory compliance
* PCI* Sarbanes Oxley* HIPAA* NERC / FERC
High– General server category
Medium– Workstations & Laptops
Low– Printers, etc
Process: Prioritization
You can't fix everything, so prioritization is key.
Critical (48 hours to resolve)
– High and Critical vulnerabilities on a Critical asset
High (one week to resolve)
– Medium vulnerability on a Critical asset
– High vulnerability on a High asset
Medium (one month to resolve)
– Low vulnerability on a Critical asset
– Medium vulnerability on a High asset
– High vulnerability on a Low asset
Low (6 months to resolve)
– Medium vulnerability on a Low asset
Process: Oversight & Accountability
Some organizations will have a mandate, possibly driven by external regulatory measures. However, many organizations do not start off in this way.
Bonus tied to remediation
– Most effective way to ensure compliance with the security policy
Remediation Managers
– Provide oversight of the risk reduction process
"Wall of Shame"
– Peer pressure can be effective!
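The prioritization matrix, the advice to hand each system owner a short high-risk list rather than a thousand-line dump, and the oversight slide above all come together in one piece of reporting logic. The following is an added example, not from the original slides or any vendor product: it encodes the slide's asset-class × vulnerability-severity matrix and its resolution windows, builds a capped, priority-ordered work list per owner, leaves any combination the matrix does not cover visibly unscheduled rather than guessing a window, and lists hosts whose window has passed so a remediation manager can follow up. The findings, owners and dates are constructed.

```python
# Added example (not from the original slides): the prioritization matrix
# turned into code, with per-owner work lists and an overdue check.  The
# findings, owners and dates are constructed.
from collections import defaultdict
from datetime import date, timedelta

# Remediation priority -> days allowed to resolve, as stated on the slide
SLA_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 180}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# (asset class, vulnerability severity) -> remediation priority.
# Only the combinations the slide lists; anything else is left unscheduled
# so the gap in the policy is visible rather than silently given a window.
MATRIX = {
    ("Critical", "Critical"): "Critical",
    ("Critical", "High"): "Critical",
    ("Critical", "Medium"): "High",
    ("High", "High"): "High",
    ("Critical", "Low"): "Medium",
    ("High", "Medium"): "Medium",
    ("Low", "High"): "Medium",
    ("Low", "Medium"): "Low",
}


def remediation_priority(asset_class, severity):
    """Priority from the matrix, or None when the policy does not cover the pair."""
    return MATRIX.get((asset_class, severity))


def due_date(priority, discovered):
    """Resolution deadline: discovery date plus the priority's window."""
    return discovered + timedelta(days=SLA_DAYS[priority])


# Constructed scan findings: host, owner, asset class, severity, discovery date
FINDINGS = [
    {"host": "db01", "owner": "dba-team", "asset": "Critical", "severity": "High", "found": date(2024, 1, 10)},
    {"host": "web01", "owner": "web-team", "asset": "High", "severity": "High", "found": date(2024, 1, 10)},
    {"host": "ws-0042", "owner": "desktop", "asset": "Medium", "severity": "High", "found": date(2024, 1, 10)},
    {"host": "printer-3", "owner": "facilities", "asset": "Low", "severity": "Medium", "found": date(2024, 1, 10)},
    {"host": "db01", "owner": "dba-team", "asset": "Critical", "severity": "Low", "found": date(2024, 1, 12)},
]


def owner_work_lists(findings, max_items=10):
    """Short, priority-ordered list per owner, plus findings the matrix does not cover."""
    lists, unscheduled = defaultdict(list), []
    for f in findings:
        pr = remediation_priority(f["asset"], f["severity"])
        if pr is None:
            unscheduled.append(f["host"])
            continue
        lists[f["owner"]].append(
            {"host": f["host"], "priority": pr, "due": due_date(pr, f["found"])}
        )
    for items in lists.values():
        items.sort(key=lambda i: (RANK[i["priority"]], i["due"]))
        del items[max_items:]  # a 10-item list gets done; a 1000-item list does not
    return dict(lists), unscheduled


def overdue(work_lists, today_iso):
    """Hosts whose resolution window has passed as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return sorted(i["host"] for items in work_lists.values() for i in items if i["due"] < today)


if __name__ == "__main__":
    lists, unscheduled = owner_work_lists(FINDINGS)
    for owner, items in lists.items():
        print(owner)
        for i in items:
            print(f"  {i['priority']:8} {i['host']:10} due {i['due']}")
    print("unscheduled (matrix gap):", unscheduled)
    print("overdue as of 2024-01-20:", overdue(lists, "2024-01-20"))
```

Note what the unscheduled list surfaces on the constructed data: the slide's classification scheme has a Medium asset tier (workstations and laptops) but its matrix never mentions it, so a High vulnerability on a workstation gets no window. Surfacing that gap is the point of refusing to default; the policy owner decides where those findings belong, and the matrix is extended accordingly.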
Process: Deployment Phases
Recommend phasing in scans to determine application interaction issues
Phased approach not necessary for all networks, but recommended for critical infrastructure
Perform initial testing of critical infrastructure in change windows
Summary
Technology is the simple part of your Vulnerability Management solution
– Utilize automation wherever possible
People are key to getting the job done; use them wisely and build a good working relationship.
– Know the key players, their roles and responsibilities
– Don't overwhelm people with data
– Get buy-in from multiple groups in your organization, especially the executive staff
Process is necessary to an effective solution; keep it simple to understand and follow
– Classify your assets; always work on the most important assets first
– Prioritize remediation; always work on the most critical issues first
– Create and use Service Level Agreements
– Monitor progress and make policy adjustments as necessary