400 likes | 663 Vues
Vulnerability Management. Moving Away from the Compliance Checkbox Towards Continuous Discovery. Derek Thomas Security Consultant VM, SSO/AM, SIEM Active in local INFOSEC groups Misec OWASP ISSA. Who am i ?. Agenda. 1. Common Problems. 2. What are Vulnerabilities. 3.
E N D
Vulnerability Management Moving Away from the Compliance Checkbox Towards Continuous Discovery
Derek Thomas • Security Consultant • VM, SSO/AM, SIEM • Active in local INFOSEC groups • Misec • OWASP • ISSA Who am i?
Agenda 1 Common Problems 2 What are Vulnerabilities 3 Objectives of Vulnerability Management 4 ProgramApproach 5 Questions
Problems • Limited Scope • External Network Centric • Unauthenticated Scans • Infrequent Assessments • Compliance Driven Common Themes
Threats are Everywhere Malware Insider Hackivist Target Environmental Improper Configs Mobile Devices
Regulations are setting the standard Example: NERC CIP Requires R8. Cyber Vulnerability Assessment “A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled” A simple network command like “Netstat” would satisfy this generic requirement http://www.nerc.com/files/CIP-007-1.pdf Minimum Standards
When your goal is meeting a minimum standard you run the risk of missing valuable insight into the security posture of many aspects of your organization Minimum Standards = Limited Insight
Limited Insight will not expose Vulnerabilities • Patch Management • Outdated software exists on newer assets and assets not on the domain. Security Monitoring Detection is slow, tedious, or non-existent because there are an overabundance of false positives Change Management Ineffective Change Management allows for rogue servers to appear on network Incident Response Data breach has lead to costly damages
Path to the Darkside Lightside Darkside Exploits Suffering Vulnerabilities Minimum Requirements Minimal Insight
Follow a defined lifecycle • Proactively identify vulnerabilities • Technical • Process • Evaluate effectiveness with testing Avoid the Dark side with a VM Program
What’s the first thing that comes to your mind when you think of a vulnerability? • Outdated software and insecure configurations is often the answer • Non-technical vulnerabilities exist in security processes as well • Understanding how each can be addressed is the key to a successful program Non-Technical Vulnerabilities
The “What” Integrity Confidentiality Availability
Incident Reduction Risk Reduction Minimize threat vectors Risk Reporting Tracking The “Why” (AVOID the DARKSIDE)
Define a Plan • Assign Responsibilities • Define Scope • Define Critical Controls • Utilize a Sustainable Lifecycle • Strive for Predictable and Repeatable Results VM Program Approach
Define a Plan - Responsibilities VM Project Lead Name Jane Doe • Assign roles and responsibilities • Who is responsible for what • Most roles are already suited for a particular person • Manages VM team • Coordinates remediation Name John Doe • Penetration Testing • Vulnerability Management Name Jenny Smith Patch Management Lead Red Team • Patch Engineer
What is going to be managed? • Start with discovery scans • Incorporate as many assets as possible • Security controls should be added as well Define a Plan - SCOPE In Scope Critical Servers Medical Devices Firewall X Application Y Out of Scope
Vulnerabilities exist in controls What controls should be added SANS Top 20 Critical Controls Define a Plan - Critical Controls
Sustainable Lifecycle Find Test Fix 1.Find Proactively search for weaknesses within the scope 2.Fix Remediate known vulnerabilities 3.Test Verify vulnerabilities have been remediated
How are vulnerabilities found? • 2 basic approaches: • Automated • (Semi)Manual • Many tasks can be automated • Manual assessments still need to be performed Sustainable Lifecycle - Find
Automated tool performs the heavy lifting The most famous is the vulnerability scanner 7 out of 20 SANS Critical Controls can be automated in some way with a vulnerability tool Another 8 can be automated using additional tools Automate as much as possible to save time for the fun Sustainable Lifecycle – Find Automated
Remaining security controls can be manually tested • Controls can be tested through various Red Team exercises • The Red Team simulates attacks from a malicious party • Incident Detection • Incident Response • People Sustainable Lifecycle – Find Manual
How are vulnerabilities going to be fixed • Present data in actionable form • 6000 page .pdf is not very actionable • Generate patch reports for patch management team • Reports filtered for server IP’s can be sent to the server team Sustainable Lifecycle - FIX
Easier said then done Use built in tools if possible Need buy in from application, system, and network team Without buy-in remediation becomes difficult Sustainable Lifecycle - FIX
Sustainable Lifecycle - Test • Verification of remediation efforts • Verify that patches have been applied • Ideally right after application • Can also be performed next scan interval
Once the program has reached a mature level the results shouldn’t be surprising • The processes will mature to the point that you can accurately predict the outcomes • Patches will be applied on time • Malware will be detected and cleaned • assets will be introduced with secure configurations Predictable and Repeatable Results
Predictable and Repeatable Results - Metrics • Vulnerability Management needs to be assessed • Metrics can gauge your improvement • NIST SP 800-40 provides excellent metrics 55%
Host Susceptibility to Attack • Number of patches, vulnerabilities, or network services per computer • Vulnerability Mitigation Response Time • Response time for vulnerability identification, patch application, or configuration change • VM Program Cost • Cost of Vulnerability Management group, support, or tools Predictable and Repeatable Results - Metrics
Vulnerability Metrics NIST SP 800-40
3 minimum 8 maximum Vulnerability Metrics NIST SP 800-40
Approach VM as a continuous lifecycle Move beyond minimum standards to enhance visibility and insight into the current state of security Clear objectives and proper approach is fundamental to VM Conclusion