HO20110473 © 2012 Fluor. All rights reserved.
Quick Wins in Vulnerability Management
Classification: Confidential
Owner: Michael Holcomb
Approver: Phil Cirulli
Prepared: April 14th, 2014
Agenda
The Need for Vulnerability Management
Clarifications on Vulnerability Management
SANS’ Top 20 Critical Controls
Master the Basics
Perform a Self Audit
Continuous Scanning & Remediation
Leverage Vulnerability Data in Incident Response
Metrics That Count
Secure Your ISP
About Michael Holcomb
25+ years in Information Technology
15+ years dedicated to Information Security
Sr. Information Security Manager at Fluor
President of Upstate SC ISSA Chapter
CISSP, GCIH, GCIA, etc.
The Need for Vulnerability Management
The quicker we stop an attacker, the less it costs the business
An attacker today will gain access to your resources, and they are on your network now
Proper vulnerability management reduces the attack vectors an attacker can exploit for spreading control through the environment
Gives intrusion detection capabilities time to detect the intruder, and incident response time to eject them from the network
Clarifications on Vulnerability Management
Vulnerability assessments and vulnerability management are two different things
Vulnerability assessments and penetration testing are two different things
Soft skills are more important than technical skills in vulnerability management
Successful vulnerability management is required to help secure an environment; successful vulnerability scans help ensure compliance
SANS’ Top 20 Critical Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
#4: Continuous Vulnerability Assessment and Remediation
Master the Basics
Perform a Self Audit
If you have no Vulnerability Management Program in place today, perform a self audit to discover what vulnerabilities you do have.
Before engaging an outside party to conduct a vulnerability assessment or penetration testing exercise, remediate as many issues as possible.
Continuous Scanning & Remediation
Determine scanning schedule and “window threshold” based on your organization’s requirements
– If a new vulnerability is introduced into your environment, how long would it take you to discover and understand the vulnerability?
Compliance requirements, rather than the quest for security, often drive scanning schedules
SIEM solutions are now integrating vulnerability scanning management capabilities with host detection capabilities
Leverage Vulnerability Data in Incident Response
Correlate the most current vulnerability data to focus intrusion detection response efforts
– Identify alerts that can be closed due to inapplicability
– Escalate alerts for response based on the actual risk of an attack against a specific existing vulnerability
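The correlation described on this slide, as an added example that is not part of the original presentation: IDS alerts are checked against current scan findings so that alerts for hosts that are not exposed are closed, exposed hosts are escalated by CVSS band, and hosts absent from the scan data are flagged for review. The alert and scan records, field names and placeholder CVE ids are all constructed for the example.

```python
"""Triage IDS alerts against current vulnerability scan data (added example).

Constructed sample data; CVE ids are placeholders and field names are assumed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float  # CVSS base score reported by the scanner

@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str  # target host named in the IDS alert
    cve: str   # CVE the triggered signature covers

# Constructed scan results: the hosts that are actually exposed right now.
# Assumes every scanned host has at least one finding (clean hosts would need the scanner's host list).
SCAN = [
    Finding("web01", "CVE-0000-0001", 9.8),
    Finding("web01", "CVE-0000-0002", 4.3),
    Finding("db01", "CVE-0000-0003", 7.5),
]

# Constructed IDS alerts from the same reporting period.
ALERTS = [
    Alert("a1", "web01", "CVE-0000-0001"),  # exposed, critical score
    Alert("a2", "web01", "CVE-0000-0002"),  # exposed, medium score
    Alert("a3", "db01", "CVE-0000-0001"),   # db01 not exposed: close
    Alert("a4", "app01", "CVE-0000-0003"),  # host never scanned
]

def triage(alerts, scan):
    """Map alert_id -> 'close', 'escalate-<band>' or 'review' (unknown host)."""
    exposed = {(f.host, f.cve): f.cvss for f in scan}
    scanned_hosts = {f.host for f in scan}
    result = {}
    for a in alerts:
        if a.host not in scanned_hosts:
            result[a.alert_id] = "review"  # no scan data to decide on
        elif (a.host, a.cve) not in exposed:
            result[a.alert_id] = "close"  # signature does not apply to this host
        else:
            score = exposed[(a.host, a.cve)]
            band = "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"
            result[a.alert_id] = f"escalate-{band}"
    return result
```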
Metrics That Count
Metrics can be used to communicate to technical and non-technical parties the risks associated with existing vulnerabilities within the environment
Such metrics should measure items which can be controlled by the organization
– Number of vulnerabilities by risk
  • Critical, High, Medium/Severe, Low
– Average risk (CVSS) score
– Remediation time
– False remediation
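The four metrics listed above, computed over a small scan history, as an added example that is not from the original presentation: the findings are constructed sample data, and the CVSS thresholds for the four risk bands and the record field names are assumptions.

```python
"""Vulnerability metrics from the slide, computed over a constructed scan
history. Added example, not from the original presentation; CVSS band
thresholds and field names are assumptions."""
from datetime import date
from statistics import mean

# Constructed history: date first seen, date marked remediated (None if still
# open) and date seen again after remediation (None if it stayed fixed).
FINDINGS = [
    {"host": "web01", "cvss": 9.8, "found": date(2014, 1, 6),
     "fixed": date(2014, 1, 10), "reopened": None},
    {"host": "web01", "cvss": 7.5, "found": date(2014, 1, 6),
     "fixed": date(2014, 1, 21), "reopened": date(2014, 2, 3)},
    {"host": "db01", "cvss": 5.0, "found": date(2014, 2, 3),
     "fixed": None, "reopened": None},
    {"host": "db01", "cvss": 2.1, "found": date(2014, 2, 3),
     "fixed": date(2014, 2, 5), "reopened": None},
]

def risk_band(cvss):
    """Map a CVSS score to the slide's four bands (thresholds are assumed)."""
    bands = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium/Severe")]
    return next((name for low, name in bands if cvss >= low), "Low")

def is_open(f):
    # Open if never fixed, or fixed but seen again afterwards (a false remediation)
    return f["fixed"] is None or f["reopened"] is not None

def count_by_risk(findings):
    """Number of currently open vulnerabilities per risk band."""
    counts = {"Critical": 0, "High": 0, "Medium/Severe": 0, "Low": 0}
    for f in filter(is_open, findings):
        counts[risk_band(f["cvss"])] += 1
    return counts

def average_cvss(findings):
    """Average CVSS score across currently open findings."""
    scores = [f["cvss"] for f in findings if is_open(f)]
    return round(mean(scores), 2) if scores else 0.0

def mean_remediation_days(findings):
    """Average days from discovery to remediation, over findings ever fixed."""
    days = [(f["fixed"] - f["found"]).days for f in findings if f["fixed"]]
    return mean(days) if days else 0.0

def false_remediation_rate(findings):
    """Share of remediated findings that reappeared on a later scan."""
    fixed = [f for f in findings if f["fixed"]]
    return round(sum(1 for f in fixed if f["reopened"]) / len(fixed), 2) if fixed else 0.0
```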
Metrics That Count (cont.)
Sample metrics can be simple, but meaningful
Examples below* demonstrate that, while limited progress is being made in remediating the “backlog” of vulnerabilities, processes for addressing new vulnerabilities and patch releases are highly successful
*Not based on actual Fluor data
Thank You!
If you have any questions, please don’t hesitate to contact me
– Email: [email protected]
– Phone: 864.281.5958