INFORMATION SECURITY: RISK ASSESSMENT AND MANAGEMENT
Digital Defense, Inc. – Cyber Texas, August 2016
Gordon MacKay – CTO Digital Defense Inc.
@gord_mackay
Confidential
Overview
• What is Vulnerability Management and how has it Evolved
• Inside the CISO’s Mind
• Vulnerability Management Challenges
• Vulnerability Management Maturity Model – VM3
• Accelerating your Evolution
• Bringing it all Together
Vulnerability Management - Then
• Scanning the Network – Once a Year
• Reporting on Vulnerabilities – Mountains of Data
• Fixing the Issues – Overwhelming Resources
Vulnerability Management - Now
• Management Process Overview & Policy
• Discover Assets/Applications – Data Center, Cloud, Mobile
• Discover – Consider Business Value
• Assess What? – Vulnerabilities, Configuration, People
• Assess How? – Unauthenticated, Authenticated, DAST, SAST
• Prioritize Findings – Business Value, Threat Intelligence, Network Architecture
• Assign Findings – IT Operations
• Measure – Report
CISO Challenges
• Think Like a General – What is Vulnerable Now? Minimize my Risk
• Think Like a Detective – Where Might I Already Be Compromised? Newly Discovered Threats Reveal Possibly Compromised Assets
How the Modern CISO Thinks – Real World: Like a General and a Detective
Hypothetical Use Case: New Zero Day Impacts Apache versions 2.4.0 – 2.4.22, Fixed in 2.4.23
[Timeline figure: Vulnerable Then → Vulnerable Now, over Time]
Vulnerability Management Challenges
• Too Many Vulnerabilities – How to Prioritize
• Where is Business Value – Situational Awareness
• Who Owns the Assets – Many Different Teams
• IT Security and IT Operations – Have Different Agendas
• Accuracy of Past Findings – VM Intelligence
VM Challenge – Scan-to-Scan Endpoint Correlation
[Diagram: endpoint records observed by the Week 1 and Week 2 scans over time, set against the real-world network assets A, B and C]
Scan records over time:
  IP=192.168.40.6, DNS HN=None, NETBIOS HN=Blue, MAC=Alpha
  IP=192.168.40.7, DNS HN=[email protected], NETBIOS HN=White, MAC=Undetected
  IP=192.168.40.6, DNS HN=crm.myorg.com, NETBIOS HN=None, MAC=Undetected
  IP=192.168.40.5, DNS HN=None, NETBIOS HN=Blue, MAC=Alpha
Real World Network Assets: Asset A, Asset B, Asset C
  IP=192.168.40.5, NETBIOS HN=None, MAC=Undetected
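The correlation problem the diagram illustrates, as an added example that is not from the slides or from Digital Defense's product: a small Python matcher that ties endpoints across two scans on stable identity attributes (MAC, NetBIOS name, DNS name) before falling back to IP. The scan records, the hostnames mail.myorg.com and crm.myorg.com, and the attribute precedence are constructed for the example.

```python
"""Scan-to-scan endpoint correlation: match hosts across two scans on stable
attributes (MAC, NetBIOS name, DNS name) before IP, since DHCP churn reuses
IP addresses between scans. Added example; the data below is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

@dataclass(frozen=True)
class Endpoint:
    ip: str
    dns_hn: Optional[str] = None      # None = not detected in this scan
    netbios_hn: Optional[str] = None
    mac: Optional[str] = None

STABLE = ("mac", "netbios_hn", "dns_hn")  # identity attributes, strongest first
KEYS = STABLE + ("ip",)                   # IP is only a last-resort key

def conflicts(a: Endpoint, b: Endpoint) -> bool:
    """True if some stable attribute was detected on both sides and differs."""
    return any(getattr(a, k) is not None and getattr(b, k) is not None
               and getattr(a, k) != getattr(b, k) for k in STABLE)

def correlate(prev: Sequence[Endpoint], curr: Sequence[Endpoint],
              keys: Sequence[str] = KEYS) -> Dict[Endpoint, Optional[Endpoint]]:
    """Map each current endpoint to the previous-scan record of the same asset,
    or None if it looks like a new asset. Each previous record is consumed at
    most once, and the strongest key is tried across all endpoints first."""
    unmatched, pending, result = list(prev), list(curr), {}
    for key in keys:
        for c in list(pending):
            val = getattr(c, key)
            if val is None:
                continue
            for p in unmatched:
                if getattr(p, key) == val and not conflicts(p, c):
                    result[c] = p
                    unmatched.remove(p)
                    pending.remove(c)
                    break
    for c in pending:
        result[c] = None
    return result

# Constructed scan records modelled on the slide's diagram (not real data).
WEEK1 = [Endpoint("192.168.40.6", None, "Blue", "Alpha"),
         Endpoint("192.168.40.7", "mail.myorg.com", "White", None)]
WEEK2 = [Endpoint("192.168.40.6", "crm.myorg.com", None, None),
         Endpoint("192.168.40.5", None, "Blue", "Alpha")]
```

With the default keys the Blue/Alpha host is tracked from .6 to .5 and crm.myorg.com is reported as a new asset; calling correlate(WEEK1, WEEK2, keys=("ip",)) gives the naive IP-only view, where crm.myorg.com inherits the week-1 findings of the Blue/Alpha host and that host looks brand new.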
Prevalence of Network Churn – DDI Study
Source: https://www.ddifrontline.com/wp-content/uploads/2015/08/Network_Host_Reconciliation.pdf
Vulnerability Management Maturity Model (VM3) – Where do I Operate?
Source: https://www.ddifrontline.com/vm3-whitepaper
Vulnerability Management Maturity – Major Influencing Factors
• Business Environment – Executive Management Participation, Security Awareness, Business IT Structure
• Policy – Risk Threshold, Set Goals (SLA)
• Discover & Prioritize Assets – Know Your Business Critical Assets
• Assess – Type, Depth, Breadth, Frequency
Vulnerability Management Maturity – Major Influencing Factors (continued)
• Prioritize Findings – Vulnerability Severity, Asset Criticality, Threat Intelligence, Attack Path
• Remediate
  • Who are the Asset Owners?
  • Security Operations vs IT Operations
  • Remediation/Mitigation Speed?
• Measure – Report
  • Measure/Report vs Set Goals
  • Measure Risk
  • Learn and Evolve Based on Measurements
Managed Service Vulnerability Management Can Help
• Design and Build
  • Discover New Assets on an Ongoing Basis
  • Examine, Re-examine Business Criticality
  • Design, Build Assessments – Varying Types, Depth, Breadth, Frequency
• Operate
  • Prioritize Findings – Understand which vulnerabilities you should take on
  • Managed Service Helps Bridge the Gap Between Security Operations and IT Operations Teams
• Report
  • Report on what matters to you
Wrap Up
• Vulnerability Management – An Evolving Process
• VM Challenges
  • Time – Scan-To-Scan Endpoint Correlation
  • Prioritizing Findings
  • Asset Owners?
  • Business Communication – IT Ops vs Security Ops
• Vulnerability Management Maturation Model – Higher Maturity Levels -> Lower Risk
• Accelerating Your VM Evolution