@NTXISSA #NTXISSACSC3
Vulnerability Management Isn’t Simple… (or, How to Make Your VM Program Great)
Kelly Hammons, Principal Consultant, CISSP
Secutor Consulting, October 2nd, 2015
“97% of breaches could have been avoided through simple or intermediate controls”
- Verizon Data Breach Investigations Report, 2012
While over 90 percent of all organizations monitor security effectiveness in some manner, only 40 percent do so ‘constantly’ rather than on an as-needed basis.
- Enterprise Security Group (ESG) Security Management & Operations Report, June 2012
How are vulnerabilities usually managed?
• Limited or non-existent budget
• Scanning too infrequently to be relevant
• Or scanning too aggressively
• Not using authentication
• Only scanning the “perimeter”
• Ad hoc prioritization
… Ignoring them
Vulnerability Management Goals…
• … keep your job
• Asset discovery
• Understand your perimeter
• Test new systems before they’re brought online
• Automation + Integration
• Produce actionable data & metrics
• Comply with regulations (PCI, HIPAA, NERC CIP…)
• Vulnerability remediation / reduce attack surface
• Keep your company’s name off the front page of the New York Times…
(or, VM Maturity Model)
Challenges
• Resistance from Network Operations, Patching Team, System Owners
• Things *will* crash
• Network devices *will* become saturated
• Patching software won’t always agree with the scanner
• Vulnerability Prioritization
• DHCP
  • Who owns the machine and/or service?
• Scanning
  • Scanner placement
  • What is in/out of scope?
  • Can you scan partner networks?
Where do we start?
• What are you going to scan?
  • Discovery scan
  • Internal vs External IPs
  • Ports
  • Authentication
  • Workstations, servers, lab, DMZ, IP phones, printers, network devices
• Scan frequency and windows?
• Who is responsible for patching?
• Where are the firewalls?
• Where do I place the scanners?
• How will vulnerabilities be prioritized?
What do I do with all of these vulnerabilities?
• Patch
• Upgrade
• Disable/Uninstall the service
• Add a client-side firewall or HIPS
• Modify the network fabric (routers/firewalls/IPS)
• … or ignore
• Prioritization
  • CVSS
  • Valuable hosts/data
  • *accessibility* from a threat source
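The three prioritization inputs on this slide (CVSS, host/data value, accessibility from a threat source) can be combined into a single ranking. The script below is an added example, not from the original slides: the weight tables, the asset tiers, the hostnames and the finding titles are all assumptions chosen to show the effect, and in practice the tier and exposure of a host would come from the CMDB and the firewall/network layout. It also prints the CVSS-only ordering so the difference is visible.

```python
"""Rank scanner findings by CVSS, host value and reachability from a threat source.

Added example, not from the original slides. The weight tables, asset tiers
and sample findings are assumptions made to illustrate the idea.
"""
from dataclasses import dataclass

# Assumed multipliers for what the host holds (source: CMDB / asset management).
ASSET_VALUE = {"crown-jewel": 3.0, "production": 2.0, "internal": 1.0, "lab": 0.5}

# Assumed multipliers for how reachable the host is from a likely threat source
# (source: firewall rules, scanner placement, which zone the host sits in).
EXPOSURE = {"internet": 3.0, "partner": 2.0, "dmz": 2.0, "internal": 1.0, "isolated": 0.5}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float       # CVSS base score (0.0-10.0) as reported by the scanner
    asset_tier: str   # key into ASSET_VALUE
    exposure: str     # key into EXPOSURE


def risk_score(f: Finding) -> float:
    """CVSS scaled by host value and accessibility; 0 to 90 under the tables above."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.host}: {f.cvss}")
    return f.cvss * ASSET_VALUE[f.asset_tier] * EXPOSURE[f.exposure]


def rank(findings):
    """Highest risk first; ties broken by raw CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def cvss_order(findings):
    """Host order a CVSS-only sort would give, for comparison."""
    return [f.host for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample findings: hostnames, titles and scores are made up.
SAMPLE = [
    Finding("lab-build-07", "Remote code execution (unsupported OS)", 9.8, "lab", "isolated"),
    Finding("hr-fs-02", "Weak file-sharing configuration", 8.1, "production", "internal"),
    Finding("pay-web-01", "Outdated TLS library", 7.5, "crown-jewel", "internet"),
    Finding("vpn-gw-01", "Information disclosure in admin UI", 5.3, "production", "internet"),
]


if __name__ == "__main__":
    print("CVSS only  :", cvss_order(SAMPLE))
    print("Risk-ranked:")
    for f in rank(SAMPLE):
        print(f"  {risk_score(f):5.1f}  {f.host:12}  CVSS {f.cvss}  {f.title}")
```

With these assumed weights the CVSS 9.8 finding on an isolated lab box drops to the bottom of the list, while the CVSS 7.5 finding on an internet-facing payment server moves to the top, which is the point of weighting by value and accessibility rather than by scanner severity alone.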
Metrics
• Are you measuring busyness or addressing “risk”?
• What am I scanning?
• What am I *not* scanning?
• How many of what kind of vulnerabilities?
• What’s different compared to last month?
• Pitfalls
  • DHCP
  • Trending
  • Upgrading or sunsetting hosts
  • Stale scan data
  • Wall of shame
A great example… Metrics in context
February Scan Results:
Asset Group                       Status   Comments
ABC Servers and Network Devices   Yellow   No host increase; number of Level 5 vulnerabilities is the same.
DEF Servers and Network Devices   Green    No increase in hosts; Level 5 vulnerabilities have decreased.
GHI Servers and Network Devices   Yellow   No host increase; number of Level 5 vulnerabilities is the same.
NA Workstations                   Red      The number of hosts and Level 5 vulnerabilities increased.
Europe Workstations               Green    The number of hosts increased, and the number of Level 5 vulnerabilities still decreased.
JKL Workstations                  Red      The number of hosts and Level 5 vulnerabilities increased.
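The table above is a month-over-month comparison per asset group, and the colours follow the direction of the Level 5 count with host counts shown for context. The script below is an added example, not from the original slides, that produces such a comparison from two scan exports while guarding against three of the metrics pitfalls listed earlier: DHCP (hosts are keyed by hostname, not IP, so a new lease is not a new host), stale scan data (rows older than the reporting window are dropped) and sunset hosts (a group that vanished is reported as unscanned rather than as an improvement). The group names, hostnames, addresses, dates and counts are constructed sample data, and the colour rule is one reading of the table, not a rule stated on the slide.

```python
"""Month-over-month comparison of scan results per asset group.

Added example, not from the original slides. The colour rule is one reading
of the table above: status follows the direction of the Level 5 count, with
host counts reported alongside for context. Group names, hostnames, addresses,
dates and counts are constructed sample data.
"""
from datetime import date

PREV_DATE = date(2015, 1, 31)   # January scan (assumed scan dates)
CURR_DATE = date(2015, 2, 28)   # February scan


def row(group, host, ip, seen, level5):
    """One host as a scanner export might list it: 'level5' is the number of
    severity-5 findings on that host, 'seen' the date it was last scanned."""
    return {"group": group, "host": host, "ip": ip, "seen": seen, "level5": level5}


PREV = [
    row("ABC Servers", "srv-abc-01", "10.1.0.11", date(2015, 1, 30), 2),
    row("ABC Servers", "srv-abc-02", "10.1.0.12", date(2015, 1, 30), 1),
    row("NA Workstations", "ws-na-001", "10.3.5.20", date(2015, 1, 29), 0),
    row("NA Workstations", "ws-na-002", "10.3.5.21", date(2015, 1, 29), 1),
    row("Europe Workstations", "ws-eu-001", "10.2.0.15", date(2015, 1, 29), 2),
    row("Europe Workstations", "ws-eu-002", "10.2.0.16", date(2015, 1, 29), 1),
    row("Old Lab", "lab-old-01", "10.9.0.5", date(2015, 1, 28), 4),
]

CURR = [
    row("ABC Servers", "srv-abc-01", "10.1.0.11", date(2015, 2, 27), 2),
    row("ABC Servers", "srv-abc-02", "10.1.0.12", date(2015, 2, 27), 1),
    # Stale data: a December result that rode along in the February export.
    row("ABC Servers", "srv-abc-03", "10.1.0.13", date(2014, 12, 20), 3),
    row("NA Workstations", "ws-na-001", "10.3.5.20", date(2015, 2, 26), 1),
    row("NA Workstations", "ws-na-002", "10.3.5.21", date(2015, 2, 26), 1),
    row("NA Workstations", "ws-na-003", "10.3.5.22", date(2015, 2, 26), 2),
    # DHCP: the same laptop scanned twice this month under two addresses.
    row("Europe Workstations", "ws-eu-001", "10.2.0.15", date(2015, 2, 3), 2),
    row("Europe Workstations", "WS-EU-001", "10.2.0.42", date(2015, 2, 27), 1),
    row("Europe Workstations", "ws-eu-002", "10.2.0.16", date(2015, 2, 27), 0),
    row("Europe Workstations", "ws-eu-003", "10.2.0.17", date(2015, 2, 27), 0),
    # "Old Lab" does not appear at all: its hosts were sunset (or missed).
]


def latest_by_host(rows, as_of, max_age_days=30):
    """Keep one row per (group, hostname): the most recent non-stale one.

    Keying on the case-folded hostname rather than the IP stops a DHCP lease
    change from counting as a new host, and dropping rows older than
    max_age_days keeps an earlier scan's results out of this month's numbers.
    """
    latest = {}
    for r in rows:
        if (as_of - r["seen"]).days > max_age_days:
            continue
        key = (r["group"], r["host"].lower())
        if key not in latest or r["seen"] > latest[key]["seen"]:
            latest[key] = r
    return latest


def summarize(rows, as_of):
    """Return {group: (host_count, level5_total)} from deduplicated rows."""
    totals = {}
    for (group, _host), r in latest_by_host(rows, as_of).items():
        hosts, l5 = totals.get(group, (0, 0))
        totals[group] = (hosts + 1, l5 + r["level5"])
    return totals


def status(prev, curr):
    """Colour a group by the direction of its Level 5 count."""
    prev_hosts, prev_l5 = prev
    curr_hosts, curr_l5 = curr
    if curr_hosts == 0 and prev_hosts > 0:
        return "Unscanned"   # sunset or missed hosts are not a "decrease"
    if curr_l5 < prev_l5:
        return "Green"
    if curr_l5 == prev_l5:
        return "Yellow"
    return "Red"


def compare(prev_rows, prev_date, curr_rows, curr_date):
    """Per-group status plus the host and Level 5 counts behind it."""
    prev = summarize(prev_rows, prev_date)
    curr = summarize(curr_rows, curr_date)
    report = {}
    for group in sorted(set(prev) | set(curr)):
        p, c = prev.get(group, (0, 0)), curr.get(group, (0, 0))
        report[group] = {"status": status(p, c),
                         "hosts": (p[0], c[0]), "level5": (p[1], c[1])}
    return report


if __name__ == "__main__":
    for group, r in compare(PREV, PREV_DATE, CURR, CURR_DATE).items():
        print(f"{group:20} {r['status']:9} hosts {r['hosts']}  Level 5 {r['level5']}")
```

Without the hostname dedup the Europe group would count the re-leased laptop's February 3 result on top of its February 27 one and come out Yellow instead of Green; without the age cut-off the December row would push ABC to Red; and without the unscanned check the decommissioned lab group would show up as a Green improvement.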
Interoperability – The whole is greater than the sum of its parts
• Asset Management/CMDB: Who owns this box?
• Patching: Discover false negatives
• Pen Testing: Speed up vulnerability discovery, less intrusive
• SIEM/IPS/IDS: Mitigate false alerts, fine-tune, add context, prioritize remediation
• Ticketing: Easy workflow
• Vector Analysis: Prioritization, discover unscanned subnets, discover *downstream* risk
• GRC: Fine-tune risk metrics, remediation tracking