Listen On Demand: https://www.brighttalk.com/webcast/5567/102273

Why You Should Attend:
- Learn how key network security management solution providers are expanding vulnerability assessments to include more than just network endpoints
- Gain a sneak peek of the newest tools and technologies in assessment precision and remediation
- Understand how vulnerability reporting is vital to the interests of compliance, IT and C-level management
Cutting Edge Approaches to Vulnerability Management
VM Value-Added Services
Chris Kissel, Industry Analyst
Information & Network Security
March 13, 2014
© 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.
Today’s Presenter
Chris Kissel, Industry Analyst
Frost & Sullivan
Follow me on: (Connect with social media)
www.linkedin.com
• IT & Network Security: vulnerability management, cloud-based file
sharing services, public vulnerabilities, NAC, and SSL certificates.
• Ten years of research and sales experience in the cellular
infrastructure, wireless, telecomm, PCs, semiconductor, and high-
definition consumer device sectors.
Introduction
1. Vulnerability Management Market Size
2. Vulnerability Management Basics
3. Specialized Reporting
4. Context Awareness
5. Integration with Complementary Secondary Technologies
Vulnerability Management Market Size
Cyber Threat Environment
The Nature of Cyber Attacks is Changing
• According to the Symantec Internet Security THREAT REPORT 2014, “targeted” attacks
increased by 32 percent between 2012 and 2013.
• Because of the availability of software and a growing history of cyber attacks, the skill level
required of a cyber attacker is becoming less important. Similar to legitimate
communications services providers, rogue agencies that are offering cyber attack services
are also providing a service level agreement (SLA).
• Cyber attacks are moving from server-side to client-side attacks.
• High-profile security breaches have received extensive media coverage, and can actually
affect the market worth of a company.
• While there may be no formal declaration of hostilities and the term “cyber warfare” may be
too much, certainly cyber conflicts are evident. Nation-states are suspected to be
responsible for the most pernicious attacks.
• Literally any aspect of networking from applications to access can be turned into a vulnerability. While attacks have become sophisticated, so too have the defenses against attacks.
Source: Frost & Sullivan
2010–2018 Vulnerability Management Market Size
Total Vulnerability Management Market: Unit Shipment and Revenue Forecast, Global, 2010–2018; Revenue CAGR (2013–2018) = 13.0%
Source: Frost & Sullivan
Investments in Vulnerability Management
• In the last two years, vulnerability management fundamentally changed. The major industry players received money in one form or another. Tenable Network Security and Rapid7 each received $50 million in funding; Qualys issued an IPO, and eEye Digital and nCircle were acquisition targets by BeyondTrust and Tripwire, respectively.
Source: Frost & Sullivan
Drivers and Restraints
Total Vulnerability Management Market: Key Market Drivers and Restraints, Global, 2014–2018
Impact by horizon: 1–2 Years / 3–4 Years / 5 Years (H High, M Medium, L Low)

Market Drivers
• The nature of cyber attacks is changing to include smaller businesses and threats are becoming more targeted: H / H / H
• Integration of features in vulnerability management platforms is helping customers harden their systems: M / M / M
• Compliance reporting is increasing in importance to conform with regulatory requirements: M / M / H
• The Internet of Things requires heterogeneous networks, and integrates new devices and security practices: M / H / H
• Continuous threat monitoring is becoming requisite: M / H / H

Market Restraints
• Customers are concerned that vulnerability management is too thin of a slice of protection and are worried about limits in the platform: H / H / H
• Vulnerability management customers are prohibited from publishing scan results, which reinforces the feeling from customers that they have trouble making value-based decisions: M / M / M
• Syncing security measures to match changes in a network is difficult: M / M / M
• Vulnerability management competes with other technologies for security solution dollars: L / L / L

Note: Drivers & Restraints are ranked in order of impact. Source: Frost & Sullivan
Poll Question Number One
Vulnerability Management Basics
Fundamentals to Vulnerability Management
Fundamental Aspects of Vulnerability Management
• Vulnerabilities are defined as any errors or weaknesses within a software program that
enable an unauthorized user to access sensitive data, gain control, or deny access to
authorized users.
• Vulnerability management provides an essential proactive solution to prevent data
breaches and system disruptions. These products enable companies to find weaknesses
in their networks and provide remediation guidance.
• Network scanners have the ability to scan all network-attached endpoints for
vulnerabilities. However, the resulting reports often generate long lists of vulnerable
systems.
• Vulnerability management now has much more concise reporting platforms. Ranking vulnerabilities in terms of remediation is an important efficacy aspect of vulnerability management. Nearly all devices and systems will show a vulnerability, which makes vulnerability prioritization important. A security team needs to know which threats should be addressed first. The ability to identify and remediate a threat at its earliest stages reduces the likelihood of an advanced persistent threat in the future.
Source: Frost & Sullivan
CVSS v.2 Scoring
Figure 1: Attributes and Measures of CVSS v.2
Each entry gives the attribute, what it measures, and the worst-case scenario.

Exploitability
• Access Complexity: the type of access a hacker has to a network. Worst case: no restrictions on access; a hacker can create an exploit without limitations.
• Access Vector: where an exploit can be triggered. Worst case: exploits triggered remotely, operating at Level 3 or above in a network.
• Authentication: how many times an attacker needs to be authenticated. Worst case: none; no authentication is needed to exploit vulnerabilities.

Impact
• Confidentiality: size of breach. Worst case: the hacker can access or steal any or all of the data.
• Integrity: file security. Worst case: an attacker can manipulate data; total integrity lost.
• Availability: pertains to a system or network availability. Worst case: crash! An attacker can incapacitate a system or a network.

Source: NIST; Common Vulnerability Scoring System v.2 (Base Score Metrics)
More About Vulnerability Management Basics
• Ticketing systems are something of a necessity in vulnerability management systems, and elicit strong emotions from IT personnel.
• Outpost24 has an elaborate ticketing system. Ticketing options can be manual or automated. Tickets can be sorted by remediation urgency, from low priority to high priority. Ticket detail includes who has ownership of the issue, who is assigned to fix the issue, when the issue is to be fixed, and the ultimate resolution.
• Patching vulnerabilities is the next step. Vulnerability management companies have agreements with patch management vendors.
• One differentiator vulnerability management providers can offer is a shortened cycle between remediation and new scanning.
Specialized Reporting
Reporting by Department
• Optimally, reports would be generated to facilitate different functions.
• Many organizations require different perspectives for IT/Security, CEO, and auditing conventions.
• Vulnerability management platform providers can provide templates that accomplish specific reports to prove compliance or that are more appropriate for specific market verticals.
• BeyondTrust uses the Microsoft Online Analytical Processing (OLAP) cubes to port data to its data warehouse.
Compliance Reporting
• Language in the Health Information Technology for Economic and Clinical Health Act (HITECH) suggests that larger healthcare providers like Cigna and Blue Cross assume indemnity for data and patient records coming from subcontractors. Consequently, the large healthcare providers have the right to audit their subcontractors which includes smaller practices like radiologists and ultrasound.
• In November 2013, Payment Card Industry Data Security Standard (PCI-DSS) 3.0 became an official standard. There is a phase-in period for vendors, but on January 1, 2014 the new standards became actionable. In the new set of standards, PCI-DSS 3.0 added best practices on top of its list of compliances. PCI-DSS 3.0 requires a merchant to have anti-malware protection, and lets merchants use password phrases as well as passwords for authentication. PCI DSS 3.0 standards will remain in place for at least three years.
• In the United States, National Institute of Standards and Technology (NIST) 4.0 was released April 30, 2013. NIST develops standards, guidelines, and recommendations to promote information security for all government agency operations and systems. In many cases, NIST compliance is required for private businesses to compete for contracts with government agencies.
Context Awareness
Context Awareness
• Context awareness integrates threat, risk, vulnerability, privilege, and event data, with compliance reporting and remediation procedures and statistics to give IT the information it needs to make the most effective decisions possible.
• There is never a shortage of vulnerabilities. Almost without exception, all networks will show vulnerabilities. The ability to react and remediate the most potentially damaging threat environments is important.
• Vulnerability prioritization allows an IT team to act on Advanced Persistent Threats and Zero Day vulnerabilities—hopefully before a threat is initiated.
• The pillars of contextual awareness in this report are specialized reporting, device fingerprinting, threat simulation, and risk management.
Enhanced Reporting—Tripwire
Source: Tripwire Analyst Deck, 2013, With permission.
Enhanced Reporting
• The end user can look at any metric on the dashboard and drill down to see what assets are being threatened.
• The Tripwire paradigm lets the end user cross-match conditions: AUTOMATED EXPLOIT AND EXPOSURE would be among the most dire. Additionally, Tripwire vulnerability scoring considers 90,000 conditions.
• Ease of use is also an important specialized report differentiator.
• Outpost24 customers can generate automated reports from a selection of 42 attributes (31 pre-assigned templates, 10 custom templates, and one defined asset groups report).
• The reports are designed to pivot from the perspective of a stakeholder (system owner, location, or business unit, etc.) regardless of scan time.
• Automated reporting can pare down the flow of information from each perspective.
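The Context Awareness slide argues that a raw vulnerability list is not an action plan, and the reporting bullets above add that the same findings must be re-cut per stakeholder. The Python below is an added example written for this page to show both ideas on one data set; it is not code from Tripwire, Outpost24, BeyondTrust or any other vendor named here, and it makes no claim about how their scoring works. The findings, owners, asset names and the weighting factors for criticality, exploit availability and exposure are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample findings (not real scan output). Each record carries the
# scanner's CVSS base score plus the context a VM platform attaches to it:
# asset criticality, whether a public exploit exists, whether the host is
# reachable from outside, and which stakeholder owns the asset.
FINDINGS = [
    {"id": "example-vuln-1", "asset": "hr-fileshare-03", "owner": "hr",
     "cvss": 9.8, "criticality": "low", "exploit_public": False, "exposed": False},
    {"id": "example-vuln-2", "asset": "web-checkout-01", "owner": "payments",
     "cvss": 6.8, "criticality": "high", "exploit_public": True, "exposed": True},
    {"id": "example-vuln-3", "asset": "db-orders-02", "owner": "payments",
     "cvss": 7.5, "criticality": "medium", "exploit_public": True, "exposed": False},
    {"id": "example-vuln-4", "asset": "kiosk-lobby-01", "owner": "facilities",
     "cvss": 5.0, "criticality": "medium", "exploit_public": False, "exposed": True},
]

# Assumed weighting factors. A real platform derives these from its asset
# inventory and threat feeds; the values here only illustrate the mechanism.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
EXPLOIT_MULTIPLIER = 1.5
EXPOSURE_MULTIPLIER = 1.25


def risk_score(finding):
    """Contextual priority: CVSS base score weighted by asset criticality,
    public exploit availability and network exposure."""
    score = finding["cvss"] * CRITICALITY_WEIGHT[finding["criticality"]]
    if finding["exploit_public"]:
        score *= EXPLOIT_MULTIPLIER
    if finding["exposed"]:
        score *= EXPOSURE_MULTIPLIER
    return score


def prioritize(findings):
    """Remediation order: highest contextual risk first, ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f["cvss"]), reverse=True)


def report_by_owner(findings, urgent_threshold=10.0):
    """Pivot the same findings into a per-stakeholder view: how much each
    owner holds, how much of it is urgent, and what to fix first."""
    by_owner = defaultdict(list)
    for f in findings:
        by_owner[f["owner"]].append(f)
    report = {}
    for owner, items in by_owner.items():
        ordered = prioritize(items)
        report[owner] = {
            "total": len(items),
            "urgent": sum(1 for f in items if risk_score(f) >= urgent_threshold),
            "fix_first": ordered[0]["id"],
        }
    return report


if __name__ == "__main__":
    print("Remediation order (contextual risk vs. raw CVSS):")
    for f in prioritize(FINDINGS):
        print(f"  {f['id']:<15} {f['asset']:<16} risk={risk_score(f):6.2f}  cvss={f['cvss']}")
    print("Per-owner view:")
    for owner, s in sorted(report_by_owner(FINDINGS).items()):
        print(f"  {owner:<10} total={s['total']} urgent={s['urgent']} fix_first={s['fix_first']}")
```

On this data the 9.8 on a low-criticality, internal file share drops to the bottom of the queue while the 6.8 on an exposed, high-criticality checkout host with a public exploit moves to the top; sorting by CVSS alone would have reversed that. The per-owner pivot is the same list re-cut so that the payments team sees only its two urgent items rather than the whole organisation's backlog.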
Device Fingerprinting
• One of the biggest challenges to VM platforms is an ever-changing network.
• Visibility is the unifying concept. New devices, virtualized machines and devices that have been offline or otherwise decommissioned all present the same challenge.
• Any weakness becomes a potential attack vector. IT teams must maintain visibility.
• Of course, the same principle applies to devices that are powered down.
• Essentially, vulnerability management platforms must have easy hooks into mobile device management program (MDM) or must provide “MDM-lite” functionality.
Threat Modeling (Leading Toward Risk Management)
• Rapid7 offers threat modeling simulation in Metasploit Pro and Metasploit Express. An IT department can create a tunnel of communications at the L2 layer which bypasses intrusion detection and intrusion prevention systems (IDS/IPS).
• In order to simulate an attack, IT can then launch a single exploit against a host, and use the knowledge from a compromised machine to exploit another machine. Other scenarios include brute force, and basic and smart exploitations.
• Outpost24 solutions prioritize remediation based on dependency and criticality ratings for affected systems; the ease of exploitation and its impact on the organization; and the efficiency and effectiveness of the remediation efforts (solution-based reporting).
Poll Question Number Two
Integration with Secondary Technologies
Integration with Secondary Technologies
Figure: the Vulnerability Management Platform at the centre, integrated with Log Management, SSL Certificate Authentication, SIEM, Privileged Identity Management, Web Application Scanning, Secure Configurations, and a Risk Management Platform.
Source: Frost & Sullivan
Applied Analytics
• Security information and event management (SIEM), log management and risk management are interrelated and are analytically driven technologies.
• An analytical approach to vulnerability management platforms is preferred on several levels: proper event correlation can be incorporated into the frontline of vulnerability scanning.
• SIEM or SIEM-like capabilities are the gateway for integration with other security measures. Data loss prevention (DLP) identifies when there are breaches to data surrounding personal identification, industrial or government secrets, or financial data.
• BeyondTrust uses analytics from its solutions integrated under its BeyondInsight IT Risk Management platform to make sure that identity is the basis of access to certain files, to deny access to unauthorized users, and to turn intelligence gathered from the platform into better vulnerability management.
Web Application Scanning
• Hackers are using vulnerabilities in Web applications as a means to create exploits.
• Web application scanning is being offered by several vulnerability management service providers.
• Qualys has a separate Web Application Scanning/Web Firewall Service.
• In June 2012, Tripwire included Web application scanning, WebApp360, on its Tripwire IP360 vulnerability and risk management platform at no additional cost.
• Web application scanning is an integral part of Tenable SecurityCenter Continuous View platform.
QualysGuard Integrated Suite of Security and Compliance Solutions
Vulnerability Management
Policy Compliance
Customizable Questionnaires
PCI DSS
Web Application Scanning
Malware Detection
Web Application Firewall
Web Application Log Analysis
*In Beta
Source: Qualys, Used with Permission.
Continuous Monitoring
• In the United States, NIST considers continuous monitoring to be a set of “planned, required, and deployed security controls” in the context of an information system to remain effective “in light of the inevitable changes that occur.”
• From NIST 800-137 (verbatim)… Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
• All Federal agencies have to produce monthly inventories of all assets on their networks (devices, applications, servers, virtual machines, etc.).
Continuous Monitoring Principles
Real-time, Continuous Monitoring Platform
• Immediate discovery of assets including mobile, cloud, and virtual systems
• Continuous, real-time vulnerability assessment
• Integrated threat detection and advanced malware analysis, isolation of attack paths
• Real-time network monitoring and anomaly detection
• Integrated logging, forensics, and threat investigation & response
• Proactive compliance reporting and patch auditing
Figure: Benefits of Continuous Monitoring; components shown: Vulnerability Management, Malware Detection, Compliance & Patch Monitoring, Continuous Monitoring, Network Behavioral Analysis, Log Collection & Analysis.
Continuous Monitoring Architecture (Tenable Network Security)
Aspects of Continuous Monitoring (Tenable Network Security)
• Tenable Network Security offers a Continuous Monitoring solution that combines active scanning, passive sniffing, and log analysis forming a composite view of assets, vulnerabilities, and threats.
• Its Nessus active scanner supports both credentialed and non-credentialed scans to identify vulnerabilities, compliance and configuration checks.
• The Passive Vulnerability Scanner (PVS) analyzes network traffic at the packet layer, also known colloquially as “sniffing”, to detect assets as they connect to the network. PVS also identifies vulnerabilities and malicious communications from network traffic, supplementing the Nessus active scans.
• The Log Correlation Engine (LCE) provides log analysis to add additional context to vulnerabilities and threats from the surrounding infrastructure and system logs.
• These combined technologies work together to identify risk from transient devices and dynamic systems including mobile devices, virtual infrastructure, and cloud applications.
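The value of combining the three feeds is that each one covers a gap the others leave: a device that only ever shows up on the wire was never scanned, and a device that was scanned but has gone silent may be powered down, decommissioned, or about to return unpatched. The Python below is an added example written for this page to make that composite view concrete; it is not Tenable's code and makes no claim about how SecurityCenter, Nessus, PVS or LCE are implemented. The three feeds, the addresses in them, the log lines and the staleness threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed feeds standing in for the three sources described above.
# Active scan: per-asset result of the last credentialed scan.
ACTIVE_SCAN = {
    "10.0.0.5": {"last_scanned": "2014-03-10T02:00:00", "findings": ["example-vuln-1"]},
    "10.0.0.7": {"last_scanned": "2014-02-01T02:00:00", "findings": []},
}
# Passive observations: (timestamp, ip, service) inferred from traffic.
PASSIVE_OBS = [
    ("2014-03-12T09:15:00", "10.0.0.5", "https"),
    ("2014-03-12T09:20:00", "10.0.0.9", "ssh"),
]
# Log events: (timestamp, host, message) collected from system logs (constructed lines).
LOG_EVENTS = [
    ("2014-03-12T09:21:00", "10.0.0.9", "sshd: Failed password for root"),
    ("2014-03-12T09:22:00", "10.0.0.5", "sshd: Accepted publickey for deploy"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def composite_view(active, passive, logs, now, stale_after_days=14):
    """Merge the three feeds into one asset table and flag coverage gaps.

    Flags:
      unscanned          seen passively or in logs but never by the active scanner
      stale-scan         last active scan is older than stale_after_days
      no-recent-activity scanned once, but no passive or log signal since
    """
    now = _ts(now)
    assets = {}

    def entry(ip):
        return assets.setdefault(ip, {"sources": set(), "findings": [], "services": set(),
                                      "last_scanned": None, "last_activity": None, "flags": []})

    for ip, rec in active.items():
        e = entry(ip)
        e["sources"].add("active")
        e["findings"] = list(rec["findings"])
        e["last_scanned"] = _ts(rec["last_scanned"])

    for ts, ip, service in passive:
        e = entry(ip)
        e["sources"].add("passive")
        e["services"].add(service)
        e["last_activity"] = max(filter(None, [e["last_activity"], _ts(ts)]))

    for ts, host, _message in logs:
        e = entry(host)
        e["sources"].add("log")
        e["last_activity"] = max(filter(None, [e["last_activity"], _ts(ts)]))

    stale = timedelta(days=stale_after_days)
    for ip, e in assets.items():
        if "active" not in e["sources"]:
            # Transient or newly connected device with unknown vulnerability posture.
            e["flags"].append("unscanned")
        elif now - e["last_scanned"] > stale:
            e["flags"].append("stale-scan")
        if e["sources"] == {"active"}:
            # Possibly powered down or decommissioned; still matters because it
            # may come back on the network unpatched.
            e["flags"].append("no-recent-activity")
    return assets


def assets_with_flag(assets, flag):
    """Addresses carrying a given flag, sorted for stable reporting."""
    return sorted(ip for ip, e in assets.items() if flag in e["flags"])


if __name__ == "__main__":
    view = composite_view(ACTIVE_SCAN, PASSIVE_OBS, LOG_EVENTS, now="2014-03-13T00:00:00")
    for ip, e in sorted(view.items()):
        print(ip, sorted(e["sources"]), e["flags"], e["findings"])
```

Run against the constructed feeds, 10.0.0.9 is flagged unscanned (it exists only in passive traffic and a log line), 10.0.0.7 is flagged both stale and silent, and 10.0.0.5 carries no flags because all three sources agree on it. The same merge is what lets a log event such as the failed root login on 10.0.0.9 be read in the context of a host whose vulnerability posture is still unknown.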
Major Challenges (Current and Future)
CURRENT CHALLENGES
1. Developing products for the small and medium-sized business markets.
2. Finding a unified scoring metric to determine the effectiveness of scanning accuracy. Like many of the enhanced vulnerability scoring matrices offered by VM service providers, time to remediation has to be a part of the platform.
3. Automating more of the processes in vulnerability management.
4. Explaining goods and services within the context of the Top 20 CSC SANS (SysAdmin, Audit, Networking, and Security) security measures.
FUTURE CHALLENGES
1. Extend the principles of vulnerability management to hybrid cloud environments.
2. Decide which features are best integrated into vulnerability management products.
3. Building an infrastructure to account for the APAC region.
Frost & Sullivan Services, Community Contribution and Network and Information Security Team Info
Next Steps
Develop Your Visionary and Innovative Skills: Growth Partnership Service
Share your growth thought leadership and ideas or join our GIL Global Community
Join our GIL Community Newsletter: Keep abreast of innovative growth opportunities
Phone: 1-877-GOFROST (463-7678) Email: [email protected]
Follow Frost & Sullivan on Facebook, LinkedIn, SlideShare, and Twitter
http://www.facebook.com/FrostandSullivan
http://www.linkedin.com/companies/4506
http://twitter.com/frost_sullivan
http://www.slideshare.net/FrostandSullivan
Your Feedback is Important to Us
Growth Forecasts?
Competitive Structure?
What would you like to see from Frost & Sullivan?
Emerging Trends?
Strategic Recommendations?
Other?
Please inform us by “Rating” this presentation.
For Additional Information
Chris Kissel
Industry Analyst
IT & Network Security, IRG-74
(623) 910-7986
Michael Suby
VP of Research
IT & Network Security, IRG-74
(720) 344-4860
Frank Dickson
Principal Analyst
IT & Network Security, IRG-74
(469) 387-0256
Chris Rodriguez
Senior Analyst
IT & Network Security, IRG-74
(210) 477-8423