THREAT INTELLIGENCE: THE KEY TO A COMPLETE VULNERABILITY MANAGEMENT STRATEGY

Sandy Hawke, VP, Product Marketing, @sandybeachSF



DESCRIPTION

While vulnerability assessments are essential, considering vulnerability data in a vacuum greatly limits your ability to prioritize your action plan in an effective way. Without the context of which vulnerabilities are the most severe, which are actively being targeted, which are on critical assets, etc., you may waste time checking things off the list without actually improving security. Join AlienVault for this session to learn:
- Strategies for addressing common vulnerability management challenges
- The pros and cons of different vulnerability scanning techniques
- How to integrate threat intelligence into your vulnerability management strategy


Page 1: Threat Intelligence: The Key To A Complete Vulnerability Management Strategy

THREAT INTELLIGENCE: THE KEY TO A COMPLETE VULNERABILITY MANAGEMENT STRATEGY

Sandy Hawke, VP, Product Marketing

@sandybeachSF

Page 2

KEY DISCUSSION POINTS

• Rethinking Vulnerability Management
• Overcoming challenges
• Overview of vulnerability scanning techniques
• Benefits of shared threat intelligence
• Customer feedback
• Key takeaways
• Q & A

Page 3

WHY DO WE DO VULNERABILITY MANAGEMENT?

Page 4

WHY DO WE DO VULNERABILITY MANAGEMENT?

BECAUSE THAT’S WHAT ATTACKERS EXPLOIT.

Page 5

SO WHY ISN’T VULNERABILITY MANAGEMENT DONE IN THE CONTEXT OF ACTUAL THREATS?

• Historical: limitations of the initial products to market
• Became part of a “siloed” process
• Many have taken the “checklist” mindset in approaching this problem.

Page 6

OVERCOMING OPERATIONAL CHALLENGES

Page 7

COMMON CHALLENGES

With vulnerability management programs

Prioritizing remediation tasks
• Which vulnerability matters most?
• What’s the larger risk context? Active threats?

Removing false positives
• What can I do to reduce this “noise”?

Optimizing workflows
• How do I minimize disruption but maximize accuracy?
• How do I go from a static report to active remediation? (e.g. who owns this vulnerable asset anyway?)

Page 8

IS THIS WHAT YOUR VULNERABILITY REPORT LOOKS LIKE?

What are you supposed to do with this?

Page 9

PRIORITIZING VULNERABILITIES

Avoiding the “vulnerability visibility vacuum”

• View vulnerabilities inside the context of actual threats – both global and local
• At a glance, be able to understand:
  • What other software is installed on these systems?
  • What type of traffic do these vulnerable hosts generate?
  • Who owns these systems?
  • Have these systems been targeted by known attackers?
  • Are there recent alarms in my SIEM that have been triggered involving vulnerable systems?

Page 10

VIEWING VULNERABILITIES IN THE CONTEXT OF THREATS

Step 1: Immediately identify known malicious IPs targeting these vulns.

Step 2: Review vulnerabilities on assets that are being targeted in active threats.

Step 3: Follow step-by-step guidance in responding to the threat.
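Pages 9 and 10 describe ranking findings by the threat context around them rather than by CVSS alone. The following Python script is an added example, not code from the deck or from AlienVault USM: it takes constructed scan findings, a constructed asset inventory (owner, criticality), a constructed threat-intelligence feed (vulnerabilities seen exploited in the wild, a reputation-listed attacker range), constructed NIDS/netflow records and constructed SIEM alarms, and produces a ranked remediation list with the reasons for each rank. The scoring weights are assumptions chosen for illustration, not a published formula.

```python
"""Prioritise scan findings in the context of global and local threats.

Added example, not code from the deck or from AlienVault USM. Every input
below (findings, inventory, intel feed, flows, alarms) is constructed and the
scoring weights are assumptions chosen for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed vulnerability scan output: (host, vulnerability id, CVSS base score)
SCAN_FINDINGS = [
    ("10.0.1.10", "VULN-A", 9.8),
    ("10.0.1.10", "VULN-B", 5.3),
    ("10.0.2.20", "VULN-C", 7.5),
    ("10.0.3.30", "VULN-D", 10.0),
]

# Constructed asset inventory: who owns the box and how critical it is (1..3)
ASSETS = {
    "10.0.1.10": {"owner": "web-team", "criticality": 3},
    "10.0.2.20": {"owner": "hr-it", "criticality": 2},
    "10.0.3.30": {"owner": "lab", "criticality": 1},
}

# Constructed global threat intelligence
ACTIVELY_EXPLOITED = {"VULN-A", "VULN-C"}          # seen exploited in the wild
MALICIOUS_NETS = [ip_network("203.0.113.0/24")]    # reputation-listed attacker range

# Constructed local telemetry: (source, destination) pairs from NIDS/netflow,
# and recent SIEM alarms keyed by the affected host
RECENT_FLOWS = [("203.0.113.7", "10.0.1.10"), ("198.51.100.5", "10.0.2.20")]
SIEM_ALARMS = {"10.0.2.20": ["ssh-brute-force"]}

# Assumed weights for the threat-context bonuses
W_EXPLOITED = 10.0
W_TARGETED = 10.0
W_ALARM = 5.0


def is_malicious(ip: str) -> bool:
    """Step 1: does this source address fall inside a known-malicious range?"""
    addr = ip_address(ip)
    return any(addr in net for net in MALICIOUS_NETS)


def targeted_hosts(flows) -> dict:
    """Map each destination host to the malicious sources that touched it."""
    hits = {}
    for src, dst in flows:
        if is_malicious(src):
            hits.setdefault(dst, []).append(src)
    return hits


def prioritize(findings=SCAN_FINDINGS, assets=ASSETS, flows=RECENT_FLOWS, alarms=SIEM_ALARMS):
    """Step 2: rank findings by CVSS x asset criticality plus threat context.

    A CVSS 10 on a lab box ends up below a CVSS 9.8 on a critical host that a
    listed attacker is already probing.
    """
    targeted = targeted_hosts(flows)
    ranked = []
    for host, vuln, cvss in findings:
        asset = assets.get(host, {"owner": "unknown", "criticality": 1})
        score = cvss * asset["criticality"]
        reasons = []
        if vuln in ACTIVELY_EXPLOITED:
            score += W_EXPLOITED
            reasons.append("exploited in the wild")
        if host in targeted:
            score += W_TARGETED
            reasons.append("targeted by " + ", ".join(targeted[host]))
        if host in alarms:
            score += W_ALARM
            reasons.append("SIEM alarms: " + ", ".join(alarms[host]))
        ranked.append({"host": host, "vuln": vuln, "cvss": cvss, "owner": asset["owner"],
                       "score": round(score, 1), "reasons": reasons})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    # Step 3 in the deck is response guidance; here the owner is carried
    # along so the finding can be ticketed to the right team.
    for r in prioritize():
        print(f"{r['score']:5.1f}  {r['host']:<10} {r['vuln']:<7} CVSS {r['cvss']:<4} "
              f"owner={r['owner']:<9} " + ("; ".join(r["reasons"]) or "no threat context"))
```

The ordering it produces (VULN-A, VULN-C, VULN-B, VULN-D) is the point: the highest CVSS finding ranks last because nothing else about it is alarming, while a medium-severity finding on a host a listed attacker is already probing moves up.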

Page 11

REMOVING FALSE POSITIVES

Leverage a variety of scanning techniques

Continuous Vulnerability Monitoring: correlate data from asset discovery & inventory scans with the latest known vulnerabilities. Benefits: avoids network “noise”; minimizes system impact; requires minimal resources.

Active Network Scanning: actively scan to identify vulnerable services and software.
• Authenticated – more accurate, but potentially more impactful
• Unauthenticated – less accurate, but less impactful

Page 12

OPTIMIZING WORKFLOWS

Breaking down silos

Streamline the process: run the scan, vet the data, prioritize remediation* based on global and local threat intelligence, then re-run a validation scan.

Document the process: an integrated ticketing system makes this much easier.

Secret to success? Having all of the essential functionality in one place.

*Sometimes this is a patch, and sometimes it’s a workaround.
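Page 11 describes continuous vulnerability monitoring (correlating an inventory against the vulnerability feed with no packets on the wire) and Page 12 the scan, vet, prioritize, validate loop. The following Python script is an added example, not code from the deck or from AlienVault USM, covering both: it correlates a constructed host-based software inventory against a constructed vulnerability database of affected version ranges, then applies a constructed suppression list for packages verified to carry a backported fix, the usual source of false positives in version-based matching. The version parser is an assumption of the example and compares only the numeric components; real feeds need per-product version parsing.

```python
"""Continuous vulnerability monitoring: correlate a software inventory against
a vulnerability database, then vet the raw matches before ticketing.

Added example, not code from the deck or from AlienVault USM. The inventory,
the vulnerability records, the version ranges and the suppression list are all
constructed for illustration.
"""
import re


def parse_version(version: str) -> tuple:
    """Turn '2.4.18' or '7.2' into a tuple of integers for comparison.

    Assumption of this example: only numeric components are compared, so
    vendor-specific suffixes such as 'p2' or '-4ubuntu2.8' are not understood.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed vulnerability database: affected_from <= version < fixed_in
VULN_DB = [
    {"id": "VULN-1", "product": "openssh", "affected_from": "5.0", "fixed_in": "7.4", "cvss": 7.5},
    {"id": "VULN-2", "product": "apache-httpd", "affected_from": "2.4.0", "fixed_in": "2.4.26", "cvss": 9.8},
    {"id": "VULN-3", "product": "nginx", "affected_from": "1.0.0", "fixed_in": "1.13.0", "cvss": 5.3},
]

# Constructed host-based software inventory (what an agent or an authenticated
# inventory scan would report); 'package' is the distro package string.
INVENTORY = [
    {"host": "10.0.1.10", "product": "apache-httpd", "version": "2.4.18", "package": "apache2 2.4.18-2ubuntu3.4"},
    {"host": "10.0.1.10", "product": "openssh", "version": "7.2", "package": "openssh-server 1:7.2p2-4ubuntu2.8"},
    {"host": "10.0.2.20", "product": "openssh", "version": "7.9", "package": "openssh-server 1:7.9p1-10"},
    {"host": "10.0.3.30", "product": "nginx", "version": "1.14.0", "package": "nginx 1.14.0-0ubuntu1.7"},
    {"host": "10.0.4.40", "product": "openssh", "version": "7.2", "package": "openssh-server 7.2p2 (from source)"},
]

# Vetting step: (vuln id, package string) pairs the team has verified carry a
# backported fix, so the version-range match is a known false positive.
SUPPRESSIONS = {
    ("VULN-1", "openssh-server 1:7.2p2-4ubuntu2.8"),
}


def affected(record: dict, version: str) -> bool:
    """Is this version inside the record's affected range?"""
    v = parse_version(version)
    return parse_version(record["affected_from"]) <= v < parse_version(record["fixed_in"])


def correlate(inventory=INVENTORY, vuln_db=VULN_DB, suppressions=frozenset()) -> list:
    """Match inventory entries against the database; no packets are sent."""
    findings = []
    for item in inventory:
        for rec in vuln_db:
            if rec["product"] != item["product"] or not affected(rec, item["version"]):
                continue
            if (rec["id"], item["package"]) in suppressions:
                continue  # verified backport: drop the noise
            findings.append({"host": item["host"], "vuln": rec["id"],
                             "version": item["version"], "cvss": rec["cvss"]})
    return findings


if __name__ == "__main__":
    raw = correlate()
    vetted = correlate(suppressions=SUPPRESSIONS)
    print(f"raw matches: {len(raw)}, after vetting: {len(vetted)}")
    # A newly published record is applied to the same inventory without rescanning
    new_record = {"id": "VULN-4", "product": "nginx", "affected_from": "1.0.0", "fixed_in": "1.15.0", "cvss": 7.5}
    for f in correlate(vuln_db=VULN_DB + [new_record], suppressions=SUPPRESSIONS):
        print(f"{f['host']} {f['vuln']} ({f['version']}, CVSS {f['cvss']})")
```

Two things are worth noticing when running it. The same openssh 7.2 appears on two hosts and is reported only for the one built from source, because the distro package on the other carries a verified backport; that is the vetting step, and the suppression list is what a validation scan should re-check. And when a new record is appended to the database, the nginx host is flagged immediately from the stored inventory, which is the "minimal resources, no network noise" benefit Page 11 claims for continuous monitoring.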

Page 13

USING A UNIFIED, THREAT-BASED APPROACH FOR VULNERABILITY MANAGEMENT

Pages 14 to 20 (one diagram, built up one layer per slide)

WHAT FUNCTIONALITY DO I NEED?

Each step of the threat-based approach maps to a layer of functionality:

Figure out what is valuable → Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Identify ways the target could be compromised → Vulnerability Assessment
• Network Vulnerability Testing

Start looking for threats → Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Look for strange activity which could indicate a threat → Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Piece it all together → Security Intelligence
• SIEM Event Correlation
• Incident Response

Together (Page 20) these five layers make up Unified Security Management.

Page 21

WHY ALIENVAULT USM?

• All-in-one functionality
• Vulnerability assessment within a broader context
• Targeted remediation, easier to manage
• Flexible reporting: multiple modules, formats & queries… as detailed as you want it.
• Threat intelligence from AlienVault Labs: know WHO is targeting vulnerabilities, HOW they’re doing it and WHAT to do about it

Page 22

ALIENVAULT LABS THREAT INTELLIGENCE: SECURITY FOR YOU, POWERED BY ALL

Page 23

ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT

Network and host-based IDS signatures – detects the latest threats in your environment

Asset discovery signatures – identifies the latest OSes, applications, and device types

Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems

Correlation rules – translates raw events into actionable remediation tasks

Reporting modules – provides new ways of viewing data about your environment

Dynamic incident response templates – delivers customized guidance on how to respond to each alert

Newly supported data source plug-ins – expands your monitoring footprint

Page 24

CUSTOMER SUCCESS

Page 25

ACHIEVING COMPLETE VULNERABILITY MANAGEMENT

Unify your security monitoring controls for better visibility into vulnerabilities

Use emerging threat intelligence to prioritize remediation

Evolve from checklist reporting to true risk reduction

Page 26

NOW FOR SOME Q&A…

Three Ways to Test Drive AlienVault

Download a Free 30-Day Trial: http://www.alienvault.com/free-trial

Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site

Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo

Questions? [email protected]