Vulnerability Management for the Real World

Source file: 2c7a4c96cceb2e3402a1e8386306af69.ppt

  • Number of slides: 42

» Vulnerability Management for the Real World
George Kurtz, Chief Executive Officer, Foundstone
Contents: The Problem – What is Vulnerability Management? – Challenges to Effective VM – Successful Approaches

» The Problem

Question » What won't you see in this presentation? Answer: Another CSI/FBI slide! We all know the problem, what about a solution!

Proclamation: VA Is Dead… They Just Haven't Buried The Body!

Organizations are Feeling the Pain
1. What causes the damage? Vulnerabilities. 95% of breaches target known vulnerabilities.
2. How do you prevent the damage? What are your options? You can control vulnerabilities.
3. How do you successfully deal with vulnerabilities? Business complexity, human resources, financial resources.
4. How do you make the best security decisions? RISK = Assets x Vulnerabilities x Threats. Focus on the right assets, the right threats, the right measures.

» What is Vulnerability Management?

What Is Vulnerability Management: a process to determine whether to eliminate, mitigate or tolerate vulnerabilities, based upon risk and the cost associated with fixing the vulnerability.

What Is Vulnerability Management » At a high level, the "intelligent confluence" of: Assessment (what assets?) + Analysis (what to fix first?) + Remediation (fix the problem) • A component of Risk Management • Balances the demands of business goals and processes

» Challenges to Effective VM

Challenges – Assessment
» Traditional desktop scanners cannot handle large networks
» They provide volumes of useless checks
» Chopping up scans and distributing them is cumbersome
» Garbage In, Garbage Out (GIGO): volumes of superfluous data
» Coverage at all OSI layers is inadequate
» Time consuming and resource intensive
» Finding the problem is only half the battle

Challenges – Analysis
» Manual and resource-intensive process to determine:
– What to fix
– Whether to fix at all
– When to fix
» No correlation between vulnerabilities, threats and assets
» No way to prioritize which vulnerabilities should be addressed, or in what order
» Stale data: making decisions on last quarter's vulnerabilities
» No credible metrics

Challenges – Remediation
» Security resources are often decentralized
» The security organization often doesn't own the network or system
» Multiple groups may own the asset
» Presenting useful and meaningful information to relevant stakeholders
» Determining if the fix was actually made

Challenges – Time (timeline figure, built up over three slides)
Axes: Threat Level against Asset Criticality, with a Risk Threshold line; the threshold is crossed when the cost to ignore the vulnerability is greater than the cost to repair.
Stages along the timeline: Vulnerability discovered (Discovery) → Exploit public → Automated exploit → Remediation.
Goal = compress the time from discovery to remediation.
Multiply this by 15 new vulnerabilities per day across many assets.

» Vulnerability Management Lifecycle

Vulnerability Management Lifecycle (diagram slide)

» Successful Approaches: Implementing An Effective VM Strategy

Successful Approaches » Focus on four key areas:
– Prioritize Assets
– Determine Risk Level (assets, threats, vulnerabilities)
– Remediate Vulnerabilities
– Measure

Asset: Any function, task, capability, equipment or information that has value to the organization or supports the ability of the organization to conduct business

Threat: Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function

Vulnerability: Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process

Prioritize Assets

Asset Prioritization
» Identify assets by:
– Networks • Logical groupings of devices • Connectivity: none, LAN, broadband, wireless
– Network devices • Wireless access points, routers, switches
– Operating system • Windows, Unix
– Applications • IIS, Apache, SQL Server
– Versions • IIS 5.0, Apache 1.3.12, SQL Server 7

Asset Prioritization
» Network-based discovery
– Known and "unknown" devices
– Determine network-based applications
– Excellent scalability
» Agent-based discovery
– In-depth review of the applications and patch levels
– Deployment disadvantages
» Combining network- and agent-based discovery is optimal
– Agents: cover what you already know in great detail
– Network: identify rogue or new devices
» Frequency: continuous, daily or weekly, depending on the asset

Correlate Threats

Correlate Threats
» Not all threat and vulnerability data have equal priority
» Primary goal is to rapidly protect your most critical assets
» Identify threats: worms, exploits, wide-scale attacks, new vulnerabilities
» Correlate them with your most critical assets
» Result = prioritization of vulnerabilities within your environment

Determine Risk Level

Risk Calculation
» The union of vulnerabilities, assets and threats
» Based upon the criticality of vulnerabilities, assets and threats (VAT)
» Focus your resources on the true risk

Remediation

Remediation / Resolution
» Perfection (zero vulnerabilities) is unrealistic: think credit card fraud. Will the banks ever eliminate credit card fraud?
» You have limited resources to address issues
» The question becomes: do I address this or not?
» Factor in the business impact costs and the remediation costs: if the risk outweighs the cost, eliminate or mitigate the vulnerability!

Remediation / Resolution
» Apply the Pareto Principle, the 80/20 rule
– Focus on the vital few, not the trivial many
– 80% of your risk can be eliminated by addressing 20% of the issues
– The Risk Union will show you the way: the right assets, the relevant threats, the critical vulnerabilities

Remediation / Resolution
» Patch or mitigate: weigh the impact on availability from a bad patch against the risk of not patching
» Recommendations:
– QA security patches: 24 hours
– Determine if there are widespread problems
– Implement defense-in-depth
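The deck's RISK = Assets x Vulnerabilities x Threats formula, the Risk Union from the Risk Calculation slide, the "if the risk outweighs the cost, eliminate or mitigate" decision and the 80/20 cut from the Remediation / Resolution slides, worked through as one added example. This is not Foundstone's code or product logic. The 1-5 criticality scale, the CVSS-style 0-10 severity scale, the threat-stage multipliers for the discovery → exploit public → automated exploit timeline, the linear scaling of business loss by risk share, and the inventory and scan result are all assumptions made for the demo.

```python
"""Risk = Assets x Vulnerabilities x Threats, worked as code.

Added example for this page; it is not Foundstone's code or product logic.
Assumed for the demo: asset criticality on a 1-5 scale, vulnerability severity
on a CVSS-style 0-10 scale, threat multipliers for the deck's discovery ->
exploit public -> automated exploit timeline, a linear scaling of business
loss by risk share, and a constructed inventory and scan result.
"""
from dataclasses import dataclass

# Threat level escalates along the deck's timeline; these weights are an assumption.
THREAT_WEIGHT = {"discovered": 1.0, "exploit_public": 2.0, "automated_exploit": 4.0}
MAX_CRITICALITY, MAX_SEVERITY = 5, 10.0
MAX_RISK = MAX_CRITICALITY * MAX_SEVERITY * max(THREAT_WEIGHT.values())


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # Asset Criticality Profile: 1 (expendable) .. 5 (crown jewel)
    loss_if_breached: float   # business impact cost used in the remediate/tolerate decision


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    asset: str                # host the scanner reported it on
    severity: float           # 0..10
    threat_stage: str         # key of THREAT_WEIGHT
    remediation_cost: float   # labour + downtime to patch or mitigate


@dataclass
class Finding:
    vid: str
    asset: str
    risk: float
    action: str


def risk_score(asset: Asset, vuln: Vulnerability) -> float:
    """The deck's Risk Union: criticality x severity x threat stage."""
    if vuln.threat_stage not in THREAT_WEIGHT:
        raise ValueError(f"unknown threat stage {vuln.threat_stage!r}")
    if not (1 <= asset.criticality <= MAX_CRITICALITY and 0 <= vuln.severity <= MAX_SEVERITY):
        raise ValueError(f"score out of range for {vuln.vid}")
    return asset.criticality * vuln.severity * THREAT_WEIGHT[vuln.threat_stage]


def decide(asset: Asset, vuln: Vulnerability) -> Finding:
    """Eliminate or mitigate when the business impact outweighs the cost of the fix, else tolerate."""
    risk = risk_score(asset, vuln)
    expected_loss = asset.loss_if_breached * (risk / MAX_RISK)  # assumed linear scaling
    action = "eliminate/mitigate" if expected_loss > vuln.remediation_cost else "tolerate"
    return Finding(vuln.vid, asset.name, risk, action)


def prioritize(assets, vulns, pareto=0.8):
    """Correlate scanner output with the asset inventory and rank by risk.

    Returns the ranked findings, the 'vital few' that carry `pareto` of the total
    risk, and findings on hosts the inventory does not know. The last group is
    surfaced rather than dropped: an unknown host means asset identification is
    incomplete, and its criticality cannot be assumed low.
    """
    inventory = {a.name: a for a in assets}
    ranked, unknown = [], []
    for v in vulns:
        asset = inventory.get(v.asset)
        if asset is None:
            unknown.append(Finding(v.vid, v.asset, float("nan"), "inventory: unknown asset"))
            continue
        ranked.append(decide(asset, v))
    ranked.sort(key=lambda f: f.risk, reverse=True)

    total = sum(f.risk for f in ranked)
    vital, running = [], 0.0
    for f in ranked:
        vital.append(f)
        running += f.risk
        if total and running / total >= pareto:
            break
    return {"ranked": ranked, "vital_few": vital, "unknown_assets": unknown}


# Constructed sample inventory and scan result (not real data).
ASSETS = [
    Asset("payments-db", 5, 2_000_000.0),
    Asset("intranet-wiki", 2, 50_000.0),
    Asset("kiosk-01", 1, 5_000.0),
]
VULNS = [
    Vulnerability("V-1", "payments-db", 9.0, "automated_exploit", 20_000.0),
    Vulnerability("V-2", "payments-db", 4.0, "discovered", 15_000.0),
    Vulnerability("V-3", "intranet-wiki", 9.8, "exploit_public", 3_000.0),
    Vulnerability("V-4", "kiosk-01", 10.0, "automated_exploit", 8_000.0),
    Vulnerability("V-5", "intranet-wiki", 3.0, "discovered", 2_000.0),
    Vulnerability("V-6", "shadow-host", 7.5, "exploit_public", 1_000.0),
]

if __name__ == "__main__":
    result = prioritize(ASSETS, VULNS)
    for f in result["ranked"] + result["unknown_assets"]:
        print(f"{f.vid:<4} {f.asset:<14} risk={f.risk:6.1f}  {f.action}")
    print("vital few:", [f.vid for f in result["vital_few"]])
```

Two things the numbers show that the slides only state. The severity-10, worm-stage flaw on the kiosk (V-4) outranks most of the list by risk score yet comes out as "tolerate", because the host is cheap to lose and expensive to fix; a tolerated finding still belongs behind the defense-in-depth the deck recommends (segmentation, monitoring), and the decision should be revisited when the threat stage or the asset's role changes. The finding on shadow-host is not scored at all: a scanner hit on a host missing from the inventory is a step-1 failure, and assigning it a low criticality by default is how crown jewels get tolerated.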

Measure

Measure
» Current state of security metrics:
– You can't manage what you can't measure
– No focus on quantifying "security": what is my real risk?
– Only a relative scale of risk, not an absolute one
– Return on Security Investment (ROSI) is extremely difficult to calculate
– No accountability in security

Measure
» Future look:
– Accountability
– A universal standard to quantify risk
– Common nomenclature
– Dashboard view of risk and vulnerabilities across disparate organizations
– Technologies that will help answer the questions: Am I secure? Who is accountable, and by when? Am I getting better or worse? How am I trending over time? How do I compare to my peers? How do I compare outside my industry?
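The metrics the Measure slides ask for, the discovery-to-remediation interval the Challenges – Time slides want compressed, and the "determining if the fix was actually made" problem from Challenges – Remediation, as one added example computed over a small remediation log. This is not code from the deck or from Foundstone. The per-criticality SLA in days, the rule that a finding counts as closed only when a later rescan no longer reports it, and the log, dates and snapshot calendar are all constructed for the demo.

```python
"""Metrics for the Measure step, computed over a constructed remediation log.

Added example for this page; it is not code from the deck or from Foundstone.
Assumed for the demo: a remediation SLA in days per asset criticality, and the
rule that a finding is closed only when a later rescan no longer reports it
(the deck's 'determining if the fix was actually made'). The log, the dates
and the snapshot calendar are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed SLA: days allowed from discovery to verified remediation, by asset criticality.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Record:
    fid: str
    criticality: str
    discovered: date
    ticket_closed: Optional[date]   # what the system owner reported
    rescan_clean: Optional[date]    # first later scan that no longer found it


def is_open(rec: Record, on: date) -> bool:
    """Open until a rescan stops reporting it; a closed ticket alone does not count."""
    return rec.discovered <= on and (rec.rescan_clean is None or rec.rescan_clean > on)


def days_exposed(rec: Record, today: date) -> int:
    """Discovery-to-remediation time, the interval the deck wants compressed (still growing if open)."""
    end = rec.rescan_clean if rec.rescan_clean is not None else today
    return (end - rec.discovered).days


def sla_status(rec: Record, today: date) -> str:
    return "breached" if days_exposed(rec, today) > SLA_DAYS[rec.criticality] else "met"


def closed_but_unverified(records, today: date):
    """Tickets marked done whose fix no rescan has confirmed: report, do not count as fixed."""
    return [r.fid for r in records if r.ticket_closed is not None and is_open(r, today)]


def mttr_by_criticality(records):
    """Mean verified remediation time in days per criticality (open findings excluded)."""
    buckets = defaultdict(list)
    for r in records:
        if r.rescan_clean is not None:
            buckets[r.criticality].append(days_exposed(r, r.rescan_clean))
    return {crit: mean(days) for crit, days in buckets.items()}


def open_trend(records, snapshots):
    """Open findings at each snapshot date, the 'am I getting better or worse?' series."""
    return [(d, sum(1 for r in records if is_open(r, d))) for d in snapshots]


def direction(series) -> str:
    """Compare the last two points of an open_trend series."""
    if len(series) < 2 or series[-1][1] == series[-2][1]:
        return "flat"
    return "worse" if series[-1][1] > series[-2][1] else "better"


# Constructed remediation log (not real data).
RECORDS = [
    Record("R1", "high",   date(2004, 5, 1),  date(2004, 5, 4),  date(2004, 5, 5)),
    Record("R2", "high",   date(2004, 5, 10), date(2004, 5, 25), date(2004, 5, 26)),
    Record("R3", "high",   date(2004, 6, 20), date(2004, 6, 22), None),   # "fixed", rescan disagrees
    Record("R4", "medium", date(2004, 5, 15), None,              None),
    Record("R5", "medium", date(2004, 6, 1),  date(2004, 6, 10), date(2004, 6, 12)),
    Record("R6", "low",    date(2004, 4, 1),  date(2004, 5, 1),  date(2004, 5, 3)),
    Record("R7", "low",    date(2004, 6, 25), None,              None),
]
TODAY = date(2004, 6, 30)
SNAPSHOTS = [date(2004, 4, 30), date(2004, 5, 31), date(2004, 6, 30)]

if __name__ == "__main__":
    print("MTTR (days) by criticality:", mttr_by_criticality(RECORDS))
    print("SLA breached:", [r.fid for r in RECORDS if sla_status(r, TODAY) == "breached"])
    print("closed but unverified:", closed_but_unverified(RECORDS, TODAY))
    series = open_trend(RECORDS, SNAPSHOTS)
    print("open findings per snapshot:", [(d.isoformat(), n) for d, n in series], "->", direction(series))
```

The design choice that matters is the source of truth for "closed": the ticket system records what the owner says, the rescan records what is reachable on the wire, and only the second stops the exposure clock. R3 is the case that makes the deck's accountability point: the owner closed the ticket on day 2, the finding is still open on day 10, and it is already past its 7-day SLA. A dashboard fed from tickets alone would show it green.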

Summary
» All assets are not created equal
» You cannot respond to, or even protect against, all threats
» An effective vulnerability management program focuses on risk: vulnerabilities, assets, threats
» The hardest step in a 1000-mile journey is the first: start somewhere
» Strategically manage vulnerabilities using a comprehensive process

10 Steps to Effective Vulnerability Management
1. Identify all the assets in your purview
2. Create an Asset Criticality Profile (ACP)
3. Determine exposures and vulnerabilities
4. Track relevant threats, realized and unrealized
5. Determine risk: the union of vulnerabilities x assets x threats
6. Take corrective action if risk > cost to eliminate or mitigate
7. Create meaningful metrics and hold people accountable
8. Identify and address compliance gaps
9. Implement an automated vulnerability management system
10. Convince someone with a budget that vulnerability management is important

Don't Spend Another Dime On Security Until You Understand How To… Protect The Right Assets From The Right Threats With The Right Measures

» Contact Information: George Kurtz, 949-297-5600, george.kurtz@foundstone.com, www.foundstone.com


Thank you for participating in this SearchSecurity.com on-demand webcast. If you have suggestions for future webcasts, e-mail the editor at [email protected]. For other SearchSecurity.com webcasts, visit http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax292632,00.html