How to Enhance Vulnerability Management with Intelligence plus Analytics

Copyright © Aujas All rights reserved. Aujas Restricted Circulation Nail Vulnerability Management with Intelligence plus Analytics IDC IT Security Roadshow 2016 Doha, Qatar Yogesh Bhatia, CISSP, CSSLP Practice Head, Aujas

Upload: aujas

Post on 15-Apr-2017


TRANSCRIPT

Page 1: How to Enhance Vulnerability Management with Intelligence plus Analytics


Nail Vulnerability Management with Intelligence plus Analytics

IDC IT Security Roadshow 2016, Doha, Qatar

Yogesh Bhatia, CISSP, CSSLP, Practice Head, Aujas

Page 2: How to Enhance Vulnerability Management with Intelligence plus Analytics


Disclaimer

The aspects discussed in this presentation are purely individual observations and opinions. They may not necessarily be correct, especially when generalized.

Incidents, examples, people, organizations etc. are used only to illustrate the points of discussion.

Page 3: How to Enhance Vulnerability Management with Intelligence plus Analytics


Everyone has their own perspective – Intelligence and Analytics

CIO and IT Operations Perspective: Vulnerability data comes from multiple sources. We really don’t have the money and resources to fix them all, and we are not sure what to fix first.

CISO Perspective: We have assigned vulnerabilities to the IT team. We really don’t have a tracking mechanism until operations updates us.

Business Executives Perspective: We really don’t know which (business) groups of assets have vulnerabilities, which ones are important, and whether the ones that matter are getting mitigated.

Security Analyst Perspective: We don’t want to prepare dashboards and reports every time IT operations fixes an issue.

Page 4: How to Enhance Vulnerability Management with Intelligence plus Analytics


Reliance on Single Source for Vulnerability Intelligence

“Vulnerability Intelligence refers to all research data on vulnerabilities, including but not limited to historical data, exploits, targets, attacks etc.”

Most of the time we rely on a scanner tool to get intelligence about a vulnerability and manually prioritize remediation.

Is this vulnerability really being exploited, and is it responsible for the breaches happening out there?

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/?utm_source=datafloq&utm_medium=ref&utm_campaign=datafloq

Page 5: How to Enhance Vulnerability Management with Intelligence plus Analytics


No Context

Were you ShellShocked?

Researchers announced a vulnerability, ShellShock, which allows an adversary to execute arbitrary commands on a remote system and, if exploited successfully, may allow the adversary to gain control over the target computer.

Another one, POODLE, allows an adversary to hijack browser sessions if they are using the flawed SSL protocol.

You really want to make sure that a vulnerability is applicable to your environment and really impacts your assets before you start patching them!

A shift from a vulnerability-fixing mindset to a risk-assessment mindset is what is required.

Page 6: How to Enhance Vulnerability Management with Intelligence plus Analytics


What you need - Vulnerability Intelligenalytics

“Organizations can increase the effectiveness of their vulnerability management programs through automation, analytics and threat intelligence.”

[Diagram labels: Targets; Threats; Zero-Day; Breaches; Organization Context; Vulnerability Intelligence; Scanner Data; Manual Testing; Audit Reports; CVSS Score; Vulnerability Data; Analytics; output: vulnerabilities that matter the most and are to be fixed first]

Page 7: How to Enhance Vulnerability Management with Intelligence plus Analytics


Key Take Away

• Consider the asset's risk rating and its criticality in the network. Get the context right before spending effort on fixing an issue.

• Subscribe to vulnerability intelligence feeds to get information on attacks, breaches, zero-days and active exploits, and so gain perspective on vulnerabilities.

• Clearly communicate security posture to all relevant stakeholders, be they technical people or non-technical (business) people.

• CVSS is good, but it works better when you customize it to your environment.

• Once you have the list of important ones to be fixed, track them to closure.

• Last but not least: don’t do this manually, as it is a huge task depending upon the size of the network and organization. Automate efforts to effectively contextualize what’s happening in the outside world and what’s relevant to your organization.
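One way to automate the contextualization these takeaways describe, as an added example that is not part of the original presentation: findings from several sources are merged, weighted by asset criticality and boosted when an intelligence feed reports active exploitation. The asset names, `VULN-*` placeholder IDs, weights and multiplier are all assumptions made for illustration.

```python
# Added example: constructed data; the weights are assumptions, not a standard.
# Findings from several sources (scanner, manual test, audit), placeholder IDs.
FINDINGS = [
    {"asset": "web-01", "vuln": "VULN-A", "cvss": 9.8, "source": "scanner"},
    {"asset": "web-01", "vuln": "VULN-A", "cvss": 9.8, "source": "manual-test"},
    {"asset": "hr-db", "vuln": "VULN-B", "cvss": 5.0, "source": "scanner"},
    {"asset": "lab-07", "vuln": "VULN-A", "cvss": 9.8, "source": "scanner"},
    {"asset": "kiosk-3", "vuln": "VULN-C", "cvss": 6.0, "source": "audit"},
]
# Organization context: business group and criticality (1 = low, 3 = high).
ASSETS = {
    "web-01": {"group": "e-commerce", "criticality": 3},
    "hr-db": {"group": "HR", "criticality": 3},
    "lab-07": {"group": "test lab", "criticality": 1},
}
# Intelligence feed: vulnerabilities reported as actively exploited.
ACTIVELY_EXPLOITED = {"VULN-B"}
CRIT_WEIGHT = {1: 0.5, 2: 0.8, 3: 1.0}  # assumed criticality weights
EXPLOIT_BOOST = 1.5                     # assumed multiplier for active exploits
# An asset missing from the inventory is treated as critical until classified.
UNKNOWN_ASSET = {"group": "UNKNOWN", "criticality": 3}

def prioritize(findings, assets, exploited):
    """Merge duplicate findings, apply context, return rows sorted by risk."""
    merged = {}
    for f in findings:
        rec = merged.setdefault((f["asset"], f["vuln"]),
                                {"cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f["cvss"])  # keep the worst reported score
        rec["sources"].add(f["source"])
    rows = []
    for (asset, vuln), rec in merged.items():
        ctx = assets.get(asset, UNKNOWN_ASSET)
        score = rec["cvss"] * CRIT_WEIGHT[ctx["criticality"]]
        if vuln in exploited:
            score *= EXPLOIT_BOOST
        rows.append({"asset": asset, "vuln": vuln, "group": ctx["group"],
                     "base": rec["cvss"], "risk": round(min(score, 10.0), 1),
                     "sources": sorted(rec["sources"])})
    # Highest contextual risk first; asset name breaks ties deterministically.
    return sorted(rows, key=lambda r: (-r["risk"], r["asset"]))

if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS, ACTIVELY_EXPLOITED):
        print(f'{r["risk"]:>4}  {r["asset"]:<8} {r["vuln"]:<7} '
              f'{r["group"]:<11} base={r["base"]}')
```

With this constructed data, the medium-severity but actively exploited finding on the HR database outranks the high-severity finding on the test-lab host, which a sort on base CVSS alone would place second.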

Page 8: How to Enhance Vulnerability Management with Intelligence plus Analytics


Aujas Information Risk Services

390+ customers served across 22 countries

320+ employees globally with more than 200 specialists

220+ certified employees across standards, technologies & industry certifications

Aujas helps organizations manage information security risks by protecting data, software, people and identities in line with compliance requirements and best practices; we also help strengthen security governance and intelligence frameworks.

Investors:

• Seed Funding: IDG Ventures – Boston, MA

• Series B Funding: IDG Ventures – Boston, MA; IvyCap Ventures – Bay Area, CA; RVCF – India

Global Presence:

Page 9: How to Enhance Vulnerability Management with Intelligence plus Analytics


Bangalore | Cupertino | Delhi | Dubai | Jersey City | Mumbai

Thank You

For more information: Yogesh Bhatia, Practice Head, Threat Management [email protected]