New Approaches to Vulnerability Management
Todd Graham
Director, Risk & Compliance
RSA
What is Vulnerability Management
• The definition thus far[1]:
“Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems.”
“Host and infrastructure vulnerabilities can often be addressed by applying patches or changing configuration settings. Custom software or application-based vulnerabilities often require additional software development in order to fully mitigate. Technologies such as web application firewalls can be used in the short term to shield systems, but to address the root cause, changes must be made to the underlying software.”
[1] Thank you Wikipedia
Mega Changes Forcing Evolution
• Cloud
– New area to audit and protect
– Computing power available for good and evil
• Virtualization
– The data center becomes homogeneous
– Potential hypervisor-based vulnerabilities
• Attacker Motivation
– Vulnerabilities exploited for financial gain
• “Enterprization” of Consumer
– Web 2.0 technologies open up new threats to the enterprise
Classic VM Program Steps
• Define Policy - Organizations must start by determining the desired security state for their environment. This includes determining desired device and service configurations and access control rules for users accessing resources.
• Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where policy violations are occurring.
• Prioritize Vulnerabilities - Instances of policy violations are vulnerabilities. These vulnerabilities are then prioritized using risk- and effort-based criteria.
• Shield - In the short term, the organization can take steps to minimize the damage a vulnerability could cause by creating compensating controls.
• Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done by patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.
• Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, new security vulnerabilities are always being identified. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
Source: Gartner, “Improve IT Security With Vulnerability Management”
Technology Surfaces
• Network & Host
– Scan network to discover assets
– Determine asset type, version, and configuration
– Compare current device state to known vulnerabilities
• Application
– Profile applications to determine risky behavior or insecure programming techniques
– Part of SDLC and Vendor Management Programs
• Configuration Management
– Adjacent to traditional VM
– Focused on managing configuration to mitigate threats
What’s Next
Thesis:
The next generation of vulnerability management will come from the integration and correlation of disparate data sources, many of which already exist in the enterprise.
We need to intelligently connect the dots (SIEM, DLP, App Scanners, File and DB Access Monitoring…).
Creative Zero Day Detection
• Leverage your SIEM to detect and correlate abnormal behaviors
3 Step Process – Step 1
1. Collect and normalize information from VA scanners and asset inventory tracking systems
– View and manage the asset details across the entire enterprise
[Figure: correlation architecture (V3.5), shown on each of the three step slides. Three feeds are built and distributed into the SIEM. (a) Vulnerability definition sources A, B, C and other web sources are acquired, parsed and normalized into the vulnerability database, keyed by VUL ID with vulnerability description, asset predicates and severity; vulnerability updates arrive frequently. (b) IDS vendor signature updates are parsed, assigned signature IDs and mapped to VUL ID references (SIG ID -> VUL IDREFs), alongside IDS message grammars keyed by event ID; signature updates arrive frequently. (c) Vulnerability assessment tool reports are parsed into asset ID plus structured description, encoded as production asset predicate flags and loaded into the normalized asset predicates, which are periodically refreshed. At run time an IDS/IPS message (Event ID, Asset ID, SIG ID) is resolved through the signature map to VUL ID references and from there to a threat description for the target asset.]
3 Step Process – Step 2
2. Embedded Vulnerability Repository
• Database of vulnerabilities from NVD
• Description, impact, cross-reference meta-data, affected products, vendors, versions, protocols, network service
3 Step Process – Step 3
3. Automatically relate security events to asset attributes via the vulnerability repository
– Assign a confidence to the impact an incident will have upon the target
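The three steps above as one runnable pass, written here as an added example; it is not code from the presentation or from any RSA product. The asset inventory, VA report, vulnerability definitions (VULN-0001, VULN-0002), signature map and IDS events are all constructed sample data; a real deployment would load the repository from NVD and the other inputs from the scanner, CMDB and IDS exports. Step 1 normalizes the VA report and the inventory into one predicate record per asset, Step 2 is the in-memory repository, and Step 3 joins each IDS event to the target's predicates through the signature-to-vulnerability references and assigns a confidence to the impact.

```python
"""Added example (not from the presentation): the three-step correlation
above, run over constructed sample data."""
import csv
from dataclasses import dataclass, field
from io import StringIO


# ---- Step 2: embedded vulnerability repository (constructed entries) -------
@dataclass(frozen=True)
class VulnDef:
    vul_id: str
    affected: frozenset   # {(product, version), ...} from the definition
    service: str          # network service the flaw is reached through
    severity: float       # CVSS-style base score


VULN_REPO = {
    "VULN-0001": VulnDef("VULN-0001", frozenset({("acme-httpd", "2.0"),
                                                ("acme-httpd", "2.1")}), "http", 9.0),
    "VULN-0002": VulnDef("VULN-0002", frozenset({("acme-db", "5.1")}), "sql", 7.5),
}

# IDS vendor signature ID -> vulnerability references (constructed mapping)
SIG_TO_VUL = {"SIG-100": ["VULN-0001"], "SIG-200": ["VULN-0002"]}


# ---- Step 1: collect and normalize VA scanner output + asset inventory -----
@dataclass
class AssetPredicates:
    asset_id: str
    ip: str
    products: set = field(default_factory=set)       # {(product, version)}
    services: set = field(default_factory=set)       # exposed network services
    scan_findings: set = field(default_factory=set)  # VUL IDs the VA tool reported


# Constructed sample exports; real tools emit their own formats.
ASSET_INVENTORY_CSV = """asset_id,ip,product,version,service
APPSERV002,192.168.1.100,acme-httpd,2.1,http
DBSERV001,192.168.1.101,acme-db,6.0,sql
"""
VA_REPORT_CSV = """ip,vul_id
192.168.1.100,VULN-0001
"""


def normalize(inventory_csv, va_csv):
    """Merge inventory rows and VA findings into one predicate record per asset."""
    assets, by_ip = {}, {}
    for row in csv.DictReader(StringIO(inventory_csv)):
        a = assets.setdefault(row["asset_id"], AssetPredicates(row["asset_id"], row["ip"]))
        a.products.add((row["product"], row["version"]))
        a.services.add(row["service"])
        by_ip[row["ip"]] = a
    for row in csv.DictReader(StringIO(va_csv)):
        a = by_ip.get(row["ip"])           # VA tools key on IP, inventory on asset ID
        if a is not None:
            a.scan_findings.add(row["vul_id"])
    return assets


# ---- Step 3: relate events to asset predicates, score the impact -----------
CONFIDENCE_RANK = {"confirmed": 4, "likely": 3, "possible": 2, "unknown": 1, "unlikely": 0}


def assess_event(event, assets, sig_map=SIG_TO_VUL, repo=VULN_REPO):
    """Return one finding per vulnerability the triggering signature refers to."""
    asset = assets.get(event["asset_id"])
    findings = []
    for vul_id in sig_map.get(event["sig_id"], ()):
        v = repo[vul_id]
        affected_names = {name for name, _ in v.affected}
        if asset is None:
            conf = "unknown"      # target not in inventory: impact cannot be judged
        elif vul_id in asset.scan_findings:
            conf = "confirmed"    # VA scanner already found this flaw on the target
        elif asset.products & v.affected:
            conf = "likely"       # inventory lists an affected product+version
        elif {n for n, _ in asset.products} & affected_names or v.service in asset.services:
            conf = "possible"     # right product or service, version not listed as affected
        else:
            conf = "unlikely"     # target runs nothing the flaw affects
        findings.append({"event_id": event["event_id"], "asset_id": event["asset_id"],
                         "vul_id": vul_id, "confidence": conf, "severity": v.severity})
    return findings


def prioritize(findings):
    """Order by confidence first, then severity, so confirmed hits surface first."""
    return sorted(findings, key=lambda f: (CONFIDENCE_RANK[f["confidence"]], f["severity"]),
                  reverse=True)


if __name__ == "__main__":
    inventory = normalize(ASSET_INVENTORY_CSV, VA_REPORT_CSV)
    events = [  # constructed IDS events: event ID, target asset ID, signature ID
        {"event_id": "E1", "asset_id": "APPSERV002", "sig_id": "SIG-100"},
        {"event_id": "E2", "asset_id": "DBSERV001", "sig_id": "SIG-200"},
        {"event_id": "E3", "asset_id": "DBSERV001", "sig_id": "SIG-100"},
        {"event_id": "E4", "asset_id": "LAPTOP-X", "sig_id": "SIG-100"},
    ]
    for f in prioritize([f for e in events for f in assess_event(e, inventory)]):
        print(f)
```

The "unknown" and "possible" outcomes are the ones worth watching: an event against a host the inventory does not know cannot be scored at all, and a product-name match with a non-listed version may mean the repository entry is incomplete rather than that the host is safe, so neither should be silently dropped.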
The New Threat Surface: Customers
• Enterprises are beginning to view their customers and partners as threat sources
• Must identify threats against their customers (phishing, etc.) and work to mitigate
• Customer wanted to view VA scans next to anti-phishing
Bringing It All Together:Case Study Overview
• A global internet, mobility and communications company built a best-in-class Threat Management Program by:
– Consolidating Security and Asset Information
– Creating correlations to generate actionable intelligence
– Providing key stakeholders with information and vision of their risk
– Building a repeatable process for effective and efficient Threat Management
• Company Facts:
– Fortune Ranking: ~60
– 2006 Revenue: $54.29b
– Number of Employees: 68,483
Challenges
• Information Silos – Difficult to correlate security data to determine actual risk.
• Global Segmentation – Impossible to correlate data from third party and company managed assets.
• Ownership of Risk – Difficult for executives to determine which vulnerabilities affect their Products and Services.
• Lack of Visibility – Lack of reporting prevented executives from making intelligent decisions about acceptable risk to their business.
[Figure: disconnected data silos – VA, Sys Mgmt, VA', Threat Feed]
Goals
• Effective Threat Management – Manage Threats from a Product and Services perspective.
• Information Consolidation – Turn disparate silos of information into actionable knowledge.
• Information Correlation – Correlate threat and asset data across multiple business units and geographies.
• Delivery – Enable executives to release their Products and Services faster to market.
• Ownership – Empower executives to effectively manage risks to their business through an enterprise security view of their business.
[Figure: the same sources – VA, Sys Mgmt, VA', Threat Feed – now consolidated]
Threat Management Strategy
[Figure: VA, VA' and Threat Feed sources flow into Analyze & Prioritize, then Notify Personnel, then Remediation Tasks.]
Threat Management Reporting
[Figure: the same flow, with Enterprise Reporting drawing on every stage from the feeds through Analyze & Prioritize, Notify Personnel and Remediation Tasks.]
A Best-in-Class Threat Management Program
• 1. Consolidate Asset Data (Assets)
• 2. Consolidate Threat Data (Threats)
• 3. Manage your Risk Posture (Risks)
• 4. Monitor your Business Security and Risk Mitigation efforts (Reports)
Consolidating Asset Information (1: Assets)
[Figure: sensors feed Asset Discovery and the Asset Inventory, which flow through Asset Integration into the Asset Management Consolidated Database.]
What is an Asset?
• Products and Services
• Business Processes
• Applications
• Devices
• Facilities
[Screenshot: Device – Application Server Details]
Consolidating Threat Data (2: Threats)
• Threat Alerts
– Known vulnerabilities
– Patches
– CVE
– Bugtraq ID
• Vulnerability Scan
– Host IP address
– Vulnerabilities Found
– CVE
• Configuration Scan
– Hostname
– Registry Information
– Users
– Installed Applications
– Risks
[Screenshot: Vulnerability – Details Overview]
Turning Threat Data into Intelligence (3: Risks)

Scan Results
Scan ID   CVE-ID
90423     CVE-2007-0069
90423     CVE-2007-0066
90420     CVE-2007-5350
90418     CVE-2007-0064

Threat Alerts
Alert ID  CVE-ID
466355    CVE-2007-5350
466938    CVE-2007-0069
466951    CVE-2007-0066

Asset Data
Host Name   IP Address
APPSERV002  192.168.1.100
DBSERV001   192.168.1.101

• Map scan results to alerts using CVE-ID
• Identify vulnerability alerts associated to scan results
• Map alerts and assets to scan results
Manage and Track Remediation Progress (3: Risks)
• Document remediation activity
• Assign and delegate tasks to responsible personnel
• Track activity history
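The CVE-ID join from the "Turning Threat Data into Intelligence" slide and the task tracking from the slide above, as an added example that is not part of the presentation. The scan IDs, alert IDs, CVE IDs and host entries are the ones in the slide tables; the scan-to-host assignment (SCAN_HOST), the host owners (OWNERS) and the task status vocabulary are assumptions made for the example, since the slide shows the tables but not which host each scan ran against. The join also reports the two cases a correlation engine must not swallow: a scan finding with no matching alert, and an alert whose CVE no scan has found.

```python
"""Added example (not from the presentation): join scan results, threat
alerts and asset data on CVE-ID, then open remediation tasks per host/CVE."""
from collections import defaultdict

# Rows from the slide tables
SCAN_RESULTS = [(90423, "CVE-2007-0069"), (90423, "CVE-2007-0066"),
                (90420, "CVE-2007-5350"), (90418, "CVE-2007-0064")]
THREAT_ALERTS = [(466355, "CVE-2007-5350"), (466938, "CVE-2007-0069"),
                 (466951, "CVE-2007-0066")]
ASSETS = {"192.168.1.100": "APPSERV002", "192.168.1.101": "DBSERV001"}

# Assumed for the example (not on the slide): host each scan ran against,
# and the team responsible for each host.
SCAN_HOST = {90423: "192.168.1.100", 90420: "192.168.1.101", 90418: "192.168.1.100"}
OWNERS = {"APPSERV002": "app-team", "DBSERV001": "dba-team"}


def correlate(scan_results, alerts, assets, scan_host):
    """Map alerts and assets to scan results through the shared CVE-ID.

    Returns (matches, unalerted, unscanned):
      matches   - one record per alert x scan hit, resolved to a host name
      unalerted - scan findings whose CVE has no threat alert
      unscanned - alerts whose CVE no scan has found
    """
    alerts_by_cve = defaultdict(list)
    for alert_id, cve in alerts:
        alerts_by_cve[cve].append(alert_id)
    scanned_cves = {cve for _, cve in scan_results}
    matches, unalerted = [], []
    for scan_id, cve in scan_results:
        ip = scan_host[scan_id]
        host = assets.get(ip, ip)   # fall back to the IP if inventory has no name
        if cve not in alerts_by_cve:
            unalerted.append({"scan_id": scan_id, "cve": cve, "host": host})
            continue
        for alert_id in alerts_by_cve[cve]:
            matches.append({"alert_id": alert_id, "scan_id": scan_id,
                            "cve": cve, "host": host, "ip": ip})
    unscanned = [(a, c) for a, c in alerts if c not in scanned_cves]
    return matches, unalerted, unscanned


def remediation_tasks(matches, owners):
    """One task per (host, CVE), assigned to the host owner, with an activity history."""
    tasks = {}
    for m in matches:
        key = (m["host"], m["cve"])
        t = tasks.setdefault(key, {
            "host": m["host"], "cve": m["cve"], "alerts": set(),
            "owner": owners.get(m["host"], "unassigned"),
            "status": "open", "history": ["opened from scan/alert correlation"],
        })
        t["alerts"].add(m["alert_id"])   # several alerts can point at one CVE
    return tasks


def update_task(tasks, host, cve, status, note):
    """Record a status change on a task and keep the history append-only."""
    t = tasks[(host, cve)]
    t["status"] = status
    t["history"].append(f"{status}: {note}")
    return t


if __name__ == "__main__":
    matches, unalerted, unscanned = correlate(SCAN_RESULTS, THREAT_ALERTS, ASSETS, SCAN_HOST)
    tasks = remediation_tasks(matches, OWNERS)
    update_task(tasks, "DBSERV001", "CVE-2007-5350", "patched", "vendor fix applied")
    for t in tasks.values():
        print(t)
    print("scan findings with no alert:", unalerted)
    print("alerts with no scan finding:", unscanned)
```

With the slide's data, CVE-2007-0064 ends up in the unalerted list: the scanner saw it but no threat feed has raised it, which is exactly the gap a siloed process would miss.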
Reports: Enterprise Security Posture (4: Reports)
• Provides users with a single interface for IT Security information at any level for Threat Management
• Presents relevant security information in an understandable format customized for differing environments
• Enables users to understand what actions should be taken to reduce risk and/or improve configuration compliance
Additional Data Sources
[Figure: additional event sources feeding the SIEM – AV, Auth, WAF, DLP, AD, WLAN, EP, URL, FW, IPS. Data enhancement applied to the events – event aggregation, location, identity, division, department, data, asset value, geo info, regulation. Consumers of the enriched data – CIRT, SOC, GIS, threats, incidents, GRC, UI, HR, Legal, Eng., business reporting.]
Emerging Vendors to Watch
• NeuralIQ
– Next-generation honey pot
– Virtual machine-based clones of production systems capture all attacker behavior from the hypervisor
• HBGary
– Technologies to analyze malware, fingerprinting the ‘DNA’ at the memory and execution level
– Has proactive capabilities to prevent execution of identified “risky” behavior
Emerging Vendors to Watch (cont.)
• Checkmarx
– Static Application Security Testing (SAST) company
– Compiles all scanned code into a common framework for future testing
• Mykonos
– Web 2.0 AJAX framework
– Ensures that JavaScript code on end-user systems is not compromised
– Built-in security for AJAX calls and functions
A Parting Thought
“Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management.”
-Kevin Mitnick