Proactively Engaged – Questions Executives Should Ask Their Security Teams

Part II – Vulnerability Management

Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL

Upload: fireeye-inc

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Proactively Engaged: Questions Executives Should Ask Their Security Teams


Proactively Engaged – Questions Executives Should Ask Their Security Teams

Part II – Vulnerability Management

Page 2


Vulnerability Management

The Problem

In the context of this article, vulnerability management refers to the processes by which an organization mitigates weaknesses in deployed software and systems.

Vulnerabilities affect every type of software from operating systems and applications to network devices, providing avenues for threat actors to gain access to systems and information.

We are forced time and again to relearn the lesson that previously unknown vulnerabilities will be discovered and disclosed. We therefore recommend that you:

- Always expect software to have vulnerabilities, whether they are publicly disclosed or not yet discovered.

- Assume that threat actors will leverage them.

The “Heartbleed” vulnerability, made public in April 2014, is a good example of how a significant vulnerability becomes widely used by attackers.

https://www.fireeye.com/blog/threat-research/2014/04/attackers-exploit-heartbleed-openssl-vulnerability.html

https://blog.sucuri.net/2014/04/heartbleed-in-the-wild.html

Page 3


Operating systems and applications are complex and no one can fully eliminate the risk they pose.

For an effective vulnerability mitigation strategy, consider:

- What would an attacker gain from fully controlling this system?

- Could the attacker use it to operate in other areas of the network?

- Consider both the sensitive data within the system and the passwords, hashes, or other stored information that could provide access to other systems.

Organizations should prioritize resources toward eliminating publicly known, critical vulnerabilities.

- Aim to patch end-user web browsers and desktop applications quickly.

- Assume that end-user workstations will be compromised, and plan your security architecture and monitoring accordingly.

- Focus those resources on Internet-facing systems, infrastructure systems (e.g., Active Directory, SharePoint, Exchange), systems with sensitive data, and privileged users’ workstations (which hold passwords and hashes that would give attackers quick lateral movement to other systems).

The following sections expand on the questions outlined in the first article.

Achievable Mitigation

Page 4


What Processes Can Detect and Remediate Vulnerabilities?

Organizations should build and maintain a dedicated program to detect and mitigate vulnerabilities. Larger organizations can benefit from a third-party provider who specializes in vulnerability scanning.

A vulnerability management program should:

• Holistically cover the entire enterprise, including all significant technologies, operating systems, and applications.

• Run an “authenticated scan” of the entire environment at least quarterly, in which the vulnerability scanner logs into the target systems and gains a comprehensive picture of each system’s security.

• Ensure that IT and the business align to rapidly mitigate serious vulnerabilities.

• Mitigate the risks posed by systems for which no patch is available, or whose patching faces business or operational constraints.

Page 5


Where is Our Environment Vulnerable?

Few organizations have adequate coverage across the enterprise. Understanding where coverage is lacking and prioritizing enhancements conveys confidence in the vulnerability management team.

Are We Effective at Remediating Known, High-risk Vulnerabilities?

The time between detection and closure offers a valuable metric about the vulnerability management program’s effectiveness. Metrics by geographic area and business function can highlight roadblocks.

Consider the downstream impacts. Passwords, hashes, or other information on an unpatched, risk-accepted system could allow access to other systems across the environment.

Systems with known, high-risk vulnerabilities offer zero access control, because an attacker can immediately gain entry with a trivial level of skill and effort. Organizations should not allow such systems on their networks.
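The program requirements on page 4 (quarterly authenticated-scan coverage) and the metrics on page 5 (time from detection to closure, broken down by business function, with risk-accepted systems still counted) can be computed from scanner output. The following is an added example, not code from the FireEye deck; the finding records, asset inventory and scan log are constructed sample data, and the 14-day SLA and 90-day scan age are assumed thresholds.

```python
from collections import namedtuple
from datetime import date
from statistics import median
# Scanner finding; closed=None means still open, risk_accepted = business chose not to patch.
Finding = namedtuple("Finding", "asset business_unit severity detected closed risk_accepted",
                     defaults=(False,))
HIGH_RISK = ("critical", "high")
# Constructed sample data for illustration; not taken from the FireEye deck.
AS_OF = date(2015, 4, 1)  # reporting date for the sample
FINDINGS = [
    Finding("web-01", "ecommerce", "critical", date(2015, 3, 2), date(2015, 3, 5)),
    Finding("web-02", "ecommerce", "high", date(2015, 3, 2), date(2015, 3, 20)),
    Finding("dc-01", "corp-it", "critical", date(2015, 3, 10), None),
    Finding("hr-app", "hr", "high", date(2015, 2, 1), None, risk_accepted=True),
    Finding("ws-ceo", "exec", "high", date(2015, 3, 15), date(2015, 3, 16)),
    Finding("print-srv", "corp-it", "low", date(2015, 1, 5), None),
]
INVENTORY = ["web-01", "web-02", "dc-01", "hr-app", "ws-ceo", "print-srv"]
SCAN_LOG = [  # (asset, scan date, authenticated?); dc-01 had only an unauthenticated scan
    ("web-01", date(2015, 3, 1), True), ("web-02", date(2015, 3, 1), True),
    ("dc-01", date(2015, 3, 20), False), ("hr-app", date(2014, 12, 15), True),
    ("ws-ceo", date(2015, 3, 25), True),
]

def days_open(f, as_of):
    """Days from detection to closure, or to as_of if the finding is still open."""
    return ((f.closed or as_of) - f.detected).days

def remediation_metrics(findings, as_of):
    """Median detection-to-closure days per business unit (closed high-risk findings)."""
    by_unit = {}
    for f in findings:
        if f.severity in HIGH_RISK and f.closed is not None:
            by_unit.setdefault(f.business_unit, []).append(days_open(f, as_of))
    return {unit: median(days) for unit, days in by_unit.items()}

def overdue_high_risk(findings, as_of, sla_days):
    """Open high-risk findings past SLA. Risk-accepted systems are kept on the list:
    their passwords and hashes still expose the rest of the network."""
    return sorted(f.asset for f in findings if f.severity in HIGH_RISK
                  and f.closed is None and days_open(f, as_of) > sla_days)

def authenticated_scan_gaps(inventory, scan_log, as_of, max_age_days=90):
    """Assets with no authenticated scan in the last quarter (coverage gaps)."""
    last_auth = {}
    for asset, scanned_on, authenticated in scan_log:
        if authenticated and scanned_on > last_auth.get(asset, date.min):
            last_auth[asset] = scanned_on
    return sorted(a for a in inventory
                  if a not in last_auth or (as_of - last_auth[a]).days > max_age_days)
```

On the sample data, ecommerce closes high-risk findings in a median of 10.5 days, the domain controller and the risk-accepted HR application are both past SLA, and three of six assets have no authenticated scan within the quarter.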

Page 6


Have We Applied Lessons Learned from Publicized Breaches?

Effective security teams learn everything they can from others’ security breaches and apply those lessons to their environments.

This could involve reading published news reports or case studies, and asking colleagues whether the malicious activity in question could have been prevented or detected had it occurred in your environment.

More formally, tabletop exercises with subject matter experts (whether internal or external) can provide a new level of realism for your team. Such SMEs can highlight the most significant gaps in visibility and response.

Page 7


Up Next: Monitoring

Prevention is difficult and is often simply not achievable. Even the most secure organizations are vulnerable. But these organizations excel at quickly identifying and containing compromises.

Our next blog will focus on key elements of a successful monitoring program:

- Where do we have good visibility and where is it lacking?

- How do we monitor to detect security incidents?

- How do we measure capability effectiveness?

- How consistent are we about the type of information we gather?

- What additional tools or information do we need to be effective?