Vulnerability and Configuration Management Best Practices for State and Local Governments
Jonathan Trull, CISO, Qualys, Inc.
Most Breaches Exploit Known Vulnerabilities
• Attacks: more than 80% of attacks target known vulnerabilities.
• Patches: 79% of vulnerabilities have patches available on the day of disclosure.
Threats vs. Vulnerabilities
Patch and Vulnerability Management
A security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The continuous process of identifying, classifying, remediating, and mitigating vulnerabilities.
Configuration Management
The process of evaluating, coordinating, approving, disapproving, and implementing changes to systems and software.
Security Perspective: The process of ensuring systems are configured to prevent successful cyber attacks and stay that way.
Major Constraints on Security Teams
Attack-Defend Cycle (OODA Loop)
Laws of Vulnerabilities
• Half-Life – time interval for reducing the occurrence of a vulnerability by half.
• Prevalence – turnover rate of vulnerabilities in the “Top 20” list during a year.
• Persistence – total lifespan of vulnerabilities.
• Exploitation – time interval between an exploit announcement and the first attack.
Half-Life
• 29.5 Days
Prevalence
• 8 critical vulnerabilities retained a constant presence in the Top 20
Persistence
• Indefinite
• Stabilize at 5-10%
Exploitation
• Average: < 10 days
• Critical client vulnerabilities: < 48 hours
– Exploit kits offer money-back guarantees / next-day delivery
Cyber Hygiene Campaign
Multi-year effort that provides key recommendations for a low-cost security program that any organization can adopt to achieve immediate and effective defenses against cyber security attacks.
• Pilot of scanning baselines completed
• Using Qualys, CIS provided a baseline network and app scan for 12 States at the following key agencies:
o health
o public safety
o revenue
• Reports were sent to each State with the results and information to remediate; follow-up discussions were available if needed
• Re-scans provided to remediate findings
• Feedback from the pilot states has helped to improve the process.
• CIS is ready to offer the same baseline scans to other governments; for further information, contact Kathleen Patentreger at [email protected]
Cyber Hygiene Scans
Summary Results: Network-Based Vulnerabilities
Summary Results: Application-Based Vulnerabilities
Summary Results: Types of Vulnerabilities
MS-ISAC Guidance
The goal of your security team is to reduce risk by identifying and eliminating weaknesses in your network assets. To do this, there are a few questions you need to ask about your organization.
MS-ISAC Guidance
1. Do you maintain an asset inventory? Is it up to date?
2. Manage the flow of information: which machines have access to critical information, and how does that information get dispersed across your network?
3. Are your network assets classified? If not, assign them a position in a hierarchy, with the most critical systems at the top.
4. Have you done a risk assessment on these systems? What level of risk is your organization okay with?
5. How often do you perform vulnerability assessments on these hosts?
6. How is the remediation of these hosts being tracked? How long does it take to remediate hosts on average?
7. If a host was compromised, how would you respond?
Case Studies
• State of New York
• University of Colorado
• State of Michigan
• State of Ohio
• Colorado Statewide Internet Portal Authority
The Great Divide
[Diagram: Vulnerability & Compliance Scanning, Automated Remediation, SecOps Integration]
• Vulnerability Information: matched vulnerabilities and patches
• SecOps Integration: If <trigger> then <action>
Best Practices
• Vulnerability and configuration management should be an essential part of any security program
• Obtain executive level support
– Identify and obtain an executive level champion
– Build partnerships with other execs who need the same data
– When selling security, keep it simple
– Establish supporting written policies and procedures
• Communicate vertically and horizontally within your organization
– Essential to remove fear, uncertainty, and doubt
Best Practices Continued
• Scan everything and scan often
– Scan anything connected to your network
– Scan your perimeter daily and servers and endpoints weekly
– Be prepared for zero days / use predictive analytics
• Use credentialed scanning
• Use metrics to drive risk reduction and program support
• Use tags to manage VM/CM processes / workflows
– Use tags for business value, ownership, and compliance
Best Practices Continued
• Measure the security and ops teams’ performance by the half-life results and treatment of the persistence law
– Include results in HR performance reviews
• Use metrics to communicate with senior management
• Integrate the VM/CM solution with patch management systems, asset inventory systems, ticketing systems, configuration systems (Chef / Puppet), and reporting systems for best results
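The half-life and persistence laws defined earlier, and the advice above to measure teams by their half-life results, can both be turned into program metrics computed from scan history. The following is an added example, not code from the presentation or from Qualys; the scan counts, vulnerability names and the 7-day scan interval are constructed, and the 29.5-day target is the half-life figure quoted in the slides.

```python
import math
from statistics import median

# Constructed sample: hosts found vulnerable on each weekly scan, per
# vulnerability (index 0 = scan closest to disclosure). Not real data.
SCAN_HISTORY = {
    "VULN-A": [200, 150, 113, 85, 64, 48, 36, 27],  # steady remediation
    "VULN-B": [100, 60, 36, 22, 14, 10, 9, 9],      # decays, then stalls
    "VULN-C": [50, 50, 48, 49, 50, 50, 50, 50],     # never remediated
}

def half_life_days(counts, interval_days=7):
    """Fit N(t) = N0 * 2**(-t/h) by least squares on log2(N); return h in days.
    Scans with zero affected hosts are skipped (log undefined). Returns
    math.inf when the trend is flat or rising, i.e. no half-life exists."""
    pts = [(i * interval_days, math.log2(n)) for i, n in enumerate(counts) if n > 0]
    if len(pts) < 2:
        return math.inf
    mean_t = sum(t for t, _ in pts) / len(pts)
    mean_y = sum(y for _, y in pts) / len(pts)
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    slope = sxy / sxx  # log2(N) drops by 1 per half-life, so slope = -1/h
    return math.inf if slope > -1e-9 else -1.0 / slope

def is_persistent(counts, floor=0.05, window=3, tolerance=0.1):
    """True when the trailing `window` scans are flat (within `tolerance`,
    relative) and the residual is at least `floor` of the initial count;
    the slides report such vulnerabilities stabilising at 5-10%."""
    if len(counts) < window or counts[0] == 0:
        return False
    tail = counts[-window:]
    flat = max(tail) - min(tail) <= tolerance * max(tail)
    return flat and tail[-1] / counts[0] >= floor

def program_report(history=SCAN_HISTORY, target_half_life=29.5):
    """Per-vulnerability metrics, plus whether the median half-life of the
    vulnerabilities that are actually decaying beats the 29.5-day benchmark."""
    rows = {}
    for vid, counts in history.items():
        rows[vid] = {"half_life_days": half_life_days(counts),
                     "persistent": is_persistent(counts),
                     "residual": counts[-1] / counts[0] if counts[0] else 0.0}
    decaying = [r["half_life_days"] for r in rows.values()
                if math.isfinite(r["half_life_days"])]
    median_hl = median(decaying) if decaying else math.inf
    return {"vulns": rows, "median_half_life_days": median_hl,
            "meets_target": median_hl <= target_half_life}
```

In this sample VULN-A halves roughly every 17 days, VULN-B stalls at 9% of its initial footprint (the persistence pattern), and VULN-C never decays, so it gets no half-life at all.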
Best Practices Continued
• Focus patching on those things that will hurt you most
• Select a VM/CM solution with strong APIs and integration that limits resources spent on system administration
• Learn to speak the language of Ops staff / ensure VM/CM data are reported in the most useful format
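The “If <trigger> then <action>” shape from the SecOps integration slide, the tagging advice (business value, ownership, compliance) and the rule above to patch what hurts most can be combined into a small dispatch rule set. The following is an added example, not code from the presentation or from any Qualys product; the findings, hosts, tags, vulnerability and patch identifiers are constructed, and the 48-hour deadline takes its figure from the exploitation slide.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

@dataclass
class Finding:
    host: str
    vuln_id: str             # scanner finding id (constructed, not a real QID/CVE)
    severity: int            # 1 (low) .. 5 (critical)
    exploit_public: bool     # exploit code known to be circulating
    patch_id: Optional[str]  # matched vendor patch, None when none exists yet
    tags: Set[str] = field(default_factory=set)

# Constructed findings. Tags carry business value, ownership and compliance
# scope, the three uses of tagging the slides recommend.
FINDINGS = [
    Finding("web-01", "VULN-1001", 5, True, "KB-1", {"perimeter", "value:high", "owner:webteam", "pci"}),
    Finding("db-07", "VULN-1001", 5, True, "KB-1", {"internal", "value:high", "owner:dba"}),
    Finding("kiosk-3", "VULN-2002", 3, False, "KB-2", {"internal", "value:low", "owner:desktop"}),
    Finding("vpn-02", "VULN-3003", 4, True, None, {"perimeter", "value:high", "owner:netops"}),
]

def owner(f: Finding) -> str:
    """Route work to the team named in the owner:<team> tag."""
    return next((t.split(":", 1)[1] for t in f.tags if t.startswith("owner:")), "unassigned")

Rule = Tuple[Callable[[Finding], bool], Callable[[Finding], str]]

# "If <trigger> then <action>" rules, most urgent first; the first match wins.
RULES: List[Rule] = [
    (lambda f: f.severity >= 4 and f.exploit_public and "perimeter" in f.tags and bool(f.patch_id),
     lambda f: f"P1 ticket to {owner(f)}: deploy {f.patch_id} on {f.host} within 48h"),
    (lambda f: f.severity >= 4 and f.exploit_public and not f.patch_id,
     lambda f: f"P1 ticket to {owner(f)}: no patch for {f.vuln_id}; mitigate and isolate {f.host}"),
    (lambda f: f.severity >= 4 and "value:high" in f.tags,
     lambda f: f"P2 ticket to {owner(f)}: deploy {f.patch_id} on {f.host} within 7d"),
    (lambda f: True,
     lambda f: f"schedule {f.host} in the next patch window ({owner(f)})"),
]

def dispatch(findings: List[Finding], rules: List[Rule] = RULES) -> dict:
    """Map each host to the action of the first rule whose trigger fires;
    hosts in compliance scope get an evidence note appended."""
    actions = {}
    for f in findings:
        action = next(act(f) for trig, act in rules if trig(f))
        if "pci" in f.tags:
            action += " [PCI scope: record remediation evidence]"
        actions[f.host] = action
    return actions
```

Feeding the same rule set with findings from a scanner export and pushing the resulting actions into a ticketing system is the integration the slides describe; the rule order is what encodes “what hurts most”.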
Questions and Answers
[email protected] @jonathantrull
Government Series Webcasts: https://lps.qualys.com/gov-webcast-series-1-2015.html
More Resources:
• Qualys Top 4 Security Controls: https://www.qualys.com/forms/top-4-security-controls/
• Qualys Free Tools and Trials: https://www.qualys.com/free-tools-trials/
• Cyber Hygiene Toolkits: https://www.cisecurity.org/about/CHToolkits.cfm