Copyright Security-Assessment.com 2004
Vulnerability Management Explained
By Peter Benson
By the Numbers…
• 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months. (But 41% did not report the incident to authorities.) — BusinessWeek from PricewaterhouseCoopers/CIO Magazine study
• 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center
• 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT
• $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g
Why Vulnerability Management?
• Building a strong program based on mitigating known vulnerabilities has transformed from a security centric process to an operational necessity for business success.
• The root cause of the problem is the existence of vulnerabilities in the corporate network.
• Vulnerability Management, the discovery of vulnerabilities and assessment of the risk to the network, is a critical part of the business landscape for long term success.
Why Vulnerability Management?
• Patch Management is ineffective and inefficient.
• The most intelligent equation is investing in a vulnerability management process that allows you to automatically and cost-effectively determine whether to eliminate, mitigate or tolerate threats based upon risk and the cost associated with repair.
What is Vulnerability Management?
• Dynamic best practices (Yankee Group, 2004)
– Classify. Assign network resources a hierarchy based on criticality
– Measure. Assess security performance in reducing exposures to key vulnerabilities
– Integrate. Vulnerability Management bolsters effectiveness of patch management, configuration control, and early warning.
– Audit. Regularly audit the effectiveness of integrated vulnerability processes
Laws of Vulnerabilities
The Law of Half Life
• Lessons learned:
– You can’t patch them all at once
– Mitigate more than the remaining half of the vulnerabilities over the next month
– Improve the reduction in risk in the enterprise by shrinking the half life to less than 30 days
• Best practices: Patch within 21 days for critical systems, and a rollout procedure to other assets based on their priority level
The Law of Prevalence
• Lessons Learned:
– New critical vulnerabilities occur throughout the year
– Half of the vulnerabilities still exist in the network a year later
– Vulnerability Management is a never-ending process
• Best Practices: Continually test assets for weaknesses; test critical assets a minimum of every 5 – 10 days. This frequency may need to increase
The Law of Persistence
• Lessons Learned:
– Scan configurations of new equipment to be sure they do not reintroduce old vulnerabilities to the network
– Be alert for vulnerabilities that may be lurking in application code
• Best practices: Continually test assets to uncover reintroduced weaknesses. Scan critical assets a minimum of every 5 – 10 days. This is an ongoing process
The Law of Exploitation
• Lessons Learned:
– Keep an eagle eye on key vendors for early warnings of available patches for critical resources
– Make a team decision on when to patch
– Integrate with automated patch management and configuration control systems. Verify the patch has eliminated the weakness
– Be prepared to scan for vulnerabilities on an attack basis
Yankee Group Dynamic Best Practice Model
[Diagram: a cycle of four stages]
– Classify Assets: identify and prioritise by business risk
– Measure: compliance, current Laws of Vulnerabilities, communicate
– Integrate: patch management, security portals, security reporting
– Audit Performance: compliance, performance against metrics
Dynamic Best Practice - Classify
• Classify network resources
• Tier the hierarchy of assets by value to the business
Dynamic Best Practice - Measure
• Measure your network against the half life and persistence curves
• Measure team performance by the half life results and the treatment of the persistence law
• Use gathered metrics to communicate the security problem to Senior Management
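The half-life and persistence measurements that the Law of Half Life, the Law of Persistence and this Measure slide describe, as an added example that is not from the presentation or from any vendor's product: it fits an exponential decay to constructed scan counts to estimate the half life of one vulnerability, computes the share of baseline findings still open a year later, and reports both against the 30-day and "half still present" thresholds from the slides. The scan series, host names, vulnerability ids and function names are all assumptions.

```python
import math
from datetime import date

# Constructed sample (not real scan output): hosts still affected by one
# critical vulnerability on successive scan dates, starting 2004-03-01.
SCAN_SERIES = [
    (date(2004, 3, 1), 400), (date(2004, 3, 8), 336), (date(2004, 3, 15), 283),
    (date(2004, 3, 22), 238), (date(2004, 3, 29), 200), (date(2004, 4, 12), 141),
]
# Constructed findings as (host, vulnerability id) pairs, one year apart.
BASELINE_FINDINGS = {("db01", "V-1"), ("db01", "V-2"), ("web03", "V-1"), ("web03", "V-7")}
YEAR_LATER_FINDINGS = {("db01", "V-2"), ("web03", "V-7"), ("web05", "V-9")}

HALF_LIFE_TARGET_DAYS = 30   # slide target: shrink the half life below 30 days
PERSISTENCE_CEILING = 0.5    # law of persistence: half still present a year later

def half_life_days(series):
    """Least-squares fit of ln(count) = ln(N0) - k*t; half life = ln 2 / k.
    Returns math.inf when the affected-host count is not falling."""
    t0 = series[0][0]
    pts = [((d - t0).days, math.log(n)) for d, n in series if n > 0]
    if len(pts) < 2:
        return math.inf
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    k = -sxy / sxx          # decay constant; positive when counts shrink
    return math.log(2) / k if k > 0 else math.inf

def persistence_ratio(baseline, later):
    """Share of (host, vuln) findings from the baseline scan still open later."""
    if not baseline:
        return 0.0
    return len(baseline & later) / len(baseline)

def measure(series, baseline, later):
    """Compare the network against the half-life and persistence curves and
    return pass/fail metrics suitable for a senior-management report."""
    hl = half_life_days(series)
    pr = persistence_ratio(baseline, later)
    return {
        "half_life_days": round(hl, 1),
        "half_life_within_target": hl < HALF_LIFE_TARGET_DAYS,
        "persistence_ratio": pr,
        "persistence_below_ceiling": pr < PERSISTENCE_CEILING,
    }

if __name__ == "__main__":
    print(measure(SCAN_SERIES, BASELINE_FINDINGS, YEAR_LATER_FINDINGS))
```

The constructed series decays with a half life of about 28 days, so it passes the 30-day target, while the year-apart findings show exactly half the baseline still open, which does not beat the persistence ceiling.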
Dynamic Best Practice - Integrate
• Integrate with discovery systems such as network integrity systems
• Integrate with patch management systems to confirm completion of the task
• Integrate into management reporting portals. Take the mystery out of security.
Dynamic Best Practice - Audit
• Evaluate actual vulnerability management results against targeted metrics
• Regularly review vulnerability management reports with the security teams
• Measure the performance of security teams by the reduction of critical vulnerabilities
Vulnerability Management Business Models
[Diagram: two models (Model 1 and Model 2) arranging the stages Discovery, Analysis and Policy Compliance, Remediation, Business Prioritisation and Assessment]
Summary of Dynamic Best Practices
VM and Qualys Solutions
Business Reporting and Risk Management
Business Reporting
Questions?