Page 1: Vulnerability Management Explained

Copyright Security-Assessment.com 2004

Vulnerability Management Explained

By Peter Benson

Page 2: Vulnerability Management Explained

By the Numbers…

• 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months. (But 41% did not report the incident to authorities.) — BusinessWeek, from a PricewaterhouseCoopers/CIO Magazine study

• 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center

• 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT

• $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g

Page 3: Vulnerability Management Explained

Why Vulnerability Management?

• Building a strong program based on mitigating known vulnerabilities has transformed from a security-centric process into an operational necessity for business success.

• The root cause of the problem is the existence of vulnerabilities in the corporate network.

• Vulnerability Management, the discovery of vulnerabilities and assessment of the risk they pose to the network, is a critical part of the business landscape for long-term success.

Page 4: Vulnerability Management Explained

Why Vulnerability Management?

• Patch Management on its own is ineffective and inefficient.

• The most intelligent approach is investing in a vulnerability management process that lets you automatically and cost-effectively decide whether to eliminate, mitigate or tolerate each threat, based on its risk and the cost of repair.

Page 5: Vulnerability Management Explained

What is Vulnerability Management?

• Dynamic best practices (Yankee Group, 2004):

– Classify. Assign network resources to a hierarchy based on criticality.

– Measure. Assess security performance in reducing exposure to key vulnerabilities.

– Integrate. Vulnerability Management bolsters the effectiveness of patch management, configuration control and early warning.

– Audit. Regularly audit the effectiveness of the integrated vulnerability processes.

Page 6: Vulnerability Management Explained

Laws of Vulnerabilities

Page 7: Vulnerability Management Explained

The Law of Half Life

• Lessons learned:

– You can’t patch them all at once.

– Mitigate more than the remaining half of the vulnerabilities over the next month.

– Improve the reduction in risk across the enterprise by shrinking the half life to less than 30 days.

• Best practices: Patch within 21 days for critical systems, with a rollout procedure to other assets based on their priority level.

Page 8: Vulnerability Management Explained

The Law of Prevalence

• Lessons learned:

– New critical vulnerabilities occur throughout the year.

– Half of the vulnerabilities still exist in the network a year later.

– Vulnerability Management is a never-ending process.

• Best practices: Continually test assets for weaknesses; test critical assets a minimum of every 5–10 days. This frequency may need to increase.

Page 9: Vulnerability Management Explained

The Law of Persistence

• Lessons learned:

– Scan the configurations of new equipment to be sure they do not reintroduce old vulnerabilities to the network.

– Be alert for vulnerabilities that may be lurking in application code.

• Best practices: Continually test assets to uncover reintroduced weaknesses. Scan critical assets a minimum of every 5–10 days. This is an ongoing process.

Page 10: Vulnerability Management Explained

The Law of Exploitation

• Lessons learned:

– Keep an eagle eye on key vendors for early warnings of available patches for critical resources.

– Make a team decision on when to patch.

– Integrate with automated patch management and configuration control systems. Verify that the patch has eliminated the weakness.

– Be prepared to scan for vulnerabilities on an attack basis.

Page 11: Vulnerability Management Explained

Yankee Group Dynamic Best Practice Model (diagram)

– Classify Assets: identify and prioritise by business risk

– Measure: compliance, current Laws of Vulnerabilities, communicate

– Integrate: patch management, security portals, security reporting

– Audit Performance: compliance, performance against metrics

Page 12: Vulnerability Management Explained

Dynamic Best Practice - Classify

• Classify network resources.

• Tier the hierarchy of assets by value to the business.

Page 13: Vulnerability Management Explained

Dynamic Best Practice - Measure

• Measure your network against the half life and persistence curves.

• Measure team performance by the half life results and the treatment of the persistence law.

• Use the gathered metrics to communicate the security problem to Senior Management.
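The half life, persistence and 21-day patching targets from the Laws slides are measurable from a team's own scan history. As an added example that is not part of the original deck, the Python below computes them over a constructed set of scan snapshots; the sample data, the function names and the assumption that each scan yields a set of (asset, vuln_id, criticality) findings are mine.

```python
from datetime import date

# Constructed sample scan history (not real data): (scan date, set of (asset, vuln_id, criticality)).
SNAPSHOTS = [
    (date(2004, 1, 1), {("web01", "V-1", "critical"), ("web01", "V-2", "high"),
                        ("db01", "V-3", "critical"), ("fs01", "V-4", "low")}),
    (date(2004, 1, 16), {("web01", "V-2", "high"), ("db01", "V-3", "critical"),
                         ("fs01", "V-4", "low")}),
    (date(2004, 2, 1), {("db01", "V-3", "critical"), ("fs01", "V-4", "low")}),
    (date(2004, 3, 1), {("fs01", "V-4", "low"), ("web01", "V-1", "critical")}),
]

def remediation_days(snapshots):
    """Days from the first scan until each initial finding first disappears (None if still open)."""
    start, initial = snapshots[0]
    ages = {}
    for finding in initial:
        ages[finding] = None
        for scan_date, findings in snapshots[1:]:
            if finding not in findings:
                ages[finding] = (scan_date - start).days
                break
    return ages

def half_life_days(snapshots):
    """Law of Half Life: days until at most half of the initial findings remain."""
    start, initial = snapshots[0]
    for scan_date, findings in snapshots[1:]:
        if 2 * len(initial & findings) <= len(initial):
            return (scan_date - start).days
    return None  # half life not reached within the observed window

def critical_sla_breaches(snapshots, max_days=21):
    """Critical findings from the first scan fixed later than max_days, or still open beyond it."""
    observed = (snapshots[-1][0] - snapshots[0][0]).days
    breaches = set()
    for finding, days in remediation_days(snapshots).items():
        open_too_long = days is None and observed > max_days
        if finding[2] == "critical" and (open_too_long or (days or 0) > max_days):
            breaches.add(finding)
    return breaches

def reintroduced(snapshots):
    """Law of Persistence: findings that disappeared and later came back."""
    gone, came_back, previous = set(), set(), set()
    for _, findings in snapshots:
        gone |= previous - findings   # fixed (or removed) since the last scan
        came_back |= findings & gone  # present again after having been fixed
        previous = findings
    return came_back
```

On the sample data the half life is 31 days against the 30-day target, db01/V-3 breaches the 21-day critical target, and web01/V-1 comes back after being fixed, which is the kind of result the Measure and Audit slides ask teams to report.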

Page 14: Vulnerability Management Explained

Dynamic Best Practice - Integrate

• Integrate with discovery systems such as network integrity systems.

• Integrate with patch management systems to confirm completion of the task.

• Integrate into management reporting portals. Take the mystery out of security.

Page 15: Vulnerability Management Explained

Dynamic Best Practice - Audit

• Evaluate actual vulnerability management results against targeted metrics.

• Regularly review vulnerability management reports with the security teams.

• Measure the performance of security teams by the reduction of critical vulnerabilities.

Page 16: Vulnerability Management Explained

Vulnerability Management Business Models (diagram comparing Model 1 and Model 2; stages shown: Discovery, Analysis and Policy Compliance, Remediation, Business Prioritisation, Assessment)

Page 17: Vulnerability Management Explained

Summary of Dynamic Best Practices

Page 18: Vulnerability Management Explained

VM and Qualys Solutions

Page 19: Vulnerability Management Explained

Business Reporting and Risk Management

Page 20: Vulnerability Management Explained

Business Reporting

Page 21: Vulnerability Management Explained

Questions?