Vulnerability Management today and tomorrow in the Enterprise, by Jonathan Sinclair

Upload: jonathan-sinclair

Post on 16-Jan-2017

TRANSCRIPT

Page 1: Vulnerability management today and tomorrow

Vulnerability Management today and tomorrow in the Enterprise, by Jonathan Sinclair

Page 2: Vulnerability management today and tomorrow

Vulnerability Management today and tomorrow by Jonathan Sinclair

Agenda

1. Current Situation
2. Definition of terms
3. What we can control
4. Asset Exposure
5. The Future
6. What to take away

Page 3: Vulnerability management today and tomorrow

Current Situation

Today: It’s a mess

• Multi-dimensional, heterogeneous system landscape

• Legacy systems with ‘do not touch’ (patch/upgrade) license agreements

• Global deployment (different time zones)

• Distributed ownership (out-sourced IT)

• Cloud scenarios

• Everything managed through Excel

• Scanning too much/not enough

Page 4: Vulnerability management today and tomorrow

Definition of terms

What do we want to achieve operating IT security?

• Ask yourself what is the difference between a RISK and a VULNERABILITY?

• Both can be mitigated/treated

• It seems that when someone talks about a risk, a vulnerability immediately follows

• Risk* = A situation involving exposure to danger

• Vulnerability* = Coming from the Latin ‘vulnus’ wound: Exposure to the possibility of being attacked or harmed, either physically or emotionally (digitally)

• The point of every vulnerability management program is to reduce the exposure of information to a harm/threat

* Definitions taken from oxforddictionaries.com, 10.2015

Page 5: Vulnerability management today and tomorrow

Vulnerability Management

Dependency triad

[Diagram: the dependency triad, with Vulnerability Management at the centre of a triangle whose corners are Risk, Vulnerability and Threat]

Page 6: Vulnerability management today and tomorrow

What can we control?

• What we can’t control

  • Threats will always exist

    • Air gap, Malicious insider agents, Hacktivists etc.

  • Risk

    • Can be reduced and mitigated but accurate predictability can never be assured

• What we can control (to a degree)

  • The asset exposure (vulnerability of a system)

Page 7: Vulnerability management today and tomorrow

Asset exposure

Asset contextualisation is the key

• Asset contextualisation is very difficult to obtain

  1. Server Type: Dev, Integration, Prod
  2. Informational representation: Open, Closed, Confidential
  3. Application Criticality
  4. CVSS(x)
  5. Software inventory
  6. Last patch cycle
  7. Exploitability (publicly available exploit exists vs. doesn’t)

• Combine with network/asset level segregation

• Assess known risk(s): scanning sources (OSVDB, Scip VulnDB, CVE, Security Advisories, NVD, Exploit-DB, SecurityFocus (BugTraq))

Page 8: Vulnerability management today and tomorrow

Transition to future situation

Start small, build out

• Where did all the software engineers go?

• Automate, automate, automate!

• Start with zoning (network, logical, software or otherwise). Resilience is critical.

• Once zoned, scanning cycles can be applied (weekly, monthly etc.), dependent on environmental ecology

• Scanned results must be triaged: React, Patch, Accept

• Vulnerability risk register must be maintained and updated to track asset(s) and current status

• Escalation paths require top level management support, especially when considering cross-zone roll out (re: Heartbleed, Poodle etc.)
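A worked example, added here and not part of the deck, of the asset contextualisation attributes from page 7 (server type, information classification, criticality, CVSS, software inventory, patch cycle, exploitability) feeding the React/Patch/Accept triage and the vulnerability risk register row from page 8. The weights, the 1..5 criticality scale, the 90-day patch threshold and the triage cut-offs are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Illustrative weights (assumptions, not from the deck) for how each context
# attribute from the asset contextualisation list scales a finding's CVSS.
SERVER_WEIGHT = {"Dev": 0.5, "Integration": 0.75, "Prod": 1.0}
CLASS_WEIGHT = {"Open": 0.5, "Closed": 0.75, "Confidential": 1.0}

@dataclass
class Asset:
    name: str
    server_type: str       # Dev, Integration, Prod
    classification: str    # Open, Closed, Confidential
    criticality: int       # 1 (low) .. 5 (high), assumed scale
    zone: str              # logical/network zone the asset is housed in
    days_since_patch: int  # last patch cycle, expressed as an age in days
    software: list         # software inventory

@dataclass
class Finding:
    cve_id: str
    cvss: float            # CVSS base score 0.0 .. 10.0
    exploit_public: bool   # publicly available exploit exists?
    affected: str          # software name the finding applies to

def exposure(asset, finding):
    """Contextualised exposure 0..10: CVSS scaled by the asset's context."""
    if finding.affected not in asset.software:
        return 0.0         # inventory says this asset does not run it
    score = finding.cvss * SERVER_WEIGHT[asset.server_type]
    score *= CLASS_WEIGHT[asset.classification]
    score *= 0.6 + 0.1 * asset.criticality  # criticality 1..5 -> x0.7..x1.1
    if finding.exploit_public:
        score *= 1.25
    if asset.days_since_patch > 90:
        score += 1.0       # stale patch cycle adds exposure
    return round(min(score, 10.0), 1)

def triage(score, exploit_public):
    """Map exposure to the deck's three outcomes: React, Patch, Accept."""
    if score >= 7.0 or (exploit_public and score >= 5.0):
        return "React"
    return "Patch" if score >= 4.0 else "Accept"

def register_entry(asset, finding):
    """One vulnerability risk register row for an asset/finding pair."""
    score = exposure(asset, finding)
    return {"asset": asset.name, "zone": asset.zone, "cve": finding.cve_id,
            "exposure": score, "status": triage(score, finding.exploit_public)}
```

The same CVSS 7.5 finding lands as React on a stale, confidential production host and as Accept on a freshly patched dev box, which is the point of contextualising before triaging.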

Page 9: Vulnerability management today and tomorrow

Transition to future situation

• Analogy to the automotive industry: Safety/security mechanisms built in at design time, no opt out.

• Behavioral identification of potential malicious usage at the outset

• Security logging, not just debugging.

• HTTPS: Why is HTTP even optional (ignoring legacy integration for a moment)?

• Litigation support: A key component that needs to be deployed through policy

Page 10: Vulnerability management today and tomorrow

Future problems

It will get worse, before it gets better

• BYOD: How can one scan a device that isn’t owned by the enterprise?

  • Conflicts concerning privacy, ownership and accountability

• Cloud services: How can an enterprise ensure a service provider will not expose its information to risk?

  • Legal frameworks for enforcement, accountability and liability

  • Cyber insurance

  • Financial penalties

Page 11: Vulnerability management today and tomorrow

Future problems

• Internet of Things and OT: How can enterprises cope with technological restrictions, warranty violations, embedded systems etc.?

  • Impose device on-boarding screening. Comply or you’re not connecting

  • Test scanning tools’ ability for ‘smart-scanning’; automated tools shouldn’t knock devices off the network or cause systems to fall over

  • Devices with remote monitoring or call-home functionality have to be carefully reviewed for enabling out-of-zone/band communication

  • Create separate logical zones to house these devices

Page 12: Vulnerability management today and tomorrow

What to take away

Your environment is no doubt complex and heterogeneous

• Start small

• Build out from your most valuable assets

• Assess their context and range of freedom (connectivity allowance)

• Adhere to strict parameter security controls (tried and tested)

Build a manageable vulnerability review program

• Select multiple trusted vulnerability repositories

• Have a dedicated team to review the status of emerging threats

• Arrange for weekly reviews of the emerging threats vs. asset inventory according to zone priority

Page 13: Vulnerability management today and tomorrow

What to take away

Get smart about engineering

• Automate wherever possible

• Understand your asset(s) exposure, e.g. Poodle (which threat actors have the skills to implement it, and is the asset exposed to them?)

• Does publicly available exploit code exist in the wild?

• Ensure you have a diverse range of threat sources

Be prepared for resistance and understand the compromises you’ll be asked to make