Vulnerability Voodoo: The Convergence of Foundational Security Controls

Charles Kolodgy, Research Vice President for IDC's Security Products Service; Edward Smith, Product Marketing Manager at Tripwire

Uploaded by: tripwire
Posted on: 05-Dec-2014
Category: Technology

DESCRIPTION

In this, our final webcast of 2013, we'll show you how Vulnerability Management at "The New Tripwire" benefits you and your organization, and how an intelligent approach to performance reporting and visualization enables better business decisions. Charles Kolodgy, Research Vice President for IDC's Security Products service, and Edward Smith, Product Marketing Manager at Tripwire, discuss:

- Integrating Vulnerability Management with other security controls to improve compliance and security posture
- Leveraging Vulnerability Management beyond the server room to reduce risk across the entire enterprise
- Combining business intelligence from Vulnerability Management with other security controls to make better business decisions

A recording of the webcast that accompanies this slide deck can be found here: http://www.tripwire.com/register/vulnerability-voodoo-the-convergence-of-foundational-security-controls/

TRANSCRIPT

Page 1: Vulnerability Voodoo and the Convergence of Foundational Security Controls

Vulnerability Voodoo: The Convergence of Foundational Security Controls

Charles Kolodgy, Research Vice President for IDC's Security Products Service; Edward Smith, Product Marketing Manager at Tripwire

Page 2

Vulnerability Voodoo: The Convergence of Foundational Security Controls

Page 3

Tripwire: the leading provider of risk-based security and compliance management solutions, enabling enterprises to effectively connect security to their business

• Broadest set of foundational security controls
• Business context with blended asset and risk scoring
• Security business intelligence with performance reporting and visualization to make better decisions
• Covering the extended enterprise

TRIPWIRE | CONFIDENCE: SECURED

Page 4

20 CSC: Delivering the 'First Four'

Critical Security Controls delivered (the "First Four" are CSC 1 through 4):

• CSC 1: Inventory Hardware
• CSC 2: Inventory Software
• CSC 3: Secure Configurations for Servers & Endpoints
• CSC 4: Vulnerability Assessment
• CSC 6: Application Security
• CSC 10: Secure Configurations for Network Devices
• CSC 13: Boundary Defense
• CSC 14: Maintain & Monitor Audit Logs

Additional support:

• CSC 5: Malware Protection
• CSC 7: Wireless Device Control
• CSC 11: Limit & Control Net Ports
• CSC 12: Control Admin Privileges
• CSC 15: 'Need to Know' Access
• CSC 16: Account Monitoring & Control

Page 5

Tripwire Delivers Foundational Security Controls

[Chart: control frequency (Continuous to Periodic) plotted against number of devices (Low to High), overlaid with risk & business criticality. Controls shown: System Integrity, Security Configuration Management, Vulnerability Management & Log Management, Asset Discovery & Reconciliation. Device classes along the axis: Servers, Applications, Databases, Desktops, Firewalls, Net Devices, Printers, Wireless, BYOD; Critical Data and Business Partners are called out separately.]

Page 6

Tripwire Product Suite

• Vulnerability Management
• Security Configuration Management
• Log Intelligence
• Reporting and Analytics

Page 7

Vulnerability Voodoo: The Convergence of Foundational Security Controls

Charles Kolodgy, Research VP, Security Products

Page 8

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

Page 9

Agenda

• Pain
• Brain v. Brawn
• VRM Program
• Security Policy
• Value
• Analyst Closing Comments

Page 10

Pain

• Expanding Business Requirements
• Data Overload
• Lack of Visibility
• Budget Constraints
• Consumerization
• Bad Users
• Compliance Straitjacket
• Malware
• Professional Attackers

Page 11

Regulatory Controls

• Straitjacket on IT Operations
• Drives Operations and Budgets
• Compliance is not equal to Security
• Brake on Innovative Business Opportunities
• Can't be Avoided
• Auditors require PROOF

"Hackers may find you, auditors WILL find you."

Page 12

Compliance Driven

[Chart: "What percentage of your overall IT budget is associated with regulatory compliance?" Responses grouped as None, Less than 10%, 10% - 24%, and 25% or more, compared across the 2007, 2009 and 2011 surveys. On average, 13% of respondents' overall IT budget is associated with regulatory compliance.]

Source: IDC's Enterprise Security Surveys for 2007, 2009 and 2011

Page 13

Security Gap

[Chart: cumulative growth plotted against time, with the region labelled "Expanding Security Gap" widening as the curve rises.]

Page 14

Vulnerabilities

Majority of security breaches exploit known vulnerabilities

Vulnerabilities in software and configurations

Window of Exposure Expanding

[Timeline of the window of exposure: Vulnerability → Patch Released → Exploit Written → Exploit Popularized → Patch Testing → 50% Patches Installed → All Patches Installed]
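As an added example that is not part of the deck, the Python below turns the slide's timeline into arithmetic for a fleet: per host, how many days it stayed unpatched after the patch shipped and after a working exploit existed, whether it was still open once the exploit was popularized, and when the fleet as a whole reached the "50% patched" and "all patched" marks. The vulnerability dates, host names, install dates and reporting date are all constructed for illustration.

```python
"""Window-of-exposure arithmetic for one vulnerability across a fleet.

Added example, not code from the Tripwire/IDC deck. The milestones mirror
the slide's timeline (patch released, exploit written, exploit popularized,
50% patched, all patched). Every date and host name below is constructed.
"""
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed timeline for a single hypothetical vulnerability.
PATCH_RELEASED = date(2013, 10, 1)
EXPLOIT_WRITTEN = date(2013, 10, 4)       # a working exploit exists
EXPLOIT_POPULARIZED = date(2013, 10, 10)  # exploit is in widely used attack kits
REPORT_DATE = date(2013, 11, 1)           # constructed "as of" date for the report

# Constructed per-host patch install dates; None means still unpatched.
PATCH_INSTALLED: Dict[str, Optional[date]] = {
    "web-01": date(2013, 10, 3),
    "web-02": date(2013, 10, 8),
    "db-01": date(2013, 10, 20),
    "db-02": None,
    "kiosk-07": None,
}


def _end(installed: Optional[date], as_of: date) -> date:
    """Exposure ends when the patch lands, or is still open at `as_of`."""
    return installed if installed is not None else as_of


def exposure_report(installs: Dict[str, Optional[date]], as_of: date) -> Dict[str, dict]:
    """Per-host exposure: days unpatched since the patch shipped, days during
    which an exploit was available, and whether the host was still open once
    the exploit was popularized."""
    report = {}
    for host, installed in installs.items():
        end = _end(installed, as_of)
        report[host] = {
            "patched": installed is not None,
            "days_after_patch": max((end - PATCH_RELEASED).days, 0),
            "days_exploit_available": max((end - EXPLOIT_WRITTEN).days, 0),
            "open_when_popularized": end > EXPLOIT_POPULARIZED,
        }
    return report


def fleet_milestones(installs: Dict[str, Optional[date]]) -> Tuple[Optional[date], Optional[date]]:
    """Dates the fleet hit 50% and 100% patched (None if not reached yet).
    These are the '50% Patches Installed' / 'All Patches Installed' marks on
    the slide; the fleet-wide window only closes at the second one."""
    done = sorted(d for d in installs.values() if d is not None)
    n = len(installs)
    needed_for_half = -(-n // 2)  # ceil(n / 2)
    half = done[needed_for_half - 1] if len(done) >= needed_for_half else None
    full = done[-1] if len(done) == n else None
    return half, full


def fleet_window_days(installs: Dict[str, Optional[date]], as_of: date) -> int:
    """Length of the fleet-wide window of exposure: from patch release until the
    last host is patched, or until `as_of` if any host is still open."""
    _, full = fleet_milestones(installs)
    return (_end(full, as_of) - PATCH_RELEASED).days


if __name__ == "__main__":
    for host, row in exposure_report(PATCH_INSTALLED, REPORT_DATE).items():
        print(host, row)
    print("50% / 100% patched:", fleet_milestones(PATCH_INSTALLED))
    print("fleet window (days):", fleet_window_days(PATCH_INSTALLED, REPORT_DATE))
```

With the constructed data, two of five hosts are still open a month after the patch, so the fleet-level window is 31 days and counting, even though the two web servers were closed within a week; the fleet only crossed the 50% mark when db-01 was patched on day 19, well after the exploit was popularized. That is the practical reading of "window of exposure expanding": the window is governed by the slowest assets, not the average.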

Page 15

Polling Question

How is your company's Vulnerability Assessment program perceived?

• It is a Tactical solution
• It is a Strategic solution
• It is only for Compliance (check box)
• We do not have a corporate-wide VA program

Page 16

Brain v. Brawn

• Multi-layers of security products
• Brawn products address specific threats
• Brain products are used to Manage & Assess
• Brain products (VA, P&C, SIEM) are only 11% of security spend
• Managing and Assessing can be a force multiplier
• Integrate with Other Security Controls
• Starts with a Vulnerability Risk Management Program

Page 17

Vulnerability Risk Management

Vulnerability Risk Management is a process to determine the probability and impact of an event

• Ties together What, How and Why
• Improves capabilities to make intelligent IT security investment decisions
• Risk-prioritized issues drive action
• Relies on accurate, correlated information
• Aligns security reality with business goals

• Basic Security Assessment
• Stay ahead of threats
• Focus on top priorities
• Build sustainable risk program
• Connect to business

Page 18

Vulnerability Risk Management: The Process

• Assess Threats
• Assess Vulnerabilities
• Estimate Value of Vulnerable Asset
• Estimate Frequency of Exploitability
• Rank Vulnerability
• Estimate Cost to Remediate
• Prioritize Initiatives
• Implement Improvements
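The following Python is an added example, not IDC's or Tripwire's own scoring method, that walks the process on this slide with one concrete model: expected annual loss = asset value x exploit attempts per year x probability an attempt succeeds, ranked, and then remediations chosen by expected loss removed per remediation dollar within a budget. It also serves the "prioritize remediation based on exploitability, not just vulnerability" point on the benefits slide by ranking the same findings by technical severity alone for contrast. The findings, their VULN-* labels (hypothetical, not CVE identifiers), asset values, frequencies, probabilities and costs are all constructed.

```python
"""Vulnerability Risk Management scoring that walks the slide's process.

Added example, not IDC's or Tripwire's own method. Risk is modelled as
expected annual loss = asset value x exploit attempts per year x probability
an attempt succeeds; remediation is then chosen by risk removed per dollar.
All findings, identifiers (VULN-A ...), values and costs are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Finding:
    vuln_id: str              # hypothetical label, not a real CVE
    asset: str
    severity: float           # "Assess Vulnerabilities": technical severity, 0-10 (CVSS-like)
    asset_value: float        # "Estimate Value of Vulnerable Asset": loss if compromised (USD)
    attempts_per_year: float  # "Assess Threats" + "Estimate Frequency of Exploitability"
    p_success: float          # probability a single attempt succeeds, 0..1
    remediation_cost: float   # "Estimate Cost to Remediate" (USD)
    expected_loss: float = field(init=False)

    def __post_init__(self) -> None:
        if not 0.0 <= self.p_success <= 1.0:
            raise ValueError("p_success must be a probability")
        # "Rank Vulnerability": impact x likelihood, as expected annual loss in USD
        self.expected_loss = self.asset_value * self.attempts_per_year * self.p_success


def rank_by_severity(findings: List[Finding]) -> List[str]:
    """What a severity-only view would do: highest CVSS-like score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """'Rank Vulnerability' by exploitability and business impact, not severity alone."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.expected_loss, reverse=True)]


def prioritize(findings: List[Finding], budget: float) -> Tuple[List[str], float]:
    """'Prioritize Initiatives': greedy by expected loss removed per remediation
    dollar, skipping any fix that no longer fits in the remaining budget."""
    chosen, spent = [], 0.0
    by_value_per_dollar = sorted(
        findings, key=lambda f: f.expected_loss / f.remediation_cost, reverse=True
    )
    for f in by_value_per_dollar:
        if spent + f.remediation_cost <= budget:
            chosen.append(f.vuln_id)
            spent += f.remediation_cost
    return chosen, spent


def residual_risk(findings: List[Finding], chosen: List[str]) -> float:
    """Expected annual loss still carried after the chosen fixes are done."""
    return sum(f.expected_loss for f in findings if f.vuln_id not in chosen)


# Constructed findings. VULN-C has the highest severity but is rarely attacked and
# hard to exploit; VULN-B is medium severity but under constant, reliable attack.
FINDINGS = [
    Finding("VULN-A", "payments-db", 7.5, 2_000_000, 0.5, 0.9, 40_000),
    Finding("VULN-B", "marketing-web", 6.8, 50_000, 12.0, 0.8, 5_000),
    Finding("VULN-C", "hr-portal", 9.8, 300_000, 2.0, 0.1, 20_000),
    Finding("VULN-D", "print-server", 7.2, 5_000, 20.0, 0.95, 1_000),
]

if __name__ == "__main__":
    print("by severity:", rank_by_severity(FINDINGS))
    print("by risk:    ", rank_by_risk(FINDINGS))
    chosen, spent = prioritize(FINDINGS, budget=30_000)
    print("fix with $30k:", chosen, "spent", spent,
          "residual expected loss", residual_risk(FINDINGS, chosen))
```

Two things worth noticing in the output. Severity alone puts VULN-C first, while the risk ranking puts it last, because nobody is attacking that asset and the exploit rarely works. And with a $30k budget the greedy pass fixes VULN-B, VULN-D and VULN-C but skips VULN-A, the single largest risk, because its $40k fix does not fit; the residual expected loss of $900k is exactly the number to take back to the business when asking for the budget, which is what "Prioritize Initiatives" and "Connect to business" mean in practice.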

Page 19

Vulnerability Risk Management: The Benefits

1. Better Visibility
• Identify vulnerabilities to systems and networks
• Identify what systems have drifted from a known "good state"
• Drive awareness, action and accountability with targeted metrics

2. Risk Prioritization
• Draw data-driven conclusions which are defensible
• Prioritize remediation based on exploitability, not just vulnerability
• Have quantifiable measurement with which to remediate risks

3. Automation
• Automate assessment and remediation lifecycle
• Facilitate continual assessments for better data accuracy
• Convey impact of IT risk in business-relevant terms
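The "drifted from a known good state" item is the one control on this slide that is not a vulnerability scan at all, so here is an added example (not Tripwire's own integrity-monitoring implementation) of the basic mechanism: record a baseline manifest of path to SHA-256 of content, re-hash later, and report anything added, removed or modified. The host file contents below are constructed; `manifest_from_dir` is included for running the same comparison against a real directory tree.

```python
"""Detecting drift from a known 'good state' with a hashed baseline.

Added example, not Tripwire's own integrity-monitoring implementation.
A baseline is a manifest {path: sha256(content)}; drift is any path added,
removed or changed relative to it. The sample file contents are constructed.
"""
import hashlib
from pathlib import Path
from typing import Dict, List


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest from an in-memory {path: content} snapshot (used by the demo)."""
    return {path: digest(content) for path, content in files.items()}


def manifest_from_dir(root: str) -> Dict[str, str]:
    """Manifest from a real directory tree: hash every regular file under root."""
    base = Path(root)
    return {
        str(p.relative_to(base)): digest(p.read_bytes())
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }


def drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two manifests; empty lists everywhere means no drift."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def has_drifted(report: Dict[str, List[str]]) -> bool:
    return any(report.values())


# Constructed "known good" state of a host.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/usr/bin/ls": b"\x7fELF constructed-binary-v1",
}
# Constructed current state: sshd hardening reverted, unexpected cron job added.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/usr/bin/ls": b"\x7fELF constructed-binary-v1",
    "/etc/cron.d/unexpected-job": b"* * * * * root /tmp/job.sh\n",
}

BASELINE = manifest_from_snapshot(BASELINE_FILES)


def demo_report() -> Dict[str, List[str]]:
    """Drift of the constructed current state against the constructed baseline."""
    return drift(BASELINE, manifest_from_snapshot(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(f"{kind}: {paths}")
```

Note what the comparison catches that a vulnerability scanner would not: `PermitRootLogin` flipping from `no` to `yes` is not a CVE, but it is exactly the configuration drift the slide is talking about. The baseline is only as trustworthy as its storage, so in a real deployment keep the manifest off the monitored host (or signed) so that whoever changed the files cannot also rewrite the record of what they should look like.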

Page 20

Enterprise Security Policy

Vulnerability Risk Management isn't solved with just technology, but with rules

Policies are a mechanism for dealing with the most difficult problems in computer security

What, How and Why? Knowing why something needs to be protected makes it easier to describe potential risks within the context of business objectives.

Implementing security according to a "master plan" results in consistency

Measurement and enforcement are required to make policies real

Policy bridges the gap between technology and reality!

Page 21

Top IT Initiatives

[Chart: percentage of respondents who listed each initiative as a top 3 initiative.]

Source: IDC CIO Agenda Survey, November-December 2011. Data shows % of respondents who listed the initiative as a top 3 initiative. n = 36

Page 22

Vulnerability Risk Management: Competitive Advantage

• Drive up cost for adversaries
• Improve capability to make intelligent IT security investment decisions
  - Security solutions protect what needs to be protected
  - Saving time and money on security
• Reducing security "fire fighting" enables strategic monitoring and prevention
• Improve confidence in security
• Measure status and progress for auditors and executives
• IT Security can intelligently support business innovation

Page 23

Analyst Final Thoughts

• Considerable stakes to the business
• Work smarter (Brain), not harder (Brawn)
• Vulnerability Risk Management puts YOU in control
  - Identify and respond quickly
  - Adjust to ever-change
• Select the RIGHT security solutions that secure and improve business efficiency
• Policy needs to be part of the solution
• Ultimately align IT Security to Business Operations

Page 24

Enterprise Vulnerability Management

Tripwire IP360 provides actionable vulnerability intelligence to efficiently and effectively manage the constant change of security risk in complex computing environments.

Page 25

PRIORITIZE

Prioritization of vulnerabilities using business context

• Up-to-date and accurate vulnerability research from the Tripwire VERT team
• Continuous and on-demand vulnerability detection
• Understand which vulnerability you should fix right now

Page 26

DISCOVER

Take inventory of devices and software to manage or reduce attack surface

• Detect unpublished vulnerabilities in web applications
• Scan the "hard to reach places" like your network perimeter and remote offices
• Detect vulnerabilities, devices, software, and lost/hidden devices on your network

Page 27

MEASURE

Measure, analyze, and communicate proactively and effectively with key stakeholders

Measure how effectively you are reducing risk

Stakeholders: Executives, Auditors, Security & IT Ops

Page 28

Q&A

Questions?

Page 29

tripwire.com | @TripwireInc

THANK YOU