Vulnerability Voodoo and the Convergence of Foundational Security Controls
DESCRIPTION
In this, our final webcast of 2013, we’ll show you how Vulnerability Management at “The New Tripwire” benefits you and your organization and how an intelligent approach to performance reporting and visualization enables better business decisions. Charles Kolodgy, Research Vice President for IDC's Security Products service, and Edward Smith, Product Marketing Manager at Tripwire, discuss:
- Integrating Vulnerability Management with other security controls to improve compliance and security posture
- Leveraging Vulnerability Management beyond the server room to reduce risk across the entire enterprise
- Combining business intelligence from Vulnerability Management with other security controls to make better business decisions
A recording of the webcast that accompanies this slide deck can be found here: http://www.tripwire.com/register/vulnerability-voodoo-the-convergence-of-foundational-security-controls/
TRANSCRIPT
Vulnerability Voodoo: The Convergence of Foundational Security Controls
CHARLES KOLODGY, RESEARCH VICE PRESIDENT FOR IDC'S SECURITY PRODUCTS SERVICE, EDWARD SMITH, PRODUCT MARKETING MANAGER AT TRIPWIRE
The leading provider of risk-based security and compliance management solutions, enabling enterprises to effectively connect security to their business
• Broadest set of foundational security controls
• Business context with blended asset and risk scoring
• Security business intelligence with performance reporting and visualization to make better decisions
• Covering the extended enterprise
TRIPWIRE | CONFIDENCE: SECURED
Delivering the ‘First Four’ of the 20 Critical Security Controls (CSC)
[Diagram: the 20 CSC mapped to Tripwire coverage]
• CSC 1: Inventory Hardware
• CSC 2: Inventory Software
• CSC 3: Secure Configurations for Servers & Endpoints
• CSC 4: Vulnerability Assessment
• CSC 6: Application Security
• CSC 10: Secure Configurations for Network Devices
• CSC 13: Boundary Defense
• CSC 14: Maintain & Monitor Audit Logs
Additional Support:
• CSC 5: Malware Protection
• CSC 7: Wireless Device Control
• CSC 11: Limit & Control Net Ports
• CSC 12: Control Admin Privileges
• CSC 15: ‘Need to Know’ Access
• CSC 16: Account Monitoring & Control
Tripwire Delivers Foundational Security Controls
[Diagram: controls plotted by frequency (continuous to periodic) against number of devices (low to high), overlaid with risk & business criticality]
• System Integrity
• Security Configuration Management
• Vulnerability Management & Log Management
• Asset Discovery & Reconciliation
Asset types covered: Servers, Applications, BYOD, Databases, Desktops, Firewalls, Net Devices, Printers, Wireless; plus Critical Data and Business Partners.
Tripwire Product Suite
• Vulnerability Management
• Security Configuration Management
• Log Intelligence
• Reporting and Analytics
Vulnerability Voodoo: The Convergence of Foundational Security Controls
Charles Kolodgy, Research VP, Security Products
© IDC Visit us at IDC.com and follow us on Twitter: @IDC 8
Agenda
• Pain
• Brain v. Brawn
• VRM Program
• Security Policy
• Value
• Analyst Closing Comments
Pain
• Expanding Business Requirements
• Data Overload
• Lack of Visibility
• Budget Constraints
• Consumerization
• Bad Users
• Compliance Straightjacket
• Malware
• Professional Attackers
Regulatory Controls
• Straightjacket on IT Operations
• Drives Operations and Budgets
• Compliance not equal to Security
• Brake on Innovative Business Opportunities
• Can’t be Avoided
• Auditors require PROOF
“Hackers may find you, auditors WILL find you.”
Compliance Driven
What percentage of your overall IT budget is associated with regulatory compliance?
On average, 13% of respondents’ overall IT budget is associated with regulatory compliance.
[Chart: share of respondents by bracket (None, Less than 10%, 10% - 24%, 25% or more) for 2007, 2009 and 2011]
Source: IDC’s Enterprise Security Surveys for 2007, 2009 and 2011
Security Gap
[Chart: cumulative growth over time, showing an expanding security gap]
Vulnerabilities
Majority of security breaches exploit known vulnerabilities.
Vulnerabilities in software and configurations: the Window of Exposure is expanding.
[Timeline illustrating the Window of Exposure: Vulnerability, Patch Released, Exploit Written, Exploit Popularized, Patch Testing, 50% Patches Installed, All Patches Installed]
Polling Question
How is your company’s Vulnerability Assessment program perceived?
• It is a Tactical solution
• It is a Strategic solution
• It is only for Compliance (check box)
• We do not have a corporate-side VA program
Brain v. Brawn
• Multi-layers of security products
• Brawn products address specific threats
• Brain products used to Manage & Assess
• Brain products (VA, P&C, SIEM) only 11% of security spend
• Managing and Assessing can be a force multiplier
• Integrate with Other Security Controls
• Starts with a Vulnerability Risk Management Program
Vulnerability Risk Management
Vulnerability Risk Management is a process to determine the probability and impact of an event.
• Ties together What, How and Why
• Improves capabilities to make intelligent IT security investment decisions
• Risk-prioritized issues drive action
• Relies on accurate, correlated information
• Aligns security reality with business goals
[Diagram of the progression: Basic Security Assessment, Stay ahead of threats, Focus on top priorities, Build sustainable risk program, Connect to business]
Vulnerability Risk Management: The Process
1. Assess Threats
2. Assess Vulnerabilities
3. Estimate Value of Vulnerable Asset
4. Estimate Frequency of Exploitability
5. Rank Vulnerability
6. Estimate Cost to Remediate
7. Prioritize Initiatives
8. Implement Improvements
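The ranking and prioritization steps of this process, worked through in code as an added example (not IDC's or Tripwire's own method or product logic). Risk is taken as probability times impact, as the slides define it, and the asset names, values, exploit frequencies and remediation costs are constructed for illustration.

```python
"""Toy vulnerability risk management (VRM) ranking, added for this page.
All asset names and numbers below are constructed, not real findings."""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln: str
    asset_value: float       # estimated business value of the vulnerable asset (constructed, $k)
    exploit_freq: float      # estimated annual probability that this vuln is exploited (0..1)
    remediation_cost: float  # estimated cost to remediate (constructed, $k)


def risk(f: Finding) -> float:
    """Probability x impact: expected annual loss attributable to this finding."""
    return f.asset_value * f.exploit_freq


def rank_vulnerabilities(findings):
    """'Rank Vulnerability' step: highest expected loss first, so exploitability
    and asset value drive the order, not the bare existence of a vulnerability."""
    return sorted(findings, key=risk, reverse=True)


def prioritize_initiatives(findings, budget):
    """'Prioritize Initiatives' step: greedily fund the fixes that remove the most
    risk per unit of remediation cost until the budget is spent.
    Returns (chosen findings in funding order, total risk removed)."""
    chosen, removed = [], 0.0
    for f in sorted(findings, key=lambda x: risk(x) / x.remediation_cost, reverse=True):
        if f.remediation_cost <= budget:
            budget -= f.remediation_cost
            chosen.append(f)
            removed += risk(f)
    return chosen, removed


# Constructed sample findings (hypothetical assets; no real identifiers).
FINDINGS = [
    Finding("payments-db", "SQL injection in checkout", 500, 0.6, 40),
    Finding("intranet-wiki", "outdated CMS version", 20, 0.9, 5),
    Finding("hr-server", "weak TLS configuration", 200, 0.05, 10),
    Finding("build-server", "unpatched remote code execution", 150, 0.5, 60),
]

if __name__ == "__main__":
    for f in rank_vulnerabilities(FINDINGS):
        print(f"{risk(f):6.1f}  {f.asset:14} {f.vuln}")
    chosen, removed = prioritize_initiatives(FINDINGS, budget=50)
    print("fund first:", [f.asset for f in chosen], "risk removed:", removed)
```

Note that the cheap wiki fix is funded ahead of the build server's RCE: with a fixed budget, risk removed per dollar, not raw severity, decides the order.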
Vulnerability Risk Management: The Benefits
1. Better Visibility
• Identify vulnerabilities to systems and networks
• Identify what systems have drifted from a known “good state”
• Drive awareness, action and accountability with targeted metrics
2. Risk Prioritization
• Draw data-driven conclusions which are defensible
• Prioritize remediation based on exploitability, not just vulnerability
• Have quantifiable measurement with which to remediate risks
3. Automation
• Automate assessment and remediation lifecycle
• Facilitate continual assessments for better data accuracy
• Convey impact of IT risk in business-relevant terms
Enterprise Security Policy
Vulnerability Risk Management isn’t solved with just technology, but with rules.
Policies are a mechanism for dealing with the most difficult problems in computer security.
What, How and Why? Once you know why something needs to be protected, it becomes easier to describe potential risks within the context of business objectives.
Implementing security according to a “master plan” results in consistency.
Measurement and enforcement are required to make policies real.
Policy bridges the gap between technology and reality!
Top IT Initiatives
[Chart not reproduced in the transcript]
Source: IDC CIO Agenda Survey, November-December 2011. Data shows % of respondents who listed it as a top 3 initiative. n = 36
Vulnerability Risk Management: Competitive Advantage
• Drive up cost for adversaries
• Improve capability to make intelligent IT security investment decisions
  • Security solutions protect what needs to be protected
  • Saving time and money on security
• Reduce security “fire fighting”, enabling strategic monitoring and prevention
• Improve confidence in security
• Measure status and progress for auditors and executives
• IT Security can intelligently support business innovation
Analyst Final Thoughts
• Considerable stakes to the business
• Work smarter (Brain) not harder (Brawn)
• Vulnerability Risk Management puts YOU in control
  • Identify and respond quickly
  • Adjust to ever-change
• Select the RIGHT security solutions that secure and improve business efficiency
• Policy needs to be part of the solution
• Ultimately align IT Security to Business Operations
Enterprise Vulnerability Management
Tripwire IP360 provides actionable vulnerability intelligence to efficiently and effectively manage the constant change of security risk in complex computing environments.
PRIORITIZE
Prioritization of vulnerabilities using business context
Up-to-date and accurate vulnerability research from the Tripwire VERT team
Continuous and on-demand vulnerability detection
Understand which vulnerability you should fix right now
DISCOVER
Take inventory of devices and software to manage or reduce attack surface
Detect unpublished vulnerabilities in web applications
Scan the “hard to reach places” like your network perimeter and remote offices
Detect vulnerabilities, devices, software, and lost/hidden devices on your network
MEASURE
Measure, analyze, and communicate proactively and effectively with key stakeholders
Measure how effectively you are reducing risk
Stakeholders: Executives, Auditors, Security & IT Ops
Q&A
Questions?
tripwire.com | @TripwireInc
THANK YOU