Vulnerability Management
Dimension Data – Tom Gilis, 24 November 2011

Dimension Data Belgium – Security Consulting – Advisory & Assurance
• Security Advisory services are Governance, Risk and Compliance oriented consultative engagements focusing on the organizational and strategic aspects of Security Management, covering requirements such as Business Impact Analysis, Risk Assessment, Best Practices Gap Analysis and Policies and Procedures, to name only a few.
• Security Assurance services are engagements where our customers rely on our technical expertise to gauge their security posture against a defined security standard or to obtain a 'bird's eye view' of where hackers may exploit weaknesses. Services range from Penetration Testing, Vulnerability Assessment and Management to Source Code Analysis on a very broad technology spectrum.
13/04/2015 Vulnerability Management 2

Problem Statement – A day in the life of an IT Officer
Questions
• How do I manage the privacy of the corporate data?
• Are my endpoints a risk to my corporate network?
• Are they subject to targeted attacks?
• How do I demonstrate compliance with standards and regulations?
• How do I maintain our security standards when outsourcing?
• How can I show the value of security within my organisation?
• Can I combine the new business requirements and uphold a strong, secure network environment?
• ...

Problem Statement – Security Landscape
The threat landscape is becoming more and more sophisticated while technology environments continue to be very complex.

New vulnerabilities are found every day:
• Much more research into vulnerabilities and security weaknesses
• "On average, about 3000 vulnerabilities per year get reported to CERT and only about 10% are published." (CERT)
Source: http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph.JPG

Increase in attacks at the application layer:
• Every 1,000 lines of code averages 15 critical security defects (US Department of Defense)

Change in malicious attacks:
• Increased professionalism and commercialization of malicious activities
• Threats that are increasingly tailored for specific regions
• Increasing numbers of multi-staged attacks
• More targeted attacks with bigger financial loss

Compliance pressure and stringent legal requirements continue to drive security focus. Compliance explicitly calls for vulnerability management and security assessments: ISO 27001/27002, PCI DSS v2.0, SOX Section 404, GLBA, HIPAA, FISMA, NIST 800-53, NIST 800-64, CBFA Circular 2009_17 (Belgian FSI regulator)...
• Vulnerability Management
• Penetration Testing
• Source Code and Binary Code Review
• ...

Examples of compliance requirements explicitly calling for vulnerability management and security assessments:
• PCI DSS: Req. 12 – Regularly test security systems and processes
• ISO 27002: 12.6.1 – Control of technical vulnerabilities
• Directive 95/46/EC of the European Parliament: The Principle of Security

A Strategic Approach – Determine Risk Level
• How do you consistently calculate risk across a diverse enterprise?
  o 'Finger in the air'
  o Who shouts the loudest?
  o Excel
  o CVSS (Common Vulnerability Scoring System)
  o ...
• Can you do this in an automated and repeatable manner?
• Is this used to help prioritize your remediation efforts?
• ...

A Strategic Approach – Implement appropriate protection
• How fast can your organization deploy a patch to all affected systems?
• Is it more cost effective to protect first and fix later?
• What is the most effective tool to mitigate the risk?
• Example: Typical Savings

                                                2005   2006
  Number of patch cycles                          19      9
  Number of people assigned to patch operations   41     19
  Average hours per patch cycle                   73     68
  Total FTE                                       27    5.6

  Patch Management savings of one of the largest security vendors in the world. Vulnerability Management helped them decide whether or not to patch, depending on the type of attacks, the type of vulnerabilities, whether systems are exposed to specific attacks, and the control mechanisms in place.
A Strategic Approach – Reducing overall IT Security Risk
• Targeted – near-day mitigation
  o New, critical vulnerabilities
  o Key assets
• Bottom-up – scan and remediate
  o Assess vulnerability state
  o Remediate detected vulnerabilities
• Top-down – policy audit and enforcement
  o Define asset baseline
  o Define security baseline
  o Enforce IT security configuration

A Strategic Approach – We need something that...
• provides continuous insight into the security posture of an external or internal infrastructure
• helps us stay in control and measure security maturity and progress in between extended security assessments, e.g. an annual Penetration Test
• automates the fight against vulnerabilities, which is crucial for success: a manual detection and remediation workflow is too slow, too expensive and ineffective
• can be used to drive the internal information needed to decide on priorities
• consolidates the Patch Management process and provides valuable proactive and reactive security controls
• demonstrates compliance and control
• ...

Vulnerability Management – What is VM?
"Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities"
"Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners"
Source: Wikipedia

Vulnerability Management – The 6 Steps of Vulnerability Management
1. Discover and inventory assets
2. Categorise and prioritise assets
3. Scan for vulnerabilities
4. Report, classify and rank risks
5. Remediate – apply patches, fixes and workarounds
6. Verify – re-scan to confirm fixes and verify security

The 6 Steps of Vulnerability Management in detail

1. Discover and inventory assets
• Establish a baseline of all assets
  o IP devices connected to the network
  o Software, applications and services
  o Individual configurations, latest software release, patches, etc.

2. Categorize and prioritize the inventory
• By measurable business value
• By potential impact on business availability
• Establish interrelations between systems and services

3. Scan for vulnerabilities
• Scan assets against a comprehensive, industry-standard database of vulnerabilities; this increases the accuracy of scanning and minimizes false positives
• Automated scanning keeps you up to date, is accurate, and scales globally to the largest networks
• Tests the effectiveness of security policy and controls by examining network infrastructure and applications for vulnerabilities

4. Report, classify and rank risks
• Create manual or automated reports and distribute them to the respective stakeholders
• Maintain an overview for instant risk analysis
• Prove compliance with regulations

5. Remediate
• Apply patches, updates and fixes, or install workarounds to mitigate the risk
• Use a remediation workflow tool to automatically generate and assign tickets and ensure follow-up and remediation
• Pre-test all patches, etc. in your organization's test environment before deployment

6. Verify – re-scan to confirm fixes and verify security
• Re-scan to verify applied patches and confirm compliance
• Update the remediation workflow and the assets baseline

Belnet Vulnerability Scanner – Advantages
• Web-based SaaS solution
• IPv6 compliant
• Secure solution with strong authentication and encryption...
• 99.997% proven accuracy
• Easy, transparent reporting using customizable templates
• Web Application Vulnerability scanning module
• Modules for specific compliance requirements (PCI DSS, ...)
• ...

Vulnerability Management – Conclusion
Things to think about...
• What are my compliance requirements and legal boundaries?
• Are my current security controls proactive or reactive?
• Is my Vulnerability Management tool efficient?
• Do I know what the current security state of my network is?
• Is my confidential data sufficiently protected?
• Can I properly protect my assets in this security landscape?

Vulnerability Management – Conclusion
Hacking is easy

Thank you!!
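A worked example of steps 2, 4 and 6 of the cycle above, written for this page and not code from the presentation or from any Dimension Data or Belnet tool: it weights each finding's CVSS base score by the asset's business value so that ranking is automated and repeatable (the 'Determine Risk Level' question), and diffs a baseline scan against a re-scan to confirm fixes. Asset names, vulnerability IDs and scores are constructed placeholders.

```python
"""Repeatable risk ranking and re-scan verification for a VM cycle (added example)."""

# Constructed sample data (not real assets or CVEs):
# step 2 output: business value per asset, 1 (low) .. 5 (critical)
ASSETS = {"db-01": 5, "web-01": 4, "kiosk-07": 1}
# step 3 output: (asset, vulnerability id, CVSS base score 0..10)
BASELINE_SCAN = [
    ("db-01", "VULN-001", 9.8), ("db-01", "VULN-002", 4.3),
    ("web-01", "VULN-003", 7.5), ("kiosk-07", "VULN-001", 9.8),
]
# step 6 input: same scanner run again after remediation
RESCAN = [("db-01", "VULN-002", 4.3), ("web-01", "VULN-004", 5.0)]


def risk_score(cvss, business_value):
    """Risk = CVSS base score weighted by asset value (range 0..50), rounded for stable sorting."""
    return round(cvss * business_value, 1)


def priority(score):
    """Map a risk score to a remediation priority band (thresholds are an assumption)."""
    return "P1" if score >= 40 else "P2" if score >= 20 else "P3"


def rank_findings(findings, assets):
    """Step 4: rank all findings by risk, highest first; assets missing from inventory count as value 1."""
    ranked = [(risk_score(cvss, assets.get(asset, 1)), asset, vuln, cvss)
              for asset, vuln, cvss in findings]
    return sorted(ranked, reverse=True)


def verify_rescan(baseline, rescan):
    """Step 6: which (asset, vuln) pairs were fixed, which stayed open, which are new since the baseline."""
    before = {(asset, vuln) for asset, vuln, _ in baseline}
    after = {(asset, vuln) for asset, vuln, _ in rescan}
    return {"fixed": sorted(before - after),
            "open": sorted(before & after),
            "new": sorted(after - before)}


if __name__ == "__main__":
    # Note: the same CVSS 9.8 ranks first on the database but last on the kiosk.
    for score, asset, vuln, cvss in rank_findings(BASELINE_SCAN, ASSETS):
        print(f"{priority(score)} {score:5} {asset:9} {vuln} (CVSS {cvss})")
    print(verify_rescan(BASELINE_SCAN, RESCAN))
```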