Cutting Edge Approaches to Vulnerability Management


Why You Should Attend:

- Learn how key network security management solution providers are expanding vulnerability assessments to include more than just network endpoints
- Gain a sneak peek of the newest tools and technologies in assessment precision and remediation
- Understand how vulnerability reporting is vital to the interests of compliance, IT and C-level management


  1. Cutting Edge Approaches to Vulnerability Management: VM Value-Added Services. Chris Kissel, Industry Analyst, Information & Network Security. March 13, 2014. © 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.
  2. Today's Presenter: Chris Kissel, Industry Analyst, Frost & Sullivan
     • IT & Network Security: vulnerability management, cloud-based file sharing services, public vulnerabilities, NAC, and SSL certificates.
     • Ten years of research and sales experience in the cellular infrastructure, wireless, telecom, PC, semiconductor, and high-definition consumer device sectors.
  3. Introduction (agenda)
     1. Vulnerability Management Market Size
     2. Vulnerability Management Basics
     3. Specialized Reporting
     4. Context Awareness
     5. Integration with Complementary Secondary Technologies
  4. Vulnerability Management Market Size
  5. Cyber Threat Environment: The Nature of Cyber Attacks is Changing
     • According to the Symantec Internet Security Threat Report 2014, "targeted" attacks increased by 32 percent between 2012 and 2013.
     • Because attack tooling is readily available and there is a growing body of past attacks to copy, the skill level required of an attacker matters less. Like legitimate communications service providers, rogue operators selling attack services now offer a service level agreement (SLA).
     • Cyber attacks are moving from server-side to client-side attacks.
     • High-profile security breaches have received extensive media coverage and can affect the market worth of a company.
     • While there may be no formal declaration of hostilities and the term "cyber warfare" may be too strong, cyber conflicts are evident. Nation-states are suspected of being responsible for the most pernicious attacks.
     • Any aspect of networking, from applications to access, can become a vulnerability. Attacks have grown sophisticated, but so have the defenses against them.
     Source: Frost & Sullivan
  6. 2010–2018 Vulnerability Management Market Size [chart]. Total Vulnerability Management Market: Unit Shipment and Revenue Forecast, Global, 2010–2018; Revenue CAGR (2013–2018) = 13.0%. Source: Frost & Sullivan
  7. Investments in Vulnerability Management
     • In the last two years, vulnerability management fundamentally changed: each major industry player received money in one form or another. Tenable Network Security and Rapid7 each received $50 million in funding; Qualys issued an IPO; and eEye Digital Security and nCircle were acquired by BeyondTrust and Tripwire, respectively.
     Source: Frost & Sullivan
  8. Drivers and Restraints
     Total Vulnerability Management Market: Key Market Drivers and Restraints, Global, 2014–2018
     Impact rating per horizon (1–2 years / 3–4 years / 5 years): H = High, M = Medium, L = Low

     Market Drivers
       H/H/H  The nature of cyber attacks is changing to include smaller businesses, and threats are becoming more targeted
       M/M/M  Integration of features in vulnerability management platforms is helping customers harden their systems
       M/M/H  Compliance reporting is increasing in importance to conform with regulatory requirements
       M/H/H  The Internet of Things requires heterogeneous networks, and integrates new devices and security practices
       M/H/H  Continuous threat monitoring is becoming requisite

     Market Restraints
       H/H/H  Customers are concerned that vulnerability management is too thin a slice of protection, and are worried about limits in the platform
       M/M/M  Vulnerability management customers are prohibited from publishing scan results, which reinforces the feeling that they have trouble making value-based decisions
       M/M/M  Syncing security measures to match changes in a network is difficult
       L/L/L  Vulnerability management competes with other technologies for security solution dollars

     Note: Drivers and restraints are ranked in order of impact. Source: Frost & Sullivan
  9. Poll Question Number One
  10. Vulnerability Management Basics
  11. Fundamentals of Vulnerability Management
     • Vulnerabilities are defined as any errors or weaknesses within a software program that enable an unauthorized user to access sensitive data, gain control, or deny access to authorized users.
     • Vulnerability management is an essential proactive control for preventing data breaches and system disruptions. These products enable companies to find weaknesses in their networks and provide remediation guidance.
     • Network scanners can scan every network-attached endpoint for vulnerabilities. However, the resulting reports often produce long lists of vulnerable systems.
     • Vulnerability management now has much more concise reporting. Ranking vulnerabilities by remediation priority is an important measure of a product's efficacy: nearly every device and system will show some vulnerability, so a security team needs to know which findings to address first. Identifying and remediating a weakness early reduces the likelihood that it becomes the foothold for an advanced persistent threat later.
     Source: Frost & Sullivan
  12. CVSS v2 Scoring
     Figure 1: Attributes and Measures of CVSS v2 (base metrics)

     Exploitability metrics
       Access Vector: where the exploit can be triggered from. Worst case: Network, i.e. remotely exploitable over IP (OSI layer 3 and above) with no local or adjacent-network access required.
       Access Complexity: how hard the attack is to carry out once the attacker can reach the target. Worst case: Low, i.e. no special conditions; an attacker can exploit without limitations.
       Authentication: how many times an attacker must authenticate to the target. Worst case: None; no authentication is needed to exploit the vulnerability.
     Impact metrics
       Confidentiality: size of the disclosure. Worst case: Complete; the attacker can read or steal any or all of the data.
       Integrity: whether data can be altered. Worst case: Complete; the attacker can manipulate data, and integrity is totally lost.
       Availability: system or network availability. Worst case: Complete; the attacker can crash or otherwise incapacitate a system or network.

     Source: NIST; Common Vulnerability Scoring System v2 (Base Score Metrics)
  13. More About Vulnerability Management Basics
     • Ticketing systems are something of a necessity in vulnerability management, and they elicit strong emotions from IT personnel.
     • Outpost24 has an elaborate ticketing system. Tickets can be created manually or automatically and sorted by remediation urgency, from low to high priority. Each ticket records who owns the issue, who is assigned to fix it, when it is to be fixed, and the ultimate resolution.
     • Patching vulnerabilities is the next step. Vulnerability management companies have agreements with patch management vendors.
     • One differentiator a vulnerability management provider can offer is a shortened cycle between remediation and re-scanning to confirm the fix.
  14. Specialized Reporting
  15. Reporting by Department
     • Optimally, reports would be generated to suit different functions.
     • Many organizations require different perspectives for IT/security, the CEO, and auditors.
     • Vulnerability management platform providers can supply templates that produce specific reports to prove compliance, or reports tailored to particular market verticals.
     • BeyondTrust uses Microsoft Online Analytical Processing (OLAP) cubes to port data to its data warehouse.
  16. Compliance Reporting
     • Language in the Health Information Technology for Economic and Clinical Health Act (HITECH) means that larger healthcare organizations such as Cigna and Blue Cross assume liability for data and patient records coming from subcontractors. Consequently, the large organizations have the right to audit their subcontractors, which include smaller practices such as radiology and ultrasound clinics.
     • In November 2013, Payment Card Industry Data Security Standard (PCI DSS) 3.0 became an official standard. There is a phase-in period for vendors, but on January 1, 2014 the new standard became effective. PCI DSS 3.0 added best practices on top of its list of requirements: it requires a merchant to have anti-malware protection, and it lets merchants use passphrases as well as passwords for authentication. The PCI DSS 3.0 standard will remain in place for at least three years.
     • In the United States, NIST Special Publication 800-53 Revision 4 was released April 30, 2013. NIST develops standards, guidelines, and recommendations to promote information security for all government agency operations and systems. In many cases, NIST compliance is required for private businesses to compete for contracts with government agencies.
  17. Context Awareness
  18. Context Awareness
     • Context awareness integrates threat, risk, vulnerability, privilege, and event data with compliance reporting, remediation procedures, and statistics to give IT the information it needs to make the most effective decisions possible.
     • There is never a shortage of vulnerabilities; almost without exception, every network will show some. What matters is the ability to react to and remediate the most potentially damaging ones first.
     • Vulnerability prioritization lets an IT team act on advanced persistent threats and zero-day vulnerabilities, ideally before an attack is launched.
     • The pillars of contextual awareness in this report are specialized reporting, device fingerprinting, threat simulation, and risk management.
  19. Enhanced Reporting: Tripwire [dashboard screenshot]. Source: Tripwire Analyst Deck, 2013, with permission.
  20. Enhanced Reporting
     • The end user can look at any metric on the dashboard and drill down to see which assets are being threatened.
     • The Tripwire paradigm lets the end user cross-match conditions; AUTOMATED EXPLOIT AND EXPOSURE would be among the most dire. Additionally, Tripwire's vulnerability scoring considers 90,000 conditions.
     • Ease of use is also an important specialized-reporting differentiator.
     • Outpost24 customers can generate automated reports from a selection of 42 attributes (31 pre-assigned templates, 10 custom templates, and one defined-asset-groups report).
     • The reports are designed to pivot to the perspective of a stakeholder (system owner, location, business unit, etc.) regardless of scan time.
     • Automated reporting can pare down the flow of information from each perspective.
  21. Device Fingerprinting
     • One of the biggest challenges for VM platforms is an ever-changing network.
     • Visibility is the unifying concept. New devices, virtual machines, and devices that have been offline or otherwise decommissioned all present the same challenge.
     • Any weakness becomes a potential attack vector, so IT teams must maintain visibility.
     • The same principle applies to devices that are powered down.
     • Essentially, vulnerability management platforms must have easy hooks into a mobile device management (MDM) program or must provide "MDM-lite" functionality.
  22. Threat Modeling (Leading Toward Risk Management)
     • Rapid7 offers threat-modeling simulation in Metasploit Pro and Metasploit Express. An IT department can create a layer-2 communications tunnel that bypasses intrusion detection and intrusion prevention systems (IDS/IPS).
     • To simulate an attack, IT can then launch a single exploit against a host and use the knowledge gained from the compromised machine to exploit another machine (pivoting). Other scenarios include brute force and basic and smart exploitation.
     • Outpost24 solutions prioritize remediation based on dependency and criticality ratings for affected systems; the ease of exploitation and its impact on the organization; and the efficiency and effectiveness of the remediation effort (solution-based reporting).
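One way to turn the prioritization inputs named on slide 22 (ease of exploitation, impact, asset criticality, remediation efficiency) into a ranked queue, as an added example that is not Outpost24's, Rapid7's or any other vendor's code. Every weight, SLA band, host name and finding below is a constructed assumption chosen for illustration, and the CVSS base score is assumed to arrive already computed by the scanner.

```python
"""Risk-ranked remediation queue (added example; assumed weights, constructed findings)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights: how an asset's business criticality and network exposure scale the
# scanner's CVSS base score, plus the uplift applied when a working exploit is public.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.3}
EXPLOIT_MULTIPLIER = 1.5


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    cvss_base: float          # scanner-supplied CVSS v2 base score, 0.0 to 10.0
    asset_criticality: str    # "high" | "medium" | "low"
    exposure: str             # "internet" | "internal" | "isolated"
    exploit_available: bool   # a working public exploit exists
    solution: str             # the single change that closes the finding


def risk_score(f: Finding) -> float:
    """Contextual score: CVSS scaled by criticality, exposure and exploit availability."""
    score = f.cvss_base * CRITICALITY_WEIGHT[f.asset_criticality] * EXPOSURE_WEIGHT[f.exposure]
    if f.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 2)


def tier(score: float) -> str:
    """Assumed SLA bands: fix now, fix in the next patch window, or just track."""
    if score >= 9.0:
        return "immediate"
    if score >= 3.0:
        return "scheduled"
    return "monitor"


def rank_findings(findings):
    """Highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def solution_plan(findings):
    """Solution-based view: which single fix removes the most total risk."""
    totals = defaultdict(lambda: [0.0, 0])
    for f in findings:
        totals[f.solution][0] += risk_score(f)
        totals[f.solution][1] += 1
    return sorted(((sol, round(t, 2), n) for sol, (t, n) in totals.items()),
                  key=lambda row: row[1], reverse=True)


# Constructed findings. F-2 has the highest CVSS score but ends up at the bottom of the queue.
SAMPLE_FINDINGS = [
    Finding("F-1", "web01", 7.5, "high", "internet", True, "Patch web server"),
    Finding("F-2", "lab07", 10.0, "low", "isolated", False, "Upgrade database engine"),
    Finding("F-3", "fs02", 6.0, "medium", "internal", True, "Disable SMBv1"),
    Finding("F-4", "web02", 9.3, "high", "internal", False, "Patch web server"),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.finding_id} {f.host:6} cvss={f.cvss_base:5} risk={risk_score(f):6} {tier(risk_score(f))}")
    for solution, total, count in solution_plan(SAMPLE_FINDINGS):
        print(f"{total:6} risk removed by '{solution}' ({count} finding(s))")
```

The ranking shows why the deck keeps insisting on prioritization: a 7.5 on an internet-facing critical host with a public exploit outranks a 10.0 on an isolated lab box, and the solution view makes "patch the web server" the obvious first work item because it closes two findings at once.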
  23. Poll Question Number Two
  24. Integration with Secondary Technologies
  25. Integration with Secondary Technologies [diagram]. Technologies shown around the vulnerability management platform: log management, SSL certificate authentication, SIEM, privileged identity management, web application scanning, secure configurations, and risk management platform. Source: Frost & Sullivan
  26. Applied Analytics
     • Security information and event management (SIEM), log management, and risk management are interrelated, analytically driven technologies.
     • An analytical approach to vulnerability management platforms is preferred on several levels: proper event correlation can be incorporated into the front line of vulnerability scanning.
     • SIEM or SIEM-like capabilities are the gateway for integration with other security measures. Data loss prevention (DLP) identifies breaches of data involving personal identification, industrial or government secrets, or financial data.
     • BeyondTrust uses analytics from its solutions, integrated under its BeyondInsight IT Risk Management platform, to make identity the basis of access to certain files, to deny access to unauthorized users, and to turn intelligence gathered from the platform into better vulnerability management.
  27. Web Application Scanning
     • Attackers are using vulnerabilities in web applications as a means to create exploits.
     • Web application scanning is offered by several vulnerability management service providers.
     • Qualys has a separate Web Application Scanning / Web Application Firewall service.
     • In June 2012, Tripwire included web application scanning, WebApp360, on its Tripwire IP360 vulnerability and risk management platform at no additional cost.
     • Web application scanning is an integral part of the Tenable SecurityCenter Continuous View platform.
  28. QualysGuard Integrated Suite of Security and Compliance Solutions [diagram]. Modules shown: Vulnerability Management, Policy Compliance, Customizable Questionnaires, PCI DSS, Web Application Scanning, Malware Detection, Web Application Firewall, Web Application Log Analysis (one module is marked "In Beta" on the original slide). Source: Qualys, used with permission.
  29. Continuous Monitoring
     • In the United States, NIST treats continuous monitoring as the means of ensuring that the "planned, required, and deployed security controls" of an information system remain effective "in light of the inevitable changes that occur."
     • From NIST SP 800-137 (verbatim): Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
     • All Federal agencies have to produce monthly inventories of all assets on their networks (devices, applications, servers, virtual machines, etc.).
  30. Continuous Monitoring Principles [diagram]
     Components of a real-time, continuous monitoring platform: vulnerability management, malware detection, compliance and patch monitoring, network behavioral analysis, and log collection and analysis.
     Benefits of continuous monitoring:
     • Immediate discovery of assets, including mobile, cloud, and virtual systems
     • Continuous, real-time vulnerability assessment
     • Integrated threat detection and advanced malware analysis; isolation of attack paths
     • Real-time network monitoring and anomaly detection
     • Integrated logging, forensics, and threat investigation and response
     • Proactive compliance reporting and patch auditing
  31. Continuous Monitoring Architecture (Tenable Network Security) [diagram]
  32. Aspects of Continuous Monitoring (Tenable Network Security)
     • Tenable Network Security offers a continuous monitoring solution that combines active scanning, passive sniffing, and log analysis to form a composite view of assets, vulnerabilities, and threats.
     • Its Nessus active scanner supports both credentialed and non-credentialed scans to identify vulnerabilities and to run compliance and configuration checks.
     • The Passive Vulnerability Scanner (PVS) analyzes network traffic at the packet layer (colloquially, "sniffing") to detect assets as they connect to the network. PVS also identifies vulnerabilities and malicious communications from network traffic, supplementing the Nessus active scans.
     • The Log Correlation Engine (LCE) provides log analysis, adding context to vulnerabilities and threats from the surrounding infrastructure and system logs.
     • These combined technologies work together to identify risk from transient devices and dynamic systems, including mobile devices, virtual infrastructure, and cloud applications.
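The three feeds on slide 32 (active scan, passive sniffing, log events) merged into a single asset inventory and compared with the previous reporting period, as an added example that is not Tenable's code and does not use its products. It assumes assets can be keyed by IP address (adequate for a statically addressed segment; a DHCP network would need MAC or hostname keys), and every observation and prior-inventory entry is a constructed sample. This is the check behind the "transient devices" point on the slide and the monthly inventory requirement on slide 29: which hosts appeared, which ones the active scanner never reached, and which ones have gone quiet long enough to review for decommissioning.

```python
"""Asset-visibility delta for continuous monitoring (added example; constructed data)."""
from datetime import datetime, timedelta

# Constructed feed records: (ip, source, seen_at). "active" = credentialed scanner,
# "passive" = packet sniffer, "log" = event surfaced by a log correlation engine.
OBSERVATIONS = [
    ("10.0.1.10", "passive", "2014-03-13T09:30:00"),
    ("10.0.1.20", "active",  "2014-03-12T03:00:00"),
    ("10.0.1.20", "passive", "2014-03-13T09:30:00"),
    ("10.0.1.31", "passive", "2014-03-13T08:15:00"),  # laptop that was never scanned
    ("10.0.1.42", "log",     "2014-03-13T10:00:00"),  # VM known only from its log traffic
]

# Constructed inventory from the previous reporting period: ip -> last time it was seen.
PREVIOUS_INVENTORY = {
    "10.0.1.10": "2014-03-01T03:00:00",
    "10.0.1.11": "2014-02-01T03:00:00",
    "10.0.1.20": "2014-03-05T03:00:00",
}

NOW = datetime(2014, 3, 13, 12, 0, 0)  # assumed report time


def build_inventory(observations):
    """Fold raw observations into {ip: {"last_seen": datetime, "sources": set}}."""
    inventory = {}
    for ip, source, seen in observations:
        ts = datetime.fromisoformat(seen)
        entry = inventory.setdefault(ip, {"last_seen": ts, "sources": set()})
        entry["sources"].add(source)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return inventory


def inventory_delta(previous, current, now, stale_after=timedelta(days=30)):
    """Report new assets, assets the active scanner missed, and stale assets.

    new:       present now, absent from the previous inventory.
    unscanned: seen this period only passively or in logs, so they carry no
               vulnerability findings yet and need an ad-hoc active scan.
    stale:     in the previous inventory, not seen at all this period, and last seen
               longer ago than stale_after; candidates for decommission review.
    """
    new = sorted(set(current) - set(previous))
    unscanned = sorted(ip for ip, entry in current.items() if "active" not in entry["sources"])
    stale = sorted(ip for ip, seen in previous.items()
                   if ip not in current and now - datetime.fromisoformat(seen) > stale_after)
    return {"new": new, "unscanned": unscanned, "stale": stale}


def merged_inventory(previous, current):
    """Next period's baseline: every known ip with its most recent sighting as ISO text."""
    merged = {ip: seen for ip, seen in previous.items()}
    for ip, entry in current.items():
        merged[ip] = entry["last_seen"].isoformat()
    return merged


if __name__ == "__main__":
    current = build_inventory(OBSERVATIONS)
    for kind, ips in inventory_delta(PREVIOUS_INVENTORY, current, NOW).items():
        print(f"{kind:>9}: {', '.join(ips) or '-'}")
```

Note that 10.0.1.10 is neither new nor stale, yet it lands in the unscanned list: the sniffer proves it is alive, but the last credentialed scan of it is from the previous period, so its vulnerability data is out of date even though the asset itself is known.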
  33. Major Challenges (Current and Future)
     Current challenges:
     1. Developing products for the small and medium-sized business markets.
     2. Finding a unified scoring metric to determine the effectiveness of scanning accuracy. As with the enhanced vulnerability scoring matrices offered by VM service providers, time to remediation has to be part of the platform.
     3. Automating more of the processes in vulnerability management.
     4. Explaining goods and services within the context of the SANS (SysAdmin, Audit, Network, and Security) Top 20 Critical Security Controls (CSC).
     Future challenges:
     1. Extending the principles of vulnerability management to hybrid cloud environments.
     2. Deciding which features are best integrated into vulnerability management products.
     3. Building an infrastructure to account for the APAC region.
  34. Frost & Sullivan Services, Community Contribution, and Network and Information Security Team
  35. Next Steps: Develop Your Visionary and Innovative Skills (Growth Partnership Service). Share your growth thought leadership and ideas, or join our GIL Global Community. Join our GIL Community Newsletter to keep abreast of innovative growth opportunities. Phone: 1-877-GOFROST (463-7678)
  36. Follow Frost & Sullivan on Facebook, LinkedIn, SlideShare, and Twitter
  37. Your Feedback is Important to Us. What would you like to see from Frost & Sullivan? Growth forecasts? Competitive structure? Emerging trends? Strategic recommendations? Other? Please inform us by "Rating" this presentation.
  38. For Additional Information: Chris Kissel, Industry Analyst, IT & Network Security, IRG-74, (623) 910-7986; Michael Suby, VP of Research, IT & Network Security, IRG-74, (720) 344-4860; Frank Dickson, Principal Analyst, IT & Network Security, IRG-74, (469) 387-0256; Chris Rodriguez, Senior Analyst, IT & Network Security, IRG-74, (210) 477-8423