SlideShare a Scribd company logo

Vulnerability management today and tomorrow

Download as PPTX, PDF
Jonathan Sinclair
Jonathan Sinclair

An introductory look at VM management and some of the issues existing today when applied to the enterprise space

Technology
1 of 13
Vulnerability Management today and tomorrow in the Enterprise By Jonathan Sinclair
Agenda Current Situation1 Definition of terms What we can control3 Asset Exposure4 The Future5 What to take away6 Vulnerability Management today and tomorrow by Jonathan Sinclair2
Current Situation Today : It’s a mess Vulnerability Management today and tomorrow by Jonathan Sinclair3 • Multi-dimensional, heterogeneous system landscape • Legacy systems with ‘do not touch’ (patch/upgrade) license agreements • Global deployment (different time zones) • Distributed ownership (out-sourced IT) • Cloud scenarios • Everything managed through Excel • Scanning too much/not enough
Definition of terms What do we want to achieve operating IT security? Vulnerability Management today and tomorrow by Jonathan Sinclair4 • Ask yourself what is the difference between a RISK and a VULNERABILITY? • Both can be mitigated/treated • It seems that when someone talks about a risk, a vulnerability immediately follows • Risk* = A situation involving exposure to danger • Vulnerability* = Coming from the Latin ‘vulnus’ wound: Exposure to the possibility of being attacked or harmed, either physically or emotionally (digitally) • The point of every vulnerability management program is to reduce the exposure of information to a harm/threat * Definitions taken from oxforddictionaries.com, 10.2015
Vulnerability Management Dependency triad Vulnerability Management today and tomorrow by Jonathan Sinclair5 Vulnerability Management Risk VulnerabilityThreat
What can we control? Vulnerability Management today and tomorrow by Jonathan Sinclair6 • What we can’t control • Threats will always exist • Air gap, Malicious insider agents, Hacktivists etc. • Risk • Can be reduced and mitigated but accurate predictability can never be assured • What we can control (to a degree) • The asset exposure (vulnerability of a system)
Asset exposure Asset contextualisation is the key Vulnerability Management today and tomorrow by Jonathan Sinclair7 • Asset contextualisation is very difficult to obtain 1. Server Type : Dev, Integration, Prod 2. Informational representation: Open, Closed, Confidential 3. Application Criticality 4. CVSS(x) 5. Software inventory 6. Last patch cycle 7. Exploitability (publically available exploit exists vs. doesn’t) • Combine with network/asset level segregation • Assess known risk(s): scanning sources (OSVDB, Scip VulnDB, CVE, Security Advisories, NVD, Exploit-DB, SecurityFocus (BugTraq))
Transition to future situation Start small, build out Vulnerability Management today and tomorrow by Jonathan Sinclair8 • Where did all the software engineers go? • Automate, automate, automate! • Start with zoning (network, logical, software or otherwise). Resilience is critical. • Once zoned scanning cycles can be applied (weekly, monthly etc.), dependent on environmental ecology • Scanned results must be triaged: React, Patch, Accept • Vulnerability risk register must be maintained and updated to track asset(s) and current status • Escalation paths require top level management support especially when considering cross-zone roll out (re: Heartbleed, Poodle etc.)
Transition to future situation Vulnerability Management today and tomorrow by Jonathan Sinclair9 • Analogy to the automotive industry: Safety/security mechanisms built in at design time, no opt out. • Behavioral identification of potential malicious usage at the outset • Security logging, not just debugging.. • HTTPS: Why is HTTP even optional (ignoring legacy integration for a moment)? • Litigation support: A key component that needs to be deployed through policy
Future problems It will get worse, before it gets better Vulnerability Management today and tomorrow by Jonathan Sinclair10 • BYOD: How can one scan a device that isn’t owned by the enterprise? • Conflicts concerning privacy, ownership and accountability • Cloud services: How can an enterprise ensure a service provider will not expose it’s information to risk? • Legal frameworks for enforcement, accountability and liability • Cyber insurance • Financial penalties
Future problems Vulnerability Management today and tomorrow by Jonathan Sinclair11 • Internet of Thing’s and OT: How can enterprises cope with technological restrictions, warranty violations, embedded systems etc.? • Impose device on-boarding screening. Comply or you’re not connecting • Test scanning tools ability for ‘smart-scanning’, automated tools shouldn’t knock devices off the network or cause systems to fall over • Devices with remote monitoring or call-home functionality have to be carefully reviewed for enabling out-of-zone/band communication • Create separate logical zones to house these devices
What to take away Vulnerability Management today and tomorrow by Jonathan Sinclair12 Your environment is no doubt complex and heterogeneous • Start small • Build out from your most valuable assets • Assess their context and range of freedom (connectivity allowance) • Adhere to strict parameter security controls (tried and tested) Build a manageable vulnerability review program • Select multiple trusted vulnerability repositories • Have a dedicated team to review the status of emerging threats • Arrange for weekly reviews of the emerging threats vs. asset inventory according to zone priority
What to take away Vulnerability Management today and tomorrow by Jonathan Sinclair13 Get smart about engineering • Automate wherever possible • Understand your asset(s) exposure e.g. Poodle (which threat actors have the skills to implement and is the asset exposed to them?) • Does publically available exploit code exist in the wild? • Ensure you have a diverse range of threat sources Be prepared for resistance and understand the compromises you’ll be asked to make

Recommended

Blue Ocean IT Security
Blue Ocean IT SecurityBlue Ocean IT Security
Blue Ocean IT SecurityJonathan Sinclair
 
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskVulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskBeyondTrust
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 

Recommended

Blue Ocean IT Security
Blue Ocean IT SecurityBlue Ocean IT Security
Blue Ocean IT SecurityJonathan Sinclair
 
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskVulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskBeyondTrust
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment PresentationLionel Medina
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Skybox Security
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesIvanti
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management Argyle Executive Forum
 
Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Skybox Security
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
Why Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseWhy Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseLumension
 
Challenges of Vulnerability Management
Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability ManagementRahul Neel Mani
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
 
Software Vulnerability management
Software Vulnerability management Software Vulnerability management
Software Vulnerability management Kishor Datta Gupta
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Vulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewVulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewSusan Rantall
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1TECHNOLOGY CONTROL CO.
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkJack Shaffer
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
 

More Related Content

What's hot

Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Skybox Security
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management ProgramDennis Chaupis
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesIvanti
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management Argyle Executive Forum
 
Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Skybox Security
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementJim Piechocki
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessmentprimeteacher32
 
Why Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseWhy Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseLumension
 
Challenges of Vulnerability Management
Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability ManagementRahul Neel Mani
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
 
Software Vulnerability management
Software Vulnerability management Software Vulnerability management
Software Vulnerability management Kishor Datta Gupta
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability ManagementMarcelo Martins
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint SecurityAdrian Sanabria
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scaleEoin Keary
 
Vulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewVulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewSusan Rantall
 

What's hot (20)

Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?Is Your Vulnerability Management Program Irrelevant?
Is Your Vulnerability Management Program Irrelevant?
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best Practices
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
 
Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?Is Your Vulnerability Management Program Keeping Pace With Risks?
Is Your Vulnerability Management Program Keeping Pace With Risks?
 
USPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability ManagementUSPS CISO Academy - Vulnerability Management
USPS CISO Academy - Vulnerability Management
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
Why Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of DefenseWhy Patch Management is Still the Best First Line of Defense
Why Patch Management is Still the Best First Line of Defense
 
Challenges of Vulnerability Management
Challenges of Vulnerability Management Challenges of Vulnerability Management
Challenges of Vulnerability Management
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
 
Software Vulnerability management
Software Vulnerability management Software Vulnerability management
Software Vulnerability management
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Management
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
 
451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security451 and Cylance - The Roadmap To Better Endpoint Security
451 and Cylance - The Roadmap To Better Endpoint Security
 
Full stack vulnerability management at scale
Full stack vulnerability management at scaleFull stack vulnerability management at scale
Full stack vulnerability management at scale
 
Vulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) OverviewVulnerability Assessment & Analysis (VAA) Overview
Vulnerability Assessment & Analysis (VAA) Overview
 
Vulnerability Management V0.1
Vulnerability Management V0.1Vulnerability Management V0.1
Vulnerability Management V0.1
 

Similar to Vulnerability management today and tomorrow

Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkJack Shaffer
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information SystemsKashfUlHuda1
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentInfocyte
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Andreas Sfakianakis
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the CloudAlert Logic
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesBlack Duck by Synopsys
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
Unified threat management 4 july 17
Unified threat management 4 july 17Unified threat management 4 july 17
Unified threat management 4 july 17Yabibo
 
Unified threat management cisco 21 jun 17
Unified threat management cisco 21 jun 17Unified threat management cisco 21 jun 17
Unified threat management cisco 21 jun 17Yabibo
 
Cisco security 27 jun 17
Cisco security 27 jun 17Cisco security 27 jun 17
Cisco security 27 jun 17Yabibo
 
Unified threat management cisco 1 july 17
Unified threat management cisco 1 july 17Unified threat management cisco 1 july 17
Unified threat management cisco 1 july 17Yabibo
 
Unified threat management cisco 5 july 17
Unified threat management cisco 5 july 17Unified threat management cisco 5 july 17
Unified threat management cisco 5 july 17Yabibo
 
Cisco security3 july17
Cisco security3 july17Cisco security3 july17
Cisco security3 july17Yabibo
 
Unified threat management cisco 25 july 17
Unified threat management cisco 25 july 17Unified threat management cisco 25 july 17
Unified threat management cisco 25 july 17Yabibo
 
Cisco security 7 jun 17
Cisco security 7 jun 17Cisco security 7 jun 17
Cisco security 7 jun 17Yabibo
 

Similar to Vulnerability management today and tomorrow (20)

Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Open Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best PracticesOpen Source Security for Newbies - Best Practices
Open Source Security for Newbies - Best Practices
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Unified threat management 4 july 17
Unified threat management 4 july 17Unified threat management 4 july 17
Unified threat management 4 july 17
 
Unified threat management cisco 21 jun 17
Unified threat management cisco 21 jun 17Unified threat management cisco 21 jun 17
Unified threat management cisco 21 jun 17
 
Cisco security 27 jun 17
Cisco security 27 jun 17Cisco security 27 jun 17
Cisco security 27 jun 17
 
Unified threat management cisco 1 july 17
Unified threat management cisco 1 july 17Unified threat management cisco 1 july 17
Unified threat management cisco 1 july 17
 
Unified threat management cisco 5 july 17
Unified threat management cisco 5 july 17Unified threat management cisco 5 july 17
Unified threat management cisco 5 july 17
 
Cisco security3 july17
Cisco security3 july17Cisco security3 july17
Cisco security3 july17
 
Unified threat management cisco 25 july 17
Unified threat management cisco 25 july 17Unified threat management cisco 25 july 17
Unified threat management cisco 25 july 17
 
Cisco security 7 jun 17
Cisco security 7 jun 17Cisco security 7 jun 17
Cisco security 7 jun 17
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 

More from Jonathan Sinclair

Is the SOC working as a viable business model (or security model)?
Is the SOC working as a viable business model (or security model)?Is the SOC working as a viable business model (or security model)?
Is the SOC working as a viable business model (or security model)?Jonathan Sinclair
 
Machine learning 101 - or less
Machine learning 101 - or lessMachine learning 101 - or less
Machine learning 101 - or lessJonathan Sinclair
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon usJonathan Sinclair
 
Architecting trust in the digital landscape, or lack thereof
Architecting trust in the digital landscape, or lack thereofArchitecting trust in the digital landscape, or lack thereof
Architecting trust in the digital landscape, or lack thereofJonathan Sinclair
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?Jonathan Sinclair
 
XAI – accountability unchecked
XAI – accountability uncheckedXAI – accountability unchecked
XAI – accountability uncheckedJonathan Sinclair
 
Cyber speed – the unknown velocity component
Cyber speed – the unknown velocity componentCyber speed – the unknown velocity component
Cyber speed – the unknown velocity componentJonathan Sinclair
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingJonathan Sinclair
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012Jonathan Sinclair
 

More from Jonathan Sinclair (10)

Is the SOC working as a viable business model (or security model)?
Is the SOC working as a viable business model (or security model)?Is the SOC working as a viable business model (or security model)?
Is the SOC working as a viable business model (or security model)?
 
Machine learning 101 - or less
Machine learning 101 - or lessMachine learning 101 - or less
Machine learning 101 - or less
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon us
 
Architecting trust in the digital landscape, or lack thereof
Architecting trust in the digital landscape, or lack thereofArchitecting trust in the digital landscape, or lack thereof
Architecting trust in the digital landscape, or lack thereof
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 
XAI – accountability unchecked
XAI – accountability uncheckedXAI – accountability unchecked
XAI – accountability unchecked
 
Cyber speed – the unknown velocity component
Cyber speed – the unknown velocity componentCyber speed – the unknown velocity component
Cyber speed – the unknown velocity component
 
Cyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not workingCyber Security: Strategies, Defence and what’s not working
Cyber Security: Strategies, Defence and what’s not working
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
 
Breach analysis slideshare
Breach analysis slideshareBreach analysis slideshare
Breach analysis slideshare
 

Recently uploaded

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 

Recently uploaded (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 

Vulnerability management today and tomorrow

  • 1. Vulnerability Management today and tomorrow in the Enterprise By Jonathan Sinclair
  • 2. Agenda Current Situation1 Definition of terms What we can control3 Asset Exposure4 The Future5 What to take away6 Vulnerability Management today and tomorrow by Jonathan Sinclair2
  • 3. Current Situation Today : It’s a mess Vulnerability Management today and tomorrow by Jonathan Sinclair3 • Multi-dimensional, heterogeneous system landscape • Legacy systems with ‘do not touch’ (patch/upgrade) license agreements • Global deployment (different time zones) • Distributed ownership (out-sourced IT) • Cloud scenarios • Everything managed through Excel • Scanning too much/not enough
  • 4. Definition of terms What do we want to achieve operating IT security? Vulnerability Management today and tomorrow by Jonathan Sinclair4 • Ask yourself what is the difference between a RISK and a VULNERABILITY? • Both can be mitigated/treated • It seems that when someone talks about a risk, a vulnerability immediately follows • Risk* = A situation involving exposure to danger • Vulnerability* = Coming from the Latin ‘vulnus’ wound: Exposure to the possibility of being attacked or harmed, either physically or emotionally (digitally) • The point of every vulnerability management program is to reduce the exposure of information to a harm/threat * Definitions taken from oxforddictionaries.com, 10.2015
  • 5. Vulnerability Management Dependency triad Vulnerability Management today and tomorrow by Jonathan Sinclair5 Vulnerability Management Risk VulnerabilityThreat
  • 6. What can we control? Vulnerability Management today and tomorrow by Jonathan Sinclair6 • What we can’t control • Threats will always exist • Air gap, Malicious insider agents, Hacktivists etc. • Risk • Can be reduced and mitigated but accurate predictability can never be assured • What we can control (to a degree) • The asset exposure (vulnerability of a system)
  • 7. Asset exposure Asset contextualisation is the key Vulnerability Management today and tomorrow by Jonathan Sinclair7 • Asset contextualisation is very difficult to obtain 1. Server Type : Dev, Integration, Prod 2. Informational representation: Open, Closed, Confidential 3. Application Criticality 4. CVSS(x) 5. Software inventory 6. Last patch cycle 7. Exploitability (publically available exploit exists vs. doesn’t) • Combine with network/asset level segregation • Assess known risk(s): scanning sources (OSVDB, Scip VulnDB, CVE, Security Advisories, NVD, Exploit-DB, SecurityFocus (BugTraq))
  • 8. Transition to future situation Start small, build out Vulnerability Management today and tomorrow by Jonathan Sinclair8 • Where did all the software engineers go? • Automate, automate, automate! • Start with zoning (network, logical, software or otherwise). Resilience is critical. • Once zoned scanning cycles can be applied (weekly, monthly etc.), dependent on environmental ecology • Scanned results must be triaged: React, Patch, Accept • Vulnerability risk register must be maintained and updated to track asset(s) and current status • Escalation paths require top level management support especially when considering cross-zone roll out (re: Heartbleed, Poodle etc.)
  • 9. Transition to future situation Vulnerability Management today and tomorrow by Jonathan Sinclair9 • Analogy to the automotive industry: Safety/security mechanisms built in at design time, no opt out. • Behavioral identification of potential malicious usage at the outset • Security logging, not just debugging.. • HTTPS: Why is HTTP even optional (ignoring legacy integration for a moment)? • Litigation support: A key component that needs to be deployed through policy
  • 10. Future problems It will get worse, before it gets better Vulnerability Management today and tomorrow by Jonathan Sinclair10 • BYOD: How can one scan a device that isn’t owned by the enterprise? • Conflicts concerning privacy, ownership and accountability • Cloud services: How can an enterprise ensure a service provider will not expose it’s information to risk? • Legal frameworks for enforcement, accountability and liability • Cyber insurance • Financial penalties
  • 11. Future problems Vulnerability Management today and tomorrow by Jonathan Sinclair11 • Internet of Thing’s and OT: How can enterprises cope with technological restrictions, warranty violations, embedded systems etc.? • Impose device on-boarding screening. Comply or you’re not connecting • Test scanning tools ability for ‘smart-scanning’, automated tools shouldn’t knock devices off the network or cause systems to fall over • Devices with remote monitoring or call-home functionality have to be carefully reviewed for enabling out-of-zone/band communication • Create separate logical zones to house these devices
  • 12. What to take away Vulnerability Management today and tomorrow by Jonathan Sinclair12 Your environment is no doubt complex and heterogeneous • Start small • Build out from your most valuable assets • Assess their context and range of freedom (connectivity allowance) • Adhere to strict parameter security controls (tried and tested) Build a manageable vulnerability review program • Select multiple trusted vulnerability repositories • Have a dedicated team to review the status of emerging threats • Arrange for weekly reviews of the emerging threats vs. asset inventory according to zone priority
  • 13. What to take away Vulnerability Management today and tomorrow by Jonathan Sinclair13 Get smart about engineering • Automate wherever possible • Understand your asset(s) exposure e.g. Poodle (which threat actors have the skills to implement and is the asset exposed to them?) • Does publically available exploit code exist in the wild? • Ensure you have a diverse range of threat sources Be prepared for resistance and understand the compromises you’ll be asked to make