Is Your Vulnerability Management Program Keeping Pace With Risks?



To effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks continuously. This is required in order to match or exceed the daily rate of attacks.
Why bother to assess your risks every 90 days when new threats are unleashed every day?
See how you can:
• Transform vulnerability discovery from a ‘round robin’ schedule to continuous monitoring for vulnerabilities
• Prioritize vulnerabilities based on exploitability and potential business impact
• Focus remediation efforts and track progress to show a measurable reduction of risk
• Make vulnerability management an essential part of daily change management processes

These slides will include case studies, survey data, and best practices – ideal for IT security practitioners who are considering, or already implementing, next-generation vulnerability management to effectively and measurably mitigate risk.

Published in: Technology

  1. Michelle Cobb, VP Marketing, Skybox Security; Ed Mosquera, Security Consultant, Skybox Security. May 2013. Best Practices for Next-Generation Vulnerability Management
  2. © 2013 Skybox Security Inc. Skybox Security Overview: Predictive risk analytics for best decision support; Complete visibility of network and risks; Designed for continuous, scalable operations. Leader in Proactive Security Risk Management. Proven Effective in Complex Network Environments.
  3. Vulnerability Management is Not Dead… It Is Just Not Working. Risk Levels Keep Rising: Compliance, continuous monitoring; Proliferation of mobile, cloud; Protect against financial loss due to cybercrime; Deal with advanced threats, targeted attacks; Need to secure new services and users.
  4. Is Your Vulnerability Management Program Keeping Pace? Then. Now. Find, Analyze, Fix.
  5. 2012 Survey Highlights the Vulnerability Discovery Gap. How often do you scan? How much coverage? [Chart: Frequency (cycles/year) against % of Network Scanned.] Critical systems, DMZ; Scan every 30 days; 50-75% of hosts. To keep pace with threats? Daily updates; 90%+ hosts?
  6. Challenges with Traditional Scan Approach: Disruptive, Inaccurate Picture of Risk. Reasons that respondents don’t scan more often:
     • We just don’t need to scan more
     • Unable to gain credentialed access to scan portions of the network
     • The cost of licenses is prohibitive
     • Some hosts are not scannable due to their use
     • We don’t have the resources to deal with broader patching activity
     • We don’t have the resources to analyze more frequent scan data
     • We are concerned about disruptions from scanning
     Chart values: 59%, 58%, 41%, 34%, 29%, 12%, 5%
  7. Polling Question #1: When you analyze scan data to determine how to remediate vulnerabilities, generally how old is the scan data?
     – <5 days
     – <15 days
     – <30 days
     – Older than 30 days
  8. Naïve Analysis Results in Costly and Ineffective Remediation. All vulnerabilities in environment: 30,000; Identified by scanner: 50-75%; Attack vectors using exploitable vulnerabilities; Patch/Fix; Patching may miss attack vectors.
  9. First Generation Vulnerability Management Processes Are No Longer Effective. Now: Find, Analyze, Fix. 30-60 days to scan and catalog 75% of vulnerabilities; 2-4 weeks to analyse, and still get it wrong; 60 days to patch, £200,000 per year. Cycle Time: Typically 2-4 months. New vulnerabilities, threats, changes: Hundreds per day. Result: Risk level never reduced. Big Disconnect …
  10. Self-Test: What are Your VM Program Challenges? Discover; Analyse and Prioritise; Mitigate. How often is vulnerability data collected? How much of the network is covered? Is scanning disruptive to the business? Are you able to find alternatives to patching? Do you prioritise by possible business impact? Are you considering the network context? Is risk level increasing or decreasing over time? Continuous, Automated, Scalable?
  11. Introduction to Next Generation Vulnerability Management. Discover; Analyse and Prioritise; Mitigate. Non-disruptive discovery; Scalable; Automated analysis; Risk-based prioritisation; Using network and security context; Actionable; Optimal; Easy to track. Scalable Program to Address Critical Vulnerabilities Continuously and Efficiently.
  12. Vulnerability Discovery: Use the Right Approach for Your Network. Asset Data; Patch Data; Threat Intel. Active Scanning; Non-disruptive; Scan-less Detection; Continuous identification; Relevant vulnerabilities; Infrequent scanning; Large number of vulnerabilities.
  13. Main Uses of Skybox Dictionary. Skybox Dictionary; Vulnerability Detector; Attack Simulation; Data Collection into security model; Data normalization (vulnerabilities, IPS signatures); Product and vulnerability profiling rules; Attack vectors information.
  14. Polling Question #2: What approach do you use most often to prioritize patching activities?
     – Primarily by risk posed to business assets
     – Primarily by vulnerability severity level from the scanner
     – Primarily by scope; the number of systems affected by the vulnerability
     – Primarily by ease of applying the patch (e.g. patches that could be disruptive applied last)
  15. Skybox Vulnerability and Threat Management. Network Devices; Firewalls / IPS; Prioritized Threats; Remediation Options; Threat Reports; Attack Simulation; Threat Correlation; Asset Data; Vulnerability Data; Threat Intelligence; Network Modeling; Attack Scenarios; Risk-Based Prioritization.
  16. Skybox Data-Driven Approach: Use a Network Model. Firewall; Load Balancer; Router; IPS; Vulnerability Scanner; Patch; System Config. © 2012 Skybox Security
  17. “Scanless” Vulnerability Discovery. Missing Patches; Installed Products; On-going Synchronization; Normalization & Merging; Hosts, Products, Vulnerabilities, Patches; The Organizational Assets; Vulnerability Detector; Configuration Files, Asset, Patch, and AV Managers; Active Scan; Vulnerability Feeds; Vulnerabilities; Hosts; Vulnerability Scanners; Scanner Connectors.
  18. Finding Exploitable Vulnerabilities. Compromised Partner; Rogue Admin; Internet Hacker. Vulnerabilities:
     • CVE 2009-203
     • CVE 2006-722
     • CVE 2006-490
  19. Predictive Analytics via Attack Simulation. Compromised Partner; Attack Simulations; Rogue Admin; Internet Hacker. Vulnerabilities:
     • CVE 2013-203
     • CVE 2012-722
     • CVE 2010-490
  20. Automated Analysis – Attack Surface, Exploitable Attack Vectors, Risks. All vulnerabilities in environment: 30,000; Identified vulnerabilities: 90+%; Prioritize by potential impact; Attack Surface; Patch/Fix; High priority remediation.
  21. Actionable Remediation Process, Leveraging Attack Vectors Information. Install security patch on server; Change firewall access rule; Activate signature on IPS.
  22. High Level Visibility for Vulnerability Management: Monitor Impact and Risk Metrics over Time. Most Critical Actions; Vulnerabilities; Threats.
  23. Comparison – Old and Next Generation VM
     • Discovery: Old Generation: Scanning Only. Next Generation: Scan-less discovery + scanning.
     • Analysis: Old Generation: Manual; inaccurate. Next Generation: Automated; risk-based.
     • Remediation: Old Generation: Hit & Miss with Patching. Next Generation: Optimal risk mitigation.
     • Scope: Old Generation: Limited to traditional assets. Next Generation: Enterprise-wide program.
     • Automation: Old Generation: Only scanning; Cycle time 2-4 months. Next Generation: From A-Z; Continuous process.
     • Effectiveness: Old Generation: Costly program; little benefits. Next Generation: Optimal Risk Mitigation.
  24. In Summary – Steps to Effective Vulnerability Management
     • Know what’s really exploitable in your network
     • Rank by business impact, end unnecessary patching
     • Increase coverage of vulnerability assessment
     • Increase frequency of vulnerability discovery
     Ensure Frequent & Complete Knowledge of Your Vulnerabilities
     • Evaluate alternatives to patching
     • Verify impact on risk, and track progress
     Close the Loop with Optimal Mitigation and Effective Tracking
     Use Risk Analytics to Determine the Exposure
  25. Thank you. www.skyboxsecurity.com. Download the Skybox Vulnerability Management Tool Kit