Planning and Deploying an Effective Vulnerability Management Program


Published on

This presentation covers the essential components of a successful Vulnerability Management program that allows you proactively identify risk to protect your network and critical business assets.

Key take-aways:

* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Planning and Deploying an Effective Vulnerability Management Program

  1. 1. Fast Track: Planning & Deploying an Effective Vulnerability Management Program By Jonathan Bitle, Technical Director, Qualys, Inc.
  2. 2. Problems affecting implementation <ul><ul><li>There are 3 main categories of importance </li></ul></ul><ul><ul><li>When planning an effective Vulnerability </li></ul></ul><ul><ul><li>Management Program: </li></ul></ul><ul><ul><li>Technology </li></ul></ul><ul><ul><li>People </li></ul></ul><ul><ul><li>Process </li></ul></ul>
  3. 3. Technology: Solution Design <ul><ul><li>Design is the simple part of a production roll-out </li></ul></ul>
  4. 4. Technology: Appliances <ul><ul><li>Plan for the number of scanning Appliances </li></ul></ul><ul><ul><li># of active hosts = # of appliances required </li></ul></ul><ul><ul><ul><li>Frequency of scans alter requirements </li></ul></ul></ul><ul><ul><li>Network Topology can complicate the design </li></ul></ul><ul><ul><ul><li>Firewalls / Access Control Devices </li></ul></ul></ul><ul><ul><ul><li>Low speed bandwidth links </li></ul></ul></ul><ul><ul><ul><li>Geographic and political boundaries </li></ul></ul></ul>
  5. 5. Technology: Gather Basic Information <ul><ul><li>IP addresses for each planned scanning appliance </li></ul></ul><ul><ul><li>Subnet Mask for each planned network interface </li></ul></ul><ul><ul><li>Hostname for each appliance </li></ul></ul><ul><ul><li>DNS information </li></ul></ul>
  6. 6. Technology: Utilize The Technology <ul><ul><li>Take advantage of Automation capabilities of the </li></ul></ul><ul><ul><li>technology to save time for more important tasks </li></ul></ul><ul><ul><li>such as remediation. </li></ul></ul><ul><ul><li>Schedule Scans </li></ul></ul><ul><ul><li>Develop alerts for severe risk issues </li></ul></ul><ul><ul><li>Automate report generation and distribution </li></ul></ul>
  7. 7. People <ul><ul><li>People are the cornerstone of an effective security policy and risk reduction. </li></ul></ul>
  8. 8. People: Know Your Target Audience <ul><ul><li>Make a list of key team members and know </li></ul></ul><ul><ul><li>Their needs. If possible, interview them to </li></ul></ul><ul><ul><li>Better understand how to streamline information. </li></ul></ul><ul><ul><li>CISO / CIO </li></ul></ul><ul><ul><ul><li>Ultimate owner of risk in the environment </li></ul></ul></ul><ul><ul><ul><li>Signs off on regulatory compliance measures </li></ul></ul></ul><ul><ul><ul><li>Needs high-level metrics (pass/fail?) to ensure risk reduction </li></ul></ul></ul><ul><ul><li>Executive Staff </li></ul></ul><ul><ul><ul><li>Makes resource allocation decisions </li></ul></ul></ul><ul><ul><ul><li>Needs trend information to understand effectiveness of security program </li></ul></ul></ul><ul><ul><li>Directors / Managers </li></ul></ul><ul><ul><ul><li>Oversees system owners and helps prioritize work efforts </li></ul></ul></ul><ul><ul><ul><li>Needs visibility into system owner performance </li></ul></ul></ul><ul><ul><li>System Owner </li></ul></ul><ul><ul><ul><li>Own the systems and responsible for remediation efforts </li></ul></ul></ul><ul><ul><ul><li>Need detailed technical reports with prioritization </li></ul></ul></ul>
  9. 9. People: Know Your System Owners <ul><ul><li>Remediation will require significant resource </li></ul></ul><ul><ul><li>allocation and time. </li></ul></ul><ul><ul><li>Important to properly identify system owners </li></ul></ul><ul><ul><ul><li>Enables Automated host ownership reports </li></ul></ul></ul><ul><ul><ul><li>By geographical region or business unit </li></ul></ul></ul><ul><ul><ul><li>Based on Operating System </li></ul></ul></ul><ul><ul><ul><li>Based on applications </li></ul></ul></ul><ul><ul><li>Streamline the information provided </li></ul></ul><ul><ul><ul><li>Provide information to the owner, don’t rely on them to find it </li></ul></ul></ul><ul><ul><ul><li>Irrelevant information will create push-back </li></ul></ul></ul><ul><ul><ul><li>A list of 1000 issues will rarely get fixed </li></ul></ul></ul><ul><ul><ul><li>A list of 10 high risk issues will get done immediately </li></ul></ul></ul>
  10. 10. People: Problems Will Occur <ul><ul><li>Expect that problems will occur and develop a </li></ul></ul><ul><ul><li>strategy to deal with them. </li></ul></ul><ul><ul><li>Hosts or applications will have interoperability issues with the scans </li></ul></ul><ul><ul><ul><li>Work with vendors to identify root cause </li></ul></ul></ul><ul><ul><li>Team members may not meet performance goals </li></ul></ul><ul><ul><ul><li>Look into prioritization issues </li></ul></ul></ul><ul><ul><li>Vendors may not have patches to resolve discovered issues </li></ul></ul><ul><ul><ul><li>Develop ways to mitigate risk (firewalls, port filtering, etc) </li></ul></ul></ul><ul><ul><li>Evangelize. Evangelize. Evangelize. </li></ul></ul><ul><ul><li>It is imperative that numerous groups in the organization understand the importance of your vulnerability management program. </li></ul></ul><ul><ul><ul><li>System Administrators must understand the importance of reducing risk, and how it ultimately effects system uptime </li></ul></ul></ul><ul><ul><ul><li>Executive buy-in is required for effective risk reduction </li></ul></ul></ul><ul><ul><li>Provide product demos and training sessions </li></ul></ul>
  11. 11. People: Create a list of stated goals <ul><ul><li>Provide an accurate assessment of risk for each host and relative network segments </li></ul></ul><ul><ul><li>Facilitate a security assessment that leads to best practices with regard to remediation actions </li></ul></ul><ul><ul><li>Provide system administrators with the tools to optimize and validate remediation efforts </li></ul></ul><ul><ul><li>Provide a common language and metrics to discuss risk across the organization </li></ul></ul><ul><ul><li>Provide for prioritization of vulnerabilities and remediation efforts in the environment </li></ul></ul><ul><ul><li>Provide executive staff with risk metrics and measure adherence to corporate policies </li></ul></ul><ul><ul><li>Provide a feedback loop for current and future system policy </li></ul></ul><ul><ul><li>Provide constant monitoring and measurement of risk in the environment for adherence to regulatory compliance initiatives </li></ul></ul><ul><ul><li>Measure overall effectiveness of the security program </li></ul></ul><ul><ul><li>Provide automated workflow capabilities that reduce resource requirements </li></ul></ul><ul><ul><li>Protect the organization from successful exploit of vulnerabilities </li></ul></ul>
  12. 12. People: Work Toward a Single Goal <ul><ul><li>The ultimate goal of our Vulnerability Management solution is to measure, manage and reduce risk in our environment. </li></ul></ul><ul><ul><li>Always work towards this main goal. </li></ul></ul>
  13. 13. Process: Define Your Security Policy <ul><ul><li>Recognize that your security policy should fit the needs and goals of YOUR organization, and as such every there is no one-size-fits-all solution. However, there are commonalities and guidelines that will help you define an effective policy. </li></ul></ul>
  14. 14. Process: Heterogeneous Environment <ul><ul><li>Most environments are highly heterogeneous </li></ul></ul><ul><ul><li>creating numerous challenges. </li></ul></ul><ul><ul><li>Rarely a clear understanding of the types of hosts for each network segment </li></ul></ul><ul><ul><li>Multitude of host and application owners </li></ul></ul><ul><ul><li>Asset management systems are rarely kept up to date </li></ul></ul>
  15. 15. Process: Define “In / Out of Scope” <ul><ul><li>What are the total networks in use? </li></ul></ul><ul><ul><ul><li>Is network information stored in an asset management system? </li></ul></ul></ul><ul><ul><ul><li>Utilize automated discovery process of the tool </li></ul></ul></ul><ul><ul><li>Which networks should be excluded? </li></ul></ul><ul><ul><ul><li>Networks that should never be scanned, given the ramification of an application interaction issue. (ie process control systems like SCADA devices) </li></ul></ul></ul><ul><ul><ul><li>Networks that have serious bandwidth constraints (defer these to a different phase?) </li></ul></ul></ul><ul><ul><ul><li>Small subnets that do not contain hosts (ie router to router subnets – exclude all /29 and up?) </li></ul></ul></ul><ul><ul><ul><li>Systems that are known to have application interaction issues that can not be resolved </li></ul></ul></ul><ul><ul><ul><li>Systems that are obstructed by Access Control devices </li></ul></ul></ul>
  16. 16. Process: Classify Your Assets <ul><ul><li>We can get mired down in classification schemes, </li></ul></ul><ul><ul><li>However it is more important to have some form of </li></ul></ul><ul><ul><li>classification no matter how simple. </li></ul></ul><ul><ul><li>Start with a simple classification system and adjust as necessary: </li></ul></ul><ul><ul><li>Critical Assets </li></ul></ul><ul><ul><ul><li>Mission / business critical </li></ul></ul></ul><ul><ul><ul><li>Related to regulatory compliance </li></ul></ul></ul><ul><ul><ul><li>* PCI </li></ul></ul></ul><ul><ul><ul><li>* Sarbanes Oxley </li></ul></ul></ul><ul><ul><ul><li>* HIPAA </li></ul></ul></ul><ul><ul><ul><li>* NERC / FERC </li></ul></ul></ul><ul><ul><li>High </li></ul></ul><ul><ul><ul><li>General server category </li></ul></ul></ul><ul><ul><li>Medium </li></ul></ul><ul><ul><ul><li>Workstations & Laptops </li></ul></ul></ul><ul><ul><li>Low </li></ul></ul><ul><ul><ul><li>Printers, etc </li></ul></ul></ul>
  17. 17. Process: Prioritization <ul><ul><li>You can’t fix everything so prioritization is key. </li></ul></ul><ul><ul><li>Critical (48 hours to resolve) </li></ul></ul><ul><ul><ul><li>High & Critical vulnerability on critical asset </li></ul></ul></ul><ul><ul><li>High (one week to resolve) </li></ul></ul><ul><ul><ul><li>Medium vulnerability on critical asset </li></ul></ul></ul><ul><ul><ul><li>High vulnerability on High asset </li></ul></ul></ul><ul><ul><li>Medium (one month to resolve) </li></ul></ul><ul><ul><ul><li>Low vulnerability on critical asset </li></ul></ul></ul><ul><ul><ul><li>Medium vulnerability on High asset </li></ul></ul></ul><ul><ul><ul><li>High vulnerability on Low asset </li></ul></ul></ul><ul><ul><li>Low (6 months to resolve) </li></ul></ul><ul><ul><ul><li>Medium vulnerability on Low Asset </li></ul></ul></ul>
  18. 18. Process: Oversight & Accountability <ul><ul><li>Some organizations will have a mandate, possibly </li></ul></ul><ul><ul><li>driven by external regulatory measures. However, </li></ul></ul><ul><ul><li>many organizations do not start off in this way. </li></ul></ul><ul><ul><li>Bonus tied to remediation </li></ul></ul><ul><ul><ul><li>Most effective way to ensure compliance to security policy </li></ul></ul></ul><ul><ul><li>Remediation Managers </li></ul></ul><ul><ul><ul><li>Provide oversight of risk reduction process </li></ul></ul></ul><ul><ul><li>“ Wall of Shame” </li></ul></ul><ul><ul><ul><li>Peer pressure can be effective! </li></ul></ul></ul>
  19. 19. Process: Deployment Phases <ul><ul><li>Recommend phasing in scans to determine application interaction issues </li></ul></ul><ul><ul><li>Phased approach not necessary for all networks, but recommended for critical infrastructure </li></ul></ul><ul><ul><li>Perform Initial testing of critical infrastructure in change windows </li></ul></ul>
  20. 20. Summary <ul><ul><li>Technology is the simple part of your Vulnerability Management solution </li></ul></ul><ul><ul><ul><li>Utilize Automation wherever possible </li></ul></ul></ul><ul><ul><li>People are key to getting the job done, use them wisely and build a good working relationship. </li></ul></ul><ul><ul><ul><li>Know the key players, their roles and responsibilities </li></ul></ul></ul><ul><ul><ul><li>Don’t overwhelm people with data </li></ul></ul></ul><ul><ul><ul><li>Get buy-in from multiple groups in your organization, especially the executive staff </li></ul></ul></ul><ul><ul><li>Process is necessary to an effective solution - keep it simple to understand and follow </li></ul></ul><ul><ul><ul><li>Classify your assets; always work on the most important assets first </li></ul></ul></ul><ul><ul><ul><li>Prioritize remediation; always work on the most critical issues first </li></ul></ul></ul><ul><ul><ul><li>Create and use Service Level Agreements </li></ul></ul></ul><ul><ul><ul><li>Monitor progress and make policy adjustments as necessary </li></ul></ul></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.