Planning and Deploying an Effective Vulnerability Management Program - Presentation Transcript
Fast Track: Planning & Deploying an Effective Vulnerability Management Program By Jonathan Bitle, Technical Director, Qualys, Inc.
Problems affecting implementation
There are 3 main categories of importance
when planning an effective Vulnerability Management Program:
Technology
People
Process
Technology: Solution Design
Design is the simple part of a production roll-out
Technology: Appliances
Plan for the number of scanning Appliances
The number of active hosts drives the number of appliances required
Scan frequency also alters the requirements
Network Topology can complicate the design
Firewalls / Access Control Devices
Low-bandwidth links
Geographic and political boundaries
Technology: Gather Basic Information
IP addresses for each planned scanning appliance
Subnet Mask for each planned network interface
Hostname for each appliance
DNS information
Technology: Utilize The Technology
Take advantage of the automation capabilities of the technology to save time for more important tasks, such as remediation.
Schedule Scans
Develop alerts for severe risk issues
Automate report generation and distribution
People
People are the cornerstone of an effective security policy and risk reduction.
People: Know Your Target Audience
Make a list of key team members and know their needs. If possible, interview them to better understand how to streamline the information they receive.
CISO / CIO
Ultimate owner of risk in the environment
Signs off on regulatory compliance measures
Needs high-level metrics (pass/fail?) to ensure risk reduction
Executive Staff
Makes resource allocation decisions
Needs trend information to understand effectiveness of security program
Directors / Managers
Oversees system owners and helps prioritize work efforts
Needs visibility into system owner performance
System Owner
Own the systems and are responsible for remediation efforts
Need detailed technical reports with prioritization
People: Know Your System Owners
Remediation will require significant resource allocation and time.
Important to properly identify system owners
Enables automated host ownership reports
By geographical region or business unit
Based on Operating System
Based on applications
Streamline the information provided
Provide information to the owner; don’t rely on them to find it
Irrelevant information will create push-back
A list of 1000 issues will rarely get fixed
A list of 10 high risk issues will get done immediately
People: Problems Will Occur
Expect that problems will occur and develop a strategy to deal with them.
Hosts or applications will have interoperability issues with the scans
Work with vendors to identify root cause
Team members may not meet performance goals
Look into prioritization issues
Vendors may not have patches to resolve discovered issues
Develop ways to mitigate risk (firewalls, port filtering, etc.)
Evangelize. Evangelize. Evangelize.
It is imperative that numerous groups in the organization understand the importance of your vulnerability management program.
System administrators must understand the importance of reducing risk, and how it ultimately affects system uptime
Executive buy-in is required for effective risk reduction
Provide product demos and training sessions
People: Create a list of stated goals
Provide an accurate assessment of risk for each host and relative network segments
Facilitate a security assessment that leads to best practices with regard to remediation actions
Provide system administrators with the tools to optimize and validate remediation efforts
Provide a common language and metrics to discuss risk across the organization
Provide for prioritization of vulnerabilities and remediation efforts in the environment
Provide executive staff with risk metrics and measure adherence to corporate policies
Provide a feedback loop for current and future system policy
Provide constant monitoring and measurement of risk in the environment for adherence to regulatory compliance initiatives
Measure overall effectiveness of the security program
Provide automated workflow capabilities that reduce resource requirements
Protect the organization from successful exploit of vulnerabilities
People: Work Toward a Single Goal
The ultimate goal of our Vulnerability Management solution is to measure, manage and reduce risk in our environment.
Always work towards this main goal.
Process: Define Your Security Policy
Recognize that your security policy should fit the needs and goals of YOUR organization; as such, there is no one-size-fits-all solution. However, there are commonalities and guidelines that will help you define an effective policy.
Process: Heterogeneous Environment
Most environments are highly heterogeneous, creating numerous challenges.
Rarely a clear understanding of the types of hosts for each network segment
Multitude of host and application owners
Asset management systems are rarely kept up to date
Process: Define “In / Out of Scope”
What are the total networks in use?
Is network information stored in an asset management system?
Utilize automated discovery process of the tool
Which networks should be excluded?
Networks that should never be scanned, given the ramifications of an application interaction issue (e.g., process control systems such as SCADA devices)
Networks that have serious bandwidth constraints (defer these to a different phase?)
Small subnets that do not contain hosts (e.g., router-to-router subnets; exclude /29 and smaller?)
Systems that are known to have application interaction issues that cannot be resolved
Systems that are obstructed by Access Control devices
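The in/out-of-scope rules above can be applied mechanically to a network inventory before the first scan. The following is an added example (not code from the presentation or from Qualys): it takes a candidate list of networks, carves out a never-scan range such as a SCADA segment, sets aside a bandwidth-constrained network for a later phase, and drops /29-and-smaller transit subnets. The candidate networks, the never-scan and defer lists, and the 4-host-bit threshold are constructed assumptions for illustration, and the inventory is assumed to be IPv4 only.

```python
"""Scope filter for a vulnerability-scan rollout.

Added example, not from the original presentation. Candidate networks,
exclusion lists and the /29 threshold are constructed inputs chosen to
illustrate the slide's in/out-of-scope rules; all inputs are assumed IPv4.
"""
import ipaddress

# Constructed sample inventory, e.g. exported from an asset system or discovery scan.
CANDIDATE_NETWORKS = [
    "10.10.0.0/16",      # corporate user LAN
    "10.20.5.0/24",      # data-center servers
    "10.20.9.0/24",      # data-center servers; upper half is a SCADA range
    "10.30.0.0/20",      # remote office behind a low-bandwidth link
    "192.168.254.0/30",  # router-to-router link
    "192.168.254.8/29",  # another point-to-point link
]

# Constructed policy lists.
NEVER_SCAN = ["10.20.9.128/25"]  # process-control (SCADA) range, excluded outright
DEFER = ["10.30.0.0/20"]         # bandwidth-constrained, moved to a later phase
MIN_HOST_BITS = 4                # "/29 and smaller": fewer than 2**4 addresses is a transit subnet


def build_scope(candidates, never_scan, defer, min_host_bits=MIN_HOST_BITS):
    """Split candidate CIDRs into 'in_scope', 'deferred' and 'excluded' lists of strings.

    - Subnets with fewer than min_host_bits host bits (/29, /30, ...) are excluded
      as hostless transit links.
    - A network inside a deferred range is reported under 'deferred'.
    - A never-scan range nested inside a candidate is carved out with
      address_exclude(), so the rest of a partly excluded /24 is still scanned;
      a candidate nested inside a never-scan range is excluded whole.
    """
    never = [ipaddress.ip_network(n) for n in never_scan]
    deferred = [ipaddress.ip_network(n) for n in defer]
    result = {"in_scope": [], "deferred": [], "excluded": []}

    for cidr in candidates:
        # strict=True rejects entries like 10.0.0.1/24, which usually signal bad inventory data.
        net = ipaddress.ip_network(cidr, strict=True)

        if net.max_prefixlen - net.prefixlen < min_host_bits:
            result["excluded"].append(str(net))
            continue

        if any(net.subnet_of(d) for d in deferred):
            result["deferred"].append(str(net))
            continue

        remaining = [net]
        for bad in never:
            next_remaining = []
            for r in remaining:
                if bad.subnet_of(r):            # never-scan range sits inside (or equals) r
                    next_remaining.extend(r.address_exclude(bad))
                    result["excluded"].append(str(bad))
                elif r.subnet_of(bad):          # r lies entirely inside a never-scan range
                    result["excluded"].append(str(r))
                else:                           # CIDR blocks are nested or disjoint; this is disjoint
                    next_remaining.append(r)
            remaining = next_remaining
        result["in_scope"].extend(str(r) for r in sorted(remaining))

    return result


if __name__ == "__main__":
    scope = build_scope(CANDIDATE_NETWORKS, NEVER_SCAN, DEFER)
    for bucket, nets in scope.items():
        print(f"{bucket:9} {', '.join(nets) or '(none)'}")
```

Feed the resulting in_scope list to the scanner's target configuration and keep the excluded and deferred lists under change control; the carve-out step is the one worth a second look, because a never-scan range that is silently swallowed by a larger candidate is exactly how a SCADA segment ends up being scanned.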
Process: Classify Your Assets
We can get mired in classification schemes; however, it is more important to have some form of classification, no matter how simple.
Start with a simple classification system and adjust as necessary:
Critical Assets
Mission / business critical
Related to regulatory compliance
* PCI
* Sarbanes Oxley
* HIPAA
* NERC / FERC
High
General server category
Medium
Workstations & Laptops
Low
Printers, etc
Process: Prioritization
You can’t fix everything so prioritization is key.
Critical (48 hours to resolve)
High & Critical vulnerability on critical asset
High (one week to resolve)
Medium vulnerability on critical asset
High vulnerability on High asset
Medium (one month to resolve)
Low vulnerability on critical asset
Medium vulnerability on High asset
High vulnerability on Low asset
Low (6 months to resolve)
Medium vulnerability on Low Asset
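The asset classification and the prioritization matrix above combine into a mechanical triage step that also enforces the earlier advice of handing each system owner a short list rather than the whole scan. The following is an added example, not code from the presentation: the tier matrix and SLA periods are transcribed from the slide as given; hosts, owners, dates and findings are constructed test data. Combinations the slide does not list (for example a Low vulnerability on a High asset, or anything on a Medium asset) are deliberately not guessed and go to a separate backlog.

```python
"""Remediation triage from the slide's asset-class x vulnerability-severity matrix.

Added example, not from the presentation. The matrix and SLAs are transcribed
from the slide; hosts, owners, dates and findings below are constructed test data.
"""
from collections import defaultdict
from datetime import date, timedelta

# Priority tier -> days to resolve (48 hours, one week, one month, six months).
SLA_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 180}
TIER_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# (asset class, vulnerability severity) -> priority tier, exactly as listed on the slide.
# Pairs the slide does not list return None so they land in a backlog, not a guessed tier.
PRIORITY_MATRIX = {
    ("Critical", "Critical"): "Critical",
    ("Critical", "High"): "Critical",
    ("Critical", "Medium"): "High",
    ("High", "High"): "High",
    ("Critical", "Low"): "Medium",
    ("High", "Medium"): "Medium",
    ("Low", "High"): "Medium",
    ("Low", "Medium"): "Low",
}


def classify(asset_class, severity):
    """Map one finding to a priority tier, or None if the matrix has no entry."""
    return PRIORITY_MATRIX.get((asset_class, severity))


def triage(findings, today, top_n=10):
    """Return ({owner: [enriched findings]}, backlog).

    Each enriched finding gains 'tier', 'due' (first_seen + SLA) and 'overdue'.
    Per owner, findings are sorted by tier, then overdue first, then earliest
    due date, and capped at top_n so each owner gets a short actionable list
    instead of the full scan output. Findings with no matrix entry are returned
    separately as the backlog for a policy decision.
    """
    per_owner = defaultdict(list)
    backlog = []
    for f in findings:
        tier = classify(f["asset_class"], f["severity"])
        if tier is None:
            backlog.append(f)
            continue
        due = f["first_seen"] + timedelta(days=SLA_DAYS[tier])
        per_owner[f["owner"]].append(dict(f, tier=tier, due=due, overdue=today > due))
    for owner, items in per_owner.items():
        items.sort(key=lambda e: (TIER_ORDER[e["tier"]], not e["overdue"], e["due"]))
        per_owner[owner] = items[:top_n]
    return dict(per_owner), backlog


# Constructed sample scan output (hostnames and owner teams are hypothetical).
TODAY = date(2024, 3, 15)
FINDINGS = [
    {"host": "db01",  "owner": "dba-team", "asset_class": "Critical", "severity": "Critical", "first_seen": date(2024, 3, 14)},
    {"host": "db01",  "owner": "dba-team", "asset_class": "Critical", "severity": "Medium",   "first_seen": date(2024, 3, 1)},
    {"host": "web03", "owner": "web-team", "asset_class": "High",     "severity": "High",     "first_seen": date(2024, 3, 12)},
    {"host": "web03", "owner": "web-team", "asset_class": "High",     "severity": "Medium",   "first_seen": date(2024, 1, 1)},
    {"host": "prn07", "owner": "web-team", "asset_class": "Low",      "severity": "High",     "first_seen": date(2024, 3, 10)},
    {"host": "prn07", "owner": "web-team", "asset_class": "Low",      "severity": "Low",      "first_seen": date(2024, 3, 10)},
]


if __name__ == "__main__":
    owners, backlog = triage(FINDINGS, TODAY)
    for owner, items in owners.items():
        print(f"== {owner} ==")
        for e in items:
            status = "OVERDUE" if e["overdue"] else "due " + e["due"].isoformat()
            print(f"  [{e['tier']:8}] {e['host']:6} {e['severity']:8} on {e['asset_class']:8} asset  {status}")
    print("unranked (no matrix entry):", [(f["host"], f["severity"]) for f in backlog])
```

The sort key puts an overdue High above a fresh High of the same tier, which is what a remediation manager tracking SLA adherence wants to see first; the backlog makes the gaps in the matrix visible so they get a policy decision rather than being silently dropped.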
Process: Oversight & Accountability
Some organizations will have a mandate, possibly driven by external regulatory measures. However, many organizations do not start off in this way.
Bonus tied to remediation
Most effective way to ensure compliance to security policy
Remediation Managers
Provide oversight of risk reduction process
“Wall of Shame”
Peer pressure can be effective!
Process: Deployment Phases
Recommend phasing in scans to determine application interaction issues
Phased approach not necessary for all networks, but recommended for critical infrastructure
Perform Initial testing of critical infrastructure in change windows
Summary
Technology is the simple part of your Vulnerability Management solution
Utilize Automation wherever possible
People are key to getting the job done, use them wisely and build a good working relationship.
Know the key players, their roles and responsibilities
Don’t overwhelm people with data
Get buy-in from multiple groups in your organization, especially the executive staff
Process is necessary to an effective solution - keep it simple to understand and follow
Classify your assets; always work on the most important assets first
Prioritize remediation; always work on the most critical issues first
Create and use Service Level Agreements
Monitor progress and make policy adjustments as necessary
This presentation covers the essential components of a successful Vulnerability Management program that allows you proactively identify risk to protect your network and critical business assets.
Key take-aways:
* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management