2. Agenda
Current Situation
Definition of terms
What we can control
Asset Exposure
The Future
What to take away
Vulnerability Management today and tomorrow by Jonathan Sinclair
3. Current Situation
Today : It’s a mess
• Multi-dimensional, heterogeneous system landscape
• Legacy systems with ‘do not touch’ (patch/upgrade) license agreements
• Global deployment (different time zones)
• Distributed ownership (out-sourced IT)
• Cloud scenarios
• Everything managed through Excel
• Scanning too much/not enough
4. Definition of terms
What do we want to achieve operating IT security?
• Ask yourself: what is the difference between a RISK and a VULNERABILITY?
  • Both can be mitigated/treated
  • It seems that when someone talks about a risk, a vulnerability immediately follows
• Risk* = A situation involving exposure to danger
• Vulnerability* = From the Latin ‘vulnus’ (wound): exposure to the possibility of being attacked or harmed, either physically or emotionally (digitally)
• The point of every vulnerability management program is to reduce the exposure of information to a harm/threat
* Definitions taken from oxforddictionaries.com, 10.2015
6. What can we control?
• What we can’t control
  • Threats will always exist
    • Air gap, malicious insider agents, hacktivists etc.
  • Risk
    • Can be reduced and mitigated, but accurate predictability can never be assured
• What we can control (to a degree)
  • The asset exposure (vulnerability of a system)
7. Asset exposure
Asset contextualisation is the key
• Asset contextualisation is very difficult to obtain
  1. Server type: Dev, Integration, Prod
  2. Information classification: Open, Closed, Confidential
  3. Application criticality
  4. CVSS(x)
  5. Software inventory
  6. Last patch cycle
  7. Exploitability (a publicly available exploit exists vs. doesn’t)
• Combine with network/asset level segregation
• Assess known risk(s): scanning sources (OSVDB, Scip VulnDB, CVE, Security Advisories, NVD, Exploit-DB, SecurityFocus (BugTraq))
8. Transition to future situation
Start small, build out
• Where did all the software engineers go?
• Automate, automate, automate!
• Start with zoning (network, logical, software or otherwise). Resilience is critical.
• Once zoned, scanning cycles can be applied (weekly, monthly etc.), depending on the environment
• Scanned results must be triaged: React, Patch, Accept
• A vulnerability risk register must be maintained and updated to track asset(s) and current status
• Escalation paths require top-level management support, especially when considering cross-zone roll-out (re: Heartbleed, Poodle etc.)
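As an added illustration (not from the slides) of how the contextualisation factors on the asset exposure slide can feed the React / Patch / Accept triage and the risk register described above: the weights, thresholds, asset names and vulnerability identifiers below are hypothetical assumptions chosen for the example, not values the deck prescribes.

```python
from dataclasses import dataclass

# Hypothetical weights (an assumption for this example, not from the slides):
# the more production-like the server and the more sensitive its data, the more of the raw CVSS is retained.
ENV_WEIGHT = {"Dev": 0.5, "Integration": 0.75, "Prod": 1.0}
DATA_WEIGHT = {"Open": 0.5, "Closed": 0.75, "Confidential": 1.0}


@dataclass
class Asset:
    name: str
    server_type: str       # Dev / Integration / Prod
    info_class: str        # Open / Closed / Confidential
    criticality: int       # application criticality, 1 (low) .. 3 (high)
    days_since_patch: int  # age of the last patch cycle


@dataclass
class Finding:
    vuln_id: str           # identifier from the chosen repository (CVE, VulnDB, ...)
    cvss: float            # base score as reported by the scanner
    public_exploit: bool   # is exploit code publicly available?


def exposure_score(asset: Asset, finding: Finding) -> float:
    """Contextualised exposure on a 0-10 scale: CVSS scaled by the asset's context."""
    score = finding.cvss * ENV_WEIGHT[asset.server_type] * DATA_WEIGHT[asset.info_class]
    score *= 1 + 0.25 * (asset.criticality - 1)  # criticality 1..3 -> x1.0 .. x1.5
    if finding.public_exploit:                    # exploitability factor
        score *= 1.5
    if asset.days_since_patch > 90:               # stale patch cycle
        score *= 1.2
    return round(min(score, 10.0), 2)


def triage(score: float) -> str:
    """Map the exposure score onto the slide's React / Patch / Accept outcomes."""
    if score >= 8.0:
        return "React"
    if score >= 4.0:
        return "Patch"
    return "Accept"


def build_register(pairs):
    """Vulnerability risk register: one row per (asset, finding), worst exposure first."""
    rows = []
    for asset, finding in pairs:
        score = exposure_score(asset, finding)
        rows.append({"asset": asset.name, "vuln": finding.vuln_id,
                     "score": score, "status": triage(score)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)
```

The same scanner finding lands in different triage buckets depending on where the asset sits, which is the point of contextualising before reacting.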
9. Transition to future situation
• Analogy to the automotive industry: safety/security mechanisms built in at design time, no opt-out.
• Behavioural identification of potential malicious usage at the outset
• Security logging, not just debugging.
• HTTPS: why is HTTP even optional (ignoring legacy integration for a moment)?
• Litigation support: a key component that needs to be deployed through policy
10. Future problems
It will get worse, before it gets better
• BYOD: how can one scan a device that isn’t owned by the enterprise?
  • Conflicts concerning privacy, ownership and accountability
• Cloud services: how can an enterprise ensure a service provider will not expose its information to risk?
  • Legal frameworks for enforcement, accountability and liability
  • Cyber insurance
  • Financial penalties
11. Future problems
• Internet of Things and OT: how can enterprises cope with technological restrictions, warranty violations, embedded systems etc.?
  • Impose device on-boarding screening. Comply or you’re not connecting
  • Test scanning tools’ ability for ‘smart-scanning’: automated tools shouldn’t knock devices off the network or cause systems to fall over
  • Devices with remote monitoring or call-home functionality have to be carefully reviewed for enabling out-of-zone/band communication
  • Create separate logical zones to house these devices
12. What to take away
Your environment is no doubt complex and heterogeneous
• Start small
• Build out from your most valuable assets
• Assess their context and range of freedom (connectivity allowance)
• Adhere to strict parameter security controls (tried and tested)
Build a manageable vulnerability review program
• Select multiple trusted vulnerability repositories
• Have a dedicated team to review the status of emerging threats
• Arrange for weekly reviews of the emerging threats vs. asset inventory according to zone priority
13. What to take away
Get smart about engineering
• Automate wherever possible
• Understand your asset(s) exposure, e.g. Poodle (which threat actors have the skills to implement it, and is the asset exposed to them?)
• Does publicly available exploit code exist in the wild?
• Ensure you have a diverse range of threat sources
Be prepared for resistance and understand the compromises you’ll be asked to make