Best Practices and ROI for Risk-based Vulnerability Management

1. Best Practices and ROI for Risk- based Vulnerability Management October 2017

2. Nevra Ledwon Account Director nledwon@riskvisioninc.com Steve Finegan Product Manager sfinegan@riskvisioninc.com Introductions

3. Agenda Vulnerability Management Challenges Best Practices in Successful Programs About Resolver and RiskVision TVM Return on Investment – Case Study Solution Approaches, Benefits & Strategies

4. Challenge 1: Vulnerability MetricsWhat does this chart tell you?

5. Challenge 1: Vulnerability MetricsWhat does this chart tell you?

6. Challenge 1: Vulnerability Metrics  Are these vulnerability metrics accurate?  Are they the right metrics?  Do they tell the full story?

7. Challenge 2: Which Vulnerability Should We Remediate First? CVSS 5 vulnerability (e.g., a SQLi) vulnerability that's facing the internet from your DMZ that's now actively being exploited in the wild DB2 vulnerability on an RS/6000 w/CVSS 10 on an internal host with segmentation and other controls applied that’s not yet been exploited in the wild

8. Gartner Whitepaper

9. QUIZ TIME

10. The number of new vulnerabilities for which there exists a known exploit in the wild has:  Grown  Stayed flat  Shrunk

11. The number of new vulnerabilities for which there exists a known exploit in the wild has:  Grown  Stayed flat  Shrunk

12. Over the past 10 years, what percentage of the known vulnerabilities have ever been exploited in the wild?  12%  18%  23%  30%

13. Over the past 10 years, what percentage of the known vulnerabilities have ever been exploited in the wild?  12%  18%  23%  30%

14. Which severity of vulnerabilities is most often exploited in the wild?  Critical  High  Medium  Low

15. Which severity of vulnerabilities is most often exploited in the wild?  Critical  High  Medium  Low

16. Challenge 2: Which Vulnerability Should We Remediate First? CVSS 5 vulnerability (e.g., a SQLi) vulnerability that's facing the internet from your DMZ that's now actively being exploited in the wild DB2 vulnerability on an RS/6000 w/CVSS 10 on an internal host with segmentation and other controls applied that’s not yet been exploited in the wild

17. Challenge 3: Manual Administration & Shepherding Process

18. Challenge 4: Governance & Accountability

19. How to Prioritize Remediation Activities Debate Over Vulnerability Metrics Too Much Manual/ Administrative Work No Clear Governance, Accountability or Audit Trail Challenges Summary

20. Attendee Poll Which of the following challenges do you face in your organization? (more than one selection is ok)  Debate Over Vulnerability Metrics  How to Prioritize Remediation Activities  Too Much Manual/Administrative Work  No Clear Governance, Accountability or Audit Trail  None or N/A

21. Recommendations & Strategies

22. It’s All About Governance!!!  Appropriate program sponsorship for the vulnerability management program  Key stakeholder identification, representation and participation in the program  Documented security policies, practices, and standards  Documented roles and responsibilities  Documented communication and escalation plans  Asset identification (in-scope assets) SANS Components of an effective TVM Governance Process https://www.sans.org/reading-room/whitepapers/projectmanagement/building-vulnerability-management-program-project-management- approach-35932

23. 2. Enrich your Data 1. Classify your Assets 3. Calculate a Risk Score 4. Service Level Assignment 5. Automate Strategies for Making TVM Governance Easier

24. Step 1: Classify your Assets (Systems/Apps) PII PCI External FacingInternal Facing High Integrity High Availability Has Apache Port8080 Open On DMZ Europe

25. Step 1: Classify Your Assets (Systems/Apps) Classification Assessment Questionnaire Admin Setting Asset Classification

26. Step 1: Classify Your Assets (Systems/Apps)

27. Step 2: Enrich Your Data – Marry Vulns w/ Threat & Exploit Data Vulnerabilities In Your Environment Key Vulnerabilities to be Worried About All Disclosed Vulnerabilities Exploited Vulnerabilities Exploits Threats Are Focusing On

28. Step 2: Enrich Your Data – Marry Vulns w/ Threat & Exploit Data RiskVision leverages over 70 industry-leading applications, plus identity, security and IT technology

29. Step 3: Calculate a Risk Score

30. Risk Score CMDB asset factors, etc. CVSS Score + Other NVD Data Threat data, exploit data What goes into a Risk Score?

31. Step 3: Calculate a Risk Score VRF (Likelihood) • CVSS Score, or • Enhanced Vulnerability Score • e.g. Threat factor, # days open ACF (Impact) •H=10, M=7, L=3, or •Other numbers, or •Add additional custom attributes • e.g. internal vs external-facing • PCI-related Risk = Vulnerability Risk Factor (VRF) * Asset Criticality Factor (ACF) Vulnerability Risk = *

32. Step 3: Calculate a Risk Score – In RiskVision TVM Confidentiality Impact Vector • None = 0, Partial = 1, Complete = 2 Integrity Impact Vector • None = 0, Partial = 1, Complete = 2 Availability Impact Vector • None = 0, Partial = 1, Complete = 2 Access Complexity • Low = 1, Med = 3, High = 5 Access Vector • Local = 1, Adjacent Network = 3, Network = 5 Authentication Vector • Multiple = 1, Single = 3, None = 5 # Days Vuln was Open • = diff between current date and CVE vulnerability publish date Exploit Factor • local = .6, remote = 1, shellcode = .6, webapps = 1, dos = .5. No matching exploit = 0.25. • If >1 exploit maps to a vulnerability, highest Exploit Factor is used. Enhanced Vulnerability Score Factors

33. Step 3: Calculate a Risk Score – Risk Aggregation Enterprise BU 1 BU 2 BU 3 DBMS SERVE R SERVER SERVE R NVD CVE-2017-5638 CVE-2017-4187 CVE-…. CVE-.... CVE-2017-5632 AP PVULN VULN AP PVULN PATCH VULN

34. Step 3: Calculate a Risk Score – Risk Aggregation

35. Step 4: Service Level Assignment & Ticketing

36. Step 4: Service Level Assignment & Ticketing – Exception Process Exception Process

37. Step 4: Service Level Assignment & Ticketing – Exception Report

38. Step 5: Automate Where Possible De -Duping Vuln/Patch Prioritiz- ation Ticket Genera- tion Re- Scans

39. Attendee Poll Which of the following tasks have you already automated? (more than one selection is ok)  Consolidation of Threat & Vulnerability Data  Vuln/Patch prioritization  Ticket generation  Report generation  Workflow processes (e.g. exception handling process)  Patch validation/re-scan

40. Threat & Vuln Management: Key Capabilities Data Collection Remediatio n Validation Remediation Ticket Management Data Correlation 1 652 Workflow Orchestratio n Risk-Based Vulnerabilit y Prioritizatio n 3 4 Dashboards /Reporting 7

41. Workflow Management

42. Auto Re-Scan

43. Show Audit Trail/Exception

44. Step 6: Reports that are Useful/Relevant/Tell Whole Story

45. Report: Vulnerabilities Sorted by Risk Score

46. Vulnerable Asset Groups

47. System Drill Down

48. Vulnerability Heat Map

49. Return on Investment Case Study

51. Research Participant Spotlight  ~50,000 assets, 18% “high risk”, ~1M Vulnerability Instances  Management: ~20 FTEs, across various functions. Team breakdown and all-in costs (salary, benefits, overhead) - ~$2.9m per year  Two (2) security manager ($195,200 each)  Twelve (12) security analysts ($152,500 each)  Six (6) IT remediation engineers ($122,000 each)  Core tasks performed by the teams include creating trend reports, assessing & mitigating high risk vulnerabilities, and triaging monthly cyber-events  RiskVision All In Subscription and Services Fees are $374,545 in Year 1 and $124,900 thereafter

53. Building the Case for Automation Investment

54. 2. Enrich your Data 1. Classify your Assets 3. Calculate a Risk Score 4. Service Level Assignment 5. Automate Strategies Summary

55. About RiskVision

57. Introducing RiskVision  Enterprise Risk Intelligence Software  35+ solution, technology and content partners  Highly Rated by Gartner (IRMS & SOAR), Blue Hill, SANS, ESG, Aite, Ovum, and IDC Introducing Resolver  1,000+ Customers  Offices Around the Globe

58. RiskVision Solution Landscape 2m+ Assets 50m+ Vulnerabilities Scored for Risk 50% of RiskVision Customers 750k+ Assets 100k+ Incidents Scored for Risk 39% of RiskVision Customers 50k+ Assessments 200m+ Daily Control Checks 78% of RiskVision Customers 10k+ Practitioners 250k+ Third Parties Assessed 39% of RiskVision Customers CORE SOLUTIONS CUSTOMERS USAGE Incident / Issue Risk Response Coordinates classification, collaboration, evidence, policies, audit trail and reporting across the extra-prise for all operational and security risk events. Third Party (TP) Risk & Compliance Classifies third parties by risk level, and drives parallel workflows for diligence and security scoring, on-boarding, continuous monitoring and off-boarding. Technology (IT) Risk & Compliance Manages technology policies, maps policies to control, and assess multi-regulatory risk using an efficient Common Control Framework (CCF) to report for internal audit. SOARIRMS SCALABILITY Threat & Vulnerability Mitigation Automated continuous risk correlation, prioritization, and remediation of asset and operations criticality, threat reachability, control, and vulnerabilities.

59. Questions and Answers Nevra Ledwon, Account Director Office: +1.408.200.0435 Mobile: +1.703.351.8041

Best Practices and ROI for Risk-based Vulnerability Management

Best Practices and ROI for Risk-based Vulnerability Management

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Best Practices and ROI for Risk-based Vulnerability Management

Similar to Best Practices and ROI for Risk-based Vulnerability Management(20)

More from Resolver Inc.

More from Resolver Inc.(20)

Recently uploaded

Recently uploaded(20)

Best Practices and ROI for Risk-based Vulnerability Management