Real world security webinar (v2012-05-30)

  • [Seth]
  • [Seth] “The journey of a thousand miles begins with a single step.” “Beginning is half of the whole.” You can’t wish improvements to security; you have to take action. Whether that’s making a plan or taking the next step in the plan, the important thing is to do something. Some things are more easily accomplished than others. In vulnerability and compliance management, is there ONE THING you can do this week to improve your security program? If you gave it some thought, you could probably come up with a half-dozen near-term accomplishments.
  • [Seth] But it’s not enough to take some action. You have to demonstrate not only that you’ve done something, but that what you’ve done has had the desired effect. Whether this is a report to the executive committee or a chart for the technical staff, you have to demonstrate that the work being performed is worthwhile, effective, and important, both to the folks who are paying for it and to the folks who are performing it. In the context of vulnerability and compliance management, this means reporting. What data are you collecting about your program, and what information are you communicating to the program’s stakeholders? What improvements can you make in the reporting process so that it will be easier for you to show future successes?
  • [Bill] Refresh your memory: why did you implement a vulnerability and compliance program in the first place? Is your current process meeting your needs? If not, it’s time to change the game. Where are you on the maturity model? Are there improvements you can make to any one of the six components that will drive you towards the original goals?
  • [Bill] This represents a capability maturity process area focused on vulnerability and compliance management. There are six general categories that should be monitored. Moving clockwise around the spider graph:
      – Coverage: are all your assets being scanned for vulnerabilities and compliance? Are there segments of your network environment that are off limits or otherwise outside your view? Do new networks and new devices get added to scan profiles promptly?
      – Scan Depth: are you using credentialed scanning to get an “inside look” at the assets? This is advantageous for determining the actual security posture of the device.
      – Frequency: how often are you scanning? More frequent scanning means better intelligence.
      – Reporting: are your reports provided to all levels of management and across your lines of business? Do they convey accurate information that will promote the desired response?
      – Remediation: is your organization prepared to remediate the vulnerabilities and noncompliances found by the assessments? How responsive are the groups tasked with this mission?
      – Currency: do you keep the scanning profiles and vulnerability databases up to date to ensure you’re scanning for the latest vulnerabilities?
  • [Bill]
  • [Bill] This is the vulnerability / compliance process wheel. It starts with a design, goes through planning and execution, and then reporting and remediation of the vulnerabilities and noncompliances found. Based on the lessons learned during one cycle, the design is refined, new capabilities are introduced, and the cycle begins again. Key to success is appropriate communication at all stages.
  • [Bill]
  • [Bill]
  • [Seth] Your work as a security professional can seem invisible – especially when you have no crises. It’s important to ensure that you’ve got the appropriate level of visibility – and for the right reasons – at all times. Reporting can be an effective way to communicate your goals and the performance of your security program – whether it’s to highlight successes and share praise, or to focus on an opportunity for improvement and areas that need attention. It is vital that the reports both reach and are targeted at specific audiences – an overly technical report may not be suitable for inclusion at an executive board meeting, for example. Likewise, a high-level report will not give your security practitioners and other technical staff the actionable information that will help them achieve your security program goals.
  • [Seth] This is an example of a maturity model report covering two quarters. It is appropriate for senior management and will show both progress towards some of the maturity goals you’ve set and the gaps where you might need some help from other stakeholders. In this example, the program has seen great progress in remediation, currency, and coverage, but needs to improve scan depth – perhaps by using credentialed scans. Scan frequency has actually fallen off since the previous quarter, so some analysis would probably be of benefit there. Reporting continues to be OK, but improvements are certainly possible.
  • This is a high-level representation of total vulnerability score – called the “Waher index” after its creator, Alex Waher. Here, it provides feedback on the relative vulnerability risk and remediation effects across two networks within the company: the business side and the operations network. Key messages are provided at the right, but the conclusion is clear: the effort spent remediating vulnerabilities in the operations network since September has resulted in a huge decrease in the vulnerability score (and, by implication, in the associated risk on that network). This report is good for providing a quick snapshot of activity and progress to peers who have staff members involved in scanning and remediation activities.
  • This report breaks out average vulnerability scores by technology and by location, and is intended for use by IT management. At a glance, it is clear that Toronto needs some help reducing vulnerabilities in its Windows server environment, while San Francisco and Munich need to concentrate on both Windows and UNIX. In addition, it appears that the endpoint security program in San Francisco is not as effective as it is in Toronto and Munich. Reports like this can help get resources aligned across locations and business/technology functions.
  • This report is intended for IT staff – both security and operations. It provides a quick list of the most significant vulnerabilities within an environment, ranked by relative weighted risk (the vulnerability score multiplied by the number of affected hosts, expressed as a percentage of the total vulnerability score across all hosts and vulnerabilities). It is intended to help prioritize remediation resources so that the most critical issues are addressed first, and it lets security analysts take a “macro” view, as the key messages suggest: weak credentials account for 4 of the top 10 findings and almost 55% of the total vulnerability score (so enforcing strong credentials is the single biggest win), and applying 4 Windows patches would provide an immediate score reduction of almost 12%.
  • [Bill] 3-4 takeaways. (Seth to do)
  • [Bill]

    1. Real World Security: Maximizing the Value of Your Security Investments. © 2012 nCircle. All rights reserved. nCircle Company Confidential
    2. Meet Your Presenters
       • Bill Rudiak, Director, Professional Services, nCircle
       • Seth Bromberger, Principal, NCI Security
    3. As a Security Professional responsible for your organization’s VM and/or Compliance Program, you have fundamental tasks…
    4. DO SOMETHING to improve your organization’s security
    5. and PROVE IT!
    6. But First, Let’s Get Back to Basics (Some Key Questions)
       • Why did your organization establish a VM and compliance program in the first place?
       • What are (were) the specific goals of your program?
       • Do all stakeholders understand the program and their role in it?
       • Do your tools and processes support effective measurement of program performance? How are you doing?
       • What’s happening in your organization now (or soon) that will impact your program?
    7. A CMM for Assessing Your Program’s Effectiveness (spider graph with axes: coverage, currency, depth, remediation, frequency, reporting)
    8. Do Something – Your Scanning Regimen
       • Coverage – Scan everything – Scan white space to discover new assets
       • Depth – Scan with Credentials
       • Frequency – Scan critical assets more frequently – Align scan frequency with regular change management windows
    9. Do Something – Closed Loop Process (diagram labels: New Threats, CISO/CSO, Internal Policies, Regulatory Standards, IT Operations, Vulnerabilities/Compliance Tests, Infosec Operations, Audit & Compliance)
       • Vulnerability and Compliance Management is a closed loop process and requires continuous refinement
       • Participants in the process have different spans of control or concern
       • Infosec Operations often lacks direct visibility to Remediation
       • Communication among stakeholders is essential to present a common picture of the organization’s risk and compliance posture
    10. Do Something – Equip & Support Your Team
       • Position your Infosec team as Security Analysts who provide a valuable service to the organization
       • Provide C-level reinforcement and support for Infosec’s mandate — improving compliance and reducing risk
       • Build and maintain collaborative relationships with system owners
       • Leave the data munging to the computers
    11. Do Something – Automate via Integration (diagram labels: Identity and Access Management, IT Service Management, Asset Management, Intrusion Prevention and Detection, Security and Performance Management, Real-Time Security Event Management, Vulnerability / Compliance Monitoring, Anti-Virus and Malware Prevention, Patch Management, Network Engineering)
       Remember — more tools mean…
       • More integration points
       • More possibly conflicting data and information
       • More overlaps or gaps in solution functionality
       • More overall impact when your environment changes
       Glue can be VERY expensive!
    12. Prove It (First, More Questions about “It”)
       • What is it? (There are different flavors of it depending on your audience)
       • Is it believable?
       • Can you explain and defend it?
       • Can your audience easily acquire it?
       • Is it useful to its intended audience?
       • Does it support the goals of your program?
    13. Prove It – to Executives: Program Maturity (trailing 2 quarters); legend: Q4 2011, Q1 2012
    14. Prove It – to Business Management: chart “Enterprise Vulnerability Risk” – Vulnerability Risk by Network (Operations, Business), Q1 2011 - Present, quarters 2011 Q1 through 2012 Q2; values labelled on the chart: 5,791,465 and 2,357,126
       Key Messages:
       • 59.3% vulnerability risk reduction in past 18 months
       • Focus on patching the operations network resulted in majority of risk reduction in the past 6 months
       • Business network risk decreased despite deployment of over 200 new servers and 800 new end-user devices in 2011
    15. Prove It – to IT Management: chart “Average Host Score by device type/location” (y-axis: Average Host Score (000s), 0 to 250; series: San Francisco, Toronto, Munich; categories: Win Server, UNIX, Clients, Mobile, Other)
    16. Prove It – to IT Staff: Top 10 Enterprise Vulnerabilities by % of total risk
       Vulnerability                                                Hosts   Score   Total     % of Total
       Easily Guessed SSH Credentials                                  45   54748   2463660   42.5%
       IP360 Default Login Enabled                                      8   48315    386520    6.7%
       MS06-035: Mailslot Heap Overflow                                 6   33151    198906    3.4%
       Weak SNMP Community String public Found                         24    8052    193248    3.3%
       MS05-043: Print Spooler Service Buffer Overflow                  5   35681    178405    3.1%
       MS06-040: Server Service Remote Code Execution                   5   32931    164655    2.8%
       SSHv1 Protocol Man-In-The-Middle Vulnerability                  20    7702    154040    2.7%
       SSHv1 Protocol Available                                        20    7522    150440    2.6%
       MS08-067: Server Service RPC Handling Remote Code Execution      5   25809    129045    2.2%
       Easily Guessed Telnet Credentials                                2   54748    109496    1.9%
       Key Messages:
       • The top 10 vulnerabilities represent 71.2% of the total risk score
       • Application of 4 Microsoft patches would immediately reduce the score by 11.5%
       • Enforcement of strong credentials would reduce the score by 54.4%
    17. In Conclusion…
       • Sustainability of your VM/Compliance Program requires continuous refinement — re-commit to it!
       • Revisit your goals and revise them if necessary
       • Measure and manage security program performance — tie output to risk reduction and compliance goals
       • Make intelligent decisions about your toolset
       • Use the Maturity Model to assess your program and track improvement over time
       • Maintain visibility of your program by getting the right information to stakeholders and other outreach activities
    18. nCircle Whitepaper
    19. Questions from the Audience…
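The weighted-risk ranking behind the “Top 10 Enterprise Vulnerabilities” report (the speaker note on the IT-staff report and slide 16), as an added example that is not nCircle’s code: it recomputes each row’s total and share of risk from the slide’s host counts and per-host scores and aggregates the three key messages. The enterprise-wide grand total is not on the slide, so ENTERPRISE_TOTAL is a constructed value chosen to reproduce the slide’s rounded percentages, and the grouping of credential findings is an assumption.

```python
"""Weighted risk as the webinar's Top 10 report defines it: per-host score x hosts,
shown as a percentage of the total score across all hosts and vulnerabilities."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    name: str
    hosts: int   # hosts on which the vulnerability was found
    score: int   # per-host vulnerability score from the scanner
    def risk(self) -> int:
        return self.hosts * self.score

# Hosts and per-host scores transcribed from slide 16.
TOP10 = [
    Finding("Easily Guessed SSH Credentials", 45, 54748),
    Finding("IP360 Default Login Enabled", 8, 48315),
    Finding("MS06-035: Mailslot Heap Overflow", 6, 33151),
    Finding("Weak SNMP Community String public Found", 24, 8052),
    Finding("MS05-043: Print Spooler Service Buffer Overflow", 5, 35681),
    Finding("MS06-040: Server Service Remote Code Execution", 5, 32931),
    Finding("SSHv1 Protocol Man-In-The-Middle Vulnerability", 20, 7702),
    Finding("SSHv1 Protocol Available", 20, 7522),
    Finding("MS08-067: Server Service RPC Handling Remote Code Execution", 5, 25809),
    Finding("Easily Guessed Telnet Credentials", 2, 54748),
]
# Not on the slide: a constructed enterprise-wide total, chosen so that the
# slide's rounded percentages (42.5%, 71.2%, 54.4%) are reproduced.
ENTERPRISE_TOTAL = 5_798_000
# Assumed grouping: findings that enforcing strong credentials would clear.
CREDENTIAL_FINDINGS = {
    "Easily Guessed SSH Credentials", "IP360 Default Login Enabled",
    "Weak SNMP Community String public Found", "Easily Guessed Telnet Credentials",
}

def rank_by_weighted_risk(findings, total=ENTERPRISE_TOTAL):
    """Rows of (name, hosts, score, risk, % of total), highest risk first."""
    ranked = sorted(findings, key=Finding.risk, reverse=True)
    return [(f.name, f.hosts, f.score, f.risk(), round(100 * f.risk() / total, 1))
            for f in ranked]

def share_of_total(findings, names, total=ENTERPRISE_TOTAL):
    """Percentage of total risk removed by remediating the named findings."""
    return round(100 * sum(f.risk() for f in findings if f.name in names) / total, 1)

def key_messages(findings, total=ENTERPRISE_TOTAL):
    """The slide's 'macro view': the whole top 10, the MS patches, credentials."""
    patches = {f.name for f in findings if f.name.startswith("MS0")}
    return {"top10_pct": share_of_total(findings, {f.name for f in findings}, total),
            "patches_pct": share_of_total(findings, patches, total),
            "credentials_pct": share_of_total(findings, CREDENTIAL_FINDINGS, total)}
```

The patch figure comes out at 11.6% against this constructed total, versus 11.5% on the slide, which is the kind of rounding drift to expect when the true denominator is not published with the report.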