The What, Who, Whom and Why about a Vulnerability Management Program
BSides Ottawa 2019
Dennis Chaupis
Who am I?
BSides Ottawa 2019 | VMP 2
Dennis Chaupis
CISSP, CRISC, CTPRP
Senior Manager
Deloitte – Risk Advisory - Cyber Security
Dennis is leading the Vulnerability Management & Penetration Testing practice in Toronto, from where he supports engagements across Canada and globally. He focuses on helping organizations identify, manage, and remediate vulnerabilities that could lead to a business impact. Dennis has also worked for a major Canadian bank in its Operational Risk Management group.
Opinions and views are my own and not necessarily those of my current or past employers.
A Vulnerability Management….. Program? What’s that…… =/
• “What do you mean? We do our annual internal and external pentest”
• “I don’t have any audit findings so whatever I have been doing is fine”
But what if I tell you it also includes……
There is more in a VMP than VA Scanning and Pentest:
Asset Management
Patch Management
Infrastructure Build
(e.g. Gold Image)
Secure SDLC
Technology Intake
Risk Reporting
Threat Intel
Endpoint Security
Risk Appetite
Crown Jewels
And more….
Contents
Case study 5
What is a Vulnerability Management Program 7
Key roles 9
Key Output 10
The VMP is not… 11
Summary 12
Case Study
Security Team
• Performs VA scanning using the most awesome scanner
• Gets “threat intel” from different sources
• Tells the “other team” what to patch
• Reviews and “filters” results
• Coordinates the pentests
• Application Security Jedi
• Member of the Threat Hunting team
• Also member of the Red Team
Case Study
• Are you sure all the components in the NW are being scanned?
• Are you sure you are scanning ALL PORTS… or are you using a “Default” template?
• Have results been compared against the Asset Inventory?
• Is this “threat” relevant to us? Do we have that technology?
• How are we confirming a vuln has been remediated?
• Are all vulns the same in terms of risk?
• How are we measuring risk? CVSS? H/M/L?
• Do we create reports?
• Do we know which vulns we have formally accepted?
• Do we have KPIs/KRIs?
And the question is…
What is a Vulnerability Management Program
Asset Management
• How do we know we are scanning everything we are supposed to?
Patch Management
• Besides what the vendor tells us… shouldn’t we be patching based on what we identify?
Infrastructure Build
• Are our “gold images” not as hardened as we thought?
Technology Intake
• Awesome, we are buying brand new tech…. But what vulnerabilities are we also buying with it?
Secure SDLC
• SAST/DAST will tell us A LOT about what we may be exposed to
Risk Reporting
• What metrics are being reported to the “Top of the house”? Do they know what we know?
Threat Intel
• It’s good info, but is it relevant to our organization?
Risk Appetite
• Can we afford having a publicly known vulnerability without patching?
Crown Jewels
• What matters the most for the business?
Prioritization
• How / What do we start remediating?
Wait a second…. A VMP is not a program that “rules them all”. It relies on the rest to be successful.
The VMP relies on all other processes in order to succeed AND, at the same time, governs some aspects of them…..
Complicated? Of course it is.
Where does the VMP fit overall?
(Diagram: successive views of where the VMP sits among the organization’s processes, starting with three processes (Process 1, Process 2, Process 3) and growing to Prc1 through Prc9, with the VMP placed among them rather than above them.)
Key roles
CTO, CISO, CIO, CRO, CPO, CXO
The C-Suite plays a key role in the VMP; however, the CISO should be the owner of the overall program, keeping in mind:
• The CIO is a key stakeholder.
• This does not mean the CISO is now responsible for the related processes. For example, the CISO is not responsible for patching.
• It is not the CISO’s job to sign off on risk exceptions (e.g. “it’s OK for us to continue using SW that is EoL”). Most of the time it is the CIO’s job to coordinate with the business.
• The CRO should make sure that risks are treated accordingly and are not overlooked.
• The Chief Auditor should look at certain processes more at the enterprise level.
Key output
Reporting is probably the key output of a VMP….. But why?
Shows how good (or bad) the organization actually is
Relevant metrics can be created (with real data!):
• # of CRITICAL vulnerabilities in Crown Jewels not patched in over 60 days
• % of L3 incidents due to failure in patching process
• Critical servers with unperformed vulnerability scans
• High vulnerabilities detected and not remediated in the defined timeframe
• Vulnerability exposure due to exceptions
• Scanner coverage
• Network perimeter components with unpatched vulnerabilities
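As an added example (not part of the talk), the metrics on this slide computed from a constructed asset inventory and scanner result set; the Asset/Finding layout, the 30-day SLA for High findings and every host name are assumptions, and only the 60-day Crown Jewels threshold comes from the slide. It also reconciles scanner output against the inventory, which is the case-study question about comparing results to the Asset Inventory, so a host the scanner saw but nobody inventoried shows up as a gap of its own.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class Asset:                      # one row of the asset inventory (constructed layout)
    name: str
    crown_jewel: bool = False
    critical_server: bool = False
    perimeter: bool = False
    last_scanned: "date | None" = None   # None = the scanner has never reached it
@dataclass
class Finding:                    # one row of the scanner's results
    asset: str
    severity: str                 # "Critical", "High", "Medium" or "Low"
    first_seen: date
    remediated: "date | None" = None     # None = still open
    accepted: bool = False        # formally accepted risk exception
CROWN_JEWEL_CRITICAL_DAYS = 60    # the 60-day figure is from the slide
HIGH_SLA_DAYS = 30                # assumed; the deck only says "defined timeframe"

def vmp_metrics(assets, findings, today):
    # Reconcile against the inventory first: an unknown host gets no flags and is reported as its own gap.
    inv = {a.name: a for a in assets}
    owner = lambda f: inv.get(f.asset, Asset(f.asset))
    age = lambda f: (today - f.first_seen).days
    open_ = [f for f in findings if f.remediated is None]
    return {
        "crown_jewel_critical_over_60d": sum(1 for f in open_ if f.severity == "Critical" and owner(f).crown_jewel and age(f) > CROWN_JEWEL_CRITICAL_DAYS),
        "high_not_remediated_in_sla": sum(1 for f in open_ if f.severity == "High" and not f.accepted and age(f) > HIGH_SLA_DAYS),
        "exposure_due_to_exceptions": sum(1 for f in open_ if f.accepted),
        "critical_servers_never_scanned": sorted(a.name for a in assets if a.critical_server and a.last_scanned is None),
        "perimeter_components_unpatched": sorted({f.asset for f in open_ if owner(f).perimeter}),
        "scanned_but_not_in_inventory": sorted({f.asset for f in findings if f.asset not in inv}),
        "scanner_coverage_pct": round(100 * sum(a.last_scanned is not None for a in assets) / len(assets), 1),
    }

# Constructed sample data (not from the talk); a fixed "today" keeps the numbers reproducible.
TODAY = date(2019, 11, 30)
ASSETS = [
    Asset("core-db-01", crown_jewel=True, critical_server=True, last_scanned=date(2019, 11, 25)),
    Asset("hr-app-01", crown_jewel=True, last_scanned=date(2019, 11, 25)),
    Asset("vpn-gw-01", perimeter=True, last_scanned=date(2019, 11, 25)),
    Asset("pay-batch-02", critical_server=True),                    # inventoried but never scanned
]
FINDINGS = [
    Finding("core-db-01", "Critical", date(2019, 9, 1)),            # 90 days open on a crown jewel
    Finding("hr-app-01", "Critical", date(2019, 11, 10)),           # 20 days open, inside the 60
    Finding("hr-app-01", "High", date(2019, 10, 1), accepted=True), # open, but a formal exception
    Finding("vpn-gw-01", "High", date(2019, 10, 15)),               # 46 days open on the perimeter
    Finding("shadow-box-9", "Medium", date(2019, 11, 20)),          # seen by the scanner, not in inventory
]
```

Running `vmp_metrics(ASSETS, FINDINGS, TODAY)` on this data reports one overdue Crown Jewels critical, one High outside SLA, one exception-driven exposure, 75% scanner coverage, and the unscanned and uninventoried hosts by name.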
The VMP is not
• It is not something new. It is just a holistic view of existing processes and how they should work together in order to adequately protect the organization.
• It is not just VA scanning and pentests.
• It is not just reporting. Reporting is an outcome, but it is not the main goal of a VMP.
• It is not a program telling you to do things differently. It is advising you how to do things the right way.
• It is not giving you “one more thing to do”. In fact, it looks to formalize and standardize processes across the organization.
In summary
• It is a program that relies on existing processes.
• Even though it relies on other processes, it does not mean that your VMP is “broken” if your other processes are not strong enough. The fact that you are able to identify a weakness in the program allows you to focus your efforts where they matter most. This does not mean that the issues in the processes do not need to be fixed; it means that they have been identified and should be fixed.
• It is the CISO’s job and responsibility to drive a cyber security agenda across the organization AND to embed cyber security in every process that may have an impact on the overall cyber security posture.
• CXOs need to cooperate with enhancing and revamping the cyber security posture in the processes they own. “Be agile”.
• This is not new, nor rocket science; it is about having an organization that is able to be more resilient towards vulnerabilities, even if that means coexisting with them.
Questions?