Enterprise Vulnerability Management: fancy marketing brochures and the real-life troubles
Alexander Leonov
CyberCentral 2018
#:whoami
- Alexander Leonov
- Lead Security Analyst at Tinkoff Bank
- 6+ years at a Vulnerability Management vendor
- Security Automation blog at avleonov.com
Typical VM Solution
[Diagram: IPs -> Tasks -> Task Results -> Reports -> Dynamics]

Inconvenient Questions
[The same diagram, with a question attached to each stage]
- Targets?
- Credentials?
- Quality of detection?
- What is really exploitable?
- Who is responsible for patching?
- Remediation criteria?
Processes and Products
What actually should we scan?
- Perimeter
- Office
- Business critical / Production
Perimeter
- Dynamic Assets: 20%
- Typical Targets: Linux WebServer
- Inventorisation: IANA ASN, Wiki, JIRA,
Monitoring, WAF/AntiDDoS
- Typical Assessment: Unauth Scanning
Office
- Dynamic Assets: 80%
- Typical Targets: Windows Desktop with
old Web browser (need for legacy)
- Inventorisation: Wiki, WSUS, System Center
- Typical Assessment: Auth Scanning, Agents
Business critical / Production
- Dynamic Assets: < 10%
- Typical Targets: Linux/Unix/Windows Server, ERP/CRM with third party modules installed
- Inventorisation: Wiki, consultations
- Typical Assessment: Unauth Scanning, alternative methods
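The three environments above each have their own inventory sources, and the first inconvenient question ("Targets?") is answered by merging those sources and diffing the result against what the scanner is actually configured to scan. The following script is an added example (not code from the talk): the DNS, monitoring and WAF data, the scanner target list and the address plan used to map addresses to Perimeter / Office / Production zones are all constructed; in practice they would come from zone exports, the monitoring system's host list, the WAF backend configuration and the prefixes announced under the organisation's ASN.

```python
"""Reconcile scan targets against inventory sources (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample inventory: what each source knows about.
DNS_RECORDS = {
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.11",
    "wiki.corp.example": "10.0.5.20",
}
MONITORING_HOSTS = {"203.0.113.10", "203.0.113.12", "10.0.5.20", "10.0.5.21"}
WAF_BACKENDS = {"203.0.113.11", "203.0.113.13"}

# Constructed: targets currently configured in the scanner.
SCANNER_TARGETS = {"203.0.113.10", "203.0.113.11", "10.0.5.20", "10.0.9.99"}

# Assumed address plan: the organisation's announced prefix is the perimeter,
# office and production each have their own internal ranges.
ZONES = {
    "perimeter": [ipaddress.ip_network("203.0.113.0/24")],
    "office": [ipaddress.ip_network("10.0.0.0/16")],
    "production": [ipaddress.ip_network("10.100.0.0/16")],
}


def collect_inventory():
    """Merge all sources into {ip: set of source names that mention it}."""
    inventory = defaultdict(set)
    for ip in DNS_RECORDS.values():
        inventory[ip].add("dns")
    for ip in MONITORING_HOSTS:
        inventory[ip].add("monitoring")
    for ip in WAF_BACKENDS:
        inventory[ip].add("waf")
    return dict(inventory)


def zone_of(ip):
    """Assign an address to a zone by prefix; anything else is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for zone, networks in ZONES.items():
        if any(addr in net for net in networks):
            return zone
    return "unknown"


def reconcile(inventory, scanner_targets):
    """Return what to add to the scanner (with zone and evidence) and what to retire."""
    inventoried = set(inventory)
    to_add = {
        ip: {"zone": zone_of(ip), "sources": sorted(inventory[ip])}
        for ip in inventoried - scanner_targets
    }
    # Targets no inventory source knows about: candidates for removal, but only
    # after someone confirms the asset really is gone (or the inventory is wrong).
    to_retire = sorted(scanner_targets - inventoried, key=ipaddress.ip_address)
    return {"add": to_add, "retire": to_retire}


if __name__ == "__main__":
    diff = reconcile(collect_inventory(), SCANNER_TARGETS)
    for ip, info in sorted(diff["add"].items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"ADD    {ip:15} zone={info['zone']:10} seen in {','.join(info['sources'])}")
    for ip in diff["retire"]:
        print(f"RETIRE {ip:15} (in no inventory source; confirm before dropping)")
```

Keeping the list of sources that vouch for each new target is what makes the result actionable: a perimeter address seen only by the WAF is a different conversation with IT than one that also has a DNS name and a monitoring check.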
VM Analyst's Heaven
- Scan targets: known and fully described
- Responsible person: known for every asset
- Credentials / local agents: available / installed
- Patch Management process: already functioning
- IT attitude: trust in scanning results
- Your task: ensure that everything works fine;
if not - create a task
VM Analyst's Hell
- Scan targets: unknown
- Responsible person: unknown
- Credentials / local agents: no way!
- Patch Management process: it’s not necessary!
- IT attitude: don’t bother us!
- Your task: ensure that every vulnerability is really
exploitable in our environment; make exploitation PoC
(if you break something it will be your fault)
VM Analyst's Heaven and Hell
[Image slide]

Vulnerability Management Market
[Chart: Worldwide Device Vulnerability Assessment Revenue Share by Vendor, 2016]
Outrageously expensive
[The IPs -> Tasks -> Task Results -> Reports -> Dynamics diagram, with price tags]
- $2,190 USD/year
- free (no complaints)
- $10-15 USD/year per host: 5000 hosts = $50-75k

Limited license = Limited IT Visibility
- Perimeter
- Office
- Business critical / Production
* free agented inventorisation in Qualys and Rapid7 Nexpose without Vulnerability Assessment
The end of cost-effective VM since v. 7 (Nessus Professional)
- The ability to manage scans via API has been removed =(
- The ability to add multiple users has also been removed =(
- "As of January 1, 2019, all Nessus Professional users will be required to update to version 7.x to maintain support and updates."
OpenVAS "Attic Cleanup"

What about your own scanner?

Unauthenticated mode:
  Asset          | Service                    | Vulnerability
  Hostname / IP  | cpe:/a:drupal:drupal:7.32  | CVE-2018-7600
  <---- Data Gathering ---->                  <-- Assessment -->

Authenticated mode:
  Asset          | Package                    | Vulnerability
  Hostname / IP  | Drupal7-7.32-1+deb8u10     | DSA-4156, CVE-2018-7600
  <---- Data Gathering ---->                  <-- Assessment -->
All Vulnerability Scanners are the same?
Knowledge Base of Vulnerability Scanner =
  A Platforms (OSes)
  x B Software Vendors making products for each Platform
  x C Products made by each Software Vendor
  x D Vulnerabilities in each Product
  x E Vulnerability detection methods (authenticated and unauthenticated)

CVE-based comparison
[Chart] Based on data from: ALL CVEs in NVD: 104794; 2018 CVEs in NVD: 2373
Reports: problem of prioritization
- Exploitability flag
- Links to exploits at
- Use in Malware
- CVSS (AV:N)
- CWE (CWE-94 'Code Injection',
CWE-95 'Eval Injection', CWE-400 'Resource Exhaustion')
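The list above is a set of prioritisation signals, but a report with thousands of findings needs them combined into an order. The following is an added example, not code from the talk: it parses the CVSS v3 vector string to get the attack vector and privilege metrics, treats a public exploit or known malware use as the strongest signal, uses the CWE classes named on the slide as a secondary one, and ranks findings by tier and then base score. The sample findings, their identifiers and their attributes are constructed for the example and do not describe real CVE records; the tier rules are one reasonable policy, not the author's.

```python
"""Prioritise scan findings by reachability, exploitability and weakness class (added example)."""
import re

# Weakness classes called out on the slide, used as tie-breakers below.
CODE_INJECTION_CWES = {"CWE-94", "CWE-95"}
RESOURCE_EXHAUSTION_CWES = {"CWE-400"}


def parse_cvss3(vector):
    """Turn 'CVSS:3.x/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    m = re.fullmatch(r"CVSS:3\.[01]/(.+)", vector)
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(part.split(":", 1) for part in m.group(1).split("/"))


def priority(finding):
    """Return (tier, reasons); tier 1 is the most urgent."""
    m = parse_cvss3(finding["vector"])
    remote = m.get("AV") == "N"
    unauth = m.get("PR") == "N"
    weaponised = finding["in_malware"] or bool(finding["exploits"])
    reasons = []
    if remote:
        reasons.append("AV:N")
    if finding["in_malware"]:
        reasons.append("used in malware")
    elif finding["exploits"]:
        reasons.append("public exploit: " + ", ".join(finding["exploits"]))
    if finding["cwe"] in CODE_INJECTION_CWES:
        reasons.append(finding["cwe"] + " (code/eval injection)")
    # Assumed policy: reachable + weaponised first, then anything weaponised or a
    # remote unauthenticated injection, then remote DoS, then the rest.
    if remote and weaponised:
        tier = 1
    elif weaponised or (remote and unauth and finding["cwe"] in CODE_INJECTION_CWES):
        tier = 2
    elif remote and finding["cwe"] in RESOURCE_EXHAUSTION_CWES:
        tier = 3
    else:
        tier = 4
    return tier, reasons


def rank(findings):
    """Order findings by tier, then by CVSS base score (highest first)."""
    return sorted(findings, key=lambda f: (priority(f)[0], -f["base_score"]))


# Constructed sample findings: IDs and attributes are invented for this example.
SAMPLE_FINDINGS = [
    {"id": "VULN-A", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "base_score": 9.8, "exploits": ["exploit-db"], "in_malware": True, "cwe": "CWE-94"},
    {"id": "VULN-B", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "base_score": 9.8, "exploits": [], "in_malware": False, "cwe": "CWE-95"},
    {"id": "VULN-C", "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
     "base_score": 7.8, "exploits": ["github-poc"], "in_malware": False, "cwe": "CWE-787"},
    {"id": "VULN-D", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
     "base_score": 7.5, "exploits": [], "in_malware": False, "cwe": "CWE-400"},
    {"id": "VULN-E", "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
     "base_score": 6.5, "exploits": [], "in_malware": False, "cwe": "CWE-200"},
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        tier, why = priority(f)
        print(f"P{tier} {f['id']} {f['base_score']}  {'; '.join(why)}")
```

The point of returning the reasons alongside the tier is that the person who has to patch will ask why this item is at the top; "AV:N; used in malware" is an answer, "9.8" on its own is not. Note that a locally exploitable bug with a public PoC (VULN-C) outranks a remote 7.5 DoS, which is usually what you want and exactly what a base score alone would not give you.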
Common Weakness Enumeration (CWE)
[Three slides of CWE examples]

Exploitability
[Image slide]
Dynamics
[Chart: number of vulnerabilities over time]
Why does it jump?
● Non-reliable scan results
● Dynamic assets
● ...

Dynamics
… Smoothing …
Set criteria of successful fix
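"Set criteria of successful fix" is the concrete answer to the jumping chart: a vulnerability that vanishes from one scan because the host was unreachable or the credentials failed has not been fixed. The following is an added example, not code from the talk: it replays a constructed scan history, counts a finding as fixed only after an assumed number of consecutive completed scans in which it is absent, treats a failed scan as no evidence at all, and resets the count when a finding reappears. It also produces the raw detection count next to the smoothed count so the two curves can be compared.

```python
"""Confirm fixes across scans instead of trusting a single scan (added example)."""

# Assumed policy for this example: a finding is fixed only after CONFIRM_SCANS
# consecutive completed scans in which it is absent.
CONFIRM_SCANS = 2

# Constructed scan history. Per run: host -> (scan completed?, detected finding ids).
# A failed scan (host unreachable, credentials rejected) yields no evidence.
SCAN_RUNS = [
    {"date": "2018-03-01", "results": {"web1": (True, {"V-1", "V-2"}), "db1": (True, {"V-3"})}},
    {"date": "2018-03-08", "results": {"web1": (True, {"V-2"}), "db1": (False, set())}},
    {"date": "2018-03-15", "results": {"web1": (True, {"V-2"}), "db1": (True, set())}},
    {"date": "2018-03-22", "results": {"web1": (True, {"V-1", "V-2"}), "db1": (True, set())}},
]


def vuln_states(runs, confirm=CONFIRM_SCANS):
    """Return {(host, finding): 'open' | 'pending' | 'fixed'} after replaying runs.

    'pending' means the finding has disappeared, but not yet for enough
    completed scans; a reappearance resets the clean streak to zero."""
    clean_streak = {}
    for run in runs:
        for host, (completed, detected) in run["results"].items():
            if not completed:
                continue  # no evidence either way; streaks stay as they were
            for vuln in detected:
                clean_streak[(host, vuln)] = 0
            for key in clean_streak:
                if key[0] == host and key[1] not in detected:
                    clean_streak[key] += 1
    return {
        key: "open" if n == 0 else ("fixed" if n >= confirm else "pending")
        for key, n in clean_streak.items()
    }


def trend(runs, confirm=CONFIRM_SCANS):
    """Per run: (date, raw detections in that run, smoothed count of findings not yet confirmed fixed)."""
    out = []
    for k in range(1, len(runs) + 1):
        raw = sum(len(detected) for _, detected in runs[k - 1]["results"].values())
        states = vuln_states(runs[:k], confirm)
        smoothed = sum(1 for s in states.values() if s != "fixed")
        out.append((runs[k - 1]["date"], raw, smoothed))
    return out


if __name__ == "__main__":
    for date, raw, smoothed in trend(SCAN_RUNS):
        print(f"{date}  raw={raw}  smoothed={smoothed}")
    for (host, vuln), state in sorted(vuln_states(SCAN_RUNS).items()):
        print(f"{host} {vuln}: {state}")
```

On the constructed history the raw curve reads 3, 1, 1, 2 while the smoothed one reads 3, 3, 2, 2: the dip on March 8 is db1 failing to scan, not a fix, and the rise on March 22 is V-1 coming back on web1 (a reimaged host, a rolled-back patch, or an unreliable check), which the state machine reports as open again rather than as a new finding.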
Why *they* don't patch vulnerabilities

It's great when you can update the OS automatically, but
- A reboot is often required (nobody likes this)
- Update mechanisms may break and updates will not be installed

Something can break after an update
- It is necessary to check each patch on test servers
Update can make the situation even worse
[Timeline slide]
- January 3, 2018: Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) go public
- January 05, 2018 and January 10, 2018: [screenshots]
- January 23, 2018: Intel: "stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior"
…

Update can make the situation even worse
- Spectre: CVE-2017-5753, CVE-2017-5715, Base Score: 7.3, 6.5*
- Meltdown: CVE-2017-5754, Base Score: 5.6*
- January 3, 2018: disclosure
- March 29, 2018: Windows 7 or Server 2008 R2 + applied Microsoft's Meltdown patches => CVE-2018-1038 "Windows Kernel Elevation of Privilege Vulnerability" (Base Score: 7.8*)
- April 05, 2018: Intel won't patch some of its older processors against Meltdown and Spectre
* CVSS v3, scores from xforce.ibmcloud.com

The Neverending story
- Constantly appearing exploitable vulnerabilities in web browsers, Adobe products, Java, etc.
- Manual work or expensive patching solutions are required
Fifty Shades of Legacy
- Critical vulnerable software that is strongly needed for work; extra money for the update and for staff retraining
- Critical software that requires outdated vulnerable libraries (Java)
- Legacy Operating Systems that are the only thing some critical software can run on

Some systems are just difficult to update
- UNIXes, network devices, etc.
In conclusion
- There is no magic in Vulnerability Management
- Vulnerability scanners are awesome. Trust them, but not too much.
- Homegrown automation is still necessary:
  ○ Update scan targets (Wiki, DNS, WAF/AntiDDoS, AD, Monitoring...) and manage regular scan tasks
  ○ Get critical exploitable vulnerabilities from scan results
  ○ Inform the responsible person / make tasks
  ○ Get statistics and visualize the VM process
Thanks!
Questions?
me@avleonov.com

CyberCentral Summit 2018 in Prague
