Copyright © Aujas All rights reserved.
Aujas Restricted Circulation
Nail Vulnerability Management with
Intelligence plus Analytics
IDC IT Security Roadshow 2016,
United Arab Emirates
Tarun Ambwani
Practice Head, Aujas
Disclaimer
The aspects discussed in this presentation are purely individual observations and opinions. They may not necessarily be correct, especially when generalized. Incidents, examples, people, organizations etc. are used only to illustrate the points of discussion.
Everyone has their own perspective – Intelligence and Analytics
CIO and IT Operations perspective: Vulnerability data are coming from multiple sources. We really don’t have the money and resources to fix them all, and we are not sure what to fix first.
CISO perspective: We have assigned vulnerabilities to the IT team, but we really don’t have a tracking mechanism until operations updates us.
Business Executives’ perspective: We really don’t know which (business) groups of assets have vulnerabilities, which of those are important, and whether the ones that matter are getting mitigated or not.
Security Analyst perspective: We don’t want to prepare dashboards and reports every time IT operations fixes an issue.
Reliance on a Single Source for Vulnerability Intelligence
“Vulnerability Intelligence refers to all research data on vulnerabilities, including but not limited to historical data, exploits, targets, attacks etc.”
Most of the time we rely on the scanner tool to get intelligence about a vulnerability and manually prioritize remediation.
Is this vulnerability really being exploited, and is it responsible for the breaches happening out there?
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/?utm_source=datafloq&utm_medium=ref&utm_campaign=datafloq
No Context
Were you ShellShocked?
Researchers announced a vulnerability, ShellShock, which allows an adversary to execute arbitrary commands on a remote system and may allow the adversary to gain control over the target computer if exploited successfully.
Another one, POODLE, allows an adversary to hijack browser sessions if they are using the flawed SSL protocol.
You really want to make sure that a vulnerability is applicable to your environment and really impacts your assets before you start patching for it!
What is required is a shift from a fix-the-vulnerability mindset to a risk assessment mindset.
What you need - Vulnerability Intelligenalytics
“Organizations can increase the effectiveness of their vulnerability management programs by automation, analytics and threat intelligence.”
[Diagram: Vulnerability Intelligence (Targets, Threats, Zero-Day, Breaches), Vulnerability Data (Scanner Data, Manual Testing, Audit Reports, CVSS Score) and Organization Context feed into Analytics, which yields the vulnerabilities that matter the most and are to be fixed first.]
Key Take Away
• Consider the asset’s risk rating and its criticality in the network. Get the context right before spending effort on fixing an issue.
• Subscribe to vulnerability intelligence feeds to get information on attacks, breaches, zero-days and active exploits, and so gain perspective on vulnerabilities.
• Clearly communicate security posture to all relevant stakeholders – be they technical people or non-technical (business) people.
• CVSS is good, but when you customize it to your environment, it works better.
• Once you have the list of important ones to be fixed, track them to closure.
• Last but not least – don’t do this manually, as it is a huge task depending upon the size of the network and organization. Automate efforts to effectively contextualize what’s happening in the outside world and what’s relevant to your organization.
Bangalore | Cupertino | Delhi | Dubai | Jersey City | Mumbai
Q & A
Thank You
For more information:
Yogesh Bhatia
Practice Head, Threat Management Services
Yogesh.Bhatia@aujas.com

How to Enhance Vulnerability Management with Intelligence plus Analytics


Editor's Notes

  • #5 Is it worth my time to fix this first and everything else later? This information is good but may not be comprehensive. There might be other techniques that attackers are using to compromise the network. You have probably focused on a single high-profile threat which is not even being exploited. A better strategy is to use vulnerability or threat intelligence to explore the source and spread of vulnerabilities. Check vulnerability or threat intelligence feeds: what is being actively exploited? Thinking like an attacker, and having the same information an attacker has, will help prioritize remediation. This shifts your strategy away from trying to fix everything and instead focuses on identifying and remediating the vulnerability most likely to cause a breach.
  • #6 The team needs to contextualize the threat data with the organization’s specific vulnerabilities and weaknesses. If a high-profile vulnerability like Heartbleed or ShellShock in this example is impacting a large portion of the internet, it may not matter at all to your specific company, depending upon your environment and assets. Rather, it may be more important to address some other vulnerability which matters to you. The other aspect to consider: have you considered the position of the server in your network segment? What is the impact if a particular vulnerability is exploited? What is the asset’s criticality within the network?
  • #8 Consider the asset’s risk rating and its criticality in the network. Get the context right before spending effort on fixing an issue; I am sure the developers and the IT team would appreciate it. If you ask me what needs to be fixed: go for the vulnerabilities listed in Metasploit and ExploitDB, as they are easily available for exploitation and you don’t want to take the chance. Subscribe to intelligence feeds to get information on attacks, breaches, zero-days and active exploits, and so gain perspective on attacks. Decide what you need to fix first in your own environment based on real-time threat information. Clearly communicate security posture to all relevant stakeholders – be they technical people like IT or non-technical business people. CVSS is good; when you customize it to your environment, it works out better. Once you have the list of important ones to be fixed, track them to closure. Last but not least – don’t do this manually, as it is a huge task depending upon the size of the network and organization. Excel won’t be able to help beyond a point. Automate efforts to effectively contextualize what’s happening in the outside world and what’s relevant to your organization.
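The prioritisation that the Key Take Away slide and editor's note #8 describe, as an added Python example that is not part of the deck or of Aujas' tooling: scanner findings, organisation context (asset criticality, network position, owning business unit) and a vulnerability intelligence feed (actively exploited, public exploit available) are combined into one fix-first list, plus a per-business-unit posture count for non-technical stakeholders. The asset names, the `VULN-*` identifiers, the weights and the feed contents are all constructed assumptions; an organisation would tune the weights to its own environment.

```python
"""Constructed example of context-aware vulnerability prioritisation.

Not Aujas' tooling: it illustrates the deck's inputs (scanner data,
organisation context, vulnerability intelligence) feeding one ranked list.
Every identifier, weight and sample record below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str      # who owns it, for the stakeholder view
    criticality: int        # 1 (lab box) .. 5 (crown jewel), from the asset register
    internet_facing: bool   # network position: exposed edge or internal segment


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # constructed placeholder, not a real CVE number
    cvss_base: float        # 0.0 .. 10.0 as reported by the scanner


@dataclass(frozen=True)
class ThreatIntel:
    actively_exploited: frozenset   # seen in real attacks according to the feed
    public_exploit: frozenset       # a working exploit is publicly available


# Environmental weights: constructed values an organisation would tune itself.
CRITICALITY_WEIGHT = {1: 0.4, 2: 0.6, 3: 0.8, 4: 1.0, 5: 1.2}
EXPOSURE_MULTIPLIER = 1.25
ACTIVE_EXPLOIT_BONUS = 2.0
PUBLIC_EXPLOIT_BONUS = 1.0


def priority_score(finding, asset, intel):
    """CVSS base scaled by asset context, then lifted by intelligence signals.

    Returns (score, reasons); the score is capped at 10.0 so it stays on the
    familiar CVSS scale when shown to stakeholders.
    """
    reasons = [f"asset criticality {asset.criticality}"]
    score = finding.cvss_base * CRITICALITY_WEIGHT[asset.criticality]
    if asset.internet_facing:
        score *= EXPOSURE_MULTIPLIER
        reasons.append("internet facing")
    if finding.vuln_id in intel.actively_exploited:
        score += ACTIVE_EXPLOIT_BONUS
        reasons.append("actively exploited per intel feed")
    elif finding.vuln_id in intel.public_exploit:
        score += PUBLIC_EXPLOIT_BONUS
        reasons.append("public exploit available")
    return round(min(score, 10.0), 2), reasons


def rank_findings(findings, assets, intel):
    """Return findings ordered fix-first with their adjusted score and reasons."""
    ranked = []
    for f in findings:
        score, reasons = priority_score(f, assets[f.asset], intel)
        ranked.append({"asset": f.asset, "vuln_id": f.vuln_id,
                       "cvss_base": f.cvss_base, "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["vuln_id"]))
    return ranked


def posture_by_business_unit(ranked, assets, threshold=7.0):
    """Stakeholder view: how many findings at or above the threshold each unit owns."""
    counts = {}
    for r in ranked:
        unit = assets[r["asset"]].business_unit
        counts.setdefault(unit, 0)
        if r["score"] >= threshold:
            counts[unit] += 1
    return counts


# Constructed sample inputs.
ASSETS = {
    "web-portal": Asset("web-portal", "customer-services", 5, True),
    "hr-db": Asset("hr-db", "human-resources", 4, False),
    "lab-vm": Asset("lab-vm", "research", 1, False),
}
FINDINGS = [
    Finding("lab-vm", "VULN-A", 10.0),      # scanner says critical; lab box, no exploitation seen
    Finding("web-portal", "VULN-B", 7.5),   # exposed crown jewel, actively exploited
    Finding("hr-db", "VULN-C", 6.5),        # internal, but a public exploit exists
    Finding("web-portal", "VULN-D", 4.3),   # low severity on an exposed asset
]
INTEL = ThreatIntel(actively_exploited=frozenset({"VULN-B"}),
                    public_exploit=frozenset({"VULN-B", "VULN-C"}))

if __name__ == "__main__":
    ranked = rank_findings(FINDINGS, ASSETS, INTEL)
    for r in ranked:
        print(f'{r["score"]:>5}  base {r["cvss_base"]:>4}  {r["vuln_id"]} on {r["asset"]}: '
              + ", ".join(r["reasons"]))
    print(posture_by_business_unit(ranked, ASSETS))
```

With these constructed inputs the CVSS 10.0 finding on the lab box ranks last and the actively exploited 7.5 on the exposed portal ranks first, which is the slide's point: the scanner score alone would have ordered them the other way round. The `reasons` list is what you hand to the IT team so the ordering is explainable, and the business-unit counts are the posture summary for executives who never see a CVSS score.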