New approaches to vulnerability management
1. New Approaches to Vulnerability Management
Todd Graham
Director, Risk & Compliance
RSA
2. What is Vulnerability Management
• The definition thus far[1]:
“Vulnerability management is the cyclical practice of identifying,
classifying, remediating, and mitigating vulnerabilities. This practice
generally refers to software vulnerabilities in computing systems.”
“Host and infrastructure vulnerabilities can often be addressed by
applying patches or changing configuration settings. Custom
software or application-based vulnerabilities often require
additional software development in order to fully mitigate.
Technologies such as web application firewalls can be used in the
short term to shield systems, but to address the root cause,
changes must be made to the underlying software.”
[1] Thank you Wikipedia
3. Mega Changes Forcing Evolution
• Cloud
– New area to audit and protect
– Computing power available for good and evil
• Virtualization
– The data center becomes homogeneous
– Potential hypervisor-based vulnerabilities
• Attacker Motivation
– Vulnerabilities exploited for financial gain
• “Enterprization” of Consumer
– Web 2.0 technologies open up new threats to the enterprise
4. Classic VM Program Steps
• Define Policy - Organizations must start out by determining what the desired security state for their environment is. This includes determining desired device and service configurations and access control rules for users accessing resources.
• Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.
• Prioritize Vulnerabilities - Instances of policy violations are vulnerabilities. These vulnerabilities are then prioritized using risk and effort-based criteria.
• Shield - In the short term, the organization can take steps to minimize the damage that could be caused by the vulnerability by creating compensating controls.
• Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.
• Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, new security vulnerabilities are always being identified. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
Source: Gartner, Improve IT Security With Vulnerability Management
5. Technology Surfaces
• Network & Host
– Scan network to discover assets
– Determine asset type, version, and configuration
– Compare current device state to known vulnerabilities
• Application
– Profile applications to determine risky behavior or insecure
programming techniques
– Part of SDLC and Vendor Management Programs
• Configuration Management
– Adjacent to traditional VM
– Focused on managing configuration to mitigate threats
6. What’s Next
Thesis:
The next generation of vulnerability management
will come from the integration and correlation of
disparate data sources, many of which already
exist in the enterprise.
We need to intelligently connect the dots (SIEM,
DLP, App Scanners, File and DB Access
Monitoring…).
7. Creative Zero Day Detection
• Leverage your SIEM to detect and correlate
abnormal behaviors
8. 3 Step Process – Step 1
1. Collect and normalize information from VA
scanners and asset inventory tracking systems
– View and manage the asset details across the entire enterprise
[Diagram: vulnerability definition sources A, B and C (vulnerability database, WWW and vendor feeds) are acquired, parsed into structured descriptions and normalized to VUL IDs; IDS/IPS signature updates (event IDs, MSG v3.5 grammars) are parsed and mapped to SIG IDs and VUL IDREFs; VA reports are parsed into asset IDs and asset predicates; the results are built into a normalized vulnerability database (severity, asset predicates, signatures) whose signature updates are distributed to the production VA and IDS systems and refreshed periodically.]
9. 3 Step Process – Step 2
2. Embedded Vulnerability Repository
• Database of vulnerabilities from NVD
• Description, impact, cross-reference meta-data, affected products,
vendors, versions, protocols, network service
10. 3 Step Process – Step 3
3. Automatically relate security events to
asset attributes via the vulnerability
repository
– Assign a confidence to the impact an incident will have upon the target
11. The New Threat Surface: Customers
• Enterprises are beginning to view their
customers and partners as threat sources
• Must identify threats against their customers
(phishing, etc.) and work to mitigate
• Customer wanted to view VA scans next to anti-phishing
12. Bringing It All Together:
Case Study Overview
• A global internet, mobility and communications company built a
best-in-class Threat Management Program by:
– Consolidating Security and Asset Information
– Creating correlations to generate actionable intelligence
– Providing key-stakeholders with information and vision of their risk
– Building a repetitive process for effective and efficient Threat
Management
• Company Facts:
– Fortune Ranking: ~60
– 2006 Revenue: $54.29b
– Number of Employees: 68,483
13. Challenges
• Information Silos – Difficult to correlate security data to determine actual risk.
• Global Segmentation – Impossible to correlate data from third party and company managed assets.
• Ownership of Risk – Difficult for executives to determine which vulnerabilities affect their Products and Services.
• Lack of Visibility – Lack of reporting prevented executives from making intelligent decisions about acceptable risk to their business.
[Diagram: disconnected data sources – Sys Mgmt, VA, VA’, Threat Feed]
14. Goals
• Effective Threat Management – Manage Threats from a Product and Services perspective.
• Information Consolidation – Turn disparate silos of information into actionable knowledge.
• Information Correlation – Correlate threat and asset data across multiple business units and geographies.
• Delivery – Enable executives to release their Products and Services faster to market.
• Ownership – Empower executives to effectively manage risks to their business through an enterprise security view of their business.
[Diagram: the same sources – Sys Mgmt, VA, VA’, Threat Feed – now consolidated]
17. A Best-in-Class Threat Management Program
1. Assets • Consolidate Asset Data
2. Threats • Consolidate Threat Data
3. Risks • Manage your Risk Posture
4. Reports • Monitor your Business Security and Risk Mitigation efforts
23. 3 Turning Threat Data into Intelligence
• Asset Data (Host Name, IP Address):
– APPSERV002, 192.168.1.100
– DBSERV001, 192.168.1.101
• Scan Results (Host Name, IP Address, Scan ID, CVE-ID): the same two hosts, with scan IDs 90423, 90420 and 90418 and CVE-IDs CVE-2007-0069, CVE-2007-0066, CVE-2007-5350 and CVE-2007-0064 (scan 90420 maps to CVE-2007-5350 and scan 90418 to CVE-2007-0064)
• Threat Alerts (Alert ID, CVE-ID):
– 466355, CVE-2007-5350
– 466938, CVE-2007-0069
– 466951, CVE-2007-0066
24. 3 Map Alerts and Assets to Scan Results
• Map Scan Results to Alerts using CVE-ID
• Identify Vulnerability Alerts associated to Scan Results
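The three-step process (collect VA and asset data, embed a vulnerability repository, relate events to assets) and the CVE-ID mapping on slides 23–24, as an added worked example that is not from the deck or from RSA: constructed inventory, scan results, severities and alerts, with assumed names such as `correlate` and `Alert`.

```python
# Added example, not from the deck: relate IDS alerts to the targeted asset's
# VA scan results and an NVD-style vulnerability repository, keyed on CVE-ID,
# and assign a confidence to each alert's impact. All data is constructed.
from dataclasses import dataclass

# Step 1: normalized asset inventory and VA scan results (constructed data).
ASSETS = {"192.168.1.100": "APPSERV002", "192.168.1.101": "DBSERV001"}
SCAN_RESULTS = {  # host -> CVE-IDs the VA scanner reported for it
    "APPSERV002": {"CVE-2007-0069", "CVE-2007-0066"},
    "DBSERV001": {"CVE-2007-5350", "CVE-2007-0064"},
}
# Step 2: embedded vulnerability repository; the severities are constructed
# stand-ins for the CVSS score NVD supplies.
VULN_REPO = {"CVE-2007-5350": 9.0, "CVE-2007-0069": 7.5,
             "CVE-2007-0066": 6.0, "CVE-2007-0064": 4.0}

@dataclass
class Alert:  # an IDS event already mapped from its SIG ID to a CVE-ID
    alert_id: int
    dst_ip: str
    cve_id: str

# Step 3: confidence that the alert can actually affect the target.
CONFIDENCE = {"confirmed": 1.0, "possible": 0.5, "unknown": 0.2}

def correlate(alerts, assets=ASSETS, scans=SCAN_RESULTS, repo=VULN_REPO):
    """Return alerts enriched with host, confidence and priority, highest first.
    confirmed: the target's VA scan lists the alert's CVE-ID
    possible:  the target is inventoried but was not found vulnerable
    unknown:   the destination IP is not in the asset inventory
    """
    scored = []
    for a in alerts:
        host = assets.get(a.dst_ip)
        if host is None:
            level = "unknown"
        elif a.cve_id in scans.get(host, set()):
            level = "confirmed"
        else:
            level = "possible"
        severity = repo.get(a.cve_id, 5.0)  # CVE missing from repo: medium
        scored.append({"alert_id": a.alert_id, "host": host,
                       "cve_id": a.cve_id, "confidence": level,
                       "priority": round(CONFIDENCE[level] * severity, 1)})
    return sorted(scored, key=lambda r: r["priority"], reverse=True)

# Constructed alerts reusing the alert IDs and CVE-IDs shown on slide 23.
SAMPLE_ALERTS = [Alert(466355, "192.168.1.101", "CVE-2007-5350"),
                 Alert(466938, "192.168.1.101", "CVE-2007-0069"),
                 Alert(466951, "10.0.0.9", "CVE-2007-0066")]
```

`correlate(SAMPLE_ALERTS)` ranks the alert whose CVE the scan confirmed on the target first, the one the scan did not find on that host second, and the one aimed at an uninventoried address last.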
25. 3 Manage and Track Remediation Progress
• Document Remediation Activity
• Track Activity History
• Assign and Delegate Tasks to responsible personnel
26. 4 Reports: Enterprise Security Posture
• Provides users with a single interface for IT Security information at any level for Threat Management
• Presents relevant security information in an understandable format customized for differing environments
• Enables users to understand what actions should be taken to reduce risk and/or improve configuration compliance
27. Additional Data Sources
[Diagram: additional data sources feeding Event Aggregation and Data Enhancement – SIEM, IPS, AV, EP, Auth, WAF, DLP, FW, WLAN, URL, AD, GRC, Identity Data, Geo Info/GIS, HR, Legal, Engineering and Business Reporting; enrichment attributes – Division, Department, Location, Regulation, Asset Value; consumers – Incidents, Threats, UI, SOC, CIRT]
28. Emerging Vendors to Watch
• NeuralIQ
– Next-generation honeypot
– Virtual machine-based clones of production systems
capture all attacker behavior from the hypervisor
• HBGary
– Technologies to analyze malware, fingerprinting the
‘DNA’ at the memory and execution-level
– Has proactive capabilities to prevent execution of
identified “risky” behavior
29. Emerging Vendors to Watch (cont.)
• Checkmarx
– Static Application Security Testing (SAST) company
– Compiles all scanned code into common framework
for future testing
• Mykonos
– Web 2.0 AJAX framework
– Ensures that JavaScript code on end-user systems is
not compromised
– Built-in security for AJAX calls and functions
30. A Parting Thought
“Security is always going to be a cat and
mouse game because there'll be people out
there that are hunting for the zero day award,
you have people that don't have configuration
management, don't have vulnerability
management, don't have patch management.”
-Kevin Mitnick