3. @NTXISSA #NTXISSACSC3
“97% of breaches could have been avoided through simple or intermediate controls”
- Verizon Data Breach Investigations Report, 2012
While over 90 percent of all organizations monitor security effectiveness in some manner, only 40 percent do so ‘constantly’ rather than on an as-needed basis.
- Enterprise Strategy Group (ESG) Security Management & Operations Report, June 2012
4. How are vulnerabilities usually managed?
• Limited or non-existent budget
• Scanning too infrequently to be relevant
• Or scanning too aggressively
• Not using authentication
• Only scanning the “perimeter”
• Ad hoc prioritization
… Ignoring them
5. Vulnerability Management Goals…
• … keep your job
• Asset discovery
• Understand your perimeter
• Test new systems before they’re brought online
• Automation + Integration
• Produce actionable data & metrics
• Comply with regulations (PCI, HIPAA, NERC CIP…)
• Vulnerability remediation / reduce attack surface
• Keep your company’s name off the front page of the New York Times…
(or, VM Maturity Model)
6. Challenges
• Resistance from Network Operations, Patching Team, System Owners
  • Things *will* crash
  • Network devices *will* become saturated
  • Patching software won’t always agree with the scanner
• Vulnerability Prioritization
  • DHCP
  • Who owns the machine and/or service?
• Scanning
  • Scanner placement
  • What is in/out of scope?
  • Can you scan partner networks?
7. Where do we start?
• What are you going to scan?
  • Discovery scan
  • Internal vs External IPs
  • Ports
  • Authentication
  • Workstations, servers, lab, DMZ, IP phones, printers, network devices
• Scan frequency and windows?
• Who is responsible for patching?
• Where are the firewalls?
• Where do I place the scanners?
• How will vulnerabilities be prioritized?
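The scope questions above (internal vs external, what is in and out of scope, partner networks) turn into a concrete target list before the first discovery scan runs. The script below is an added example, not code from the slides: it takes the CIDRs you are authorised to scan, removes anything on an exclusion list (partner-managed ranges, fragile devices), and splits what remains into internal targets (RFC 1918 space, to be scanned from inside with credentials) and external targets (to be scanned from outside the perimeter). All of the networks in it are constructed; the public ones use RFC 5737 documentation ranges.

```python
"""Turn scope decisions into a concrete scan target list.

Added example; not code from the NTX ISSA slides. All networks below are
constructed: RFC 1918 space for internal hosts, RFC 5737 documentation
ranges for external ones, and a made-up partner-managed host that is
out of scope.
"""
import ipaddress

# Internal address space (RFC 1918). Anything else in scope is treated as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _addresses(net):
    """Usable addresses of a network; a /32 (or /128) is the single host itself."""
    if net.prefixlen == net.max_prefixlen:
        return [net.network_address]
    return net.hosts()


def plan_targets(in_scope, excluded):
    """Split authorised CIDRs into internal and external targets, dropping exclusions.

    in_scope : CIDRs/hosts you are authorised to scan
    excluded : CIDRs/hosts that must never be scanned (partner networks, fragile
               devices), applied even where they overlap in_scope
    Returns (internal, external, dropped) as lists of address strings.
    """
    excl = [ipaddress.ip_network(c, strict=False) for c in excluded]
    internal, external, dropped = [], [], []
    for cidr in in_scope:
        net = ipaddress.ip_network(cidr, strict=False)
        for addr in _addresses(net):
            if any(addr in e for e in excl):
                dropped.append(str(addr))      # out of scope wins over in scope
            elif any(addr in n for n in RFC1918):
                internal.append(str(addr))     # scan from an internal scanner, with credentials
            else:
                external.append(str(addr))     # scan from outside the perimeter
    return internal, external, dropped


if __name__ == "__main__":
    # Constructed scope: a small internal block, a DMZ block, one public host,
    # and a partner-managed device inside the internal block that is off limits.
    i, e, d = plan_targets(
        in_scope=["10.1.0.0/30", "192.0.2.0/30", "203.0.113.5"],
        excluded=["10.1.0.2/32"],
    )
    print("internal:", i)
    print("external:", e)
    print("dropped: ", d)
```

The exclusion list is checked first on purpose: a partner-owned address that happens to sit inside one of your own /16s must be dropped even though the enclosing block is in scope, which is exactly the "can you scan partner networks?" problem.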
8. What do I do with all of these vulnerabilities?
• Patch
• Upgrade
• Disable/Uninstall the service
• Add a client-side firewall or HIPS
• Modify the network fabric (routers/firewalls/IPS)
• … or ignore
• Prioritization
  • CVSS
  • Valuable hosts/data
  • *accessibility* from a threat source
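The three prioritization inputs listed above (CVSS, the value of the host or data, and whether a threat source can actually reach the host) combine into one ranking. The script below is an added example, not code from the slides: the asset inventory, the reachability model and the findings are all constructed, and the weighting (CVSS scaled by asset value out of 5 and by an exposure multiplier) is an illustrative formula, not a standard. It exists to show why a CVSS 9.8 on an isolated workstation can rank below a CVSS 7.5 on an internet-facing DMZ box.

```python
"""Rank findings by CVSS, asset value and reachability from a threat source.

Added example; not code from the NTX ISSA slides. The asset inventory,
reachability model and findings below are constructed sample data, and the
weighting (CVSS x value/5 x exposure) is a simple illustrative formula, not
a standard.
"""
from dataclasses import dataclass
import ipaddress

# Constructed inventory: network -> (asset group, business value 1..5)
ASSET_VALUE = {
    ipaddress.ip_network("192.0.2.0/24"): ("DMZ web", 4),
    ipaddress.ip_network("10.1.0.0/24"): ("ABC servers", 5),
    ipaddress.ip_network("10.2.0.0/24"): ("NA workstations", 2),
}

# Constructed reachability: which networks each threat source can actually hit.
# The DMZ is internet-facing; an insider can reach all of 10/8; anything else
# is only reachable after a further pivot.
REACHABLE = {
    "internet": [ipaddress.ip_network("192.0.2.0/24")],
    "insider": [ipaddress.ip_network("10.0.0.0/8")],
}
EXPOSURE = {"internet": 1.0, "insider": 0.6, "none": 0.2}


@dataclass
class Finding:
    host: str
    port: int
    check: str      # scanner check id; placeholder, not a real identifier
    cvss: float     # CVSS base score, 0.0..10.0


def asset_value(host):
    addr = ipaddress.ip_address(host)
    for net, (group, value) in ASSET_VALUE.items():
        if addr in net:
            return group, value
    return "unknown", 3   # unknown box: middle value, never zero (it may be the one you missed)


def exposure(host):
    """The most hostile threat source that can reach the host decides the multiplier."""
    addr = ipaddress.ip_address(host)
    for source in ("internet", "insider"):
        if any(addr in net for net in REACHABLE[source]):
            return EXPOSURE[source]
    return EXPOSURE["none"]


def priority(f):
    """Score in 0..10: CVSS scaled by asset value (out of 5) and by exposure."""
    _, value = asset_value(f.host)
    return round(f.cvss * (value / 5) * exposure(f.host), 2)


def rank(findings):
    return sorted(findings, key=priority, reverse=True)


if __name__ == "__main__":
    # Constructed findings: a critical on a workstation, a critical on a server,
    # a high on an internet-facing DMZ host, and a critical on an unreachable box.
    findings = [
        Finding("10.2.0.7", 445, "check-A", 9.8),
        Finding("10.1.0.5", 22, "check-B", 9.8),
        Finding("192.0.2.10", 443, "check-C", 7.5),
        Finding("172.16.9.9", 80, "check-D", 10.0),
    ]
    for f in rank(findings):
        print(f"{priority(f):5.2f}  {f.host:<12} cvss={f.cvss}  {asset_value(f.host)[0]}")
```

Note the deliberate choice to give an unknown host a middle value rather than zero: a box missing from the inventory is a gap in asset discovery, and scoring it at zero would quietly push it to the bottom of the list.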
15. Metrics
• Are you measuring busyness or addressing “risk”?
• What am I scanning?
• What am I *not* scanning?
• How many of what kind of vulnerabilities?
• What’s different compared to last month?
• Pitfalls
  • DHCP
  • Trending
  • Upgrading or sunsetting hosts
  • Stale scan data
  • Wall of shame
18. A great example… Metrics in context
February Scan Results:

Asset Group                       Status   Comments
ABC Servers and Network Devices   Yellow   No host increase, number of Level 5 vulnerabilities is the same.
DEF Servers and Network Devices   Green    No increase in hosts, Level 5 vulnerabilities have decreased.
GHI Servers and Network Devices   Yellow   No host increase, number of Level 5 vulnerabilities is the same.
NA Workstations                   Red      The number of hosts and Level 5 vulnerabilities increased.
Europe Workstations               Green    The number of hosts increased and the number of Level 5 vulnerabilities still decreased.
JKL Workstations                  Red      The number of hosts and Level 5 vulnerabilities increased.
20. Interoperability – The whole is greater than the sum of its parts
• Asset Management/CMDB: Who owns this box?
• Patching: Discover false negatives
• Pen Testing: Speed up vulnerability discovery, less intrusive
• SIEM/IPS/IDS: Mitigate false alerts, fine-tune, add context, prioritize remediation
• Ticketing: Easy workflow
• Vector Analysis: Prioritization, discover unscanned subnets, discover *downstream* risk
• GRC: Fine-tune risk metrics, remediation tracking
21. The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 2-3, 2015
Thank you