SlideShare a Scribd company logo

Patch and Vulnerability Management

Marcelo Martins
Marcelo Martins

This document discusses patch and vulnerability management. It begins with an agenda that covers why patch management matters, its relationship to risk management and penetration testing, how to implement patch and vulnerability management, establish metrics, plan ahead, and draw conclusions. It then discusses key aspects of patch and vulnerability management including monitoring vulnerabilities, establishing priorities, managing knowledge of vulnerabilities and patches, testing patches, implementing patches, verifying implementation, and improving the process. The goal is to reduce risk by addressing vulnerabilities through a structured patch management program.

Technology
1 of 62
Patch and Vulnerability Management Marcelo Martins linkedin.com/in/marcelomartins
Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
§  Assets §  1 – Business processes (or sub-processes) and activities, for example: §  Processes whose loss or degradation make it impossible to carry out the mission of the organization §  Processes that contain secret processes or processes involving proprietary technology §  Processes that, if modified, can greatly affect the accomplishment of the organization's mission §  Processes that are necessary for the organization to comply with contractual, legal or regulatory requirements Source: ISO/IEC 27005:2011 B.1 Why does it matter?
§  Assets §  2 – Information §  Vital information for the exercise of the organization's mission or business §  Personal information, as can be defined specifically in the sense of the national laws regarding privacy §  Strategic information required for achieving objectives determined by the strategic orientations §  High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost Source: ISO/IEC 27005:2011 B.1 Why does it matter?
§  Vulnerabilities: Software or configuration flaws that weaken the security of an asset §  Ex: Used to gain access to a system §  Controls §  Software patches §  Configuration changes §  Flawed software or service removal §  Threats: Exploit vulnerabilities and cause damage to the asset §  Ex: exploit scripts, worms, viruses, rootkits e Trojan horses Why does it matter?
Vulnerabilities Threats (agents) Controls Risk Assets Impactexploit reduce potencialize risk and cause impact affects mitigate Why does it matter? are present are implemented
Why does it matter?
Why does it matter?
Why does it matter?
Why does it matter?
Why does it matter?
Why does it matter?
Why does it matter?
Why does it matter?
Why does it matter? The more we use… The less we need to use… Vulnerability Management Changes Management Configuration Management Incident Management Business Continuity Management
Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
Relationship Risk Management Information Security Management Vulnerability Management
Relationship Vulnerability Assessment Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Reporting Penetration Test Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Exploitation Post Exploitation Reporting
Relationship Vulnerability Assessment Usually has a broader scope than Penetration Test Predictable, because network adm is aware of the tools being used May include several false postitives Produces a report with recommendations for risk reduction Penetration Test Exploits specific attack vectors (services or assets) May happen unannounced, to test incident response Trustworthy because provides evidence of break in (root!) Pen Testing = Proof of Concept against vulnerabilities Produces a binary result: got root or not
Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Monitor vulnerabilities
Monitor vulnerabilities §  Some tools
Monitor vulnerabilities §  Some sources of alerts §  NIST NVD §  nvd.nist.gov §  CVE §  cve.mitre.org §  US-CERT §  us-cert.gov §  CERT.BR §  cert.br §  Vendor site and e-mail lists
Monitor vulnerabilities §  Scope Definition §  Avoid the situation where the Organization is aware of a serious security flaw. If there is awareness and no patching, there is no due diligence §  If a security incident is related to a known vulnerability not patched by the Organization, it may open a possibility to claims of damage Vulnerability analysis without patching has little value Little analysis and lots of patching is better than lots of analysis and little patching
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Establish priorities Likelihood Consequence
Establish priorities Risk Quantification Loss Expectancy Control Cost Exposure Factor
Establish priorities Acceptable Risk Controlable Risk Unacceptable Risk
Establish priorities Assets Process or system Business objective Billing e-Commerce Email
Establish priorities
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Manage knowledge §  Maintaining a database §  Manually maintained databases should contain instructions on removing vulnerabilities by installing patches or performing workarounds, as well as the actual patches when applicable §  Linking resources §  While the creation of a database is recommended, resource constraints may limit an organization to listing only Web sites or specific Uniform Resource Locators (URL) for each patch
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Test patch §  Many vendors provide mechanisms of authentication §  Patches should have their authenticity verified, using PGP or digital certificates §  Antivirus software should scan all patches before installation §  And before that, make sure the antivirus and its signature database are updated §  Patches e configuration changes should be tested in the testing environment, they can bring unexpected results §  Some patches are extremely complicated and largely affect the operating system by replacing files and changing system settings
Test patch §  Uninstallation option (undo) must be seriously taken into consideration §  Even though, sometimes the uninstallation process cannot bring the system back to its previous state
Test patch Development Environment Testing Environment Prodution Environment
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Implement patch Risk Treatment Risk modification Implement controls Risk avoidance Cancel the operation Risk sharing Buy insurance Risk retention “I’m feeling lucky”
Implement patchReduceRisk •  There is no “zero risk”. •  To cancel the operation avoids the risk but may not be the best option. •  The objective is to make money with adequate risks. TransferRisk •  Insurance won’t transfer risk. It will only transfer risk of financial losses. •  Health insurance won’t transfer death risk. Life insurance? Not a chance. •  Control cost is the cost of insurance. AcceptRisk •  May not be so bad. Depends on factors and costs. •  A soccer coach knows there is about 50/50 chance of winning the match, even managing the stronger team. •  Risk is inherent to business.
Implement patch
Implement patch §  Threat exposure §  Determinate the real meaning of the threat or vulnerability and which systems are vulnerable or exposed, focusing on critical systems §  Determinate the risk of applying the patch and if the patch affects the functionality of other applications and services (should also be addressed in Changes Management)
Implement patch §  Recent backup §  Before making any changes, it is better to make sure there is a recent backup copy. This way, it is easier to restore the environment §  Many assets §  Patch implementation gets very hard when there are thousands of assets. Automated solutions (EPM – Enterprise Patch Management) may be the answer.
Implement patch §  Delay of patch implementation must be carefully considered §  Threat level §  Internet accessible assets, many systems to be patched §  Exploitation risk §  If the vulnerability may be easily exploited, the patch (or virtual patch) should be immediately installed §  Exploitation consequences §  Critical systems or systems containing sensitive information should be patched as soon as possible
Implement patch §  Possible problems §  The instalation agent may reduce performance or make the systems uninstable §  Patches may be incompatible with other softwares §  User may lose informatgion when the agents reboots the system to install the patch §  EPM agent may be itself another security threat §  Mobile users may have problem when EPM tries to install a large amount of patches as the user logs on
Implement patch §  Determinate root cause §  Many vulnerabilities are the result of poorly formed system configuration or user administration policies, and inadequate provisioning or change management processes. §  Eliminating root causes requires improvements in the policies and processes that are used to provision, configure and change systems, and administer users.
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Verify implementation §  Verify that files and settings were changed as specified by the vendor §  Run a vulnerability scanner §  Make sure patches were installed by log review §  Make use of penetration testing services to make sure that the vulnerability was patched
Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
Improve the process §  Training §  Automated patch management solutions §  Enterprise patch management §  Learned lessons §  Implementation flaws §  Slow bandwidth and processing power §  User permissions §  Best date and time
Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
§  Every organization should consistently measure the effectiveness of its patch and vulnerability management program and apply corrective actions as necessary. §  Without such a capability, even the best-designed security architectures can be susceptible to penetration or other forms of exploit. Establishing metrics Metric Name (Example) Units Vulnerability ratio Vulnerabilities/Host Unapplied patches ratio Patches/Host Network services ratio Services/Host Response time for vulnerability and patch identification Time Patch response time (critical) Time
Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
§  Acting before the infection §  For any single vulnerability for which a widespread worm will be created, manual monitoring and patching is much more cost-effective than responding to a worm infection §  Enterprise Patch Management (EPM) §  Given that patches are constantly released, manual patching becomes prohibitively expensive unless the operating environment consists of only a few software packages (thus decreasing the total number of patches needed) Planning ahead
§  Enterprise patch management §  All moderate to large-size organizations should be using EPM §  Even small organizations should be migrating to some form of automated patching tool §  Manual patching is becoming ineffective as the number of patches grows and as attackers develop exploit code more rapidly §  Only uniquely configured computers and appliance- based devices should continue to be patched manually Planning ahead
Planning ahead §  Types of EPM §  There are two primary categories of enterprise patch management tools §  those that use agents §  those that do not §  Some products support both approaches and allow the administrator to choose the approach that is most efficient for the environment
§  New acquisitions §  Consider less complicated products. More code, features, and services can mean more bugs, vulnerabilities, and patches §  Delay implementing recently released major operating systems or applications until the experiences of others can be included in the decision-making process §  Consider software validated by independent testing. For the greatest assurance, the software’s source code should be evaluated §  Use only versions of software that are currently supported. Obsolete software beyond its lifecycle often has flaws that are only addressed in the newer, supported versions Planning ahead
§  Standardization §  The standard configuration will likely include the following items §  Hardware type and model §  Operating system version and patch level §  Major installed applications (version and patch level) §  Security settings for the operating system and applications. §  In many cases, these standardized configurations can be maintained centrally, and changes can be propagated to all participating IT resources. Planning ahead
§  Post incident patching §  Patching after a security compromise is significantly more complicated than merely applying the appropriate patch §  The vulnerability that was exploited must be patched §  It will not eliminate rootkits, backdoors, or most other changes that might have been introduced by the intruder §  For example, the Code Red II worm placed backdoors on compromised systems, and later the Nimda worm exploited those backdoors §  A compromised system should be reformatted and reinstalled or restored from a known safe and trusted backup Planning ahead
Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
Conclusion §  There must be a Vulnerability Management process §  Little analysis and lots of patching §  Network administration must be kept informed of disclosed vulnerabilities §  The environment should be standardized and well-documented §  All changes must go through Changes Management §  Every change must be tested at the testing environment §  An automated process of patch installation may have the best cost/benefit
References §  NIST §  SP 800-40 §  Creating a Patch and Vulnerability Management Program §  SP 800-115 §  Technical Guide to Information Security Testing and Assessment §  CVE §  http://measurablesecurity.mitre.org/directory/areas/ vulnerabilitymanagement.html §  ISO/IEC 29147:2014 §  gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. §  ISO/IEC 30111:2013 §  gives guidelines for how to process and resolve potential vulnerability information in a product or online service.

Recommended

OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best Practices
Ivanti
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
Ivanti
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019
Ivanti
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
n|u - The Open Security Community
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
Lionel Medina
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 

Recommended

OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best Practices
Ivanti
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
Ivanti
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019
Ivanti
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
n|u - The Open Security Community
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
Lionel Medina
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
Birendra Negi ☁️
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
Marcelo Silva
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
Dennis Chaupis
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
Argyle Executive Forum
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
Kangaroot
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)
Iftikhar Ali Iqbal
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Marlabs
 
Microsoft Zero Trust
Microsoft Zero TrustMicrosoft Zero Trust
Microsoft Zero Trust
David J Rosenthal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 
TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
Tri Phan
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 

More Related Content

What's hot

cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
Birendra Negi ☁️
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
Marcelo Silva
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
Dennis Chaupis
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
Yvonne Marambanyika
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
Argyle Executive Forum
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Sounil Yu
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
Kangaroot
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)
Iftikhar Ali Iqbal
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Marlabs
 
Microsoft Zero Trust
Microsoft Zero TrustMicrosoft Zero Trust
Microsoft Zero Trust
David J Rosenthal
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 

What's hot (20)

cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
 
Vulnerability Management Program
Vulnerability Management ProgramVulnerability Management Program
Vulnerability Management Program
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Microsoft Zero Trust
Microsoft Zero TrustMicrosoft Zero Trust
Microsoft Zero Trust
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 

Similar to Patch and Vulnerability Management

TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
Tri Phan
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability ManagementVicky Ames
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
Tuan Phan
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to Development
Erika Barron
 
Security Misconfiguration.pptx
Security Misconfiguration.pptxSecurity Misconfiguration.pptx
Security Misconfiguration.pptx
Kalyani Raut
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
ssuser66c4d5
 
Continuous delivery
Continuous deliveryContinuous delivery
Continuous delivery
Masas Dani
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
Piyush Jain
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
Fahad Al-Hasan
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
Secure Your WordPress Site - And Your Business
Secure Your WordPress Site - And Your BusinessSecure Your WordPress Site - And Your Business
Secure Your WordPress Site - And Your Business
Stacy Clements
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
BabyBoy55
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
ImXaib
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
jpubal
 
PACE-IT, Security+2.8: Risk Management Best Practices
PACE-IT, Security+2.8: Risk Management Best PracticesPACE-IT, Security+2.8: Risk Management Best Practices
PACE-IT, Security+2.8: Risk Management Best Practices
Pace IT at Edmonds Community College
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
Dr. Anish Cheriyan (PhD)
 
Breakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsBreakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview Solutions
Drew Madelung
 
PACE-IT, Security+ 4.3: Solutions to Establish Host Security
PACE-IT, Security+ 4.3: Solutions to Establish Host SecurityPACE-IT, Security+ 4.3: Solutions to Establish Host Security
PACE-IT, Security+ 4.3: Solutions to Establish Host Security
Pace IT at Edmonds Community College
 

Similar to Patch and Vulnerability Management (20)

TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous MonitoringTrustedAgent GRC for Vulnerability Management and Continuous Monitoring
TrustedAgent GRC for Vulnerability Management and Continuous Monitoring
 
Effective Vulnerability Management
Effective Vulnerability ManagementEffective Vulnerability Management
Effective Vulnerability Management
 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
How the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to DevelopmentHow the Cloud Shifts the Burden of Security to Development
How the Cloud Shifts the Burden of Security to Development
 
Security Misconfiguration.pptx
Security Misconfiguration.pptxSecurity Misconfiguration.pptx
Security Misconfiguration.pptx
 
Module 6.pptx
Module 6.pptxModule 6.pptx
Module 6.pptx
 
Continuous delivery
Continuous deliveryContinuous delivery
Continuous delivery
 
ISS CAPSTONE TEAM
ISS CAPSTONE TEAMISS CAPSTONE TEAM
ISS CAPSTONE TEAM
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Secure Your WordPress Site - And Your Business
Secure Your WordPress Site - And Your BusinessSecure Your WordPress Site - And Your Business
Secure Your WordPress Site - And Your Business
 
CIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdfCIA-Triad-Presentation.pdf
CIA-Triad-Presentation.pdf
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
 
PACE-IT, Security+2.8: Risk Management Best Practices
PACE-IT, Security+2.8: Risk Management Best PracticesPACE-IT, Security+2.8: Risk Management Best Practices
PACE-IT, Security+2.8: Risk Management Best Practices
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Breakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview SolutionsBreakdown of Microsoft Purview Solutions
Breakdown of Microsoft Purview Solutions
 
PACE-IT, Security+ 4.3: Solutions to Establish Host Security
PACE-IT, Security+ 4.3: Solutions to Establish Host SecurityPACE-IT, Security+ 4.3: Solutions to Establish Host Security
PACE-IT, Security+ 4.3: Solutions to Establish Host Security
 

More from Marcelo Martins

Criptografia Aplicada
Criptografia AplicadaCriptografia Aplicada
Criptografia Aplicada
Marcelo Martins
 
Applied Cryptography
Applied CryptographyApplied Cryptography
Applied Cryptography
Marcelo Martins
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
Marcelo Martins
 
Indicadores na Gestão de Riscos de Segurança da Informação
Indicadores na Gestão de Riscos de Segurança da InformaçãoIndicadores na Gestão de Riscos de Segurança da Informação
Indicadores na Gestão de Riscos de Segurança da Informação
Marcelo Martins
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e Vulnerabilidades
Marcelo Martins
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
Marcelo Martins
 

More from Marcelo Martins (6)

Criptografia Aplicada
Criptografia AplicadaCriptografia Aplicada
Criptografia Aplicada
 
Applied Cryptography
Applied CryptographyApplied Cryptography
Applied Cryptography
 
Information Security Strategic Management
Information Security Strategic ManagementInformation Security Strategic Management
Information Security Strategic Management
 
Indicadores na Gestão de Riscos de Segurança da Informação
Indicadores na Gestão de Riscos de Segurança da InformaçãoIndicadores na Gestão de Riscos de Segurança da Informação
Indicadores na Gestão de Riscos de Segurança da Informação
 
Gestão de Patches e Vulnerabilidades
Gestão de Patches e VulnerabilidadesGestão de Patches e Vulnerabilidades
Gestão de Patches e Vulnerabilidades
 
Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?Cloud: Should I Stay or Should I Go?
Cloud: Should I Stay or Should I Go?
 

Recently uploaded

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 

Patch and Vulnerability Management

  • 1. Patch and Vulnerability Management Marcelo Martins linkedin.com/in/marcelomartins
  • 2. Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
  • 3. §  Assets §  1 – Business processes (or sub-processes) and activities, for example: §  Processes whose loss or degradation make it impossible to carry out the mission of the organization §  Processes that contain secret processes or processes involving proprietary technology §  Processes that, if modified, can greatly affect the accomplishment of the organization's mission §  Processes that are necessary for the organization to comply with contractual, legal or regulatory requirements Source: ISO/IEC 27005:2011 B.1 Why does it matter?
  • 4. §  Assets §  2 – Information §  Vital information for the exercise of the organization's mission or business §  Personal information, as can be defined specifically in the sense of the national laws regarding privacy §  Strategic information required for achieving objectives determined by the strategic orientations §  High-cost information whose gathering, storage, processing and transmission require a long time and/or involve a high acquisition cost Source: ISO/IEC 27005:2011 B.1 Why does it matter?
  • 5. §  Vulnerabilities: Software or configuration flaws that weaken the security of an asset §  Ex: Used to gain access to a system §  Controls §  Software patches §  Configuration changes §  Flawed software or service removal §  Threats: Exploit vulnerabilities and cause damage to the asset §  Ex: exploit scripts, worms, viruses, rootkits e Trojan horses Why does it matter?
  • 6. Vulnerabilities Threats (agents) Controls Risk Assets Impactexploit reduce potencialize risk and cause impact affects mitigate Why does it matter? are present are implemented
  • 7. Why does it matter?
  • 8. Why does it matter?
  • 9. Why does it matter?
  • 10. Why does it matter?
  • 11. Why does it matter?
  • 12. Why does it matter?
  • 13. Why does it matter?
  • 14. Why does it matter?
  • 15. Why does it matter? The more we use… The less we need to use… Vulnerability Management Changes Management Configuration Management Incident Management Business Continuity Management
  • 16. Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
  • 18. Relationship Vulnerability Assessment Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Reporting Penetration Test Pre-engagement Interactions Intelligence Gathering Threat Modeling Vulnerability Analysis Exploitation Post Exploitation Reporting
  • 19. Relationship Vulnerability Assessment Usually has a broader scope than Penetration Test Predictable, because network adm is aware of the tools being used May include several false postitives Produces a report with recommendations for risk reduction Penetration Test Exploits specific attack vectors (services or assets) May happen unannounced, to test incident response Trustworthy because provides evidence of break in (root!) Pen Testing = Proof of Concept against vulnerabilities Produces a binary result: got root or not
  • 20. Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
  • 21. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 24. Monitor vulnerabilities §  Some sources of alerts §  NIST NVD §  nvd.nist.gov §  CVE §  cve.mitre.org §  US-CERT §  us-cert.gov §  CERT.BR §  cert.br §  Vendor site and e-mail lists
  • 25. Monitor vulnerabilities §  Scope Definition §  Avoid the situation where the Organization is aware of a serious security flaw. If there is awareness and no patching, there is no due diligence §  If a security incident is related to a known vulnerability not patched by the Organization, it may open a possibility to claims of damage Vulnerability analysis without patching has little value Little analysis and lots of patching is better than lots of analysis and little patching
  • 26. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 32. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 33. Manage knowledge §  Maintaining a database §  Manually maintained databases should contain instructions on removing vulnerabilities by installing patches or performing workarounds, as well as the actual patches when applicable §  Linking resources §  While the creation of a database is recommended, resource constraints may limit an organization to listing only Web sites or specific Uniform Resource Locators (URL) for each patch
  • 34. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 35. Test patch §  Many vendors provide mechanisms of authentication §  Patches should have their authenticity verified, using PGP or digital certificates §  Antivirus software should scan all patches before installation §  And before that, make sure the antivirus and its signature database are updated §  Patches e configuration changes should be tested in the testing environment, they can bring unexpected results §  Some patches are extremely complicated and largely affect the operating system by replacing files and changing system settings
  • 36. Test patch §  Uninstallation option (undo) must be seriously taken into consideration §  Even though, sometimes the uninstallation process cannot bring the system back to its previous state
  • 38. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 39. Implement patch Risk Treatment Risk modification Implement controls Risk avoidance Cancel the operation Risk sharing Buy insurance Risk retention “I’m feeling lucky”
  • 40. Implement patchReduceRisk •  There is no “zero risk”. •  To cancel the operation avoids the risk but may not be the best option. •  The objective is to make money with adequate risks. TransferRisk •  Insurance won’t transfer risk. It will only transfer risk of financial losses. •  Health insurance won’t transfer death risk. Life insurance? Not a chance. •  Control cost is the cost of insurance. AcceptRisk •  May not be so bad. Depends on factors and costs. •  A soccer coach knows there is about 50/50 chance of winning the match, even managing the stronger team. •  Risk is inherent to business.
  • 42. Implement patch §  Threat exposure §  Determinate the real meaning of the threat or vulnerability and which systems are vulnerable or exposed, focusing on critical systems §  Determinate the risk of applying the patch and if the patch affects the functionality of other applications and services (should also be addressed in Changes Management)
  • 43. Implement patch §  Recent backup §  Before making any changes, it is better to make sure there is a recent backup copy. This way, it is easier to restore the environment §  Many assets §  Patch implementation gets very hard when there are thousands of assets. Automated solutions (EPM – Enterprise Patch Management) may be the answer.
  • 44. Implement patch §  Delay of patch implementation must be carefully considered §  Threat level §  Internet accessible assets, many systems to be patched §  Exploitation risk §  If the vulnerability may be easily exploited, the patch (or virtual patch) should be immediately installed §  Exploitation consequences §  Critical systems or systems containing sensitive information should be patched as soon as possible
  • 45. Implement patch §  Possible problems §  The instalation agent may reduce performance or make the systems uninstable §  Patches may be incompatible with other softwares §  User may lose informatgion when the agents reboots the system to install the patch §  EPM agent may be itself another security threat §  Mobile users may have problem when EPM tries to install a large amount of patches as the user logs on
  • 46. Implement patch §  Determinate root cause §  Many vulnerabilities are the result of poorly formed system configuration or user administration policies, and inadequate provisioning or change management processes. §  Eliminating root causes requires improvements in the policies and processes that are used to provision, configure and change systems, and administer users.
  • 47. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 48. Verify implementation §  Verify that files and settings were changed as specified by the vendor §  Run a vulnerability scanner §  Make sure patches were installed by log review §  Make use of penetration testing services to make sure that the vulnerability was patched
  • 49. Patch and Vulnerability Management Monitor vulnerabilities Establish priorities Manage knowledge Test patch Implement patch Verify implementation Improve the process
  • 50. Improve the process §  Training §  Automated patch management solutions §  Enterprise patch management §  Learned lessons §  Implementation flaws §  Slow bandwidth and processing power §  User permissions §  Best date and time
  • 51. Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
  • 52. §  Every organization should consistently measure the effectiveness of its patch and vulnerability management program and apply corrective actions as necessary. §  Without such a capability, even the best-designed security architectures can be susceptible to penetration or other forms of exploit. Establishing metrics Metric Name (Example) Units Vulnerability ratio Vulnerabilities/Host Unapplied patches ratio Patches/Host Network services ratio Services/Host Response time for vulnerability and patch identification Time Patch response time (critical) Time
  • 53. Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
  • 54. §  Acting before the infection §  For any single vulnerability for which a widespread worm will be created, manual monitoring and patching is much more cost-effective than responding to a worm infection §  Enterprise Patch Management (EPM) §  Given that patches are constantly released, manual patching becomes prohibitively expensive unless the operating environment consists of only a few software packages (thus decreasing the total number of patches needed) Planning ahead
  • 55. §  Enterprise patch management §  All moderate to large-size organizations should be using EPM §  Even small organizations should be migrating to some form of automated patching tool §  Manual patching is becoming ineffective as the number of patches grows and as attackers develop exploit code more rapidly §  Only uniquely configured computers and appliance- based devices should continue to be patched manually Planning ahead
  • 56. Planning ahead §  Types of EPM §  There are two primary categories of enterprise patch management tools §  those that use agents §  those that do not §  Some products support both approaches and allow the administrator to choose the approach that is most efficient for the environment
  • 57. §  New acquisitions §  Consider less complicated products. More code, features, and services can mean more bugs, vulnerabilities, and patches §  Delay implementing recently released major operating systems or applications until the experiences of others can be included in the decision-making process §  Consider software validated by independent testing. For the greatest assurance, the software’s source code should be evaluated §  Use only versions of software that are currently supported. Obsolete software beyond its lifecycle often has flaws that are only addressed in the newer, supported versions Planning ahead
  • 58. §  Standardization §  The standard configuration will likely include the following items §  Hardware type and model §  Operating system version and patch level §  Major installed applications (version and patch level) §  Security settings for the operating system and applications. §  In many cases, these standardized configurations can be maintained centrally, and changes can be propagated to all participating IT resources. Planning ahead
  • 59. §  Post incident patching §  Patching after a security compromise is significantly more complicated than merely applying the appropriate patch §  The vulnerability that was exploited must be patched §  It will not eliminate rootkits, backdoors, or most other changes that might have been introduced by the intruder §  For example, the Code Red II worm placed backdoors on compromised systems, and later the Nimda worm exploited those backdoors §  A compromised system should be reformatted and reinstalled or restored from a known safe and trusted backup Planning ahead
  • 60. Agenda §  Why does it matter? §  Relationship §  with Risk Management §  with Penetration Test §  Implementing Patch and Vulnerability Management §  Establishing metrics §  Planning ahead §  Conclusion
  • 61. Conclusion §  There must be a Vulnerability Management process §  Little analysis and lots of patching §  Network administration must be kept informed of disclosed vulnerabilities §  The environment should be standardized and well-documented §  All changes must go through Changes Management §  Every change must be tested at the testing environment §  An automated process of patch installation may have the best cost/benefit
  • 62. References §  NIST §  SP 800-40 §  Creating a Patch and Vulnerability Management Program §  SP 800-115 §  Technical Guide to Information Security Testing and Assessment §  CVE §  http://measurablesecurity.mitre.org/directory/areas/ vulnerabilitymanagement.html §  ISO/IEC 29147:2014 §  gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. §  ISO/IEC 30111:2013 §  gives guidelines for how to process and resolve potential vulnerability information in a product or online service.