SlideShare a Scribd company logo

Vuln.ppt

•Download as PPT, PDF•
•
K
karthikvcyber

VUL

Education
1 of 42
» Vulnerability Management for the Real World » Successful Approaches » What is Vulnerability Management? » Challenges to Effective VM » The Problem Contents: George Kurtz Chief Executive Officer Foundstone
» The Problem
3 Question » What won’t you see in this presentation? Answer: Another CSI /FBI slide! We all know the problem, what about a solution!
4 VA Is Dead….. They Just Haven’t Buried The Body! Proclamation
5 Organizations are Feeling the Pain 1. What causes the damage? 95% of breaches target known vulnerabilities 2. How do you prevent the damage? What are your options? RISK= Assets x Vulnerabilities x Threats You can control vulnerabilities. 3. How do you successfully deal with vulnerabilities? Vulnerabilities Business complexity Human resources Financial resources 4. How do you make the best security decisions? Focus on the right assets, right threats, right measures.
» What is Vulnerability Management?
7 What Is Vulnerability Management A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.
8 What Is Vulnerability Management » At a high level, the ”intelligent confluence” of… Assessment What assets? Analysis What to fix first? Remediation Fix the problem + + • Component of Risk Management • Balance the demands of business goals and processes
» Challenges to Effective VM
10 Challenges – Assessment » Traditional desktop scanners cannot handle large networks » Provide volumes of useless checks » Chopping up scans and distributing them is cumbersome » Garbage In- Garbage Out (GIGO)– volumes of superfluous data » Coverage at all OSI layers is inadequate » Time consuming and resource intensive » Finding the problem is only half the battle
11 Challenges – Analysis » Manual and resource intensive process to determine – What to fix – If you should fix – When to fix » No correlation between vulnerabilities, threats and assets » No way to prioritize what vulnerabilities should be addressed – What order » Stale data – Making decisions on last quarter’s vulnerabilities » No credible metrics
12 Challenges – Remediation » Security resources are often decentralized » The security organization often doesn’t own the network or system » Multiple groups may own the asset » Presenting useful and meaningful information to relevant stakeholders » Determining if the fix was actually made
13 Challenges – Time Asset Criticality Vulnerability discovered Exploit public Automated exploit Discovery Remediation Cost to ignore vulnerability is greater than the cost to repair Threat Level Risk Threshold
14 Challenges – Time Vulnerability discovered Cost to ignore vulnerability is greater than the cost to repair Exploit public Automated exploit Discovery Remediation Goal = compress time from discovery to remediation Cost to ignore vulnerability is greater than the cost to repair Threat Level Asset Criticality Risk Threshold
15 Challenges – Time Vulnerability discovered Cost to ignore vulnerability is greater than the cost to repair Exploit public Automated exploit Goal = compress time from discovery to remediation x 15 new vulnerabilities per day across many assets Discovery Remediation Threat Level Asset Criticality Risk Threshold
» Vulnerability Management Lifecycle
17 Vulnerability Management Lifecycle
» Successful Approaches: Implementing An Effective VM Strategy
19 Successful Approaches » Focus on four key areas: – Prioritize Assets – Determine Risk Level (assets, threats, vulnerabilities) – Remediate Vulnerabilities – Measure
20 Asset: Any function, task, capability, equipment or information that has value to the organization or supports the ability of the organization to conduct business
21 Threat: Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function
22 Vulnerability: Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process
23 Prioritize Assets
24 Asset Prioritization » Identify assets by: – Networks • Logical groupings of devices • Connectivity - None, LAN, broadband, wireless – Network Devices • Wireless access points, routers, switches – Operating System • Windows, Unix – Applications • IIS, Apache, SQL Server – Versions • IIS 5.0, Apache 1.3.12, SQL Server V.7
25 Asset Prioritization » Network-based discovery – Known and “unknown” devices – Determine network-based applications – Excellent scalability » Agent-based discovery – In-depth review of the applications and patch levels – Deployment disadvantages » Network- and agent-based discovery techniques are optimal – Agents - Cover what you already know in great detail – Network - Identify rogue or new devices » Frequency – Continuous, daily, weekly – Depends on the asset
26 Correlate Threats
27 Correlate Threats » Not all threat and vulnerability data have equal priority » Primary goal is to rapidly protect your most critical assets » Identify threats – Worms – Exploits – Wide-scale attacks – New vulnerabilities » Correlate with your most critical assets » Result = Prioritization of vulnerabilities within your environment
28 Determine Risk Level
29 Risk Calculation » The Union of: – Vulnerabilities – Assets – Threats » Based upon the criticality of VAT » Focus your resources on the true risk
30 Remediation
31 Remediation / Resolution » Perfection is unrealistic (zero vulnerabilities) – Think credit card fraud – will the banks ever eliminate credit card fraud? » You have limited resources to address issues » The question becomes: – Do I address or not? » Factor in the business impact costs + remediation costs – If the risk outweighs the cost – eliminate or mitigate the vulnerability!
32 Remediation / Resolution » Apply the Pareto Principle – the 80/20 rule – Focus on the vital few not the trivial many – 80% of your risk can be eliminated by addressing 20% of the issues – The Risk Union will show you the way • Right assets • Relevant threats • Critical vulnerabilities
33 Remediation / Resolution » Patch or Mitigate – Impact on availability from a bad patch vs. the risk of not patching – Patch or mitigate – Recommendations: –QA security patches 24 hours –Determine if there are wide spread problems –Implement defense-in-depth
34 Measure
35 Measure » Current state of security metrics – You can’t manage what you can’t measure – No focus on quantifying “Security” • What is my real risk? – Only a relative scale of risk, not an absolute – Return on Security Investment (ROSI) is extremely difficult to calculate – No accountability in security
36 Measure » Future Look: – Accountability – A universal standard to quantify risk – Common nomenclature – Dashboard view of risk and vulnerabilities across disparate organizations – Technologies that will help answer the questions: • Am I secure? • Who is accountable and by when? • Am I getting better or worse? • How am I trending over time? • How do I compare to my peers? • How do I compare outside my industry?
37 Summary » All assets are not created equally » You cannot respond to or even protect against all threats » An effective vulnerability management program focuses on Risk – Vulnerabilities – Assets – Threats » The hardest step in a 1000 mile journey is the first – start somewhere » Strategically manage vulnerabilities using a comprehensive process
38 10 Steps to Effective Vulnerability Management 1. Identify all the assets in your purview 2. Create an Asset Criticality Profile (ACP) 3. Determine exposures and vulnerabilities 4. Track relevant threats – realized and unrealized 5. Determine Risk - union of vulnerabilities x assets x threats 6. Take corrective action if risk > cost to eliminate or mitigate 7. Create meaningful metrics and hold people accountable 8. Identify and address compliance gaps 9. Implement an automated vulnerability management system 10. Convince someone with a budget that vulnerability management is important
39 Don’t Spend Another Dime On Security Until You Understand How To…. Protect The Right Assets From The Right Threats With The Right Measures
» Contact Information George Kurtz 949-297-5600 george.kurtz@foundstone.com www.foundstone.com
41 Questions? Submit your questions to George by clicking on the Ask a Question link on the lower left corner of the screen. George’s answers will be sent to you by e-mail.
42 Thank you Thank you for participating in this SearchSecurity.com on-demand webcast. If you have suggestions for future webcasts, e-mail the editor at webcast@searchSecurity.com For other SearchSecurity.com webcasts, visit http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14 _tax292632,00.html

Recommended

10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationMLG College of Learning, Inc
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3 Kabul Education University
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?John D. Johnson
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetMarcoTechnologies
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Chinatu Uzuegbu
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 

Recommended

10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Risk Based Security Management
Risk Based Security ManagementRisk Based Security Management
Risk Based Security ManagementLuis Martins
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationMLG College of Learning, Inc
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3 Kabul Education University
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?John D. Johnson
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetMarcoTechnologies
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Chinatu Uzuegbu
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk managementDr. Lasantha Ranwala
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Ir s 1_2_1_kovacs
Ir s 1_2_1_kovacsIr s 1_2_1_kovacs
Ir s 1_2_1_kovacsStefan Kovacs
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk ManagmentMLG College of Learning, Inc
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016EnterpriseGRC Solutions, Inc.
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...SurfWatch Labs
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksMatthew Rosenquist
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managersamiable_indian
 
Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...karthikvcyber
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Managementkarthikvcyber
 

More Related Content

Similar to Vuln.ppt

Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk managementDr. Lasantha Ranwala
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdfdotco
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Ir s 1_2_1_kovacs
Ir s 1_2_1_kovacsIr s 1_2_1_kovacs
Ir s 1_2_1_kovacsStefan Kovacs
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016EnterpriseGRC Solutions, Inc.
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...SurfWatch Labs
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksMatthew Rosenquist
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managersamiable_indian
 

Similar to Vuln.ppt (20)

Health information security session 4 risk management
Health information security session 4 risk managementHealth information security session 4 risk management
Health information security session 4 risk management
 
CISSP 8 Domains.pdf
CISSP 8 Domains.pdfCISSP 8 Domains.pdf
CISSP 8 Domains.pdf
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Ir s 1_2_1_kovacs
Ir s 1_2_1_kovacsIr s 1_2_1_kovacs
Ir s 1_2_1_kovacs
 
Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the Vulnerabilities
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
 
Strategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity RisksStrategic Leadership for Managing Evolving Cybersecurity Risks
Strategic Leadership for Managing Evolving Cybersecurity Risks
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
 
Forging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security ManagersForging Partnerships Between Auditors and Security Managers
Forging Partnerships Between Auditors and Security Managers
 

More from karthikvcyber

Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...karthikvcyber
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Managementkarthikvcyber
 
cybersecuritycybersecuritycybersecuritycybersecurity
cybersecuritycybersecuritycybersecuritycybersecuritycybersecuritycybersecuritycybersecuritycybersecurity
cybersecuritycybersecuritycybersecuritycybersecuritykarthikvcyber
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdfkarthikvcyber
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.pptkarthikvcyber
 
Authentication.pptx
Authentication.pptxAuthentication.pptx
Authentication.pptxkarthikvcyber
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxkarthikvcyber
 
cryptography-Final.pptx
cryptography-Final.pptxcryptography-Final.pptx
cryptography-Final.pptxkarthikvcyber
 
fileanddirectory-PID.pptx
fileanddirectory-PID.pptxfileanddirectory-PID.pptx
fileanddirectory-PID.pptxkarthikvcyber
 
IP_Subnet training.pptx
IP_Subnet training.pptxIP_Subnet training.pptx
IP_Subnet training.pptxkarthikvcyber
 
Authorisation.pptx
Authorisation.pptxAuthorisation.pptx
Authorisation.pptxkarthikvcyber
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptxkarthikvcyber
 
OSI TCP-IP.pptx
OSI TCP-IP.pptxOSI TCP-IP.pptx
OSI TCP-IP.pptxkarthikvcyber
 

More from karthikvcyber (20)

Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...Security Incident machnism Security Incident machnismSecurity Incident machni...
Security Incident machnism Security Incident machnismSecurity Incident machni...
 
Security Information Event Management Security Information Event Management
Security Information Event Management Security Information Event ManagementSecurity Information Event Management Security Information Event Management
Security Information Event Management Security Information Event Management
 
cybersecuritycybersecuritycybersecuritycybersecurity
cybersecuritycybersecuritycybersecuritycybersecuritycybersecuritycybersecuritycybersecuritycybersecurity
cybersecuritycybersecuritycybersecuritycybersecurity
 
Standards & Framework.pdf
Standards & Framework.pdfStandards & Framework.pdf
Standards & Framework.pdf
 
Standards & Framework.ppt
Standards & Framework.pptStandards & Framework.ppt
Standards & Framework.ppt
 
OSINT.pptx
OSINT.pptxOSINT.pptx
OSINT.pptx
 
Encrypto.pptx
Encrypto.pptxEncrypto.pptx
Encrypto.pptx
 
PID-PPID.pptx
PID-PPID.pptxPID-PPID.pptx
PID-PPID.pptx
 
Authentication.pptx
Authentication.pptxAuthentication.pptx
Authentication.pptx
 
SIEM.pptx
SIEM.pptxSIEM.pptx
SIEM.pptx
 
VAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptxVAPT_FINAL SLIDES.pptx
VAPT_FINAL SLIDES.pptx
 
cryptography-Final.pptx
cryptography-Final.pptxcryptography-Final.pptx
cryptography-Final.pptx
 
fileanddirectory-PID.pptx
fileanddirectory-PID.pptxfileanddirectory-PID.pptx
fileanddirectory-PID.pptx
 
CS_Tuto.ppt
CS_Tuto.pptCS_Tuto.ppt
CS_Tuto.ppt
 
IP_Subnet training.pptx
IP_Subnet training.pptxIP_Subnet training.pptx
IP_Subnet training.pptx
 
Authorisation.pptx
Authorisation.pptxAuthorisation.pptx
Authorisation.pptx
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
 
CCNP.ppt
CCNP.pptCCNP.ppt
CCNP.ppt
 
subnet.pptx
subnet.pptxsubnet.pptx
subnet.pptx
 
OSI TCP-IP.pptx
OSI TCP-IP.pptxOSI TCP-IP.pptx
OSI TCP-IP.pptx
 

Recently uploaded

POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 

Recently uploaded (20)

POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 

Vuln.ppt

  • 1. » Vulnerability Management for the Real World » Successful Approaches » What is Vulnerability Management? » Challenges to Effective VM » The Problem Contents: George Kurtz Chief Executive Officer Foundstone
  • 3. 3 Question » What won’t you see in this presentation? Answer: Another CSI /FBI slide! We all know the problem, what about a solution!
  • 4. 4 VA Is Dead….. They Just Haven’t Buried The Body! Proclamation
  • 5. 5 Organizations are Feeling the Pain 1. What causes the damage? 95% of breaches target known vulnerabilities 2. How do you prevent the damage? What are your options? RISK= Assets x Vulnerabilities x Threats You can control vulnerabilities. 3. How do you successfully deal with vulnerabilities? Vulnerabilities Business complexity Human resources Financial resources 4. How do you make the best security decisions? Focus on the right assets, right threats, right measures.
  • 6. » What is Vulnerability Management?
  • 7. 7 What Is Vulnerability Management A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.
  • 8. 8 What Is Vulnerability Management » At a high level, the ”intelligent confluence” of… Assessment What assets? Analysis What to fix first? Remediation Fix the problem + + • Component of Risk Management • Balance the demands of business goals and processes
  • 9. » Challenges to Effective VM
  • 10. 10 Challenges – Assessment » Traditional desktop scanners cannot handle large networks » Provide volumes of useless checks » Chopping up scans and distributing them is cumbersome » Garbage In- Garbage Out (GIGO)– volumes of superfluous data » Coverage at all OSI layers is inadequate » Time consuming and resource intensive » Finding the problem is only half the battle
  • 11. 11 Challenges – Analysis » Manual and resource intensive process to determine – What to fix – If you should fix – When to fix » No correlation between vulnerabilities, threats and assets » No way to prioritize what vulnerabilities should be addressed – What order » Stale data – Making decisions on last quarter’s vulnerabilities » No credible metrics
  • 12. 12 Challenges – Remediation » Security resources are often decentralized » The security organization often doesn’t own the network or system » Multiple groups may own the asset » Presenting useful and meaningful information to relevant stakeholders » Determining if the fix was actually made
  • 13. 13 Challenges – Time Asset Criticality Vulnerability discovered Exploit public Automated exploit Discovery Remediation Cost to ignore vulnerability is greater than the cost to repair Threat Level Risk Threshold
  • 14. 14 Challenges – Time Vulnerability discovered Cost to ignore vulnerability is greater than the cost to repair Exploit public Automated exploit Discovery Remediation Goal = compress time from discovery to remediation Cost to ignore vulnerability is greater than the cost to repair Threat Level Asset Criticality Risk Threshold
  • 15. 15 Challenges – Time Vulnerability discovered Cost to ignore vulnerability is greater than the cost to repair Exploit public Automated exploit Goal = compress time from discovery to remediation x 15 new vulnerabilities per day across many assets Discovery Remediation Threat Level Asset Criticality Risk Threshold
  • 18. » Successful Approaches: Implementing An Effective VM Strategy
  • 19. 19 Successful Approaches » Focus on four key areas: – Prioritize Assets – Determine Risk Level (assets, threats, vulnerabilities) – Remediate Vulnerabilities – Measure
  • 20. 20 Asset: Any function, task, capability, equipment or information that has value to the organization or supports the ability of the organization to conduct business
  • 21. 21 Threat: Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function
  • 22. 22 Vulnerability: Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process
  • 24. 24 Asset Prioritization » Identify assets by: – Networks • Logical groupings of devices • Connectivity - None, LAN, broadband, wireless – Network Devices • Wireless access points, routers, switches – Operating System • Windows, Unix – Applications • IIS, Apache, SQL Server – Versions • IIS 5.0, Apache 1.3.12, SQL Server V.7
  • 25. 25 Asset Prioritization » Network-based discovery – Known and “unknown” devices – Determine network-based applications – Excellent scalability » Agent-based discovery – In-depth review of the applications and patch levels – Deployment disadvantages » Network- and agent-based discovery techniques are optimal – Agents - Cover what you already know in great detail – Network - Identify rogue or new devices » Frequency – Continuous, daily, weekly – Depends on the asset
  • 27. 27 Correlate Threats » Not all threat and vulnerability data have equal priority » Primary goal is to rapidly protect your most critical assets » Identify threats – Worms – Exploits – Wide-scale attacks – New vulnerabilities » Correlate with your most critical assets » Result = Prioritization of vulnerabilities within your environment
  • 29. 29 Risk Calculation » The Union of: – Vulnerabilities – Assets – Threats » Based upon the criticality of VAT » Focus your resources on the true risk
  • 31. 31 Remediation / Resolution » Perfection is unrealistic (zero vulnerabilities) – Think credit card fraud – will the banks ever eliminate credit card fraud? » You have limited resources to address issues » The question becomes: – Do I address or not? » Factor in the business impact costs + remediation costs – If the risk outweighs the cost – eliminate or mitigate the vulnerability!
  • 32. 32 Remediation / Resolution » Apply the Pareto Principle – the 80/20 rule – Focus on the vital few not the trivial many – 80% of your risk can be eliminated by addressing 20% of the issues – The Risk Union will show you the way • Right assets • Relevant threats • Critical vulnerabilities
  • 33. 33 Remediation / Resolution » Patch or Mitigate – Impact on availability from a bad patch vs. the risk of not patching – Patch or mitigate – Recommendations: –QA security patches 24 hours –Determine if there are wide spread problems –Implement defense-in-depth
  • 35. 35 Measure » Current state of security metrics – You can’t manage what you can’t measure – No focus on quantifying “Security” • What is my real risk? – Only a relative scale of risk, not an absolute – Return on Security Investment (ROSI) is extremely difficult to calculate – No accountability in security
  • 36. 36 Measure » Future Look: – Accountability – A universal standard to quantify risk – Common nomenclature – Dashboard view of risk and vulnerabilities across disparate organizations – Technologies that will help answer the questions: • Am I secure? • Who is accountable and by when? • Am I getting better or worse? • How am I trending over time? • How do I compare to my peers? • How do I compare outside my industry?
  • 37. 37 Summary » All assets are not created equally » You cannot respond to or even protect against all threats » An effective vulnerability management program focuses on Risk – Vulnerabilities – Assets – Threats » The hardest step in a 1000 mile journey is the first – start somewhere » Strategically manage vulnerabilities using a comprehensive process
  • 38. 38 10 Steps to Effective Vulnerability Management 1. Identify all the assets in your purview 2. Create an Asset Criticality Profile (ACP) 3. Determine exposures and vulnerabilities 4. Track relevant threats – realized and unrealized 5. Determine Risk - union of vulnerabilities x assets x threats 6. Take corrective action if risk > cost to eliminate or mitigate 7. Create meaningful metrics and hold people accountable 8. Identify and address compliance gaps 9. Implement an automated vulnerability management system 10. Convince someone with a budget that vulnerability management is important
  • 39. 39 Don’t Spend Another Dime On Security Until You Understand How To…. Protect The Right Assets From The Right Threats With The Right Measures
  • 40. » Contact Information George Kurtz 949-297-5600 george.kurtz@foundstone.com www.foundstone.com
  • 41. 41 Questions? Submit your questions to George by clicking on the Ask a Question link on the lower left corner of the screen. George’s answers will be sent to you by e-mail.
  • 42. 42 Thank you Thank you for participating in this SearchSecurity.com on-demand webcast. If you have suggestions for future webcasts, e-mail the editor at webcast@searchSecurity.com For other SearchSecurity.com webcasts, visit http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14 _tax292632,00.html