What's Wrong with Vulnerability Management & How Can We Fix It
•Download as PPTX, PDF•
2 likes•1,189 views
The document discusses challenges with traditional vulnerability management programs and provides recommendations for improvement. It summarizes findings from a survey of vulnerability management professionals that found dissatisfaction with current scanning, analysis, and remediation capabilities. The document recommends that organizations focus on maturity of their vulnerability management process, strive for continuous assessment, use network and security context to prioritize risks, and speed up remediation times.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to What's Wrong with Vulnerability Management & How Can We Fix It
Similar to What's Wrong with Vulnerability Management & How Can We Fix It (20)
More from Skybox Security
More from Skybox Security (16)
Recently uploaded
Recently uploaded (20)
What's Wrong with Vulnerability Management & How Can We Fix It
- 1. What’s Wrong with Vulnerability Management, and How Do We Fix It? Michelle Johnson Cobb VP Marketing, Skybox Security July 23, 2015 info@skyboxsecurity.com www.skyboxsecurity.com
- 2. © 2015 Skybox Security Inc. 2 Today’s Agenda Skybox Security and our Vulnerability Research 2015 Enterprise Vulnerability Trends Report Analysis and Recommendations Product Demo – Skybox Vulnerability Control
- 3. © 2015 Skybox Security Inc. 3 Skybox Security Overview Powerful security management platform – Vulnerability and threat management – Firewall management – Network visibility and compliance Popular Use Cases – Discover risks that can lead to attack – Analyze and prioritize vulnerabilities – Suggest remediation actions – patch, block, reconfigure Risk Analytics for Cyber Security
- 4. © 2015 Skybox Security Inc. 4 Skybox Vulnerability Research Team Skybox Vulnerability Database Research team aggregates 20+ vulnerability and threat feeds Over 43,000 vulnerabilities on 1,400 products Including products, vulnerabilities, IPS signatures, patches, malware patterns (worms) Proprietary intelligence added by analysts – Exploitation pre-conditions – Likelihood of attack – Conflict resolution – Vulnerabilities with no CVE – Remediation solutions – Cross-references Advisories Adobe Cisco PSIRT Microsoft Security Bulletin Oracle Scanners eEye Retina IBM Scanner IMcAfee Foundstone Qualys Guard Rapid7 Nexspose Tenable Nessus Tripwire nCircle IPS Fortinet FortiGate HP TippingPoint IBM Proventia McAfee IPS Palo Alto Networks Cisco Sourcefire Other CERT Mitre CVE NIST’s NVD Rapid7 Metasploit Secunia Symantec Security Focus Symantec Worms
- 5. © 2015 Skybox Security Inc. 5 5 Financial Services Technology Healthcare Government & Defense Consumer Service Providers Energy & Utilities Global 2000 Organizations Worldwide Choose Skybox Security
- 6. © 2015 Skybox Security Inc. 6 Face it, You Have (Lots of) Vulnerabilities Most Vulnerable Vendors 2014 Source: Skybox Vulnerabilitycenter.com, enterprise vulnerability database 5027 Vulnerabilities (2014 Skybox enterprise vulnerability database) Enterprise-scale network, 10K to 100K+ vulnerabilities at any time
- 7. © 2015 Skybox Security Inc. 7 How’s Your Vulnerability Management Program? Well-coordinated process? Constant whack-a-mole?OR
- 8. © 2015 Skybox Security Inc. 8 2015 Enterprise Vulnerability Trends Report 2015 analysis based on survey conducted Dec 2014 CIO/CISO, Security & Network Managers, Risk & Compliance Managers Goals: – VM tools used today – Most common challenges – Changes desired
- 9. © 2015 Skybox Security Inc. 9 Survey Demographics 974 respondents, 59 countries 66% large enterprise 17% mid-size, 17% SMB Top 4 verticals: Financial Services 14%, ISP/Telecom 9%, Technology 7%, Gov/Defense 7%
- 10. © 2015 Skybox Security Inc. 10 Vulnerability Management Program Goals In line with SANS critical controls guidelines for vulnerability identification, prioritization, remediation Strong support for using vulnerability data for threat response Surprise: PCI compliance down the list 52%
- 11. © 2015 Skybox Security Inc. 11 On the Road to Mature VM Policies
- 12. © 2015 Skybox Security Inc. 12 Finding Vulnerabilities: Multiple Scanners to Cover the Bases
- 13. © 2015 Skybox Security Inc. 13 How often do you scan? Today vs. Ideal 0 5 10 15 20 25 30 35 40 45 50 Never Quarterly or less often Monthly Weekly Multiple per week Vulnerability Assessment Frequency Current vs. Ideal Current Frequency Ideal Frequency
- 14. © 2015 Skybox Security Inc. 14 Previous survey (2012) asked: Why don’t you scan as often as you’d like? Source: 2012 Skybox Security Vulnerability Management Survey
- 15. © 2015 Skybox Security Inc. 15 How’s that Working for You? Vulnerability assessment satisfaction: It’s a coin toss CISO’s: more ownership of VM process; less likely to be satisfied with it
- 16. © 2015 Skybox Security Inc. 16 Less Satisfied with Analysis & Prioritization, and Remediation Many respondents use 3rd party tools for analysis and prioritization – Splunk – Excel – Skybox Security – SIEMs – Internally developed tools
- 17. © 2015 Skybox Security Inc. 17 Formal Policies Linked to Higher Satisfaction with VM Scanning
- 18. © 2015 Skybox Security Inc. 18 Top 10 Desired Improvements for VM 1 Update vulnerability data quickly following a new vulnerability or threat announcement 2 Include network and security context to prioritize risk more accurately 3 Reduce false positives 4 Get vulnerability data for network devices like firewalls 5 Remediate - Verify closure of vulnerabilities (track remediation) 6 Get accurate data without the need for authenticated scan 7-10 All operational improvements – reduce time to prioritize, reduce disruption, reduce time to scan, automate remediation
- 19. © 2015 Skybox Security Inc. 19 Recommendations
- 20. © 2015 Skybox Security Inc. 20 #1: Focus on VM Process Maturity No policy? Create one. Have a policy? Make it better. Track key metrics Integrate with security controls Automate the process as much as possible
- 21. © 2015 Skybox Security Inc. 21 #2 Strive for Continuous Assessment 0 50 100 150 200 250 300 350 10% 20% 30% 40% 50% 60% 70% 80% 90% Frequency and Coverage Frequencyx/year % of Network Scanned Where you need to be Daily process 90%+ hosts Partner/External networks Avg. scan: every 60-90 days <50% of hosts Critical systems, DMZ Avg. scan: every 30 days 50-75% of hosts Source: Skybox 2012 VM Survey
- 22. © 2015 Skybox Security Inc. 22 Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks Vulnerabilities Location Criticality Threats Hackers Insiders Worms #3 - Use Context to Triage Risks
- 23. © 2015 Skybox Security Inc. 23 Source: 2015 Verizon DBIR 50% of CVE’s have known exploits 1 month after publish #4 – Go Faster. Speed up Remediation.
- 24. Contact our Sales Team for a Demo! http://lp.skyboxsecurity.com/ContactMe.html Skybox Vulnerability Control
- 25. © 2015 Skybox Security Inc. 25 Resources 2015 Enterprise Vulnerability Management Trends Report – www.skyboxsecurity.com/resources/survey-reveals-general- dissatisfaction-current-vulnerability-management- programs#.VbKEkPlViko Vulnerability Center – www.vulnerabilitycenter.com
Editor's Notes
- Hello Welcome Michelle Johnson Cobb
- In the next 20 minutes, I’ll cover Skybox Survey data on VM trends Our analysis and some takeaways for your job Then Cliff Chase, Sales Engineer, will take you through a demo of our Vuln Control product
- Skybox Security is a company that believes the answer to challenging security problems can be extracted from your network and security data We do the same thing that security expert on your team does – analyze a lot of complex information to figure out what to do But we integrate data from 80+ systems, we apply advanced analytics, and we automate it to analyze your entire infrastructure for risks We apply that analytics-based approach to solve some of the most challenging problems for large enterprised Go over points on the slide Focus on the attack surface Continuous visibility of attack surface is critical Combine network and endpoint data Use analytics to examine attack vectors Integrate into the security process Drive automation at every step Stay ahead of the attacks
- Supporting our solutions is our vuln team Largest enterprise-focused database for vulns Scope and scale Cover points on slide CVE compliant, CVSS v2 standard Updated daily
- And of course, we are pleased that the most security-conscious customers all over the world choose Skybox to give them the comprehensive view and information They need to keep environments secure
- Let’s turn to the vulnerabilities question. Orgs have a lot of vulns Numbers each year, Applied to the systems on the right Total numbers in their network Unmanageable, right?
- SANS critical control 4 and other security best practices and compliance requirements say You’ve gotta have a process in place to deal with these But does your VM program work like a well-oiled machine? Or constant whack a mole, dealing with a stream of new vulns, new scan info, without seeming to get ahead
- We decided to ask Points on the slide
- Who answered the survey? Cover the points Nearly 1000, which was great, because for nearly all questions we had statistically relevant samples regardless of how we filtered the data Heavily large enterprises, but enough of a mix Fin Svc leads the way, but good representation from all verticals
- Asked about their goals Not surpisingly, identifying risk level and prioritizing at top of the list Means everyone is following best practice recommendations Quite a bit of support for using VM with threat intel and IR processes Compliance – may still be a concern, but not a driving force
- Policy… we see in our customer base significant differences in how companies approach VM More mature – well defined, documented, responsibilities clear, audited regularly Less – more adhoc, occasional scanning Differs between size of company, but distinction was pretty high, most companies under 5000 fell into the same general breakdown, about half with formal policies, rest with informal and a minority with no policy defined. We’ll come back to some insights about the impact of policy maturity after we look at a couple additional questions
- Use of scanners Very interesting Let’s talk about the right side first Just over 1/3 use one scanner, but that leaves nearly 2/3 using several What do they use – on the left side In use column – you can see who leads But we also asked what they use as primary – very interesting Why? We took to interviews to get more detail Coverage – types of hosts, types of vulns Legacy scanners in place over time, or inherited via merger/acq Sense that multiple scanners help reduce false positives
- Narrative: One clear takeaway is that everyone wants to increase their scan frequency, regardless of how much they scan today. Organizations that scan on quarterly intervals want to move to monthly, organizations that scan for vulnerabilities monthly want to step up to weekly intervals. The split by size of company was telling, with SMB and mid-size companies tending to scan on a quarterly basis, large ent monthly. Few on a weekly or better schedule as recommended by SANS This puts the pressure on vulnerability solution providers to ensure that solutions can scale to accommodate the demand for faster cycles of data collection, analysis, and remediation.
- For answers why, we didn’t ask it in this survey because we had in a previous one So these answers go back a couple of years, but all indications from interviews are that they are still relevant
- Points on slide Interesting note – the more responsibility for the process, the less likely they are satisfied So don’t get complacent – even if you are thinking the process works well, your boss may think otherwise. Btw – I didn’t cover it here, but 875 of CISO’s surveyed said they had direct responsibility for VM, highest Vm responsibility of any job title. So they care, they are committed, and about And don’t pay too much attention to the opinios for those outside the security function, because their impression is that the VM process is ok. But they aren’t involved in it directly everyday.
- Left side charts – satisfaction with the second half of the process is a bit lower. Matches our observations in speaking with customers. It’s relatively easy to amass a pile of vulnerability info, harder to figure out how to prioritize it and act on the information. Narrative for right side points - Additional tools are necessary to make sense of scanner data We also asked about other tools that security professionals use to analyze vulnerability data. It’s common practice to use data analysis tools to correlate multiple sources of data, allow querying of results, or feed vulnerability data into other systems like SIEM or GRC solutions. Splunk was the most frequently noted data analysis tool, followed by Excel and then a host of other analysis solutions including Skybox, Arcsight, homegrown solutions, and good old ‘brainpower’.
- Now back to that combo I told you about. When you have all this data in excel, you get to do pivot chart magic. So we looked at the combination of policy with levels of satisfaction. And we can see that the time spent to formalize everything pays off. So if you need to explain to your boss why your team needs to spend months to plan, document, establish metrics, and set up internal and external auditing plan, here is your answer. Formal policies are directly related to your future happiness. Or satisfaction level – same difference. Policy means processes to follow, fewer surprises, less fire-fighting, fewer headaches. What was interesting though, is that regardless of policy level, one again CISO’s stood out. They are less satisfied than other security or IT staff at every level of policy. So once again, just because you think things are going well does not mean that your CISCO wouldn’t like to see changes. Most likely they are interested in imrpovements
- Regardless of their level of satisfaction with current vulnerability management program, all respondents were asked about their interest in potential improvements. A list of 16 potential improvements to vulnerability assessment (scanning), analysis and prioritization, and remediation activities were provided, and respondents ranked their interest level from ‘No interest’ to ‘High interest’. The top 10 improvements as ranked by number of ‘High Interest’ responses are: (see chart) It is not surprising that the three highest ranking potential improvements : #1 Update vulnerability data quickly following a new vulnerability or threat announcement #2 Include network and security context to prioritize risk more accurately #3 Reduce false positives all have to do with having accurate information with which to respond quickly to new threats. New vulnerabilities and threat alerts occur daily, but it can take weeks for an organization to run through a vulnerability scan/prioritize/remediate cycle to fix known vulnerability risks. For example, when the Heartbleed vulnerability was disclosed (link to vulnerability center entry for this vuln), many organizations experienced weeks of delay in being able to generate an accurate list of vulnerable systems. Moreover, each vulnerability assessment cycle can generate tens or hundreds of thousands of vulnerabilities in a large network, which can take extended periods to review and develop remediation plans. <Gartner or other report> recommends using context about network topology or existing security controls to help IT security teams prioritize those vulnerabilities that can impact critical assets over those where an existing security control offers protection. These two potential improvements would allow organizations to access and analyze vulnerability data faster, which could shorten response times to new vulnerability announcements, and lower risk of attack. Reducing false positives (#3) is a related concern, indicating that respondents may feel that they are spending valuable time on false positives instead of risks which can truly impact their network. Improvement #4, Get vulnerability data for network devices like firewalls, indicates an interest in extending vulnerability data to systems that are not covered by traditional active scanners today. The next six improvements are largely about operational improvements to vulnerability management processes – tracking closure of vulnerabilities, automating process steps, removing task roadblocks like system authentication requirements and potential service disruptions. How do you achieve these improvements? Let’s discuss recommendations
- Prevent more, detect faster, resolve sooner Policy counts to achieve this goal Points on the slide
- Coverage and continuous assessment counts From out 2012 survey – most companies the first two orange dots, but you need to be here Scanners alone probably not going to get you there – you need to look at the process holistically. Discovery, analysis, remediation, automation…
- Context is critical, allows you to know what systems to focus on, figure out which vulnerabilities are important, and get accurate recommendations for what to do about it How do you do that if you don’t understand the infrastructure When you think of context, think of all these things. Any missing elements are blind spots, and blind spots mean unrecognized vulnerabilities and unknown attack paths
- Speed counts. Chart from Verizon data breach investigation report Fast ramp, after CVE’s are announced, takes attackers about 2 weeks to compromise 25%, by week 4 they’ve compromised about half of them. So if you are scanning monthly, you can assume an exploit exists for 50 % of your vulnerabilities. You need to reduce that scanning and analysis time.
- Now let’s switch to Cliff Chase to talk about the Skybox solution and how working with Skybox can help address your VM needs.