
Planning and Deploying an Effective Vulnerability Management Program


This presentation covers the essential components of a successful Vulnerability Management program that allows you to proactively identify risk and protect your network and critical business assets.

Key take-aways:

* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management

Published in: Technology


  1. Fast Track: Planning & Deploying an Effective Vulnerability Management Program. By Jonathan Bitle, Technical Director, Qualys, Inc.
  2. Problems affecting implementation
     * There are 3 main categories of importance when planning an effective Vulnerability Management Program:
       * Technology
       * People
       * Process
  3. Technology: Solution Design
     * Design is the simple part of a production roll-out
  4. Technology: Appliances
     * Plan for the number of scanning appliances
     * The number of active hosts drives the number of appliances required
       * Frequency of scans alters requirements
     * Network topology can complicate the design
       * Firewalls / access control devices
       * Low speed bandwidth links
       * Geographic and political boundaries
  5. Technology: Gather Basic Information
     * IP addresses for each planned scanning appliance
     * Subnet mask for each planned network interface
     * Hostname for each appliance
     * DNS information
  6. Technology: Utilize The Technology
     * Take advantage of the automation capabilities of the technology to save time for more important tasks such as remediation.
     * Schedule scans
     * Develop alerts for severe risk issues
     * Automate report generation and distribution
  7. People
     * People are the cornerstone of an effective security policy and risk reduction.
  8. People: Know Your Target Audience
     * Make a list of key team members and know their needs. If possible, interview them to better understand how to streamline information.
     * CISO / CIO
       * Ultimate owner of risk in the environment
       * Signs off on regulatory compliance measures
       * Needs high-level metrics (pass/fail?) to ensure risk reduction
     * Executive Staff
       * Makes resource allocation decisions
       * Needs trend information to understand effectiveness of the security program
     * Directors / Managers
       * Oversee system owners and help prioritize work efforts
       * Need visibility into system owner performance
     * System Owners
       * Own the systems and are responsible for remediation efforts
       * Need detailed technical reports with prioritization
  9. People: Know Your System Owners
     * Remediation will require significant resource allocation and time.
     * It is important to properly identify system owners
       * Enables automated host ownership reports
       * By geographical region or business unit
       * Based on operating system
       * Based on applications
     * Streamline the information provided
       * Provide information to the owner; don’t rely on them to find it
       * Irrelevant information will create push-back
       * A list of 1000 issues will rarely get fixed
       * A list of 10 high risk issues will get done immediately
  10. People: Problems Will Occur
     * Expect that problems will occur and develop a strategy to deal with them.
     * Hosts or applications will have interoperability issues with the scans
       * Work with vendors to identify root cause
     * Team members may not meet performance goals
       * Look into prioritization issues
     * Vendors may not have patches to resolve discovered issues
       * Develop ways to mitigate risk (firewalls, port filtering, etc.)
     * Evangelize. Evangelize. Evangelize.
     * It is imperative that numerous groups in the organization understand the importance of your vulnerability management program.
       * System administrators must understand the importance of reducing risk, and how it ultimately affects system uptime
       * Executive buy-in is required for effective risk reduction
     * Provide product demos and training sessions
  11. People: Create a list of stated goals
     * Provide an accurate assessment of risk for each host and the relevant network segments
     * Facilitate a security assessment that leads to best practices with regard to remediation actions
     * Provide system administrators with the tools to optimize and validate remediation efforts
     * Provide a common language and metrics to discuss risk across the organization
     * Provide for prioritization of vulnerabilities and remediation efforts in the environment
     * Provide executive staff with risk metrics and measure adherence to corporate policies
     * Provide a feedback loop for current and future system policy
     * Provide constant monitoring and measurement of risk in the environment for adherence to regulatory compliance initiatives
     * Measure overall effectiveness of the security program
     * Provide automated workflow capabilities that reduce resource requirements
     * Protect the organization from successful exploitation of vulnerabilities
  12. People: Work Toward a Single Goal
     * The ultimate goal of our Vulnerability Management solution is to measure, manage and reduce risk in our environment.
     * Always work towards this main goal.
  13. Process: Define Your Security Policy
     * Recognize that your security policy should fit the needs and goals of YOUR organization, and as such there is no one-size-fits-all solution. However, there are commonalities and guidelines that will help you define an effective policy.
  14. Process: Heterogeneous Environment
     * Most environments are highly heterogeneous, creating numerous challenges.
     * Rarely a clear understanding of the types of hosts on each network segment
     * Multitude of host and application owners
     * Asset management systems are rarely kept up to date
  15. Process: Define “In / Out of Scope”
     * What are the total networks in use?
       * Is network information stored in an asset management system?
       * Utilize the automated discovery process of the tool
     * Which networks should be excluded?
       * Networks that should never be scanned, given the ramifications of an application interaction issue (i.e. process control systems like SCADA devices)
       * Networks that have serious bandwidth constraints (defer these to a different phase?)
       * Small subnets that do not contain hosts (i.e. router-to-router subnets; exclude all /29 and up?)
       * Systems that are known to have application interaction issues that cannot be resolved
       * Systems that are obstructed by access control devices
  16. Process: Classify Your Assets
     * We can get mired down in classification schemes; however, it is more important to have some form of classification, no matter how simple.
     * Start with a simple classification system and adjust as necessary:
     * Critical Assets
       * Mission / business critical
       * Related to regulatory compliance
         * PCI
         * Sarbanes Oxley
         * HIPAA
         * NERC / FERC
     * High
       * General server category
     * Medium
       * Workstations & laptops
     * Low
       * Printers, etc.
  17. Process: Prioritization
     * You can’t fix everything, so prioritization is key.
     * Critical (48 hours to resolve)
       * High & Critical vulnerability on Critical asset
     * High (one week to resolve)
       * Medium vulnerability on Critical asset
       * High vulnerability on High asset
     * Medium (one month to resolve)
       * Low vulnerability on Critical asset
       * Medium vulnerability on High asset
       * High vulnerability on Low asset
     * Low (6 months to resolve)
       * Medium vulnerability on Low asset
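The asset classes of slide 16 and the remediation matrix of slide 17, combined with slide 9's advice to hand each system owner a short list rather than a thousand issues, as an added worked example (not code from the presentation or from Qualys). It assumes findings arrive as dicts with host, owner, vulnerability severity and asset class; the sample findings, hostnames and owners are constructed. Combinations the slides never assign an SLA to are reported as unmapped rather than silently defaulted.

```python
from datetime import datetime, timedelta

# Slide 17's matrix: (vulnerability severity, asset class) -> (priority, hours to
# resolve; 48 hours, one week, one month, six months). Combinations the deck does
# not list (e.g. anything on a Medium asset) are left out so they surface as unmapped.
SLA_MATRIX = {
    ("Critical", "Critical"): ("Critical", 48),
    ("High", "Critical"): ("Critical", 48),
    ("Medium", "Critical"): ("High", 168),
    ("High", "High"): ("High", 168),
    ("Low", "Critical"): ("Medium", 720),
    ("Medium", "High"): ("Medium", 720),
    ("High", "Low"): ("Medium", 720),
    ("Medium", "Low"): ("Low", 4320),
}
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def classify(vuln_severity, asset_class):
    """Return (priority, hours_to_resolve), or None when the matrix has no entry."""
    return SLA_MATRIX.get((vuln_severity, asset_class))

def triage(findings, found_at, top_n=10):
    """One short, most-critical-first work list per system owner (slide 9).
    findings: dicts with host, owner, vuln_severity, asset_class.
    Returns (per_owner, unmapped); unmapped holds findings with no SLA entry."""
    per_owner, unmapped = {}, []
    for f in findings:
        sla = classify(f["vuln_severity"], f["asset_class"])
        if sla is None:
            unmapped.append(f)  # needs a policy decision, not a silent default
            continue
        priority, hours = sla
        item = {**f, "priority": priority, "due": found_at + timedelta(hours=hours)}
        per_owner.setdefault(f["owner"], []).append(item)
    for owner, items in per_owner.items():
        items.sort(key=lambda i: (PRIORITY_RANK[i["priority"]], i["due"]))
        per_owner[owner] = items[:top_n]  # ten issues get fixed; a thousand do not
    return per_owner, unmapped

# Constructed sample scan results; hostnames and owners are made up.
SAMPLE_FINDINGS = [
    {"host": "db01", "owner": "alice", "vuln_severity": "High", "asset_class": "Critical"},
    {"host": "web02", "owner": "alice", "vuln_severity": "Medium", "asset_class": "High"},
    {"host": "prn01", "owner": "bob", "vuln_severity": "Medium", "asset_class": "Low"},
    {"host": "lt07", "owner": "bob", "vuln_severity": "High", "asset_class": "Medium"},
]

def sample_triage():
    """Run triage over the constructed sample as of a fixed scan time."""
    return triage(SAMPLE_FINDINGS, datetime(2024, 1, 1))
```

The unmapped list (here the High vulnerability on a Medium-class laptop) is exactly where the policy from slide 13 has to be extended before the matrix is used in production.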
  18. Process: Oversight & Accountability
     * Some organizations will have a mandate, possibly driven by external regulatory measures. However, many organizations do not start off in this way.
     * Bonus tied to remediation
       * Most effective way to ensure compliance with security policy
     * Remediation managers
       * Provide oversight of the risk reduction process
     * “Wall of Shame”
       * Peer pressure can be effective!
  19. Process: Deployment Phases
     * Recommend phasing in scans to determine application interaction issues
     * A phased approach is not necessary for all networks, but is recommended for critical infrastructure
     * Perform initial testing of critical infrastructure in change windows
  20. Summary
     * Technology is the simple part of your Vulnerability Management solution
       * Utilize automation wherever possible
     * People are key to getting the job done; use them wisely and build a good working relationship.
       * Know the key players, their roles and responsibilities
       * Don’t overwhelm people with data
       * Get buy-in from multiple groups in your organization, especially the executive staff
     * Process is necessary to an effective solution; keep it simple to understand and follow
       * Classify your assets; always work on the most important assets first
       * Prioritize remediation; always work on the most critical issues first
       * Create and use Service Level Agreements
       * Monitor progress and make policy adjustments as necessary