Vulnerability Management Programs & The Lessons Learned

Slides:



Advertisements
Similar presentations
The 7 days at “x” Revised May The 7 “Days” at “X” A Real POC This is a real story with the name(s) changed to protect the innocent Each step.
Advertisements

OWASP Periodic Table of Vulnerabilities James Landis
1 1 Risk Management: How to Comply with Everything July 11, 2013.
Copyright © 2011 Integrated Technology Systems All rights reserved. IT Solutions More Reliable Networks Are Our Business Robert Sweet
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard.
Applied Software Project Management 1 Introduction Dr. Mengxia Zhu Computer Science Department Southern Illinois University Carbondale.
Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard 12/5/2010Greg Williams CS591.
Vulnerability Assessments
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014.
Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Vulnerability Management Dimension Data – Tom Gilis 24 November 2011.
Acquisitions: Your Latest Zero Day Presented by: Mitch Greenfield, CISA, CEH, Scott MacArthur, CISSP, CISA, CEH, LPT 1.
1©2012 Check Point Software Technologies Ltd. Squashing Politics with Policy.
ACME ACME Solutions Inc. You Focus on Your Business & We Focus on Your IT.
NovaTech You Focus on Your Business & We Focus on Your IT Managed Services.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
»Vulnerability Management for the Real World » Successful Approaches » What is Vulnerability Management? » Challenges to Effective VM » The Problem Contents:
Auditing Information Systems (AIS)
Copyright Security-Assessment.com 2004 Vulnerability Management Explained By Peter Benson.
K E M A, I N C. Ten Steps To Secure Control Systems APPA 2005 Conference Session: Securing SCADA Networks from Cyber Attacks Memphis, TN April 18, 2005.
Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
IT Security – Scanning / Vulnerability Assessment David Geick State of Connecticut IT Security.
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
Module 5 – Vulnerability Identification  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability Identification.
South Wales Cyber Security Cluster A networking group with a purpose Membership Open to anyone with an interest in Cyber Security.
Application Security in a cyber security program
Cloud Computing Use Case Draft v2.
IT Summit November 4th, 2009 Presented by: IT Internal Audit Team Leroy Amos Sue Ann Lipinski Suzanne Lopez Janice Shelton.
INNOVATE THROUGH MOTIVATION MSP Services Overview KEVIN KIRKPATRICK – OWNER, MSP INC LOGO.
Information Security tools for records managers Frank Rankin.
Changing IT Managing Networks in a New Reality Alex Bakman Founder and CEO Ecora Software.
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
David C. Brown, CISSP, PMP, CEH IUP Information Assurance Day 2011 November 10, 2011 Four Essential Requirements for Securing Your Enterprise.
CLOUD SECURITY. CREDIT UNION 2.0 For Credit Unions to succeed – they need to shift their business model and focus all of their technology resources on:
Enterprise Vulnerability Management
Defining your requirements for a successful security (and compliance
Managed IT Solutions More Reliable Networks Are Our Business
IS YOUR ORGANISATION’S INFORMATION SECURE?
Manuel Brugnoli, Elisa Heymann UAB
IS4550 Security Policies and Implementation
Cyber Security Enterprise Risk Management: Key to an Organization’s Resilience Richard A. Spires CEO, Learning Tree International Former CIO, IRS and.
Security Testing Methods
THE RISKS OF ‘NOT’ PATCHING…
Lessons Learned: Implementing a Vulnerability Management Program
Compliance with hardening standards
Putting It All Together
Putting It All Together
Leverage What’s Out There
John Butters Running Tiger Teams
IS4680 Security Auditing for Compliance
IT Development Initiative: Status and Next Steps
Risk Assessment = Risky Business
IS3440 Linux Security Unit 9 Linux System Logging and Monitoring
Validating Your Information Security Program (ISP 3 of 3)
A Web-based Integrated Console for Controlling a Set of Networks
WHAT SHOULD AN EXECUTIVE EXPECT FROM INFORMATION SECURITY
National Cyber Security
Small Business Technical Checkup for the 21st Century
Risk Management CSCE 489/689 (Software Security) Fall 2018
JOINED AT THE HIP: DEVSECOPS AND CLOUD-BASED ASSETS
IT Development Initiative: Status & Next Steps
AppointmentmentPeach Appointment Manager
V1.1 1.
AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.
Presentation transcript:

Vulnerability Management Programs & The Lessons Learned Bill Olson Technical Director

Intro & Agenda 18 plus years in security 20 Months With Tenable 8th Years with Qualys 9 Years with a NJ consultancy Lessons Learned What does not work and why What does work War Stories

What is a Vulnerability? Why Should Anyone Care? System and Applications not patched for known security flaws Hardware Operating System Application Database Network Equipment Browser and Plugins Not up to date Not patched for known security flaw Client Tier Desktop – Web Browser Internet/Intranet Tier Network Web Server Tier Apache IIS, etc Application Server Tier PHP, Java/J2EE, Ruby, Wordpress, etc Database Tier MySQL, Oracle, DB2 Applications and OSs not Configured to Secure Standards Never configured Configuration Change Web Applications and Web Services With known security issues Incorrectly Code Not patched for known security flaws Why Should Anyone Care? 3

What is the difference between Vulnerability Assessment & Vulnerability Management?

Vulnerability Assessment Often simply only a scanning program Hard to measure success long-term Is it checking patch levels? Is it lowering risk overall? What processes are working? Where is it not working in the organization? Are you compliant? Generally too much data as it lacks context Point in time only

Vulnerability Management Accountability Not just about vulnerability scanning A process to find, rate, remediate, track, progress Should be about context, context and more context Need to build a program that allows for the following Meeting compliance or regulator goals Defined success factors Measurable Repeatable Involved with other programs, patch management, ticketing, asset management, configuration management

Lesson #0 Vulnerability Management What is the goal of your VM program? Risk Management Threat Management Security Intelligence Security Patch Auditing All of the above?

Lesson #1 What Makes VM Programs Fail Bad Data (False Positives, etc) Data Without Relevancy or Context What does the data mean to the organization What does the data mean to the people reading the data (more on this later Data that is not timely Scanning more frequently is a good idea Reporting with periodicity

Why Patching Doesn’t Happen Lesson #2 Why Patching Doesn’t Happen Can not find the owner Who owns the asset Who owns the OS Who owns the application Can not be patched It will break something Out of support Can not afford the downtime Some is broken People Process Technology

What makes Programs Work Lesson #3 What makes Programs Work People Process Security Politics

Vulnerability Management People What do they do? Ops Security Admins What is important to them? Uptime Looking good in their group Looking good in the organization Their Place in the organization Management / Team lead Director CIO CISO Board of Directors 1111

Vulnerability Management Process How often do you scan? Daily Weekly Monthly How often do you report? What is being measured? Open Vulnerabilities Closed Vulnerabilities Overdue Vulnerabilities How do you prioritize patches? High Risk High Severity Asset Criticality When do you patch? By OS By Server By Workstation How do you classify assets? By business Application By Business Unit 1212

Vulnerability Management Security Are ALL vulnerabilities treated equally? How many vulnerabilities do you have? What is the context of each vulnerability? How do you classify assets? Do you manually rank vulnerability?** How do you measure the Security in the organization? SLAs Open Closed Risk Is your Security Audited? PCI SOX HIPAA ISM ISO COBIT etc 1313

Vulnerability Management Politics You are not alone Find a partner within IT Operations Audit Management Respect People Empathy This should not be punitive It is about helping people It is about improving process Reporting If you write it down it must be true Get your counts as perfect as possible Know people will have hurt feelings Create reports that tell a story 1414

Lesson #4 Think Different Change the paradigm Many clients are focused on the wrong things Trying to fix all the vulnerabilities they have Focusing only vulnerabilities without context Looking to match patching tools Measuring the wrong things (how many open) Not integrating into other systems Change the paradigm Admit you can not fix them all Look for areas of weakness Perform Root Cause Analysis each of theses lessons

Exceptions Lesson #5 Think even more Different What is the goal of your program? Some of the best programs are working towards one common goal Focusing only on the Exceptions

Bill Olson bolson@tenable.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.