Lessons Learned: Implementing a Vulnerability Management Program
Michael Zimmer, Information Security Analyst, Northern Arizona University
Grant Johnson, Technical Account Manager, Qualys
Who Are We
In addition to all of that, we are situated in the largest Ponderosa Pine forest in the world, at 6,000 feet elevation, and we get snow. Yes, in AZ we get snow. Also, it's about an 80-minute drive to the Grand Canyon.
Why Vulnerability Management?
Our Challenges
- Leadership support
- Training and learning
- Budget and resources
- Change management
- Ease fear and reduce doubt
- Inventory of critical assets
Our Approach: Training and Learning
- Find free training (in-person, online)
- Reference guides
- Demos or videos
Our Approach: Build a Current Inventory
- Qualys Maps can help
- Meet with admins and team leads
Our Approach: Organize the Assets
- Asset groups
- Tags
- Easier to scan, easier to report, easier to distribute permissions
Our Approach: Start Slow
- Start with low-impact scans
- Get baseline scans and reports
- Meet with admins to review
- Identify critical vulnerabilities
- Remediate and rescan
- Rinse and repeat
Our Results
- Continuous monitoring: scheduled scans
- Credentialed scans: once per year currently
- Required remediation levels: confirmed 4s and 5s are to be fixed
Results: Sample Views
[Screenshots of sample report views; legend: Red = Confirmed, Yellow = Potential]
Lessons Learned
- Leadership support
- Inventory: build, organize, maintain
- Relationship building
- Start slow, with low-impact initial scans
- Schedule scans and reports
- Mix of internal and external scans
- Authenticated scanning
What Lies Ahead
- Credentialed/authenticated scans
- Integrations with other products: Splunk, ServiceNow ticketing
- Scanning-as-a-Service: offer to scan department networks
- Web application scanning
- We are just starting up!
Best Practices for VM
(Presented by Grant Johnson, Qualys)
Scan Frequency
- The scan interval should match the risk of loss associated with the data and system, or the patch cycles
- Frequency can range from monthly/bi-monthly to continuous: mind the gap between scans
- Scan signatures should be VERY current; auto-update is recommended
Scan Exclusions
- Some systems should not be scanned, BUT make them prove it!
- Document, document, document: formalize this process
- Remove the entire device from scanning rather than excluding individual tests (IMHO)
- Exclusions should be formally reviewed at regular intervals by the data owners
Figuring Out Where to Start: Three Risks to Consider
1. Public and customer-facing systems (the public network) need to be prioritized
2. Data:
   - Have a defined data classification scheme
   - Need to know where the data is stored
   - Need to know how the data gets there
3. Prioritize vulnerabilities that can be exploited from the outside or detected via (unauthenticated) scanning

Risk-Based Vulnerability Strategy
How do you prioritize which high-severity findings to fix first?
- Prioritize vulnerabilities with known exploits and malware. Good VM tools constantly correlate exploitability information from real-time feeds to provide up-to-date references to exploits and related security resources.
- Death of a million: begin with vulnerabilities that are fixable. Give IT actionable information.
- Exclude zero-day vulnerabilities from metrics.
Vulnerability Metrics
- Target metrics to the non-technical data owners, not just IT
- Report the number of vulnerabilities FIXED over the last number of days or since the last scan
- Average age of the vulnerabilities (reduces the impact of any individual finding)
- Missing patches are a good starting point
- Report % of coverage and % authenticated
- Report "risk accepted" vulnerabilities alongside the others: "risk accepted" does not mean risk mitigated
- Report exclusions: hosts, vulnerabilities, times, etc. (scan interval, weekend-only or after-hours scanning)
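As an added illustration of the prioritization and metrics slides above (not part of the original presentation and not Qualys tooling), a small Python model that builds the remediation work queue in the order described (known exploit, then external exposure, then severity; zero-days and risk-accepted items kept out of the queue) and computes the owner-facing metrics. All hosts, vulnerability labels, dates and the in-scope host count are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    host: str
    vuln_id: str                  # constructed label, not a real Qualys QID
    severity: int                 # 1-5; confirmed 4s and 5s are the remediation bar
    first_seen: date
    fixed: bool = False
    exploit_known: bool = False   # correlated to a public exploit or malware
    external: bool = False        # exploitable from outside / seen by unauthenticated scan
    patch_available: bool = True  # "fixable" today
    zero_day: bool = False        # kept out of the work queue and the metrics
    risk_accepted: bool = False   # reported alongside the rest, never silently dropped

def prioritize(findings, min_severity=4):
    """Work queue: known exploit first, then external exposure, then severity."""
    queue = [f for f in findings if not f.fixed and not f.zero_day and not f.risk_accepted
             and f.patch_available and f.severity >= min_severity]
    return sorted(queue, key=lambda f: (not f.exploit_known, not f.external, -f.severity))

def metrics(findings, hosts_in_scope, scanned, authenticated, today):
    """Owner-facing numbers; risk-accepted items are counted, not averaged."""
    open_ = [f for f in findings if not f.fixed and not f.zero_day]
    actionable = [f for f in open_ if not f.risk_accepted]
    ages = [(today - f.first_seen).days for f in actionable]
    return {
        "fixed": sum(1 for f in findings if f.fixed),
        "open": len(actionable),
        "risk_accepted": len(open_) - len(actionable),
        "avg_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
        "coverage_pct": round(100 * len(scanned) / hosts_in_scope, 1),
        "authenticated_pct": round(100 * len(authenticated & scanned) / len(scanned), 1),
    }

# Constructed sample scan results (not real NAU data).
TODAY = date(2016, 3, 1)
SAMPLE = [
    Finding("web-01", "V-1", 5, date(2016, 1, 1), exploit_known=True, external=True),
    Finding("db-01", "V-2", 5, date(2016, 2, 10)),
    Finding("web-02", "V-3", 4, date(2016, 1, 31), exploit_known=True),
    Finding("web-01", "V-4", 4, date(2015, 12, 1), fixed=True),
    Finding("file-01", "V-5", 5, date(2016, 2, 20), zero_day=True, patch_available=False),
    Finding("db-01", "V-6", 3, date(2016, 2, 24)),
    Finding("legacy-01", "V-7", 4, date(2015, 11, 1), risk_accepted=True),
]
SCANNED = {"web-01", "web-02", "db-01", "file-01", "legacy-01"}
AUTHENTICATED = {"web-01", "db-01"}
REPORT = metrics(SAMPLE, hosts_in_scope=8, scanned=SCANNED, authenticated=AUTHENTICATED, today=TODAY)
```

With the sample data the queue comes out as V-1, V-3, V-2: the externally exposed finding with a known exploit first, the internal-but-exploitable one second, and the severity-5 finding with no known exploit last.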
Some Good Free References
www.qualys.com/freetools
Q&A
Michael.Zimmer@nau.edu
gjohnson@qualys.com