Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerability Management Programs & The Lessons Learned

Published byNoreen Cross Modified over 7 years ago

Similar presentations

Presentation on theme: "Vulnerability Management Programs & The Lessons Learned"— Presentation transcript:

1 Vulnerability Management Programs & The Lessons Learned
Bill Olson Technical Director

2 Intro & Agenda 18 plus years in security 20 Months With Tenable
8th Years with Qualys 9 Years with a NJ consultancy Lessons Learned What does not work and why What does work War Stories

3 What is a Vulnerability? Why Should Anyone Care?
System and Applications not patched for known security flaws Hardware Operating System Application Database Network Equipment Browser and Plugins Not up to date Not patched for known security flaw Client Tier Desktop – Web Browser Internet/Intranet Tier Network Web Server Tier Apache IIS, etc Application Server Tier PHP, Java/J2EE, Ruby, Wordpress, etc Database Tier MySQL, Oracle, DB2 Applications and OSs not Configured to Secure Standards Never configured Configuration Change Web Applications and Web Services With known security issues Incorrectly Code Not patched for known security flaws Why Should Anyone Care? 3

4 What is the difference between Vulnerability Assessment & Vulnerability Management?

5 Vulnerability Assessment
Often simply only a scanning program Hard to measure success long-term Is it checking patch levels? Is it lowering risk overall? What processes are working? Where is it not working in the organization? Are you compliant? Generally too much data as it lacks context Point in time only

6 Vulnerability Management
Accountability Not just about vulnerability scanning A process to find, rate, remediate, track, progress Should be about context, context and more context Need to build a program that allows for the following Meeting compliance or regulator goals Defined success factors Measurable Repeatable Involved with other programs, patch management, ticketing, asset management, configuration management

7 Lesson #0 Vulnerability Management
What is the goal of your VM program? Risk Management Threat Management Security Intelligence Security Patch Auditing All of the above?

8 Lesson #1 What Makes VM Programs Fail
Bad Data (False Positives, etc) Data Without Relevancy or Context What does the data mean to the organization What does the data mean to the people reading the data (more on this later Data that is not timely Scanning more frequently is a good idea Reporting with periodicity

9 Why Patching Doesn’t Happen
Lesson #2 Why Patching Doesn’t Happen Can not find the owner Who owns the asset Who owns the OS Who owns the application Can not be patched It will break something Out of support Can not afford the downtime Some is broken People Process Technology

10 What makes Programs Work
Lesson #3 What makes Programs Work People Process Security Politics

11 Vulnerability Management
People What do they do? Ops Security Admins What is important to them? Uptime Looking good in their group Looking good in the organization Their Place in the organization Management / Team lead Director CIO CISO Board of Directors 1111

12 Vulnerability Management
Process How often do you scan? Daily Weekly Monthly How often do you report? What is being measured? Open Vulnerabilities Closed Vulnerabilities Overdue Vulnerabilities How do you prioritize patches? High Risk High Severity Asset Criticality When do you patch? By OS By Server By Workstation How do you classify assets? By business Application By Business Unit 1212

13 Vulnerability Management
Security Are ALL vulnerabilities treated equally? How many vulnerabilities do you have? What is the context of each vulnerability? How do you classify assets? Do you manually rank vulnerability?** How do you measure the Security in the organization? SLAs Open Closed Risk Is your Security Audited? PCI SOX HIPAA ISM ISO COBIT etc 1313

14 Vulnerability Management
Politics You are not alone Find a partner within IT Operations Audit Management Respect People Empathy This should not be punitive It is about helping people It is about improving process Reporting If you write it down it must be true Get your counts as perfect as possible Know people will have hurt feelings Create reports that tell a story 1414

15 Lesson #4 Think Different Change the paradigm
Many clients are focused on the wrong things Trying to fix all the vulnerabilities they have Focusing only vulnerabilities without context Looking to match patching tools Measuring the wrong things (how many open) Not integrating into other systems Change the paradigm Admit you can not fix them all Look for areas of weakness Perform Root Cause Analysis each of theses lessons

16 Exceptions Lesson #5 Think even more Different
What is the goal of your program? Some of the best programs are working towards one common goal Focusing only on the Exceptions

17 Bill Olson

Download ppt "Vulnerability Management Programs & The Lessons Learned"

Similar presentations

The 7 days at “x” Revised May 12 2002. The 7 “Days” at “X” A Real POC This is a real story with the name(s) changed to protect the innocent Each step.

The 7 days at “x” Revised May The 7 “Days” at “X” A Real POC This is a real story with the name(s) changed to protect the innocent Each step.
OWASP Periodic Table of Vulnerabilities James Landis

OWASP Periodic Table of Vulnerabilities James Landis
1 1 Risk Management: How to Comply with Everything July 11, 2013.

1 1 Risk Management: How to Comply with Everything July 11, 2013.
Copyright © 2011 Integrated Technology Systems All rights reserved. IT Solutions More Reliable Networks Are Our Business Robert Sweet

Copyright © 2011 Integrated Technology Systems All rights reserved. IT Solutions More Reliable Networks Are Our Business Robert Sweet
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard.

Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard.
Applied Software Project Management 1 Introduction Dr. Mengxia Zhu Computer Science Department Southern Illinois University Carbondale.

Applied Software Project Management 1 Introduction Dr. Mengxia Zhu Computer Science Department Southern Illinois University Carbondale.
Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.

Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard 12/5/2010Greg Williams CS591.

Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard 12/5/2010Greg Williams CS591.
Vulnerability Assessments

Vulnerability Assessments
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014.

Relevant Impact Building an Enterprise Security Program Tech Security ConferenceMinneapolis April 10, 2014.
Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.

Get Complete IT Compliance: Reduce Risk and Cost Jonathan CISO, Qualys Seth Automation Specialist, BMC.
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Vulnerability Management Dimension Data – Tom Gilis 24 November 2011.

Vulnerability Management Dimension Data – Tom Gilis 24 November 2011.
Acquisitions: Your Latest Zero Day Presented by: Mitch Greenfield, CISA, CEH, Scott MacArthur, CISSP, CISA, CEH, LPT 1.

Acquisitions: Your Latest Zero Day Presented by: Mitch Greenfield, CISA, CEH, Scott MacArthur, CISSP, CISA, CEH, LPT 1.
1©2012 Check Point Software Technologies Ltd. Squashing Politics with Policy.

1©2012 Check Point Software Technologies Ltd. Squashing Politics with Policy.
ACME ACME Solutions Inc. You Focus on Your Business & We Focus on Your IT.

ACME ACME Solutions Inc. You Focus on Your Business & We Focus on Your IT.
NovaTech You Focus on Your Business & We Focus on Your IT Managed Services.

NovaTech You Focus on Your Business & We Focus on Your IT Managed Services.

Similar presentations

Ads by Google