Published by Lynne Weaver. Modified over 6 years ago.
Lessons Learned: Implementing a Vulnerability Management Program
Michael Zimmer, Information Security Analyst, Northern Arizona University
Grant Johnson, Technical Account Manager, Qualys
Who Are We
Presenter note: In addition to all of that, we are situated in the largest Ponderosa Pine forest in the world at 6,000 feet elevation and we get snow. Yes, in AZ we get snow. Also, it's about an 80-minute drive to the Grand Canyon.
Why Vulnerability Management?
Our Challenges
- Leadership support
- Training & learning
- Budget & resources
Our Challenges
- Change management: ease fear & reduce doubt
- Inventory of critical assets
Our Approach: Training and Learning
- Find free training: in-person, online
- Reference guides
- Demos or videos
Our Approach: Build a Current Inventory
- Qualys Maps can help
- Meet with admins and team leads
Our Approach: Organize the Assets
- Asset groups and tags
- Easier to scan
- Easier to report
- Easier to distribute permissions
Our Approach: Start Slow, with Low-Impact Scans
- Get baseline scans and reports
- Meet with admins to review
- Identify critical vulnerabilities
- Remediate and rescan
- Rinse and repeat
Our Results
- Continuous monitoring: scheduled scans
- Credentialed scans: once per year currently
- Required remediation levels: confirmed severity 4s & 5s are to be fixed
Results: Sample Views (Red = Confirmed, Yellow = Potential)
Lessons Learned
- Leadership support
- Inventory: build, organize, maintain
- Relationship building
- Start slow, low-impact initial scans
- Schedule scans & reports
- Mix of internal & external scans
- Authenticated scanning
What Lies Ahead
- Credentialed/authenticated scans
- Integrations with other products: Splunk, ServiceNow ticketing
- Scanning-as-a-Service: offer to scan department nets
- Web application scanning
- We are just starting up!
Best Practices for VM
Presenter note: change from Michael (NAU) to Grant (Qualys).
Scan Frequency
- The scan interval should match the risk of loss associated with the data and system, or the patch cycle.
- Frequency can range from monthly/bi-monthly to continuous. Mind the gap.
- Scan signatures should be VERY current; auto-update is recommended.
Scan Exclusions
- Some systems should not be scanned, BUT make them prove it!
- Document, document, document. Formalize this process.
- Remove the entire device from scanning; don't exclude individual tests (IMHO).
- Exclusions should be formally reviewed at regular intervals by the data owners.
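An exclusion register that follows the rules on this slide, as an added example (not code from the deck or from Qualys): every exclusion names a data owner and a justification, exclusions remove whole devices from the target list rather than individual tests, and a review date is computed so overdue owner reviews and stale entries surface in a report. The inventory, hosts, owners and review intervals are constructed for illustration.

```python
"""Scan-exclusion register: document, formalize, and periodically review.

Added example, not from the NAU/Qualys presentation. The register is an
in-memory list; the hosts, owners and intervals below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Exclusion:
    host: str                 # the entire device is excluded, not a single test
    data_owner: str           # who signed off, and who re-reviews it
    justification: str        # the "make them prove it" record
    approved_on: date
    review_every_days: int = 90

    def review_due(self) -> date:
        return self.approved_on + timedelta(days=self.review_every_days)


# Constructed sample data: a five-host inventory and three exclusions.
INVENTORY = ["10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.21", "10.0.3.30"]

REGISTER = [
    Exclusion("10.0.2.20", "lab-owner@example.edu",
              "Instrument controller; vendor prohibits active scanning",
              date(2018, 1, 15), review_every_days=90),
    Exclusion("10.0.3.30", "hpc-owner@example.edu",
              "Scheduler node; scan caused job failures in pilot",
              date(2018, 6, 1), review_every_days=180),
    Exclusion("10.0.9.99", "nobody@example.edu",
              "Stale entry for a decommissioned host",
              date(2017, 3, 1)),
]

AS_OF = date(2018, 9, 1)   # constructed "today" for the report


def build_targets(inventory: List[str], register: List[Exclusion]) -> List[str]:
    """Drop excluded devices wholesale; everything else stays in scope."""
    excluded = {e.host for e in register}
    return [h for h in inventory if h not in excluded]


def overdue_reviews(register: List[Exclusion], today: date) -> List[Exclusion]:
    """Exclusions whose data-owner review date has already passed."""
    return [e for e in register if e.review_due() < today]


def stale_entries(inventory: List[str], register: List[Exclusion]) -> List[Exclusion]:
    """Exclusions for hosts no longer in inventory: candidates for removal."""
    known = set(inventory)
    return [e for e in register if e.host not in known]


def exclusion_report(inventory: List[str], register: List[Exclusion],
                     today: date) -> Dict[str, object]:
    """The numbers a data owner should see next to the scan results."""
    targets = build_targets(inventory, register)
    return {
        "in_scope": len(targets),
        "excluded": len(inventory) - len(targets),
        "coverage_pct": round(100 * len(targets) / len(inventory), 1),
        "overdue_review": [e.host for e in overdue_reviews(register, today)],
        "stale": [e.host for e in stale_entries(inventory, register)],
    }


if __name__ == "__main__":
    for key, value in exclusion_report(INVENTORY, REGISTER, AS_OF).items():
        print(f"{key}: {value}")
```

The report deliberately counts coverage against the full inventory, so an exclusion always shows up as lost coverage, and an exclusion that outlives its host is flagged rather than silently kept.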
Figuring Out Where to Start: Three Risks to Consider
- Public and customer-facing systems need to be prioritized (public network).
- Data: have a defined data classification scheme; know where the data is stored; know how the data gets there.

Risk-Based Vulnerability Strategy
How do you prioritize which high-severity findings to fix first?
- Prioritize vulnerabilities with known exploits and malware. Good VM tools constantly correlate exploitability information from real-time feeds to provide up-to-date references to exploits and related security resources.
- Prioritize vulnerabilities that can be exploited from the outside or detected via (unauthenticated) scanning.
- Death of a million… begin with vulnerabilities that are fixable.
- Give IT actionable information.
- Exclude zero-day vulnerabilities from metrics.
Vulnerability Metrics
- Target metrics to the non-technical data owners, not just IT.
- Report the number of vulnerabilities FIXED over the last N days or since the last scan.
- Average age of the vulnerabilities (reduces the impact of any individual finding).
- Missing patches are a good starting point.
- Report % coverage and % authenticated.
- Report "risk accepted" vulnerabilities alongside the others: "risk accepted" does not mean "risk mitigated".
- Report exclusions: hosts, vulnerabilities, times, etc., including scan windows (weekend only, after-hours scanning).
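The prioritization rules from the Risk-Based Vulnerability Strategy slide and the metrics on this slide, worked over one constructed set of findings as an added example (not code from the deck or from Qualys). The Finding fields, the QIDs, the score weights and the sample hosts are assumptions made for illustration; the point is that a severity-4 "potential" finding with a public exploit and external exposure outranks a confirmed severity-5 with neither, that zero-days drop out of the metrics, and that risk-accepted findings are counted next to the open ones rather than hidden.

```python
"""Risk-based prioritization and owner-facing metrics over scan findings.

Added example, not from the NAU/Qualys presentation. Findings, hosts and
score weights are constructed; a real program would feed these from the
scanner's export and its exploit/malware correlation feed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Finding:
    host: str
    qid: str                     # vulnerability identifier (hypothetical values)
    severity: int                # 1..5, as in the deck's "4s & 5s" rule
    confirmed: bool              # confirmed (red) vs potential (yellow)
    exploit_available: bool      # correlated from exploit/malware feeds
    external: bool               # exploitable from outside / found unauthenticated
    fixable: bool                # a patch or configuration change exists
    zero_day: bool = False       # no fix yet: kept out of the metrics
    risk_accepted: bool = False
    first_seen: date = date(2018, 1, 1)
    fixed_on: Optional[date] = None


# Constructed sample: inventory, which hosts were scanned (and with credentials),
# and the findings the scans produced.
INVENTORY = ["web1", "web2", "db1", "lab1"]
SCANNED = {"web1": True, "web2": False, "db1": True}   # host -> authenticated scan?
TODAY = date(2018, 6, 1)

FINDINGS = [
    Finding("web1", "Q-A", 5, True,  True,  True,  True,  first_seen=date(2018, 3, 1)),
    Finding("web1", "Q-B", 5, True,  False, False, True,  first_seen=date(2018, 4, 1)),
    Finding("web2", "Q-C", 4, False, True,  True,  True,  first_seen=date(2018, 5, 1)),
    Finding("db1",  "Q-D", 5, True,  True,  False, False, zero_day=True,
            first_seen=date(2018, 5, 20)),
    Finding("db1",  "Q-E", 4, True,  False, False, True,  risk_accepted=True,
            first_seen=date(2018, 2, 1)),
    Finding("web2", "Q-F", 4, True,  True,  True,  True,  first_seen=date(2018, 1, 10),
            fixed_on=date(2018, 5, 25)),
    Finding("web1", "Q-G", 3, True,  False, False, True,  first_seen=date(2018, 1, 1),
            fixed_on=date(2018, 3, 1)),
]


def priority_score(f: Finding) -> int:
    """Higher is more urgent. Known exploits and external exposure outrank
    raw severity; an unfixable finding sinks because IT cannot act on it."""
    score = f.severity * 10
    if f.confirmed:
        score += 10
    if f.exploit_available:
        score += 40
    if f.external:
        score += 30
    if not f.fixable:
        score -= 50
    return score


def prioritize(findings: List[Finding]) -> List[str]:
    """Open, not-risk-accepted findings, most urgent first."""
    work = [f for f in findings if f.fixed_on is None and not f.risk_accepted]
    return [f.qid for f in sorted(work, key=priority_score, reverse=True)]


def metrics(findings: List[Finding], inventory: List[str], scanned: Dict[str, bool],
            today: date, window_days: int = 30) -> Dict[str, float]:
    """The numbers the slide asks for, aimed at data owners rather than IT."""
    reportable = [f for f in findings if not f.zero_day]          # zero-days excluded
    open_ = [f for f in reportable if f.fixed_on is None]
    actionable = [f for f in open_ if not f.risk_accepted]
    accepted = [f for f in open_ if f.risk_accepted]                # shown alongside
    fixed_recent = [f for f in reportable
                    if f.fixed_on is not None and (today - f.fixed_on).days <= window_days]
    ages = [(today - f.first_seen).days for f in actionable]
    return {
        "fixed_last_window": len(fixed_recent),
        "open": len(actionable),
        "risk_accepted_open": len(accepted),
        "avg_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
        "coverage_pct": round(100 * len(scanned) / len(inventory), 1),
        "authenticated_pct": round(100 * sum(scanned.values()) / len(scanned), 1)
        if scanned else 0.0,
    }


if __name__ == "__main__":
    print("fix order:", prioritize(FINDINGS))
    for key, value in metrics(FINDINGS, INVENTORY, SCANNED, TODAY).items():
        print(f"{key}: {value}")
```

With these weights Q-C (severity 4, only "potential", but exploitable from outside with a public exploit) is ranked ahead of Q-B (confirmed severity 5 with neither), and the zero-day Q-D lands last because nothing can be done about it yet; it is also absent from every metric, so it cannot drag the average age up for a fix nobody can apply.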
Wrap-up (presenter note): Maybe you could do some key takeaways as a wrap-up, and both you and Grant present? Will leave this one to Grant.
Some Good Free References: WWW.qualys.com/freetools
Q&A