1. v1.3 1

2. Vulnerability Management
for the Real World
Contents:
The Problem
What is Vulnerability Management?
Challenges to Effective VM
Successful Approaches 2

3. The Problem 3

4. Organizations are Feeling the Pain
1. What causes the damage?
95% of breaches target
known vulnerabilities
2. How do you prevent the damage? What are your options?
RISK=
Assets x Vulnerabilities x Threats
You can control vulnerabilities.
4. How do you make the best security decisions?
Focus on the right assets, right threats, right measures.
3. How do you successfully deal with vulnerabilities?
Vulnerabilities
Business complexity
Human resources
Financial resources

5. What is Vulnerability Management?

6. What Is Vulnerability Management (VM)
A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.
Methodologies Available for VM:
Vulnerability Analysis (VA)
Penetration Tests (PT)
DAST (Dynamic Application Security Test)
SAST (Static Application Security Test)

7. What Is Vulnerability Management
At a high level, the “intelligent confluence” of…
Assessment
What assets?
Analysis
What to fix first?
Remediation
Fix the problem + +
As a component of Risk Management
And balance the demands of business goals and processes

8. Difference between Vulnerability Assessment & Vulnerability Management
One time project with defined start and end date.
External IS Consultant studies network, prepares report and assessment ends.
Report lists identified vulnerabilities and provide actionable recommendations for remediation.
Vulnerability Management:
Ongoing/continuous process that aims at managing an organization’s vulnerabilities in a holistic manner.
Assessment is continuously done in a cyclic/scheduled manner of critical assets & vulnerabilities identified are reported for further action.

9. Challenges to Effective VM

10. Challenges – Assessment
• Handling large networks • Scan distribution is cumbersome • Time consuming and resource intensive • Compliance challenges

11. Challenges – Analysis
• Manual and resource intensive process to determine
• What to fix
• If you should fix
• When to fix
• Correlation between vulnerabilities, threats and assets
• A way to prioritize what vulnerabilities should be addressed
• What order
• Avoiding Stale data
• Making decisions on last quarter’s vulnerabilities
• Creating credible metrics

12. Challenges – Remediation
• Security resources are often decentralized
• The security organization often doesn’t own the network or system
• Multiple groups may own the asset
• Presenting useful and meaningful information to relevant stakeholders
• Determining if the fix was actually made

13. Asset
Any equipment or device or end-point (identifiable using an IP) that has value to the organization or supports the ability of the organization to conduct business

14. Threat
Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function

15. Vulnerability
Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process

16. Challenges – Time Threat Level Risk Threshold Asset Criticality
Vulnerability
discovered
Exploit
public
Automated
exploit
Discovery
Remediation
Cost to ignore vulnerability is greater than the cost to repair
Threat Level
Risk Threshold

17. Challenges – Time Threat Level Risk Threshold Asset Criticality
Vulnerability
discovered
Cost to ignore vulnerability is greater than the cost to repair
Exploit
public
Automated
exploit
Discovery
Remediation
Goal = compress time from discovery to remediation
Threat Level
Asset Criticality
Risk Threshold

18. Challenges – Time Threat Level Risk Threshold Asset Criticality
Vulnerability
discovered
Cost to ignore vulnerability is greater than the cost to repair
Exploit
public
Automated
exploit
Goal = compress time from discovery to remediation
x 15 new vulnerabilities per day across many assets
Discovery
Remediation
Threat Level
Asset Criticality
Risk Threshold

19. Vulnerability Management Lifecycle

20. Vulnerability Management Lifecycle

21. Successful Approaches:
Implementing An Effective VM Strategy

22. Successful Approaches
• Focus on four key areas:
• Prioritize Assets
• Determine Risk Level (assets, threats, vulnerabilities)
• Remediate Vulnerabilities
• Measure

23. Prioritize
Assets

24. Asset Prioritization • Identify assets by: • Networks
• Logical groupings of devices
• Connectivity - None, LAN, broadband, wireless
• Network Devices
• Wireless access points, routers, switches
• Operating System
• Windows, Unix
• Applications
• IIS, Apache, SQL Server
• Versions
• IIS 5.0, Apache , SQL Server V.7

25. Asset Prioritization • Network-based discovery
• Known and “unknown” devices
• Determine network-based applications
• Excellent scalability
• Agent-based discovery
• In-depth review of the applications and patch levels
• Deployment disadvantages
• Network- and agent-based discovery techniques are optimal
• Agents - Cover what you already know in great detail
• Network - Identify rogue or new devices
• Frequency
• Continuous, daily, weekly
• Depends on the asset

26. Correlate Threats

27. Correlate Threats (with your critical assets)
• Not all threat and vulnerability data have equal priority
• Primary goal is to rapidly protect your most critical assets
• Identify threats
• Worms
• Exploits
• Wide-scale attacks
• New vulnerabilities
• Correlate with your most critical assets
• Result = Prioritization of vulnerabilities within your environment

28. Determine Risk Level

29. Risk Calculation The Union of: Vulnerabilities Assets Threats
Based upon the criticality of VAT
Focus your resources on the true risk

30. Remediation

31. Remediation / Resolution
Perfection is unrealistic (zero vulnerabilities)
Think credit card fraud – will the banks ever eliminate credit card fraud?
You have limited resources to address issues
The question becomes:
Do I address or not?
Factor in the business impact costs + remediation costs
If the risk outweighs the cost – eliminate or mitigate the vulnerability!

32. Remediation / Resolution
Apply the Pareto Principle – the 80/20 rule
Focus on the vital few not the trivial many
80% of your risk can be eliminated by addressing 20% of the issues
The Risk Union will show you the way
Right assets
Relevant threats
Critical vulnerabilities
Patch or Mitigate
Impact on availability from a bad patch vs. the risk of not patching
Patch or mitigate
Recommendations:
QA security patches 24 hours
Determine if there are wide spread problems
Implement defense-in-depth

33. Measure

34. Measure Nemasis OutLook:
Distribute Accountability (based on Asset, Asset-owner, Group)
A universal standard to quantify risk (CVSS)
Dashboard view of risk and vulnerabilities
Nemasis will help answer the questions:
Am I secure?
Who is accountable and by when?
Am I getting better or worse?
How am I trending over time?

35. Summary All assets are not created equally
You cannot respond to or even protect against all threats
An effective vulnerability management program focuses on Risk
Vulnerabilities
Assets
Threats
The hardest step in a 1000 mile journey is the first – start somewhere
Strategically manage vulnerabilities using a comprehensive process

36. 10 Steps to Effective Vulnerability Management
Identify all the assets in your purview
Create an Asset Criticality Profile (ACP)
Determine exposures and vulnerabilities
Track relevant threats – realized and unrealized
Determine Risk - union of vulnerabilities x assets x threats
Take corrective action if risk > cost to eliminate or mitigate
Create meaningful metrics
Identify and address compliance gaps
Implement an automated vulnerability management system
Convince customer that vulnerability management is important

37. Protect The Right Assets With The Right Measures
From The Right Threats
With The Right Measures

38. Introducing Nemasis – Comprehensive Vulnerability Management Suite
‘Nemasis’ is a Vulnerability Management Suite which assists in implementing a comprehensive GRC (Governance, Risk Management, and Compliance) strategy for managing an organization's overall governance, risk, and compliance with regulations.
‘Nemasis’ offers various advantages like eliminating redundant costs, performing in-depth vulnerability scan, optimizing investments on assets by eliminating vulnerabilities and optimizing their performance, securing business reputation, asset discovery, and more.
Contact for more information.
Web:

39. Nemasis – Brief
Nemasis solution proactively supports the entire Vulnerability Management Lifecycle, that includes:
Discovery
Detection
Verification
Classification
Prioritization
Reporting
Compliance
Mitigation
Designed for organizations with diverse networks and virtualized infrastructure, which require the highest levels of performance and scalability, Nemasis assists organizations in effectively improving their risk posture.

40. Nemasis Core Capabilities*:
Unrivalled breadth of unified vulnerability scanning: Scans for over 51,000 vulnerabilities with more than 112,000 vulnerability checks in networks, operating systems, applications, web applications and databases across a wide range of platforms.
Continuous, Real-time Vulnerability Updates: Automatically provides vulnerability and module updates without user intervention. Delivers Microsoft Patch Tuesday and Zero-day vulnerability updates within 24 hours to stay current with the changing threat landscape.
Risk Prioritization: Provides intelligence about real risk of each identified vulnerability using in-depth research on Exploit availability, CVSS Score, Malware Exposure and vulnerability proliferation.

41. Nemasis Core Capabilities*:
Renders easy-to-understand remediation strategy: Nemasis give you easy-to-understand and deploy remediation plans, which allows the IT team to focus on rapidly increasing security posture.
Distributed Scan Architecture: Allows administrators to divide work-load across multiple networks in order to rapidly scan and provide reports.
Comprehensive compliance and policy checks: Determine if systems comply with corporate or regulatory policies such as PCI, GLBA, HIPAA, NERC, or FISMA.
Strong security configuration assessment: Centrally detect insecure configurations in your environment of Operating Systems and Databases.

42. Nemasis Core Capabilities*:
Continuous discovery of assets using Passive Scans: Allows you to discover "hidden" or "newly-introduced" assets which may have not been actively assigned to a group.
Create and manage dynamic groups: Administrators can group assets and assign ownership to track and streamline remediation efforts.
Predefined and Customizable Reports and Dashboards: Leverage multiple pre-defined reports and view executive dashboards to obtain an insight into your security posture.

43. Nemasis Core Capabilities*:
360-degree Enterprise Workflow: Manages and helps automate complete Vulnerability Management Lifecycle including discovery, detection, testing, validation, and remediation. Effectively manages exceptions and policy overrides with approvals and escalations.
Powerful administration management: Supports centralized administration for dispersed network environments and provide role-based access for delegated administration and reporting with LDAP compliant directory integration.
Flexible deployment models: Deploy as virtual appliance, hardware appliance, managed service or private cloud to meet your unique security assessment needs.

44. Key Benefits*:
Get Enterprise-Class protection with up-to-date scans for over 51,000 vulnerabilities and 112,000 checks across your physical and virtual networks, operating systems, databases, applications, and web applications.
Improve and expidite strategic decision making with intelligent scoring & prioritization for rapid remediation.
Ensure compliance with policies, auditing guidelines and regulations such as PCI, GLBA, CIS, HIPAA, SOX, FISMA, FDCC, USGCB, and NERC
Automate all steps in your vulnerability management lifecycle from discovery to prioritization and issue resolution.

45. Key Benefits*:
Gain accurate visibility with continuous discovery of all physical and virtual assets, including IPv6 enabled devices.
Reduce costs for vulnerability and configuration assessment from a single unified console.
Accurate and expert support services available for training, guidance & remediation.
*Few of the features are still under active development & internal tests. Please confer with MicroWorld Engineering team to check availability of a specific feature.

47. Authenticated Scanning
An Authenticated Vulnerability scan uncovers possible vulnerabilities that a logged in user could exploit. Nemasis provides following types of Authenticated scans.
• SNMP
• SMB
• SSH
• ESXi

48. 1. Consolidated Reporting
Combine data collected from every scans for reporting
2. Quick Report Scheduling and Distribution
Quick Report Scheduling and Distribution for quick vulnerability fixes
3. Compliance Reporting
Compliance assessments using industry-recommended best practices such as CIS Benchmarks, OWASP 2010, PCI
4. Report Options
Select from multiple report options such as below
CVSS SCORE, Patch, Microsoft patch, NVT
Port/Protocol/Service
5. Report Template Types
Choose this report template from following options
OWASP 2010, PCI,CIS
6. Multiple Report formats
Multiple report formats such as Text, PDF, HTML, RTF, CSV,
Native XML

58. Dashboard Date Sources
Nemasis combines the information From following sources and displays data Comfortably in the web interface in dashboards.
CVEs (Common Vulnerability and Exposures) by CVSS
Scan Plugins by Severity Class

59. Risk Scoring with CVSS Rating CVSS Score Issue for Risk Rating None
0.0
3.5
Low 3
Medium
2.5
High 2
Critical
1.5 1
0.5
Critical
High
Medium
None
Low

60. User Access Control Module Level Permissions Organization Hierarchy
Assigning Roles and Profile to Users
Relates users and Roles to Groups

61. 1 2 3 4 5 6 Monitoring Assets Alert Teams Custom Fitted Alerts
Continues Monitoring
and Alerts
This determines which systems you want to monitor. you can recognize system to monitor via asset tagging or by range. 2
Alert Teams
Constant monitoring and alerts help teams to proactively be alerted about potential threats so problems can be tackled before turning into breaches. 3
Custom Fitted Alerts
Alerts can be custom fitted for a wide variety of situations affecting systems
certificates, ports services and software. 4
Quick Incident Response
It also continuously recognizes and proactively locates issues, instead of delayed response to incidents. 5
Define Rulesets
Determines what (i.e. which events) you want to monitor. For example, you can define rulesets to only monitor for new ports on systems.
Assets 6
Notifications
Determines which individuals or teams receive alerts

62. No Access Visibility Mode Authority Mode Configure Mode
When a scan or policy is created, no other users or groups have access to it.
Visibility Mode
Users and groups set to visibility mode can view the results of the scan.
Authority Mode
Users and groups set to authority mode can launch, pause, and stop a scan, as well as view its results.
Configure Mode
Users and groups set to configure mode can
modify the configuration of the scan in addition to all other permissions.

63. Configuration Auditing/Management
Ensures that the IT assets/ systems are configured securely according to
industry benchmarks and best
practices and are compliant with policy
and standards.
Scans against benchmarks such as below.
USGCB 2.0 policies
USGCB 1.0 policies
FDCC policies
CIS benchmarks
SCAP
NIST
PCI

64. THANK YOU
v1.3 64