Presentation is loading. Please wait.

Presentation is loading. Please wait.

V1.1 1.

Published byAhti Keskinen Modified over 5 years ago

Similar presentations

Presentation on theme: "V1.1 1."— Presentation transcript:

1 v1.1 1

2 Vulnerability Management for the Real World
Contents: The Problem What is Vulnerability Management? Challenges to Effective VM Successful Approaches 2

3 The Problem 3

4 Organizations are Feeling the Pain
1. What causes the damage? 95% of breaches target known vulnerabilities 2. How do you prevent the damage? What are your options? RISK= Assets x Vulnerabilities x Threats You can control vulnerabilities. 4. How do you make the best security decisions? Focus on the right assets, right threats, right measures. 3. How do you successfully deal with vulnerabilities? Vulnerabilities Business complexity Human resources Financial resources

5 What is Vulnerability Management?

6 What Is Vulnerability Management (VM)
A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability. Methodologies Available for VM: Vulnerability Analysis (VA) Penetration Tests (PT) DAST (Dynamic Application Security Test) SAST (Static Application Security Test)

7 What Is Vulnerability Management
At a high level, the ”intelligent confluence” of… Assessment What assets? Analysis What to fix first? Remediation Fix the problem + + As a component of Risk Management And balance the demands of business goals and processes

8 Difference between Vulnerability Assessment & Vulnerability Management
Vulnerability Assessment: One time project with defined start and end date. External IS Consultant studies network, prepares report and assessment ends. The report will list identified vulnerabilities and provide actionable recommendations for remediation. Vulnerability Management: Ongoing/continuous process that aims at managing an organization’s vulnerabilities in a holistic manner. Assessment is continuously done in a cyclic/scheduled manner of critical assets & vulnerabilities identified are reported for further action.

9 Challenges to Effective VM

10 Challenges – Assessment
Handling large networks Scan distribution is cumbersome Time consuming and resource intensive Compliance challenges

11 Challenges – Analysis Manual and resource intensive process to determine What to fix If you should fix When to fix Correlation between vulnerabilities, threats and assets A way to prioritize what vulnerabilities should be addressed What order Avoiding Stale data Making decisions on last quarter’s vulnerabilities Creating credible metrics

12 Challenges – Remediation
Security resources are often decentralized The security organization often doesn’t own the network or system Multiple groups may own the asset Presenting useful and meaningful information to relevant stakeholders Determining if the fix was actually made

13 Asset Any equipment or device or end-point (identifiable using an IP) that has value to the organization or supports the ability of the organization to conduct business

14 Threat Any person, circumstance or event that has the potential to cause damage to an organizational asset or business function

15 Vulnerability Any flaw in the design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process

16 Challenges – Time Threat Level Risk Threshold Asset Criticality
Cost to ignore vulnerability is greater than the cost to repair Asset Criticality Risk Threshold Vulnerability discovered Exploit public Automated exploit Discovery Remediation

17 Challenges – Time Threat Level Risk Threshold Asset Criticality
Goal = compress time from discovery to remediation Cost to ignore vulnerability is greater than the cost to repair Cost to ignore vulnerability is greater than the cost to repair Asset Criticality Risk Threshold Exploit public Automated exploit Vulnerability discovered Discovery Remediation

18 Challenges – Time Threat Level Risk Threshold Asset Criticality
Goal = compress time from discovery to remediation Cost to ignore vulnerability is greater than the cost to repair Asset Criticality Risk Threshold x 15 new vulnerabilities per day across many assets Exploit public Automated exploit Vulnerability discovered Discovery Remediation

19 Vulnerability Management Lifecycle

20 Vulnerability Management Lifecycle

21 Successful Approaches:
Implementing An Effective VM Strategy

22 Successful Approaches
Focus on four key areas: Prioritize Assets Determine Risk Level (assets, threats, vulnerabilities) Remediate Vulnerabilities Measure

23 Prioritize Assets

24 Asset Prioritization Identify assets by: Networks Network Devices
Logical groupings of devices Connectivity - None, LAN, broadband, wireless Network Devices Wireless access points, routers, switches Operating System Windows, Unix Applications IIS, Apache, SQL Server Versions IIS 5.0, Apache , SQL Server V.7

25 Asset Prioritization Network-based discovery Agent-based discovery
Known and “unknown” devices Determine network-based applications Excellent scalability Agent-based discovery In-depth review of the applications and patch levels Deployment disadvantages Network- and agent-based discovery techniques are optimal Agents - Cover what you already know in great detail Network - Identify rogue or new devices Frequency Continuous, daily, weekly Depends on the asset

26 Correlate Threats

27 Correlate Threats (with your critical assets)
Not all threat and vulnerability data have equal priority Primary goal is to rapidly protect your most critical assets Identify threats Worms Exploits Wide-scale attacks New vulnerabilities Correlate with your most critical assets Result = Prioritization of vulnerabilities within your environment

28 Determine Risk Level

29 Risk Calculation The Union of: Based upon the criticality of VAT
Vulnerabilities Assets Threats Based upon the criticality of VAT Focus your resources on the true risk

30 Remediation

31 Remediation / Resolution
Perfection is unrealistic (zero vulnerabilities) Think credit card fraud – will the banks ever eliminate credit card fraud? You have limited resources to address issues The question becomes: Do I address or not? Factor in the business impact costs + remediation costs If the risk outweighs the cost – eliminate or mitigate the vulnerability!

32 Remediation / Resolution
Apply the Pareto Principle – the 80/20 rule Focus on the vital few not the trivial many 80% of your risk can be eliminated by addressing 20% of the issues The Risk Union will show you the way Right assets Relevant threats Critical vulnerabilities Patch or Mitigate Impact on availability from a bad patch vs. the risk of not patching Patch or mitigate Recommendations: QA security patches 24 hours Determine if there are wide spread problems Implement defense-in-depth

33 Measure

34 Measure Nemasis OutLook:
Distribute Accountability (based on Asset, Asset-owner, Group) A universal standard to quantify risk (CVSS) Dashboard view of risk and vulnerabilities Nemasis will help answer the questions: Am I secure? Who is accountable and by when? Am I getting better or worse? How am I trending over time?

35 Summary All assets are not created equally
You cannot respond to or even protect against all threats An effective vulnerability management program focuses on Risk Vulnerabilities Assets Threats The hardest step in a 1000 mile journey is the first – start somewhere Strategically manage vulnerabilities using a comprehensive process

36 10 Steps to Effective Vulnerability Management
Identify all the assets in your purview Create an Asset Criticality Profile (ACP) Determine exposures and vulnerabilities Track relevant threats – realized and unrealized Determine Risk - union of vulnerabilities x assets x threats Take corrective action if risk > cost to eliminate or mitigate Create meaningful metrics Identify and address compliance gaps Implement an automated vulnerability management system Convince customer that vulnerability management is important

37 Protect The Right Assets With The Right Measures
From The Right Threats With The Right Measures

38 Introducing Nemasis – Comprehensive Vulnerability Management Suite
‘Nemasis’ is a Vulnerability Management Suite which assists in implementing a comprehensive GRC (Governance, Risk Management, and Compliance) strategy for managing an organization's overall governance, risk, and compliance with regulations. ‘Nemasis’ offers various advantages like eliminating redundant costs, performing in-depth vulnerability scan, optimizing investments on assets by eliminating vulnerabilities and optimizing their performance, securing business reputation, asset discovery, and more. Contact for more information. Web:

Download ppt "V1.1 1."

Similar presentations

1www.skyboxsecurity.com Skybox Cyber Security Best Practices Three steps to reduce the risk of Advanced Persistent Threats With continuing news coverage.

1www.skyboxsecurity.com Skybox Cyber Security Best Practices Three steps to reduce the risk of Advanced Persistent Threats With continuing news coverage.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Chapter 3: The Internal Organization: Resources, Capabilities, Core Competencies and Competitive Advantages Overview: Importance of understanding internal.

Chapter 3: The Internal Organization: Resources, Capabilities, Core Competencies and Competitive Advantages Overview: Importance of understanding internal.
Vulnerability Testing Approach Prepared By: Phil Cheese Nov 2008.

Vulnerability Testing Approach Prepared By: Phil Cheese Nov 2008.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Vulnerability Assessments

Vulnerability Assessments
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.

1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.
»Vulnerability Management for the Real World » Successful Approaches » What is Vulnerability Management? » Challenges to Effective VM » The Problem Contents:

»Vulnerability Management for the Real World » Successful Approaches » What is Vulnerability Management? » Challenges to Effective VM » The Problem Contents:
© 2013 Cengage Learning. All Rights Reserved. 1 Part Four: Implementing Business Ethics in a Global Economy Chapter 9: Managing and Controlling Ethics.

© 2013 Cengage Learning. All Rights Reserved. 1 Part Four: Implementing Business Ethics in a Global Economy Chapter 9: Managing and Controlling Ethics.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.

Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Copyright Security-Assessment.com 2004 Vulnerability Management Explained By Peter Benson.

Copyright Security-Assessment.com 2004 Vulnerability Management Explained By Peter Benson.
Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.

Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.

.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.

Similar presentations

Ads by Google