
Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.


1 Vulnerability and Configuration Management Best Practices for State and Local Governments Jonathan Trull, CISO, Qualys, Inc.

2 Most Breaches Exploit Known Vulnerabilities
ATTACKS: More than 80% of attacks target known vulnerabilities
PATCHES: 79% of vulnerabilities have patches available on day of disclosure

3 Threats vs. Vulnerabilities

4 Patch and Vulnerability Management
A security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization.
The continuous process of identifying, classifying, remediating, and mitigating vulnerabilities.

5 Configuration Management
The process of evaluating, coordinating, approving, disapproving, and implementing changes to systems and software.
Security Perspective: The process of ensuring systems are configured to prevent successful cyber attacks and stay that way.

6 Major Constraints on Security Teams

7 Attack-Defend Cycle (OODA Loop)

8 Laws of Vulnerabilities
Half-Life – time interval for reducing occurrence of a vulnerability by half.
Prevalence – turnover rate of vulnerabilities in the “Top 20” list during a year.
Persistence – total lifespan of vulnerabilities.
Exploitation – time interval between an exploit announcement and the first attack.

9 Half-Life
29.5 Days

10 Prevalence
8 critical vulnerabilities retained a constant presence in the Top 20

11 Persistence
Indefinite
Stabilize at 5-10%

12 Exploitation
Average: < 10 days
Critical client vulnerabilities: < 48 hours
–Exploit Kits offer money back guarantees / Next day delivery
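
An added example (not from the presentation): computing the half-life and persistence figures defined above from a series of scan results for one vulnerability. The function names, the linear interpolation between scans, the stabilization window and the sample counts are assumptions constructed for illustration.

```python
# Constructed sample data: (days since first scan, hosts still vulnerable)
# for one vulnerability across weekly, then biweekly, scans.
SCANS = [(0, 400), (7, 340), (14, 290), (21, 240), (28, 210), (35, 170),
         (42, 120), (56, 60), (70, 34), (84, 30), (98, 30), (112, 28)]


def half_life_days(scans):
    """Days until the open count first falls to half its initial value.

    Interpolates linearly between the two scans that bracket the halfway
    point (an assumption: scans only sample the true remediation curve).
    Returns None if the count never halves.
    """
    scans = sorted(scans)
    t0, n0 = scans[0]
    if n0 <= 0:
        raise ValueError("first scan must show at least one vulnerable host")
    target = n0 / 2
    prev_t, prev_n = t0, n0
    for t, n in scans[1:]:
        if n <= target:
            frac = (prev_n - target) / (prev_n - n)
            return (prev_t - t0) + frac * (t - prev_t)
        prev_t, prev_n = t, n
    return None


def persistence_floor(scans, window=3, tolerance=0.02):
    """Residual fraction of the initial count once remediation stalls.

    Treated as stalled when the last `window` scans differ by no more than
    `tolerance` (as a fraction of the initial count); otherwise None.
    """
    scans = sorted(scans)
    n0 = scans[0][1]
    if n0 <= 0:
        raise ValueError("first scan must show at least one vulnerable host")
    tail = [n / n0 for _, n in scans[-window:]]
    if len(tail) < window or max(tail) - min(tail) > tolerance:
        return None
    return sum(tail) / len(tail)


if __name__ == "__main__":
    print("half-life (days):", half_life_days(SCANS))
    print("persistence floor:", persistence_floor(SCANS))
```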

13 Cyber Hygiene Campaign
Multi-year effort that provides key recommendations for a low-cost security program that any organization can adopt to achieve immediate and effective defenses against cyber security attacks.

14 Pilot of scanning baselines completed
Using Qualys, CIS provided a baseline network and app scan, for 12 States, at the following key agencies:
o health
o public safety
o revenue
Reports were sent to each State with the results and information to remediate; follow-up discussions were available if needed
Re-scans provided to remediate findings
Feedback from the pilot states has helped to improve the process.
CIS is ready to offer the same baseline scans to other governments; for further information, contact Kathleen Patentreger at info@msisac.org

15 Cyber Hygiene Scans

16 Summary Results
Network Based Vulnerabilities

17 Summary Results
Application Based Vulnerabilities

18 Summary Results
Types of Vulnerabilities

19 MS-ISAC Guidance
The goal of your security team is to reduce risk by identifying and eliminating weaknesses in your network assets. To do this, there are a few questions you need to ask about your organization.

20 MS-ISAC Guidance
1. Do you maintain an asset inventory? Is it up to date?
2. Manage the flow of information -- what machines have access to critical information, how does that information get dispersed across your network?
3. Are your network assets classified? If not, assign them a position in a hierarchy. The systems at the top being the most critical.
4. Have you done a risk assessment on these systems? What level of risk is your organization okay with?
5. How often do you perform vulnerability assessments on these hosts?
6. How is the remediation of these hosts being tracked? How long does it take to remediate hosts on average?
7. If a host was compromised, how would you respond?

21 Case Studies
State of New York
University of Colorado
State of Michigan
State of Ohio
Colorado Statewide Internet Portal Authority

22 The Great Divide

23 [Diagram labels: Vulnerability & Compliance Scanning; Automated Remediation; SecOps Integration; Vulnerability Information; Matched vulnerabilities and patches; If / then]

24 Best Practices
Vulnerability and configuration management should be an essential part of any security program
Obtain executive level support
–Identify and obtain an executive level champion
–Build partnerships with other execs who need the same data
–When selling security, keep it simple
–Establish supporting written policies and procedures
Communicate vertically and horizontally within your Organization
–Essential to remove fear, uncertainty, and doubt

25 Best Practices Continued
Scan everything and scan often
–Scan anything connected to your network
–Scan your perimeter daily and servers and endpoints weekly
–Be prepared for zero days / use predictive analytics
Use credentialed scanning
Use metrics to drive risk reduction and program support
Use tags to manage VM/CM processes / workflows
–Use tags for business value, ownership, and compliance

26 Best Practices Continued
Measure the security and ops teams’ performance by the half-life results & treatment of the persistence law
–Include results in HR performance reviews
Use metrics to communicate with senior management
Integrate VM/CM solution with patch management systems, asset inventory systems, ticketing systems, configuration systems (Chef / Puppet), and reporting systems for best results

27 Best Practices Continued
Focus patching on those things that will hurt you most
Select a VM/CM solution with strong APIs, integration, and that limits resources spent on system administration
Learn to speak the language of Ops staff / Ensure VM/CM data are reported in the most useful format

28 Question and Answers

29 jtrull@qualys.com
@jonathantrull
Government Series Webcasts: https://lps.qualys.com/gov-webcast-series-1-2015.html
More Resources:
Qualys Top 4 Security Controls https://www.qualys.com/forms/top-4-security-controls/
Qualys Free Tools and Trials https://www.qualys.com/free-tools-trials/
Cyber Hygiene Toolkits https://www.cisecurity.org/about/CHToolkits.cfm

