Published by Amelia Ramsey. Modified over 9 years ago.
1
VEGA
TERRY WELLIVER, GREG SYME, JUANA WELLS
NAVAL POSTGRADUATE SCHOOL
2
VULNERABILITY MANAGEMENT
3
FACTS: THERE ARE AND WILL CONTINUE TO BE BUGS AND HOLES IN SOFTWARE THAT CAN BE EXPLOITED
4
FACTS: VENDORS WILL (OR AT LEAST SHOULD) DO THEIR BEST TO FIX THEM AS FAST AS THEY CAN
5
FACTS: BUT THE FIXES WON'T HELP IF YOU DON'T KNOW YOU NEED THEM AND THEN DON'T DEPLOY THEM
6
FACTS: APPLYING FIXES IS GOING TO BE DISRUPTIVE TO NORMAL OPERATIONS, SO YOU NEED AN ACTIVE PLAN AND PROVEN PROCESS FOR ENSURING THAT THE WORK GETS DONE IN A TIMELY FASHION
7
NAVY MANDATES: A FORMAL VULNERABILITY SCANNING PROCESS IN PLACE AND AN ACTIVE PLAN TO ADDRESS VULNERABILITIES THAT ARE DISCOVERED
8
TIME AND MONEY: BUDGETS ARE TIGHT AND TIME IS FINITE
9
SOLUTION
1. VULNERABILITY SCANNER: FIND THE BUGS YOU NEED TO FIX
2. EXPORT THE REPORTS (PDF, CSV)
3. DISTRIBUTE THE REPORTS: EMAIL THE SYSTEM ADMINISTRATORS
4. TAKE ACTION ON THE FINDINGS
5. TRACK THE FIXES: CREATE YET ANOTHER EXCEL FILE TO TRACK THEM
6. VALIDATE THE FIXES
7. SCAN AGAIN AND START OVER
10
INTERNET → NETWORK PERIMETER (DMZ) → INTERNAL NETWORK
12
PROBLEM
1. VULNERABILITY SCANNER: FIND THE BUGS YOU NEED TO FIX
2. EXPORT THE REPORTS (PDF, CSV)
3. DISTRIBUTE THE REPORTS: EMAIL THE SYSTEM ADMINISTRATORS
4. TAKE ACTION ON THE FINDINGS
5. TRACK THE FIXES: CREATE YET ANOTHER EXCEL FILE TO TRACK THEM
6. VALIDATE THE FIXES
7. SCAN AGAIN AND START OVER
13
PROBLEM
14
THINK DIFFERENT
15
SCANNER → DATABASE → WEBSITE
16
SCANNER → DATABASE → ISSUE TRACKING
17
RETINA → POSTGRES → JIRA
GLUE: RUBY SCRIPTS, JIRA API
DATA: DATA TYPES, NORMALIZATION
ISSUE TRACKING: USER INTERFACE, WORKFLOW, ACCOUNTABILITY, DOCUMENTATION, TRACKING, FEEDBACK
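The pipeline on this slide (scanner export normalized, then pushed into JIRA by Ruby scripts) and the scan / track / validate / scan-again loop from the SOLUTION and PROBLEM slides, as an added example in Ruby. This is not VEGA's code: the CSV column layout, the finding key, the accepted-risk list and the JIRA project key 'VULN' are all constructed for the example, and the JIRA create-issue body is built but never sent. It goes one step beyond the slide by carrying the same finding across two scan cycles so that open tickets, new findings, accepted risks and validated fixes each come out as a distinct action.

```ruby
require 'csv'
require 'json'
require 'digest'

# Constructed scanner exports for two scan cycles. The column layout is an
# assumption for the example; real Retina or Nessus CSV exports differ.
SCAN_RUN_1 = <<~EOS
  host,plugin_id,name,severity,port
  10.0.0.5,1001,Outdated OpenSSH,High,22
  10.0.0.5,1002,SSL self-signed certificate,Low,443
  10.0.0.7,1001,Outdated OpenSSH,High,22
  10.0.0.7,1001,Outdated OpenSSH,High,2222
EOS

SCAN_RUN_2 = <<~EOS
  host,plugin_id,name,severity,port
  10.0.0.5,1002,SSL self-signed certificate,Low,443
  10.0.0.7,1001,Outdated OpenSSH,High,22
  10.0.0.9,1003,SMB signing not required,Medium,445
EOS

# Common severity scale so findings from different scanners compare alike.
SEVERITY_RANK = { 'critical' => 4, 'high' => 3, 'medium' => 2, 'low' => 1, 'info' => 0 }.freeze

# Global risk acceptance / known false positives (constructed). A finding listed
# here is never ticketed, whichever scan produced it.
ACCEPTED = { '10.0.0.5|1002' => 'self-signed cert on an internal test box, accepted' }.freeze

Finding = Struct.new(:key, :host, :plugin_id, :name, :severity, :ports)

# Stable identifier for "this plugin on this host", used as the JIRA label so
# the same finding maps to the same ticket across scan cycles.
def finding_key(host, plugin_id)
  Digest::SHA256.hexdigest("#{host}|#{plugin_id}")[0, 12]
end

# Normalization step: one Finding per host+plugin, ports folded together,
# severity mapped onto SEVERITY_RANK.
def normalize(csv_text)
  by_key = {}
  CSV.parse(csv_text, headers: true).each do |row|
    key = finding_key(row['host'], row['plugin_id'])
    f = by_key[key] ||= Finding.new(key, row['host'], row['plugin_id'], row['name'],
                                     SEVERITY_RANK.fetch(row['severity'].downcase, 0), [])
    f.ports << row['port'].to_i
  end
  by_key
end

def accepted?(f)
  ACCEPTED.key?("#{f.host}|#{f.plugin_id}")
end

# Body in the shape of a JIRA REST create-issue request. The project key 'VULN'
# is an assumption; nothing is sent anywhere in this example.
def jira_payload(f, project = 'VULN')
  { 'fields' => {
      'project'     => { 'key' => project },
      'summary'     => "[#{f.host}] #{f.name}",
      'description' => "plugin #{f.plugin_id}, ports #{f.ports.sort.join(',')}, " \
                       "severity rank #{f.severity}",
      'priority'    => { 'name' => f.severity >= 3 ? 'High' : 'Normal' },
      'labels'      => ["vega-#{f.key}"] } }
end

# One turn of the scan / track / validate loop. open_tickets maps finding key to
# the ticket body already filed. Returns [tickets still open, actions], where an
# action is [:create | :still_open | :skip | :resolve, finding key]. A key that
# was open but is absent from the new scan counts as a validated fix.
def reconcile(open_tickets, scan_csv)
  findings = normalize(scan_csv)
  actions = []
  next_open = {}
  findings.each_value do |f|
    if accepted?(f)
      actions << [:skip, f.key]
    elsif open_tickets.key?(f.key)
      next_open[f.key] = open_tickets[f.key]
      actions << [:still_open, f.key]
    else
      next_open[f.key] = jira_payload(f)
      actions << [:create, f.key]
    end
  end
  (open_tickets.keys - findings.keys).each { |k| actions << [:resolve, k] }
  [next_open, actions]
end

if $PROGRAM_NAME == __FILE__
  open_tickets = {}
  [SCAN_RUN_1, SCAN_RUN_2].each_with_index do |scan, i|
    open_tickets, actions = reconcile(open_tickets, scan)
    puts "scan #{i + 1}: #{actions.to_json}"
  end
end
```

The point of keying on host plus plugin rather than on the raw export row is what makes the tracking database useful: a second port on the same host folds into the existing ticket instead of opening a duplicate, and a finding that vanishes from the next scan is what lets the script mark the fix validated without anyone maintaining a spreadsheet by hand.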
18
FUTURE
NEW VULNERABILITY SCANNER: NESSUS IS REPLACING RETINA
GLOBAL RISK ACCEPTANCE: IDENTIFY FALSE POSITIVE AND WON'T FIX
AUTOMATION: MORE, MORE, MORE
DELICIOUS CAKE: BECAUSE IT'S DAMN GOOD
19
FUTURE
NEW VULNERABILITY SCANNER: NESSUS IS REPLACING RETINA
GLOBAL RISK ACCEPTANCE: IDENTIFY FALSE POSITIVE AND WON'T FIX
AUTOMATION: MORE, MORE, MORE
DELICIOUS CAKE: MMMMMM, MMMMMM, GOOD
20
BE THE CHANGE YOU SEEK
Do we have a formal vulnerability scanning process in place and an active plan to address vulnerabilities that are discovered? There are and will continue to be bugs and holes in software that can be exploited. Your vendors will (or at least should) be doing their best to fix them as fast as they can, but the fixes won't help if you don't know you need them and then don't deploy them. Remediation is going to be disruptive to normal operations, so you need an active plan and proven process for ensuring that the work gets done in a timely fashion.
© 2025 SlidePlayer.com, Inc. All rights reserved.