A Global Vulnerability Management Program to Protect the Global Brand
Myles Higa Vulnerability Management Lead
Toyota Financial Services Information Security
Feb. 2014, Qualys - RSA Conference 2014
For hackers, Big Brands are …
TFS’ Global VM Strategy & Approach
Incorporate the global VM program on the global security roadmap
Implement an operational and managerial VM program in all offices worldwide
Adapt Toyota’s Kaizen principles:
Plan-Do-Check-Act (continuous improvement)
Respect for people
[Diagram: Plan → Do → Check → Act cycle]
“PLAN” The Global VM Program Initiative
Set the global program objectives
Scope the global program: Assess → Analyze → Remediate → Validate
Identify key sponsors and stakeholders
Prepare the business plan
Obtain corporate leadership approval
“PLAN” The Global VM Program Project
Clarify the problem
Establish the T-E-A-M
Prepare the plan
Define the requirements:
► Scan at 34 offices
► Global & regional reporting
► Easy deployment & administration
Solicit & evaluate alternative solutions
Select solution & consummate the contract
“DO” The Global VM Program Deployment
Develop the global deployment plan
Execute a pilot deployment
Set up the global subscription in QualysGuard
Develop standards & procedures
Conduct site analysis
Engage the Qualys TAM
Assess → Analyze → Remediate → Validate
“DO” The Global VM Program Deployment
Roll out in regions:
► Americas
► Europe/Africa
► Asia Pacific
Set up training
Ship appliances
Install the appliance
Test & validate scanning
Resolve scanning issues
“DO” The Global VM Program Deployment
Implement operational VM scanning
Generate operational reports
Implement or improve the patching process
Implement a remediation framework
“CHECK” The Global VM Program Implementation
Weekly regional collaboration
Set up compliance & audit reporting
Monitor & track activity
Get feedback from local offices
Develop VM metrics
Set up global administrative & operational support
“ACT” The Global VM Program Implementation
Refine standards & processes
Initiate Global VM program improvements
Initiate Web Application Scanning & Policy Compliance
Communicate progress to stakeholders & partners
TFS’ Global VM Program
Global Management & Administration
Regional Management & Administration
Local administration & operations
Keys to Success
Global leadership sponsorship: Global Security, Risk, & IT
Communicate, communicate, communicate: corporate, regional, & individual countries
QualysGuard solution: fully functional, rapid deployment, scalable, reliable, low maintenance
T-E-A-M-W-O-R-K: horizontally & vertically
Plan-Do-Check-Act: continuous improvement & respect for people
THANK YOU! QUESTIONS?
Agenda (speaker notes)
Why protect the brand? Sony, Target, Nordstrom’s, TJ Maxx, Citibank, Google, Yahoo: what do these companies have in common?
Toyota: quality, customer loyalty
What keeps up our CEO, CIO, & CISO? Incident response. It’s not a matter of if but when.
Road map to global deployment (speaker notes)
Key points
RFP evaluation, proof of concept
Selection and contract negotiations
Global drivers
► Cultural change
Scoping & planning
► 34 SFCs not connected or integrated
► Vulnerabilities, websites, compliance
► Deployment plan
Global team – Qualys Technical Account Manager (TAM); regional teams
Global policies, standards & baselines
Communications with each SFC (country)
► Small deployments, no dedicated security
Average of three months for testing
Deployment plan: Map, vuln scan, authentication, WAS, PC
Qualys business unit / asset group / asset tag structure
Physical versus virtual scanners: pros/cons
Resistance from IT, developers
Global administration – collaboration; leveraging tools for security SDLC (WAS & VM scanning), operational scans, patch management, baseline configurations
SIEM integration, CMDB
Prioritize patching
Authentication, firewalls
Overlapping IPs
KRI – define risk; risk management
International vulnerabilities
Analysis of vulnerabilities, discovery of assets; printers, VOIP, cameras, etc.
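Two of the key points above, "Overlapping IPs" and "Prioritize patching", together with the Assess → Analyze → Remediate → Validate loop the deck is built around, are worth seeing in code. The following is an added example written for this page; it is not the presenter's tooling and does not use the Qualys API. It models what a global VM program has to get right when 34 offices were never integrated: the same RFC1918 address can exist in several countries, so an asset must be identified by a composite key (business unit, site, IP) that mirrors a business-unit / asset-group / tag hierarchy, never by IP alone; otherwise one site's patch would be credited to another site's host on the validation rescan. The sample findings, check IDs, hostnames, scoring weights and the `TODAY` reference date are all constructed for illustration.

```python
"""
Added example (not from the presentation): a minimal model of the
Assess -> Analyze -> Remediate -> Validate loop for a multi-site VM program.
Assets are keyed by (business unit, site, IP) so overlapping RFC1918
ranges in different countries are never merged. Findings are ranked by
severity, exposure and age to produce a remediation queue, and a rescan
is diffed against the baseline to validate closure per asset.
All field names, scores and sample findings are constructed; they are
not Qualys data or the Qualys API.
"""
from collections import defaultdict
from datetime import date

# Constructed "now" used for the age component of the score.
TODAY = date(2014, 3, 1)

# Constructed sample: one finding per row, as a flattened scan export might look.
# (business_unit, site, ip, hostname, check_id, severity 1-5, internet_facing, first_seen)
BASELINE = [
    ("TFS-US", "Torrance", "10.0.0.5", "app01",  "CHK-1001", 5, True,  date(2014, 1, 10)),
    ("TFS-US", "Torrance", "10.0.0.5", "app01",  "CHK-2002", 3, True,  date(2014, 2, 1)),
    ("TFS-JP", "Tokyo",    "10.0.0.5", "fs01",   "CHK-1001", 5, False, date(2014, 1, 20)),
    ("TFS-DE", "Cologne",  "10.0.1.9", "print2", "CHK-3003", 2, False, date(2013, 11, 1)),
]
# Constructed rescan: the Americas team patched CHK-1001 on app01, Tokyo's
# 10.0.0.5 is still open, and a new finding appeared on the Cologne printer.
RESCAN = [
    ("TFS-US", "Torrance", "10.0.0.5", "app01",  "CHK-2002", 3, True,  date(2014, 2, 1)),
    ("TFS-JP", "Tokyo",    "10.0.0.5", "fs01",   "CHK-1001", 5, False, date(2014, 1, 20)),
    ("TFS-DE", "Cologne",  "10.0.1.9", "print2", "CHK-3003", 2, False, date(2013, 11, 1)),
    ("TFS-DE", "Cologne",  "10.0.1.9", "print2", "CHK-4004", 4, False, date(2014, 2, 25)),
]


def asset_key(row):
    """Composite asset identity. IP alone would merge Torrance and Tokyo 10.0.0.5."""
    bu, site, ip = row[0], row[1], row[2]
    return (bu, site, ip)


def group_by_asset(rows):
    """Assess: index findings per asset key -> {check_id: row}."""
    assets = defaultdict(dict)
    for row in rows:
        assets[asset_key(row)][row[4]] = row
    return assets


def priority_score(row, today=TODAY):
    """Analyze: constructed scoring. Severity dominates, Internet exposure
    doubles it, and every 30 days open adds a point so old findings do not sink."""
    severity, internet_facing, first_seen = row[5], row[6], row[7]
    score = severity * 10
    if internet_facing:
        score *= 2
    score += (today - first_seen).days // 30
    return score


def remediation_queue(rows, today=TODAY):
    """Analyze: ordered list of (score, bu, site, ip, check_id), highest first."""
    queue = [(priority_score(r, today), r[0], r[1], r[2], r[4]) for r in rows]
    queue.sort(key=lambda t: (-t[0], t[1], t[2], t[3], t[4]))
    return queue


def validate(baseline_rows, rescan_rows):
    """Validate: diff two scans per asset. A finding closes only when the
    same asset key no longer reports it, so closure on one site's 10.0.0.5
    is never credited to another site's 10.0.0.5."""
    before, after = group_by_asset(baseline_rows), group_by_asset(rescan_rows)
    result = {"remediated": [], "open": [], "new": []}
    for key in set(before) | set(after):
        b, a = set(before.get(key, {})), set(after.get(key, {}))
        result["remediated"] += [key + (c,) for c in sorted(b - a)]
        result["open"] += [key + (c,) for c in sorted(b & a)]
        result["new"] += [key + (c,) for c in sorted(a - b)]
    for status in result:
        result[status].sort()
    return result


def count_distinct_assets(rows):
    """Sanity check for overlapping IPs: (distinct composite keys, distinct bare IPs)."""
    keys = {asset_key(r) for r in rows}
    ips = {r[2] for r in rows}
    return len(keys), len(ips)


if __name__ == "__main__":
    print("assets vs bare IPs:", count_distinct_assets(BASELINE))
    for entry in remediation_queue(BASELINE):
        print(entry)
    for status, items in validate(BASELINE, RESCAN).items():
        print(status, items)
```

The `count_distinct_assets` check is the one to run first after each regional rollout: if it reports fewer composite keys than the site inventory expects, tagging is wrong and every downstream metric (open findings per region, time to remediate) is being computed on merged hosts. The scoring weights are deliberately simple; in practice the KRI definition from the notes would replace them, but the composite key and the per-asset diff are what make the Validate step trustworthy regardless of how findings are ranked.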