
Page 1

A Global Vulnerability Management Program to Protect the Global Brand

Myles Higa, Vulnerability Management Lead
Toyota Financial Services Information Security
[email protected]

Feb. 2014, Qualys - RSA Conference 2014

Page 2

For hackers, Big Brands are …

Page 3

Page 4

TFS’ Global VM Strategy & Approach

• Incorporate the global VM program on the global security roadmap
• Implement an operational and managerial VM program in all offices worldwide
• Adapt Toyota’s Kaizen Principles
  ► Plan-Do-Check-Act: Continuous improvement
  ► Respect for people

[PDCA cycle diagram: Plan, Do, Check, Act]

Page 5

“PLAN” The Global VM Program Initiative

• Set the global program objectives
• Scope the global program
• Identify key sponsors and stakeholders
• Prepare the business plan
• Obtain corporate leadership approval

[Cycle diagram: Assess, Analyze, Remediate, Validate]

Page 6

“PLAN” The Global VM Program Project

• Establish the T-E-A-M
• Prepare the plan
• Solicit & evaluate alternative solutions
• Select solution & consummate the contract
• Define the requirements
  ► Scan at 34 offices
  ► Global & regional reporting
  ► Easy deployment & administration
• Clarify the problem

Page 7

“DO” The Global VM Program Deployment

• Develop the global deployment plan
• Execute a pilot deployment
• Set up the global subscription in QualysGuard
• Develop standards & procedures
• Conduct site analysis
• Engage the Qualys TAM

[Cycle diagram: Assess, Analyze, Remediate, Validate]

Page 8

“DO” The Global VM Program Deployment

• Roll out in regions
• Set up training
• Ship appliances
• Install the appliance
• Test & validate scanning
• Resolve scanning issues

Regions: Americas; Europe/Africa; Asia Pacific

Page 9

“DO” The Global VM Program Deployment

• Generate operational reports
• Implement operational VM scanning
• Implement or improve the patching process
• Implement a remediation framework

Page 10

“CHECK” The Global VM Program Implementation

• Weekly regional collaboration
• Set up compliance & audit reporting
• Monitor & track activity
• Get feedback from local offices
• Develop VM metrics
• Set up global administrative & operational support

Page 11

“ACT” The Global VM Program Implementation

• Refine standards & processes
• Initiate Global VM program improvements
• Initiate Web Application Scanning & Policy Compliance
• Communicate progress to stakeholders & partners

Page 12

TFS’ Global VM Program

• Global Management & Administration
• Regional Management & Administration
• Local administration & operations

Page 13

Keys to Success

• Global leadership sponsorship
  ► Global Security, Risk, & IT
• Communicate, communicate, communicate
  ► Corporate, regional, & individual countries
• QualysGuard Solution
  ► Fully functional, rapid deployment, scalable, reliable, low maintenance
• T-E-A-M-W-O-R-K
  ► Horizontally & vertically
• Plan-Do-Check-Act
  ► Continuous improvement & respect for people

Page 14

THANK YOU! QUESTIONS?

Page 15

Agenda

• Why protect the Brand?
  ► Sony, Target, Nordstrom's, TJ Maxx, Citibank, Google, Yahoo
  ► What do these companies have in common?
• Toyota
  ► Quality, customer loyalty,
• What keeps up our CEO, CIO, & CISO?
  ► Incident response
  ► It's not a matter of if but when
15 3/14/14

Page 16

Road map to global deployment: Key points

• RFP
  ► Evaluation, proof of concept
  ► Selection and contract negotiations
  ► Global drivers
  ► Cultural change
• Scoping & Planning
  ► 34 SFCs not connected or integrated
  ► Vulnerabilities, websites, compliance
  ► Deployment plan
• Global Team – Qualys Technical Account Manager (TAM); regional teams
• Global policies, standards & baselines
• Communications with each SFC (country)
  ► Small deployments, no dedicated security
• Average of three months for testing
• Deployment plan: Map, vuln scan, authentication, WAS, PC
• Qualys business unit / asset group / asset tag structure
• Physical versus virtual scanners: Pros/Cons
• Resistance from IT, developers
• Global administration – collaboration; leveraging tools for security
• SDLC (WAS & VM scanning), operational scans, patch management, baseline configurations
• SIEM integration, CMDB
• Prioritize patching
• Authentication, firewalls
• Overlapping IPs
• KRI – Define risk; risk management
• International vulnerabilities
• Analysis of vulnerabilities, discovery of assets; printers, VOIP, cameras, etc.

16 3/14/14
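The road map notes flag overlapping IPs across SFCs, the Qualys business unit / asset group / asset tag structure, global versus regional reporting and patch prioritization. The Python below is an added illustration, not TFS or Qualys code: on constructed findings where two offices reuse 10.1.2.3, it shows that keying assets by IP alone under-counts, while a tag-aware key (business unit, SFC, IP) gives correct regional roll-ups and a patch order. The bu/sfc/qid field names and the 1-5 severity scale are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample scan findings (not TFS data). Two SFCs reuse the same RFC 1918
# space, so 10.1.2.3 exists in both the US and the UK office: the "overlapping IPs"
# problem from the notes. bu/sfc stand in for the Qualys business unit / asset group /
# asset tag structure; "qid" is a hypothetical finding id; severity is assumed 1-5.
FINDINGS = [
    {"bu": "Americas", "sfc": "TFS-US", "ip": "10.1.2.3", "qid": 1, "severity": 5},
    {"bu": "Americas", "sfc": "TFS-US", "ip": "10.1.2.3", "qid": 2, "severity": 3},
    {"bu": "Europe/Africa", "sfc": "TFS-UK", "ip": "10.1.2.3", "qid": 1, "severity": 5},
    {"bu": "Europe/Africa", "sfc": "TFS-UK", "ip": "10.1.2.5", "qid": 2, "severity": 3},
    {"bu": "Asia Pacific", "sfc": "TFS-JP", "ip": "10.1.2.4", "qid": 3, "severity": 4},
]


def asset_key(finding, tag_aware=True):
    """Identity of a host. IP alone merges the US and UK hosts at 10.1.2.3;
    the tag-aware key (business unit, SFC, IP) keeps them distinct."""
    if tag_aware:
        return (finding["bu"], finding["sfc"], finding["ip"])
    return finding["ip"]


def asset_count(findings, tag_aware=True):
    """Number of distinct assets the findings cover under the chosen key."""
    return len({asset_key(f, tag_aware) for f in findings})


def regional_report(findings, min_severity=4):
    """Findings at or above min_severity and distinct affected assets,
    rolled up per business unit (region) and as a GLOBAL total."""
    counts, assets = Counter(), defaultdict(set)
    for f in findings:
        if f["severity"] < min_severity:
            continue
        for bucket in (f["bu"], "GLOBAL"):
            counts[bucket] += 1
            assets[bucket].add(asset_key(f))
    return {b: {"findings": counts[b], "assets": len(assets[b])} for b in counts}


def patch_priority(findings):
    """Order assets for patching: highest severity first, then most open findings.
    Because the key is tag-aware, the two 10.1.2.3 hosts are ranked separately."""
    worst, open_count = {}, Counter()
    for f in findings:
        k = asset_key(f)
        worst[k] = max(worst.get(k, 0), f["severity"])
        open_count[k] += 1
    return sorted(worst, key=lambda k: (-worst[k], -open_count[k], k))
```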