Source: ilta.personifycloud.com/.../1878011/lss_vuln_mgt.pdf (2014)
-
Vulnerability Management
If you only budget for one project this year...
-
Lombard, IL
September 12, 2014
William Kyrouz, Senior Manager, Information Security & Governance, Bingham McCutchen
Nathaniel McInnis, Information Security Lead, Risk Management & Compliance, Sidley Austin
Jeff Hanson, Information Security Manager, McGuireWoods
-
Agenda
Why do I need this stuff?
Compliance with NIST, ISO, SANS and clients oh my!
Vulnerability Management On The Cheap
Taking it to the next level…
Enterprise Class
Lessons Learned
Now what?
-
Compliance: NIST, ISO, SANS and Clients oh my!
SANS Institute Critical Security Controls 1 through 4:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
Source: http://www.sans.org/critical-security-controls
-
Compliance: NIST, ISO, SANS and Clients oh my!
NIST Framework for Improving Critical Infrastructure Cybersecurity
● ID.AM-1: Physical devices and systems within the organization are inventoried
● ID.AM-2: Software platforms and applications within the organization are inventoried
● ID.RA-1: Asset vulnerabilities are identified and documented
● ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
ISO 27001 A.12.6.1 - Management of technical vulnerabilities
Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
-
Vulnerability Management On The Cheap
Free: OpenVAS (use on BackTrack/Kali), Nmap
Inexpensive: Nessus Professional Feed ($1500)
Leverage What You Already Own: SCCM, WSUS – learn how to query them
-
Vulnerability Management On The Cheap
Limitations of the free/cheap solutions:
● Possible licensing restrictions - read carefully
● Enterprise level support may not be available
● Reporting is usually not as robust
● Lack of centralized management
-
Taking It To The Next Level
Meaningful report = management support
● Windows 7 machines with high/critical vulns & patch > 90 days old
● Heartbleed vulnerable systems
● Time to 95% patch compliance
You are now an interpreter
● Clean up the clutter - false positives and other useless info
● Remediation procedures - don't just throw it over the wall
● How often should I scan?
● Get others involved
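The report items above (Windows 7 machines with high/critical vulns whose patch is more than 90 days old, and time to 95% patch compliance) computed from scanner findings, as an added Python example that is not part of the presentation; the host names, finding names and dates are constructed sample data, and one row per host per finding is assumed.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    """One scanner finding: a vulnerability observed on one host."""
    host: str
    os: str
    severity: str               # "critical", "high", "medium" or "low"
    name: str                   # vulnerability / patch identifier as the scanner reports it
    patch_released: date        # date the vendor fix became available
    remediated: Optional[date]  # date the finding stopped appearing in scans; None = still open

# Constructed sample findings (hypothetical hosts, identifiers and dates, not real scan output).
FINDINGS = [
    Finding("ws-001", "Windows 7", "critical", "KB-EXAMPLE-A", date(2014, 5, 1), None),
    Finding("ws-002", "Windows 7", "high", "KB-EXAMPLE-B", date(2014, 8, 1), None),
    Finding("ws-003", "Windows 7", "critical", "KB-EXAMPLE-A", date(2014, 5, 1), date(2014, 6, 1)),
    Finding("ws-004", "Windows 8.1", "critical", "KB-EXAMPLE-A", date(2014, 5, 1), None),
    Finding("srv-01", "Linux", "critical", "Heartbleed", date(2014, 4, 8), date(2014, 4, 10)),
    Finding("srv-02", "Linux", "critical", "Heartbleed", date(2014, 4, 8), date(2014, 4, 15)),
    Finding("srv-03", "Linux", "critical", "Heartbleed", date(2014, 4, 8), date(2014, 5, 20)),
    Finding("srv-04", "Linux", "critical", "Heartbleed", date(2014, 4, 8), None),
]
AS_OF = date(2014, 9, 12)  # report date (constructed)

def stale_hosts(findings, as_of, os_name="Windows 7", max_age_days=90):
    """Hosts running os_name with an open high/critical finding whose fix is older than max_age_days."""
    hosts = set()
    for f in findings:
        if f.os != os_name or f.severity not in ("critical", "high") or f.remediated is not None:
            continue
        if (as_of - f.patch_released).days > max_age_days:
            hosts.add(f.host)
    return sorted(hosts)

def days_to_compliance(findings, name, target=0.95):
    """Days from fix release until `target` share of affected hosts had remediated `name`.
    Returns None while the target has not been reached (still-open hosts never count)."""
    affected = [f for f in findings if f.name == name]
    if not affected:
        return None
    needed = math.ceil(target * len({f.host for f in affected}))
    done = sorted(f.remediated for f in affected if f.remediated is not None)
    if len(done) < needed:
        return None
    return (done[needed - 1] - affected[0].patch_released).days

if __name__ == "__main__":
    print("Windows 7 hosts with stale high/critical patches:", stale_hosts(FINDINGS, AS_OF))
    print("Days to 75% Heartbleed remediation:", days_to_compliance(FINDINGS, "Heartbleed", 0.75))
    print("Days to 95% Heartbleed remediation:", days_to_compliance(FINDINGS, "Heartbleed"))
```

With the sample data the 95% Heartbleed target is never reached because one host is still open, which is exactly the kind of gap a management report should surface rather than hide.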
-
Enterprise Class
Do you know all the devices connected to your Firm's network?
What operating systems (Windows, Mac, Linux, iOS, etc.)?
Heartbleed impact on appliances?
Software installations – inc. obsolete and vulnerable versions
Vulnerability Management = Validation of your patching processes
Do end users have the local administrator rights to install applications?
-
The Great Debate
Authenticated or Unauthenticated scans against devices on your network?
Authenticated:
● Fewer vulnerability false positives
● Less intrusive on the devices
Unauthenticated:
● "See what attackers see" mentality
● Security team doesn't need admin credentials
Vulnerability Management != Penetration Testing
Should not be performed as a "black box" test
-
Enterprise Class: Covering the Network
Which network segments to scan? Office Data, Voice, DMZ, Server, Storage
Does your network team keep you informed of changes?
● New office
● Office expansion
● Network range expansion (/24 vs. /23)
-
Enterprise Class: Covering the Network
Prioritize your targets:
● Microsoft devices, Internet facing
● Infrastructure
  ○ LAN/WAN, Firewalls
  ○ SAN/NAS
● Non-Microsoft servers, Appliances
● Print devices
● Web applications (if applicable)
Prioritize remediation:
● High priority vulnerabilities
● Use automated reporting when cloning yourself fails
-
Security Team Reporting & Analysis
Extended analysis capabilities outside of spreadsheets
-
Security Team Reporting & Analysis
-
Remediation Tracking
Create tickets in your internal IT ticketing tool
Used for the start and end dates the vulnerability was in your environment
Email is unreliable as vulnerability information is constantly changing
Don’t just give the “CVE” number / Vulnerability Description!
-
Remediation Tracking
Building alliances is key: Server Teams, Application Teams, Deskside Support
Determine what level of detail they need to support vulnerability remediation tickets
Some want more information, some want less (some want a regular discussion)
-
Management Dashboards
-
Key Performance Indicators
-
Lessons Learned
Do you really know how many IPs are on your network? (Licensing)
Devices to scan with particular caution: print devices, firewalls (at or through)
More local scanners:
● Lower latency = faster results
● Handling the DMZ
● Network traffic monitoring / IDS-like functionality
You will collect a LOT of data, don’t digest all at once
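The scope questions from the Covering the Network slides (network range expansion, e.g. /24 vs. /23) and the licensing question above, as an added Python example that is not from the presentation: it reconciles the ranges the network team routes against the scanner's configured targets, generalised to any number of nested or disjoint IPv4 CIDR blocks. The address ranges are constructed sample data.

```python
import ipaddress

# Constructed sample ranges (hypothetical RFC 1918 space, not a real network).
ROUTED = ["10.10.0.0/23", "10.20.5.0/24", "192.168.50.0/24"]  # what the network team routes
SCANNED = ["10.10.0.0/24", "10.20.5.0/24", "172.16.9.0/24"]   # what the scanner is configured for

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def uncovered(routed, scanned):
    """Routed address blocks that no scan target covers, as collapsed CIDR strings."""
    remaining = _nets(routed)
    for s in _nets(scanned):
        nxt = []
        for r in remaining:
            if r.subnet_of(s):            # scan target covers this block entirely: drop it
                continue
            if s.subnet_of(r):            # scan target sits inside the block: carve it out
                nxt.extend(r.address_exclude(s))
            else:                         # CIDR blocks either nest or are disjoint
                nxt.append(r)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

def stale_targets(routed, scanned):
    """Scan targets overlapping nothing the network team routes (wasted scanner licenses)."""
    routed_nets = _nets(routed)
    return [str(s) for s in _nets(scanned) if not any(s.overlaps(r) for r in routed_nets)]

def address_counts(routed, scanned):
    """(addresses routed, addresses configured for scanning): the licensing question."""
    return (sum(n.num_addresses for n in _nets(routed)),
            sum(n.num_addresses for n in _nets(scanned)))

if __name__ == "__main__":
    print("Routed but never scanned:", uncovered(ROUTED, SCANNED))
    print("Scanned but no longer routed:", stale_targets(ROUTED, SCANNED))
    print("Routed vs. scanned address count:", address_counts(ROUTED, SCANNED))
```

Run it against the network team's current range list whenever they announce an expansion; the /23 in the sample shows the half of a grown range that a /24 scan target silently misses.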
-
Lessons Learned
Use it to document your network; leverage features like dynamic asset lists to group by:
● Site
● Operating system
● Telecom devices
● Devices with broken AV
● "Fragile" devices that you don't scan as often
-
Now what?
DO try this at home (and at work, but be careful): try a free scanner
Vendors to consider:
● Tenable Network Security (Nessus/SecurityCenter)
● Qualys
● Rapid7
● Tripwire
● BeyondTrust (Retina)
● SAINTscanner
● Lumension
-
We’ll now open it up for questions
Questions
-
Thank You
Jeff Hanson - jhanson@mcguirewoods.com
Nathaniel McInnis - nmcinnis@sidley.com
William Kyrouz - wkyrouz@bingham.com or Twitter @Kyrouz