Is Your Vulnerability Management Program Keeping Pace with Risks?
DESCRIPTION
To effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks continuously. This is required in order to match or exceed the daily rate of attacks. Why bother to assess your risks every 90 days when new threats are unleashed every day?

See how you can:
• Transform vulnerability discovery from a ‘round robin’ schedule to continuous monitoring for vulnerabilities
• Prioritize vulnerabilities based on exploitability and potential business impact
• Focus remediation efforts and track progress to show a measurable reduction of risk
• Make vulnerability management an essential part of daily change management processes

These slides will include case studies, survey data, and best practices – ideal for IT security practitioners who are considering, or already implementing, next-generation vulnerability management to effectively and measurably mitigate risk.

TRANSCRIPT
Michelle Cobb, VP Marketing, Skybox Security
Ed Mosquera, Security Consultant, Skybox Security
May 2013
Best Practices for Next-Generation Vulnerability Management
© 2013 Skybox Security Inc. 2
Skybox Security Overview
Predictive risk analytics for best decision support
Complete visibility of network and risks
Designed for continuous, scalable operations
Leader in Proactive Security Risk Management
Proven Effective in Complex Network Environments
Vulnerability Management is Not Dead
… It Is Just Not Working
Risk Levels Keep Rising
Compliance, continuous monitoring
Proliferation of mobile, cloud
Protect against financial loss due to cybercrime
Deal with advanced threats, targeted attacks
Need to secure new services and users
Is Your Vulnerability Management Program Keeping Pace?
Then
Now
Find Analyze Fix
2012 Survey Highlights the Vulnerability Discovery Gap
[Chart: scan frequency (cycles / year) versus % of network scanned]
How often do you scan? How much coverage?
Critical systems, DMZ
Scan every 30 days
50-75% of hosts
To keep pace with threats?
Daily updates
90%+ hosts
?
Reasons that respondents don’t scan more often
– We are concerned about disruptions from scanning: 59%
– We don’t have the resources to analyze more frequent scan data: 58%
– We don't have the resources to deal with broader patching activity: 41%
– Some hosts are not scannable due to their use: 34%
– The cost of licenses is prohibitive: 29%
– Unable to gain credentialed access to scan portions of the network: 12%
– We just don’t need to scan more: 5%
Disruptive, Inaccurate Picture of Risk
Challenges with Traditional Scan Approach
Polling Question #1
When you analyze scan data to determine how to remediate vulnerabilities, generally how old is the scan data?
– <5 days
– <15 days
– <30 days
– Older than 30 days
All vulnerabilities in environment
30,000
Identified by scanner
50-75%
Naïve Analysis Results in Costly and Ineffective Remediation
Attack vectors using exploitable vulnerabilities
Patch/Fix
Patching may miss attack vectors
Now
First Generation Vulnerability Management Processes Are No Longer Effective
30-60 days to scan and catalog 75% of vulnerabilities
2-4 weeks to analyse, and still get it wrong
60 days to patch, £200,000 per year
Cycle Time: Typically 2-4 months
New vulnerabilities, threats, changes: Hundreds per day
Result: Risk level never reduced
Find Analyze Fix
Big Disconnect …
Self-Test: What are Your VM Program Challenges?
Discover / Analyse and Prioritise / Mitigate
• How often is vulnerability data collected?
• How much of the network is covered?
• Is scanning disruptive to the business?
• Are you able to find alternatives to patching?
• Do you prioritise by possible business impact?
• Are you considering the network context?
• Is risk level increasing or decreasing over time?
Continuous, Automated, Scalable?
Introduction to Next Generation Vulnerability Management
Discover / Analyse and Prioritise / Mitigate
• Non-disruptive discovery
• Scalable
• Automated analysis
• Risk-based prioritisation
• Using network and security context
• Actionable
• Optimal
• Easy to track
Scalable Program to Address Critical Vulnerabilities Continuously and Efficiently
Vulnerability Discovery: Use the Right Approach for Your Network
Asset Data
Patch Data
Threat Intel.
Active Scanning Non-disruptive
Scan-less Detection
Continuous identification
Relevant vulnerabilities
Infrequent scanning
Large number of vulnerabilities
Main Uses of Skybox Dictionary
Skybox Dictionary
Vulnerability Detector
Attack Simulation
Data Collection into security model
Data normalization (vulnerabilities, IPS signatures)
Product and vulnerability profiling rules
Attack vectors information
Polling Question #2
What approach do you use most often to prioritize patching activities?
– Primarily by risk posed to business assets
– Primarily by vulnerability severity level from the scanner
– Primarily by scope; the number of systems affected by the vulnerability
– Primarily by ease of applying the patch (e.g. patches that could be disruptive applied last)
Skybox Vulnerability and Threat Management
Network Devices Firewalls / IPS
Prioritized
Threats
Remediation
Options
Threat
Reports
Attack Simulation
Threat Correlation
Asset Data
Vulnerability
Data
Threat
Intelligence
Network Modeling Attack
Scenarios
Risk-Based Prioritization
Skybox Data-Driven Approach
Use a Network Model
Firewall Load Balancer
Router IPS Vulnerability
Scanner Patch
System Config
“Scanless” Vulnerability Discovery
Missing Patches
Installed Products
On-going
Synchronization
Normalization & Merging
Hosts, Products, Vulnerabilities,
Patches
The Organizational Assets
Vulnerability
Detector
Configuration
Files, Asset,
Patch, and AV
Managers
Active Scan
Vulnerability Feeds
Vulnerabilities
Hosts
Vulnerability
Scanners
Scanner
Connectors
Finding Exploitable Vulnerabilities
Compromised
Partner
Rogue Admin
Vulnerabilities • CVE 2009-203
• CVE 2006-722
• CVE 2006-490
Internet
Hacker
Predictive Analytics via Attack Simulation
Compromised
Partner
Attack
Simulations
Rogue Admin
Vulnerabilities • CVE 2013-203
• CVE 2012-722
• CVE 2010-490
Internet
Hacker
All vulnerabilities in environment
30,000
Identified vulnerabilities
90+%
Automated Analysis – Attack Surface, Exploitable Attack Vectors, Risks
Prioritize by potential impact
Attack Surface
Patch/Fix
High priority remediation
Actionable Remediation Process, Leveraging Attack Vectors Information
Install security patch on server
Change firewall access rule
Activate signature on IPS
High Level Visibility for Vulnerability Management
Monitor Impact and Risk Metrics over Time
Most Critical
Actions
Vulnerabilities
Threats
Comparison – Old and Next Generation VM
Aspect | Old Generation | Next Generation
Discovery | Scanning Only | Scan-less discovery + scanning
Analysis | Manual; inaccurate | Automated; risk-based
Remediation | Hit & Miss with Patching | Optimal risk mitigation
Scope | Limited to traditional assets | Enterprise-wide program
Automation | Only scanning; Cycle time 2-4 months | From A-Z; Continuous process
Effectiveness | Costly program; little benefits | Optimal Risk Mitigation
In Summary – Steps to Effective Vulnerability Management
Use Risk Analytics to Determine the Exposure
• Know what’s really exploitable in your network
• Rank by business impact, end unnecessary patching
Ensure Frequent & Complete Knowledge of Your Vulnerabilities
• Increase coverage of vulnerability assessment
• Increase frequency of vulnerability discovery
Close the Loop with Optimal Mitigation and Effective Tracking
• Evaluate alternatives to patching
• Verify impact on risk, and track progress
Thank you
www.skyboxsecurity.com
Download the Skybox Vulnerability Management Tool Kit
http://lp.skyboxsecurity.com/O_VulnerabilityManagement.html