Effective Enterprise Vulnerability Management.
Minimizing Risk by Implementing Vulnerability Management Process
Samwel Orwa ITILv3, CISA, CISM, CRISC, QualysGuard Certified
After Hours Seminar, 26.6.2012, ISACA Switzerland Chapter
Agenda
1. The Problem
2. What is Vulnerability Management?
3. Challenges to Effective VM
4. Vulnerability Management Lifecycle
5. Successful Approaches
The Problem
Organizations are Feeling the Pain
1. What causes the damage?
   95% of breaches target known vulnerabilities
2. How do you prevent the damage? What are your options?
   RISK = Assets x Vulnerabilities x Threats
   You can control vulnerabilities.
3. How do you successfully deal with vulnerabilities?
   Vulnerabilities
   Business complexity
   Human resources
   Financial resources
4. How do you make the best security decisions?
   Focus on the right assets, right threats, right measures.
Vulnerability Management – The Enterprise Today
Mountains of data, many stakeholders
How do you collect & protect all the data necessary to secure your network and comply with critical regulations?
Data sources:
• Router logs
• IDS/IDP logs
• VPN logs
• Firewall logs
• Switch logs
• Windows logs
• Client & file server logs
• Wireless access logs
• Windows domain logins
• Oracle Financial logs
• SAN file access logs
• VLAN access & control logs
• DHCP logs
• Linux, Unix, Windows OS logs
• Mainframe logs
• Database logs
• Web server activity logs
• Content management logs
• Web cache & proxy logs
• VA scan logs
Security needs served by that data:
• Unauthorized service detection
• IP leakage
• Configuration control / lockdown enforcement
• False positive reduction
• Access control enforcement / privileged user management
• Malicious code detection / spyware detection
• Real-time monitoring / troubleshooting
• User monitoring
• SLA monitoring
What Is Vulnerability Management?
A process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.
Challenges to Effective VM
Challenges – Assessment
• Traditional desktop scanners cannot handle large networks
• They produce volumes of useless checks
• Confidentiality: scan data is stored outside the organization's legal residence
• Chopping up scans and distributing them is cumbersome
• Garbage In, Garbage Out (GIGO) – volumes of superfluous data
• Coverage at all OSI layers is inadequate
• Time consuming and resource intensive
• Finding the problem is only half the battle
Challenges – Analysis
• Manual and resource-intensive process to determine
  – What to fix
  – If you should fix
  – When to fix
• No correlation between vulnerabilities, threats and assets
• No way to prioritize which vulnerabilities should be addressed, or in what order
• Stale data – making decisions on last quarter's vulnerabilities
• No credible metrics
Challenges – Remediation
• Security resources are often decentralized
• The security organization often doesn't own the network or system
• Multiple groups may own the asset
• Presenting useful and meaningful information to relevant stakeholders
• Determining if the fix was actually made
Vulnerability Management Lifecycle
Successful Approaches: Implementing An Effective VM Strategy
Network Discovery – Mapping
• Gives a hacker's-eye view of your network
• Enables the detection of rogue devices (Shadow IT)
Vulnerability Management Lifecycle
1. DISCOVERY (Mapping)
2. ASSET PRIORITISATION (and allocation)
3. ASSESSMENT (Scanning)
4. REPORTING (Technical and Executive)
5. REMEDIATION (Treating Risks)
6. VERIFICATION (Rescanning)
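To make steps 1 and 6 of the lifecycle concrete (and the "determining if the fix was actually made" challenge from the remediation slide), here is an added Python example; it is not code from the seminar or from QualysGuard. It compares a mapping run against the asset inventory to surface rogue devices, and compares a baseline scan with a rescan to decide which findings are really fixed. Hosts, check ids and scan results are constructed, and the rule that a finding on a host the rescan could not reach counts as "unverified" rather than "fixed" is the example's own assumption.

```python
"""Discovery and verification steps of the VM lifecycle, run over constructed data.

Added illustration, not code from the seminar. Hostnames, check ids and
scan results below are made up.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str       # scanned host (constructed RFC 1918 addresses below)
    check_id: str   # scanner check identifier (constructed, e.g. "C1")
    port: int
    severity: int   # 1 (informational) .. 5 (urgent)


def find_rogue_devices(inventory: set[str], discovered: set[str]) -> set[str]:
    """Step 1, DISCOVERY: anything answering on the network that the asset
    inventory does not know about is a rogue / shadow-IT device."""
    return discovered - inventory


def verify_remediation(baseline: list[Finding], rescan: list[Finding],
                       rescanned_hosts: set[str]) -> dict[str, set[Finding]]:
    """Step 6, VERIFICATION: compare the rescan with the baseline.

    A finding that disappeared is only 'fixed' if its host was actually
    reached by the rescan; otherwise it is 'unverified' (host down, ACL
    blocked the scanner, ...) and the ticket must stay open.
    """
    before, after = set(baseline), set(rescan)
    fixed: set[Finding] = set()
    unverified: set[Finding] = set()
    for finding in before - after:
        if finding.host in rescanned_hosts:
            fixed.add(finding)
        else:
            unverified.add(finding)
    return {
        "fixed": fixed,
        "unverified": unverified,
        "persisting": before & after,   # remediation did not take, or was never done
        "new": after - before,          # regressions or newly published checks
    }


# --- constructed sample data ---------------------------------------------
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
DISCOVERED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.57"}

BASELINE = [
    Finding("10.0.1.10", "C1", 443, 5),
    Finding("10.0.1.11", "C1", 443, 5),
    Finding("10.0.1.11", "C2", 22, 3),
    Finding("10.0.1.12", "C3", 80, 4),
]
RESCAN = [
    Finding("10.0.1.11", "C2", 22, 3),      # C2 is still there
    Finding("10.0.1.10", "C4", 3389, 4),    # new finding since the baseline
]
RESCANNED_HOSTS = {"10.0.1.10", "10.0.1.11"}  # 10.0.1.12 was offline during the rescan


if __name__ == "__main__":
    print("rogue devices:", sorted(find_rogue_devices(INVENTORY, DISCOVERED)))
    for bucket, findings in verify_remediation(BASELINE, RESCAN, RESCANNED_HOSTS).items():
        print(f"{bucket:10s}", sorted((f.host, f.check_id) for f in findings))
```

The "unverified" bucket is the part worth keeping in a real process: a host that was simply unreachable on rescan day would otherwise show up as remediated and the finding would be closed without anyone having fixed it.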
Question
1) What is the primary goal of vulnerability assessment?
a. To determine the likelihood of identified risk
b. To assess the criticality of information resources
c. To verify that controls are working as intended
d. To detect known deficiencies in a particular environment
Prioritize Assets
Asset Prioritization
• Identify assets by:
  – Networks
    • Logical groupings of devices
    • Connectivity – none, LAN, broadband, wireless
  – Network devices
    • Wireless access points, routers, switches
  – Operating system
    • Windows, Unix
  – Applications
    • IIS, Apache, SQL Server
  – Versions
    • IIS 5.0, Apache 1.3.12, SQL Server V.7
Correlate Threats
• Not all threat and vulnerability data have equal priority
• Primary goal is to rapidly protect your most critical assets
• Identify threats
  – Worms
  – Exploits
  – Wide-scale attacks
  – New vulnerabilities
• Correlate with your most critical assets
• Result = prioritization of vulnerabilities within your environment
Determine Risk Level
Remediation / Resolution
• Perfection is unrealistic (zero vulnerabilities)
  – Think credit card fraud – will the banks ever eliminate credit card fraud?
• You have limited resources to address issues
• The question becomes:
  – Do I address or not?
• Factor in the business impact costs + remediation costs
  – If the risk outweighs the cost – eliminate or mitigate the vulnerability!
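Pulling together the RISK = Assets x Vulnerabilities x Threats formula, the threat correlation step and the eliminate / mitigate / tolerate decision, here is an added Python example; it is not code from the seminar or from any scanner product. It ranks constructed findings by a relative risk score, boosts those matched by a threat feed, and then compares expected loss (business impact cost times an assumed likelihood) with remediation cost to pick a treatment. The asset names, vulnerability ids, costs, threat weights and likelihood table are all assumptions, and the score is only a relative ranking, as the deck itself says.

```python
"""Prioritisation and remediation decision over constructed scan data.

Added illustration, not code from the seminar. The weights, likelihood
table, asset names, vulnerability ids and costs are all assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int     # 1 (lab box) .. 5 (core business system)
    impact_cost: float   # assumed cost of a compromise of this asset


@dataclass(frozen=True)
class Vuln:
    asset: str
    vuln_id: str              # constructed ids, not real advisories
    severity: int             # 1..5 as reported by the scanner
    remediation_cost: float   # assumed cost to patch, rebuild or reconfigure
    patch_available: bool


@dataclass(frozen=True)
class PlanItem:
    asset: str
    vuln_id: str
    score: int
    decision: str   # "eliminate", "mitigate" or "tolerate"


# Threat correlation input: ids with a worm, public exploit or wide-scale
# attack in circulation (constructed list standing in for a threat feed).
ACTIVE_THREATS = {"V-2012-0001", "V-2012-0007"}

THREAT_WEIGHT = {True: 3, False: 1}                          # assumed
LIKELIHOOD = {1: 0.02, 2: 0.05, 3: 0.10, 4: 0.25, 5: 0.50}   # assumed, per severity


def risk_score(asset: Asset, vuln: Vuln) -> int:
    """RISK = Assets x Vulnerabilities x Threats, as a relative score."""
    threatened = vuln.vuln_id in ACTIVE_THREATS
    return asset.criticality * vuln.severity * THREAT_WEIGHT[threatened]


def decide(asset: Asset, vuln: Vuln) -> str:
    """Eliminate, mitigate or tolerate: compare expected loss with remediation cost."""
    threatened = vuln.vuln_id in ACTIVE_THREATS
    likelihood = min(1.0, LIKELIHOOD[vuln.severity] * THREAT_WEIGHT[threatened])
    expected_loss = asset.impact_cost * likelihood
    if expected_loss <= vuln.remediation_cost:
        return "tolerate"        # the risk does not outweigh the cost
    return "eliminate" if vuln.patch_available else "mitigate"   # mitigate = compensating control


def build_plan(assets: dict[str, Asset], findings: list[Vuln]) -> list[PlanItem]:
    """Ordered work list: highest relative risk first, each with its treatment decision."""
    items = [
        PlanItem(v.asset, v.vuln_id,
                 risk_score(assets[v.asset], v), decide(assets[v.asset], v))
        for v in findings
    ]
    return sorted(items, key=lambda i: i.score, reverse=True)


# --- constructed sample data ---------------------------------------------
ASSETS = {
    "erp-db": Asset("erp-db", 5, 500_000),
    "intranet-wiki": Asset("intranet-wiki", 2, 20_000),
    "lab-vm": Asset("lab-vm", 1, 1_000),
}
FINDINGS = [
    Vuln("erp-db", "V-2012-0001", 5, 8_000, True),
    Vuln("erp-db", "V-2012-0003", 2, 30_000, True),
    Vuln("intranet-wiki", "V-2012-0007", 4, 2_000, False),
    Vuln("lab-vm", "V-2012-0001", 5, 500, True),
]

if __name__ == "__main__":
    for item in build_plan(ASSETS, FINDINGS):
        print(f"{item.score:3d}  {item.decision:9s}  {item.asset:14s} {item.vuln_id}")
```

Two things the sample data is built to show: the same vulnerability id lands at very different positions on the list depending on the asset it sits on, and a finding on the most critical asset can still end up as "tolerate" when nothing in the threat feed points at it and the fix costs more than the expected loss.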
Measure
• Current state of security metrics
  – You can't manage what you can't measure
  – No focus on quantifying "Security"
• What is my real risk?
  – Only a relative scale of risk, not an absolute
  – Return on Security Investment (ROSI) is extremely difficult to calculate
  – No accountability in security
Scanner Appliance Architecture
QualysGuard – Global Cloud Architecture