Vulnerability Management Explained By Peter Benson
By the Numbers…
• 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months. (But 41% did not report the incident to authorities.) — BusinessWeek from PricewaterhouseCoopers/CIO Magazine study
• 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center
• 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT
• $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g

Why Vulnerability Management?
• Building a strong program based on mitigating known vulnerabilities has transformed from a security centric process to an operational necessity for business success.
• The root cause of the problem is the existence of vulnerabilities in the corporate network.
• Vulnerability Management, the discovery of vulnerabilities and assessment of the risk to the network, is a critical part of the business landscape for long term success.

Why Vulnerability Management?
• Patch Management is ineffective and inefficient.
• The most intelligent equation is investing in a vulnerability management process that allows you to automatically and cost-effectively determine whether to eliminate, mitigate or tolerate threats based upon risk and the cost associated with repair.

What is Vulnerability Management?
• Dynamic best practices (Yankee Group, 2004)
  • Classify. Assign network resources a hierarchy based on criticality
  • Measure. Assess security performance in reducing exposures to key vulnerabilities
  • Integrate. Vulnerability Management bolsters effectiveness of patch management, configuration control, and early warning.
  • Audit. Regularly audit the effectiveness of integrated vulnerability processes

The Law of Half Life
• Lessons learned:
  • You can’t patch them all at once
  • Mitigate more than the remaining half of the vulnerabilities over the next month
  • Improve the reduction in risk in the enterprise by shrinking the half life to less than 30 days
• Best practices: Patch within 21 days for critical systems, and a rollout procedure to other assets based on their priority level

The Law of Prevalence
• Lessons Learned:
  • New critical vulnerabilities occur throughout the year
  • Half of the vulnerabilities still exist in the network a year later
  • Vulnerability Management is a never-ending process
• Best Practices: Continually test assets for weaknesses, test critical assets a minimum of every 5 – 10 days. This frequency may need to increase

The Law of Persistence
• Lessons Learned:
  • Scan configurations of new equipment to be sure they do not reintroduce old vulnerabilities to the network
  • Be alert for vulnerabilities that may be lurking in application code
• Best practices: Continually test assets to uncover reintroduced weaknesses. Scan critical assets a minimum of every 5 – 10 days. This is an ongoing process

The Law of Exploitation
• Lessons Learned:
  • Keep an eagle eye on key vendors for early warnings of available patches for critical resources
  • Make a team decision on when to patch
  • Integrate with automated patch management and configuration control systems. Verify the patch has eliminated the weakness
  • Be prepared to scan for vulnerabilities on an attack basis

Dynamic Best Practice - Classify
• Classify network resources
• Tier the hierarchy of assets by value to the business

Dynamic Best Practice - Measure
• Measure your network against the half life and persistence curves
• Measure team performance by the half life results and the treatment of the persistence law
• Use gathered metrics to communicate the security problem to Senior Management

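An added example, not part of the original slides, of the measurement that the Law of Half Life and the Measure slide call for: it computes the remediation half life per asset tier from scan findings and lists critical findings past the 21-day patch window. The sample findings, the tier names and the reading of half life as the number of days until half of a tier's detected findings are remediated are assumptions of this example.

```python
from datetime import date
from math import ceil

# Constructed sample: (asset tier, first detected, remediated or None if still open).
FINDINGS = [
    ("critical", date(2004, 3, 1), date(2004, 3, 9)),
    ("critical", date(2004, 3, 1), date(2004, 3, 19)),
    ("critical", date(2004, 3, 1), date(2004, 4, 2)),
    ("critical", date(2004, 3, 1), None),
    ("standard", date(2004, 3, 1), date(2004, 3, 25)),
    ("standard", date(2004, 3, 1), date(2004, 4, 20)),
    ("standard", date(2004, 3, 1), None),
    ("standard", date(2004, 3, 1), None),
    ("standard", date(2004, 3, 1), None),
]
HALF_LIFE_TARGET_DAYS = 30  # slide: shrink the half life to less than 30 days
CRITICAL_PATCH_DAYS = 21    # slide: patch within 21 days for critical systems


def half_life_days(findings, tier, as_of):
    """Days until half of a tier's findings were fixed; None if not reached yet."""
    rows = [(d, f) for t, d, f in findings if t == tier]
    ages = sorted((f - d).days for d, f in rows if f is not None and f <= as_of)
    needed = ceil(len(rows) / 2)  # open findings stay in the denominator
    return ages[needed - 1] if rows and len(ages) >= needed else None


def overdue_critical(findings, as_of):
    """Ages (days) of critical findings fixed late or still open past the window."""
    late = []
    for tier, detected, fixed in findings:
        end = fixed if fixed is not None and fixed <= as_of else as_of
        if tier == "critical" and (end - detected).days > CRITICAL_PATCH_DAYS:
            late.append((end - detected).days)
    return late


def report(findings, as_of):
    """Per tier: (half life in days, whether it beats the 30-day target)."""
    result = {}
    for tier in sorted({t for t, _, _ in findings}):
        hl = half_life_days(findings, tier, as_of)
        result[tier] = (hl, hl is not None and hl < HALF_LIFE_TARGET_DAYS)
    return result


if __name__ == "__main__":
    print(report(FINDINGS, date(2004, 5, 1)))
    print(overdue_critical(FINDINGS, date(2004, 5, 1)))
```

A tier whose half life comes back as `None` has not yet had half of its findings remediated, which is the case to raise with management first.
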
Dynamic Best Practice - Integrate
• Integrate with discovery systems such as network integrity systems
• Integrate with patch management systems to confirm completion of the task
• Integrate into management reporting portals. Take the mystery out of security.

Dynamic Best Practice - Audit
• Evaluate actual vulnerability management results against targeted metrics
• Regularly review vulnerability management reports with the security teams
• Measure the performance of security teams by the reduction of critical vulnerabilities

Vulnerability Management Business Models
[Figure: Model 1 and Model 2]