
Vulnerability Management Explained

Vulnerability Management Explained. By Peter Benson. By the Numbers….





Presentation Transcript


  1. Vulnerability Management Explained By Peter Benson

  2. By the Numbers…
  • 67% of senior tech executives admit their organization has experienced a security breach in the past 12 months. (But 41% did not report the incident to authorities.) — BusinessWeek, from PricewaterhouseCoopers/CIO Magazine study
  • 99% of security breaches target known vulnerabilities for which there are existing countermeasures. — CERT Coordination Center
  • 150,000+ network security incidents occurred in 2003. The number of reported incidents has been approximately doubling annually since 2000. — CERT
  • $42 billion in economic damages worldwide was inflicted last year due to digital attacks. — mi2g

  3. Why Vulnerability Management?
  • Building a strong program based on mitigating known vulnerabilities has transformed from a security-centric process to an operational necessity for business success.
  • The root cause of the problem is the existence of vulnerabilities in the corporate network.
  • Vulnerability Management, the discovery of vulnerabilities and assessment of the risk to the network, is a critical part of the business landscape for long-term success.

  4. Why Vulnerability Management?
  • Patch Management is ineffective and inefficient.
  • The most intelligent equation is investing in a vulnerability management process that allows you to automatically and cost-effectively determine whether to eliminate, mitigate or tolerate threats based upon risk and the cost associated with repair.

  5. What is Vulnerability Management?
  • Dynamic best practices (Yankee Group, 2004)
  • Classify. Assign network resources to a hierarchy based on criticality
  • Measure. Assess security performance in reducing exposures to key vulnerabilities
  • Integrate. Vulnerability Management bolsters the effectiveness of patch management, configuration control, and early warning.
  • Audit. Regularly audit the effectiveness of integrated vulnerability processes

  6. Laws of Vulnerabilities

  7. The Law of Half Life
  • Lessons learned:
  • You can’t patch them all at once
  • Mitigate more than the remaining half of the vulnerabilities over the next month
  • Improve the reduction in risk in the enterprise by shrinking the half life to less than 30 days
  • Best practices: Patch within 21 days for critical systems, and roll out to other assets based on their priority level

  8. The Law of Prevalence
  • Lessons Learned:
  • New critical vulnerabilities occur throughout the year
  • Half of the vulnerabilities still exist in the network a year later
  • Vulnerability Management is a never-ending process
  • Best Practices: Continually test assets for weaknesses; test critical assets at a minimum every 5–10 days. This frequency may need to increase

  9. The Law of Persistence
  • Lessons Learned:
  • Scan configurations of new equipment to be sure they do not reintroduce old vulnerabilities to the network
  • Be alert for vulnerabilities that may be lurking in application code
  • Best practices: Continually test assets to uncover reintroduced weaknesses. Scan critical assets a minimum of every 5–10 days. This is an ongoing process

  10. The Law of Exploitation
  • Lessons Learned:
  • Keep an eagle eye on key vendors for early warnings of available patches for critical resources
  • Make a team decision on when to patch
  • Integrate with automated patch management and configuration control systems. Verify the patch has eliminated the weakness
  • Be prepared to scan for vulnerabilities on an attack basis

  11. Yankee Group Dynamic Best Practice Model

  12. Dynamic Best Practice - Classify
  • Classify network resources
  • Tier the hierarchy of assets by value to the business

  13. Dynamic Best Practice - Measure
  • Measure your network against the half life and persistence curves
  • Measure team performance by the half life results and the treatment of the persistence law
  • Use gathered metrics to communicate the security problem to Senior Management
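The half-life and persistence laws (slides 7–9) and the Measure step above describe a curve without showing how to compute it. The following is an added example, not material from the presentation or from Qualys/Yankee Group: it fits an exponential decay to successive scan counts for a finding, estimates its half life, and checks it against the 30-day target. The finding names and scan counts are constructed sample data.

```python
# Added example: estimate the "half life" of a vulnerability from repeated scan
# counts and compare it with the 30-day target from the Law of Half Life.
import math
from typing import Dict, List, Tuple

Scan = Tuple[int, int]  # (days since the finding was first seen, hosts still affected)

# Constructed sample data (not real scan results): two findings tracked over time.
SCANS: Dict[str, List[Scan]] = {
    "FINDING-A (patched steadily)": [(0, 400), (10, 310), (20, 240), (30, 190), (40, 150), (60, 95)],
    "FINDING-B (persisting)":       [(0, 120), (30, 110), (60, 118), (90, 121)],
}

def estimate_half_life(scans: List[Scan]) -> float:
    """Least-squares fit of ln(count) = a - k*t; half life = ln(2)/k days.
    Scans that already report zero hosts are skipped (ln 0 is undefined).
    Returns math.inf when the count is not falling at all (persistence)."""
    pts = [(t, math.log(n)) for t, n in scans if n > 0]
    if len(pts) < 2:
        raise ValueError("need at least two scans with affected hosts")
    mean_t = sum(t for t, _ in pts) / len(pts)
    mean_y = sum(y for _, y in pts) / len(pts)
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    if sxx == 0:
        raise ValueError("all scans are from the same day")
    k = -sum((t - mean_t) * (y - mean_y) for t, y in pts) / sxx  # decay rate per day
    return math.log(2) / k if k > 0 else math.inf

def days_until_fraction(half_life: float, fraction: float) -> float:
    """Days until only `fraction` (0 < fraction <= 1) of the original hosts remain affected."""
    return half_life * math.log2(1 / fraction)

def report(target_days: int = 30) -> Dict[str, dict]:
    """Per-finding metrics for the Measure step: half life versus the target."""
    out = {}
    for name, scans in SCANS.items():
        hl = estimate_half_life(scans)
        out[name] = {
            "half_life_days": hl,
            "meets_target": hl < target_days,
            "days_to_10pct": days_until_fraction(hl, 0.10),
        }
    return out

if __name__ == "__main__":
    for name, m in report().items():
        print(f"{name}: half life {m['half_life_days']:.1f} d, "
              f"meets {30}-day target: {m['meets_target']}")
```

FINDING-A decays with a half life just under 29 days, so it meets the target; FINDING-B's count never falls, which the fit reports as an infinite half life, the signal the persistence law tells you to look for.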

  14. Dynamic Best Practice - Integrate
  • Integrate with discovery systems such as network integrity systems
  • Integrate with patch management systems to confirm completion of the task
  • Integrate into management reporting portals. Take the mystery out of security.

  15. Dynamic Best Practice - Audit
  • Evaluate actual vulnerability management results against targeted metrics
  • Regularly review vulnerability management reports with the security teams
  • Measure the performance of security teams by the reduction of critical vulnerabilities

  16. Vulnerability Management Business Models (diagram: Model 1, Model 2)

  17. Summary of Dynamic Best Practices

  18. VM and Qualys Solutions

  19. Business Reporting and Risk Management

  20. Business Reporting

  21. Questions?
