
Is Your Vulnerability Management Program Irrelevant?


Description

In this webcast, Scott Crawford of Enterprise Management Associates and Michelle Johnson Cobb of Skybox Security discuss how to:

• Link vulnerability discovery, risk-based prioritization, and remediation activities to mitigate risks before exploitation.
• Build a remediation strategy that addresses “unpatchable” systems.
• Minimize change-management headaches by anticipating unintended impacts due to system and application interdependencies.
• Use metrics and key performance indicators (KPIs), such as remediation latency, to track the effectiveness of the vulnerability management program.


Page 1: Is Your Vulnerability Management Program Irrelevant?

Is Your Vulnerability Management Program Irrelevant?

© 2012 Enterprise Management Associates, Inc.

Scott Crawford

Managing Research Director

Enterprise Management Associates

www.enterprisemanagement.com

Page 2: Is Your Vulnerability Management Program Irrelevant?

Vulnerability management: Seems pretty important…

• A security fundamental
• PDCA (Plan-Do-Check-Act): find and fix exploitable exposures
• Is it actually working in your organization?
• How do you know?

Page 3: Is Your Vulnerability Management Program Irrelevant?

Polling Question 1

• Do you experience any of the following challenges with your vulnerability management program? (choose all that apply)
  • Disruptions due to active scanning
  • Lack the resources to analyze vulnerabilities in a timely manner
  • Lack the resources to mitigate vulnerabilities (e.g., patch) in a timely manner
  • Some hosts are not scannable
  • Unable to gain credentialed access to some parts of the network

© 2012 Skybox Security - Confidential

Page 4: Is Your Vulnerability Management Program Irrelevant?

Is it making a difference?

[Diagram: Discovery → Correlation → Prioritization → Mitigation. Annotations on the slide: “Lots of emphasis here…up to a point”; “Too many missed opportunities here”; “Here be dragons…”; “Issues often overlooked here”]

• Discovery that fails to culminate in effective mitigation isn’t vulnerability management. At best, it’s vulnerability assessment (and often, not even a thorough job of that…)

Page 5: Is Your Vulnerability Management Program Irrelevant?

Vulnerability discovery: Not comprehensive enough

• Scope of assessment is often constrained
  • Thousands of systems
  • Distribution of assets
  • Limitations on access
• The paradox of assessment impact
  • “Don’t touch these most critical systems!”
  • “OK, we’ll make sure to let attackers know…”
• What often happens?
  • Assessment not frequent enough
  • Scope not adequate

[Chart: Does IT risk assessment in your organization include actual testing of systems for their resistance to penetration, exploit, or other threats? From: IT Risk Management: Five Aspects of High Performers that Set Them Apart, EMA Research Note, July 2011]

Page 6: Is Your Vulnerability Management Program Irrelevant?

Vulnerability correlation

• All right, so now you have a laundry list of vulns
  • …or at least some vulns…
• How accurate is the assessment?
  • How specific is the vuln? E.g., affected versions?
  • How accurate is the correlation to assets? E.g., update/patch history?
• What often happens?
  • Correlation may not be accurate or specific enough to individual assets
  • Can lead to downstream issues in remediation

Page 7: Is Your Vulnerability Management Program Irrelevant?

Polling Question 2

• What information sources do you use to prioritize vulnerability data? (choose all that apply)
  • Vendor vulnerability rankings (e.g., Microsoft vulnerability criticality levels)
  • Network infrastructure
  • Configuration of security controls (firewalls, IPS, etc.)
  • Asset data
  • Patch history
  • Threat data

Page 8: Is Your Vulnerability Management Program Irrelevant?

Vulnerability prioritization

• How to prioritize?
  • CVSS score? Configuration issue?
• An even better question: What is the asset anyway?
  • Customer payments processing system handling cardholder data? Or the employee satisfaction survey?
  • How do you know?
  • What is its relationship to other assets?
  • Is it actually exploitable?
  • Where will exploit lead?
• What often happens?
  • Priority based on vendor vulnerability ranking, not by what’s actually exploitable in the environment
  • Exacerbated by inadequate insight into assets

Page 9: Is Your Vulnerability Management Program Irrelevant?

Vulnerability remediation

• What are your options?
  • Patching? Reconfig? Access control? Network?
• What about “unpatchable” vulnerabilities?
  • Non-COTS, custom apps, factors of system integration
• Can the system be changed?
  • E.g., availability-critical physical infrastructure? SCADA?
• Is change necessary?
  • E.g., sensitive asset, highly rated vuln, access tightly controlled
• How do remediation options factor into prioritization?
• What often happens?
  • Patching becomes overwhelming (or is not an option)
  • Opportunities missed when mitigation excludes possible alternatives
  • Remediation takes too long or is ineffective

Page 10: Is Your Vulnerability Management Program Irrelevant?

Completing the process: What did you learn?

• How do you know your efforts are successful?
  • Remediation success? …and did remediation go as planned?
  • What data are you using to verify?
    • Incident data?
    • Attempts against unremediated vulns? What about historical data? (Evidence of exploit before vulns became known)
    • Attempts against remediated vulns? Success? Further penetration?
    • Numbers of incidents that result in exposure?
    • Reductions in “significant” incidents? (i.e., investigation/response beyond “normal” resource allocation)
• Do findings factor into refining processes?
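The verification questions above turn into a handful of KPIs once finding records and detection alerts are kept side by side. The following is an added example (not from the slides or either presenter) that computes remediation latency per severity, flags SLA breaches, and labels each detection alert as pre-discovery, against an unremediated vuln, or against a remediated one. Every finding record, alert line, SLA target, host name and vuln id is constructed for the example.

```python
"""Vulnerability-management KPIs from finding and alert records.

Added example, not part of the original slides. The finding records,
SLA targets and IDS alert lines are constructed inline; host names and
vuln ids are placeholders.
"""
from datetime import datetime
from statistics import median

# Constructed findings: when each (host, vuln) was first seen, when it was
# closed (None = still open), and whether the fix was re-verified.
FINDINGS = [
    {"host": "web01", "vuln": "VULN-A", "severity": "critical",
     "first_seen": "2012-03-01", "fixed": "2012-03-05", "verified": True},
    {"host": "web02", "vuln": "VULN-A", "severity": "critical",
     "first_seen": "2012-03-01", "fixed": "2012-03-20", "verified": False},
    {"host": "db01",  "vuln": "VULN-C", "severity": "high",
     "first_seen": "2012-02-10", "fixed": None, "verified": False},
    {"host": "hr01",  "vuln": "VULN-D", "severity": "medium",
     "first_seen": "2012-01-15", "fixed": "2012-02-28", "verified": True},
]

# Constructed IDS alerts: (timestamp, target host, vuln the signature maps to).
ALERTS = [
    ("2012-03-03", "web01", "VULN-A"),
    ("2012-03-10", "web02", "VULN-A"),
    ("2012-03-25", "web02", "VULN-A"),
    ("2012-03-12", "db01",  "VULN-C"),
    ("2012-02-01", "db01",  "VULN-C"),   # before the vuln was first seen
]

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # hypothetical targets
AS_OF = datetime(2012, 4, 1)


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


def remediation_latency(findings, as_of=AS_OF):
    """Median days-to-fix per severity. Open findings count up to as_of,
    so a stalled fix pulls the median up instead of vanishing from it."""
    days = {}
    for f in findings:
        end = _d(f["fixed"]) if f["fixed"] else as_of
        days.setdefault(f["severity"], []).append((end - _d(f["first_seen"])).days)
    return {sev: median(v) for sev, v in days.items()}


def sla_breaches(findings, sla=SLA_DAYS, as_of=AS_OF):
    """Findings whose actual (or so-far) latency exceeds the severity SLA."""
    out = []
    for f in findings:
        end = _d(f["fixed"]) if f["fixed"] else as_of
        if (end - _d(f["first_seen"])).days > sla[f["severity"]]:
            out.append((f["host"], f["vuln"]))
    return out


def classify_alerts(findings, alerts):
    """Label each attack attempt relative to the finding's lifecycle:
    'pre_discovery', 'unremediated' or 'post_remediation'. Attempts after a
    fix that nobody verified are flagged separately: they are the ones that
    tell you whether remediation actually went as planned."""
    index = {(f["host"], f["vuln"]): f for f in findings}
    labels = []
    for ts, host, vuln in alerts:
        f = index.get((host, vuln))
        if f is None:
            labels.append((ts, host, vuln, "no_matching_finding"))
            continue
        t = _d(ts)
        if t < _d(f["first_seen"]):
            label = "pre_discovery"
        elif f["fixed"] is None or t < _d(f["fixed"]):
            label = "unremediated"
        elif f["verified"]:
            label = "post_remediation"
        else:
            label = "post_remediation_unverified"
        labels.append((ts, host, vuln, label))
    return labels


if __name__ == "__main__":
    print(remediation_latency(FINDINGS))
    print(sla_breaches(FINDINGS))
    for row in classify_alerts(FINDINGS, ALERTS):
        print(row)
```

The "pre_discovery" label is the historical-data point from the slide: an alert that predates first_seen means the exposure was being probed before the program knew about it, which is a coverage or frequency failure rather than a remediation one.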

Page 11: Is Your Vulnerability Management Program Irrelevant?

The upshot: What happens to security?

• Checklist mentality
  • Only cover most “important” obligations
• Scope of assessment not comprehensive enough
• Correlation & prioritization lost in a sea of noise…or not enough information
• Remediation bogs down (time, complexity)

Compliance rulez! (NOT!)

Page 12: Is Your Vulnerability Management Program Irrelevant?

Is there a secret to getting us beyond these obstacles?

Page 13: Is Your Vulnerability Management Program Irrelevant?

Hint #1: It’s in the data!

Page 14: Is Your Vulnerability Management Program Irrelevant?

The rise of “data-driven” security

In a 2012 EMA survey of 200 organizations worldwide,*
• 38% are currently expanding investment in technologies for improving security data management
  • 40% plan such expansion in the next 1 to 3 years
• 32% are expanding investment in personnel expertise in security data management
  • 44% plan to do so in the next 1 to 3 years

[Chart: Would your organization collect more data, or a wider variety of data, relevant to information security if you could make use of it?]

*The Rise of Data-Driven Security, EMA Research Report, May 2012

Page 15: Is Your Vulnerability Management Program Irrelevant?

Why?

Many reasons – One important example:

• Is this confidence validated by the evidence?
  • Verizon 2010 DBIR: 86% had breach evidence in log data
  • 2012: 92% of breaches discovered by 3rd party
  • EMA 2012 survey: 57% spend unplanned work on security incidents 2-3x/month or more (12% do so daily)

[Chart: Are you confident or doubtful that your organization could detect an important security issue before it has a significant impact? From: The Rise of Data-Driven Security, EMA Research Report, May 2012]

Page 16: Is Your Vulnerability Management Program Irrelevant?

Data-driven vulnerability management

• If you cannot scan more often or include a wider sample, what data do you already have?
  • Some examples: asset inventory, asset detail, network topology, access privileges
• How can you improve it?
  • Better correlation of vulnerability data to asset specifics
  • Factors of exploitability
• How can you use it?

Page 17: Is Your Vulnerability Management Program Irrelevant?

Hint #2 (and #3)

• Better performance = better outcomes
• High performers are more thorough in PDCA – in other words, they complete their processes
• An example from a closely related aspect of IT ops: change management

[Chart: Which of the following best characterizes your organization’s IT change control processes? Annotations on the slide: “94% of High Performers”; “Half the median incidence of security events requiring response”. From: IT Risk Management: Five Aspects of High Performers that Set Them Apart, EMA Research Note, July 2011]

Page 18: Is Your Vulnerability Management Program Irrelevant?

Making vulnerability management relevant: Linking data with completing the process

• Automate and integrate
  • The volume of available data may be excessive without tools to automate its application
  • Integration of assessment with prioritization and remediation often depends on integration of data
  • Prioritization depends on knowing which assets are affected – as specifically and accurately as possible
• Have a way to compare remediation options
  • Patching may not be your only – or even your best – option
  • …and for “unpatchable” vulns, it isn’t an option at all!
• Here are a few questions that don’t get asked often enough:
  • What are your outcomes?
  • How do you know your VM program is succeeding?
  • How and where can you best apply resources to improvement?

Page 19: Is Your Vulnerability Management Program Irrelevant?

Skybox Security Overview

Leader in Security Risk Management

• Global 2000 customers
  • Financial Services, Government, Defense, Energy & Utilities, Retail, Service Providers, Manufacturing, Tech
• Proven Solutions
  • Automated Firewall Management
  • Risk and Vulnerability Management

Page 20: Is Your Vulnerability Management Program Irrelevant?

Polling Question 3

• On average, how long does it take for your company to complete one cycle of scanning, prioritizing, and mitigating critical vulnerabilities across your entire network? (choose one answer)
  1. 1-3 days
  2. 3-7 days
  3. 7-30 days
  4. 30-60 days
  5. Never
  6. Don’t know

Page 21: Is Your Vulnerability Management Program Irrelevant?

Need vs. Reality Gap: Too Little, Too Late

[Chart: Frequency and Coverage. Y axis: scan frequency (x/year, 0-350); X axis: % of network scanned (10%-90%). Plotted regions:
• Partner/External networks: avg. scan every 60-90 days, <50% of hosts
• Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts
• Where you need to be: daily process, 90%+ hosts]

Page 22: Is Your Vulnerability Management Program Irrelevant?

The Skybox Security Solution: Next Generation Vulnerability Management

• Data-driven approach links vuln, network, asset data
• Continuous, non-disruptive vuln discovery
• Prioritize vulns according to business risk
• Evaluate mitigation options and change impact
• Automated and integrated with IT processes

Page 23: Is Your Vulnerability Management Program Irrelevant?

Skybox Data-Driven Approach: Use a Network Model

[Diagram: network model built from Firewall, Load Balancer, Router, IPS, Vulnerability Scanner, Patch, and System Config data]

Page 24: Is Your Vulnerability Management Program Irrelevant?

Vulnerability Detector: Non-Invasive Vulnerability Discovery

[Diagram comparing two approaches]
• Traditional “active” vuln scanner: Active Scanner → test thousands of signatures against hosts → Vulnerability List
• Skybox “scanless” vulnerability discovery: System, Asset, Patch Info collected from hosts → Skybox Vulnerability Detector (profile vulns based on rules; extract product catalog) → Vulnerability List
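The rule-based flow above and the correlation questions from the “Vulnerability correlation” slide (affected versions, update/patch history) come down to the same matching step, shown here as one added example that is neither Skybox’s detector nor code from the slides. A catalog rule names a product and an affected version range plus any patch ids that backport the fix; the same rule is used both to profile an inventory without touching the hosts and to check an active scanner’s banner-based finding against asset detail. The rules, assets, patch ids and vuln ids are constructed placeholders, not real advisories.

```python
"""Correlate vulnerability catalog rules against asset records.

Added example (not from the original slides). Catalog entries, assets and
patch history are constructed inline for illustration; the vuln ids and
patch ids are hypothetical placeholders, not real advisories.
"""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


@dataclass
class Rule:
    vuln_id: str
    product: str
    min_version: str            # first affected version (inclusive)
    fixed_version: str          # first fixed version (exclusive)
    fixing_patches: set = field(default_factory=set)   # backported fixes


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    patches: set = field(default_factory=set)


def rule_applies(rule: Rule, asset: Asset) -> str:
    """Return 'vulnerable', 'patched' or 'not_affected' for one rule/asset pair."""
    if rule.product != asset.product:
        return "not_affected"
    v = parse_version(asset.version)
    if not (parse_version(rule.min_version) <= v < parse_version(rule.fixed_version)):
        return "not_affected"
    # A backported fix leaves the version string unchanged, so the version
    # alone over-reports; patch history is what makes the answer specific.
    if rule.fixing_patches & asset.patches:
        return "patched"
    return "vulnerable"


def profile_assets(rules, assets):
    """Scanless discovery: derive a vulnerability list from inventory + patch data."""
    findings = []
    for asset in assets:
        for rule in rules:
            status = rule_applies(rule, asset)
            if status != "not_affected":
                findings.append((asset.hostname, rule.vuln_id, status))
    return findings


def validate_scanner_findings(scanner_findings, rules, assets):
    """Correlate active-scanner output (host, vuln id) with asset detail.

    A banner-driven scanner reports a host as vulnerable even when a
    backported fix is installed; such findings are labelled as likely false
    positives instead of being queued for remediation. Hosts or ids with no
    asset detail to correlate against stay 'unknown' rather than being guessed.
    """
    by_host = {a.hostname: a for a in assets}
    by_id = {r.vuln_id: r for r in rules}
    verdicts = {}
    for hostname, vuln_id in scanner_findings:
        asset, rule = by_host.get(hostname), by_id.get(vuln_id)
        if asset is None or rule is None:
            verdicts[(hostname, vuln_id)] = "unknown"
            continue
        status = rule_applies(rule, asset)
        verdicts[(hostname, vuln_id)] = {
            "vulnerable": "confirmed",
            "patched": "likely_false_positive",
        }.get(status, "mismatch")          # scanner claims a version we don't see
    return verdicts


# Constructed sample data (hypothetical ids)
RULES = [
    Rule("VULN-A", "webserver", "2.4.0", "2.4.52", {"PATCH-1001"}),
    Rule("VULN-B", "webserver", "2.2.0", "2.4.0"),
    Rule("VULN-C", "dbserver", "10.0", "10.6"),
]
ASSETS = [
    Asset("web01", "webserver", "2.4.51"),                   # unpatched
    Asset("web02", "webserver", "2.4.51", {"PATCH-1001"}),   # backported fix installed
    Asset("db01", "dbserver", "10.3"),
]
SCANNER_FINDINGS = [("web01", "VULN-A"), ("web02", "VULN-A"),
                    ("web02", "VULN-B"), ("web99", "VULN-C")]

if __name__ == "__main__":
    for f in profile_assets(RULES, ASSETS):
        print(f)
    for k, v in validate_scanner_findings(SCANNER_FINDINGS, RULES, ASSETS).items():
        print(k, v)
```

The "unknown" verdict is deliberate: a finding on a host that is not in the inventory is the discovery-scope problem from the earlier slides surfacing in the correlation step, and it should be routed to asset management rather than silently dropped or silently trusted.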

Page 25: Is Your Vulnerability Management Program Irrelevant?

Finding Exploitable Vulnerabilities

[Diagram: threat origins (Internet Hacker, Compromised Partner, Rogue Admin) against vulnerabilities labeled on the slide as CVE 2009-203, CVE 2006-722, CVE 2006-490]

Page 26: Is Your Vulnerability Management Program Irrelevant?

Predictive Analytics via Attack Simulation

[Diagram: attack simulations from the threat origins (Internet Hacker, Compromised Partner, Rogue Admin) across the network model to the vulnerabilities labeled on the slide as CVE 2009-203, CVE 2006-722, CVE 2006-490]
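The attack simulation above is what answers the “Is it actually exploitable? Where will exploit lead?” questions from the prioritization slide and the “is change necessary / what are the options?” questions from the remediation slide. The following is an added example, not Skybox’s product and not code from the slides: a small network model of zones, firewall rules and hosts is searched for attack paths from the attacker origins, each vulnerability is ranked by whether it is reachable and exploit-available weighted by asset criticality rather than by CVSS alone, and removing one firewall rule is evaluated as an alternative to patching. The zones, rules, hosts, criticality values and vuln ids are all constructed.

```python
"""Attack-path simulation over a small network model, used to rank
vulnerabilities by what is actually reachable and to compare mitigations.

Added example, not Skybox code or the slides' own model. The topology,
rules, hosts and vulnerability ids below are constructed for illustration;
the ids are placeholders, not real CVEs.
"""
from collections import deque

# --- Constructed network model -------------------------------------------
# Firewall policy: allowed flows as (source_zone, destination_zone, port).
FIREWALL_RULES = {
    ("internet", "dmz", 443),
    ("partner", "dmz", 443),
    ("partner", "internal", 1433),   # partner link straight to the DB tier
    ("dmz", "internal", 8080),
    ("internal", "internal", 1433),
}

# Hosts: zone, business criticality (1..5) and vulnerabilities as
# (vuln_id, cvss, exploit_available, listening port).
HOSTS = {
    "web01": {"zone": "dmz", "criticality": 3,
              "vulns": [("VULN-A", 9.8, True, 443)]},
    "app01": {"zone": "internal", "criticality": 4,
              "vulns": [("VULN-B", 7.5, False, 8080)]},
    "db01":  {"zone": "internal", "criticality": 5,
              "vulns": [("VULN-C", 8.8, True, 1433)]},
    "hr01":  {"zone": "internal", "criticality": 2,
              "vulns": [("VULN-D", 9.0, True, 22)]},   # no rule allows port 22
}

ATTACKER_ZONES = ["internet", "partner"]


def allowed(rules, src_zone, dst_zone, port):
    return (src_zone, dst_zone, port) in rules


def simulate(rules, hosts, start_zones):
    """Return {host: [vuln ids usable to compromise it]} for every host an
    attacker starting in start_zones can reach by exploiting a reachable,
    exploit-available vuln, then pivoting from the compromised host's zone."""
    reached_zones = set(start_zones)
    compromised = {}
    queue = deque(start_zones)
    while queue:
        zone = queue.popleft()
        for name, h in hosts.items():
            if name in compromised:
                continue
            usable = [v for (v, _cvss, exploit, port) in h["vulns"]
                      if exploit and allowed(rules, zone, h["zone"], port)]
            if usable:
                compromised[name] = usable
                if h["zone"] not in reached_zones:     # new foothold: pivot
                    reached_zones.add(h["zone"])
                    queue.append(h["zone"])
    return compromised


def prioritize(rules, hosts, start_zones):
    """Rank vulns: reachable + exploitable ones by cvss * criticality; the
    rest score 0 and sort below them regardless of their CVSS."""
    compromised = simulate(rules, hosts, start_zones)
    ranked = []
    for name, h in hosts.items():
        for vid, cvss, _exploit, _port in h["vulns"]:
            reachable = vid in compromised.get(name, [])
            score = cvss * h["criticality"] if reachable else 0.0
            ranked.append((score, vid, name, reachable, cvss))
    ranked.sort(key=lambda r: (-r[0], -r[4]))
    return ranked


def evaluate_rule_removal(rules, hosts, start_zones, rule):
    """Change-impact check for a network mitigation: which hosts drop out of
    the attacker's reach if `rule` is removed from the firewall policy?"""
    before = set(simulate(rules, hosts, start_zones))
    after = set(simulate(rules - {rule}, hosts, start_zones))
    return sorted(before - after)


if __name__ == "__main__":
    for row in prioritize(FIREWALL_RULES, HOSTS, ATTACKER_ZONES):
        print(row)
    print(evaluate_rule_removal(FIREWALL_RULES, HOSTS, ATTACKER_ZONES,
                                ("partner", "internal", 1433)))
```

On this model the CVSS 9.0 issue on hr01 ranks below the 8.8 on db01 because nothing can reach port 22, while dropping the partner-to-internal database rule takes db01 off the attack surface without a patch window on the most critical asset; the same function run before the change request is filed is the change-impact check the remediation slide asks for.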

Page 27: Is Your Vulnerability Management Program Irrelevant?

Plan Defensive Strategy / Monitor Vulnerability KPIs

[Dashboard: Most Critical Actions, Vulnerabilities, Threats]

Page 28: Is Your Vulnerability Management Program Irrelevant?

Recap… Steps to Effective Vulnerability Management

• Data Driven
  • Able to gather and process more vulnerability and risk data, faster
• Prioritize by Business Impact
  • Know what’s really exploitable, rank by business impact
• Close the Loop with Mitigation and Metrics
  • Evaluate options beyond patching, sync with change management process

Page 29: Is Your Vulnerability Management Program Irrelevant?

Find out more…

• Download our VM Whitepaper or VM Survey Results
• Ask for a demo of our solutions
• www.skyboxsecurity.com

Thank you!

Page 30: Is Your Vulnerability Management Program Irrelevant?

Questions?


Scott Crawford

Managing Research Director

Enterprise Management Associates

[email protected]

www.enterprisemanagement.com

Michelle Johnson Cobb

VP Worldwide Marketing

Skybox Security

[email protected]

www.skyboxsecurity.com