Michelle Cobb, VP Marketing, Skybox Security; Ed Mosquera, Security Consultant, Skybox Security. May 2013. Best Practices for Next-Generation Vulnerability Management

Is Your Vulnerability Management Program Keeping Pace With Risks?


DESCRIPTION

To effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks continuously. This is required in order to match or exceed the daily rate of attacks. Why bother to assess your risks every 90 days when new threats are unleashed every day?

See how you can:

• Transform vulnerability discovery from a ‘round robin’ schedule to continuous monitoring for vulnerabilities

• Prioritize vulnerabilities based on exploitability and potential business impact

• Focus remediation efforts and track progress to show a measurable reduction of risk

• Make vulnerability management an essential part of daily change management processes

These slides will include case studies, survey data, and best practices – ideal for IT security practitioners who are considering, or already implementing, next-generation vulnerability management to effectively and measurably mitigate risk.


Page 1: Is Your Vulnerability Management Program Keeping Pace With Risks?

Michelle Cobb, VP Marketing, Skybox Security

Ed Mosquera, Security Consultant, Skybox Security

May 2013

Best Practices for Next-Generation Vulnerability Management

Page 2

© 2013 Skybox Security Inc. 2

Skybox Security Overview

Predictive risk analytics for best decision support

Complete visibility of network and risks

Designed for continuous, scalable operations

Leader in Proactive Security Risk Management

Proven Effective in Complex Network Environments

Page 3

Vulnerability Management is Not Dead

… It Is Just Not Working

Risk Levels Keep Rising

Compliance, continuous monitoring

Proliferation of mobile, cloud

Protect against financial loss due to cybercrime

Deal with advanced threats, targeted attacks

Need to secure new services and users

Page 4

Is Your Vulnerability Management Program Keeping Pace?

Then

Now

Find Analyze Fix

Page 5

2012 Survey Highlights the Vulnerability Discovery Gap

[Chart: scan frequency (cycles / year) plotted against % of network scanned]

How often do you scan? How much coverage?

Critical systems, DMZ

Scan every 30 days

50-75% of hosts

To keep pace with threats?

Daily updates

90%+ hosts

Page 6

Reasons that respondents don’t scan more often

We are concerned about disruptions from scanning: 59%

We don’t have the resources to analyze more frequent scan data: 58%

We don't have the resources to deal with broader patching activity: 41%

Some hosts are not scannable due to their use: 34%

The cost of licenses is prohibitive: 29%

Unable to gain credentialed access to scan portions of the network: 12%

We just don’t need to scan more: 5%

Disruptive, Inaccurate Picture of Risk

Challenges with Traditional Scan Approach

Page 7

Polling Question #1

When you analyze scan data to determine how to remediate vulnerabilities, generally how old is the scan data?

– <5 days

– <15 days

– <30 days

– Older than 30 days

Page 8

Naïve Analysis Results in Costly and Ineffective Remediation

All vulnerabilities in environment: 30,000

Identified by scanner: 50-75%

Attack vectors using exploitable vulnerabilities

Patch/Fix

Patching may miss attack vectors

Page 9

Now

First Generation Vulnerability Management Processes Are No Longer Effective

30-60 days to scan and catalog 75% of vulnerabilities

2-4 weeks to analyse, and still get it wrong

60 days to patch, £ 200,000 per year

Cycle Time: Typically 2-4 months

New vulnerabilities, threats, changes: Hundreds per day

Result: Risk level never reduced

Find Analyze Fix

Big Disconnect …

Page 10

Self-Test: What are Your VM Program Challenges?

Discover / Analyse and Prioritise / Mitigate

How often is vulnerability data collected?

How much of the network is covered?

Is scanning disruptive to the business?

Are you able to find alternatives to patching?

Do you prioritise by possible business impact?

Are you considering the network context?

Is risk level increasing or decreasing over time?

Continuous, Automated, Scalable?

Page 11

Introduction to Next Generation Vulnerability Management

Discover / Analyse and Prioritise / Mitigate

Non-disruptive discovery

Scalable

Automated analysis

Risk-based prioritisation

Using network and security context

Actionable

Optimal

Easy to track

Scalable Program to Address Critical Vulnerabilities Continuously and Efficiently

Page 12

Vulnerability Discovery: Use the Right Approach for Your Network

Asset Data

Patch Data

Threat Intel.

Active Scanning

Non-disruptive Scan-less Detection

Continuous identification

Relevant vulnerabilities

Infrequent scanning

Large number of vulnerabilities

Page 13

Main Uses of Skybox Dictionary

Skybox Dictionary

Vulnerability Detector

Attack Simulation

Data Collection into security model

Data normalization (vulnerabilities, IPS signatures)

Product and vulnerability profiling rules

Attack vectors information

Page 14

Polling Question #2

What approach do you use most often to prioritize patching activities?

– Primarily by risk posed to business assets

– Primarily by vulnerability severity level from the scanner

– Primarily by scope; the number of systems affected by the vulnerability

– Primarily by ease of applying the patch (e.g. patches that could be disruptive applied last)

Page 15

Skybox Vulnerability and Threat Management

Network Devices

Firewalls / IPS

Prioritized Threats

Remediation Options

Threat Reports

Attack Simulation

Threat Correlation

Asset Data

Vulnerability Data

Threat Intelligence

Network Modeling

Attack Scenarios

Risk-Based Prioritization

Page 16

Skybox Data-Driven Approach

Use a Network Model

Firewall

Load Balancer

Router

IPS

Vulnerability Scanner

Patch

System Config

Page 17

“Scanless” Vulnerability Discovery

Missing Patches

Installed Products

On-going Synchronization

Normalization & Merging

Hosts, Products, Vulnerabilities, Patches

The Organizational Assets

Vulnerability Detector

Configuration Files, Asset, Patch, and AV Managers

Active Scan

Vulnerability Feeds

Vulnerabilities

Hosts

Vulnerability Scanners

Scanner Connectors

Page 18

Finding Exploitable Vulnerabilities

Compromised Partner

Rogue Admin

Vulnerabilities

• CVE 2009-203

• CVE 2006-722

• CVE 2006-490

Internet Hacker

Page 19

Predictive Analytics via Attack Simulation

Compromised Partner

Attack Simulations

Rogue Admin

Vulnerabilities

• CVE 2013-203

• CVE 2012-722

• CVE 2010-490

Internet Hacker

Page 20

Automated Analysis – Attack Surface, Exploitable Attack Vectors, Risks

All vulnerabilities in environment: 30,000

Identified vulnerabilities: 90+%

Prioritize by potential impact

Attack Surface

Patch/Fix

High priority remediation

Page 21

Actionable Remediation Process, Leveraging Attack Vectors Information

Install security patch on server

Change firewall access rule

Activate signature on IPS

Page 22

High Level Visibility for Vulnerability Management

Monitor Impact and Risk Metrics over Time

Most Critical

Actions

Vulnerabilities

Threats

Page 23

Comparison – Old and Next Generation VM

Category | Old Generation | Next Generation

Discovery | Scanning Only | Scan-less discovery + scanning

Analysis | Manual; inaccurate | Automated; risk-based

Remediation | Hit & Miss with Patching | Optimal risk mitigation

Scope | Limited to traditional assets | Enterprise-wide program

Automation | Only scanning; Cycle time 2-4 months | From A-Z; Continuous process

Effectiveness | Costly program; little benefits | Optimal Risk Mitigation

Page 24

In Summary – Steps to Effective Vulnerability Management

• Know what’s really exploitable in your network

• Rank by business impact, end unnecessary patching

• Increase coverage of vulnerability assessment

• Increase frequency of vulnerability discovery

Ensure Frequent & Complete Knowledge of Your Vulnerabilities

• Evaluate alternatives to patching

• Verify impact on risk, and track progress

Close the Loop with Optimal Mitigation and Effective Tracking

Use Risk Analytics to Determine the Exposure

Page 25

Thank you

www.skyboxsecurity.com

Download the Skybox Vulnerability Management Tool Kit

http://lp.skyboxsecurity.com/O_VulnerabilityManagement.html