5 Steps to an Effective Vulnerability Management Program
Transcript of 5 Steps to an Effective Vulnerability Management Program
Foundational Intelligence
Network Situational Awareness
Confidence and Trust
20% Gap in Network Visibility
“You can’t defend what you don’t know.”
Mark Orndorff, Director of Mission Assurance and Network Operations
Defense Information Systems Agency
Network Element          Government   Manufacturing   Financial   Technology
Assumed Device Count     ~150,000     ~60,000         ~800,000    ~100,000
Discovered Devices       ~170,000     89,860          842,400     ~114,000
Visibility Gap           ~12%         ~33%            ~5%         ~12%
Unknown Networks         3,278        24              771         433
Unauthorized Devices     520          n/a             n/a         2,026
Non-Responding Networks  33,256       4               16,828      45
Established VM Program   Yes          Yes             Yes         Yes
Network change and complexity outpacing policy and procedures
Organizations can only manage and secure what they know
How much risk does this gap introduce?
An effective Vulnerability Management strategy must incorporate comprehensive Network Situational Awareness in order to actively reduce overall risk.
Network Situational Awareness represents the foundation of comprehensive vulnerability management.
DISCOVER
Networks & Devices
Edge & Boundaries
Profiles & Vulnerabilities
COMPREHEND
Assess & Score
Prioritize & Trend
Visualization & Reporting
MITIGATE
Reduce Risk
Minimize Threat Surface
Prevent Intrusion
“Organizations that operationally implement applicable IT controls through a vulnerability management program will achieve the strongest security posture.”
Step   Goal
1      Validate Network Address Space: discover the entire scope of IP address space in use within the environment
2      Determine Network Edge: understand the boundary of the network under management
3      Discover & Profile Endpoints: understand the presence of all devices on the network
4      Identify Vulnerabilities: evaluate and comprehend network vulnerabilities for remediation
5      Mitigate Risk: remediate risks in priority order with patches/changes, or accept lesser risks
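Steps 1 through 3 above, together with the visibility-gap table earlier in the deck, amount to one reconciliation: compare the address space and asset inventory the organization believes it has against what discovery actually finds, and report the difference as unknown networks, unauthorized devices and a visibility gap. The Python below is an added example, not code from the deck or from Tripwire. The authorized ranges, inventory and discovery results are constructed, and the gap formula (discovered minus assumed, divided by discovered) is inferred from the table's figures rather than stated anywhere in the deck.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Step 1, constructed: the address space the organization believes it owns.
AUTHORIZED_NETWORKS = [
    ip_network("10.0.0.0/24"),
    ip_network("10.0.1.0/24"),
    ip_network("192.168.50.0/24"),
]

# Step 3 baseline, constructed: the asset inventory (the "assumed" device count).
INVENTORY = {
    "10.0.0.10": "web-01",
    "10.0.0.11": "web-02",
    "10.0.1.20": "db-01",
    "192.168.50.5": "printer-lobby",
}

# Constructed discovery results: what a sweep of the network actually returned.
DISCOVERED = [
    "10.0.0.10", "10.0.0.11",
    "10.0.0.12",                  # in an authorized range but absent from the inventory
    "10.0.1.20",
    "192.168.50.5",
    "172.16.9.4", "172.16.9.9",   # no authorized range covers these: an unknown network
]


@dataclass
class ReconciliationReport:
    assumed: int
    discovered: int
    visibility_gap: float
    unauthorized_devices: list[str] = field(default_factory=list)
    unknown_networks: list[str] = field(default_factory=list)


def visibility_gap(assumed: int, discovered: int) -> float:
    """Share of discovered devices the inventory did not account for.

    Formula inferred from the deck's table: (discovered - assumed) / discovered.
    Returns 0.0 when discovery found no more than the inventory listed.
    """
    if discovered <= 0:
        return 0.0
    return max(0.0, (discovered - assumed) / discovered)


def enclosing_network(addr) -> str:
    """Name the network a stray host sits on (/24 for IPv4, /64 for IPv6)."""
    prefix = 24 if addr.version == 4 else 64
    return str(ip_network(f"{addr}/{prefix}", strict=False))


def reconcile(authorized_networks, inventory, discovered) -> ReconciliationReport:
    """Compare discovery output with the authorized address space and inventory."""
    unknown: set[str] = set()
    unauthorized: list[str] = []
    for ip in discovered:
        addr = ip_address(ip)
        if not any(addr in net for net in authorized_networks):
            unknown.add(enclosing_network(addr))
        if ip not in inventory:
            # Hosts on unknown networks are, by construction, not inventoried either.
            unauthorized.append(ip)
    return ReconciliationReport(
        assumed=len(inventory),
        discovered=len(discovered),
        visibility_gap=visibility_gap(len(inventory), len(discovered)),
        unauthorized_devices=sorted(unauthorized, key=ip_address),
        unknown_networks=sorted(unknown),
    )


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_NETWORKS, INVENTORY, DISCOVERED)
    print(f"assumed {report.assumed}, discovered {report.discovered}, "
          f"gap {report.visibility_gap:.0%}")
    print("unauthorized devices:", report.unauthorized_devices)
    print("unknown networks:", report.unknown_networks)
```

Run against the constructed data, the report shows 4 assumed versus 7 discovered devices (a 43% gap), three unauthorized devices and one unknown /24. Feeding the deck's own column figures into `visibility_gap` reproduces its ~12%, ~33%, ~5% and ~12% rows, which is what motivates the inferred formula. The useful operational property is that the check is cheap to repeat on every discovery cycle, so the gap becomes a trended metric rather than a one-time finding.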
• Inventory of Authorized and Unauthorized Hardware and Software
[Chart: vulnerability severity levels INFO, LOW, MEDIUM, HIGH]
Executive | Audit & Compliance | Security | IT Operations
What is the challenge?
• Dollars & resources are being spent on things that don’t increase security
• Outdated (10 yrs old) security regulations require manual testing every three years on systems
• Diverse tool sets implemented across the civil landscape
What can be done?
• Refocus dollars and resources on what increases security
• CDM stops 85% of cyber attacks by searching for, finding, fixing, and reporting the worst cyber problems first in near-real time
• Understand networks, devices, software and people’s interaction with the network in real time
Who is responsible?
• In 2010, OMB assigns Cybersecurity responsibility to DHS
• In FY 2013, DHS proposes to deploy proven continuous monitoring technology across the .gov network
Source: http://www.verisgroup.com/2014/07/17/ongoing-authorization-and-near-real-time-risk-management/
Source: https://www.us-cert.gov/sites/default/files/cdm_files/training_materials/Overview%20Modules.pdf
Hardware Asset Management (HWAM)
• Control of HW assets through visibility
• Unauthorized/unmanaged HW discovery
• ID, block, or manage vulnerable assets
• Group assets based on risk profiles
Software Asset Management (SWAM)
• Unauthorized/unmanaged SWCI discovery
• Remove and/or block vulnerable SWCI
• Dynamic, complete, and accurate inventory
• Timely response to malware vulnerabilities
Configuration Management (CM)
• Increased control through visibility
• Establishment of trusted “Gold Builds”
• Reduce and avoid misconfigurations
• Improved security patch asset maintenance
Vulnerability Management (VUL)
• Perform threat and vulnerability analysis
• Discover vulnerabilities
• Support remediation
• Automate response to known threats
Continuous Monitoring
• Maps to risk tolerance
• Adapts to ongoing needs
• Actively involves management
Dynamic 360 degree CDM and CMaaS capability defending against asymmetric cyber threats
Continuous Asset Evaluation, Situational Awareness, Risk Scoring
• DHS DAA ATO
• Agency DAA updates ATO for CDM sensors
• DHS DAA establishes ESSA/EISA
Innovation Targets: Enhanced Analytics, DAD, Global Threat Intelligence and Process Optimization
CMaaS System
6 - Monitor Security State
2 - Select Security Controls
3 - Implement Security Controls
5 - Authorize Information System
• Operate CDM tools internally to ID malware and prevent propagation
• Share CDM outputs to support ongoing A&A for CMaaS, ESSA/ISA and agency systems containing CDM sensors, agency dashboards
• Support SP 800-137 D/A ISCM strategy development and maintenance, including CyberScope alignment
• Match outputs to governance training, mentoring, and change management
• Support DHS critical control review
• Conduct site security assessment to identify differences impacting A&A baseline
• Provide outputs to DHS and Agency DAAs to develop POA&Ms
• Apply NIST SP 800-53 High and SSH 4300 Baseline for TS Systems
• Develop Pre-Populated Templates and Artifacts for SO Agencies
4 - Assess Security Controls
• Apply Type Accreditation Strategy
  o Unclass CMaaS System High Categorization and Tools Selection Promotes Maximum Scalability and Tools Inheritance
• Classified CMaaS System is classified at Top Secret
1 - Categorize Information System
http://www.csc.com/public_sector/ds/11237/107249-cdm_cmaas?ref=ls
https://engage.csc.com/groups/cmaasbpa
http://www.gsa.gov/portal/content/176671?utm_source=FAS&utm_medium=print-radio&utm_term=cdm&utm_campaign=shortcuts
http://www.dhs.gov/cdm
http://www.us-cert.gov/cdm
Contact: Josh Canary, BPA Program Mgr | Phone: 703-908-7030 | Email: [email protected]
Eliminate Gaps in Network Intelligence
Maximize Visibility and Control
Enhance Security
Reduce Risk
tripwire.com | @TripwireInc