Enterprise Class Vulnerability Management Like A Boss

Enterprise Class Vulnerability Management Like A Boss Rockie Brockway Business Risk Director Black Box Network Services

Transcript of Enterprise Class Vulnerability Management Like A Boss

Page 1: Enterprise Class Vulnerability Management Like A Boss

Enterprise Class Vulnerability Management Like A Boss

Rockie Brockway

Business Risk Director

Black Box Network Services

Page 2: Enterprise Class Vulnerability Management Like A Boss

Bio

23 Year veteran in InfoSec/Risk

All certs have expired (including those I’ve taught)

Business Systems and Impact Analyst (Risk)

Enterprise Security Architect

Penetration/Red Team Tester

Speaker/Trainer/BSidesCLE

Musician/Woodworker/Landscaper/Hacker

[email protected]

http://www.linkedin.com/pub/rockie-brockway/9/634/641

@rockiebrockway

Page 3: Enterprise Class Vulnerability Management Like A Boss

Brief History Lesson

Page 4: Enterprise Class Vulnerability Management Like A Boss

The Compliance Conundrum

Sure are lots of them

Sure are a lot of tools that map out overlaps

Many are focused on protecting certain data types

Others are best practice frameworks

But at the end of the day …

Page 5: Enterprise Class Vulnerability Management Like A Boss

Information is Beautiful

Breach Business Impact Continues to Grow

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 6: Enterprise Class Vulnerability Management Like A Boss

IT Spend vs. Breaches

IT/InfoSec spend increasing, breaches continue to increase

As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect

[Chart: IT/InfoSec spend in trillions (source: Gartner), 2007 to 2014, plotted against number of breaches (source: Verizon DBIR), 2007 to 2014]

Page 7: Enterprise Class Vulnerability Management Like A Boss

Project and/or Compliance = Incorrect

Breach Business Impact Continues to Grow

Reasons: While most orgs understand data protection is a crucial strategic business issue, they continue to approach it on either

• A project by project basis and/or
• From a Compliance perspective

The reality is that data security inherently relates to financial business risk and must be treated as a function of the business itself

Page 8: Enterprise Class Vulnerability Management Like A Boss

Complexity in the Enterprise

From the Enterprise to the Application, more complexity means less security

Simple, individual projects do not need “Architecture”

“Architecture” is required to successfully fit an individual project into a larger, more complex set of projects

Page 9: Enterprise Class Vulnerability Management Like A Boss

Organizing Complexity Through Architecture

The SABSA Information Systems Architecture paper lays out the following (paraphrasing):

Like the design of buildings and cities, information architecture must take into consideration:

• Organizational goals to be achieved by the systems
• The environment where the systems will be built and used
• The technical capabilities required to build and operate the systems

Page 10: Enterprise Class Vulnerability Management Like A Boss

Enterprise Security Architecture

Benefits of Enterprise Security Architecture

• Brings focus to the key areas of concern for the business

• Allows business owners to make educated security/risk decisions without having to be an infosec professional

• Enables disparate Enterprise Security groups to understand their role in the business

• METRICS!
• Encourages repeatable processes
• Organizes your Enterprise’s complexity
• Focuses on Security, not Compliance (but still maps to compliance, we still have auditors :P)
• Reduces the likelihood your organization will contribute to informationisbeautiful.net

Page 11: Enterprise Class Vulnerability Management Like A Boss

Enterprise Security Architecture

Security inherently relates to business risk and must be treated as a board supported function of the business

Enterprise Security Architecture aligns organizational business strategy and goals with the protection of the organization’s business critical data

Page 12: Enterprise Class Vulnerability Management Like A Boss

Process

Vulnerability Management

The set of all processes for discovering, reporting and mitigating known vulnerabilities at any layer

Vulnerability Management is typically broken down into Intelligence/Patching activities and Scanning activities

It is critical to have vulnerability accountability and ownership throughout the enterprise, with the associated metrics

Page 13: Enterprise Class Vulnerability Management Like A Boss

Process

Vulnerability Management Challenges

• Moore’s Law – Malware evolves at equal speed
• Reactionary – In order for vulnerability scanning tools to be effective, they must already know about the vulnerability
• Intelligence – Having knowledge of the latest attacks and trends and if/how they affect your assets is crucial
• Communication – Effectively transferring the knowledge of vulnerability data to the service owners
• Accountability – Ensuring that the discovered vulnerabilities are remediated/mitigated and communicated back out to the service owners
• Metrics – IS needs to be able to communicate the value of the vulnerability management program back to the business

Page 14: Enterprise Class Vulnerability Management Like A Boss

Process

Vulnerability Management Goals

• Improved intelligence for quicker decision making and response

• Buy in from all service owners/stakeholders
• All primary asset types being regularly scanned
  • Servers
  • Web Applications
  • Network assets
  • User endpoints
  • Network enabled printers/UPS/NAS/etc.

• Integration of existing Vulnerability Management tools with existing business ticketing systems

• Service Owner and Stakeholder reporting with associated metrics

Page 15: Enterprise Class Vulnerability Management Like A Boss

Inspiration

OWASP Application Security Verification Standard (ASVS) 2014

http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf

Page 16: Enterprise Class Vulnerability Management Like A Boss

Inspiration

OWASP Application Security Verification Standard (ASVS) 2014

Level 0

Cursory – Indicates that some type of organizationally defined review has been performed on the application, and that the verification requirements were not provided by ASVS

Page 17: Enterprise Class Vulnerability Management Like A Boss

Inspiration

OWASP Application Security Verification Standard (ASVS) 2014

Level 1 (ASVS L1)

Opportunistic – Indicates that the application can adequately defend itself against application security vulnerabilities that are easy to discover

Such vulnerabilities are typically discovered with minimal to low effort, and cannot be considered a thorough inspection of the application

Threats to the application will most likely come from attackers using simple techniques and automated tools

Page 18: Enterprise Class Vulnerability Management Like A Boss

Inspiration

OWASP Application Security Verification Standard (ASVS) 2014

Level 2 (ASVS L2)

Standard – Indicates that the application can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk

Such vulnerabilities include the OWASP Top 10 and Business Logic vulnerabilities

The majority of business applications should work towards this level

Threats to the application will most likely come from opportunistic attackers, and possibly some motivated actors

Page 19: Enterprise Class Vulnerability Management Like A Boss

Inspiration

OWASP Application Security Verification Standard (ASVS) 2014

Level 3 (ASVS L3)

Advanced – Indicates that the application can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design

Level 3 requires an inspection of an application’s design

Level 3 is appropriate for critical applications that protect life, critical infrastructure and/or defense functions

Threats to the application will be from motivated actors and nation-states

Page 20: Enterprise Class Vulnerability Management Like A Boss

Inspiration

We can build on and improve this

Page 21: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 0 (ASVS Vuln L0)

Cursory – Indicates that some type of organizationally defined vulnerability analysis has been performed on the organization’s application space, and that the verification requirements were not provided by this hybrid framework

• Org understands vulnerabilities should be patched
• May have some loose patching process
• Not using vulnerability scanning tools

Page 22: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 1 (ASVS Vuln L1)

Opportunistic – Indicates that the organization can adequately defend itself against application security vulnerabilities that are easy to discover

Such vulnerabilities are typically discovered with minimal to low effort, and cannot be considered a thorough inspection of the applications

Threats to the application will most likely come from attackers using simple techniques and automated tools

Page 23: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 1 (ASVS Vuln L1)

• No dedicated InfoSec/Risk group
• Reliance on MS Patch Tuesday alerts
• Process in place for monthly MS patches on user workstations and servers within a reasonable time frame (~45 days)
• User workstation non-MS applications patched based on app alerts and user willingness (Java, Flash, etc.)
• Sporadic additional “threat intelligence” (InfoWorld, The Register, etc.)
• May have open source vulnerability scanning tools

Page 24: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 2 (ASVS Vuln L2)

Standard – Indicates that the organization can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk

Such vulnerabilities include the SANS Top 20 and OWASP Top 10

The majority of business applications should work towards this level

Threats to the application will most likely come from opportunistic attackers, and possibly some motivated actors

Page 25: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 2 (ASVS Vuln L2)

• Dedicated InfoSec/Risk group
• Vulnerability Intelligence feed/subscriptions
• Formal monthly review of previous 30 days worth of MS and non-MS known vulnerabilities

• Centralized CMS for vulnerability intelligence data (probably manual, could be automated)

• InfoSec/Risk group may manually enter vuln events into enterprise ticketing system

• Defined standard for reviewing intelligence with escalation processes

Page 26: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 2 (ASVS Vuln L2)

• Commercial/Open Source tools used for enterprise scanning

• Standard for business asset scanning (off hours, no DOS, authenticated vs. unauthenticated, etc.)

• Focused on primarily WIN/*NIX and network assets

Page 27: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 3 (ASVS Vuln L3)

Advanced – Indicates that the organization can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design

Level 3 requires inspections of in house application’s design and 3rd party risk standards

Level 3 is appropriate for critical applications that protect life, critical infrastructure and/or defense functions

Threats to the organization will be from motivated actors and nation-states

Page 28: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 3 (ASVS Vuln L3)

• Vulnerability intelligence feeds tied to enterprise inventory systems

• InfoSec/Risk team analyzes/flags intelligence alerts in CMS systems that auto-create tickets in enterprise ticketing system

• Support teams work tickets as part of normal workflows

• Sample sets of workstation vulnerability scans
• Phones/Printers/UPS/NAS devices scanned
• All scan reports are auto-posted to internal vulnerability management CMS
• InfoSec/Risk team reviews scan reports and flags for ticket creation
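The Level 3 flow on this slide (intelligence feed matched against the enterprise inventory, matches flagged, tickets auto-created and worked by support teams) as an added Python example. This is illustration code written for this page, not code from the talk, a scanner vendor or a ticketing product. Everything in it is a constructed assumption: the inventory entries, the feed schema with an `id`, `product` and first `fixed_in` version, the SLA table, and the `TicketQueue` class that stands in for the enterprise ticketing system.

```python
from dataclasses import dataclass, field

# Constructed asset inventory (hypothetical): host -> owning team, network zone,
# and installed software versions, as an inventory/CMDB export would supply them.
INVENTORY = {
    "web01": {"owner": "web-ops",    "zone": "dmz",      "software": {"widgetd": "2.3.9", "httpd-x": "1.6.2"}},
    "app02": {"owner": "app-team",   "zone": "internal", "software": {"jrt": "7.0.45", "widgetd": "2.4.1"}},
    "db03":  {"owner": "dba",        "zone": "internal", "software": {"dbsrv": "5.6.17", "widgetd": "2.4.1"}},
    "prn04": {"owner": "facilities", "zone": "internal", "software": {"printer-fw": "2.1"}},
}

# Constructed intelligence feed entries (hypothetical schema): affected product,
# first fixed version, and the severity the feed assigns. Product names are made up.
FEED = [
    {"id": "ADV-0001", "product": "widgetd", "fixed_in": "2.4.1",  "severity": "critical"},
    {"id": "ADV-0002", "product": "jrt",     "fixed_in": "7.0.51", "severity": "high"},
    {"id": "ADV-0003", "product": "dbsrv",   "fixed_in": "5.6.10", "severity": "moderate"},
]

# Assumed remediation SLA in days by severity, halved for DMZ hosts.
# A policy choice for the example, not something the talk prescribes.
SLA_DAYS = {"critical": 14, "high": 30, "moderate": 90, "low": 180}


def parse_version(text):
    """'2.4.1' -> (2, 4, 1). Non-numeric fragments compare as 0, which is fine for
    dotted numeric versions; replace this for distro-style epochs and suffixes."""
    parts = []
    for seg in text.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, fixed_in):
    """True when the installed build predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def affected_hosts(advisory, inventory):
    """Yield (host, installed_version) for every asset running a vulnerable build."""
    for host, asset in inventory.items():
        installed = asset["software"].get(advisory["product"])
        if installed is not None and is_affected(installed, advisory["fixed_in"]):
            yield host, installed


def sla_days(advisory, asset):
    days = SLA_DAYS.get(advisory["severity"], SLA_DAYS["low"])
    return max(1, days // 2) if asset["zone"] == "dmz" else days


@dataclass
class TicketQueue:
    """Stand-in for the enterprise ticketing system. Keyed on (advisory, host) so that
    re-running the feed, or a later scan finding the same issue, never opens a duplicate."""
    tickets: dict = field(default_factory=dict)

    def open(self, advisory, host, asset, installed):
        key = (advisory["id"], host)
        if key in self.tickets:
            return False
        self.tickets[key] = {
            "advisory": advisory["id"], "host": host, "owner": asset["owner"],
            "installed": installed, "fixed_in": advisory["fixed_in"],
            "severity": advisory["severity"], "sla_days": sla_days(advisory, asset),
            "status": "new",
        }
        return True

    def by_owner(self):
        """Service-owner view: how many tickets each team currently holds."""
        counts = {}
        for t in self.tickets.values():
            counts[t["owner"]] = counts.get(t["owner"], 0) + 1
        return counts


def run_pipeline(feed, inventory, queue=None):
    """Match each advisory against the inventory and open one ticket per affected host."""
    if queue is None:
        queue = TicketQueue()
    for advisory in feed:
        for host, installed in affected_hosts(advisory, inventory):
            queue.open(advisory, host, inventory[host], installed)
    return queue


if __name__ == "__main__":
    q = run_pipeline(FEED, INVENTORY)
    for key, t in sorted(q.tickets.items()):
        print(key, t["owner"], t["severity"], "SLA %d days" % t["sla_days"])
```

The dedup key is the part worth copying: without it, every feed refresh and every monthly scan re-opens the same issue and the service owners stop reading the tickets, which defeats the accountability the talk is after. The version comparison is deliberately naive; in practice you would take the affected-version logic from the feed or package manager rather than reimplement it.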

Page 29: Enterprise Class Vulnerability Management Like A Boss

Application

Applying ASVS 2014 to Vulnerability Management

Level 3 (ASVS Vuln L3)

• Flagged scan reports trigger ticket auto-creation in enterprise ticketing system

• Support teams work on tickets as part of normal workflows

• Stakeholder and service owner reporting

Also …

Page 30: Enterprise Class Vulnerability Management Like A Boss

Metrics!!!

Page 31: Enterprise Class Vulnerability Management Like A Boss

Metrics!!!

Vulnerability Management Metrics

Accurate Asset Inventory

Scan Periods
• How often are assets scanned?
  • Internal servers
  • DMZ servers
  • Public Facing servers
  • User endpoints
  • Network infrastructure
  • Network enabled printers/UPS/NAS/etc.

Page 32: Enterprise Class Vulnerability Management Like A Boss

Metrics!!!

Vulnerability Management Metrics

Scope of Scan
• Discovery
• Unauthenticated
• Authenticated with User credentials
• Authenticated with Admin credentials

Number and Types of Hosts Scanned
• Percentages vs. entire asset population

Number of Vulnerabilities Discovered
• Critical
• High
• Moderate
• Low

Page 33: Enterprise Class Vulnerability Management Like A Boss

Metrics!!!

Vulnerability Management Metrics

Vulnerabilities by Status
• New
• Active
• Reopened
• Verified
• Excepted
• Pending Remediation
• Fixed

Page 34: Enterprise Class Vulnerability Management Like A Boss

Metrics!!!

Vulnerability Management Metrics

Time to Remediation
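The metrics from the last four slides (scan coverage as a percentage of the asset population, vulnerabilities by severity and by status, time to remediation) as an added Python example that computes them from a scan export. This is illustration code for this page, not from the talk or any scanner. The findings rows, the asset counts per class, the sets of hosts the scan touched, the as-of date and the SLA table used for the overdue check are all constructed; a real run would read the scanner's CSV/XML export and the inventory system instead.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, median

# Constructed asset population by class (hypothetical inventory/CMDB counts).
INVENTORY = {"internal_server": 40, "dmz_server": 6, "endpoint": 300, "network": 25, "iot": 12}

# Constructed record of which hosts the last scan period actually touched, per class.
SCANNED = {
    "internal_server": {"srv%02d" % i for i in range(1, 37)},   # 36 of 40
    "dmz_server": {"dmz%02d" % i for i in range(1, 7)},         # all 6
    "endpoint": {"ws%03d" % i for i in range(1, 31)},           # sample set of 30
    "network": set(),                                           # missed this period
    "iot": {"prn01", "ups01"},                                  # printers/UPS barely covered
}

# Assumed remediation SLA in days by severity (a policy choice for the example, not from the talk).
SLA_DAYS = {"critical": 14, "high": 30, "moderate": 90, "low": 180}

# Constructed findings export: one row per (host, vulnerability), ISO dates, None = not fixed.
FINDINGS = [
    {"host": "dmz01", "cls": "dmz_server",      "severity": "critical", "status": "new",      "first_seen": "2015-03-25", "fixed": None},
    {"host": "dmz02", "cls": "dmz_server",      "severity": "critical", "status": "active",   "first_seen": "2015-02-01", "fixed": None},
    {"host": "srv01", "cls": "internal_server", "severity": "high",     "status": "fixed",    "first_seen": "2015-02-10", "fixed": "2015-03-01"},
    {"host": "srv02", "cls": "internal_server", "severity": "high",     "status": "fixed",    "first_seen": "2015-02-15", "fixed": "2015-03-28"},
    {"host": "srv03", "cls": "internal_server", "severity": "moderate", "status": "excepted", "first_seen": "2014-12-01", "fixed": None},
    {"host": "srv04", "cls": "internal_server", "severity": "critical", "status": "fixed",    "first_seen": "2015-03-10", "fixed": "2015-03-20"},
    {"host": "srv05", "cls": "internal_server", "severity": "moderate", "status": "pending",  "first_seen": "2014-12-20", "fixed": None},
    {"host": "ws001", "cls": "endpoint",        "severity": "high",     "status": "new",      "first_seen": "2015-03-30", "fixed": None},
    {"host": "ws002", "cls": "endpoint",        "severity": "low",      "status": "active",   "first_seen": "2015-01-05", "fixed": None},
    {"host": "prn01", "cls": "iot",             "severity": "critical", "status": "reopened", "first_seen": "2015-01-20", "fixed": None},
]


def coverage(inventory=INVENTORY, scanned=SCANNED):
    """Percent of each asset class touched by the scan; a 0.0 is a blind spot, not a clean bill."""
    return {cls: round(100.0 * len(scanned.get(cls, ())) / total, 1)
            for cls, total in inventory.items()}


def open_by_severity(findings=FINDINGS):
    """Everything not yet fixed, exceptions included, so accepted risk stays visible."""
    return dict(Counter(f["severity"] for f in findings if f["status"] != "fixed"))


def by_status(findings=FINDINGS):
    return dict(Counter(f["status"] for f in findings))


def days_between(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def time_to_remediation(findings=FINDINGS):
    """Mean and median days from first detection to fix, per severity, over fixed findings."""
    samples = defaultdict(list)
    for f in findings:
        if f["status"] == "fixed" and f["fixed"]:
            samples[f["severity"]].append(days_between(f["first_seen"], f["fixed"]))
    return {sev: {"n": len(d), "mean": mean(d), "median": median(d)} for sev, d in samples.items()}


def sla_breaches(as_of, findings=FINDINGS, sla=SLA_DAYS):
    """Open, non-excepted findings older than their severity SLA, oldest first: the escalation list."""
    late = []
    for f in findings:
        if f["status"] in ("fixed", "excepted"):
            continue
        age = days_between(f["first_seen"], as_of)
        if age > sla[f["severity"]]:
            late.append((f["host"], f["severity"], age))
    return sorted(late, key=lambda t: -t[2])


def report(as_of):
    """The stakeholder/service-owner report as one dict, ready to serialise."""
    return {"coverage_pct": coverage(), "open_by_severity": open_by_severity(),
            "by_status": by_status(), "time_to_remediation": time_to_remediation(),
            "sla_breaches": sla_breaches(as_of)}


if __name__ == "__main__":
    import json
    print(json.dumps(report("2015-04-01"), indent=2))
```

Two things the numbers make obvious that a raw scan report does not: coverage is reported against the inventory, not against what the scanner happened to find, so an unscanned network class shows up as 0% rather than as zero vulnerabilities; and excepted findings are kept out of the overdue list but still counted as open exposure, so risk acceptances stay on the stakeholder report instead of quietly disappearing.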

Page 35: Enterprise Class Vulnerability Management Like A Boss

Examples


Page 43: Enterprise Class Vulnerability Management Like A Boss

Wrap Up

ASVS/Vulnerability Management Application Gains

Security Focused, business aligned ESA element

Implementable Framework Based on Business Need

L3 CMS/Ticketing Integration

Vulnerability Ownership and Accountability

Metrics

Page 44: Enterprise Class Vulnerability Management Like A Boss

Q&A and References

Arctec Group, Security Architecture Blueprint: http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf

OWASP Application Security Verification Standard 2014: https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf

Contact: [email protected] / @rockiebrockway