Enterprise Class Vulnerability Management Like A Boss
Transcript of Enterprise Class Vulnerability Management Like A Boss
Rockie Brockway
Business Risk Director
Black Box Network Services
Bio
23 Year veteran in InfoSec/Risk
All certs have expired (including those I’ve taught)
Business Systems and Impact Analyst (Risk)
Enterprise Security Architect
Penetration/Red Team Tester
Speaker/Trainer/BSidesCLE
Musician/Woodworker/Landscaper/Hacker
[email protected]
http://www.linkedin.com/pub/rockie-brockway/9/634/641
@rockiebrockway
Brief History Lesson
The Compliance Conundrum
Sure are lots of them
Sure are a lot of tools that map out overlaps
Many are focused on protecting certain data types
Others are best practice frameworks
But at the end of the day …
Information is Beautiful
Breach Business Impact Continues to Grow
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
IT Spend vs. Breaches
IT/InfoSec spend increasing, breaches continue to increase
As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect
[Chart: IT Spend in trillions (Gartner) vs. Breaches (Verizon DBIR), 2007-2014]
Project and/or Compliance = Incorrect
Breach Business Impact Continues to Grow
Reasons: While most orgs understand data protection is a crucial strategic business issue, they continue to approach it on either
• A project by project basis and/or
• From a Compliance perspective
The reality is that data security inherently relates to financial business risk and must be treated as a function of the business itself
Complexity in the Enterprise
From the Enterprise to the Application, more complexity means less security
Simple, individual projects do not need “Architecture”
“Architecture” is required to successfully fit an individual project into a larger, more complex set of projects
Organizing Complexity Through Architecture
The SABSA Information Systems Architecture paper lays out the following (paraphrasing):
Like the design of buildings and cities, information architecture must take into consideration:
• Organizational goals to be achieved by the systems
• The environment where the systems will be built and used
• The technical capabilities required to build and operate the systems
Enterprise Security Architecture
Benefits of Enterprise Security Architecture
• Brings focus to the key areas of concern for the business
• Allows business owners to make educated security/risk decisions without having to be an infosec professional
• Enables disparate Enterprise Security groups to understand their role in the business
• METRICS!
• Encourages repeatable processes
• Organizes your Enterprise’s complexity
• Focuses on Security, not Compliance (but still maps to compliance, we still have auditors :P)
• Reduces the likelihood your organization will contribute to informationisbeautiful.net
Enterprise Security Architecture
Security inherently relates to business risk and must be treated as a board supported function of the business
Enterprise Security Architecture aligns organizational business strategy and goals with the protection of the organization’s business critical data
Process
Vulnerability Management
The set of all processes for discovering, reporting and mitigating known vulnerabilities at any layer
Vulnerability Management is typically broken down into Intelligence/Patching activities and Scanning activities
It is critical to have vulnerability accountability and ownership throughout the enterprise, with the associated metrics
Process
Vulnerability Management Challenges
• Moore’s Law – Malware evolves at equal speed
• Reactionary – In order for vulnerability scanning tools to be effective, they must already know about the vulnerability
• Intelligence – Having knowledge of the latest attacks and trends and if/how they affect your assets is crucial
• Communication – Effectively transferring the knowledge of vulnerability data to the service owners
• Accountability – Ensuring that the discovered vulnerabilities are remediated/mitigated and communicated back out to the service owners
• Metrics – IS needs to be able to communicate the value of the vulnerability management program back to the business
Process
Vulnerability Management Goals
• Improved intelligence for quicker decision making and response
• Buy in from all service owners/stakeholders
• All primary asset types being regularly scanned
  • Servers
  • Web Applications
  • Network assets
  • User endpoints
  • Network enabled printers/UPS/NAS/etc.
• Integration of existing Vulnerability Management tools with existing business ticketing systems
• Service Owner and Stakeholder reporting with associated metrics
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
http://www.irongeek.com/i.php?page=videos/bsidescolumbus2015/defense00-got-software-need-a-security-test-plan-got-you-covered-bill-sempf
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 0
Cursory – Indicates that some type of organizationally defined review has been performed on the application, and that the verification requirements were not provided by ASVS
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 1 (ASVS L1)
Opportunistic – Indicates that the application can adequately defend itself against application security vulnerabilities that are easy to discover
Such vulnerabilities are typically discovered with minimal to low effort, and cannot be considered a thorough inspection of the application
Threats to the application will most likely come from attackers using simple techniques and automated tools
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 2 (ASVS L2)
Standard – Indicates that the application can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk
Such vulnerabilities include the OWASP Top 10 and Business Logic vulnerabilities
The majority of business applications should work towards this level
Threats to the application will most likely come from opportunistic attackers, and possibly some motivated actors
Inspiration
OWASP Application Security Verification Standard (ASVS) 2014
Level 3 (ASVS L3)
Advanced – Indicates that the application can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design
Level 3 requires an inspection of an application’s design
Level 3 is appropriate for critical applications that protect life, critical infrastructure and/or defense functions
Threats to the application will be from motivated actors and nation-states
Inspiration
We can build on and improve this
Application
Applying ASVS 2014 to Vulnerability Management
Level 0 (ASVS Vuln L0)
Cursory – Indicates that some type of organizationally defined vulnerability analysis has been performed on the organization’s application space, and that the verification requirements were not provided by this hybrid framework
• Org understands vulnerabilities should be patched
• May have some loose patching process
• Not using vulnerability scanning tools
Application
Applying ASVS 2014 to Vulnerability Management
Level 1 (ASVS Vuln L1)
Opportunistic – Indicates that the organization can adequately defend itself against application security vulnerabilities that are easy to discover
Such vulnerabilities are typically discovered with minimal to low effort, and cannot be considered a thorough inspection of the applications
Threats to the application will most likely come from attackers using simple techniques and automated tools
Application
Applying ASVS 2014 to Vulnerability Management
Level 1 (ASVS Vuln L1)
• No dedicated Infosec/Risk group
• Reliance on MS patch Tuesday alerts
• Process in place for monthly MS patches on user workstations and servers within a reasonable time frame (~45 days)
• User workstation non-MS applications based on app alerts and user willingness (Java, Flash, etc.)
• Sporadic additional “threat intelligence” (infoworld, the register, etc.)
• May have open source vulnerability scanning tools
Application
Applying ASVS 2014 to Vulnerability Management
Level 2 (ASVS Vuln L2)
Standard – Indicates that the organization can adequately defend itself against prevalent application security vulnerabilities of moderate to serious risk
Such vulnerabilities include the SANS Top 20 and OWASP Top 10
The majority of business applications should work towards this level
Threats to the application will most likely come from opportunistic attackers, and possibly some motivated actors
Application
Applying ASVS 2014 to Vulnerability Management
Level 2 (ASVS Vuln L2)
• Dedicated InfoSec/Risk group
• Vulnerability Intelligence feed/subscriptions
• Formal monthly review of previous 30 days worth of MS and non-MS known vulnerabilities
• Centralized CMS for vulnerability intelligence data (probably manual, could be automated)
• InfoSec/Risk group may manually enter vuln events into enterprise ticketing system
• Defined standard for reviewing intelligence with escalation processes
Application
Applying ASVS 2014 to Vulnerability Management
Level 2 (ASVS Vuln L2)
• Commercial/Open Source tools used for enterprise scanning
• Standard for business asset scanning (off hours, no DOS, authenticated vs. unauthenticated, etc.)
• Focused on primarily WIN/*NIX and network assets
Application
Applying ASVS 2014 to Vulnerability Management
Level 3 (ASVS Vuln L3)
Advanced – Indicates that the organization can adequately defend itself against all advanced application security vulnerabilities and shows principles of good security design
Level 3 requires inspection of in-house application design and 3rd party risk standards
Level 3 is appropriate for critical applications that protect life, critical infrastructure and/or defense functions
Threats to the organization will be from motivated actors and nation-states
Application
Applying ASVS 2014 to Vulnerability Management
Level 3 (ASVS Vuln L3)
• Vulnerability intelligence feeds tied to enterprise inventory systems
• InfoSec/Risk team analyzes/flags intelligence alerts in CMS systems that auto-create tickets in enterprise ticketing system
• Support teams work tickets as part of normal workflows
• Sample sets of workstation vulnerability scans
• Phones/Printers/UPS/NAS devices scanned
• All scan reports are auto-posted to internal vulnerability management CMS
• InfoSec/Risk team reviews scan reports and flags for ticket creation
Application
Applying ASVS 2014 to Vulnerability Management
Level 3 (ASVS Vuln L3)
• Flagged scan reports trigger ticket auto-creation in enterprise ticketing system
• Support teams work on tickets as part of normal workflows
• Stakeholder and service owner reporting
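The L3 workflow above, intelligence feeds tied to the enterprise inventory with tickets auto-created for the service owners of affected assets, as an added example that is not from the talk. Advisory ids, product names, hosts, owners, the ticket layout and the per-severity target days are constructed placeholders (the talk itself only cites ~45 days for routine patching at L1).

```python
"""Added example, not from the talk: match a vulnerability intelligence feed against
an asset inventory and auto-create tickets for the owners of affected assets.
Every identifier and value below is a constructed placeholder."""
from datetime import date, timedelta

# Constructed CMDB export: host, service owner and installed software versions.
INVENTORY = [
    {"host": "web-01", "owner": "web-team",
     "software": {"exampleweb": "2.3.1", "exampleshd": "8.9"}},
    {"host": "db-01", "owner": "dba-team",
     "software": {"exampledb": "11.2", "exampleshd": "8.4"}},
    {"host": "print-07", "owner": "facilities",
     "software": {"printfw": "1.0.5"}},
]

# Constructed intelligence feed: advisory id, affected product, first fixed version, severity.
FEED = [
    {"id": "ADV-EXAMPLE-1", "product": "exampleshd", "fixed_in": "8.8", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "product": "exampledb", "fixed_in": "11.3", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "product": "otherapp", "fixed_in": "4.0", "severity": "moderate"},
]

# Assumed remediation targets in days by severity; placeholders to tune to your own policy.
TARGET_DAYS = {"critical": 7, "high": 30, "moderate": 45, "low": 90}


def version_tuple(version):
    """Compare dotted numeric versions as integer tuples so that '8.10' > '8.9'."""
    return tuple(int(part) for part in version.split("."))


def match_feed(feed, inventory):
    """One (advisory, asset) pair for every installed version below the fixed version."""
    matches = []
    for adv in feed:
        for asset in inventory:
            installed = asset["software"].get(adv["product"])
            if installed and version_tuple(installed) < version_tuple(adv["fixed_in"]):
                matches.append({"advisory": adv, "asset": asset, "installed": installed})
    return matches


def create_tickets(matches, opened=date(2015, 5, 1), targets=TARGET_DAYS):
    """Turn matches into ticket records assigned to the asset owner, with a due date."""
    tickets = []
    for m in matches:
        adv, asset = m["advisory"], m["asset"]
        tickets.append({
            "id": f"VULN-{len(tickets) + 1:04d}",  # constructed ticket key
            "assignee": asset["owner"],
            "host": asset["host"],
            "advisory": adv["id"],
            "severity": adv["severity"],
            "summary": (f"{adv['product']} {m['installed']} on {asset['host']} "
                        f"is below fixed version {adv['fixed_in']}"),
            "opened": opened.isoformat(),
            "due": (opened + timedelta(days=targets[adv["severity"]])).isoformat(),
        })
    return tickets


def unmatched_advisories(feed, matches):
    """Advisories touching nothing in inventory: record them as not applicable, with the reason."""
    hit = {m["advisory"]["id"] for m in matches}
    return [adv["id"] for adv in feed if adv["id"] not in hit]


if __name__ == "__main__":
    found = match_feed(FEED, INVENTORY)
    for ticket in create_tickets(found):
        print(ticket["id"], ticket["assignee"], ticket["severity"], ticket["due"], ticket["summary"])
    print("not applicable:", unmatched_advisories(FEED, found))
```

The not-applicable list matters as much as the tickets: an analyst closing an advisory with a recorded reason is what makes the monthly review auditable, and it is only possible when the inventory holds version data the matcher can compare.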
Also …
Metrics!!!
Metrics!!!
Vulnerability Management Metrics
Accurate Asset Inventory
Scan Periods
• How often are assets scanned?
  • Internal servers
  • DMZ servers
  • Public Facing servers
  • User endpoints
  • Network infrastructure
  • Network enabled printers/UPS/NAS/etc.
Metrics!!!
Vulnerability Management Metrics
Scope of Scan
• Discovery
• Unauthenticated
• Authenticated with User credentials
• Authenticated with Admin credentials
Number and Types of Hosts Scanned
• Percentages vs. entire asset population
Number of Vulnerabilities Discovered
• Critical
• High
• Moderate
• Low
Metrics!!!
Vulnerability Management Metrics
Vulnerabilities by Status
• New
• Active
• Reopened
• Verified
• Excepted
• Pending Remediation
• Fixed
Metrics!!!
Vulnerability Management Metrics
Time to Remediation
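The metrics listed on the preceding slides (scan coverage against the asset population, findings by severity and by status, and time to remediation) computed over a constructed scan export, as an added example that is not from the talk. Host names, dates, the record layout and the per-severity SLA days are all constructed for the example.

```python
"""Added example, not from the talk: vulnerability management metrics over a
constructed scan export. Hosts, dates, record layout and SLA days are made up."""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, median

# Constructed asset inventory grouped by asset type: the entire asset population.
INVENTORY = {
    "internal_server": ["app-01", "app-02", "app-03", "app-04"],
    "dmz_server": ["dmz-01", "dmz-02"],
    "user_endpoint": ["ws-0001", "ws-0002", "ws-0003", "ws-0004", "ws-0005"],
    "printer": ["print-07"],
}

# Constructed list of hosts the last scan cycle actually reached. A clean host produces
# no findings, so coverage must come from the scan log, not from the findings table.
SCANNED_HOSTS = ["app-01", "app-02", "app-03", "dmz-01", "dmz-02",
                 "ws-0001", "ws-0002", "print-07"]

# Constructed findings using the status lifecycle from the slides.
FINDINGS = [
    {"host": "app-01", "severity": "critical", "status": "fixed",
     "first_seen": date(2015, 3, 2), "fixed_on": date(2015, 3, 9)},
    {"host": "app-01", "severity": "high", "status": "active",
     "first_seen": date(2015, 3, 2), "fixed_on": None},
    {"host": "app-02", "severity": "moderate", "status": "excepted",
     "first_seen": date(2015, 1, 15), "fixed_on": None},
    {"host": "dmz-01", "severity": "critical", "status": "fixed",
     "first_seen": date(2015, 2, 20), "fixed_on": date(2015, 3, 12)},
    {"host": "dmz-02", "severity": "low", "status": "new",
     "first_seen": date(2015, 3, 20), "fixed_on": None},
    {"host": "ws-0001", "severity": "high", "status": "reopened",
     "first_seen": date(2015, 2, 1), "fixed_on": None},
    {"host": "ws-0002", "severity": "high", "status": "fixed",
     "first_seen": date(2015, 3, 1), "fixed_on": date(2015, 3, 31)},
]

# Assumed remediation SLA in days per severity; tune to your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90, "low": 180}


def scan_coverage(inventory, scanned):
    """Percentage of each asset type reached by the scan, plus the overall figure."""
    scanned = set(scanned)
    out, total, hit = {}, 0, 0
    for asset_type, hosts in inventory.items():
        n = sum(1 for h in hosts if h in scanned)
        out[asset_type] = round(100.0 * n / len(hosts), 1)
        total += len(hosts)
        hit += n
    out["overall"] = round(100.0 * hit / total, 1)
    return out


def count_by(findings, key):
    """Findings tallied by one field, e.g. 'severity' or 'status'."""
    return dict(Counter(f[key] for f in findings))


def time_to_remediation(findings):
    """Mean/median days from first_seen to fixed_on, overall and per severity."""
    per_sev = defaultdict(list)
    for f in findings:
        if f["status"] == "fixed" and f["fixed_on"]:
            per_sev[f["severity"]].append((f["fixed_on"] - f["first_seen"]).days)
    all_days = [d for days in per_sev.values() for d in days]
    result = {"overall": {"mean": mean(all_days), "median": median(all_days), "count": len(all_days)}}
    for sev, days in per_sev.items():
        result[sev] = {"mean": mean(days), "median": median(days), "count": len(days)}
    return result


def open_past_sla(findings, as_of=date(2015, 4, 1), sla_days=SLA_DAYS):
    """Unremediated findings older than their severity SLA. 'excepted' is accepted risk
    with an owner's sign-off, so it is reported separately rather than as an SLA miss."""
    return [f for f in findings
            if f["status"] in ("new", "active", "reopened")
            and (as_of - f["first_seen"]).days > sla_days[f["severity"]]]


if __name__ == "__main__":
    print("coverage %:", scan_coverage(INVENTORY, SCANNED_HOSTS))
    print("by severity:", count_by(FINDINGS, "severity"))
    print("by status:", count_by(FINDINGS, "status"))
    print("time to remediation:", time_to_remediation(FINDINGS))
    print("past SLA:", [f["host"] for f in open_past_sla(FINDINGS)])
```

Coverage is reported per asset type on purpose: an overall figure hides the case, common at L1 and L2, where servers are scanned every month while endpoints and network printers are barely touched.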
Examples
Wrap Up
ASVS/Vulnerability Management Application Gains
Security Focused, business aligned ESA element
Implementable Framework Based on Business Need
L3 CMS/Ticketing Integration
Vulnerability Ownership and Accountability
Metrics
Q&A and References
Arctec Paper
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
Application Security Verification Standard 2014
https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf
Contact: [email protected]
@rockiebrockway