Vulnerability Management Article Anthology, Vol. 1


Five Tripwire cybersecurity pros share their expertise on how to reduce risk from vulnerabilities and threats

CONFIDENCE:SECURED

Advanced Threat Protection, Security and Compliance


ARTICLE 1: Adapting VM to Address Advanced Persistent Threats

David Meltzer | March 13, 2014

There are two things that just about every CISO in the world has today. First, a vulnerability management program: in addition to being one of the top SANS Critical Security Controls and part of numerous other compliance frameworks, vulnerability management is generally accepted today as basic security hygiene for corporate networks. Second, they worry about how advanced persistent threats (APTs) may impact their business. More than just on the mind of the CISO, APTs are now front-page news. Unfortunately, there is no silver bullet solution to protect against APTs, but are there ways to adjust and tailor the products and programs already in place to raise the bar against this new breed of more sophisticated attackers? For vulnerability management, the answer is undoubtedly yes.

ATTACKERS ARE FINDING VULNERABILITIES FASTER, AND SO SHOULD YOU

When I talk to people about how often they're scanning as part of their vulnerability management programs, weekly or monthly is a much more frequent response than hourly or daily. But an attacker who has already reached a soft target inside the network today is using techniques to lock in and attack core targets far more frequently than that. The techniques themselves are not new.

I gave a demonstration in 2004 on how a sophisticated attacker can watch corporate networks for new servers. Once powered on, the servers are remotely exploited before an administrator even gets the first login prompt, much less applies the first set of updates. It was theoretical a decade ago; today it is reality.

It is not practical or actionable to scan every device every hour across a large network, but it is certainly possible to increase the frequency of scanning on the most critical assets within a network and to identify new critical security risks quickly after they first appear. Ask the question: how can we scan the most important assets more frequently and take action on the critical issues that are found?

EXPLOIT YOUR OWN ADVANTAGE AGAINST ATTACKERS: CREDENTIALS

It can feel like a losing battle trying to stay ahead of attackers who are armed with more sophisticated tools for breaking into the network than we have for protecting it. So you had better exploit every advantage you have. An attacker would love to be able to log right into your servers and see what they might attack, but they have to start on the outside and work their way in. You don't!

The days of effective non-credentialed scanning are winding down for vulnerability management, if they are not already over. There are simply too many client-side and local vulnerabilities, and it is dramatically more effective, efficient, and comprehensive to scan a device from the inside than to take a purely external view. If you do not already have credentialed access to your critical assets as part of your vulnerability management program, it's time to get that done.

TAKE A FRESH LOOK AT SCOPE

APT attackers are looking for the softest, easiest way into the network. All too often, it turns out these are places that ended up out of scope of vulnerability management programs in the past. The old network view of desktops, servers, and network devices isn't cutting it in 2014. Remote offices, cloud servers, mobile devices, and homes are all vectors of attack.

Take homes, for example; it is easy enough to ignore them completely, and quite frankly most companies do. But does it make sense to think about the risks here? Would an attacker think about them? While you certainly do not want to treat an employee's home network the same way you would the most critical corporate servers, it may be time to stop ignoring those networks completely.

Even if it's only an educational outreach, something can and should be done to reduce the risk. Many broadband providers provide free security products for their users, many consumer-oriented anti-malware vendors have free offerings, and in vulnerability management we offer a solution in the form of Tripwire SecureScan.

Will adapting your vulnerability management program with these three ideas totally secure your network from APTs? Absolutely not. Be wary of any vendor that claims it has a miracle solution. Will making some incremental improvements to vulnerability management this year further reduce risk and maybe make it just a little bit harder for a sophisticated attacker to succeed with an attack?

Absolutely yes.

ARTICLE 2: System Hardening: Defend Like An Attacker

IRFAHN KHIMJI | March 16, 2014

In information security, there are attackers and defenders. Attackers usually stay attackers and defenders usually stay defenders; defenders tend to think like defenders, while attackers tend to think like both attackers and defenders.

See something missing? Defenders also need to think like attackers. Easier said than done. If you were an attacker, where would you start? Sun Tzu wrote The Art of War ~2,500 years ago, outlining some guiding principles for attackers that we can apply in information security today:

1. Speed is the essence of war.

2. Travel by unexpected routes.

3. Take advantage of the enemy's unpreparedness.

4. Strike him where he has taken no precaution.

Now let's take these attacking principles and look at how we in InfoSec can defend against attacks.

Numbers one and two fall into the category of knowing your environment. You can't protect what you don't know. If the attacker figures it out before you do, they have an advantage. All they need is a point of entry. Once they find the weakest link, they can work their way up the chain.

Number three involves being prepared for an attack. Once you've figured out what you have, you need to make sure that it's locked down: not locked to the point that it is rendered unusable, but configured in a way that makes it difficult enough for attackers to be deterred.

Number four leads into ensuring you are continuously checking for any holes. As defenses wear down, like water wears down a rock, holes may open up. Continuously checking for holes gives you the opportunity to find and fill them before an attacker does.

These three defending principles tie in exactly to the first four of what the Council on CyberSecurity calls the Top 20 Critical Security Controls. Here are the first four, along with some of the steps the Council recommends to get some quick wins for your organization.

INVENTORY YOUR AUTHORIZED AND UNAUTHORIZED HARDWARE

Actively manage (inventory, track, correct) all hardware devices on your network. Only authorized devices should be allowed on the network. Attackers are always looking for forgotten systems, be they BYOD that wasn't patched or something that was turned on and forgotten about, to use as a stepping-stone into the organization.

Know what you have before they do! Quick wins:

• Deploy an asset discovery tool which actively scans the organization's public and private networks to build an inventory.

• Deploy a DHCP server which logs and improves the inventory through the DHCP information.

• Ensure all new equipment is updated in your asset management system.

INVENTORY YOUR AUTHORIZED AND UNAUTHORIZED SOFTWARE

Actively manage (inventory, track, correct) the software installed on the devices you found in the previous control. Only authorized software should be allowed on the network. Attackers are always looking for quick wins: unpatched software or vulnerabilities that they can point and shoot at with automated and remote exploit kits to own our systems.

Sometimes it's as simple as opening an e-mail attachment or clicking a link ("Check out my family vacation pictures!" "UPS has a package waiting for you!").

Know what you have before they do! Quick wins:

• Build a list of authorized software and match it against what you have installed.

• Track changes to that list, either through change monitoring or whitelisting.

• Perform regular scanning for unauthorized software, or monitor in real time.

SECURE CONFIGURATION MANAGEMENT

Default configurations are an attacker's dream: they know the defaults, so it's like walking into a building with the blueprints!

Before systems are deployed in the network they should be hardened. This could cover the operating system, applications, ports, and/or services on the devices. Common best-practice frameworks include CIS, ISO, SOX, PCI, etc. There are plenty out there, more or less the same with minor differences. Pick what works best for you and your industry.

Almost every organization I've talked to takes one of these standards, examines which controls are viable for their environment (e.g., password length 8 instead of 6) and applies them.

If you already have a regulatory body overseeing your devices, then you're already familiar with this. An all-too-frequent error I see, however, is that the systems in scope of that audit are very well taken care of, but everything outside of that scope falls into the forgotten-system category. Quick wins:

• Establish and ensure the use of standard secure configurations of your operating systems.

• Update operating systems and software; if they're too old to be updated, remove them.

• Limit administrative privileges.

• Follow strict SCM practices; exceptions/modifications should be documented in change management.

• Have a master image that is integrity checked and protected; compromised systems should be reimaged.

VULNERABILITY MANAGEMENT AND REMEDIATION

Shrink that attack surface! Continuously scan for vulnerabilities and patch high-risk findings. If you are able to patch vulnerabilities that are automated or easy to exploit and that give the attacker remote and/or privileged access, you've just made the life of the attacker very difficult.

When they do eventually find a hole (no one can patch everything), they will see that it is very difficult to get in, deterring them from doing the work.

Attackers love low-hanging fruit! If they are determined enough to get in, then having secure configurations, as described above, covers you for integrity checking and monitoring their activity. Quick wins:

• Run automated vulnerability scans at least weekly and target remediation of high-risk vulnerabilities.

• Correlate findings with event logs to identify which exploits detected on the exterior target systems that are actually vulnerable on the interior.

• Perform authenticated vulnerability scans with a dedicated administrative account.

• Subscribe to vulnerability intelligence feeds to stay aware of emerging threats.

To sum it up: know your environment, lock down and secure, and shrink that attack surface!
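The "correlate findings with event logs" quick win, worked through as an added example (not from the article or from Tripwire): constructed perimeter IDS exploit-attempt log lines are joined with constructed authenticated-scan findings, so attempts against hosts that really carry the targeted vulnerability surface first and attempts against non-vulnerable hosts drop to the bottom. The log format, addresses and VULN-… identifiers are all made up for the example.

```python
"""Correlate perimeter exploit attempts with internal vulnerability findings.

Added example. Everything below (scan results, IDS log format, vulnerability
ids) is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed authenticated-scan findings: host -> vulnerabilities actually present.
SCAN_FINDINGS = {
    "10.0.0.5": {"VULN-2014-0001", "VULN-2014-0007"},
    "10.0.0.9": {"VULN-2014-0003"},
    "10.0.0.12": set(),
}

# Constructed perimeter IDS log (syslog-like, one event per line). The last
# line is a non-exploit event the parser must ignore.
IDS_LOG = """\
2014-03-16T10:01:02Z ids[311]: EXPLOIT_ATTEMPT src=203.0.113.7 dst=10.0.0.5 sig="rpc overflow" vuln=VULN-2014-0001
2014-03-16T10:01:09Z ids[311]: EXPLOIT_ATTEMPT src=203.0.113.7 dst=10.0.0.9 sig="rpc overflow" vuln=VULN-2014-0001
2014-03-16T10:02:44Z ids[311]: EXPLOIT_ATTEMPT src=198.51.100.2 dst=10.0.0.12 sig="web shell upload" vuln=VULN-2014-0003
2014-03-16T10:03:10Z ids[311]: EXPLOIT_ATTEMPT src=198.51.100.2 dst=10.0.0.9 sig="web shell upload" vuln=VULN-2014-0003
2014-03-16T10:05:00Z ids[311]: PORTSCAN src=198.51.100.2 dst=10.0.0.5
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) \S+ EXPLOIT_ATTEMPT src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'sig="(?P<sig>[^"]*)" vuln=(?P<vuln>\S+)$'
)


def parse_events(log_text):
    """Yield exploit-attempt events as dicts; lines of other types are skipped."""
    for line in log_text.splitlines():
        match = EVENT_RE.match(line)
        if match:
            yield match.groupdict()


def correlate(events, findings):
    """Split events into those that hit a host confirmed vulnerable to the
    targeted issue (exposed) and those that did not (lower-priority noise)."""
    exposed, not_exposed = [], []
    for event in events:
        if event["vuln"] in findings.get(event["dst"], set()):
            exposed.append(event)
        else:
            not_exposed.append(event)
    return exposed, not_exposed


def remediation_priority(exposed):
    """Rank (host, vulnerability) pairs by how many attempts have targeted them,
    most-targeted first; ties broken by host then id for a stable report."""
    counts = defaultdict(int)
    for event in exposed:
        counts[(event["dst"], event["vuln"])] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    exposed, noise = correlate(parse_events(IDS_LOG), SCAN_FINDINGS)
    print(f"{len(exposed)} attempt(s) against vulnerable hosts, {len(noise)} against non-vulnerable")
    for (host, vuln), hits in remediation_priority(exposed):
        print(f"fix first: {host} {vuln} ({hits} attempt(s) seen)")
```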

ARTICLE 3: Configuration Compliance Also Includes Vulnerability Management

FEDERICO DELAMORA | SEPTEMBER 16, 2013

Around twenty years ago, several individuals associated with universities started building the first vulnerability checkers.

Ironically, these nascent tools were designed mainly to scan the configuration of Unix workstations and servers instead of looking for actual vulnerabilities in the code.

The latter functionality was developed commercially a few years later. I said ironically because the industry has now moved in the reverse direction: several vulnerability management vendors are now developing configuration checks within their vulnerability scanners, or even developing or acquiring full configuration auditing scanners.

BASIC CONFIGURATION CHECKS

I have seen two main types of organizations where the technology has turned a full circle. In the first type, organizations relatively new to vulnerability management require vendors to include basic configuration checks in their vulnerability scanners. Basic configuration checks typically include identification of easy-to-guess credentials and detection of shared file systems.

ENTERPRISE-GRADE VULNERABILITY SCANNERS

The second type of organization has deployed an enterprise-grade vulnerability scanner, but has additional configuration auditing and reporting needs that cannot be met with the existing solution. On the one hand, vulnerability scanners work mainly (but not exclusively) in binary mode: their job is to answer with a simple yes or no whether a given vulnerability is present.

As a result, vulnerability data is fairly compact (e.g., "Vulnerability ID 1234 is present") and can be presented in a few pages, assuming some level of de-duplication is used when generating a report.

CONFIGURATION AUDITING SCANNERS

On the other hand, configuration auditing scanners can execute tens of thousands of technical configuration checks across many heterogeneous IT platforms. In addition, configuration data is multi-valued, instead of being just binary. Let's take a directory service like Microsoft Active Directory (AD) as an example.

When the configuration scanner interrogates AD for a list of users, AD will return a variable number of usernames in addition to a variable amount of configuration information for each username, including group memberships and access rights. This process generates enormous amounts of data that far exceed the amount of vulnerability data collected by a similar or the same scanner.

Another platform that can return a widely variable amount of configuration information is a web server. One of the first queries the scanner will have to send to the server is a request for each one of the virtual web servers. This is followed by a query requesting the configuration information from each web server, e.g., folders and access rights, URLs, installed plug-ins, etc.

The amount and complexity of the data gathered by a configuration auditing solution is significant. If the vulnerability data is merged into the compliance data, the former would become a tiny subset of the overall configuration of each asset.

Configuration reports on a specific asset could include operating system configuration, including hotfixes, and middleware and enterprise application configuration, as well as vulnerability information sitting side by side with the other, larger slices of configuration data.

The integration of vulnerability and compliance solutions will bring tremendous benefits to organizations. First, it could reduce administrative overhead and facilitate credentials management, as currently each scanner might require a separate set of credentials to scan a given asset.

Second, an integrated solution would simplify vulnerability and compliance data correlation, analysis and reporting. Finally, an integrated view would allow risk managers to easily visualize vulnerability and configuration issues that, when combined, would increase the overall risk of the asset, e.g., a password policy issue combined with a remotely exploitable vulnerability in the operating system that could lead to full remote access.

ARTICLE 4: Common Vulnerability Management Questions

IRFAHN KHIMJI | MARCH 4, 2014

In the field, I hear a lot of questions on vulnerability management. The questions I hear most often are "How do I know what to fix first?" and "That's a false positive!" Okay, so the second one is more of a statement; a statement that aggravates information security analysts and management alike.

In this post, I'm going to talk a bit about these two questions and then I want to hear from you. Tell me what types of questions you hear about vulnerability management and how you address them.

I hope I get enough feedback to spur a follow-up post. Here we go!

HOW DO I KNOW WHAT TO FIX FIRST?

There are many ways various vendors classify their vulnerabilities and prioritize their patches. Some of our favorites release patch updates once a month on a regular cycle and say to start with some and finish with others.

Criticals, Highs, Mediums, Lows, 1-10, etc.: there are many ways of scoring. Most people I've talked to will start with their Criticals or Highs or 10s, depending on which system they are using, and export them to a spreadsheet.

Next, they will take in various feeds to determine the criticality of those already-marked critical vulnerabilities. This is done by assessing what privilege the attacker will get upon successful exploitation and how easy it is for an attacker to exploit that vulnerability.

This process yields a prioritization matrix of some sort, from which the analyst will then pick the top ones to send to their system administrator to go and remediate. Give or take on the minor details, this is a very common, yet time-consuming, practice.

The matrix often yields a result similar to this:

THAT'S A FALSE POSITIVE!

This one is a bit trickier. Is it a false positive, is it potentially vulnerable, or is it something that we actually need to fix?

There are different vulnerability scanning methodologies out there. Each vulnerability is generally tied to a specific file version, registry key, service, etc., or a combination of one or more. If you are actually checking for those particular vulnerable versions, then you know whether you have a vulnerability or not.

On the other hand, if you're working backwards and checking for the absence of remediation, you could end up in a less accurate situation. For example: Vulnerabilities 1, 2, 3, 4, and 5 all have individual patches but also have Patch A that remediates them all.

METHOD 1: VULNERABILITY SCANNING METHODOLOGY

• I ran a vulnerability scan and found that I was vulnerable to vulnerabilities 2 and 4.

• I can remediate both vulnerabilities with Patch A or with the individual patches for each of those two vulnerabilities.

METHOD 2: PATCH DETECTION METHODOLOGY

• I ran a vulnerability scan that uses the missing-patches methodology and found that I am missing Patch A; therefore it says I am vulnerable or potentially vulnerable to vulnerabilities 1, 2, 3, 4, and 5.

• I've already patched 1, 3, and 5 individually, so this type of detection yields a high level of false positives or potentially vulnerable instances that I need to go and investigate.

Personally, I think method one is the smarter way to go. It is more accurate and saves a lot of time investigating potential false positives.
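The two methodologies above, modelled as an added example (not from the article): five vulnerabilities V1..V5 in one product, individual patches P1..P5, and a cumulative Patch A that remediates all five, with the host having applied P1, P3 and P5 individually. Method 1 checks the file version that marks the vulnerable state; Method 2 only checks whether Patch A is installed. Component names, version numbers and patch ids are constructed.

```python
"""Method 1 (vulnerability check) vs. Method 2 (missing-patch check).

Added example, not from the article. Component names, version numbers and
patch ids are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    component: str            # file whose version marks the vulnerable state
    fixed_version: Version    # first version that is no longer vulnerable
    patches: FrozenSet[str]   # patch ids that remediate this vulnerability


@dataclass
class Host:
    file_versions: Dict[str, Version]
    installed_patches: Set[str] = field(default_factory=set)


# Vn lives in compn.dll; shipped version (1, n, 0) is vulnerable, (1, n, 1) is fixed.
# Each Vn is closed by its own patch Pn or by the cumulative Patch A.
VULNS: List[Vulnerability] = [
    Vulnerability(f"V{n}", f"comp{n}.dll", (1, n, 1), frozenset({f"P{n}", "A"}))
    for n in range(1, 6)
]


def apply_patch(host: Host, patch_id: str, vulns: List[Vulnerability]) -> None:
    """Record the patch and bump every component it fixes to its fixed version."""
    host.installed_patches.add(patch_id)
    for v in vulns:
        if patch_id in v.patches:
            current = host.file_versions.get(v.component, (0,))
            host.file_versions[v.component] = max(current, v.fixed_version)


def method1_vulnerability_scan(host: Host, vulns: List[Vulnerability]) -> List[str]:
    """Check the actual indicator: is the file still below its fixed version?"""
    return sorted(
        v.vid for v in vulns
        if host.file_versions.get(v.component, (0,)) < v.fixed_version
    )


def method2_patch_detection(host: Host, vulns: List[Vulnerability],
                            cumulative: str = "A") -> List[str]:
    """If the cumulative patch is absent, report everything it covers, whether
    or not an individual patch already closed a given vulnerability."""
    if cumulative in host.installed_patches:
        return []
    return sorted(v.vid for v in vulns if cumulative in v.patches)


def compare(host: Host, vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Use Method 1 as ground truth to label Method 2's extra findings."""
    truth = set(method1_vulnerability_scan(host, vulns))
    reported = set(method2_patch_detection(host, vulns))
    return {
        "method1": sorted(truth),
        "method2": sorted(reported),
        "false_positives": sorted(reported - truth),
    }


def example_host() -> Host:
    """Host shipped vulnerable to V1..V5, then P1, P3 and P5 applied individually."""
    host = Host(file_versions={f"comp{n}.dll": (1, n, 0) for n in range(1, 6)})
    for patch in ("P1", "P3", "P5"):
        apply_patch(host, patch, VULNS)
    return host


if __name__ == "__main__":
    host = example_host()
    for key, value in compare(host, VULNS).items():
        print(f"{key:16s} {value}")
    apply_patch(host, "A", VULNS)  # the cumulative patch makes both methods agree
    print("after Patch A   ", compare(host, VULNS))
```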

ARTICLE 5: Five Tips for Measuring Progress In Information Security

TIM ERLIN | SEPTEMBER 24, 2013

In my post on Measuring and Reporting on Vulnerability Risk, I talked about how rankings and categories make for some easy-to-understand graphs, but they tend to fail at meaningfully measuring progress over time.

It's tempting to use the standard output of your information security products as the basis for tracking progress, but counting the numbers of Highs, Mediums and Lows simply isn't an accurate representation of overall progress.

These kinds of operational metrics, such as vulnerability counts, are attractive as a means of measuring progress, or more importantly for communicating progress, because they're intuitive: if we focus on patching vulnerabilities, then the vulnerability count should go down.

There are, however, a number of important considerations to take into account when measuring progress in vulnerability management specifically, or information security in general. Here are five tips for improving your ability to measure progress and communicate effectively in information security.

1. USE METRICS THAT MATTER

In order to communicate progress, you need a destination. Very simply, security is not a destination by itself. We've all heard the phrase that security is a process, not a destination. It's true, but it's misleading.

You're not going to suddenly arrive at security, no doubt, but that doesn't mean information security shouldn't have objectives and measure progress against them. Start with objectives, and build metrics to measure progress against them. If you're not sure what your objectives are, then that's a good indicator that you won't achieve them.

An outside framework, like the Council on CyberSecurity's Critical Security Controls, can help give structure to your efforts. Information security has a tendency to be myopic about risk. When you talk about risk at the business level, risk and opportunity are a pair.

Too often, we pick metrics in information security that inherently foster fear, uncertainty and doubt. Measuring things like vulnerability counts, number of attacks, or viruses blocked is very effective at ensuring information security remains irrelevant to the business.

What are the metrics that matter to the business? That depends on *your* business, and perhaps more importantly, on the objectives of your information security organization.

2. MEASURE PERFORMANCE, NOT ACTIVITY

All metrics are not the same; there are different types, such as state, operational and performance. When aiming to track progress in information security, make sure you're using performance metrics. State metrics measure some kind of fact, like anti-virus signature versions or scan progress.

Operational metrics measure an activity; this is where the suspect counts tend to show up, such as spam blocked and vulnerabilities found. Performance metrics measure against a goal or objective. These types of metrics are what measure progress, and that's what you want to communicate outside of information security.

3. UNDERSTAND THAT VENDORS ARE GENERALISTS

As a vendor, our objective is to solve problems by selling product. In order to do that effectively, we need to solve a problem that lots of people are willing to pay for. By definition, that means we're generalists, rather than specialists, when it comes to your business.

When specificity is required, successful product vendors add flexibility, not features. That means you can't blindly rely on the product to produce the results you require to measure performance. Vendors should be very good at operational and state metrics, but performance is specific to your objectives (see "Measure to Objectives").

4. PLAN FOR SCALE

We all know that you can't protect what you don't know about. An effective measurement of performance includes some indication of the unknown unknowns. If you're running a vulnerability management project, then you have to include comprehensiveness of coverage (are you scanning all your assets?).

If you're auditing for policy compliance, you need to articulate what percentage of the relevant assets is being measured. If you leave this aspect of program performance out, you are simply providing misleading results.

5. GET ROLL-UPS RIGHT

Individual key performance indicators aren't enough, or more accurately, they're too much. You may have KPIs to measure many aspects of a project, and many projects running in parallel, but you get one or two slides at best to represent performance to non-security executives.

Inside information security you don't have the time to review every KPI for every group. You need a series of tiered roll-ups that represent abstracted performance to objectives, with the ability to drill into problem areas and get at the underlying KPIs.

On the surface, this may seem straightforward, but it gets tricky when you start trying to combine different types of metrics into a single roll-up. Consider how you can normalize the metrics into a roll-up by measuring distance from a target.
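Tips 4 and 5 worked through as an added example (not from the article): KPIs with unlike units (days, counts, percentages) are normalized to the fraction of the baseline-to-target distance already covered, rolled up per objective and then per program, and the weakest coverage is carried alongside every score so an incomplete measurement cannot pose as good performance. Objective names, KPI names and all numbers are constructed.

```python
"""Tiered KPI roll-up normalized by distance from target.

Added example, not from the article. Each KPI has a baseline (where the
program started), a target, the current value and a direction of "better".
Progress is the share of the baseline-to-target distance already covered,
clamped to [0, 1]. Coverage is the share of in-scope assets actually measured.
All names and numbers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class KPI:
    name: str
    baseline: float
    target: float
    value: float
    lower_is_better: bool
    coverage: float = 1.0  # fraction of relevant assets measured, 0..1


def progress(k: KPI) -> float:
    """0.0 = no better than baseline, 1.0 = at or past target."""
    if k.baseline == k.target:
        return 1.0  # nothing to close; treat as met
    if k.lower_is_better:
        done, span = k.baseline - k.value, k.baseline - k.target
    else:
        done, span = k.value - k.baseline, k.target - k.baseline
    return max(0.0, min(1.0, done / span))


@dataclass
class Objective:
    name: str
    kpis: List[KPI] = field(default_factory=list)

    def roll_up(self) -> Dict[str, float]:
        """Mean progress of the KPIs; coverage is the weakest KPI's coverage,
        because the roll-up is only as complete as its least-measured input."""
        scores = [progress(k) for k in self.kpis]
        return {
            "score": sum(scores) / len(scores),
            "coverage": min(k.coverage for k in self.kpis),
        }


def program_roll_up(objectives: List[Objective]) -> Dict[str, object]:
    """Top tier for the executive slide, with per-objective detail for drill-down."""
    detail = {o.name: o.roll_up() for o in objectives}
    return {
        "score": sum(d["score"] for d in detail.values()) / len(detail),
        "coverage": min(d["coverage"] for d in detail.values()),
        "objectives": detail,
    }


def example_program() -> List[Objective]:
    """Constructed program: two objectives, each with two KPIs in different units."""
    return [
        Objective("Reduce exposure of critical assets", [
            KPI("critical vulns open > 30 days", baseline=400, target=0, value=100,
                lower_is_better=True, coverage=0.8),
            KPI("mean days to remediate criticals", baseline=60, target=14, value=37,
                lower_is_better=True, coverage=0.8),
        ]),
        Objective("Run servers on a hardened baseline", [
            KPI("% servers on hardened image", baseline=40, target=95, value=84,
                lower_is_better=False, coverage=0.6),
            KPI("failed CIS checks per server", baseline=20, target=2, value=11,
                lower_is_better=True, coverage=0.6),
        ]),
    ]


if __name__ == "__main__":
    report = program_roll_up(example_program())
    print(f"program: {report['score']:.1%} to target, coverage {report['coverage']:.0%}")
    for name, d in report["objectives"].items():
        print(f"  {name}: {d['score']:.1%} to target, coverage {d['coverage']:.0%}")
```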

It can be challenging to change any organization, but when you start measuring performance to objectives, you start to behave more like the business, which ultimately fosters more effective communication within and outside of information security.

ARTICLE 6: Microsoft Patches: Friend or Foe?

TYLER REGULY | NOVEMBER 10, 2013

If You Could Change One Thing about Your Job, What Would It Be?

I think this is a universally great question: for interview candidates, colleagues, friends and family, and even strangers. Everyone has an answer; no one loves everything about his or her job.

If you want to have an interesting conversation at home, ask your significant other this question and follow it up with "Why?" It's a question I often ask myself when I'm interested in self-reflection. After all, if the answer is "my boss" or "everyone I work with", it's probably time to look for a new job.

I figured, since the answer wasn't "my boss", that I'd share the one item I could change with everyone:

Question: If you could change one thing about your job, what would it be?

Answer: Microsoft's patch process.

Question: Why?

Answer: This is going to take a while.

It doesn't matter who I talk to (customers, colleagues, partners, friends, family, or strangers): Microsoft Security is one of the most confusing organizations in the world, and most people don't even realize the source of the problem; they just see something that's difficult to understand.

LET'S COMPARE MICROSOFT TO A COUPLE OF OTHER VENDORS:

MICROSOFT'S APPROACH TO PATCHING

At least once a month a series of patches will be released. These patches will fix vulnerabilities across a number of products. Sometimes you install one patch and sometimes you install 20 patches.

Sometimes you install three patches for a single vulnerability, and sometimes you install three patches for three instances of the same vulnerability. Sometimes the patches replace previous patches; some patches don't. Sometimes the patches replace a previous patch but only on certain software, and sometimes four patches replace a single patch.

APPLE'S APPROACH TO PATCHING

A new point release of OS X comes out, or a giant bundle named "Security Update -" is released. The exceptions are iTunes and Safari; they get their own patches. The downside is that the patches do not ship on a regular basis.

ADOBE'S APPROACH TO PATCHING

A patch is available. Your client updates or prompts you to update. You're done. These generally ship once a month.

Which process confuses you the most? Some people will say, "But Microsoft has the most products." This is true, but I've seen Microsoft security bulletins that include Windows, Office, SharePoint, Groove Server, and a dozen other platforms. Each will have its own patch (or multiple patches), and some won't be available via Automatic Updates or WSUS.

Which brings us to the next issue: Microsoft/Windows Update. Raise your hand if you remember when this was introduced. Windows Update only had your OS patches; Microsoft Update had your Office patches and others. Then it became a single service, or did it?

Did you know that if you run Automatic Updates like a good consumer, you're not necessarily fully patched? Given that Microsoft has an unprecedented end-of-life policy (a statement of how long software is supported), some of their software doesn't work with Automatic Updates (home user) and WSUS (enterprise user).

To make matters worse, since Microsoft can't get an automatic update mechanism that works with the same ease as other vendors' update systems, third-party patch management software was introduced. I've never seen one of these products work 100% correctly either. They're all flawed. The consumer thinks they are patched, though. Let's just heap on additional confusion.

One last point: Microsoft only releases patches for supported software, and they don't support all versions of an application, just the most recent service pack (or two). This means that a lot of products, their own Microsoft Baseline Security Analyzer included, will tell you that you aren't vulnerable to known vulnerabilities simply because the version of Windows you are running is considered outdated.

Yes, you should update, but there's a big difference between "fully patched" and "patches cannot be applied".

Over the next few months I intend to introduce some of the caveats of the Microsoft patch system in a series of blog posts. I want to add clarity for consumers of Microsoft patches. Stay tuned for more on the subject.

While you're waiting, tell me: if you could change one thing about your job, what would it be, and why?

ARTICLE 7: Improving Microsoft Patch Error Messages

TYLER REGULY | DECEMBER 2, 2013

In the previous chapter, I mentioned that the one thing I'd change about my job would be Microsoft's patch process. This is the first of several follow-up blog posts detailing how I would fix Microsoft bulletins and patches in order to change my answer.

I'm starting with the change that I feel would be easiest for Microsoft to implement: error messages in updates.

Microsoft may have the vaguest error messages of any vendor. When you're installing a security update, you should expect a working feedback system. If the patch doesn't install, you should know why from the error message.

If the update won't apply, you should know why it doesn't apply. Clearly the update was able to determine why it didn't apply; shouldn't there be an easy way to communicate that detection logic to the end user?

Let's take a look at a few of my favourite error messages:

• "This update has already been applied or is included in an update that has already been applied."

• "The expected version of the product was not found on the system."

• "The update does not apply to your system."

Now, before anyone says "run the update with logging", I want to point out a few things:

1. Logging doesn't always capture the reasons for the decisions.

2. Rerunning the patch to generate a log and reviewing said log is often outside the comfort zone of the end user.

3. Taking a more complex approach to solve a simple problem is not a valid solution.

So, let's take a look at these three error messages and how Microsoft could easily improve them.

"This update has already been applied or is included in an update that has already been applied."

In many ways this is the easiest fix: include the line of detection logic that determined the update has already been applied. Is it a registry key? Display it. Is it a specific file version? Tell us which file and the version. Is there another indicator? Let us know.

The slightly harder part would be the removal of the "or", depending on how the update's applicability was determined. Either way, it'd be nice if an error message was accurate enough to tell us exactly what was going on, rather than giving us a few possibilities.

"The expected version of the product was not found on the system."

This is the message that I find the most infuriating. There must be a dependency check that determines which versions of the application the update applies to, so tell me why the expected version was not found.

Does the update only apply to certain language packs? Do I have an older version of the product that is no longer supported? Am I missing a checkbox during the application install for a component that this update needs?

    ARTICLE 7: Improving Microsoft Patch Error Messages (cont.)

This could solve a lot of issues, the biggest one being that a person walks away thinking they aren't vulnerable to a critical issue when in reality they are. If the error message simply said, "The expected version of Office 2010 was not found on the system. Please update to a supported version," users would know to update their software.

The update does not apply to your system.

This is another error message that causes issues. Why doesn't the update apply? I've got the software from the bulletin installed, so where's the problem? This generally implies that a component is affected that you don't have installed.

Again, this could be easily resolved by simply telling the user which component you are looking for: "The update does not apply to your system because you haven't installed URL Lockdown for IIS."

Not only would these changes make life easier for end users, help desks, and vendors, they'd also increase security. A lot of people walk away from a system when they get one of these errors and assume they are safe.

This isn't always the case. Systems often end up more vulnerable due to the vague error messages, and it seems like fixing them would be an easy step toward improving the global security ecosystem.
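All three messages above hide a check the installer already ran. As an added example (not code from this anthology, from Tripwire, or from Microsoft's installers), the following Python models the detection logic the article names, a registry marker, a product file version and an optional component, against a constructed host snapshot and reports the exact check that decided the outcome, together with what it expected and what it found. The product name, file path, registry key, version numbers and the KB-EXAMPLE identifiers are illustrative assumptions; a real checker would read the same facts from the live system rather than from a snapshot. The evaluator also covers the case the article warns about, where a marker says "already applied" but the file on disk is still old.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'14.0.6029.1000' -> (14, 0, 6029, 1000), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class UpdateSpec:
    """Detection metadata an installer carries. All values are constructed."""
    name: str                    # hypothetical identifier, not a real KB number
    product: str                 # product name used in messages
    product_file: str            # file whose version identifies the product
    min_version: str             # lowest serviced product version (inclusive)
    fixed_version: str           # version the update raises product_file to
    marker_key: str              # registry key written on successful install
    required_component: Optional[str] = None   # optional component it patches
    superseded_by: tuple = ()    # later updates that include this fix


@dataclass
class SystemState:
    """Constructed host snapshot; a real checker would read these from Windows."""
    registry_keys: set
    file_versions: dict          # path -> version string
    components: set              # installed optional components
    installed_updates: set       # identifiers of updates already on the host


def check_applicability(update: UpdateSpec, host: SystemState) -> tuple:
    """Return (status, message). The message names the deciding check, what it
    expected and what it found, instead of one of the vague messages above."""
    actual = host.file_versions.get(update.product_file)
    if actual is None:
        return ("PRODUCT_MISSING",
                f"The expected version of {update.product} was not found: "
                f"{update.product_file} is not present on this system.")
    v_actual, v_min, v_fixed = (parse_version(v) for v in
                                (actual, update.min_version, update.fixed_version))
    if v_actual >= v_fixed:
        later = sorted(set(update.superseded_by) & host.installed_updates)
        if later:
            return ("SUPERSEDED",
                    f"{update.name} is included in {later[0]}, which is already "
                    f"installed: {update.product_file} is at {actual}.")
        return ("ALREADY_APPLIED",
                f"{update.name} has already been applied: {update.product_file} "
                f"is at {actual}, which is at or above {update.fixed_version}.")
    if update.marker_key in host.registry_keys:
        # Marker says installed, file says otherwise: the fix was rolled back or
        # overwritten. Reporting "already applied" here would leave the host exposed.
        return ("INCONSISTENT",
                f"Registry key {update.marker_key} says {update.name} is installed, "
                f"but {update.product_file} is at {actual}, below "
                f"{update.fixed_version}. Reinstall the update.")
    if v_actual < v_min:
        return ("UNSUPPORTED_VERSION",
                f"The expected version of {update.product} was not found: "
                f"{update.product_file} is {actual}, but this update services "
                f"{update.min_version} and later. Update to a supported version.")
    if update.required_component and update.required_component not in host.components:
        return ("COMPONENT_MISSING",
                f"{update.name} does not apply to your system because "
                f"{update.required_component} is not installed; the patched "
                f"code is not present.")
    return ("APPLICABLE",
            f"{update.name} applies: {update.product_file} is {actual}, below "
            f"{update.fixed_version}, and the required components are installed.")


# Constructed scenario: one update, several hosts that each trip a different check.
EXAMPLE_UPDATE = UpdateSpec(
    name="KB-EXAMPLE-1", product="ExampleSuite 2010",
    product_file=r"C:\Program Files\ExampleSuite\core.dll",
    min_version="14.0.4760.0", fixed_version="14.0.6029.0",
    marker_key=r"HKLM\SOFTWARE\Example\Updates\KB-EXAMPLE-1",
    required_component="WebComponents", superseded_by=("KB-EXAMPLE-2",),
)

def host(version=None, components=("WebComponents",), keys=(), updates=()):
    """Build a SystemState for one scenario (helper for the sample hosts)."""
    files = {} if version is None else {EXAMPLE_UPDATE.product_file: version}
    return SystemState(set(keys), files, set(components), set(updates))

SAMPLE_HOSTS = {
    "needs_patch": host("14.0.4760.1000"),
    "no_product": host(),
    "too_old": host("12.0.6612.1000"),
    "patched": host("14.0.6029.1000"),
    "later_rollup": host("14.0.7015.1000", updates=("KB-EXAMPLE-2",)),
    "no_component": host("14.0.4760.1000", components=()),
    "rolled_back": host("14.0.4760.1000", keys=(EXAMPLE_UPDATE.marker_key,)),
}

def run_examples() -> dict:
    """Map each sample host to the status the checker reports for it."""
    return {label: check_applicability(EXAMPLE_UPDATE, h)[0]
            for label, h in SAMPLE_HOSTS.items()}

if __name__ == "__main__":
    for label, h in SAMPLE_HOSTS.items():
        status, message = check_applicability(EXAMPLE_UPDATE, h)
        print(f"{label:13} {status:19} {message}")
```

The order of the checks is the point: the file version is consulted before the registry marker, so a host whose marker survived a rollback is reported as inconsistent rather than as already patched, and "does not apply" is only ever returned once the product and its version have been confirmed, so the user learns which component the decision rested on.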

ABOUT THE AUTHORS

FEDERICO DELAMORA
Federico is the Director of Enterprise Sales teams hunting for new business across the UK, Western Europe and Middle East & Africa (EMEA) for Tripwire, and is responsible for expanding the distribution channel.

TIM ERLIN
Tim Erlin is a Director of Product Management at Tripwire, and is responsible for the Suite360 product line including Vulnerability Management, Configuration Auditing, and Policy Compliance. Previously, in his nearly 10-year tenure at nCircle, he also held the positions of Senior Sales Engineer and QA Engineer. Tim's career in information technology began with project management and customer service, as well as systems and network administration. Tim is a member of ISSA, and frequently hosts corporate webinars on various topics, including regulatory compliance.

IRFAHN KHIMJI
Irfahn brings a wide range of expertise in the field of Information Security, specializing in Vulnerability Management, Compliance, Risk Identification and Scoring, as well as Social Engineering. He is a recognized leader in building Information Security solutions and customer satisfaction. He has experience providing technical security leadership and guidance to Fortune 500 accounts, as well as smaller companies, in several verticals including financial, energy/commercial, healthcare, and retail. See what he's thinking on Twitter @therealKhimji

ABOUT THE AUTHORS (cont.)

DAVID MELTZER
David is VP/Engineering at Tripwire, where he is responsible for the development of Tripwire's vulnerability management products including IP360 and PureCloud, as well as Tripwire Configuration Compliance Manager. David came to Tripwire in 2013 through its acquisition of nCircle, where he was Chief Technology Officer and VP/Engineering. David has been an entrepreneur, leader, software developer, security researcher, and generally obsessed with network security for the last two decades.

TYLER REGULY
Tyler Reguly is a Manager of Software Development with Tripwire, and a key member of VERT (Vulnerability and Exposure Research Team), where he focuses on web application security and vulnerability detection. Tyler is involved in industry initiatives such as CVSS-SIG and WASSEC, and has spoken at many security events, including SecTor and OWASP Toronto. Additionally, he has contributed to the Computer Systems Technology curriculum at Fanshawe College in London, Ontario by developing and teaching a number of security-related courses. Tyler is frequently quoted by security industry press and is a prolific blogger.

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire's portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at tripwire.com.

Security news, trends and insights at tripwire.com/blog. Follow us @tripwireinc on Twitter.

2014 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. brvmaav11a 201405
