What's Wrong with Vulnerability Management & How Can We Fix It


Transcript of What's Wrong with Vulnerability Management & How Can We Fix It

What’s Wrong with Vulnerability Management, and How Do We Fix It?

Michelle Johnson Cobb, VP Marketing, Skybox Security

July 23, 2015

[email protected]

© 2015 Skybox Security Inc. 2

Today’s Agenda

Skybox Security and our Vulnerability Research

2015 Enterprise Vulnerability Trends Report

Analysis and Recommendations

Product Demo – Skybox Vulnerability Control


Skybox Security Overview

Powerful security management platform

– Vulnerability and threat management

– Firewall management

– Network visibility and compliance

Popular Use Cases

– Discover risks that can lead to attack

– Analyze and prioritize vulnerabilities

– Suggest remediation actions – patch, block, reconfigure

Risk Analytics for Cyber Security


Skybox Vulnerability Research Team

Skybox Vulnerability Database

Research team aggregates 20+ vulnerability and threat feeds

Over 43,000 vulnerabilities on 1,400 products

Including products, vulnerabilities, IPS signatures, patches, malware patterns (worms)

Proprietary intelligence added by analysts

– Exploitation pre-conditions

– Likelihood of attack

– Conflict resolution

– Vulnerabilities with no CVE

– Remediation solutions

– Cross-references

Advisories: Adobe, Cisco PSIRT, Microsoft Security Bulletin, Oracle

Scanners: eEye Retina, IBM Scanner, McAfee Foundstone, QualysGuard, Rapid7 Nexpose, Tenable Nessus, Tripwire nCircle

IPS: Fortinet FortiGate, HP TippingPoint, IBM Proventia, McAfee IPS, Palo Alto Networks, Cisco Sourcefire

Other: CERT, Mitre CVE, NIST's NVD, Rapid7 Metasploit, Secunia, Symantec Security Focus, Symantec Worms


Global 2000 Organizations Worldwide Choose Skybox Security

Financial Services, Technology, Healthcare, Government & Defense, Consumer, Service Providers, Energy & Utilities


Face it, You Have (Lots of) Vulnerabilities

Most Vulnerable Vendors 2014 (chart)

Source: Skybox Vulnerabilitycenter.com, enterprise vulnerability database

5027 vulnerabilities (2014 Skybox enterprise vulnerability database)

Enterprise-scale network: 10K to 100K+ vulnerabilities at any time


How’s Your Vulnerability Management Program?

Well-coordinated process? OR constant whack-a-mole?


2015 Enterprise Vulnerability Trends Report

2015 analysis based on survey conducted Dec 2014

CIO/CISO, Security & Network Managers, Risk & Compliance Managers

Goals:

– VM tools used today

– Most common challenges

– Changes desired


Survey Demographics

974 respondents, 59 countries

66% large enterprise

17% mid-size, 17% SMB

Top 4 verticals: Financial Services 14%, ISP/Telecom 9%, Technology 7%, Gov/Defense 7%


Vulnerability Management Program Goals

In line with SANS critical controls guidelines for vulnerability identification, prioritization, remediation

Strong support for using vulnerability data for threat response

Surprise: PCI compliance down the list

52%


On the Road to Mature VM Policies


Finding Vulnerabilities: Multiple Scanners to Cover the Bases


How often do you scan? Today vs. Ideal

[Chart: Vulnerability Assessment Frequency, Current vs. Ideal. Categories: Never; Quarterly or less often; Monthly; Weekly; Multiple per week. Series: Current Frequency, Ideal Frequency. Vertical axis 0 to 50.]


Previous survey (2012) asked: Why don’t you scan as often as you’d like?

Source: 2012 Skybox Security Vulnerability Management Survey


How’s that Working for You?

Vulnerability assessment satisfaction: It’s a coin toss

CISOs: more ownership of the VM process; less likely to be satisfied with it


Less Satisfied with Analysis & Prioritization, and Remediation

Many respondents use 3rd party tools for analysis and prioritization

– Splunk

– Excel

– Skybox Security

– SIEMs

– Internally developed tools


Formal Policies Linked to Higher Satisfaction with VM Scanning


Top 10 Desired Improvements for VM

1 Update vulnerability data quickly following a new vulnerability or threat announcement

2 Include network and security context to prioritize risk more accurately

3 Reduce false positives

4 Get vulnerability data for network devices like firewalls

5 Remediate - Verify closure of vulnerabilities (track remediation)

6 Get accurate data without the need for authenticated scan

7-10 All operational improvements – reduce time to prioritize, reduce disruption, reduce time to scan, automate remediation


Recommendations


#1: Focus on VM Process Maturity

No policy? Create one. Have a policy? Make it better.

Track key metrics

Integrate with security controls

Automate the process as much as possible


#2 Strive for Continuous Assessment

[Chart: Frequency and Coverage. X-axis: % of Network Scanned (10% to 90%). Y-axis: Frequency, x/year (0 to 350).]

Where you need to be: daily process, 90%+ of hosts

Partner/External networks: avg. scan every 60-90 days, <50% of hosts

Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts

Source: Skybox 2012 VM Survey


#3 - Use Context to Triage Risks

Security Controls: Firewalls, IPS, VPNs

Network Topology: Routers, Load Balancers, Switches

Assets: Servers, Workstations, Networks

Vulnerabilities: Location, Criticality

Threats: Hackers, Insiders, Worms


#4 – Go Faster. Speed up Remediation.

50% of CVEs have known exploits 1 month after publish

Source: 2015 Verizon DBIR
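One way to turn the context categories from recommendation #3 (asset criticality, network location and reachability, compensating firewall and IPS controls) and the exploit-availability point from #4 into a triage order, as an added Python example that is not Skybox's code; the weighting scheme, host names and finding labels are constructed assumptions for illustration.

```python
"""Context-based triage: rank findings by asset criticality, network location
and reachability, compensating controls (firewall, IPS) and threat context
(known exploit) instead of by CVSS alone."""
from dataclasses import dataclass

# Hypothetical weighting scheme; all numbers here are illustrative assumptions.
EXPOSURE = {"dmz": 1.0, "partner": 0.8, "internal": 0.4}


@dataclass
class Finding:
    finding_id: str           # constructed label, not a real CVE id
    host: str                 # constructed host name
    cvss: float               # scanner base score, 0-10
    zone: str                 # "dmz", "partner" or "internal"
    asset_criticality: int    # 1 (low) .. 5 (critical)
    exploit_known: bool       # threat context: a public exploit exists
    reachable: bool = True    # firewall path from an untrusted source exists
    ips_covers: bool = False  # an in-path IPS signature already blocks it


def risk_score(f: Finding) -> float:
    """0-100 score: CVSS scaled by exposure and asset value, boosted when an
    exploit exists, discounted when a control already mitigates the path."""
    score = f.cvss * 10.0
    score *= EXPOSURE[f.zone] if f.reachable else 0.2   # blocked by firewall
    score *= 0.6 + 0.1 * f.asset_criticality            # 0.7 .. 1.1
    if f.exploit_known:
        score *= 1.5
    if f.ips_covers:
        score *= 0.5
    return round(min(score, 100.0), 1)


def triage(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (not real assets or vulnerabilities).
SAMPLE = [
    Finding("V-1", "web01", 9.8, "dmz", 5, exploit_known=True),
    Finding("V-2", "hr-fs", 9.8, "internal", 2, exploit_known=False),
    Finding("V-3", "b2b-gw", 7.5, "partner", 4, exploit_known=True, ips_covers=True),
    Finding("V-4", "kiosk", 7.5, "dmz", 3, exploit_known=False, reachable=False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.finding_id}  {f.host}  cvss={f.cvss}")
```

The two CVSS 9.8 findings end up at opposite ends of the list, and the lower-scored but exploitable partner-facing finding outranks the internal one even after the IPS discount.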

Contact our Sales Team for a Demo! http://lp.skyboxsecurity.com/ContactMe.html

Skybox Vulnerability Control