Vulnerability Management: What You Need to Know to Prioritize Risk
Agenda 
Vulnerability scans 
Vulnerability scores 
Vulnerability remediation 
Threat intelligence 
USM demo 
Q&A
About AlienVault 
Unified Security Management 
Threat Detection 
Incident Response 
Policy Compliance
Yeah, It’s Bad 
Vulnerabilities by Vendor – 2013 
Source: http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/
But It’s Always Been Bad 
Source: Symantec Internet Security Threat Report - 2013
Nothing Goes Away…Ever 
Source: Symantec Internet Security Threat Report - 2013
The Need for Vulnerability Management 
Too many compromises due to: 
• Unknown systems 
• Unknown data 
• Unpatched vulns 
Need a process to determine what to patch, work around, or live with
Vulnerability Management Lifecycle 
Assess 
Prioritize 
Monitor 
Remediate 
Mitigate
Poll #1 
How many of you have an active Vulnerability Management program? 
Yes 
No 
Don’t Know
Poll #2 
For those who said No, what is keeping you from deploying a Vulnerability Management program? 
Tools 
Staff time 
Staff training 
I’m protected by UTM / NGFW / IPS / Advanced Antimalware … 
Don’t know
Detection is the New Black 
“There's a trend underway in the information security field to shift from a prevention mentality to a focus on rapid detection” 
“Your detection & response capabilities are more important than blocking & prevention”
Assessment Scans 
Combination of Techniques is Ideal 
Passive/Continuous: Monitors network traffic 
Active: Sends data to devices to generate a response 
Credential: Logs on to individual systems 
Agent: Dedicated agent installed on a subset of devices 
Benefits: Visibility, Asset Values, Grouping
Vulnerability Prioritization 
CVSS: Common Vulnerability Scoring System 
• Base Metric Score from 0-10 
- 7.0 - 10.0 = High 
- 4.0 - 6.9 = Medium 
- 0 - 3.9 = Low 
- Average = 6.8 
Sources: www.first.org/cvss 
www.cvedetails.com
Prioritizing Remediation & Mitigation 
Understanding the Context 
Other software installed on these systems? 
What systems communicate with these systems? 
What traffic do these vulnerable hosts generate? 
Are these systems targeted by malicious hosts? 
Have these systems generated any alarms previously? 
Is there a patch or workaround available?
Threat Correlation & Intelligence 
Risk = Assets x Vulnerabilities x Threats 
Correlation is Essential 
• Correlate asset information with vulnerability data and threat data 
• Correlate IDS alarms with vulnerabilities 
- Is the host being attacked actually vulnerable to the exploit attempt? 
Threat Intelligence 
• Threat landscape is constantly changing 
• Tools need to keep pace
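The two slides above (CVSS bands, and Risk = Assets x Vulnerabilities x Threats with IDS alarms correlated against actual vulnerabilities) as a small worked prioritization pass. This is an added example, not AlienVault code or the USM product's scoring; the hosts, asset values, alarms and CVE identifiers are constructed placeholders, and the threat weighting (double the risk when an alarm hits a host that is genuinely vulnerable to that CVE) is an assumption chosen for illustration.

```python
"""Added example: rank findings by asset value x CVSS x threat, and flag
IDS alarms that target a CVE the host is not actually vulnerable to."""
from dataclasses import dataclass


def cvss_band(score: float) -> str:
    """Map a CVSS base score to the deck's High / Medium / Low bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str      # placeholder ids below, not real CVEs
    cvss: float


@dataclass(frozen=True)
class Alarm:
    host: str
    cve: str      # CVE the IDS signature claims is being exploited


def prioritize(findings, asset_values, alarms):
    """Return (ranked findings, alarms against non-vulnerable hosts).

    risk = asset_value * cvss * threat, where threat is 2.0 (assumed weight)
    when an IDS alarm for that exact CVE hit that host, else 1.0. Alarms whose
    CVE the host does not carry are returned separately as likely noise."""
    vulnerable = {(f.host, f.cve) for f in findings}
    attacked = {(a.host, a.cve) for a in alarms}
    noise = sorted(attacked - vulnerable)
    ranked = []
    for f in findings:
        threat = 2.0 if (f.host, f.cve) in attacked else 1.0
        risk = asset_values.get(f.host, 1) * f.cvss * threat
        ranked.append((round(risk, 1), f.host, f.cve, cvss_band(f.cvss)))
    ranked.sort(reverse=True)
    return ranked, noise


# Constructed sample data: a low-value kiosk with a High, a high-value
# database with a High, and a web server with a Medium that is being attacked.
FINDINGS = [Finding("db01", "CVE-0000-0001", 9.3),
            Finding("kiosk7", "CVE-0000-0002", 7.5),
            Finding("web01", "CVE-0000-0003", 5.0)]
ASSET_VALUES = {"db01": 5, "web01": 4, "kiosk7": 1}
ALARMS = [Alarm("web01", "CVE-0000-0003"), Alarm("db01", "CVE-0000-0009")]

if __name__ == "__main__":
    ranked, noise = prioritize(FINDINGS, ASSET_VALUES, ALARMS)
    for row in ranked:
        print(row)
    print("alarms against non-vulnerable hosts:", noise)
```

With this data the Medium on the attacked, high-value web server outranks the High on the kiosk, which is the point of correlating context rather than sorting by CVSS alone.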
No Silver Bullet 
Limitations of Vulnerability Management 
• Can’t patch everything at once 
• Patch ≠ No Compromise 
- Focused, patient attacker will get in 
• BYOD = No patch 
• Zero-day = No patch 
• Do the names Edward Snowden or Bradley Manning ring a bell?
5 Tips 
1. Think like an attacker 
• They may not be after your data 
2. It all starts with the network 
• Regular network assessment scans are essential 
3. Unify & automate security controls 
• You can’t keep up with the data 
4. Use threat intelligence to prioritize remediation 
• Only way to keep up with changing landscape 
5. Remember it is an ongoing process 
• It does not end with a checkbox
Asset Discovery 
• Active Network Scanning 
• Passive Network Scanning 
• Asset Inventory 
• Host-based Software Inventory 
Vulnerability Assessment 
• Network Vulnerability Testing 
• Remediation Verification 
Threat Detection 
• Network IDS 
• Host IDS 
• Wireless IDS 
• File Integrity Monitoring 
Behavioral Monitoring 
• Log Collection 
• Netflow Analysis 
• Service Availability Monitoring 
Security Intelligence 
• SIEM Event Correlation 
• Incident Response 
Our Approach
OTX + AlienVault Labs 
Threat Intelligence Powered by Open Collaboration
USM Demo 
Tom D’Aquino 
VP Worldwide Systems Engineering