What’s Wrong with Vulnerability
Management, and How Do We Fix It?
Michelle Johnson Cobb
VP Marketing, Skybox Security
July 23, 2015
info@skyboxsecurity.com
www.skyboxsecurity.com
© 2015 Skybox Security Inc. 2
Today’s Agenda
 Skybox Security and our
Vulnerability Research
 2015 Enterprise Vulnerability
Trends Report
 Analysis and Recommendations
 Product Demo – Skybox
Vulnerability Control
Skybox Security Overview
 Powerful security management platform
– Vulnerability and threat management
– Firewall management
– Network visibility and compliance
 Popular Use Cases
– Discover risks that can lead to attack
– Analyze and prioritize vulnerabilities
– Suggest remediation actions – patch,
block, reconfigure
Risk Analytics for
Cyber Security
Skybox Vulnerability Research Team
Skybox Vulnerability Database
 Research team aggregates 20+ vulnerability
and threat feeds
 Over 43,000 vulnerabilities on 1,400 products
 Including products, vulnerabilities, IPS
signatures, patches, malware patterns (worms)
 Proprietary intelligence added by analysts
– Exploitation pre-conditions
– Likelihood of attack
– Conflict resolution
– Vulnerabilities with no CVE
– Remediation solutions
– Cross-references
Advisories
Adobe
Cisco PSIRT
Microsoft Security Bulletin
Oracle
Scanners
eEye Retina
IBM Scanner
McAfee Foundstone
QualysGuard
Rapid7 Nexpose
Tenable Nessus
Tripwire nCircle
IPS
Fortinet FortiGate
HP TippingPoint
IBM Proventia
McAfee IPS
Palo Alto Networks
Cisco Sourcefire
Other
CERT
Mitre CVE
NIST’s NVD
Rapid7 Metasploit
Secunia
Symantec Security Focus
Symantec Worms
Financial
Services
Technology Healthcare
Government
& Defense
Consumer
Service
Providers
Energy &
Utilities
Global 2000 Organizations Worldwide
Choose Skybox Security
Face it, You Have (Lots of) Vulnerabilities
[Chart: Most Vulnerable Vendors 2014. Source: Skybox Vulnerabilitycenter.com, enterprise vulnerability database]
5,027 vulnerabilities in 2014 (Skybox enterprise vulnerability database)
Enterprise-scale network: 10K to 100K+ vulnerabilities at any time
How’s Your Vulnerability Management
Program?
Well-coordinated process? OR constant whack-a-mole?
2015 Enterprise Vulnerability Trends Report
 2015 analysis based on
survey conducted Dec
2014
 CIO/CISO, Security &
Network Managers, Risk &
Compliance Managers
 Goals:
– VM tools used today
– Most common challenges
– Changes desired
Survey Demographics
 974 respondents, 59 countries
 66% large enterprise
 17% mid-size, 17% SMB
 Top 4 verticals: Financial
Services 14%,
ISP/Telecom 9%,
Technology 7%,
Gov/Defense 7%
Vulnerability Management Program Goals
 In line with SANS critical
controls guidelines for
vulnerability identification,
prioritization, remediation
 Strong support for using
vulnerability data for threat
response
 Surprise: PCI compliance
down the list
On the Road to Mature VM Policies
Finding Vulnerabilities:
Multiple Scanners to Cover the Bases
How often do you scan? Today vs. Ideal
[Chart: Vulnerability Assessment Frequency, Current vs. Ideal. Categories: Never; Quarterly or less often; Monthly; Weekly; Multiple per week. Series: Current Frequency, Ideal Frequency. Y-axis 0 to 50.]
Previous survey (2012) asked:
Why don’t you scan as often as you’d like?
Source: 2012 Skybox Security Vulnerability Management Survey
How’s that Working for You?
 Vulnerability
assessment satisfaction:
It’s a coin toss
 CISOs: more ownership of
the VM process; less likely to
be satisfied with it
Less Satisfied with Analysis & Prioritization,
and Remediation
 Many respondents use 3rd
party tools for analysis and
prioritization
– Splunk
– Excel
– Skybox Security
– SIEMs
– Internally developed tools
Formal Policies Linked to Higher
Satisfaction with VM Scanning
Top 10 Desired Improvements for VM
1 Update vulnerability data quickly following a new
vulnerability or threat announcement
2 Include network and security context to prioritize risk more
accurately
3 Reduce false positives
4 Get vulnerability data for network devices like firewalls
5 Remediate - Verify closure of vulnerabilities (track
remediation)
6 Get accurate data without the need for authenticated scan
7-10 All operational improvements – reduce time to prioritize,
reduce disruption, reduce time to scan, automate
remediation
Recommendations
#1: Focus on VM Process Maturity
 No policy? Create one.
Have a policy? Make it better.
 Track key metrics
 Integrate with security controls
 Automate the process as much as possible
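Two of the points above, tracking key metrics and verifying closure (desired improvement #5 on the earlier slide), come down to reconciling each new scan export against a ledger of known findings. The Python below is an example added to this page, not Skybox code: it keeps first-seen and closed-on dates per finding, counts a finding as closed only when its host was actually scanned and the finding is gone, and reports SLA breaches and mean time to remediate. The scan snapshots, host names, CVE identifiers and the SLA table are all constructed.

```python
"""Remediation tracking across scan cycles (illustration added to this page; not Skybox code).

Every scan export, host, CVE identifier and SLA value below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, int]  # (host, cve, port) identifies one finding across scans

# Assumed remediation policy: maximum days a finding may stay open, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def severity(cvss: float) -> str:
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium"


@dataclass
class Record:
    cvss: float
    first_seen: date
    last_seen: date
    closed_on: Optional[date] = None


@dataclass(frozen=True)
class Scan:
    run_on: date
    hosts: Set[str]             # hosts the scanner actually reached in this run
    findings: Dict[Key, float]  # finding -> reported CVSS


def reconcile(ledger: Dict[Key, Record], scan: Scan) -> Dict[str, int]:
    """Merge one scan into the ledger and return what changed.

    A finding absent from the scan is only marked closed when its host was in
    the scanned set; if the host was missed, the finding is reported as
    'unverified' and stays open, so a coverage gap never looks like a fix.
    """
    counts = {"new": 0, "persisting": 0, "closed": 0, "unverified": 0}
    for key, cvss in scan.findings.items():
        rec = ledger.get(key)
        if rec is None or rec.closed_on is not None:
            # First sighting, or a closed finding that has come back (regression):
            # either way the clock starts now.
            ledger[key] = Record(cvss, scan.run_on, scan.run_on)
            counts["new"] += 1
        else:
            rec.last_seen = scan.run_on
            rec.cvss = cvss
            counts["persisting"] += 1
    for key, rec in ledger.items():
        if rec.closed_on is not None or key in scan.findings:
            continue
        host = key[0]
        if host in scan.hosts:
            rec.closed_on = scan.run_on      # host scanned, finding gone: verified closure
            counts["closed"] += 1
        else:
            counts["unverified"] += 1        # host not scanned: not evidence of a fix
    return counts


def sla_breaches(ledger: Dict[Key, Record], today: date) -> List[Key]:
    """Open findings that have been open longer than their severity's SLA."""
    late = [
        key for key, rec in ledger.items()
        if rec.closed_on is None
        and (today - rec.first_seen).days > SLA_DAYS[severity(rec.cvss)]
    ]
    return sorted(late)


def mean_time_to_remediate(ledger: Dict[Key, Record]) -> Optional[float]:
    """Average days from first sighting to verified closure; None if nothing closed yet.

    First sighting is bounded by scan frequency, so with monthly scans this
    metric cannot resolve anything finer than about a month.
    """
    closed = [(r.closed_on - r.first_seen).days for r in ledger.values() if r.closed_on]
    return sum(closed) / len(closed) if closed else None


# ---- constructed sample scans ------------------------------------------------
SCAN_JUNE = Scan(date(2015, 6, 1), {"web-01", "hr-db", "kiosk-7"}, {
    ("web-01", "CVE-0000-1001", 443): 9.8,
    ("hr-db", "CVE-0000-1002", 1433): 7.5,
    ("kiosk-7", "CVE-0000-1003", 445): 9.8,
})
SCAN_JULY = Scan(date(2015, 7, 1), {"web-01", "hr-db"}, {   # kiosk-7 was offline
    ("hr-db", "CVE-0000-1002", 1433): 7.5,
    ("web-01", "CVE-0000-1005", 443): 6.5,
})


def run_example():
    ledger: Dict[Key, Record] = {}
    june = reconcile(ledger, SCAN_JUNE)
    july = reconcile(ledger, SCAN_JULY)
    breaches = sla_breaches(ledger, date(2015, 7, 2))
    return june, july, breaches, mean_time_to_remediate(ledger)


if __name__ == "__main__":
    june, july, breaches, mttr = run_example()
    print("June:", june)
    print("July:", july)
    print("Past SLA:", breaches)
    print("MTTR days:", mttr)
```

Run the reconcile step after every scan import and report "unverified" next to "closed": a dashboard that silently counts unscanned hosts as fixed produces the false-negative counterpart of the false positives respondents complain about. The regression case (a closed finding reappearing) is deliberately treated as new so the SLA clock restarts rather than inheriting the old first-seen date.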
#2 Strive for Continuous Assessment
[Chart: Frequency and Coverage. X-axis: % of network scanned (10% to 90%). Y-axis: scan frequency, times per year (0 to 350). Three points plotted:]
– Partner/External networks: avg. scan every 60-90 days, <50% of hosts
– Critical systems, DMZ: avg. scan every 30 days, 50-75% of hosts
– Where you need to be: daily process, 90%+ of hosts
Source: Skybox 2012 VM Survey
#3 - Use Context to Triage Risks
[Diagram: context sources feeding vulnerability triage]
– Security Controls: firewalls, IPS, VPNs
– Network Topology: routers, load balancers, switches
– Assets: servers, workstations, networks
– Vulnerabilities: location, criticality
– Threats: hackers, insiders, worms
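The slide names the context sources; the following Python example, added here and not part of the Skybox deck or product, shows one way to fold four of them into a triage score: asset criticality from the inventory, firewall-policy reachability from each threat origin (hacker on the internet, partner network, insider), an inline IPS signature as a compensating control, and exploit availability from a threat feed. All assets, rules, CVE identifiers and CVSS values are constructed sample input, and the weights are illustrative assumptions, not Skybox's scoring.

```python
"""Context-based vulnerability triage (illustration added to this page; not Skybox code).

All inventory below is constructed: the CVE identifiers are placeholders,
the zones, firewall rules and IPS coverage are made up, and the weights
are assumptions chosen to show the effect of each context source.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str         # network segment the host lives in
    criticality: int  # 1 (throwaway) .. 5 (crown jewel), from the asset inventory


@dataclass(frozen=True)
class Finding:
    asset: str        # Asset.name
    cve: str
    cvss: float       # scanner-reported base score
    port: int         # service the flaw is exposed on


@dataclass(frozen=True)
class Context:
    assets: Dict[str, Asset]
    allow: Set[Tuple[str, str, int]]      # (src_zone, dst_zone, port) permitted by firewall policy
    ips: Dict[Tuple[str, str], Set[str]]  # (src_zone, dst_zone) -> CVEs blocked by the inline IPS
    exploits: Set[str]                    # CVEs with a public exploit, from the threat feed


# Threat origins from the slide (hackers, partners, insiders) and how much
# weight a path from each carries. Assumed values.
THREAT_ZONES = ("internet", "partner", "internal")
ZONE_WEIGHT = {"internet": 1.0, "partner": 0.7, "internal": 0.4}
IPS_DISCOUNT = 0.25   # a signature in line is a mitigation, not a fix
EXPLOIT_BOOST = 1.5


def score(f: Finding, ctx: Context) -> float:
    """Priority of one finding given network, control and threat context.

    A finding that no threat origin can reach on its port scores 0 regardless
    of CVSS; an IPS signature on the worst path discounts it; a public exploit
    boosts it; asset criticality scales the whole thing.
    """
    asset = ctx.assets[f.asset]
    worst_path = 0.0
    for src in THREAT_ZONES:
        # Same segment: no firewall between attacker and target.
        reachable = src == asset.zone or (src, asset.zone, f.port) in ctx.allow
        if not reachable:
            continue
        weight = ZONE_WEIGHT[src]
        if f.cve in ctx.ips.get((src, asset.zone), set()):
            weight *= IPS_DISCOUNT
        worst_path = max(worst_path, weight)
    if worst_path == 0.0:
        return 0.0
    exploit = EXPLOIT_BOOST if f.cve in ctx.exploits else 1.0
    return round(f.cvss * (asset.criticality / 5) * worst_path * exploit, 2)


def triage(findings: List[Finding], ctx: Context) -> List[Tuple[float, str, str]]:
    """Return (score, asset, cve) sorted with the most urgent first."""
    ranked = [(score(f, ctx), f.asset, f.cve) for f in findings]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# ---- constructed sample data -------------------------------------------------
ASSETS = {
    "web-01": Asset("web-01", "dmz", 4),
    "hr-db": Asset("hr-db", "internal", 5),
    "kiosk-7": Asset("kiosk-7", "internal", 1),
}
ALLOW = {("internet", "dmz", 443), ("partner", "internal", 1433)}
IPS = {("internet", "dmz"): {"CVE-0000-1001"}}
EXPLOITS = {"CVE-0000-1001", "CVE-0000-1003"}
CTX = Context(ASSETS, ALLOW, IPS, EXPLOITS)

FINDINGS = [
    Finding("web-01", "CVE-0000-1001", 9.8, 443),   # internet-facing and exploited, but IPS-covered
    Finding("hr-db", "CVE-0000-1002", 7.5, 1433),   # crown jewel reachable from the partner network
    Finding("kiosk-7", "CVE-0000-1003", 9.8, 445),  # top CVSS on a low-value, insider-only box
    Finding("web-01", "CVE-0000-1004", 8.1, 22),    # no policy lets any threat zone reach this port
]

if __name__ == "__main__":
    for s, asset, cve in triage(FINDINGS, CTX):
        print(f"{s:5.2f}  {asset:8s} {cve}")
```

Sorted by CVSS alone the two 9.8 findings come first; with context the partner-reachable database outranks both, and the SSH finding no threat origin can reach drops to zero. Treat the IPS discount as a reason to defer, not to close: the signature can be bypassed or switched off, so the finding stays on the remediation list, and the firewall and IPS data feeding the model must be refreshed as often as the scan data or the ranking drifts from reality.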
#4 – Go Faster. Speed up Remediation.
50% of CVEs have known exploits 1 month after publication
Source: 2015 Verizon DBIR
Contact our Sales Team for a Demo!
http://lp.skyboxsecurity.com/ContactMe.html
Skybox Vulnerability Control
Resources
 2015 Enterprise Vulnerability Management Trends
Report
– www.skyboxsecurity.com/resources/survey-reveals-general-dissatisfaction-current-vulnerability-management-programs#.VbKEkPlViko
 Vulnerability Center
– www.vulnerabilitycenter.com
Editor's Notes

  1. Hello Welcome Michelle Johnson Cobb
  2. In the next 20 minutes, I’ll cover Skybox Survey data on VM trends Our analysis and some takeaways for your job Then Cliff Chase, Sales Engineer, will take you through a demo of our Vuln Control product
  3. Skybox Security is a company that believes the answer to challenging security problems can be extracted from your network and security data. We do the same thing that the security expert on your team does – analyze a lot of complex information to figure out what to do. But we integrate data from 80+ systems, we apply advanced analytics, and we automate it to analyze your entire infrastructure for risks. We apply that analytics-based approach to solve some of the most challenging problems for large enterprises. Go over points on the slide: Focus on the attack surface. Continuous visibility of attack surface is critical. Combine network and endpoint data. Use analytics to examine attack vectors. Integrate into the security process. Drive automation at every step. Stay ahead of the attacks.
  4. Supporting our solutions is our vuln team Largest enterprise-focused database for vulns Scope and scale Cover points on slide CVE compliant, CVSS v2 standard Updated daily
  5. And of course, we are pleased that the most security-conscious customers all over the world choose Skybox to give them the comprehensive view and information They need to keep environments secure
  6. Let’s turn to the vulnerabilities question. Orgs have a lot of vulns Numbers each year, Applied to the systems on the right Total numbers in their network Unmanageable, right?
  7. SANS critical control 4 and other security best practices and compliance requirements say you’ve gotta have a process in place to deal with these. But does your VM program work like a well-oiled machine? Or constant whack-a-mole, dealing with a stream of new vulns, new scan info, without seeming to get ahead?
  8. We decided to ask Points on the slide
  9. Who answered the survey? Cover the points Nearly 1000, which was great, because for nearly all questions we had statistically relevant samples regardless of how we filtered the data Heavily large enterprises, but enough of a mix Fin Svc leads the way, but good representation from all verticals
  10. Asked about their goals. Not surprisingly, identifying risk level and prioritizing at top of the list. Means everyone is following best practice recommendations. Quite a bit of support for using VM with threat intel and IR processes. Compliance – may still be a concern, but not a driving force.
  11. Policy… we see in our customer base significant differences in how companies approach VM. More mature – well defined, documented, responsibilities clear, audited regularly. Less – more ad hoc, occasional scanning. Differs between size of company, but distinction was pretty high; most companies under 5000 fell into the same general breakdown, about half with formal policies, rest with informal and a minority with no policy defined. We’ll come back to some insights about the impact of policy maturity after we look at a couple additional questions.
  12. Use of scanners Very interesting Let’s talk about the right side first Just over 1/3 use one scanner, but that leaves nearly 2/3 using several What do they use – on the left side In use column – you can see who leads But we also asked what they use as primary – very interesting Why? We took to interviews to get more detail Coverage – types of hosts, types of vulns Legacy scanners in place over time, or inherited via merger/acq Sense that multiple scanners help reduce false positives
  13. Narrative: One clear takeaway is that everyone wants to increase their scan frequency, regardless of how much they scan today. Organizations that scan on quarterly intervals want to move to monthly, organizations that scan for vulnerabilities monthly want to step up to weekly intervals. The split by size of company was telling, with SMB and mid-size companies tending to scan on a quarterly basis, large ent monthly. Few on a weekly or better schedule as recommended by SANS This puts the pressure on vulnerability solution providers to ensure that solutions can scale to accommodate the demand for faster cycles of data collection, analysis, and remediation.
  14. For answers why, we didn’t ask it in this survey because we had in a previous one So these answers go back a couple of years, but all indications from interviews are that they are still relevant
  15. Points on slide. Interesting note – the more responsibility for the process, the less likely they are satisfied. So don’t get complacent – even if you are thinking the process works well, your boss may think otherwise. Btw – I didn’t cover it here, but 875 of CISOs surveyed said they had direct responsibility for VM, highest VM responsibility of any job title. So they care, they are committed, and about And don’t pay too much attention to the opinions for those outside the security function, because their impression is that the VM process is ok. But they aren’t involved in it directly every day.
  16. Left side charts – satisfaction with the second half of the process is a bit lower. Matches our observations in speaking with customers. It’s relatively easy to amass a pile of vulnerability info, harder to figure out how to prioritize it and act on the information. Narrative for right side points - Additional tools are necessary to make sense of scanner data We also asked about other tools that security professionals use to analyze vulnerability data. It’s common practice to use data analysis tools to correlate multiple sources of data, allow querying of results, or feed vulnerability data into other systems like SIEM or GRC solutions. Splunk was the most frequently noted data analysis tool, followed by Excel and then a host of other analysis solutions including Skybox, Arcsight, homegrown solutions, and good old ‘brainpower’.
  17. Now back to that combo I told you about. When you have all this data in Excel, you get to do pivot chart magic. So we looked at the combination of policy with levels of satisfaction. And we can see that the time spent to formalize everything pays off. So if you need to explain to your boss why your team needs to spend months to plan, document, establish metrics, and set up an internal and external auditing plan, here is your answer. Formal policies are directly related to your future happiness. Or satisfaction level – same difference. Policy means processes to follow, fewer surprises, less fire-fighting, fewer headaches. What was interesting though, is that regardless of policy level, once again CISOs stood out. They are less satisfied than other security or IT staff at every level of policy. So once again, just because you think things are going well does not mean that your CISO wouldn’t like to see changes. Most likely they are interested in improvements.
  18. Regardless of their level of satisfaction with current vulnerability management program, all respondents were asked about their interest in potential improvements. A list of 16 potential improvements to vulnerability assessment (scanning), analysis and prioritization, and remediation activities were provided, and respondents ranked their interest level from ‘No interest’ to ‘High interest’. The top 10 improvements as ranked by number of ‘High Interest’ responses are: (see chart) It is not surprising that the three highest ranking potential improvements : #1 Update vulnerability data quickly following a new vulnerability or threat announcement #2 Include network and security context to prioritize risk more accurately #3 Reduce false positives all have to do with having accurate information with which to respond quickly to new threats. New vulnerabilities and threat alerts occur daily, but it can take weeks for an organization to run through a vulnerability scan/prioritize/remediate cycle to fix known vulnerability risks. For example, when the Heartbleed vulnerability was disclosed (link to vulnerability center entry for this vuln), many organizations experienced weeks of delay in being able to generate an accurate list of vulnerable systems. Moreover, each vulnerability assessment cycle can generate tens or hundreds of thousands of vulnerabilities in a large network, which can take extended periods to review and develop remediation plans. <Gartner or other report> recommends using context about network topology or existing security controls to help IT security teams prioritize those vulnerabilities that can impact critical assets over those where an existing security control offers protection. These two potential improvements would allow organizations to access and analyze vulnerability data faster, which could shorten response times to new vulnerability announcements, and lower risk of attack. 
Reducing false positives (#3) is a related concern, indicating that respondents may feel that they are spending valuable time on false positives instead of risks which can truly impact their network. Improvement #4, Get vulnerability data for network devices like firewalls, indicates an interest in extending vulnerability data to systems that are not covered by traditional active scanners today. The next six improvements are largely about operational improvements to vulnerability management processes – tracking closure of vulnerabilities, automating process steps, removing task roadblocks like system authentication requirements and potential service disruptions. How do you achieve these improvements? Let’s discuss recommendations
  19. Prevent more, detect faster, resolve sooner Policy counts to achieve this goal Points on the slide
  20. Coverage and continuous assessment counts. From our 2012 survey – most companies are at the first two orange dots, but you need to be here. Scanners alone probably not going to get you there – you need to look at the process holistically. Discovery, analysis, remediation, automation…
  21. Context is critical, allows you to know what systems to focus on, figure out which vulnerabilities are important, and get accurate recommendations for what to do about it How do you do that if you don’t understand the infrastructure When you think of context, think of all these things. Any missing elements are blind spots, and blind spots mean unrecognized vulnerabilities and unknown attack paths
  22. Speed counts. Chart from Verizon Data Breach Investigations Report. Fast ramp: after CVEs are announced, takes attackers about 2 weeks to compromise 25%; by week 4 they’ve compromised about half of them. So if you are scanning monthly, you can assume an exploit exists for 50% of your vulnerabilities. You need to reduce that scanning and analysis time.
  23. Now let’s switch to Cliff Chase to talk about the Skybox solution and how working with Skybox can help address your VM needs.