Vulnerability Management. If you only budget for one project this year...

Transcription

1 Vulnerability Management If you only budget for one project this year...

2 William Kyrouz Senior Manager, Information Security & Governance, Bingham McCutchen Nathaniel McInnis Information Security Lead, Risk Management & Compliance, Sidley Austin Jeff Hanson Information Security Manager, McGuireWoods Lombard, IL September 12, 2014

3 Compliance with NIST, ISO, SANS and clients oh my! Vulnerability Management On The Cheap Agenda Why do I need this stuff? Taking it to the next level Enterprise Class Lessons Learned Now what?

4 ComplianceNIST, ISO, SANS and Clients oh my! SANS Institute Critical Security Controls 1 through 4: 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation Source: security controls

5 ComplianceNIST, ISO, SANS and Clients oh my! NIST Framework for Improving Critical Infrastructure Cybersecurity ID.AM 1: Physical devices and systems within the organization are inventoried ID.AM 2: Software Platforms and applications within the organization are inventoried ID.RA 1: Asset vulnerabilities are identified and documented ID.RA 2: Threat and vulnerability information is received from information sharing forums and sources ISO A Management of technical vulnerabilities Source: framework pdf

6 Vulnerability Management On The Cheap Free OpenVAS (use on Backtrack/Kali) Nmap Inexpensive Nessus Professional Feed ($1500) Leverage What You Already OwnSCCM, WSUS Learn How To Query

7 Vulnerability Management On The Cheap Limitations of the free/cheap solutions Possible licensing restrictions read carefully Enterprise level support may not be available Reporting is usually not as robust Lack of centralized management

8 Taking It To The Next Level Meaningful report = management support Windows 7 machines high/crit vulns & patch > 90 days old Heartbleed Vulnerable Systems Time to 95% patch compliance You are now an interpreter Clean up the clutter false positives and other useless info Remediation procedures don t just throw it over the wall How often should I scan? Get others involved

9 Enterprise Class Do you know all the devices connected to your Firms network? What Operating Systems (Windows, Mac, Linux, ios, etc) Heartbleed impact to appliances? Software installations inc. obsolete and vulnerable versions Vulnerability Management = Validation of your patching processes Do end users have the local administrator rights to install applications?

10 The Great Debate Authenticated or Unauthenticated scans against devices on your network? Authenticated: Fewer vulnerability false positives Less intrusive on the devices Unauthenticated See what attackers see mentality Security team doesn t need admin credentials Vulnerability Management!= Penetration Testing Should not be performed as a black box test

11 Enterprise Class: Covering the Network Which network segments to Scan? Office Data Voice DMZ Server Storage Does your network team keep you informed of changes? New office Office expansion Network range expansion (/24 vs. /23)

12 Enterprise Class: Covering the Network Prioritize your targets: Microsoft devices, Internet Facing Infrastructure LAN/WAN, Firewalls SAN/NAS Non Microsoft servers, Appliances Print Devices Web Applications (if applicable) Prioritize Remediation High Priority Vulnerabilities Use automated reporting when cloning yourself fails

13 Security Team Reporting & Analysis Extended analysis capabilities outside of spreadsheets

14 Security Team Reporting & Analysis

15 Remediation Tracking Create tickets in your internal IT ticketing tool Used for start and end dates the vulnerability was in your environment is unreliable as vulnerability information is constantly changing Don t just give the CVE number / Vulnerability Description!

16 Remediation Tracking Building alliances is key Server Teams Application Teams Deskside Support Determine what level of detail they need to support vulnerability remediation tickets Some want more information some want less (some want a regular discussion)

17 Management Dashboards

18 Key Performance Indicators

19 Lessons Learned Do you really know how many IP s are on your network? (Licensing) Devices to scan with particular caution: Print devices, firewalls (at or through) More local scanners Lower Latency = Faster Results Handling DMZ Network Traffic Monitoring/IDS like functionality You will collect a LOT of data, don t digest all at once

20 Lessons Learned Use to document your network, leverage features like dynamic asset lists to group by: Site Operating System Telecom Devices Devices with broken AV Fragile devices that you don t scan as often

21 Now what? DO try this at home (and work, but be careful): Try a free scanner Vendors to consider: Tenable Network Security (Nessus/SecurityCenter) Qualys Rapid7 Tripwire BeyondTrust (Retina) SAINTscanner Lumension

22 Questions We ll now open it up for questions

23 Thank You Jeff Hanson Nathaniel McInnis William Kyrouz or