Threat Centric Vulnerability Management
Q. Which vulnerabilities should I address first? A. Your EXPOSED vulnerabilities AND the ones criminals are using.
Agenda
- Understanding exploited vulnerabilities
- Prioritizing vulnerabilities
- Threat-centric vulnerability management
Need to Modernize Vulnerability Management
"The top 10 vulnerabilities account for 85% of successful exploit traffic; the other 15% consists of over 900 CVEs, which are also being exploited in the wild." (Verizon DBIR 2016)
"Vulnerabilities and their exploitation are still the root cause of most breaches. IT security leaders should refocus their attention on how vulnerabilities are being managed and should track this metric to provide visibility as to how to reduce the biggest risks of being breached." (Gartner, September 2016, "It's Time to Align Your Vulnerability Management Priorities With the Biggest Threats")
Overwhelming Number of Vulnerabilities
600-1200 new vulnerabilities EACH MONTH
Vulnerabilities Exploited by Severity
Most exploited vulnerabilities were not ranked critical.
[Chart: number of exploited vulnerabilities per year, 2006-2015, broken down by severity (Low, Medium, High, Critical). Source: IBM X-Force, analysis by Gartner, September 2016]
Number of Vulnerabilities Successfully Exploited
85% of exploited vulnerabilities were more than 2 years old.
[Chart: number of successfully exploited vulnerabilities by year of publication, 1999-2015. Source: Verizon Data Breach Investigations Report]
Distributed Cybercrime
- Growth of distributed attacks; technology infrastructure supports the distributed model
- Ransomware is everywhere: 25 new ransomware families are released every quarter
- Market leaders: Locky, Cerber, CryptXXX
- Hundreds of thousands of victims, consumers and businesses alike (source: Multi-State Information Sharing & Analysis Center)
- $1B+ extorted from enterprises and institutions in 2016
Ransomware Preys on a Few Key Vulnerabilities
[Chart: number of known vulnerabilities associated with all ransomware families, by year, 2010-2016. Source: Recorded Future, September 2016]
Ask the Right Questions
- Is my data complete and up to date?
- Which critical assets are exposed?
- What exploits are publicly available?
- What exploits are involved in active attack campaigns?
Ingredients for Effective Vulnerability Prioritization
Effective prioritization requires multiple perspectives:
- Vulnerability-centric: criticality of the vulnerability (CVSS score, exploitation impact, public exploit available)
- Threat-centric: actively being targeted by malware, ransomware, exploit kits and threat actors in the wild
- Context-centric: business criticality, value and exposure of the asset (internet-facing, third-party access, contains sensitive data, provides business-critical functions)
Threat-Centric Vulnerability Management
[Diagram: an attack surface model of the network (Prod FW, Backbone Core Router, Main Router, Main FW, GatewayEastA, GatewayEastA IPS) supplies context on asset exposure and criticality; vulnerability intelligence supplies vulnerabilities plus exploits in the wild. Analytics combine the two to prioritize each finding as an Imminent Threat (high-priority remediation/mitigation) or a Potential Threat (gradual risk reduction).]
Threat-Centric Vulnerability Prioritization (by urgency)
IMMINENT THREAT: high-priority remediation/mitigation
- Exposed to direct attack
- Exploited in the wild
POTENTIAL THREAT: gradual risk reduction
- Vulnerabilities with known exploits
- Existing vulnerabilities
Importance of Prioritization: Reduce to a Manageable Number
1. Identify all known vulnerabilities. Total identified: 60K. Source: Skybox Vulnerability Database. Tier: Potential Threat.
2. Identify your vulnerabilities. Total identified: 7,122. Source: third-party scanners, Skybox Vulnerability Detector. Tier: Potential Threat.
3. Identify exploits. Total identified: 1,105. Source: Skybox Research Lab real-time threat intelligence. Tier: Imminent Threat.
4. Correlate to CVSS. Total identified critical: 3,578. Source: CVSS scoring. Tier: Potential/Imminent Threat.
5. Identify exposures. Total identified: 141. Source: Skybox network modeling and attack vector analytics. Tier: Imminent Threat.
6. Identify exposed and exploited vulnerabilities (the biggest risks). Total identified: 13. Source: Skybox Vulnerability Control Prioritization Center. Tier: Imminent Threat.
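The prioritization logic the urgency and funnel slides above describe (three perspectives combined into urgency tiers, then the reduction steps counted), as an added Python example that is not Skybox's code: the record fields, the placeholder ids and the sample inventory are constructed, and reading the two imminent conditions as "either one", with "both" as the biggest-risk bucket, is this example's interpretation of the slides.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    vid: str                 # constructed placeholder id, not a real CVE
    asset: str
    cvss: float              # vulnerability-centric: severity score
    exploit_public: bool     # vulnerability-centric: a public exploit exists
    exploited_in_wild: bool  # threat-centric: used by malware, exploit kits or actors
    exposed: bool            # context-centric: reachable by an attacker per the attack surface model
    asset_critical: bool     # context-centric: business-critical asset

def urgency(v: Vuln) -> str:
    """Map one vulnerability onto the deck's urgency tiers."""
    if v.exposed and v.exploited_in_wild:
        return "imminent: exposed and exploited"   # the 'biggest risks' bucket
    if v.exposed or v.exploited_in_wild:
        return "imminent"                          # high-priority remediation/mitigation
    return "potential"                             # gradual risk reduction

def rank_key(v: Vuln):
    # Order within the list: exposure and active exploitation first, then exploit
    # availability, asset criticality and finally CVSS as the tie-breaker.
    return (v.exposed and v.exploited_in_wild, v.exposed, v.exploited_in_wild,
            v.exploit_public, v.asset_critical, v.cvss)

def prioritize(vulns):
    """Return the inventory sorted most urgent first."""
    return sorted(vulns, key=rank_key, reverse=True)

def funnel(vulns):
    """Counts for the reduction steps shown on the slide (CVSS >= 9.0 taken as critical)."""
    return {
        "identified": len(vulns),
        "critical_cvss": sum(v.cvss >= 9.0 for v in vulns),
        "exploit_known": sum(v.exploit_public or v.exploited_in_wild for v in vulns),
        "exposed": sum(v.exposed for v in vulns),
        "exposed_and_exploited": sum(v.exposed and v.exploited_in_wild for v in vulns),
    }

# Constructed sample inventory; ids and asset names are placeholders.
SAMPLE = [
    Vuln("V-1", "GatewayEastA", 7.5, True,  True,  True,  True),   # exposed and in the wild
    Vuln("V-2", "Main FW",      9.8, False, False, False, True),   # critical CVSS, nothing more
    Vuln("V-3", "Prod FW",      8.1, True,  False, True,  False),  # exposed, public exploit only
    Vuln("V-4", "Core Router",  6.5, False, True,  False, True),   # in the wild, not reachable
    Vuln("V-5", "Backbone",     9.1, True,  False, False, False),  # critical CVSS plus public exploit
    Vuln("V-6", "Main Router",  5.3, False, False, False, False),  # existing vulnerability
]
```

Running `prioritize(SAMPLE)` puts the exposed-and-exploited medium-severity finding first and the CVSS 9.8 finding with no exploit fifth, which is the ordering the deck argues for.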
Detecting Vulnerabilities Through the Skybox Security Intelligence Feed
Vulnerability and threat intelligence from the Skybox Research Lab:
- 30+ security data sources: NVD, scanners, advisories, threat intelligence feeds, IPS security catalogs
- Partnership with Recorded Future: processing 700,000 dark web sites, gathering intelligence on exploits available and used in the wild
- Research analysts analyse, edit and verify vulnerability and threat intelligence
TCVM & WannaCry
- MARCH 14: Threat alert reported: SMB remote code execution vulnerability
- APRIL 14: Vulnerability definition updated: SMBv2 exploits (EternalBlue)
- APRIL 18: Identified as Exploited in the Wild
- MAY 12: WannaCrypt ransomware uses the vulnerability
Visualize Your Entire Attack Surface From Multiple Perspectives
[Dashboard screenshot: site details for "US" showing Vulnerability Exposure, Risky Access Rules, Exploited in the Wild Vulnerabilities (311 assets, 5 firewalls), Exploitable Vulnerabilities and Unsecure Device Configuration (total: 72), trended over the last 4 months (March, April, May, June, current). Listed configuration violations, one each: "UDP reply packets filtered" (Checkpoint FW Standard Policy); "Encrypted Line Password - required", "IP source routing - prohibited", "Password Encryption Service - required" and "SNMPv3 Group - required" (Cisco IOS RTR Standard Policy).]
Summary
[Diagram: security lifecycle with Continuous Integrated Monitoring & Solution Analytics at the center]
- Predict (assess vulnerabilities/exposures, predict attacks): Discovery/Inventory, Vulnerability Assessment, Threat Intelligence, Baseline Systems, Penetration Testing
- Prevent (harden and isolate systems, divert attackers, prevent attacks): Secure Configuration, Anti-Malware, Firewalls/IPS
- Detect (detect incidents, confirm and prioritize, contain incidents): Anti-Malware, Firewalls/IPS
- Respond (remediate/make change): Patch Management, Design/Model Change, Change Management, Investigate/Forensics