Vulnerability Management: When you just can't patch. Richard Dahl, Founder and CEO
Agenda: Who am I; When can't you patch; Typical vulnerability process; Four options; Resource characteristics; Control inheritance; Vulnerability analysis; Risk analysis; Remediating controls; Vulnerability documentation.
Who am I? Founder and CEO of cmplid:// Inc., a security management automation solution. Security professional with more than 23 years in security; first 5 years as a Counterintelligence Agent in the US Army; consulting experience with many industries; security management methodology zealot; passion for repeatable and consistent processes that produce high-quality security programs.
Sounds like: Counterintelligence Agent
Looks like: Counterintelligence Agent
"When you just can't patch" does NOT mean: when patching is difficult; when patching is inconvenient; when you assume you can't patch; when patching interferes with your time.
Patch When You Can: Set a very high bar for not patching; document the specific criteria; consistently follow the guidance.
Criteria For Not Patching: Just Say No. The vendor comes from the Nancy Reagan School of Patch Management.
Criteria For Not Patching: The vulnerability is not relevant.
Criteria For Not Patching: The vulnerability is mitigated through alternate means AND the affected system is functioning properly AND the affected system is not normally administered.
Normal Vulnerability Response Process
got vuln?
Four Options: 1. Work with the vendor to support patching; 2. Upgrade and support the production system yourself; 3. Replace the vulnerable product; 4. Do nothing (and hope for the best).
Resource Characterization. Technical resources: hardware, software, source code, networks, media. Business resources: information, locations, personnel, organizations.
Resource Attributes: Define the characteristics necessary to disposition security requirements, namely WHEN requirements are necessary and HOW requirements will be fulfilled.
Security Objectives: A technical statement of purpose for each security control within the program, correlated to the indicating attributes. Consequence of failure or absence of a control: a simple statement of effect.
Vulnerability Defined: A vulnerability is essentially a condition that allows a security control to be bypassed.
Control Inheritance (the language is NIST SP 800-53's): Common controls are security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems. Security controls are deemed inheritable [...] when the systems or components receive protection from [...] controls [that] are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components. Security capabilities [...] can be inherited from many sources including, for example, [...] other information systems.
Inheritance Examples. Hardware inherits protection from: firewalls on the network; locked doors of cabinets/rooms; users (personnel); managing organizations. Software inherits protection from: the hardware it is installed on; users (personnel); managing organizations.
Vulnerability Analysis: Classification; Remediation; Mitigation; Process.
Classification: CVSS Base Score, Temporal Score and Environmental Score; impact on functionality; risk-informed.
Scoring (three slides of scoring figures, not reproduced in the text)
Remediation: Usually one of two processes, reconfigure the software OR patch the software. Eliminates the vulnerability.
Mitigation: Usually relies on control inheritance or absence of consequence. Limits the effect of the vulnerability.
Risk: Provides context; must tie to a business process or system function.
Risk Analysis Methods: Many are defined; choose one; apply it consistently. Simpler is better, but only as simple as possible.
Vulnerability Documentation: Correlate the vulnerability to the affected resources within the context of: the affected business process or system function; the affected security objectives and the consequence of exploitation; mitigating controls; executive approval.
Summary: Document patch criteria; know your resources; embrace control inheritance; consistently apply guidance; document the analysis; get approval.
Thank You Questions? Comments. Concerns!