How to construct a sustainable vulnerability management program

Similar documents
whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Threat Centric Vulnerability Management

Vulnerability Management. If you only budget for one project this year...

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS

RSA IT Security Risk Management

Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017

Reinvent Your 2013 Security Management Strategy

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

A Practical Guide to Efficient Security Response

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

User Interface. An Introductory Guide

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

Adopting A Real-Time, Data-Driven Security Practice HOW SECURITY PRACTITIONERS CAN PRIORITIZE VULNERABILITY SCANNING DATA TO MAKE INTELLIGENT

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

10 FOCUS AREAS FOR BREACH PREVENTION

Chapter 5: Vulnerability Analysis

What every IT professional needs to know about penetration tests

CompTIA Cybersecurity Analyst+

A Methodology to Build Lasting, Intelligent Cybersecurity Programs

Enabling Security Controls, Supporting Business Results

The State of Security

CASE STUDY. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines

Business Risk Management

THE POWER OF TECH-SAVVY BOARDS:

The Threat & Vulnerability Management Maturity Model

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Qualys Indication of Compromise

Machine-Based Penetration Testing

CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR

Security Issues that deserve a logo

OPEN SOURCE SECURITY ANALYSIS The State of Open Source Security in Commercial Applications

Is Your Web Application Really Secure? Ken Graf, Watchfire

8 Must Have. Features for Risk-Based Vulnerability Management and More

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Machine-Based Penetration Testing

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

Exam : Title : ASAM Advanced Security for Account Managers Exam. Version : Demo

COST OF CYBER CRIME STUDY INSIGHTS ON THE SECURITY INVESTMENTS THAT MAKE A DIFFERENCE

Think Like an Attacker

Taking Control of Your Application Security

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Continuously Discover and Eliminate Security Risk in Production Apps

Protect Your Organization from Cyber Attacks

Security Automation Best Practices

Business Context: Key for Successful Risk Management

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits

IT Vulnerabilities: What an IT Auditor Should be Thinking About

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Cyber Resilience. Think18. Felicity March IBM Corporation

Developing a Model for Cyber Security Maturity Assessment

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Building a Resilient Security Posture for Effective Breach Prevention

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

Practical OpenSCAP Security Standard Compliance and Reporting. Robin Price II Senior Solutions Architect Martin Preisler Senior Software Engineer

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

THE CYBERSECURITY LITERACY CONFIDENCE GAP

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

DOWNLOAD OR READ : THREAT AND VULNERABILITY MANAGEMENT COMPLETE SELF ASSESSMENT GUIDE PDF EBOOK EPUB MOBI

Un SOC avanzato per una efficace risposta al cybercrime

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Vulnerability Management. June Risk Advisory

Skybox Vulnerability Control

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Certified Information Security Manager (CISM) Course Overview

INFORMATION SECURITY ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU

CISO as Change Agent: Getting to Yes

Department of Management Services REQUEST FOR INFORMATION

Best Practices & Lesson Learned from 100+ ITGRC Implementations

Think Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe

A Risk Management Platform

Readiness, Response & Resilence:

CyBot Suite. Machine-based Penetration Testing

Threat Centric Vulnerability Management

IoT & SCADA Cyber Security Services

VESPER a tool for managing Vulnerabilities and Exploits in Software with Portscan-Endorsed Results

ForeScout CounterACT. Security Policy Templates. Configuration Guide. Version

Lab Test Report DR110208B. McAfee Risk Management Solution. February 8, 2011

IBM Rational Software

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Building Successful Threat Intelligence Programs

An Example of use the Threat Modeling Tool

CISO Success Strategies: On Becoming a Security Business Leader

K12 Cybersecurity Roadmap

Going Without CPU Patches on Oracle E-Business Suite 11i?

Think Like an Attacker

align security instill confidence

90% of data breaches are caused by software vulnerabilities.

See What You ve Been Missing

Vulnerability Management

Vulnerability Management

Establishing Technology Trust in a Containerised World

Transcription:

How to construct a sustainable vulnerability management program 1

#whoami -Howard Tsui -Senior Threat and Vulnerability Management Engineer -Financial industry in the United States -Contact teaupdate12@gmail.com TSUIUST twitter Howard Tsui Linkedin 2

Talk Outline: Why do we need Vulnerability Management? What do we need? Vulnerability Management Lifecycle What won t work? How to mature program? 3

Vulnerabilities- Are we vulnerable? Where? 1. OpenSSL 'Heartbleed 2. Shellshock 3. Stagefright 4. W32 conficker worm WPA2 Krack External RDP port 3389 Apache 5 Windows 2003 5. MS17-010 4

Most of the breaches are not from 0 Days Age of CVEs be exploited in 2015 sorted by publish date. Citied Verizon 2016 DBRI 5

Why do we need Vulnerability Management? Vulnerability and threats Improve organizational security resiliency Compliance requirement 6

What do you need in Vulnerability Management? Vulnerability scanner Ticketing System Asset Management (CMDB) Be a people person 7

Vulnerability Management Lifecycle Detect Verification Prioritize Remediate Report 8

Detect Vulnerability Scanning Detect Verification Prioritize Manual detection Automated detection Remediate Report Pro Pro Accurate, less false positives Much more in depth Easy to use (Depends) Enterprise level scanning capability Con Con Time consuming Highly skilled False positive Expensive 9

Vulnerability Prioritization Verification Detect Prioritize Always understand the vulnerability Prioritization The money making software and server Patch vulnerabilities that already have known exploits Unsupported software Look for the one solution that fix many vulnerabilities Remediate Report CVSS is a good start, but take them to the next level Apply system scoring and criticality ratings. Etc, environmental factors 10

Detect Report Verification Prioritize Remediate Report Target the audiences with the specific report type There is no one report fits all Report automation and template Integrate with current ticket and report process Always include SLA along with report 14, 30, 60 days, etc. 11

What to include in the report or ticket? Dear Sysadmin: Title: Body: [Some kind of security identifier ] [SLA] [vulnerability name] include patch name some where in the report where was found, IP, hostname, count. (excel is fine) Mention SLA again, nicely. 12

You don t want this look 13

Detect Remediation Verification Prioritize Remediate Report If the current patching process works, follow it. Try not to reinvent new patch process, it will cause confusion Involve risk management depending on the outcome, initiate risk exception Keep track of SLA and hold owners responsible. Don t fall into the ticket black hole 14

Verification Verification Detect Prioritize Remediate Report Verify the same way you found it for accurate result Verify the remediation solution did not introduce more vulnerabilities Document the verification procedures and report in a central location You will thank yourself later 15

Mix & Match the Lifecycle Detect Detect & Prioritize Verification Prioritize Verification Report Remediate Report Remediate 16

What won t work Inaccurate vulnerability report or metrics No Cooperation with Risk Management Insufficient patch management program 17

What won t work Inaccurate vulnerability report or metrics 18

What won t work Lack of team work with Risk Management 19

What won t work Insufficient patch management program 21

I have everything, now what I can do? Security configuration management Incorporate threat intel feed for organization specific threat vulnerabilities Look for things that attacker likes to find that aren t vulnerabilities Rely more on manual testing that can identify more complex vulnerabilities 22

To finish up, I want to leave you with this 23

Q&A Contact teaupdate12@gmail.com TSUIUST twitter Howard Tsui Linkedin 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback