Abstract: While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security. Join AlienVault for this session to learn: *The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated *Vulnerability scores and how to interpret them *Best practices for prioritizing vulnerability remediation *How threat intelligence can help you pinpoint the vulnerabilities that matter
 most

2. Agenda
Vulnerability scans
Vulnerability scores
Vulnerability remediation
Threat intelligence
USM demo
Q&A

3. About AlienVault
Unified Security Management
Threat Detection
Incident Response
Policy Compliance

4. Yeah, It’s Bad
Vulnerabilities by Vendor – 2013
Source: http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/

5. But It’s Always Been Bad
Source: Symantec Internet Security Threat Report - 2013

6. Nothing Goes Away…Ever
Source: Symantec Internet Security Threat Report - 2013

7. The Need for Vulnerability Management
Too many compromises due to:
• Unknown systems
• Unknown data
• Unpatched vulns
Need a process to determine what to patch, work
around, or live with

8. Vulnerability Management Lifecycle
Assess
Prioritize
Monitor
Remediate
Mitigate

9. Poll #1
How many of you have an active Vulnerability
Management program?
Yes
No
 Don’t Know

10. Poll #2
For those who said No, what is keeping you from
deploying a Vulnerability Management program?
Tools
Staff time
Staff training
 I’m protected by UTM / NGFW / IPS /
Advanced Antimalware …
 Don’t know

11. Detection is the New Black
“There's a trend underway in the information
security field to shift from a prevention
mentality to a focus on rapid detection”
“Your detection & response capabilities are
more important than blocking & prevention”

12. Assessment Scans
Combination of Techniques is Ideal
Passive/Continuous: Monitors network traffic
Active: Sends data to devices to generate a
response
Credential: Logs on to individual systems
Agent: Dedicated agent installed on subset of
devices
Benefits: Visibility, Assets Values, Grouping

13. Vulnerability Prioritization
CVSS: Common Vulnerability Scoring System
• Base Metric Score from 0-10
- 7.0 - 10.0 = High
- 4.0 - 6.9 = Medium
- 0 - 3.9 = Low
- Average = 6.8
Sources: www.first.org/cvss
www.cvedetails.com

14. Prioritizing Remediation & Mitigation
Understanding the Context
Other software installed
on these systems?
What systems
communicate with
these systems?
What traffic do these
vulnerable hosts
generate?
Are these systems
targeted by malicious
hosts?
Have these systems
generated any alarms
previously?
Is there a patch or
workaround available?

15. Threat Correlation & Intelligence
Risk = Assets x Vulnerabilities x Threats
Correlation is Essential
• Correlate asset information with vulnerability
data and threat data
• Correlate IDS alarms with vulnerabilities
- Is the host being attacked actually
vulnerable to the exploit attempt?
Threat Intelligence
• Threat landscape is constantly changing
• Tools need to keep pace

16. No Silver Bullet
Limitations of Vulnerability Management
• Can’t patch everything at once
• Patch ≠ No Compromise
- Focused, patient attacker will get in
• BYOD = No patch
• Zero-day = No patch
• Do the names Edward Snowden or Bradley
Manning ring a bell?

17. 5 Tips
1. Think like an attacker
• They may not be after your data
2. It all starts with the network
• Regular network assessment scans are essential
3. Unify & automate security controls
• You can’t keep up with the data
4. Use threat intelligence to prioritize remediation
• Only way to keep up with changing landscape
5. Remember it is an ongoing process
• It does not end with a checkbox

18. Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software
Inventory
Vulnerability
Assessment
• Network Vulnerability Testing
• Remediation Verification
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response
Our Approach

19. OTX + AlienVault Labs
Threat Intelligence Powered by Open
Collaboration

20. USM Demo
Tom D’Aquino
VP Worldwide Systems Engineering