Murli Menon, Chief Security Officer & Head - Sustainability & CSR, Atos India

1. Murli Menon
Atos India Pvt Ltd
Case Study

2. Vulnerability Management (VM)
A process by which loopholes in IT systems are identified, risks
are evaluated & remediated
Why VM ?
 Cyber Crime Rise
 Compromise of Data
 Major Software flaws
 Inappropriate IT system administrations
 Identifications of weakness

3. On Ground
 13000 + IT Systems
 2200 + Critical Assets
 1200+ Network Systems
 8000+ Actual
Vulnerabilities
 34% False Positives
 600 + Customers
supported
 88% Critical SLA’s
 24x7 Business
Operations
 Minimal Down Times
 Maximum Privilege
Access
 Zero Risk Tolerance
Vs
Facts Business Challenges

4. Action Plans
 Dedicated team
 Assigned Roles and Responsibilities based on RASCI
Matrix including business representatives
 Defined policies on VMS considering the business &
Organization impacts
 Obtained business approvals on actions plans of
remediation's
 Formulation of vulnerability calculations vs Impact as a
Security KPI

5. VMS Cycle
Remediate
& Confirm
Search
EvaluatePrioritize
• Prioritizing the critical
assets + Vulnerabilities
• Focusing on Top Critical
• Developing plans to
test the remediation's
on Critical
• Approvals for
Remediation's
• Identify the assets
• Filtering False Positives
• Finalizing the reports
• Discovering the network
• Identify the scopes
• Initiate Scan with
schedules considering
the business operations
(Servers, devices
scanned during non
business hours)
• Patching /Remediate
• evaluating the impact
• rescanning & Confirm
for closure of
vulnerability
1
2
4
3

6. Long term Remediation's
• Identify the
consequences
of reported
vulnerabilities
• Detailed
analysis of
Root causes
• Targeting the
hidden gaps
• Designing the
solutions to
avoid
reoccurrences
• Testing &
Deploying the
solutions
• Monitoring for
any
reoccurrences
• Maintain the
Knowledge
base for future
remediation's

7. Advantages ..In 8 months
78 % vulnerabilities been remediated with Zero
impacts on business
36% Outdated Systems, Software's been
withdrawn
Patch Management improvised to 96%
Overall compliance 98.89% (WIR)
Minimum Risk Exceptions
Increase in Customer Confidence

8. Continuous Improvements
Regular Watch on latest Threats & Vulnerabilities
Daily Team meeting to understand the progress
Measure the performance of security teams by the
reduction of critical vulnerabilities
Evaluate actual vulnerability management results
against targeted metrics

9. Area of Challenge
Major Counts Adobe Vulnerabilities
Apache Vulnerabilities with weak Ciphers
Database patching was not easy
Client systems non availability
Poodle, Heartbleed

10. Key Consideration on VMS
 Meeting compliance requirements and legal boundaries
 Checking current security controls if proactive or
reactive
 Efficiency of Vulnerability Management tool
 Check current security state of your network
 Is confidential data sufficiently protected
 Latest Threats vs Assets

11. Thank You