Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Prioritization is Wrong
1. Sean Keef
Director, Sales Engineering
Skybox Security
Don’t be a Target: Everything You Know About
Vulnerability Prioritization is Wrong
2. © 2014 Skybox Security Inc., Confidential 2
Everything you ‘know’ about VM is wrong:
My active scanner finds all known vulnerabilities
Our traditional VM approach is reducing risk
We know what we need to fix first
Severity is a good indicator of what to fix
Low and medium severity vulnerabilities can be ignored
30 days scan cycle is acceptable
3. Agenda
The Present
The Purpose
The Pain
Relationships
The Prioritization
The Process
The Punchline
4. Definitions
Risk – The probability of
occurrence and degree of damage
an undesirable event will cause.
Vulnerability – Host-based,
application and operating system
vulnerabilities.
Vulnerability Management – The
process of discovering, prioritizing
and remediating vulnerabilities
5. Case Study (FinCorp Bank)
90% of the servers are scanned
every 30 days
50% of workstations are scanned
every 90 days
Average PC has ~117
vulnerabilities
Over 1 million vulnerabilities to be
remediated
Critical severity remediation SLA
is 15 days
6. The Present
Vulnerability Management
Discovery with an active scanner
Prioritization, remediation and
SLAs based on severity
Critical vulnerabilities are not
remediated before the next scan is
executed, leading to SLAs not
being met.
7. The Purpose
To ensure that risk-causing vulnerabilities exist in an
exploitable state for the shortest amount of time possible
Chart: Risk vs. Time
8. Case Study (FinCorp Bank)
Spends ~100 man hours per week remediating vulnerabilities
Week to Week:
– Average ~1 million vulnerabilities
– Average ~20% Critical, ~50% High, ~30% Medium or lower
– No significant reduction of vulnerability count or breakdown week
over week. (Was actually growing.)
No real plan for how to reduce the overall number of
vulnerabilities or overall risk.
No prioritization plan beyond severity.
A realization that severity based remediation isn’t doing the job.
9. The Pain
Risk is not decreased over time
Chart: Risk vs. Time; remediating by severity alternates between remediating low risk-causing vulnerabilities, not remediating high risk-causing vulnerabilities, and remediating high risk-causing vulnerabilities (legend: Severity, Risk)
10. Case Study (FinCorp Bank)
Priorities
1. Risk visibility and qualification
2. Prioritization
3. Communication
Solutions
– Collect more data
– Correlate the data
– Relationships
11. Relationships
Diagram: Exploitability, Impact, Severity
12. Host – Vulnerability Relationship
Diagram: Hosts – Vulnerabilities
13. Host – Vulnerability Relationship
Diagram: Hosts – Vulnerabilities, fed by Asset Data, Network Map and Vulnerability Data
14. Host Value
Assets
Value
Function
Location
Asset Data
– Baby Steps
• Get the data that exists
• PCI CDE machines
• Important networks
• Known critical machines
• Incomplete is better than
nothing
– Asset classification is its
own project
15. Host Loss
Assets: Confidentiality, Availability, Integrity (C, A, I)
16. Host – Vulnerability Relationship
Vulnerabilities: C, A, I
17. Host – Vulnerability Relationship
Vulnerabilities: expanded vulnerability data
18. Vulnerability Attributes
Vulnerability
Impact
IPS
Severity
Vector
Catalog
19. Host – Vulnerability Relationship
Vulnerability
Impact
IPS
Severity
Network
Catalog
Assets
20. Prioritization – Simple Relationships
Vulnerability + Host importance (Impact) – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Time on host – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Host location – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Host type – Easy (Scanner / Spreadsheet / Script)
Vulnerability + Patch (Quick win) – Hard (Application)
Vulnerability + IPS Signature (IPS shielding) – Hard (Application)
21. Prioritization – IPS Signature to Vulnerability
22. Prioritization – Patch to Vulnerability
Quick Win!
23. Case Study (FinCorp Bank)
<Missing something>
Critical vulnerabilities on PCI
CDE Hosts
Vulnerabilities that can be IPS
Shielded
Patch that wipes out the most
vulnerabilities
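The "simple relationships" from slide 20 and the three FinCorp quick wins above (critical findings on PCI CDE hosts, findings an IPS can shield, the one patch that wipes out the most findings) are all joins between a scanner export and one more data set. The script below is an added example, not Skybox code and not from the deck: every asset, finding, patch and IPS signature is constructed, and the CVE and patch ids are placeholders. It models host importance and time on host for the ranking; location and type are carried on the asset record and can be folded into the score the same way.

```python
"""Simple-relationship vulnerability prioritization (added example, constructed data).

Joins a scanner-style finding list with asset data, patch data and IPS signature
coverage, then ranks findings by severity x host value x time on host rather
than by severity alone.
"""
from collections import Counter
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    host: str
    value: int        # business value 1-5 (constructed scale)
    location: str     # network location from the asset inventory
    pci_cde: bool     # host is inside the PCI cardholder data environment


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: str
    age_days: int     # time the vulnerability has been present on the host


# Constructed asset inventory (the "incomplete is better than nothing" data)
ASSETS = {a.host: a for a in [
    Asset("db01", 5, "datacenter", True),
    Asset("web01", 4, "dmz", False),
    Asset("pc042", 1, "user-lan", False),
    Asset("pos17", 3, "store", True),
]}

# Constructed scanner findings; CVE ids are placeholders, not real advisories
FINDINGS = [
    Finding("db01", "CVE-0000-0001", "critical", 40),
    Finding("db01", "CVE-0000-0002", "medium", 5),
    Finding("web01", "CVE-0000-0001", "critical", 12),
    Finding("web01", "CVE-0000-0003", "high", 60),
    Finding("pc042", "CVE-0000-0004", "critical", 3),
    Finding("pc042", "CVE-0000-0002", "medium", 90),
    Finding("pos17", "CVE-0000-0004", "critical", 20),
    Finding("pos17", "CVE-0000-0002", "medium", 20),
]

# Constructed patch -> CVEs it fixes, and IPS signature -> CVEs it blocks
PATCHES = {
    "PATCH-A": {"CVE-0000-0002", "CVE-0000-0004"},
    "PATCH-B": {"CVE-0000-0001"},
    "PATCH-C": {"CVE-0000-0003"},
}
IPS_SIGNATURES = {"SIG-100": {"CVE-0000-0001"}, "SIG-200": {"CVE-0000-0003"}}


def critical_on_pci_cde(findings, assets):
    """Critical findings whose host sits in the PCI CDE (vulnerability + host location)."""
    return sorted((f.host, f.cve) for f in findings
                  if f.severity == "critical" and assets[f.host].pci_cde)


def ips_shieldable(findings, signatures):
    """Findings an existing IPS signature can shield until the patch lands."""
    covered = {cve for cves in signatures.values() for cve in cves}
    return sorted((f.host, f.cve) for f in findings if f.cve in covered)


def best_patch(findings, patches):
    """The patch that removes the most (host, CVE) findings: the quick win."""
    counts = Counter()
    for f in findings:
        for patch, cves in patches.items():
            if f.cve in cves:
                counts[patch] += 1
    return counts.most_common(1)[0]          # (patch id, findings removed)


def prioritize(findings, assets):
    """Rank by severity x host value x time on host; the rank, not the raw
    severity, decides what is fixed first."""
    def score(f):
        return SEVERITY_WEIGHT[f.severity] * assets[f.host].value * (1 + f.age_days / 30)
    return sorted(findings, key=score, reverse=True)


if __name__ == "__main__":
    print("critical on PCI CDE:", critical_on_pci_cde(FINDINGS, ASSETS))
    print("IPS shieldable:", ips_shieldable(FINDINGS, IPS_SIGNATURES))
    print("quick-win patch:", best_patch(FINDINGS, PATCHES))
    for f in prioritize(FINDINGS, ASSETS):
        print(f"{f.host:6} {f.cve} {f.severity}")
```

Note what the ranking does with the critical finding on pc042: a low-value workstation with a three-day-old finding drops to the bottom, while the high-severity finding that has sat on the DMZ web server for two months outranks most of the criticals. That is the whole argument of slide 9 in a dozen lines of scoring.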
24. Prioritization – Complex Relationships
Risk = Impact * Likelihood * Time
Vulnerability
&
Host
Host w/ Vulnerability
&
Network Security
25. Likelihood
Diagram: attack simulations from threat origins (Compromised Workstation, Foreign Threat, Exploited Partner) against vulnerabilities CVE-2014-0160, CVE-2014-0515 and CVE-2014-1776
26. Stair Step Attacks
27. Prioritize Vulnerabilities by Multiple Factors
Vulnerabilities Prioritized
Directly Exploitable Vulnerabilities
Vulnerabilities on PCI hosts
IPS Shielded Vulnerabilities
Vulnerabilities remediated with a
single MS Bulletin
28. The Result
Risk is reduced over time
Risk visibility and communication is increased
Chart: Risk vs. Time; remediating high risk-causing vulnerabilities, risk reduced by reducing attack surface
29. Case Study (FinCorp Bank)
Before
Losing the fixed vs found battle
Unfocused remediation
Risk not reduced over time
After
Full visibility into many
relationships
Risk and attack surface reduced
week over week
Understanding of network
topology + network map
Result – More effective understanding and
application of remediation options
30. The Process
Discovery – Is there a better way than active scanning?
31. Case Study
Large Multi-national
– Central IT / Strong Business Units
– Loosely controlled scanning / Business units can opt out.
– CISO needed to be able to ensure a single vulnerability was
wiped out.
– Had SCCM everywhere
32. Limited and Out of Date Information
The value of vulnerability information decays over time
Chart: knowledge over Month 1 – Month 3; knowledge is added during each scan (up to 100%) and decays after the scan (80%, 60%); the remainder is missing data
33. Why Not Scan More Often? (2012 Survey)
It’s Just Too Difficult
Reasons that respondents don’t scan more often:
– We just don’t need to scan more
– Unable to gain credentialed access to scan portions of the network
– The cost of licenses is prohibitive
– Some hosts are not scannable due to their use
– We don't have the resources to deal with broader patching activity
– We don’t have the resources to analyze more frequent scan data
– We are concerned about disruptions from scanning
Response rates shown on the chart: 59%, 58%, 41%, 34%, 29%, 12%, 5%
34. So Security Teams Try to Limit Impact
Disruption – “Oops, we took down the net”
Scan Today → Scan Next Week → Scan Next Month → Scan Next Year → Scan NEVER
35. Scan Frequency and Coverage (2012 Survey)
Chart: Scan Frequency in Days (0 – 350) vs. % of Network Scanned (10% – 90%)
– Partner/External Networks: ~60-90 days, <50% of hosts
– Critical systems, DMZ: ~30 days, 50-75% of hosts
– Goal: ~Daily / Continuous, 90%+ of hosts
36. Host – Vulnerability Relationship
Diagram: one asset (Windows 7, Firefox, Adobe Reader 10, Java SE 20) matched against vulnerability records grouped by type and affected product:
– Buffer Overflow: Windows 7, Windows 2K SP2, Windows 2K SP1
– Remote Code Execution: Adobe Reader 8, Adobe Reader 9, Adobe Reader 10, Adobe Reader 7.7
– Security Bypass: Firefox, Thunderbird, SeaMonkey
– Remote DOS: IIS 6.0, IIS 7.5
– Remote Unspecified: Java 7.4, Java FX 2.2.4, Java JRE 6.7, Java SE 7.11
37. Vulnerability Deduction Process
Diagram: data sources (Product Profiling, Asset / Patch Management, Networking Devices, Active Scanner) feed a Product Catalog (CPE) of OS version & patch level and application versions; Vulnerability Deduction matches that catalog against the Vulnerability Database to produce the Vulnerability List (CVE)
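The deduction step on slide 37 is a catalog join: the product and version data that asset or patch management already holds is matched against a vulnerability database that records, per CVE, the affected version range and the patch that closes it, so a finding can be produced (or retired) without ever sending a probe to the host. The following is an added example of that matching, not Skybox's deduction engine; the CPE-style product names, the two-host inventory, the vulnerability records and the patch id are constructed placeholders, and the version comparison is the simple dotted-numeric rule shown, not a vendor's own ordering.

```python
"""Vulnerability deduction from product catalog data (added example, constructed data).

Installed products are taken as CPE 2.2 URIs from an asset/patch management feed
and matched against a vulnerability database of affected version ranges.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    product: str                   # "vendor:product" as it appears in the CPE name
    affected_min: str              # first affected version (inclusive)
    fixed_in: Optional[str]        # first fixed version (exclusive); None if no fixed version
    fixed_by_patch: Optional[str]  # patch id that closes the CVE at any version


def version_tuple(version):
    """'7.11' -> (7, 11). Non-numeric parts (e.g. 'sp1') compare as 0 so that
    unusual version strings still sort instead of raising."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def parse_cpe(cpe):
    """Parse 'cpe:/a:adobe:reader:10.1' into ('adobe:reader', '10.1').
    Only the vendor, product and version fields of a CPE 2.2 URI are used."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe":
        raise ValueError(f"not a CPE 2.2 URI: {cpe}")
    vendor, product, version = parts[2], parts[3], parts[4]
    return f"{vendor}:{product}", version


# Constructed vulnerability database; CVE and patch ids are placeholders
VULN_DB = [
    VulnRecord("CVE-0000-0101", "adobe:reader", "7.0", "10.2", None),
    VulnRecord("CVE-0000-0102", "oracle:jre", "6.0", "7.11", None),
    VulnRecord("CVE-0000-0103", "microsoft:windows_7", "0", None, "KB-PLACEHOLDER-1"),
    VulnRecord("CVE-0000-0104", "mozilla:firefox", "20.0", "24.0", None),
]

# Constructed inventory as asset / patch management would report it
INVENTORY = {
    "pc042": {"cpes": ["cpe:/o:microsoft:windows_7:sp1", "cpe:/a:adobe:reader:10.1",
                       "cpe:/a:oracle:jre:7.10", "cpe:/a:mozilla:firefox:24.0"],
              "patches": set()},
    "pc043": {"cpes": ["cpe:/o:microsoft:windows_7:sp1", "cpe:/a:adobe:reader:10.2",
                       "cpe:/a:oracle:jre:7.11"],
              "patches": {"KB-PLACEHOLDER-1"}},
}


def is_affected(rec, version):
    """True when version falls in [affected_min, fixed_in)."""
    v = version_tuple(version)
    if v < version_tuple(rec.affected_min):
        return False
    return rec.fixed_in is None or v < version_tuple(rec.fixed_in)


def deduce(inventory, vulndb):
    """Return {host: sorted CVE list} deduced from installed products and patches.
    If a product appears twice on a host the later CPE wins; a real catalog
    would keep both entries."""
    result = {}
    for host, data in inventory.items():
        installed = dict(parse_cpe(c) for c in data["cpes"])
        found = set()
        for rec in vulndb:
            version = installed.get(rec.product)
            if version is None or not is_affected(rec, version):
                continue
            if rec.fixed_by_patch and rec.fixed_by_patch in data["patches"]:
                continue   # patch-level data retires the finding
            found.add(rec.cve)
        result[host] = sorted(found)
    return result


if __name__ == "__main__":
    for host, cves in deduce(INVENTORY, VULN_DB).items():
        print(host, cves)
```

The two hosts differ only in versions and one installed patch, and that difference is the whole output: pc042 gets three findings, pc043 none. Because the input is inventory rather than a probe, the same function runs over every host the CMDB knows about at whatever rate the inventory refreshes, which is the speed difference slide 38 is about.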
38. Speed
Typical scanner: 250 host/hour vs. Analytical Scan: 100,000 host/hour
39. Analytics Give You a Continuous View of Vulnerabilities
Combining active scanning and analytics-based vulnerability detection
Chart: coverage over time (Month 1 – Month 3, 50% – 100%), Active scanner vs. Analytics-based detection
40. Case Study
Large Multi-national
– Visibility on ~100% of hosts in less than
a week.
– Able to eradicate Heartbleed on 98% of
PCs (over 500k) in less than a week.
– Complete eradication in 23 days.
– Has visibility into network devices.
– Able to discover vulnerabilities on
mission critical portions of the network.
41. Not all scanners have every vulnerability
Qualys McAfee TripWire Tenable
CVE-2014-4228 Jul 17 Jul 29 Not Added Jul 16
CVE-2014-4943 Jul 28 Jul 24 Jul 19 Jul 17
CVE-2013-1741 Apr 4 Dec 11 Nov 18 Dec 6
CVE-2014-4607 Jul 14 Jul 10 Jan 1 Jun 27
CVE-2014-2804 Apr 28 Jun 25 Jul 8 Jul 8
CVE-2014-2783 Apr 28 Jul 8 Sep 26 Jul 8
CVE-2014-1375 Jul 2 Not Added Jun 30 Jul 1
CVE-2014-1369 Not Added Jul 10 Not Added Jun 30
CVE-2014-0015 Not Added Jul 9 Jun 30 Not Added
Date vulnerability was added to scanner by vendor
42. Your scanner needs to be part of a greater plan
The more data sources you can include, the better.
Advisories: Adobe, Cisco PSIRT, Microsoft Security Bulletin, Oracle
Scanners: eEye Retina*, ISS Internet Scanner*, McAfee Foundstone, Qualys Guard, Rapid7 Nexpose, Tenable Nessus, Tripwire nCircle
IPS: HP Tipping Point, ISS Proventia, Palo-Alto Networks, SourceFire, Symantec
Other Sources: CERT, Mitre CVE, NIST’s NVD, Rapid7 Metasploit, SecurityFocus, Symantec Worms
43. The Power of Seven Scanners at Once
44. The Process
Remediation and Tracking – Do you know how you are doing?
45. Remediation Reporting
46. The Punchline
To ensure that risk-causing vulnerabilities exist in an
exploitable state for the shortest amount of time
possible, you must:
– Discover vulnerabilities quickly – Challenge the Active Scanner
Status Quo
– Understand the relationship between the hosts and your
vulnerabilities to discover what matters
– Remediate or mitigate based on analysis or risk – not severity.
Enable reporting.
47. Thank you!
Interested in Skybox for Vulnerability Assessment and
Management? Start your 30-Day Trial today!
www.skyboxsecurity.com/trial
Speaker notes
Sean Keef, I run Sales Engineering for Skybox Security. I’ll share with you a little about me and my company and then I’ll jump into the preso.
I started in networking 25 years ago back in the Novell days and have spent my last 15 years working on security products, mostly on the SIEM and network security side of things. The company I’m with now, Skybox Security, makes a piece of software that, among other things, helps organizations address issues found throughout the vulnerability management lifecycle.
Today I’m going to talk about some of those principles in a more generic format, addressing shortcomings in the current vulnerability management status quo and pointing out some strategies one could implement to improve the entire process. I spend a lot of time talking to organizations about their vm programs. What I’ll be sharing today comes from those conversations.
Show of hands – How many people are responsible for or work with the vulnerability management program for your company?