Presented at Black Hat 2014. Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It’s a wildly uneven match where a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on time-honored methodology to fix vulnerabilities in order of severity. But severity-based vulnerability management misses the mark completely, as it overlooks the fact that risk exposure is the real concern. This workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible to ensure a reduction in risk and the shrinking the attack surface over time. In this deep dive session on vulnerability analysis and prioritization, we’ll cover: - Calculating risk exposure: Risk = Impact * Likelihood * Time - The data you need to be collecting about assets and vulnerabilities - Prioritizing vulnerabilities using simple 2 factor relationships - Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data - Techniques to drive down the risk exposure time

1. Sean Keef
Director, Sales Engineering
Skybox Security
Don’t be a Target: Everything You Know About
Vulnerability Prioritization is Wrong

2. © 2014 Skybox Security Inc., Confidential 2
Everything you ‘know’ about VM is wrong:
 My active scanner finds all known vulnerabilities
 Our traditional VM approach is reducing risk
 We know what we need to fix first
 Severity is a good indicator of what to fix
 Low and medium severity vulnerabilities can be ignored
 30 days scan cycle is acceptable

3. © 2014 Skybox Security Inc., Confidential 3
Agenda
 The Present
 The Purpose
 The Pain
 Relationships
 The Prioritization
 The Process
 The Punchline

4. © 2014 Skybox Security Inc., Confidential 4
Definitions
 Risk – The probability of
occurrence and degree of damage
an undesirable event will cause.
 Vulnerability – Host-based,
application and operating system
vulnerabilities.
 Vulnerability Management – The
process of discovering, prioritizing
and remediating vulnerabilities

5. © 2014 Skybox Security Inc., Confidential 5
Case Study (FinCorp Bank)
 90% of the servers are scanned
every 30 days
 50% Workstations are scanned
every 90 day
 Average PC has ~117
vulnerabilities
 Over 1 million vulnerabilities to be
remediated
 Critical severity remediation SLA
is 15 days

6. © 2014 Skybox Security Inc., Confidential 6
The Present
Vulnerability Management
 Discovery with an active scanner
 Prioritization, remediation and
SLAs based on severity
 Critical vulnerabilities are not
remediated before the next scan is
executed, leading to SLAs not
being met.

7. © 2014 Skybox Security Inc., Confidential 7
The Purpose
 To ensure that risk causing vulnerabilities exist in an
exploitable state for the shortest amount of time possible
Risk
Time

8. © 2014 Skybox Security Inc., Confidential 8
Case Study (FinCorp Bank)
 Spends ~100 man hours per week remediating vulnerabilities
 Week to Week:
– Average ~1 million vulnerabilities
– Average ~20% Critical, ~50% High, ~30% Medium or lower
– No significant reduction of vulnerability count or breakdown week
over week. (Was actually growing.)
 No real plan for how to reduce the overall number of
vulnerabilities or overall risk.
 No prioritization plan beyond severity.
A realization that severity based remediation isn’t doing the job.

9. © 2014 Skybox Security Inc., Confidential 9
Risk
Time
The Pain
 Risk is not decreased over time
Remediating low
risk-causing
vulnerabilities
Not remediating
high risk-causing
vulnerabilities
Remediating
high risk-causing
vulnerabilities
Severity Risk

10. © 2014 Skybox Security Inc., Confidential 10
Case Study (FinCorp Bank)
 Priorities
1. Risk visibility and qualification
2. Prioritization
3. Communication
 Solutions
– Collect more data
– Correlate the data
– Relationships

11. © 2014 Skybox Security Inc., Confidential 11
Relationships
Exploitability
Impact
SeveritySeverity

12. © 2014 Skybox Security Inc., Confidential 12
Host – Vulnerability Relationship
Hosts Vulnerabilities

13. © 2014 Skybox Security Inc., Confidential 13
Host – Vulnerability Relationship
VulnerabilitiesHosts
Asset DataNetwork Map Vulnerability Data

14. © 2014 Skybox Security Inc., Confidential 14
Host Value
Assets
Value
Function
Location
 Asset Data
– Baby Steps
• Get the data that exists
• PIC CDE machines
• Important networks
• Known critical machines
• Incomplete is better than
nothing
– Asset classification is its
own project

15. © 2014 Skybox Security Inc., Confidential 15
Host Loss
Assets
C A IConfidentiality
Availability
Integrity

16. © 2014 Skybox Security Inc., Confidential 16
Host – Vulnerability Relationship
Vulnerabilities
C A I

17. © 2014 Skybox Security Inc., Confidential 17
Host – Vulnerability Relationship
Vulnerabilities
Expanded
Vulnerability
Data

18. © 2014 Skybox Security Inc., Confidential 18
Vulnerability Attributes
Vulnerability
Impact
IPS
Severity
Vector
Catalog

19. © 2014 Skybox Security Inc., Confidential 19
Host – Vulnerability Relationship
Vulnerability
Impact
IPS
Severity
Network
Catalog
Assets

20. © 2014 Skybox Security Inc., Confidential 20
 Vulnerability + Host importance
(Impact)
 Vulnerability + Time on host
 Vulnerability + Host location
 Vulnerability + Host type
 Vulnerability + Patch
(Quick win)
 Vulnerability + IPS Signature
(IPS shielding)
Prioritization – Simple Relationships
Easy – (Scanner / Spreadsheet / Script)
Easy – (Scanner / Spreadsheet / Script)
Easy – (Scanner / Spreadsheet / Script)
Easy – (Scanner / Spreadsheet / Script)
Hard – (Application)
Hard – (Application)

21. © 2014 Skybox Security Inc., Confidential 21
Prioritization – IPS Signature to Vulnerability

22. © 2014 Skybox Security Inc., Confidential 22
Prioritization – Patch to Vulnerability
Quick Win!

23. © 2014 Skybox Security Inc., Confidential 23
Case Study (FinCorp Bank)
 <Missing something>
 Critical vulnerabilities on PCI
CDE Hosts
 Vulnerabilities that can be IPS
Shielded
 Patch that wipes out the most
vulnerabilities

24. © 2014 Skybox Security Inc., Confidential 24
Prioritization – Complex Relationships
Risk = Impact * Likelihood * Time
Vulnerability
&
Host
Host w/ Vulnerability
&
Network Security

25. © 2014 Skybox Security Inc., Confidential 25
Likelihood
Compromised Workstation
Foreign
Threat
Exploited
Partner
Attack
Simulations
Vulnerabilities
 CVE 2014-0160
 CVE 2014-0515
 CVE 2014-1776

26. © 2014 Skybox Security Inc., Confidential 26
Stair Step Attacks

27. © 2014 Skybox Security Inc., Confidential 27
Prioritize Vulnerabilities by Multiple Factors
Vulnerabilities Prioritized
Directly Exploitable Vulnerabilities
Vulnerabilities on PCI hosts
IPS Shielded Vulnerabilities
Vulnerabilities remediated with a
single MS Bulletin

28. © 2014 Skybox Security Inc., Confidential 28
Risk
Time
The Result
 Risk is reduced over time
 Risk visibility and communication is increased
Remediating
high risk-causing
vulnerabilities Risk reduced by
reducing attack
surface

29. © 2014 Skybox Security Inc., Confidential 29
Case Study (FinCorp Bank)
Before
 Losing the fixed vs found battle
 Unfocused remediation
 Risk not reduced over time
After
 Full visibility into many
relationships
 Risk and attack surface reduced
week over week
 Understanding of network
topology + network map
Result – More effective understanding and
application of remediation options

30. © 2014 Skybox Security Inc., Confidential 30
The Process
 Discovery – Is there a better way than active scanning?

31. © 2014 Skybox Security Inc., Confidential 31
Case Study
 Large Multi-national
– Central IT / Strong Business Units
– Loosely controlled scanning / Business units can opt out.
– CISO needed to be able to ensure a single vulnerability was
wiped out.
– Had SCCM everywhere

32. © 2014 Skybox Security Inc., Confidential 32
Limited and Out of Date Information
The value of vulnerability information decays over time
Time
Add
knowledge
during scan
Decay of
knowledge
post scan
Month 1 Month 2 Month 3
80%
100%
Missing
data
60%

33. © 2014 Skybox Security Inc., Confidential 33
We just don’t need to scan more
Unable to gain credentialed access to scan
portions of the network
The cost of licenses is prohibitive
Some hosts are not scannable due to their use
We don't have the resources to deal with
broader patching activity
We don’t have the resources to analyze more
frequent scan data
We are concerned about disruptions from
scanning 59%
58%
41%
34%
29%
12%
5%
Reasons that respondents don’t scan more often
Why Not Scan More Often? (2012 Survey)
It’s Just Too Difficult

34. © 2014 Skybox Security Inc., Confidential 34
So Security Teams Try to Limit Impact
Disruption
“Oops, we took
down the net”
Scan
Today
Scan
Next Week
Scan
Next Month
Scan
Next Year
Scan NEVER

35. © 2014 Skybox Security Inc., Confidential 35
Scan Frequency and Coverage (2012 Survey)
0
50
100
150
200
250
300
350
10% 20% 30% 40% 50% 60% 70% 80% 90%
Frequency and Coverage
ScanFrequencyinDays
% of Network Scanned
Partner/External
Networks
~60-90 days
<50% of hosts
Critical
systems, DMZ
~30 days
50-75% of hosts
Goal
~Daily / Continuous
90%+ of hosts

36. © 2014 Skybox Security Inc., Confidential 36
Host – Vulnerability Relationship
Asset
Windows
7
Firefox
Adobe
Reader
10
Java SE
20
Buffer
Overflow
Window
7
Windows
2K SP2
Windows
2K SP1
Remote
Code
Execution
Adobe
Reader
8
Adobe
Reader
9
Adobe
Reader
10
Adobe
Reader
7.7
Security
Bypass
Firefox
Thunderbir
d
SeaMonke
y
Remote
DOS
IIS
6.0
IIS
7.5
Remote
Unspecified
Java
7.4
Java
FX
2.2.4
Java
JRE
6.7
Java
SE
7.11

37. © 2014 Skybox Security Inc., Confidential 37
Vulnerability Deduction Process
Vulnerability
Deduction
Product Catalog
(CPE)
OS version & patch level.
Application versions
Vulnerability
List
(CVE)
Vulnerability
Database
ProductProfiling
Asset / Patch
Management
Networking
Devices
Active
Scanner

38. © 2014 Skybox Security Inc., Confidential 38
Speed
Typical scanner Analytical Scan
250host/hour
100,000host/hour
VS

39. © 2014 Skybox Security Inc., Confidential 39
Analytics Give You a Continuous View
of Vulnerabilities
Time
Month 1 Month 2 Month 3
50%
Combining active scanning and analytics
based vulnerability detection
100%
Active
scanner
Analytics-based
detection

40. © 2014 Skybox Security Inc., Confidential 40
Case Study
 Large MultiNational
– Visibility on ~100% of hosts in less than
a week.
– Able to eradicate Heartbleed on 98% of
PCs (over 500k) in less than a week.
– Complete eradication in 23 days.
– Has visibility into network devices.
– Able to discover vulnerabilities on
mission critical portions of the network.

41. © 2014 Skybox Security Inc., Confidential 41
Not all scanners have every vulnerability
Qualys McAfee TripWire Tenable
CVE-2014-4228 Jul 17 Jul 29 Not Added Jul 16
CVE-2014-4943 Jul 28 Jul 24 Jul 19 Jul 17
CVE-2013-1741 Apr 4 Dec 11 Nov 18 Dec 6
CVE-2014-4607 Jul 14 Jul 10 Jan 1 Jun 27
CVE-2014-2804 Apr 28 Jun 25 Jul 8 Jul 8
CVE-2014-2783 Apr 28 Jul 8 Sep 26 Jul 8
CVE-2014-1375 Jul 2 Not Added Jun 30 Jul 1
CVE-2014-1369 Not Added Jul 10 Not Added Jun 30
CVE-2014-0015 Not Added Jul 9 Jun 30 Not Added
Date vulnerability was added to scanner by vendor

42. © 2014 Skybox Security Inc., Confidential 42
Your scanner needs to be part of a greater
plan
The more data sources you can include, the better.
Advisories Scanners IPS Other Sources
Adobe eEye Retina* HP Tipping Point CERT
Cisco PSIRT ISS Internet Scanner* ISS Proventia Mitre CVE
Microsoft Security
Bulletin
McAfee Foundstone Palo-Alto Networks NIST’s NVD
Oracle Qualys Guard SourceFire Rapid7 Metasploit
Rapid7 Nexpose SourceFite Rapid7 Metasploit
Tenable Nessus Symantec
SecurityFocus
Tripwire nCirce Symantec Worms

43. © 2014 Skybox Security Inc., Confidential 43
The Power of Seven Scanners at Once

44. © 2014 Skybox Security Inc., Confidential 44
The Process
 Remediation and Tracking – Do you know how you are
doing?

45. © 2014 Skybox Security Inc., Confidential 45
Remediation Reporting

46. © 2014 Skybox Security Inc., Confidential 46
The Punchline
 To ensuring that risk causing vulnerabilities exist in an
exploitable state for the shortest amount of time
possible, you must:
– Discover vulnerabilities quickly – Challenge the Active Scanner
Status Quo
– Understand the relationship between the hosts and your
vulnerabilities to discover what matters
– Remediate or mitigate based on analysis or risk – not severity.
Enable reporting.

47. © 2014 Skybox Security Inc., Confidential 47
Thank you!
Interested in Skybox for Vulnerability Assessment and
Management? Start your 30-Day Trial today!
www.skyboxsecurity.com/trial