Next-Generation Vulnerability Management
Transform Checkbox Compliance into a Powerful Risk Mitigation Tool
Skybox Security whitepaper, June 2014
Executive Summary
Vulnerability management is the process of identifying, classifying, and mitigating vulnerabilities.
Today, vulnerability management is a critical aspect of every enterprise’s security program. A single vulnerability can be exploited by an attacker to gain an entry point to the network, and most large enterprises have hundreds of thousands of vulnerabilities on their networks. Targeted attacks and advanced persistent threats (APTs) are the new norm of cyber security threats, and they frequently use vulnerabilities to penetrate enterprises and government agencies in search of valuable data, trade secrets, and access to internal systems.
Significant APTs such as Operation Aurora, LuckyCat, and DigiNotar took advantage of application and network vulnerabilities to successfully steal valuable, proprietary information. Every successful breach comes with a heavy price to the organization in compromised brand reputation, customer turnover, and the time and money spent on repairs. For example, the Gozi-Prinimalka attack campaign is responsible for a reported $5 million in theft from U.S. bank accounts.
Vulnerability management is important to an organization’s overall security posture, and 90 percent of firms indicate that they have an established vulnerability management program. Yet 49 percent of security professionals say their network is at least somewhat vulnerable to security threats.[1] This disconnect stems largely from organizations being unable to evaluate and prioritize vulnerability data effectively.
This whitepaper explores the primary processes of the vulnerability management lifecycle, reviews current areas of deficiency, and introduces next-generation vulnerability management.
Introduction to Vulnerability Management
A vulnerability is a security weakness or flaw in a component of an organization’s technology stack. Vulnerabilities may exist on network devices, servers, PCs, mobile devices, applications, or any other elements connected to the network. Attackers exploit vulnerabilities on the attack surface (the part of the technology stack that is exposed) using various techniques, including APTs, malware, script kiddies, and others. Many threats then leverage other exploitable vulnerabilities further downstream, using attack vectors that typically lie in the inner part of the network.
In modern networks the attack surface can be extremely large. Networks contain elements that are managed by the organization, such as data center components, the enterprise network, and PCs, and elements that are partially managed or not managed at all, such as mobile devices (BYOD) and corporate assets in a public cloud.
A typical organization’s network has many vulnerabilities per device or system. Therefore, even a small organization may have tens of thousands of vulnerabilities, and a Global 2000 organization would generally have vulnerabilities in the millions. With ten to twenty new vulnerability advisories published every day, finding and eliminating vulnerabilities is a continuous battle.
Vulnerability management is the term used for the process of finding, analyzing, and remediating vulnerabilities in a systematic way. Ideally, the process is used proactively to identify and fix vulnerabilities before they can be exploited by malware or a human attacker.
A comprehensive vulnerability management process is a critical component of an organization’s risk management program, and multiple stakeholders have a vested interest in its success: the security teams who are typically responsible for managing the lifecycle of vulnerabilities, the compliance teams who are responsible for auditing the compliance of the vulnerability management program with regulations and corporate policies, and the IT operations teams who are responsible for fixing, eliminating, and shielding the vulnerabilities.
A typical vulnerability management process entails a full lifecycle:
• Discovery: Creates an inventory of the assets across the network, identifies the vulnerabilities of the various elements of the technology stack, and stays current on breaking threat alerts.
• Analysis and Prioritization: Identifies the vulnerabilities that pose the greatest risk based on the exposure of critical assets and corporate policies for vulnerability remediation.
• Compliance: Documents the level of business risk associated with assets, which is required or recommended by regulations such as PCI DSS 2.0, security best practices, and company policies.
• Remediation: Prioritizes and fixes vulnerabilities by applying patches, shielding the vulnerability from exploitation (typically by the use of Intrusion Prevention Systems), removing applications, closing firewall ports, etc.
• Monitoring: Continuously monitors the network for vulnerabilities to prevent potential cyber attacks and data breaches.
A well-established and well-executed vulnerability management process is needed for both security and compliance reasons:
1. Detective and responsive controls are not sufficient for risk reduction.
   a. Detective controls, such as intrusion detection systems or advanced threat protection, do not block many attacks, and they have inherent latency because a signature must be provided after a new vulnerability becomes known. Therefore, detective controls alone cannot mitigate the risks to critical assets.
   b. Responsive controls, such as SIEM technologies used for incident response, typically deal with the attack after the breach has happened and major damage has been done, if they deal with the attack at all.
   c. Preventative approaches like vulnerability management programs reduce risk by eliminating exposure to attacks altogether, and in the most cost-effective way (i.e. patching or shielding is much cheaper than recovery from a breach). For example, organizations report a reduction in risk assessment time of 90 percent and a reduction in patching work of more than 75 percent.
2. Implementing a vulnerability management program is a best-practice recommendation and part of multiple compliance requirements, including PCI DSS. Vulnerability management is a standard process in most security organizations and part of the CISO’s defined responsibilities to understand and lower overall risk and improve security by reducing the attack surface.
3. Continuous monitoring mandates, such as NIST SP 800-37 and NIST SP 800-53, require that the vulnerability management process be executed as often as major changes in the threat landscape and the IT environment occur. In reality, the threat landscape and IT environments change daily (typically many times a day). Therefore the vulnerability management process should be run on a truly continuous basis.
The vulnerability management process can be very useful and provide a great return on investment when implemented carefully, monitored for effectiveness, and adjusted regularly. However, security professionals often report a long list of implementation, management, and operational challenges, limitations, and disruptions inherent in previous-generation vulnerability scanners.
The 300-Page Report and Other Deficiencies of Current Approaches
Many people use the terms vulnerability scanning, vulnerability assessment, and vulnerability management process interchangeably, but the terms are not synonymous. Vulnerability management is the complete lifecycle process. Vulnerability assessment is part of this process, and a vulnerability scanner is the tool most often used today for vulnerability discovery.
A vulnerability scanner is a tool (software, appliance, or a service) that discovers vulnerabilities in some or all of the technology stack by running thousands of tests on every node in the network. The number of distinct tests can be extremely large. For example, a 10,000 node network with 1,000 tests per node will result in 10,000,000 distinct tests for vulnerabilities.
There are some critical challenges with scanning technologies that significantly limit the usefulness of a vulnerability management process that relies on a scanner:
Information Overload
• The result of a scanning process is typically a very long report that includes lists of thousands of vulnerabilities found in a small network and possibly millions of vulnerabilities in a large enterprise network. A 300-page report with long and boring tables is a common output from a scanner. Security analysts then have a choice—spend days or weeks sifting through the raw data or store the report in a drawer, out of sight.
In summary, organizations attempting to run a well-managed vulnerability management process find that vulnerability scanners create the following challenges:
• Only partial coverage of the network.
• Disruption of critical services.
• Exposure of the organization to known vulnerabilities for weeks and even months.
• Significant cost and man-hours to analyze scanning reports.
• No clear action items for remediation.
Active Scanning Challenges
• Active scanners send a huge number of packets through the network to ports used by operational applications and services, which can seriously disrupt critical network services. To compensate, organizations often refrain from frequent scanning and limit scanning to well-defined windows. With these restrictions, it takes a long time to complete one cycle—even several months in a large network—often making the vulnerability data obsolete by the time a complete report is available.
• This leaves organizations with an unbearable trade-off—disruption due to an intrusive vulnerability discovery process, or disruption due to a security breach.
• Moreover, many nodes in the expanded enterprise network cannot be scanned at all, such as mobile devices (especially BYOD), assets in a public cloud, SCADA devices, and medical devices.
Not Actionable
• Scanner reports prioritize vulnerabilities based on asset importance and a pre-defined vulnerability severity ranking, typically based on Common Vulnerability Scoring System (CVSS) scores. This methodology does not consider the network context of each vulnerability. For example, is there a security control that prevents exploitation and lowers the downstream risk to a critical asset? If so, then a high-severity vulnerability could actually be low risk. This naïve methodology, which ignores network context, leads administrators to fix the wrong vulnerabilities and ignore the important ones.
• Network context should be considered again when it comes to remediation alternatives. For example, a high priority vulnerability may be shielded by turning on an IPS signature. However, if the scanning report does not take into account that an IPS is available in a location that can prevent the exploitation, then the mitigation recommendations will not include this option and may point to more complicated, less effective alternatives.
• Scanning reports are oriented for a security audience and do not provide the information required for the IT operations team to perform mitigating changes, such as which patches
[Figure: solution architecture diagram. Components shown: Workflow and Tickets; Reports and Metrics; Vulnerability Analysis; Non-Invasive Vulnerability Detector; Traditional Scanner Data; Vulnerability Dictionary; Network Context; Remediation Options; Attack Simulation.]
As a result, many organizations see vulnerability management mainly as a way to “check the box” for compliance reporting, and not as an effective security tool.
Introduction to Next-Generation Vulnerability Management
As in many IT management tasks, the toughest roadblocks to improving the vulnerability management process are operational:
• How can vulnerability management be scalable?
• How can detection and remediation cycles be fast enough to minimize the exposure window?
• How can vulnerability discovery avoid disruption?
• How can the vulnerability management process be automated?
• How can the process ensure that security and IT operations teams are on the same page regarding risks and action items?
Next-Generation Vulnerability Management (NGVM) solutions are designed to effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, remove operational roadblocks, and provide up-to-date vulnerability visibility to the organization.
A scanless discovery approach offers many benefits:
• Fast discovery cycle time enables analysis of huge networks with hundreds of thousands of nodes in hours and small networks with thousands of nodes in minutes.
• Non-disruptive discovery by analyzing information repositories as opposed to “touching” every node enables organizations to perform continuous vulnerability discovery, without the fear of network disruption.
• Broad coverage enables analysis of nodes that are banned from or not recommended for scanning, such as critical systems, network and mobile devices, and assets in the cloud.
This scanless discovery can work in conjunction with any scanner (e.g. network vulnerability scanners, web application scanners, and database scanners), so organizations don’t need to give up their other discovery techniques. However, organizations no longer need to be limited by the constraints of using vulnerability scanners as a standalone solution for vulnerability discovery.
Analytics-Driven Prioritization
Once fresh vulnerability data is available on a continuous basis, the next challenge is automating analysis of the vulnerabilities to focus on the critical risks and not waste time on low-risk exposures. The idea is to create a short list of action items that can be executed quickly in order to eliminate the risk of exploitation by attackers.
How can organizations determine which vulnerabilities are critical and which should be skipped? There are two approaches commonly used together for prioritization:
Hot Spots Analysis
This approach finds groups of hosts on the attack surface with a high density of severe vulnerabilities, which can be fixed en masse by broad action items, such as patching.
Attack Vectors Analysis
This is a surgical approach that finds specific, high-risk attack vectors around one or a few hosts that would require quick remediation (patching, shielding, network reconfiguration) to eliminate exposure to specific targeted assets.
Approach: Hot Spots Analysis
Applicable scenarios:
• Large population of exploitable hosts in the network that are on or close to the attack surface, where relatively simple action items (such as patching a large set of clients) can be applied to solve the issue.
• Organization has a strict policy regarding remediation of vulnerabilities as a function of severity level.
Examples:
• Patching all 1,000 instances of Java-based client applications due to a new vulnerability advisory published by Oracle that shows how remote code execution is possible by leveraging a buffer overflow vulnerability.
• Vulnerability remediation policy requires all high-severity or critical vulnerabilities on database servers to be patched within 1 week.

Approach: Attack Vectors Analysis
Applicable scenarios:
• Small population of exploitable hosts that are not necessarily on the attack surface (e.g. a virtualization platform in the datacenter), or where simple remediation actions are not available at that point in time (e.g. a patch cannot be applied due to a software dependency or a far-away patch window).
• Concern about targeted attacks by APTs and other threats that require surgical analysis and remediation of possible attack scenarios.
Examples:
• Turning on a specific IPS signature in front of the virtualization platform management ports to avoid possible exploitation, which can be used as a temporary measure until a patch can be applied.
Contextual Remediation
Once a short list of action items is available, the organization needs to find the optimal remediation alternatives, communicate effectively with the relevant IT operations team, and track progress. Next-generation vulnerability management solutions do exactly that by providing the following capabilities:
• Context-aware remediation recommendations consider a variety of remedial actions, such as IPS signature activation, firewall configuration changes, patching, system configuration, and more.
• Views that fit operations teams. A quote to remember: “System operations don’t fix vulnerabilities, they
Operational Efficiency
Orchestrating remediation with the various IT operations teams allows each to see and act upon its own action items, enabling an operationally efficient remediation process.
Automated Remediation Tracking
Automated tracking of remediation progress gives executives visibility into the trend of risk levels in the organization.
The Skybox Security Solution for Vulnerability Management
The Skybox Security Next-Generation Vulnerability Management solution, based on Skybox Risk Control, continuously monitors the attack surface and critical attack vectors. This feeds vulnerability data into automated risk-based prioritization and remediation, which allows security teams to immediately remediate critical vulnerabilities. Skybox Risk Control can complete vulnerability discovery, analysis, and remediation tasks in a large enterprise environment in a single work day, and complete vulnerability discovery at least 50 times faster than traditional vulnerability assessment with an active scanner.
Enterprises and government agencies using the Skybox vulnerability management solution report breakthrough results:
• Nearly 100 percent reporting accuracy every day, with no disruption.
• False positive reduction to near-zero levels.
• Elimination of 99 percent of irrelevant vulnerability data.
• Detection of 100,000 real vulnerabilities within hours of deployment.
• Same-day discovery, analysis and remediation of critical risks.
• Effective reduction of risk, prior to exploitation—for the first time.
Non-Disruptive, Scanless Vulnerability Discovery
Skybox is the first vendor to provide a scalable solution for scanless discovery of vulnerabilities. Skybox scanless discovery converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog. It then deduces a list of vulnerabilities present in the network environment. With this information, more than 90 percent of the vulnerabilities in a typical enterprise network can be accurately discovered without an active scan. This approach eliminates the many challenges associated with active scanning and provides the following benefits:
• Continuous vulnerability discovery covers 90 percent of very large networks in less than one day, compared to traditional vulnerability management processes that take 30-90 days to cover 50 percent of such networks.
• Comprehensive coverage enables organizations to detect vulnerabilities on previously non-scannable parts of the network, such as critical systems, network devices, and mobile devices.
• Vulnerability assessment delivers detection at speeds of 12,000 hosts per hour, compared to the typical 250 hosts per hour with a traditional active scanner.
• A non-disruptive technique discovers vulnerabilities from information repositories rather than “touching” every node.
• This approach to vulnerability management implements easily and effectively reduces the attack surface.
Automated Analytics-Based Prioritization
Skybox Security uses multiple, complementary analytic approaches to prioritize vulnerabilities in the context of the enterprise IT infrastructure:
• Hot Spot analysis of the attack surface allows a quick focus on the most exposed elements of the technology stack. This analysis highlights the root cause for the exposure and provides broad-brush action items that are relevant for a large group of
• Attack Simulation analysis finds attack scenarios using chains of multiple attack vectors that lead to possible exploitation of critical assets, considering the configuration of all security controls, such as firewalls and IPS, the network topology, and other factors. This analysis provides a surgical identification of critical attack vectors that must be eliminated as soon as possible to prevent an advanced targeted attack or fast-spreading malware. Remediation prioritization is based on risk metrics that quantify the likelihood of the attack vector being exploited times the potential damage to the downstream asset.
The Skybox analytic approach provides organizations with significant advantages. Even for a very large network with many vulnerabilities, Skybox analytics-driven prioritization reduces the number of distinct action items by 95 percent or more, compared to active scanning alone. In addition, the Skybox analysis is done automatically, which eliminates the need to manually analyze long lists of vulnerabilities and enables the process to be completed in hours instead of weeks or months.
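The prioritization described above (hot spots for broad fixes, attack vectors ranked by exploitation likelihood times damage, with network context such as IPS shielding and firewall reachability taken into account) is illustrated by the following added Python example. It is not Skybox code or the product's actual scoring: the hosts, the placeholder vulnerability identifiers, and all weighting factors are constructed assumptions chosen to show how a CVSS-only ranking and a context-aware ranking diverge.

```python
"""Context-aware vulnerability prioritization, a constructed illustration: hot-spot
density for broad fixes, and per-vulnerability risk = likelihood x damage where
likelihood reflects network context (reachability, IPS shielding) that CVSS ignores.
All weights, hosts and vulnerability identifiers are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    group: str            # e.g. "workstations", "dmz", "datacenter"
    asset_value: int      # damage if compromised: 1 (low) .. 10 (critical)
    on_attack_surface: bool

@dataclass(frozen=True)
class Vuln:
    vid: str              # placeholder identifier, not a real CVE
    host: str
    cvss: float
    exploit_public: bool

@dataclass(frozen=True)
class NetworkContext:
    reachable_from_internet: frozenset  # hosts a firewall path exposes outward
    ips_shielded: frozenset             # vuln ids covered by an enabled IPS signature

def likelihood(v, h, ctx):
    """Score in [0, 1]: how likely v on h is exploited, given the network context."""
    score = v.cvss / 10.0
    if v.exploit_public:                  # public exploit code raises the odds
        score = min(1.0, score * 1.2)
    if v.vid in ctx.ips_shielded:         # an IPS in the path blocks the exploit
        score *= 0.1
    if not h.on_attack_surface and h.name not in ctx.reachable_from_internet:
        score *= 0.3                      # attacker first needs a downstream foothold
    return round(score, 3)

def contextual_risk(v, hosts, ctx):
    """Risk metric: exploitation likelihood times damage to the affected asset."""
    h = hosts[v.host]
    return round(likelihood(v, h, ctx) * h.asset_value, 2)

def cvss_only_ranking(vulns):
    """What a plain scanner report shows: severity alone, no network context."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def attack_vector_shortlist(vulns, hosts, ctx, top=3):
    """Surgical list of the highest contextual risks as (vuln id, host, risk)."""
    ranked = sorted(vulns, key=lambda v: contextual_risk(v, hosts, ctx), reverse=True)
    return [(v.vid, v.host, contextual_risk(v, hosts, ctx)) for v in ranked[:top]]

def hot_spots(vulns, hosts, severity=7.0, min_hosts=3):
    """Attack-surface groups where >= min_hosts hosts carry a severe vulnerability:
    candidates for one broad action item such as mass patching."""
    affected = defaultdict(set)
    for v in vulns:
        h = hosts[v.host]
        if h.on_attack_surface and v.cvss >= severity:
            affected[h.group].add(h.name)
    return {g: sorted(n) for g, n in affected.items() if len(n) >= min_hosts}

# Constructed inventory: Java clients, a DMZ web server, a firewall-reachable database
# server, and a hypervisor manager whose critical flaw an IPS signature already shields.
HOSTS = {h.name: h for h in [
    *(Host(f"ws{i}", "workstations", 2, True) for i in range(1, 5)),
    Host("web1", "dmz", 8, True),
    Host("db1", "datacenter", 10, False),
    Host("vcenter", "datacenter", 10, False)]}
VULNS = [*(Vuln("VULN-JAVA-CLIENT", f"ws{i}", 9.3, True) for i in range(1, 5)),
         Vuln("VULN-WEB-APP", "web1", 7.5, True),
         Vuln("VULN-DB-SERVER", "db1", 8.0, False),
         Vuln("VULN-HYPERVISOR-MGMT", "vcenter", 9.8, True)]
CTX = NetworkContext(reachable_from_internet=frozenset({"web1", "db1"}),
                     ips_shielded=frozenset({"VULN-HYPERVISOR-MGMT"}))
if __name__ == "__main__":
    print("CVSS-only top item:", cvss_only_ranking(VULNS)[0])  # VULN-HYPERVISOR-MGMT
    print("Hot spots:", hot_spots(VULNS, HOSTS))               # workstations ws1..ws4
    print("Short list:", attack_vector_shortlist(VULNS, HOSTS, CTX))
```

The shielded CVSS 9.8 hypervisor flaw tops the CVSS-only list but drops to a risk of 0.3 once the IPS signature and its position off the attack surface are considered, while the CVSS 8.0 database flaw reachable through the firewall ranks first.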
Context-Aware Remediation
With Skybox Security context-aware remediation, IT operations teams gain visibility into the critical ‘short list’ of vulnerabilities that require immediate action. The solution then offers remediation alternatives, considering a variety of actions such as IPS signature activation, firewall configuration changes, patching, system configuration, and more.
Skybox Security Next-Generation Vulnerability Management also provides a built-in workflow environment that supports the day-to-day operations of triage and remediation, enabling a smooth connection between the vulnerability management and IT operations groups. This integration enables actionable remediation through a streamlined process:
• Tickets (vulnerability or remediation items to be processed) are generated automatically based on analysis results and predefined scope and priorities.
• Triage and vulnerability management groups can focus on the tickets that fall under their responsibility (technology, location), supported by rich, contextual analytic information.
• Remediation items are forwarded to the appropriate group via the ticketing system, emails, or reports.
• Automatic fix tracking provides up-to-date ticket status and automated ticket closure.
Conclusions
The face of the threat landscape continues to change. And by all accounts, advanced malware and targeted attacks are succeeding in their efforts to gain access to enterprise data and systems. This makes it all the more critical to have effective vulnerability management controls in place that enable
Organizations should pursue a next-generation vulnerability management solution that provides strong performance in the following areas:
• Non-disruptive, scanless vulnerability discovery
• Analytic-driven prioritization
• Context-aware remediation
• Short cycle times (i.e. one hour from start to remediation recommendations, even in large networks)
With its risk analytics and extensive research and collaboration with its customers, Skybox Security has a deep understanding of vulnerability management processes and raises the bar with a next-generation, end-to-end vulnerability management solution that automates and integrates continuous vulnerability discovery, analysis and remediation, enabling same-day attention to critical cyber risks. Making room for next-generation vulnerability management in your budget will streamline security management processes, ensure continuous compliance, and ultimately reduce costs. Contact Skybox Security for more information and to learn what next-generation vulnerability management can do for you.
Skybox Security provides the most powerful risk analytics for cyber security, giving security management and operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall management, and continuous compliance monitoring.
To learn more about Skybox Security’s solution for vulnerability management, download the free trial at www.skyboxsecurity.com/trial. Additionally, you can contact your local Skybox Security representative at www.skyboxsecurity.com/contactus or view our demos at http://www.skyboxsecurity.com/resources/demos-videos.
Next Steps
Established in 2002 and headquartered in San Jose, California, Skybox Security is a privately held company with worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large government agencies. Skybox Security customers are some of the most security-conscious organizations in the world, with mission-critical global networks and pressing regulatory