
Next-Generation Vulnerability Management

Transform Checkbox Compliance into a Powerful Risk Mitigation Tool

Skybox Security whitepaper, June 2014


Executive Summary

Vulnerability management is the process of identifying, classifying, and mitigating vulnerabilities.

Today, vulnerability management is a critical aspect of every enterprise’s security program. A single vulnerability can be exploited by an attacker to gain an entry point to the network, and most large enterprises have hundreds of thousands of vulnerabilities on their network. Targeted attacks and advanced persistent threats (APTs) are the new norm of cyber security threats, and they frequently use vulnerabilities to penetrate enterprises and government agencies for valuable data, trade secrets, and access to internal systems.

Significant APTs such as Operation Aurora, LuckyCat, and DigiNotar took advantage of application and network vulnerabilities to steal valuable, proprietary information. Every successful breach comes with a heavy price to the organization in compromised brand reputation, customer turnover, and the time and money spent on repairs. For example, the Gozi-Prinimalka attack campaign is responsible for a reported $5 million in theft from U.S. bank accounts.

Vulnerability management is important to an organization’s overall security posture, and 90 percent of firms indicate that they have an established vulnerability management program. Yet 49 percent of security professionals say their network is at least somewhat vulnerable to security threats [1]. The reason for this disconnect is largely attributed to organizations being unable to evaluate and prioritize vulnerability data effectively.

This whitepaper will explore the primary processes of the vulnerability management lifecycle, review current areas of deficiency, and introduce next-generation vulnerability management.


Introduction to Vulnerability Management

A vulnerability is a security weakness or flaw in a component of the organization’s technology stack. Vulnerabilities may exist on network devices, servers, PCs, mobile devices, applications, or any other element connected to the network. Attackers exploit vulnerabilities on the attack surface (the part of the technology stack that is exposed) using various techniques, including APTs, malware, and script kiddies. Many threats then leverage other exploitable vulnerabilities further downstream, using attack vectors that typically lie in the inner part of the network.

In modern networks the attack surface can be extremely large. Networks contain elements that are managed by the organization, such as data center components, the enterprise network, and PCs, and elements that are partially managed or not managed at all, such as mobile devices (BYOD) and corporate assets in a public cloud.

A typical organization’s network has many vulnerabilities per device or system. Therefore, even a small organization may have tens of thousands of vulnerabilities, and a Global 2000 organization would generally have vulnerabilities in the millions. With ten to twenty new vulnerability advisories published every day, finding and eliminating vulnerabilities is a continuous battle.

Vulnerability management is the term used for the process of finding, analyzing, and remediating vulnerabilities in a systematic way. Ideally, the process is used proactively to identify and fix vulnerabilities before they can be exploited by malware or a human attacker.

A comprehensive vulnerability management process is a critical component of an organization’s risk management program. Multiple stakeholders have a vested interest in ensuring its success: the security teams who are typically responsible for managing the lifecycle of vulnerabilities, the compliance teams who are responsible for auditing the compliance of the vulnerability management program with regulations and corporate policies, and the IT operations teams who are responsible for fixing, eliminating, and shielding the vulnerabilities.


A typical vulnerability management process entails a full lifecycle:

• Discovery: Create an inventory of the assets across the network, identify the vulnerabilities of the various elements of the technology stack, and stay current on breaking threat alerts.

• Analysis and Prioritization: Identify the vulnerabilities that pose the greatest risk based on exposure to critical assets and corporate policies for vulnerability remediation.

• Compliance: Document the level of business risk associated with assets, as required or recommended by regulations such as PCI DSS 2.0, security best practices, and company policies.

• Remediation: Prioritize and fix vulnerabilities by applying patches, shielding the vulnerability from exploitation (typically with an Intrusion Prevention System), removing applications, closing firewall ports, etc.

• Monitoring: Continuously monitor the network for vulnerabilities to prevent potential cyber attacks and data breaches.

A well-established and well-executed vulnerability management process is needed because of both security and compliance requirements:

1. Detective and responsive controls are not sufficient for risk reduction.

a. Detective controls, such as intrusion detection systems or advanced threat protection, do not block many attacks and have inherent latency: a signature for a newly disclosed vulnerability arrives some time after the vulnerability itself. Therefore, detective controls alone cannot mitigate the risks to critical assets.

b. Responsive controls, such as SIEM technologies used for incident response, typically deal with the attack after the breach has happened and major damage has been done, if they deal with it at all.

c. Preventative approaches such as vulnerability management programs reduce risk by eliminating exposure to attacks altogether, and in the most cost-effective way (patching or shielding is much cheaper than recovering from a breach). For example, organizations report a 90 percent reduction in risk assessment time and a reduction in patching work of more than 75 percent.

2. Implementing a vulnerability management program is a best-practice recommendation and part of multiple compliance requirements, including PCI DSS. Vulnerability management is a standard process in most security organizations and part of the CISO’s defined responsibility to understand and lower overall risk and improve security by reducing the attack surface.

3. Continuous monitoring mandates, such as NIST SP 800-37 and NIST SP 800-53, require that the vulnerability management process be executed as often as major changes in the threat landscape and the IT environment occur. In reality, the threat landscape and IT environments change daily (typically many times a day). Therefore the vulnerability management process should run on a truly continuous basis.

The vulnerability management process can be very useful and provide a great return on investment when implemented carefully, monitored for effectiveness, and adjusted regularly. However, security professionals often report a long list of implementation, management, and operational challenges, limitations, and disruptions inherent in previous-generation vulnerability scanners.

The 300-Page Report and Other Deficiencies of Current Approaches

Many people use the terms vulnerability scanning, vulnerability assessment, and vulnerability management interchangeably, but the terms are not synonymous. Vulnerability management is the complete lifecycle process. Vulnerability assessment is one part of this process, and a vulnerability scanner is the tool most often used today for vulnerability discovery.

A vulnerability scanner is a tool (software, appliance, or service) that discovers vulnerabilities in some or all of the technology stack by running thousands of tests against every node in the network. The number of distinct tests can be extremely large: a 10,000-node network with 1,000 tests per node results in 10,000,000 distinct vulnerability tests.

There are some critical challenges with scanning technologies that significantly limit the usefulness of a vulnerability management process that relies on a scanner:

Information Overload

• The result of a scanning process is typically a very long report that includes lists of thousands of vulnerabilities found in a small network and possibly millions of vulnerabilities in a large enterprise network. A 300-page report with long and boring tables is a common output from a scanner. Security analysts then have a choice—spend days or weeks sifting through the raw data or store the report in a drawer, out of sight.


In summary, organizations attempting to run a well-managed vulnerability management process find that vulnerability scanners create the following challenges:

• Provide only partial coverage of the network.

• Disrupt critical services.

• Expose the organization to known vulnerabilities for weeks and even months.

• Require significant cost and man hours to analyze scanning reports.

• Do not provide clear action items for remediation.

Active Scanning Challenges

• Active scanners send a huge number of packets through the network to ports used by production applications and services, which can seriously disrupt critical network services. To compensate, organizations often refrain from frequent scanning and limit scanning to well-defined windows. With these restrictions, it takes a long time to complete one cycle (even several months in a large network), often making the vulnerability data obsolete by the time a complete report is available.

• This leaves organizations with an unbearable trade-off: disruption due to an intrusive vulnerability discovery process, or disruption due to a security breach.

• Moreover, many nodes in the expanded enterprise network cannot be scanned, such as mobile devices (especially BYOD), assets in a public cloud, SCADA devices, and medical devices.

Not Actionable

• Scanner reports prioritize vulnerabilities based on asset importance and a pre-defined vulnerability severity ranking, typically based on Common Vulnerability Scoring System (CVSS) scores. This methodology does not consider the network context of each vulnerability. For example, is there a security control that prevents exploitation and lowers the downstream risk to a critical asset? If so, a high-severity vulnerability could actually be low risk. A naive methodology that ignores network context leads administrators to fix the wrong vulnerabilities and ignore the important ones.

• Network context matters again when choosing among remediation alternatives. For example, a high-priority vulnerability may be shielded by turning on an IPS signature. However, if the scanning report does not take into account that an IPS is available in a location that can prevent the exploitation, then the mitigation recommendations will not include this option and may point to more complicated, less effective alternatives.

• Scanning reports are oriented toward a security audience and do not provide the information the IT operations team needs to perform mitigating changes, such as which patches

[Figure: next-generation vulnerability management architecture; components labelled: traditional scanner data, non-invasive vulnerability detector, vulnerability dictionary, network context, attack simulation, vulnerability analysis, remediation options, workflow and tickets, reports and metrics]

As a result, many organizations see vulnerability management mainly as a way to “check the box” for compliance reporting, and not as an effective security tool.

Introduction to Next-Generation Vulnerability Management

As in many IT management tasks, the toughest roadblocks to improving the vulnerability management process are operational:

• How can vulnerability management be scalable?

• How can detection and remediation cycles be fast enough to minimize the exposure window?

• How can vulnerability discovery avoid disruption?

• How can the vulnerability management process be automated?

• How can the process ensure that security and IT operations teams are on the same page regarding risks and action items?

Next-Generation Vulnerability Management (NGVM) solutions are designed to effectively reduce the risks of cyber attacks, comply with continuous monitoring requirements, remove operational roadblocks, and provide up-to-date vulnerability visibility to the organization.


There are many benefits of a scanless discovery approach:

• Fast discovery cycle time enables analysis of huge networks with hundreds of thousands of nodes in hours and small networks with thousands of nodes in minutes.

• Non-disruptive discovery by analyzing information repositories as opposed to “touching” every node enables organizations to perform continuous vulnerability discovery, without the fear of network disruption.

• Broad coverage enables analysis of nodes that are banned from or not recommended for scanning, such as critical systems, network and mobile devices, and assets in the cloud.

Scanless discovery can work in conjunction with any scanner (e.g. network vulnerability scanners, web application scanners, and database scanners), so organizations do not need to give up their other discovery techniques. However, organizations no longer need to be limited by the constraints of using vulnerability scanners as a standalone solution for vulnerability discovery.

Analytics-Driven Prioritization

Once fresh vulnerability data is available on a continuous basis, the next challenge is automating analysis of the vulnerabilities to focus on the critical risks and not waste time on low-risk exposures. The idea is to create a short list of action items that can be executed quickly in order to eliminate the risk of exploitation by attackers.

How can organizations determine which vulnerabilities are critical and which should be skipped? There are two approaches commonly used together for prioritization:

Hot Spots Analysis

This approach finds groups of hosts on the attack surface with a high density of severe vulnerabilities, which can be fixed en masse by broad action items, such as patching.

Attack Vectors Analysis

This is a surgical approach that finds specific, high-risk attack vectors around one or a few hosts that would require quick remediation (patching, shielding, network reconfiguration) to eliminate exposure to specific targeted assets.

Approach: Hot Spots Analysis

Applicable scenarios:

• Large population of exploitable hosts in the network that are on or close to the attack surface, where relatively simple action items (such as patching a large set of clients) can solve the issue.

• Organization has a strict policy regarding remediation of vulnerabilities as a function of severity level.

Examples:

• Patching all 1,000 instances of Java-based client applications due to a new vulnerability advisory published by Oracle that shows how remote code execution is possible by leveraging a buffer overflow vulnerability.

• Vulnerability remediation policy requires all high-severity or critical vulnerabilities on database servers to be patched within one week.

Approach: Attack Vectors Analysis

Applicable scenarios:

• Small population of exploitable hosts that are not necessarily on the attack surface (e.g. a virtualization platform in the datacenter), or where simple remediation actions are not available at that point in time (e.g. a patch cannot be applied due to a software dependency or a distant patch window).

• Concern about targeted attacks by APTs and other threats that require surgical analysis and remediation of possible attack scenarios.

Examples:

• Turning on a specific IPS signature in front of the virtualization platform management ports to avoid possible exploitation, as a temporary measure until a patch can be applied.

Contextual Remediation

Once a short list of action items is available, the organization needs to find the optimal remediation alternatives, communicate effectively with the relevant IT operations team, and track progress.

Next-generation vulnerability management solutions do exactly that by providing the following capabilities:

• Context-aware remediation recommendations consider a variety of remedial actions, such as IPS signature activation, firewall configuration changes, patching, system configuration, and more.

• Views that fit operations teams. A quote to remember: “System operations don’t fix vulnerabilities, they

Operational Efficiency

Orchestrating remediation with the various IT operations teams allows each to see and act upon its own action items, enabling an operationally efficient remediation process.

Automated Remediation Tracking

Automated tracking of remediation progress provides visibility to executives on risk levels trend in the organization.

The Skybox Security Solution for Vulnerability Management

The Skybox Security Next-Generation Vulnerability Management solution, based on Skybox Risk Control, continuously monitors the attack surface and critical attack vectors. It feeds vulnerability data into automated risk-based prioritization and remediation, which allows security teams to remediate critical vulnerabilities immediately. Skybox Risk Control can complete vulnerability discovery, analysis, and remediation tasks in a large enterprise environment in a single work day, and completes vulnerability discovery at least 50 times faster than traditional vulnerability assessment with an active scanner.

Enterprises and government agencies using the Skybox vulnerability management solution report breakthrough results:

• Nearly 100 percent reporting accuracy every day, with no disruption.

• False positive reduction to near-zero levels.

• Elimination of 99 percent of irrelevant vulnerability data.

• Detection of 100,000 real vulnerabilities within hours of deployment.

• Same-day discovery, analysis and remediation of critical risks.

• Effective reduction of risk, prior to exploitation—for the first time.


Non-Disruptive, Scanless Vulnerability Discovery

Skybox is the first vendor to provide a scalable solution for scanless discovery of vulnerabilities. Skybox scanless discovery converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog. It then deduces the list of vulnerabilities present in the network environment. With this information, more than 90 percent of the vulnerabilities in a typical enterprise network can be discovered accurately, without an active scan. This approach eliminates the many challenges associated with active scanning and provides the following benefits:

• Continuous vulnerability discovery covers 90 percent of very large networks in less than one day, compared to traditional vulnerability management processes that take 30-90 days to cover 50 percent of such networks.

• Comprehensive coverage enables organizations to detect vulnerabilities on previously non-scannable parts of the network, such as critical systems, network devices, and mobile devices.

• Vulnerability assessment delivers detection at speeds of 12,000 hosts per hour, compared to the typical 250 hosts/per hour rate with a traditional active scanner.

• A non-disruptive technique discovers vulnerabilities from information repositories rather than “touching” every node.

• This approach to vulnerability management implements easily and effectively reduces the attack surface.
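The scanless discovery step described above (inventory repository to product catalog to vulnerability dictionary lookup, and the benefits listed under the scanless approach earlier in the paper), as an added example that is not Skybox code. An inventory export, here a constructed CSV in the shape a CMDB or patch server might produce, is normalised into a product catalog and matched against a vulnerability dictionary whose entries carry affected version ranges. The advisory identifiers, vendors, products, versions and scores are constructed placeholders, not real advisories. The caveat a practitioner wants is visible in the result: a record with no version (fw01) is reported as unverified rather than silently treated as clean, because scanless inference is only as accurate as the repository it reads.

```python
"""Scanless vulnerability discovery: inventory -> product catalog -> dictionary match.
Added example, not Skybox code. All data is constructed; advisory IDs are placeholders."""
import csv
import io
import re

# Constructed inventory export in the shape a CMDB or patch server might produce.
INVENTORY_CSV = """\
host,vendor,product,version
web01,Oracle,Java Runtime,7.0.51
web02,Oracle,Java Runtime,7.0.40
db01,PostgreSQL,PostgreSQL,9.3.2
fw01,Acme,EdgeFW,
mob07,Acme,MobileAgent,2.1.0
"""

# Constructed vulnerability dictionary. Each entry affects versions in the
# half-open range [introduced, fixed). IDs are placeholders, not CVEs.
DICTIONARY = [
    {"id": "EXAMPLE-2014-0001", "vendor": "Oracle", "product": "Java Runtime",
     "introduced": "7.0.0", "fixed": "7.0.51", "cvss": 9.3},
    {"id": "EXAMPLE-2014-0002", "vendor": "PostgreSQL", "product": "PostgreSQL",
     "introduced": "9.3.0", "fixed": "9.3.3", "cvss": 7.5},
    {"id": "EXAMPLE-2014-0003", "vendor": "Acme", "product": "EdgeFW",
     "introduced": "1.0", "fixed": "2.4", "cvss": 8.1},
]


def parse_version(text):
    """'7.0.51' -> (7, 0, 51). Non-numeric parts compare as 0.
    Returns None for a missing version so callers can flag the record
    instead of silently treating the host as clean."""
    if text is None or not text.strip():
        return None
    return tuple(int(p) if p.isdigit() else 0
                 for p in re.split(r"[.\-_]", text.strip()))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so that 7.0 == 7.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(installed, introduced, fixed):
    """True if introduced <= installed < fixed; None if the installed version is unknown."""
    v = parse_version(installed)
    if v is None:
        return None
    lo, v_lo = _pad(parse_version(introduced), v)
    v_hi, hi = _pad(v, parse_version(fixed))
    return lo <= v_lo and v_hi < hi


def build_catalog(inventory_csv):
    """Normalise the inventory into {host: [(vendor, product, version), ...]}."""
    catalog = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        catalog.setdefault(row["host"], []).append(
            (row["vendor"].strip(), row["product"].strip(), row["version"].strip()))
    return catalog


def discover(inventory_csv, dictionary):
    """Match the product catalog against the dictionary without touching any host.
    Returns findings with status 'vulnerable' or 'unverified', highest CVSS first."""
    index = {}
    for adv in dictionary:
        index.setdefault((adv["vendor"], adv["product"]), []).append(adv)
    findings = []
    for host, products in build_catalog(inventory_csv).items():
        for vendor, product, version in products:
            for adv in index.get((vendor, product), []):
                hit = is_affected(version, adv["introduced"], adv["fixed"])
                if hit is None:
                    status = "unverified"   # version missing in the repository
                elif hit:
                    status = "vulnerable"
                else:
                    continue                # installed version is outside the range
                findings.append({"host": host, "id": adv["id"],
                                 "cvss": adv["cvss"], "status": status})
    return sorted(findings, key=lambda f: (-f["cvss"], f["host"]))


if __name__ == "__main__":
    for f in discover(INVENTORY_CSV, DICTIONARY):
        print(f"{f['host']:8} {f['id']:18} CVSS {f['cvss']:<4} {f['status']}")
```

Running it lists web02 (Java Runtime 7.0.40) and db01 (PostgreSQL 9.3.2) as vulnerable, web01 as not affected because 7.0.51 is the fixed version, and fw01 as unverified because the inventory row carries no version. In practice the unverified bucket is the one to watch: it measures how much of the "90 percent coverage" claim your repositories can actually support.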

Automated Analytics-Based Prioritization

Skybox Security uses multiple, complementary analytic approaches to prioritize vulnerabilities in the context of the enterprise IT infrastructure:

• Hot Spot analysis of the attack surface allows a quick focus on the most exposed elements of the technology stack. This analysis highlights the root cause for the exposure and provides broad-brush action items that are relevant for a large group of


• Attack Simulation analysis finds attack scenarios using chains of multiple attack vectors that lead to possible exploitation of critical assets, considering the configuration of all security controls, such as firewalls and IPS, as well as network topology and other factors. This analysis provides a surgical identification of the critical attack vectors that must be eliminated as soon as possible to prevent an advanced targeted attack or fast-spreading malware. Remediation prioritization is based on risk metrics that quantify the likelihood of the attack vector being exploited times the potential damage to the downstream asset.
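The contrast between CVSS-only ranking and network-context ranking (the "Not Actionable" section), the hot spot and attack vector approaches, and the likelihood times damage risk metric described above, as one added example that is not Skybox code. The zones, hosts, firewall policy, vulnerability identifiers V1 to V5, CVSS scores and damage values are all constructed; taking a hop's likelihood as CVSS/10 is an assumption made for illustration, not a published formula. The example goes slightly beyond the text in that it runs the same simulation with and without an IPS shield, which is how the "turn on a signature in front of the management ports" recommendation from the attack vectors table would be evaluated.

```python
"""Context-aware prioritisation: attack simulation, risk ranking and hot spots.
Added example, not Skybox code. Network, hosts, vulnerability IDs, CVSS scores
and damage values are constructed; hop likelihood = CVSS/10 is an assumption."""
from collections import deque

# Constructed hosts: network zone, business damage if compromised (1-10),
# and vulnerabilities as (vuln id, listening port, CVSS base score).
HOSTS = {
    "web01":   {"zone": "dmz",        "damage": 2,  "vulns": [("V1", 443, 9.3)]},
    "web02":   {"zone": "dmz",        "damage": 2,  "vulns": [("V1", 443, 9.3)]},
    "app01":   {"zone": "internal",   "damage": 4,  "vulns": [("V2", 8080, 7.5)]},
    "hr-pc":   {"zone": "internal",   "damage": 1,  "vulns": [("V5", 445, 9.0)]},
    "db01":    {"zone": "datacenter", "damage": 10, "vulns": [("V3", 5432, 7.5)]},
    "vm-mgmt": {"zone": "datacenter", "damage": 10, "vulns": [("V4", 902, 10.0)]},
}

# Constructed firewall policy: (source zone, destination zone, port) that is allowed.
# Nothing allows port 445 anywhere, so hr-pc's CVSS 9.0 flaw is unreachable.
FW_ALLOW = {
    ("internet", "dmz", 443),
    ("dmz", "internal", 8080),
    ("internal", "datacenter", 5432),
    ("internal", "datacenter", 902),
}


def simulate(hosts, fw_allow, shields=frozenset(), entry_zone="internet"):
    """Breadth-first attack simulation starting from entry_zone.

    Returns {host: (path, likelihood)} for each host the attacker can reach.
    path is the chain of (host, vuln) hops along the first (shortest) route
    found; likelihood is the product of CVSS/10 over those hops (an assumed
    scale). A (host, vuln) pair in `shields` models an IPS signature in front
    of that service and is treated as blocked."""
    reached = {}
    queue = deque([(entry_zone, (), 1.0)])
    while queue:
        zone, path, likelihood = queue.popleft()
        for name, h in hosts.items():
            if name in reached:
                continue
            for vid, port, cvss in h["vulns"]:
                if (zone, h["zone"], port) in fw_allow and (name, vid) not in shields:
                    hop_path = path + ((name, vid),)
                    hop_likelihood = likelihood * cvss / 10
                    reached[name] = (hop_path, hop_likelihood)
                    queue.append((h["zone"], hop_path, hop_likelihood))
                    break
    return reached


def rank_attack_vectors(hosts, fw_allow, shields=frozenset()):
    """Risk = likelihood of the attack vector x damage of the asset it ends on.
    A host that no firewall rule exposes scores 0 no matter how high its CVSS."""
    reached = simulate(hosts, fw_allow, shields)
    ranked = []
    for name, h in hosts.items():
        path, likelihood = reached.get(name, ((), 0.0))
        ranked.append({"host": name,
                       "max_cvss": max(c for _, _, c in h["vulns"]),
                       "risk": likelihood * h["damage"],
                       "path": path})
    return sorted(ranked, key=lambda r: (-r["risk"], r["host"]))


def hot_spots(hosts, fw_allow, min_cvss=7.0, min_hosts=2):
    """Hot spot: one severe vulnerability shared by several hosts on the attack
    surface (directly reachable from outside), so a single broad action item
    such as one patch rollout removes many exposures at once."""
    surface = [name for name, (path, _) in simulate(hosts, fw_allow).items()
               if len(path) == 1]
    groups = {}
    for name in surface:
        for vid, _, cvss in hosts[name]["vulns"]:
            if cvss >= min_cvss:
                groups.setdefault(vid, []).append(name)
    return {vid: sorted(names) for vid, names in groups.items() if len(names) >= min_hosts}


if __name__ == "__main__":
    by_cvss = sorted(rank_attack_vectors(HOSTS, FW_ALLOW), key=lambda r: -r["max_cvss"])
    print("CVSS-only order   :", [r["host"] for r in by_cvss])
    for r in rank_attack_vectors(HOSTS, FW_ALLOW):
        print(f"{r['host']:8} CVSS {r['max_cvss']:<4} risk {r['risk']:5.2f} via {r['path']}")
    print("Hot spots         :", hot_spots(HOSTS, FW_ALLOW))
    shielded = rank_attack_vectors(HOSTS, FW_ALLOW, shields={("vm-mgmt", "V4")})
    print("vm-mgmt with IPS  :", [r["risk"] for r in shielded if r["host"] == "vm-mgmt"][0])
```

By CVSS alone the order is vm-mgmt, web01, web02, hr-pc, app01, db01. By risk it is vm-mgmt, db01, app01, then the two web servers, with hr-pc at zero because no rule lets an attacker reach port 445; the two database-zone hosts move up because the simulation chains V1 on web01 to V2 on app01 to reach them. The hot spot output groups web01 and web02 under V1, the "patch this on every host" action item, and shielding (vm-mgmt, V4) with an IPS signature drops that vector to zero risk while leaving the db01 vector untouched, which is the surgical alternative the attack vectors table describes.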

The Skybox analytic approach provides organizations with significant advantages. Even for a very large network with many vulnerabilities, Skybox analytics-driven prioritization reduces the number of distinct action items by 95 percent or more, compared to active scanning alone. In addition, the Skybox analysis is done automatically, which eliminates the need to manually analyze long lists of vulnerabilities and enables the process to be completed in hours instead of weeks or months.

Context-Aware Remediation

With Skybox Security context-aware remediation, IT operations teams gain visibility into the critical short list of vulnerabilities that require immediate action. The solution then offers remediation alternatives, considering a variety of actions such as IPS signature activation, firewall configuration changes, patching, system configuration, and more.

Skybox Security Next-Generation Vulnerability Management also provides a built-in workflow environment that supports the day-to-day operations of triage and remediation, enabling a smooth connection between the vulnerability management and IT operations groups. This integration enables actionable remediation through a streamlined process:

• Tickets (vulnerability or remediation items to be processed) are generated automatically based on analysis results and predefined scope and priorities.

• Triage and vulnerability management groups can focus on the tickets that fall under their responsibility (technology, location), supported by rich, contextual analytic information.

• Remediation items are forwarded to the appropriate group via the ticketing system, emails, or reports.

• Automatic fix tracking provides up-to-date ticket status and automated ticket closure.

Conclusions

The face of the threat landscape continues to change. And by all accounts, advanced malware and targeted attacks are succeeding in their efforts to gain access to enterprise data and systems. This makes it all the more critical to have effective vulnerability management controls in place that enable


Organizations should pursue a next-generation vulnerability management solution that provides strong performance in the following areas:

• Non-disruptive, scanless vulnerability discovery

• Analytic-driven prioritization

• Context-aware remediation

• Short cycle times (i.e. one hour from start to remediation recommendations, even in large networks)

With its risk analytics and extensive research and collaboration with its customers, Skybox Security has a deep understanding of vulnerability management processes and raises the bar with a next-generation, end-to-end vulnerability management solution that automates and integrates continuous vulnerability discovery, analysis and remediation, enabling same-day attention to critical cyber risks. Including next-generation vulnerability management in your budget will streamline security management processes, ensure continuous compliance, and ultimately reduce costs. Contact Skybox Security for more information and to learn what next-generation vulnerability management can do for you.

Next Steps

To learn more about Skybox Security’s solution for vulnerability management, download the free trial at www.skyboxsecurity.com/trial. Additionally, you can contact your local Skybox Security representative at www.skyboxsecurity.com/contactus or view our demos at http://www.skyboxsecurity.com/resources/demos-videos.

Skybox Security provides the most powerful risk analytics for cyber security, giving security management and operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall management, and continuous compliance monitoring.

Established in 2002 and headquartered in San Jose, California, Skybox Security is a privately held company with worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large government agencies. Skybox Security customers are some of the most security-conscious organizations in the world, with mission-critical global networks and pressing regulatory
