Transcription
YourVulnerabilityScannerManagementSucks ThatWorks 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Who Am I? Just a Security GuyOWASP OrlandoBsides OrlandoFLSECDC407Worked internal for 18 yearsSr Security Consultant GuidePoint Security 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
CSIRT vs Vulnerability Mgmt Not mutually exclusive Consider VM as a CSIRT Programcomponent Preparation Identification Containment Eradication Recovery Lessons Learned 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Why Do We Care? Compliance (I really wish this was fartherdown the list)– PCI DSS– HIPAA/Hi-Tech– Legislation– Others 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Who Needs Vulnerability Management? 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Whoops. 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
(Hard) Costs of an incident Breach Monitoring ServicesBreach NotificationFinesLawsuitsIncident Response/Remediation ServicesOvertime 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
(Soft) Costs of an Incident Reputation Loss (Jury is out on whether thisreally matters) Lost productivity is hard to measure A lot of incident related work may never befully documented Taking risks is part of business, becoming toorisk adverse stifles innovation 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
What if there is no impact?Try Harder(Hint: There is always impact) 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Resistance to VM Painful all aroundOps guys have different prioritiesSecurity guys often have no authorityCompliance drivenNobody has staffing resourcesLack of proper QAHard to keep up with VM (virtual machine)creep No workflows 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
But We Have Remediation Reports! 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Current State of Vuln Management Lots of detection tools Really good at telling you how hopelessthings are Really good at making money for tool vendors Huge Reports that aren’t terribly helpful Very few tools that actually help us fixanything 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Tickets Do you find tickets useful?Largely Self containedDon’t integrate with workflowsHow often does Ops log into VM tools?Can we integrate with Remedy already? 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Rapid7 NeXpose Community, Enterprise Metasploit Integration Very easy to write custom vuln checks (XMLformat) PCI DSS leadership Awesome for consultants Sales guys not as pushy anymore 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Qualys SASS modelVery PCI friendly – most popular ASV toolWeb scanning - Most do this to some degreeSSL Research (Ivan Ristic – SSL Labs)Reports painful to filter for uninitiated butreporting often listed as a core strength. 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
nCircle Suite of purchased productsCore developers went to Rapid7Support issuesExcellent MetricsCan assign asset values granularlyExcellent reportingReporting is licensed SEPARATELY! 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Retina First to market with mobile scanning3rd party patching w/ WSUS and SCCMIdentity aware with Power BrokerEasy to create custom checksHuge in Federal space – Gold DiskCompliance Runs on Windows Tends to be a little unstable 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Tenable Nessus vs Security CenterDashboardsWSUS/Altiris IntegrationDashboardsCan rescan from within ticketBest workflows 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Commercial Webapp Scanners AppScanNetsparkerWebInspectAcunetixHailstormBurp Suite Pro 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Free and Open Source Webapp Scanners BurpSkipfishW3AFArachniVegaZed Attack Proxy (OWASP ZAP)Specialty tools (Wpscan, joomscan, etc) andmany more! 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
2012 Web App Vuln Scanner Review2012 Comparison of 49 free and open 2012/07/2012web-application-scanner-benchmark.html 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Still Left Wanting None (or few) of these tools actuallyhelp us fix anything 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Oh Good, It’s Broken. Now what? 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
How do we Fix it? Lifecycle Management (See stages) Tracking Vulnerabilities Embedding Workflows/ticketing in operationsteams Metrics reporting to management Embedding VM in security incident responseteam processes 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
VM is a LifecycleIdentifyRemediateClassifyMitigate 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Identifying Vulnerabilities Network RangesPhysical LocationsInventory AssetsClassify AssetsExamine Trust RelationshipsAttack PathsWhat’s Vulnerable? 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Classifying VulnerabilitiesRisk Likelihood * Impact Assets already classified How likely is the vulnerability to be exploited? Does it matter? 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
If a tree falls in the forest 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Classification Continued Vulnerability Scanners may help to identifyrisk but typically have ZERO context. Include business value Trust relationships Operational impacts Need humans to decide 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Mitigating Vulnerabilities When the Fix is riskier than leaving it aloneCompensating ControlsCreating trust zonesReducing data footprintReduce focus, wrap controls around the dataChange Management 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Remediating Vulnerabilities Patch Management Configuration Control Writing secure code 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Tracking Vulnerabilities Centralized repository Spreadsheets are better than nothing Don’t wait for the perfect solution, start doingSOMETHING today! Enter SIEM! 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
SIEM Monitoring Can consume most logs, email events orother tool output. Consistent formatting to generate emails intoticketing system Single pane of glass to compare andcorrelate detected vulnerabilities with ongoingevents 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Custom Applications Only useful if people use them Need to understand the tools staff are usingtoday and integrate with whats workingcurrently. These are operational tasks. 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Vulnerability Mgmt ProcessScan/Identify 2013 GuidePoint igateCONFIDENTIAL AND PROPRIETARYRe-scanCloseWorkorder
Management Buy-In Operations gets their priorities list fromabove We have to educate management Metrics help 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Metrics that Work % of Critical Assets w/significantVulnerabilities Lag time to remediate vulnerabilities FTE time or other resources required to fix Vulnerabilities contributing to root cause forpast incidents or similar Correlation between attacks seen andprevented by vuln mgmt 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Useless Metrics We remediated X number ofvulnerabilities. Metrics and trending from groups thatare also experiencing scope creep orreduction Base CVSS scores 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Questions? Tony omtony.turner@owasp.org 2013 GuidePoint SecurityCONFIDENTIAL AND PROPRIETARY
Qualys. SASS model Very PCI friendly – most popular ASV tool Web scanning - Most do this to some degree SSL Research (Ivan Ristic – SSL Labs) Reports painful to filter for uninitiated but reporting often listed as a core strength. 2013 GuidePoint Security CONFIDENTIAL AND PROPRIETARY. nCircle.
