A Provocative New Approach to Integrated Security Intelligence: IBM Introduces QRadar Vulnerability Manager

An ENTERPRISE MANAGEMENT ASSOCIATES (EMA) White Paper
Prepared for IBM
July 2013

IT & Data Management Research, Industry Analysis & Consulting

Table of Contents

Executive Summary ... 1
Tackling the Unfulfilled Promise of Vulnerability Management ... 1
Among the Biggest Challenges ... 2
Vulnerability Prioritization ... 2
Failure to Incorporate Real-Time Data ... 3
Fragmented Tactics Keep Gaps Exposed ... 3
Needed Today: Actionable Integration of Vulnerability Intelligence ... 4
The IBM Security Approach ... 5
Introducing IBM Security QRadar Vulnerability Manager ... 5
A More Comprehensive Approach ... 5
Key Advantages ... 6
A Truly Integrated Approach ... 7
Improved Performance ... 7
Centralized and Efficient Management and Intelligence ... 8
Example Use Cases ... 8
Today’s More Sophisticated Threats ... 8
Improved Compliance ... 9
EMA Perspective ... 9
About IBM ... 10

© 2013 Enterprise Management Associates, Inc. All Rights Reserved. www.enterprisemanagement.com

Executive Summary

Vulnerability management activities have long been a core requirement of every organization’s security practices, helping them fully understand the extent of their exposures and the overall security state of their networks. Yet many security teams continue to struggle against the inherent operational limitations – and resulting manual processes – of the available solutions typically deployed as isolated silos. Scan results are presented apart from other depictions of the security infrastructure, limiting the effective context of these reports, and complicating the development of a comprehensive and actionable security management plan. Excluding vital insight from the tools required to maintain vigilance over the security posture and mitigate risk exposures further reduces the effectiveness of their security strategies while also driving up costs – yet few technologies and the intelligence they transmit are more critical to the organization’s defense.

With the introduction of QRadar Vulnerability Manager, IBM tackles these limitations of legacy approaches to vulnerability management head-on. This offering is not just another commodity vulnerability scanner. By delivering vulnerability assessment as part of the QRadar Security Intelligence Platform, IBM integrates vulnerability intelligence directly into the same system widely adopted by many enterprises for actionable, easy-to-deploy Security Information and Event Management (SIEM). This reduces the proliferation of fragmented security tools that hamper security effectiveness – and associated costs – while enriching vulnerability insight and improving the efficiency of vulnerability remediation.

In this ENTERPRISE MANAGEMENT ASSOCIATES (EMA) report, EMA explores these values of IBM Security QRadar Vulnerability Manager, the need for better integrated security architecture expressed by enterprises worldwide, and example use cases that highlight the value of the IBM approach. Enterprises that seek to reduce their total security costs while improving their security posture – and who recognize the value of comprehensive, integrated security intelligence – should be drawn to this distinctively different approach to a fundamental security practice.

Tackling the Unfulfilled Promise of Vulnerability Management

Vulnerability management is an essential aspect of enterprise security. It is on the front lines of defense against attacks, from sophisticated exploits of software and configuration defects by highly skilled adversaries to industrialized threats that target common exposures. The principle is fundamentally sound: information on known exploitable vulnerabilities is collected and correlated to IT systems in the environment. Techniques include on-host inventory, often by means of an endpoint or server agent, or an off-host scan that explores systems for indicators of a known or recognized exposure. The intent is to enable focused remediation and prevent exploitation of those exposures, which could lead to the compromise of sensitive information, or even of the business itself. For these reasons, vulnerability scanning has become a fundamental enterprise security practice, and one that is often required to meet regulatory compliance mandates such as the Payment Card Industry Data Security Standard (PCI DSS), among others.

In practice, however, vulnerability management can be extraordinarily difficult. There may be a number of exploitable software and configuration defects on any one host – and tens, hundreds or thousands of hosts in the environment. The sheer volume of exposures often slows down even the most methodical resolution efforts – and far too often, this is a matter of evaluating what are assumed to be the most significant vulnerabilities on a case-by-case basis. Remediation poses further hurdles, since software updates, patches and reconfigurations typically must be evaluated before deployment to head off any possible disruptions they could cause.

The result is that many vulnerabilities – even when acknowledged to be critical – can go unresolved for far too long, if they are ever addressed at all. The years-long trajectory of Conficker is a discouraging example. At its peak, variants of the Conficker worm had compromised as many as 7 million unique IP addresses.[1] This is more than twice the size of SETI@Home, one of the largest legitimate distributed computing efforts to date, which currently numbers approximately 3.4 million hosts.[2]

Conficker command-and-control was effectively decapitated by concerted industry efforts between 2008 and 2010 – yet variants of the Conficker worm continue to spread. In late 2011, Microsoft was still detecting 1.6 million instances of Conficker-compromised systems.[3] By the end of 2012, Microsoft researchers found that Conficker was still number two among malware detected on domain-joined computers – a figure that actually increased from the previous quarter.[4] And as recently as spring 2013, media reports documented the travails of the ministry of education in Schwerin, Germany, which had determined that it would be cheaper simply to discard Conficker-infested computers than to restore them.[5]

Perhaps the most disturbing aspect of this story is that Microsoft had provided resolution for Conficker-exploited vulnerabilities as early as October 2008, with the publication of a security bulletin documenting a key vulnerability and patches for a number of Microsoft systems,[6] as well as workarounds to mitigate additional exposures exploited by Conficker variants.[7] The fact that Conficker remains a prevalent concern speaks to the challenges that so many face worldwide in taming their vulnerability exposures.

Among the Biggest Challenges

What keeps organizations from realizing more effective vulnerability management?

Vulnerability Prioritization

With potentially hundreds or thousands of exploitable vulnerabilities in an enterprise environment – and only so many resources to spend on remediation in terms of time and expertise – how does an organization determine which exposures deserve the most attention? Which should be resolved first, and which can wait?

Vulnerability prioritization has been one of the greatest challenges to effective management. Efforts have attempted to address this concern, such as the Common Vulnerability Scoring System (CVSS) that rates the severity of documented issues. But it may not be feasible to address every high-severity exposure – and not every host with one or more such issues merits remediation. Business-critical systems or hosts facing publicly accessible external networks may require greater attention for the same exposure than a low-priority, isolated host on a protected internal network.

Notes
[1] Conficker Working Group Lessons Learned document, 17 June 2010 (http://confickerworkinggroup.org/wiki/uploads …)
[2] … /detail, as of May 9, 2013
[3] Microsoft Security Intelligence Report, Vol. 12
[4] Microsoft Security Intelligence Report, Vol. 1…
[5] … 8.html
[6] Microsoft Security Bulletin MS08-67 – Critical
[7] … l/threat/encyclopedia/entry.aspx?Name=Worm%3aWin32%2fConficker.B

False positives generated by vulnerability assessment tools compound the issue. Just because a certain vulnerability is associated with a given version of software, for example, does not necessarily mean that it will be found on a specific host, if the affected functionality is absent or disabled on that system. Exploitability is another factor that adds to false positives. Even if a vulnerability is present, the exposure may not be exploitable if the system cannot be accessed by an attacker.

The correlation of vulnerabilities with asset criticality is one method often advocated for prioritizing remediation. But criticality may be difficult to determine – or worse, the determination may be unrealistic if based on too little information, or on data of little relevance. How does the organization verify that a host serves the functions assumed? Does activity data justify the priority given to an asset? More to the point: does a judgment of asset criticality even take asset activity into account?

The focus on servers highlights yet another gap in a realistic approach. Any vulnerable point in the infrastructure between an attacker and their target can be exploited to gain a foothold and advance toward a greater opportunity. Even “advanced” threats can capitalize on a compromised user endpoint to target a higher-value objective, if the endpoint or its user has access to more sensitive resources. Without understanding these attack pathways and sequences, vulnerability prioritization is effectively disconnected from reality.

Failure to Incorporate Real-Time Data

These examples suggest the lack of real-time data in many approaches that could sharpen vulnerability awareness. Surprisingly, many fail to recognize the impact of this oversight. If asset criticality is based on static data such as some measure of value associated with an asset, it is effectively frozen in time and may no longer be current.

Keeping vulnerability data fresh is typically understood as keeping databases of Common Vulnerabilities and Exposures (CVE) records or CVSS scores up to date. But this narrow focus is in sharp contrast to the methods of the attacker, who is often far more dynamic and systematic than the defender. When a change is made to a host that introduces a vulnerability, an attacker may discover it within minutes, particularly if the host has wide network exposure. This may be far sooner than enterprise systems management tools can update a management database. When new hosts are introduced on a network, their unresolved security exposures are introduced as well, which may expose the network as a whole.

One of the most fertile sources of real-time vulnerability intelligence can be found in systems that monitor and recognize potentially malicious activity. The nature of suspicious behavior, such as the form or frequency of interaction with a specific service, can directly indicate an attacker’s discovery of an exploitable vulnerability – calling attention to where the need for remediation may be immediate. Many organizations, however, have yet to recognize the power of this insight, let alone put it to work directly in vulnerability awareness and resolution.

Fragmented Tactics Keep Gaps Exposed

Another factor that often confounds effective vulnerability management is the sheer fragmentation of the toolset. A variety of assessment technologies exist, from host-based techniques that depend on the visibility of an agent or other component of the target system, to network-based assessments. Network-based techniques may be either active or passive. Active approaches interact with the target to determine the presence of a vulnerability, using techniques that vary from probing the target for exposures to collecting system inventory data such as software updates or version information. Passive approaches may monitor network traffic for evidence of vulnerable hosts based on information observable from network content. These techniques primarily collect data on system-level vulnerabilities; those that focus on applications represent yet another category of assessment, with technologies primarily divided between dynamic runtime or “black box” analysis and static evaluation of exposures in source code.

As this brief summary suggests, there may be a number of potential overlaps as well as gaps in these various techniques. Gaps may go beyond assessment alone. Vulnerability management tools must, on the one hand, maintain a wide scope of external vulnerability data such as CVEs, CVSS scores, and vendor-published bulletins; and on the other, they must maintain an equally large or larger volume of internal data, such as asset inventories and configuration data from systems management tools, activity records from monitoring systems, and the results of vulnerability scans. The approach is only as comprehensive and complete as the ability of vulnerability assessment tools to incorporate this wider scope of data.

An unfortunate consequence of these fragmented techniques is that they may not be well-aligned or well-integrated with existing security infrastructure, which can lead to numerous “blind spots” in the environment. Security defenses, both host- and network-based, have considerable ability to recognize a potential vulnerability exploit, from the presence or movement of malware to an unauthorized access attempt. Sadly, these detection capabilities may be underutilized in vulnerability management. As a result, much valuable insight simply gets lost in the noise, if not overlooked altogether.
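The prioritization argument of the preceding sections made concrete: the same CVSS score warrants different urgency depending on asset criticality, network topology and observed activity, and a finding whose affected service is disabled is scored as a likely false positive. This is an added example, not part of the EMA paper and not QRadar's algorithm; the hosts, placeholder CVE identifiers, flow records and scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory, findings and flow records with illustrative weights;
# an added example, not QRadar's or any vendor's scoring algorithm.

@dataclass
class Asset:
    host: str
    criticality: int           # 1 (low) .. 5 (business-critical); assumed scale
    zone: str                  # "dmz", "internal" or "isolated"
    internet_reachable: bool   # topology: exposed to public networks?

@dataclass
class Finding:
    host: str
    cve: str                   # placeholder identifiers, not real CVE numbers
    cvss: float                # CVSS base score as reported by the scanner
    port: int                  # port of the affected service
    service_enabled: bool = True  # False: affected functionality absent/disabled

@dataclass
class Flow:
    dst_host: str
    dst_port: int
    src_external: bool         # connection originated outside the organization

# Topology weight: an isolated zone is far less reachable than a DMZ.
ZONE_EXPOSURE = {"dmz": 1.0, "internal": 0.6, "isolated": 0.2}

def score_finding(f, asset, flows):
    """Return (risk, reason): CVSS adjusted for criticality, exposure and activity."""
    if not f.service_enabled:
        return 0.0, "suppressed: affected service not enabled (likely false positive)"
    exposure = 1.0 if asset.internet_reachable else ZONE_EXPOSURE[asset.zone]
    probes = [fl for fl in flows if fl.dst_host == f.host and fl.dst_port == f.port]
    # Observed traffic to the vulnerable service is the real-time signal; external sources count more.
    activity = 1.5 if any(p.src_external for p in probes) else (1.2 if probes else 1.0)
    risk = f.cvss * (asset.criticality / 5) * exposure * activity
    reason = f"cvss={f.cvss} crit={asset.criticality} exposure={exposure} probes={len(probes)}"
    return round(risk, 2), reason

def rank_findings(findings, assets, flows):
    """Rank findings by contextual risk, highest first: (host, cve, risk, reason)."""
    by_host = {a.host: a for a in assets}
    scored = [(f.host, f.cve) + score_finding(f, by_host[f.host], flows) for f in findings]
    return sorted(scored, key=lambda r: r[2], reverse=True)

ASSETS = [Asset("web01", 5, "dmz", True), Asset("lab07", 1, "isolated", False),
          Asset("hr-db01", 4, "internal", False)]
FINDINGS = [Finding("web01", "CVE-0000-0001", 9.3, 445),    # same flaw on two hosts
            Finding("lab07", "CVE-0000-0001", 9.3, 445),
            Finding("hr-db01", "CVE-0000-0002", 6.5, 3306),
            Finding("hr-db01", "CVE-0000-0003", 7.5, 8080, service_enabled=False)]
FLOWS = [Flow("web01", 445, True), Flow("web01", 445, True),  # external probing
         Flow("hr-db01", 3306, False)]                        # routine internal use
```

Calling rank_findings(FINDINGS, ASSETS, FLOWS) on the constructed data ranks the probed, internet-facing web01 far above the isolated lab07 despite identical CVSS scores, with the disabled-service finding on hr-db01 last at zero.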
For example, the correlation of vulnerability scan data to monitored network activity via flows and packet capture can reveal an actual exploit or malicious probe of a vulnerability discovered by an attacker. When vendors or other intelligence sources issue vulnerability bulletins, historical activity data can be reviewed to determine if the presence of the vulnerability has been discovered or exploited previously. Evidence of such activity may also be useful in revealing a “zero-day” vulnerability yet to be reported by intelligence sources. Insight into the actual topology of a given environment, meanwhile, can be used to rule out false positives or vulnerabilities inaccessible to an attacker, such as those affecting assets on isolated or segmented network zones or inaccessible behind a firewall.

The unification of these capabilities would do more than close many of these gaps. It would also help to eliminate redundancies in security management tools, breaking down silos while simultaneously improving the efficiency of security management and reducing its costs.

Needed Today: Actionable Integration of Vulnerability Intelligence

If today’s advances in security intelligence can resolve many of these gaps and oversights while reducing costs, then perhaps the time has come to consider a different approach to vulnerability management. Security operations professionals have long recognized the central role played by security information management systems. Historically, however, these systems have largely focused on correlating log or event data to raise alerts or produce reports that describe the security or compliance posture.

Today, security intelligence systems can do much more. Modern information management technologies are handling larger volumes of a wider variety of data than ever – and security can benefit from this trend. Organizations should therefore consider vulnerability management techniques and the practices that follow:

• Today’s techniques should unify the correlation and rationalization of vulnerability data from a variety of sources – from a range of scan techniques to external vulnerability intelligence, internal activity, and environment topology.
• They should be comprehensive, incorporating visibility across the entire landscape of systems, networks, applications, and resources that integrate complex environments – including security and IT operations management infrastructure.
• They should clearly identify actionable items, based on more realistic and comprehensive insight going beyond static or less comprehensive approaches to include activity and topology data.
• They should centralize visibility and analysis, reducing or eliminating the need for multiple management consoles for vulnerability assessment, activity insight, reporting or other related capabilities.

The IBM Security Approach

As businesses emphasize the role of data management and analytics, IBM has earned a leadership stake in these fields, and security is no exception. The company’s QRadar platform for Security Information and Event Management (SIEM) has become a highly popular offering for security teams worldwide, capitalizing on efficient techniques for delivering performance at scale from a wide variety of security-relevant information. QRadar provides centralized, actionable insight into real-time activi
