Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose

SPONSORED BY

WhatWorks is a user-to-user program in which security managers who have implemented effective Internet security technologies tell why they deployed it, how it works, how it improves security, what problems they faced and what lessons they learned. Got a story of your own? A product you’d like to know about? Let us know. www.sans.org/whatworks

Summary

Continuously monitoring and mitigating vulnerabilities is widely accepted as basic security hygiene for any security program that will be successful in avoiding or reducing the impact of breaches. While the value is clear, the obstacles to assessing vulnerabilities more frequently and more accurately have slowed adoption. However, many security leaders have invested in improved processes, more advanced security products and threat-driven prioritization approaches to show immediate and measurable increases in both the effectiveness and the efficiency of their security programs. This case study details the steps a Global Director of IT Security took to do just that.

About the User

The user interviewed for this case study has requested anonymity to maintain confidentiality, but has allowed us to refer to him as a Global Director of IT Security for a manufacturing company. The SANS WhatWorks program can help our security community at large make more informed decisions by encouraging seasoned professionals from major user organizations to share their stories without revealing the name of the organization.

Q: Can you tell us a little bit about your background and your role at your Company?

A: I’m the Global Director of IT Security and I report to the CIO. I have been in this role for about four years and have spent the majority of an 18-year career in both infrastructure and security. Today I’m responsible for our risk and cyber security program, areas of compliance, and our disaster recovery program. The scope of all of the responsibilities is global.

Q: Did you have PCI exposure that required you to do quarterly compliance? Did you have any other compliance-type drivers related to this?

A: The company I work for is a publicly-traded company. We do have Sarbanes-Oxley (SOX) compliance, and we do have a PCI environment, but it’s very small, isolated and segregated. So, we were able to, when that was built, provide all the PCI requirements around that. But, no, this was a much larger task, not just regulations or compliance driving us to move forward and better the environment.

Q: Can you walk us through the process you followed to find and look for solutions that would work?

A: We ran a couple of proof of concepts. We had a good idea who the market leaders were in the space and were very impressed with what we’d seen from Rapid7, not only from a product perspective, but the partnership that Rapid7, how they engage their customers. We really feel that we’re not just getting a product, but when there’s something that we need, something that’s important to us, that the Rapid7 team listens and is able to assist us. Beyond that, their support has been phenomenal.

Q: Give us an idea of the scope and what business your company is in.

A: We’re a global mid-western-based industrial manufacturer. We have been around for 120 years.

Q: What sort of problems drove you to look at and evaluate solutions?

A: When I first moved into the role, we really looked at what was in the marketplace – what was expected, how other security programs were being built, developed. Visibility was first and foremost, something that we were lacking in many areas of our security program. We had decided from a priority perspective to look at vulnerability management. We had been patching operating systems for many years, but we weren’t sure what our success rate was, what that looked like globally, and beyond just operating system patches, what did that look like for applications, databases, both desktops and server systems.

Q: What was the baseline you were starting with as far as vulnerability assessment?

A: We had used some open-source tools and had been able to cobble together some reporting. But, by the time we had any actionable intelligence, it was months out of date. We were looking for something that was more real-time, so when scans run, we wanted reporting to get right to the people who were operationally responsible for those areas to give them some intelligence to be able to execute and act on vulnerabilities in our environment.

Q: Was there an incident, an audit event, or how did you convince management to fund the project and move forward?

A: No, no specific incident. We had brought in companies to perform vulnerability assessments and penetration tests, and we really felt like a vulnerability management program, being run internally, was going to provide a significant benefit in risk reduction for our overall company and environment. So, this was looked at by management as something that would not just be cost effective, but a key cornerstone to our security program.

Q: When you set out to look at vulnerability assessment management products, what were some of the critical evaluation criteria you were looking for in the products?

A: We wanted something that was, first and foremost, low operational impact – where it was not going to be cumbersome for the security team or infrastructure team to manage – where it was up, and it runs. We can’t spend a lot of time managing the application itself. We were also looking for something that the security team wouldn’t necessarily own and operate all by itself, something that could be set up, deliver reports into different people’s mailboxes; a portal that they could log into, run scans themselves once they were trained up on the application. We wanted different people, different areas of operational responsibility to be able to see what’s important to them, whether it’s country specific, network specific, regionally specific or even type-of-device specific. Our network team can see our network equipment as opposed to our Intel/Windows team who can see the servers and desktops.

Q: So, ease of use and operationalizing was important. On the technical constraints side, did you have to look at how much traffic would be put on the network or how many scanners would be required and where they could go?

A: We did look at architecture of the vulnerability management configuration. What Rapid7 offers are remote scanners that report back to a console, reducing bandwidth requirements and business impact. That was something that we invested in as part of our primary investment. So, we had chosen to install some vulnerability scanners around the globe and have a single console on our corporate data center.

Q: Did you do bake-off of multiple products, or did you do more of an RFP paper evaluation process?

A: More of a bake-off. We had reviewed what was available in the marketplace: Tenable Nessus, Tenable SecurityCenter, Qualys and Outpost24. We picked a couple of products that we felt would fit our environment and that were considered market leaders. We’d brought them in for proof of concepts for a short period of time. We had also sought advice from some security advisors that we use.

Q: So, obviously, you chose Rapid7. You mentioned the support and the operationalization. Any other factors that they stood on that led you to choose Rapid7?

A: Yes. The community forum area. It’s probably a heavily underutilized offering where people can exchange information about Nexpose or other products from Rapid7. In that forum area, we found a report that someone had built and essentially opened up to the community that provided letter grades. We were trying to see how we can provide meaningful metrics not only to our staff, but to our senior management, our Board of Directors, trying to provide information to them on how well are we doing, and letter grades seemed to be the easiest way. But, most products out there will only provide counts of vulnerabilities and some risk levels, which seemingly are arbitrary numbers. It’s hard to get a feeling when you see a score of 100 million or 100,000. We were looking for something that was a little more basic, and this report really provided that. And while the grade itself may be arbitrary, this was really the line in the sand that helped drive engagement in our company. When we had seen one region who was graded as a C or a D and other regions were graded as A’s and B’s, there seemed to be a lot more engagement and focus on the areas that we’re not patching as well who had high counts of vulnerabilities. This was an easy discussion to have with our Board of Directors, with our senior management and our CIO; something that could easily be grasped, questions could be asked: what isn’t getting done and why not, and it resulted in a lot of action. We had seen a great reduction in vulnerabilities in the first six months, over 50 percent. I would say within 12 months of deployment of the product, we had seen between 65 and 75 percent reduction in vulnerabilities.

Q: Can you give us an idea of the scope – a rough number of scanners, a rough number of endpoints being scanned?

A: About 12,000 endpoints around the globe. We have 15 scanners globally to accommodate our scanning schedule.

Q: Are you doing any scanning of cloud-side services or virtual environments, or is it all physical devices?

A: No, virtual environments. Physical environments, really anything that is IPv4 addressable on our network gets scanned. That includes any devices that remotely access our environment. We aren’t doing anything today with any third-party-based cloud services. We are using it in our PCI environment, our hosted environments internally. We are reviewing the cloud scanning service, as we would prefer to use this on our public IP space.

Q: You said you’re at roughly 12,000 endpoints. So, when you made the decision to get Rapid7 product in, how long did it take you to get up to the full capability you’re at now?

A: I think this is very interesting and something that should be a great story about Rapid7 and the Nexpose product. When we looked at this, we talked to other companies about deployment time. We were hearing, realistically, for a full global deployment, of six to nine months. From purchase to full deployment, full global deployment for our Company, we had done it under three months. We were very surprised and very excited to be able to get it up so fast, and a lot of that had to do with the virtual scanner offering. So, we were able to send scanners to other sites via file transfer, stand them up pretty quickly, and connect them into the console. We had worked with Rapid7 to help configure the environment, and that’s not to say that additional tuning and updates haven’t happened since, but we were able to get full visibility inside of three months.

Q: You mentioned using fifteen scanners. Are those all virtual scanners, or is it some mix?

A: All virtual.

Q: You started regular vulnerability scanning. Do you scan everything, how frequently do you scan, and how does that work?

A: We do scan everything. A lot of the focus in the maturing of the program has to do with visibility. So, some focus has been spent on when we cannot log into a device, why we cannot. Is this something that we should have credentials for? So, trying to identify those and remediate the things that we cannot identify. So, it really provides the visibility into what the vulnerabilities are on systems that we can’t see today. So, there are a lot of improvements along the way and maturing that aspect of the program.

Q: For production systems, do you have scan windows where you can scan them or no scan times where you can’t – how do you handle that?

A: We had initially been scanning everything around the globe about once every two weeks. We have since moved those up to weekly, and in some areas, we’re even doing daily scans. Those are sites that are changing drastically, maybe acquisitions or whatever the case, where we’re trying to improve the security posture day in and day out and trying to improve those sites. But, we really settled on once a week for about 98 percent of our installed addressable network spaces. We do not differentiate if it’s a shop floor type network or a printer or a workstation space. We are always trying to get full visibility. That’s how we sold this program. We don’t want to turn a blind eye toward any part of our network. This is a real true vulnerability view of how our network is at a given point in time. So, we want as much information as we can get about every single asset that we have the ability to scan.

Q: Once you start doing the scanning, how do you find the quality of the results from a false negative/false positive kind of rating?

A: Very good. We’ve had a very small number of false positives along the way. Many of those had to do with systems that could not be logged in to. But, once we had the correct credentials installed on those remote systems, we were able to fully see things. So, it may amount to “this system looks like a Windows XP machine with no vulnerabilities in it,” but when we really look into it, it might be an industrial control system. We’ve probably had also a handful of false positives on the patches themselves or the vulnerabilities themselves. So, Nexpose might say that there is a vulnerability on a certain system when it was a patch that was superseded by another patch. But, again, those have been few and far between. We’ve been very happy with the results.

Q: How about the quality of the information that comes along with the vulnerability as far as aiding in remediation or aiding the operations side into saying, “I understand what the problem is and we can figure out how to fix it?” How’s the quality of the information that comes along?

A: Very good. There are two key reports that we look at that are delivered to the bulk of our infrastructure and operational teams. Those reports are the top 25 remediation report, which show if you were able to patch these top 25 vulnerabilities – it would have this much impact on this many assets in your network. So, it really takes prioritization and provides that to the teams that are responsible in these areas. And then, the other result is in the other assets, and that is the top 10 most vulnerable systems or assets. And again, that can be done by site. So, it can be done by region, by country, by network. We may have a person who’s responsible for a specific network or location or region, and this gives them or their teams the prioritization that they need to make a significant impact in vulnerabilities.

Q: How do you get the information from Nexpose over to the infrastructure and operations team? Are you integrating with a trouble ticket system? Are you providing them reports, and how does that work?

A: We do two things. Nexpose itself has the ability to generate reports. We do these post scan. So, once the scan is completed or weekly scan has been completed, weekly reports go out to these teams: Here’s your new priorities for the week, and they can go and execute. It may be a Top 25 report saying “Chrome and Adobe Flash need to be updated.” This gives them some prioritization. Once a week, we provide a scoring that goes up to our management that shows how well the teams are executing on their patch management process, how they’re able to execute and reduce risk with our vulnerability management program.

Q: Those people who actually do the patching, they’re getting those reports, or is the scan output feeding into their trouble ticket system?

A: They’re actually getting the reports via email. We have not integrated with any ticketing system, so they get these reports directly. They understand what they’re doing with them, easy to read, easy to execute. And again, we were looking to put good actionable intelligence in the hands of our operations teams where they could get these reports and say, “this is a list of things for me to do in order to make an impact.”

Q: Last operational question, especially since you said you do it on the shop floor – one fear everybody has when they start to do any vulnerability scanning is are they going to knock over any servers, i.e. self-inflicted wounds. Did you run into any problems there?

A: None directly. I would say that we, like any operationally sensitive team, are going to tread lightly. This isn’t something that you’re going to turn the key on and just let it run its course. You’re going to want to initially schedule these things for, perhaps, late at night or off-production hours to limit the health and safety issues that go along with shop floor networks. There are very few systems that are fragile enough we have chosen not to scan, but that is the rare exception.

Q: How long have you been operational now?

A: A little over two years.

Q: Knowing what you know now after running for two years, are there some things you would have done differently in the beginning or lessons learned you can pass on to people?

A: This is one of the few programs that we designed, built, implemented, and executed very well. I would say a very small number of things we would do differently. I believe this is a key cornerstone of our security program. I think getting the operations teams involved, setting expectations that

A: For us, it’s been part of an FTE, and minimal dedicated staffing was definitely one of our requirements. I mentioned we didn’t want to spend a lot of time managing this. There are other security products we have that other companies have where it takes a DBA to administer a database. It takes some infrastructure folks or server folks time to manage the operating system or the systems themselves. This has really been a hands-off product for us, which is a win/win. We may spend two to four hours a week doing management of the Nexpose platform and all the underlying architecture, but it’s largely been hands off, which is very important for my team, which is very busy doing other things. We would rather be trying to investigate security incidents or trying to improve the overall security and not trying to spend time keeping our scanners and vulnerability management console up and available.

Q: Any future requests or requirements you’ve asked Rapid7 you’d like to see added to the product?

A: Yes. I would say there’ve been several down the road, and this is where that great partnership that we really feel we have with Rapid7. We feel that we’re tied very closely into the product management team, that when we have either ideas or problems or things that we would like to see that may be specific to our environment or may be something that would be beneficial to other customers, as well, they’re always willing to listen and put that on the to-do list. Other companies that I’ve worked with would allow you to submit feature requests, but Rapid7 does a fantastic job of really taking these, looking at them and rolling them into their product. We’ve seen great advances in both functionality and performance in the feature set because of the partnership that Rapid7 has with its customers.

Q: Since you are in the manufacturing side, were there SCADA devices and industrial control systems/process control-type of endpoints that you needed them
