Best Practices and ROI for Risk-based Vulnerability Management
Download as PPTX, PDF6 likes965 views
This document discusses best practices for risk-based vulnerability management. It begins with an introduction and agenda. It then covers common vulnerability management challenges such as debate over metrics, prioritizing remediation, and lack of governance. Recommendations for improving vulnerability management programs are provided, including implementing strong governance, classifying assets, enriching vulnerability data with threat and exploit data, calculating risk scores, automating processes, and reporting. A case study is presented on the return on investment of automation. The document concludes with introductions to the RiskVision vulnerability management solution and representatives.
Best Practices and ROI for Risk-based Vulnerability Management
- 1. Best Practices and ROI for Risk- based Vulnerability Management October 2017
- 2. Nevra Ledwon Account Director nledwon@riskvisioninc.com Steve Finegan Product Manager sfinegan@riskvisioninc.com Introductions
- 3. Agenda Vulnerability Management Challenges Best Practices in Successful Programs About Resolver and RiskVision TVM Return on Investment – Case Study Solution Approaches, Benefits & Strategies
- 4. Challenge 1: Vulnerability MetricsWhat does this chart tell you?
- 5. Challenge 1: Vulnerability MetricsWhat does this chart tell you?
- 6. Challenge 1: Vulnerability Metrics Are these vulnerability metrics accurate? Are they the right metrics? Do they tell the full story?
- 7. Challenge 2: Which Vulnerability Should We Remediate First? CVSS 5 vulnerability (e.g., a SQLi) vulnerability that's facing the internet from your DMZ that's now actively being exploited in the wild DB2 vulnerability on an RS/6000 w/CVSS 10 on an internal host with segmentation and other controls applied that’s not yet been exploited in the wild
- 9. QUIZ TIME
- 10. The number of new vulnerabilities for which there exists a known exploit in the wild has: Grown Stayed flat Shrunk
- 11. The number of new vulnerabilities for which there exists a known exploit in the wild has: Grown Stayed flat Shrunk
- 12. Over the past 10 years, what percentage of the known vulnerabilities have ever been exploited in the wild? 12% 18% 23% 30%
- 13. Over the past 10 years, what percentage of the known vulnerabilities have ever been exploited in the wild? 12% 18% 23% 30%
- 14. Which severity of vulnerabilities is most often exploited in the wild? Critical High Medium Low
- 15. Which severity of vulnerabilities is most often exploited in the wild? Critical High Medium Low
- 16. Challenge 2: Which Vulnerability Should We Remediate First? CVSS 5 vulnerability (e.g., a SQLi) vulnerability that's facing the internet from your DMZ that's now actively being exploited in the wild DB2 vulnerability on an RS/6000 w/CVSS 10 on an internal host with segmentation and other controls applied that’s not yet been exploited in the wild
- 17. Challenge 3: Manual Administration & Shepherding Process
- 18. Challenge 4: Governance & Accountability
- 19. How to Prioritize Remediation Activities Debate Over Vulnerability Metrics Too Much Manual/ Administrative Work No Clear Governance, Accountability or Audit Trail Challenges Summary
- 20. Attendee Poll Which of the following challenges do you face in your organization? (more than one selection is ok) Debate Over Vulnerability Metrics How to Prioritize Remediation Activities Too Much Manual/Administrative Work No Clear Governance, Accountability or Audit Trail None or N/A
- 22. It’s All About Governance!!! Appropriate program sponsorship for the vulnerability management program Key stakeholder identification, representation and participation in the program Documented security policies, practices, and standards Documented roles and responsibilities Documented communication and escalation plans Asset identification (in-scope assets) SANS Components of an effective TVM Governance Process https://www.sans.org/reading-room/whitepapers/projectmanagement/building-vulnerability-management-program-project-management- approach-35932
- 23. 2. Enrich your Data 1. Classify your Assets 3. Calculate a Risk Score 4. Service Level Assignment 5. Automate Strategies for Making TVM Governance Easier
- 24. Step 1: Classify your Assets (Systems/Apps) PII PCI External FacingInternal Facing High Integrity High Availability Has Apache Port8080 Open On DMZ Europe
- 25. Step 1: Classify Your Assets (Systems/Apps) Classification Assessment Questionnaire Admin Setting Asset Classification
- 26. Step 1: Classify Your Assets (Systems/Apps)
- 27. Step 2: Enrich Your Data – Marry Vulns w/ Threat & Exploit Data Vulnerabilities In Your Environment Key Vulnerabilities to be Worried About All Disclosed Vulnerabilities Exploited Vulnerabilities Exploits Threats Are Focusing On
- 28. Step 2: Enrich Your Data – Marry Vulns w/ Threat & Exploit Data RiskVision leverages over 70 industry-leading applications, plus identity, security and IT technology
- 29. Step 3: Calculate a Risk Score
- 30. Risk Score CMDB asset factors, etc. CVSS Score + Other NVD Data Threat data, exploit data What goes into a Risk Score?
- 31. Step 3: Calculate a Risk Score VRF (Likelihood) • CVSS Score, or • Enhanced Vulnerability Score • e.g. Threat factor, # days open ACF (Impact) •H=10, M=7, L=3, or •Other numbers, or •Add additional custom attributes • e.g. internal vs external-facing • PCI-related Risk = Vulnerability Risk Factor (VRF) * Asset Criticality Factor (ACF) Vulnerability Risk = *
- 32. Step 3: Calculate a Risk Score – In RiskVision TVM Confidentiality Impact Vector • None = 0, Partial = 1, Complete = 2 Integrity Impact Vector • None = 0, Partial = 1, Complete = 2 Availability Impact Vector • None = 0, Partial = 1, Complete = 2 Access Complexity • Low = 1, Med = 3, High = 5 Access Vector • Local = 1, Adjacent Network = 3, Network = 5 Authentication Vector • Multiple = 1, Single = 3, None = 5 # Days Vuln was Open • = diff between current date and CVE vulnerability publish date Exploit Factor • local = .6, remote = 1, shellcode = .6, webapps = 1, dos = .5. No matching exploit = 0.25. • If >1 exploit maps to a vulnerability, highest Exploit Factor is used. Enhanced Vulnerability Score Factors
- 33. Step 3: Calculate a Risk Score – Risk Aggregation Enterprise BU 1 BU 2 BU 3 DBMS SERVE R SERVER SERVE R NVD CVE-2017-5638 CVE-2017-4187 CVE-…. CVE-.... CVE-2017-5632 AP PVULN VULN AP PVULN PATCH VULN
- 34. Step 3: Calculate a Risk Score – Risk Aggregation
- 35. Step 4: Service Level Assignment & Ticketing
- 36. Step 4: Service Level Assignment & Ticketing – Exception Process Exception Process
- 37. Step 4: Service Level Assignment & Ticketing – Exception Report
- 38. Step 5: Automate Where Possible De -Duping Vuln/Patch Prioritiz- ation Ticket Genera- tion Re- Scans
- 39. Attendee Poll Which of the following tasks have you already automated? (more than one selection is ok) Consolidation of Threat & Vulnerability Data Vuln/Patch prioritization Ticket generation Report generation Workflow processes (e.g. exception handling process) Patch validation/re-scan
- 40. Threat & Vuln Management: Key Capabilities Data Collection Remediatio n Validation Remediation Ticket Management Data Correlation 1 652 Workflow Orchestratio n Risk-Based Vulnerabilit y Prioritizatio n 3 4 Dashboards /Reporting 7
- 42. Auto Re-Scan
- 44. Step 6: Reports that are Useful/Relevant/Tell Whole Story
- 45. Report: Vulnerabilities Sorted by Risk Score
- 49. Return on Investment Case Study
- 51. Research Participant Spotlight ~50,000 assets, 18% “high risk”, ~1M Vulnerability Instances Management: ~20 FTEs, across various functions. Team breakdown and all-in costs (salary, benefits, overhead) - ~$2.9m per year Two (2) security manager ($195,200 each) Twelve (12) security analysts ($152,500 each) Six (6) IT remediation engineers ($122,000 each) Core tasks performed by the teams include creating trend reports, assessing & mitigating high risk vulnerabilities, and triaging monthly cyber-events RiskVision All In Subscription and Services Fees are $374,545 in Year 1 and $124,900 thereafter
- 53. Building the Case for Automation Investment
- 54. 2. Enrich your Data 1. Classify your Assets 3. Calculate a Risk Score 4. Service Level Assignment 5. Automate Strategies Summary
- 55. About RiskVision
- 57. Introducing RiskVision Enterprise Risk Intelligence Software 35+ solution, technology and content partners Highly Rated by Gartner (IRMS & SOAR), Blue Hill, SANS, ESG, Aite, Ovum, and IDC Introducing Resolver 1,000+ Customers Offices Around the Globe
- 58. RiskVision Solution Landscape 2m+ Assets 50m+ Vulnerabilities Scored for Risk 50% of RiskVision Customers 750k+ Assets 100k+ Incidents Scored for Risk 39% of RiskVision Customers 50k+ Assessments 200m+ Daily Control Checks 78% of RiskVision Customers 10k+ Practitioners 250k+ Third Parties Assessed 39% of RiskVision Customers CORE SOLUTIONS CUSTOMERS USAGE Incident / Issue Risk Response Coordinates classification, collaboration, evidence, policies, audit trail and reporting across the extra-prise for all operational and security risk events. Third Party (TP) Risk & Compliance Classifies third parties by risk level, and drives parallel workflows for diligence and security scoring, on-boarding, continuous monitoring and off-boarding. Technology (IT) Risk & Compliance Manages technology policies, maps policies to control, and assess multi-regulatory risk using an efficient Common Control Framework (CCF) to report for internal audit. SOARIRMS SCALABILITY Threat & Vulnerability Mitigation Automated continuous risk correlation, prioritization, and remediation of asset and operations criticality, threat reachability, control, and vulnerabilities.
- 59. Questions and Answers Nevra Ledwon, Account Director Office: +1.408.200.0435 Mobile: +1.703.351.8041