Service now vulnerability patching_move
- 1. Presented by Subrat Kumar Dash
- 3. The Last Mile Problem Most organizations are good at figuring out what to fix, but also knowing how to fix is important too.
- 4. Gartner (Risked Based Approach) Don’t patch everything Patch which are already weaponized Type of exploited Actively in used and talked about (In Wild/In Dark) Used by ransomware
- 5. Uday Sharma 30-45 Years old living in Tier 1/Tier 2 Cities Job Title: Security Consultant Education: Bachelors/MTech Income: 20L-30L Per Annum I want to make my company secure. Motivation Frustration • Want Dashboard to monitor everything in one place and easy extract to share the report to stakeholder. • Want to find the right threat before bad guys do. • Want to keep updated myself on latest information and trend on threat. • I don’t have any resource to support me. • I am more concerned about my company get attacked. • I might miss to flag something will put my company at risk. • Getting job done/ Convincing people is critical task for me. Uday comes from a middle-class family. He is tech-savvy and cares about aesthetics and looks. I wear lot of hats, but majority of my time spent monitoring and flagging risk, prioritize the risk and working with respective Reliability/IT Dev team to mitigate the risk.
- 6. Shakti Goyal 28-35 Years old living in Tier 1/Tier 2 Cities Job Title: Senior System Engineer/Reliability Team Education: Bachelors Income: 20L-30L Per Annum I want to deliver my sprint goal in deadline as well as I want to solve the incident in SLA. Motivation Frustration • want to have better communication between stakeholders, so I can deliver something they really need and use. • want to be the expert on some part of the system. • want to learn new tools and skills. • When requirements change on a project once it's already begun. • When work is inaccurately scoped, it causes stress and eats into time planned for other work. • When security team require urgent patch in short notice. • Managing vulnerability is tough without any solution. Shakti comes from a middle-class family. He is tech-savvy. I spend most of my time focused on completing planned development tasks, planning for the next sprint, and fixing bugs or customer requests as they arise. I work off of JIRA tickets.
- 7. Patching • 4 out of 10 data breaches reportedly occur because a patch was available but not applied. • On average it takes 12 days for teams to coordinate for applying a patch across all devices. • The average time for organizations to close a discovered vulnerability (caused by unpatched software and apps) is 67 days
- 8. Start Asset Validation Is Asset Impacted No Action Needed No Validate Asset Disposition Is server in DECOM Status? Call Decom Process Is Server Decom? Document/Close and Validate Prevention Yes Yes Yes No CMDB Is mitigation in available? Validate in Non-Prod Is non-prod Impacted Apply Patch Is it implemented Successfully? Discuss Alternative Is Solution Available Move to Prod Is it implemented Successfully? Rescan process Is it vulnerability remediated? Discuss Alternative N Y N Y N Y Y N Is there a solution available Risk Acceptance Is Risk Accepted Escalation and Priortize N N N Y Y N Call Risk Acceptance and Action Patch Rebuild Upgrade Disable Config DIT SIT UAT PREF Check if issue can be prevented in future
- 9. Current Patching Problem • Time wasted chasing and remediating false positives. • No tolerance for the downtime required for patching • Manual processes, including emails and spreadsheets, that let problems slip through the cracks. • Lack of coordination between the security and IT teams • Not enough resources to keep up with the volume of patches
- 11. Competitive Analysis Attribute Rapid7 Tenable Segment Enterprise Mid-Market Pricing Per Asset Yearly UI/UX Good Medium Customer Support Experience Low Medium Ease of Use Easy Easy Patch Management Exist No Dashboard (Filter/Queries) Medium Good False Positive Medium Low Priortization Model 4 Model Predictive
- 12. Game changer Tool perspective • Combination of risk-based vulnerability prioritization and automated patch intelligence. • Make patch recommendation with reliability score and current trend on patch.
- 13. Game changer Strategy perspective • Integrating vulnerability efforts and putting in development team product backlog makes more focus. • Balance between security and growth (Security Vulnerability are technical debt are hidden debt for technical organization). • Tracking of current patch lifecycle and risk acceptance will benefit organization and updating KB.
- 14. Thank you