NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
Transcript of NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
@NTXISSA#NTXISSACSC3
Introducing the Vulnerability Management Maturity Model - VM3
Gordon MacKay - @gord_mackay, Chief Technology Officer
Digital Defense Inc., October 2016
Overview
• What is Vulnerability Management and how has it Evolved
• Inside the CISO's Mind
• Vulnerability Management Challenges
• Vulnerability Management Maturity Model – VM3
• Accelerating your Evolution
• Bringing it all Together
Vulnerability Management - Then
• Scanning the Network Once a Year
• Reporting on Vulnerabilities: Mountains of Data
• Fixing the Issues: Overwhelming Resources
Vulnerability Management - Now
• Management Process Overview & Policy
• Discover Assets/Applications: Data Center, Cloud, Mobile
• Discover: Consider Business Value
• Assess What? Vulnerabilities, Configuration, People
• Assess How? Unauthenticated, Authenticated, DAST, SAST
• Prioritize Findings: Business Value, Threat Intelligence, Network Architecture
• Assign Findings: IT Operations
• Measure: Report
CISO Challenges
• Think Like a General: What is Vulnerable Now? Minimize my Risk
• Think Like a Detective: Where Might I Already Be Compromised? Newly Discovered Threats Reveal Possible Compromised Assets
How a Modern CISO Thinks – Real World: Like a General and a Detective
Hypothetical Use Case: New Zero Day Impacts Apache version 2.4.0 – 2.4.22 but fixed in 2.4.23
[Timeline figure: Vulnerable Then / Vulnerable Now, plotted against Time]
Vulnerability Management Challenges
• Too Many Vulnerabilities: How to Prioritize
• Where is Business Value: Situational Awareness
• Who Owns the Assets: Many Different Teams
• IT Security and IT Operations Have Different Agendas
• Accuracy of Past Findings: VM Intelligence
VM Challenge: Scan-to-Scan Endpoint Correlation
[Figure: endpoint records observed in Scan Week 1 and Scan Week 2, plotted over time and mapped against the Real World Network Assets: Asset A, Asset B, Asset C]
Endpoint records shown in the figure:
IP=192.168.40.6, DNS HN=None, NETBIOS HN=Blue, MAC=Alpha
IP=192.168.40.7, DNS HN=[email protected], NETBIOS HN=White, MAC=Undetected
IP=92.168.40.6, DNS HN=crm.myorg.com, NETBIOS HN=None, MAC=Undetected
IP=192.168.40.5, DNS HN=None, NETBIOS HN=Blue, MAC=Alpha
IP=192.168.40.5, DNS HN=[email protected], NETBIOS HN=None, MAC=Undetected
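Scan-to-scan endpoint correlation as an added example, not code from the slides or from Digital Defense: the constructed records mirror the figure (Asset A carries NetBIOS name Blue and MAC Alpha, Asset C is crm.myorg.com) while the Endpoint class, correlate() and the identifier priority order are assumptions of mine. Matching on the strongest identifier each scan actually detected reconciles the three assets across the IP churn, and correlate(SCANS, keys=("ip",)) reproduces the mis-attribution that IP-only matching causes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    """One scanner observation of a host (None = attribute not detected)."""
    ip: str
    dns_hn: Optional[str] = None
    netbios_hn: Optional[str] = None
    mac: Optional[str] = None

# Strongest-to-weakest evidence of identity (assumed order): a MAC or hostname
# usually survives DHCP churn, while an IP is freely reassigned between scans.
KEY_ORDER = ("mac", "dns_hn", "netbios_hn", "ip")

def correlate(scans, keys=KEY_ORDER):
    """Group observations from successive scans into assets, each shaped as
    {"ids": {key: value}, "seen": [(scan_name, Endpoint), ...]}: an observation
    joins the first asset sharing its strongest detected key listed in `keys`."""
    assets = []
    for scan_name, endpoints in scans:
        for ep in endpoints:
            match = None
            for key in keys:
                value = getattr(ep, key)
                if value is None:
                    continue
                match = next((a for a in assets if a["ids"].get(key) == value), None)
                if match is not None:
                    break  # stop at the strongest key that matched
            if match is None:
                match = {"ids": {}, "seen": []}
                assets.append(match)
            for key in KEY_ORDER:  # record every identifier, keeping the first value learned
                value = getattr(ep, key)
                if value is not None and key not in match["ids"]:
                    match["ids"][key] = value
            match["seen"].append((scan_name, ep))
    return assets

# Constructed sample modelled on the slide: Asset A (NetBIOS "Blue", MAC "Alpha") and
# Asset C (crm.myorg.com) swap IPs between the two scan weeks; Asset B keeps its IP.
SCANS = [
    ("Scan Week 1", [Endpoint("192.168.40.6", netbios_hn="Blue", mac="Alpha"),
                     Endpoint("192.168.40.7", netbios_hn="White"),
                     Endpoint("192.168.40.5", dns_hn="crm.myorg.com")]),
    ("Scan Week 2", [Endpoint("192.168.40.5", netbios_hn="Blue", mac="Alpha"),
                     Endpoint("192.168.40.6", dns_hn="crm.myorg.com"),
                     Endpoint("192.168.40.7", netbios_hn="White")]),
]
```

With the full key order, Asset A's Week 2 findings follow it to 192.168.40.5; with keys=("ip",) they are filed under the asset that held .5 in Week 1, which is exactly how past findings lose accuracy.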
Prevalence of Network Churn: DDI Study
Source: https://www.ddifrontline.com/wp-content/uploads/2015/08/Network_Host_Reconciliation.pdf
Vulnerability Management Maturity Model VM3
Where do I Operate?
Source: https://www.digitaldefense.com/vm3-whitepaper
Vulnerability Management Maturity: Major Influencing Factors
• Business Environment: Executive Management Participation, Security Awareness, Business IT Structure
• Policy: Risk Threshold, Set Goals (SLA)
• Discover & Prioritize Assets: Know Your Business Critical Assets
• Assess: Type, Depth, Breadth, Frequency
Vulnerability Management Maturity: Major Influencing Factors
• Prioritize Findings: Vulnerability Severity, Asset Criticality, Threat Intelligence, Attack Path
• Remediate: Who are Asset Owners? Security Operations vs IT Operations; Remediation/Mitigation Speed?
• Measure – Report: Measure/Report vs Set Goals; Measure Risk; Learn and Evolve Based on Measurements
Managed Service Vulnerability Management Can Help
• Design and Build
  • Discover New Assets on an Ongoing Basis
  • Examine, Re-examine Business Criticality
  • Design, Build Assessments of Varying Types, Depth, Breadth, Frequency
• Operate
  • Prioritize Findings: Understand which vulnerabilities you should take on
  • Managed Service Helps Bridge Gap Between Security Operations and IT Operations Teams
• Report
  • Report on what matters to you
Wrap Up
• Vulnerability Management – An Evolving Process
• VM Challenges
  • Time – Scan-To-Scan Endpoint Correlation
  • Prioritizing Findings
  • Asset Owners?
  • Business Communication – IT Ops vs Security Ops
• Vulnerability Management Maturation Model: Higher Maturity Levels -> Lower Risk
• Accelerating Your VM Evolution