Planning and Deploying an Effective Vulnerability Management Program

Fast Track: Planning & Deploying an Effective Vulnerability Management Program Jonathan Bitle, Technical Director, Qualys, Inc.


This presentation covers the essential components of a successful Vulnerability Management program that allows you to proactively identify risk to protect your network and critical business assets. Key take-aways:

* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management

Transcript of Planning and Deploying an Effective Vulnerability Management Program

Page 1: Planning and Deploying an Effective Vulnerability Management Program

Fast Track: Planning & Deploying an Effective Vulnerability Management Program

By Jonathan Bitle, Technical Director, Qualys, Inc.

Page 2: Planning and Deploying an Effective Vulnerability Management Program

Problems affecting implementation

There are 3 main categories of importance when planning an effective Vulnerability Management Program:

Technology

People

Process

Page 3: Planning and Deploying an Effective Vulnerability Management Program

Technology: Solution Design

Design is the simple part of a production roll-out

Page 4: Planning and Deploying an Effective Vulnerability Management Program

Technology: Appliances

Plan for the number of scanning appliances
– # of active hosts determines # of appliances required
– Frequency of scans alters requirements

Network topology can complicate the design
– Firewalls / Access Control Devices
– Low speed bandwidth links
– Geographic and political boundaries

Page 5: Planning and Deploying an Effective Vulnerability Management Program

Technology: Gather Basic Information

IP addresses for each planned scanning appliance

Subnet Mask for each planned network interface

Hostname for each appliance

DNS information

Page 6: Planning and Deploying an Effective Vulnerability Management Program

Technology: Utilize The Technology

Take advantage of the automation capabilities of the technology to save time for more important tasks such as remediation.

Schedule scans

Develop alerts for severe risk issues

Automate report generation and distribution

Page 7: Planning and Deploying an Effective Vulnerability Management Program

People

People are the cornerstone of an effective security policy and risk reduction.

Page 8: Planning and Deploying an Effective Vulnerability Management Program

People: Know Your Target Audience

Make a list of key team members and know their needs. If possible, interview them to better understand how to streamline information.

CISO / CIO
– Ultimate owner of risk in the environment
– Signs off on regulatory compliance measures
– Needs high-level metrics (pass/fail?) to ensure risk reduction

Executive Staff
– Makes resource allocation decisions
– Needs trend information to understand effectiveness of security program

Directors / Managers
– Oversee system owners and help prioritize work efforts
– Need visibility into system owner performance

System Owners
– Own the systems and are responsible for remediation efforts
– Need detailed technical reports with prioritization

Page 9: Planning and Deploying an Effective Vulnerability Management Program

People: Know Your System Owners

Remediation will require significant resource allocation and time.

It is important to properly identify system owners
– Enables automated host ownership reports
– By geographical region or business unit
– Based on operating system
– Based on applications

Streamline the information provided
– Provide information to the owner, don’t rely on them to find it
– Irrelevant information will create push-back
– A list of 1000 issues will rarely get fixed
– A list of 10 high risk issues will get done immediately

Page 10: Planning and Deploying an Effective Vulnerability Management Program

People: Problems Will Occur

Expect that problems will occur and develop a strategy to deal with them.

Hosts or applications will have interoperability issues with the scans
– Work with vendors to identify root cause

Team members may not meet performance goals
– Look into prioritization issues

Vendors may not have patches to resolve discovered issues
– Develop ways to mitigate risk (firewalls, port filtering, etc.)

Evangelize. Evangelize. Evangelize. It is imperative that numerous groups in the organization understand the importance of your vulnerability management program.
– System Administrators must understand the importance of reducing risk, and how it ultimately affects system uptime
– Executive buy-in is required for effective risk reduction

Provide product demos and training sessions

Page 11: Planning and Deploying an Effective Vulnerability Management Program

People: Create a List of Stated Goals

Provide an accurate assessment of risk for each host and relative network segments

Facilitate a security assessment that leads to best practices with regard to remediation actions

Provide system administrators with the tools to optimize and validate remediation efforts

Provide a common language and metrics to discuss risk across the organization

Provide for prioritization of vulnerabilities and remediation efforts in the environment

Provide executive staff with risk metrics and measure adherence to corporate policies

Provide a feedback loop for current and future system policy

Provide constant monitoring and measurement of risk in the environment for adherence to regulatory compliance initiatives

Measure overall effectiveness of the security program

Provide automated workflow capabilities that reduce resource requirements

Protect the organization from successful exploit of vulnerabilities

Page 12: Planning and Deploying an Effective Vulnerability Management Program

People: Work Toward a Single Goal

The ultimate goal of our Vulnerability Management solution is to measure, manage and reduce risk in our environment.

Always work towards this main goal.

Page 13: Planning and Deploying an Effective Vulnerability Management Program

Process: Define Your Security Policy

Recognize that your security policy should fit the needs and goals of YOUR organization, and as such there is no one-size-fits-all solution. However, there are commonalities and guidelines that will help you define an effective policy.

Page 14: Planning and Deploying an Effective Vulnerability Management Program

Process: Heterogeneous Environment

Most environments are highly heterogeneous, creating numerous challenges.

Rarely a clear understanding of the types of hosts for each network segment

Multitude of host and application owners

Asset management systems are rarely kept up to date

Page 15: Planning and Deploying an Effective Vulnerability Management Program

Process: Define “In / Out of Scope”

What are the total networks in use?
– Is network information stored in an asset management system?
– Utilize the automated discovery process of the tool

Which networks should be excluded?
– Networks that should never be scanned, given the ramifications of an application interaction issue (i.e. process control systems like SCADA devices)
– Networks that have serious bandwidth constraints (defer these to a different phase?)
– Small subnets that do not contain hosts (i.e. router to router subnets – exclude all /29 and up?)
– Systems that are known to have application interaction issues that cannot be resolved
– Systems that are obstructed by Access Control devices
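The in / out of scope rules above can be applied mechanically to whatever the asset management system exports. The script below is an added example written for this transcript; it is not part of the presentation or of any Qualys product. It takes a constructed network inventory, a never-scan list (process control / SCADA), and a list of bandwidth-constrained networks to defer, excludes /29 and smaller subnets as the slide suggests, drops duplicate inventory rows, and counts the addresses left in scope, which is the figure the appliance-planning slide starts from. The network ranges, the exclusion lists and the /29 threshold are assumptions chosen for illustration.

```python
"""Scan scope builder.

Added example (not from the presentation): applies the slide's in / out of
scope rules to a network inventory. All networks below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory, as an asset management export might look (note the
# duplicate row, which is common in stale asset data).
INVENTORY = [
    "10.10.0.0/22",      # data centre servers
    "10.10.0.0/22",      # duplicate export row
    "10.20.5.0/24",      # plant floor, process control (SCADA)
    "10.30.0.0/24",      # remote office behind a low-bandwidth link
    "192.168.254.0/30",  # router-to-router link, no real hosts
    "172.16.8.0/24",     # workstations
]
NEVER_SCAN = ["10.20.0.0/16"]   # networks that must never be scanned (assumed)
DEFERRED = ["10.30.0.0/16"]     # bandwidth-constrained, scan in a later phase (assumed)


@dataclass
class ScopeDecision:
    in_scope: list = field(default_factory=list)
    deferred: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def _overlaps_any(net, cidrs):
    return any(net.overlaps(ipaddress.ip_network(c, strict=False)) for c in cidrs)


def classify_network(cidr, never_scan, deferred, exclude_prefix_from=29):
    """Return (bucket, reason) for one CIDR, applying the rules in priority order."""
    net = ipaddress.ip_network(cidr, strict=False)
    # 1. Never-scan networks win over every other rule.
    if _overlaps_any(net, never_scan):
        return "excluded", "overlaps a never-scan network (application interaction risk)"
    # 2. Small subnets (/29 and up) are point-to-point links, not host ranges.
    if net.prefixlen >= exclude_prefix_from:
        return "excluded", f"/{net.prefixlen} subnet, no hosts expected"
    # 3. Bandwidth-constrained networks go to a later deployment phase.
    if _overlaps_any(net, deferred):
        return "deferred", "bandwidth-constrained link, later phase"
    return "in_scope", "no exclusion rule matched"


def build_scan_scope(inventory, never_scan, deferred, exclude_prefix_from=29):
    """Sort every inventory row into in_scope / deferred / excluded with a reason."""
    decision = ScopeDecision()
    seen = set()
    for cidr in inventory:
        net = str(ipaddress.ip_network(cidr, strict=False))
        if net in seen:          # ignore duplicate inventory rows
            continue
        seen.add(net)
        bucket, reason = classify_network(net, never_scan, deferred, exclude_prefix_from)
        getattr(decision, bucket).append((net, reason))
    return decision


def scannable_addresses(decision):
    """Address count in scope: the starting figure for sizing scanning appliances."""
    return sum(ipaddress.ip_network(n).num_addresses for n, _ in decision.in_scope)


if __name__ == "__main__":
    scope = build_scan_scope(INVENTORY, NEVER_SCAN, DEFERRED)
    for bucket in ("in_scope", "deferred", "excluded"):
        for net, reason in getattr(scope, bucket):
            print(f"{bucket:9} {net:18} {reason}")
    print("addresses in scope:", scannable_addresses(scope))
```

Each decision carries its reason so the scope list can be reviewed with the network team before the first scan; the never-scan rule is evaluated first so that a mistaken "in scope" entry elsewhere in the inventory can never override it.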

Page 16: Planning and Deploying an Effective Vulnerability Management Program

Process: Classify Your Assets

We can get mired down in classification schemes; however, it is more important to have some form of classification, no matter how simple. Start with a simple classification system and adjust as necessary:

Critical Assets
– Mission / business critical
– Related to regulatory compliance
  * PCI
  * Sarbanes Oxley
  * HIPAA
  * NERC / FERC

High
– General server category

Medium
– Workstations & Laptops

Low
– Printers, etc.

Page 17: Planning and Deploying an Effective Vulnerability Management Program

Process: Prioritization

You can’t fix everything, so prioritization is key.

Critical (48 hours to resolve)
– High & Critical vulnerability on Critical asset

High (one week to resolve)
– Medium vulnerability on Critical asset
– High vulnerability on High asset

Medium (one month to resolve)
– Low vulnerability on Critical asset
– Medium vulnerability on High asset
– High vulnerability on Low asset

Low (6 months to resolve)
– Medium vulnerability on Low asset
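The classification and prioritization slides together define a matrix of vulnerability severity against asset class, with a time to resolve for each resulting priority. The script below is an added example written for this transcript, not code from the presentation or from Qualys. It encodes only the cells the slide states and reports any severity/asset combination the slide leaves undefined (for example a High vulnerability on a Medium asset) as a policy gap rather than guessing; it then produces the short per-owner work list the "Know Your System Owners" slide asks for and an overdue list for the remediation managers described under Oversight & Accountability. The findings, host and owner names are constructed, the finding record layout is an assumption, and "one month" and "6 months" are taken as 30 and 180 days.

```python
"""Remediation prioritization and SLA tracking.

Added example, not from the presentation. Encodes the slide's priority matrix
(vulnerability severity x asset class -> priority and time to resolve), flags
undefined combinations, and builds short per-owner work lists.
"""
from datetime import datetime, timedelta

# (vulnerability severity, asset classification) -> remediation priority.
# Only the cells stated on the slide are filled in; every other combination is
# left for the organization's policy to decide, and triage() reports it as a gap.
PRIORITY_MATRIX = {
    ("Critical", "Critical"): "Critical",
    ("High", "Critical"): "Critical",
    ("Medium", "Critical"): "High",
    ("High", "High"): "High",
    ("Low", "Critical"): "Medium",
    ("Medium", "High"): "Medium",
    ("High", "Low"): "Medium",
    ("Medium", "Low"): "Low",
}

# Time to resolve per priority, from the slide. "one month" and "6 months" are
# taken as 30 and 180 days; that is an assumption of this example.
SLA = {
    "Critical": timedelta(hours=48),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=180),
}
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed findings, in the shape a scanner export might be normalised to.
T0 = datetime(2024, 1, 10, 9, 0)
FINDINGS = [
    {"id": "F1", "host": "db01", "owner": "alice", "severity": "High", "asset_class": "Critical", "detected": T0},
    {"id": "F2", "host": "web03", "owner": "alice", "severity": "Medium", "asset_class": "High", "detected": T0},
    {"id": "F3", "host": "ws-117", "owner": "bob", "severity": "High", "asset_class": "Medium", "detected": T0},
    {"id": "F4", "host": "print2", "owner": "bob", "severity": "Medium", "asset_class": "Low", "detected": T0},
    {"id": "F5", "host": "erp01", "owner": "alice", "severity": "Low", "asset_class": "Critical", "detected": T0},
]


def prioritize(severity, asset_class):
    """Return the remediation priority, or None when the matrix has no entry."""
    return PRIORITY_MATRIX.get((severity, asset_class))


def due_date(detected, priority):
    """Deadline for a finding: detection time plus the SLA for its priority."""
    return detected + SLA[priority]


def triage(findings):
    """Attach priority and due date to each finding; collect undefined matrix cells."""
    triaged, gaps = [], set()
    for f in findings:
        pri = prioritize(f["severity"], f["asset_class"])
        if pri is None:
            gaps.add((f["severity"], f["asset_class"]))   # policy must fill this cell
            continue
        triaged.append({**f, "priority": pri, "due": due_date(f["detected"], pri)})
    return triaged, gaps


def owner_worklist(triaged, owner, limit=10):
    """Short, prioritized list for one system owner, most urgent first."""
    mine = [f for f in triaged if f["owner"] == owner]
    mine.sort(key=lambda f: (PRIORITY_RANK[f["priority"]], f["due"]))
    return mine[:limit]


def overdue(triaged, now):
    """Findings past their SLA, for remediation managers' oversight."""
    return [f for f in triaged if f["due"] < now]


if __name__ == "__main__":
    triaged, gaps = triage(FINDINGS)
    for f in owner_worklist(triaged, "alice"):
        print(f"{f['priority']:8} {f['id']} {f['host']:8} due {f['due']:%Y-%m-%d %H:%M}")
    print("matrix gaps to decide in policy:", sorted(gaps))
    print("overdue now:", [f["id"] for f in overdue(triaged, datetime(2024, 1, 13))])
```

The `limit` on the work list is what keeps the owner's report to a handful of issues instead of a list of a thousand; the gap set is worth reviewing before the first report goes out, since any finding in an undefined cell would otherwise silently drop out of everyone's list.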

Page 18: Planning and Deploying an Effective Vulnerability Management Program

Process: Oversight & Accountability

Some organizations will have a mandate, possibly driven by external regulatory measures. However, many organizations do not start off in this way.

Bonus tied to remediation
– Most effective way to ensure compliance with security policy

Remediation Managers
– Provide oversight of the risk reduction process

“Wall of Shame”
– Peer pressure can be effective!

Page 19: Planning and Deploying an Effective Vulnerability Management Program

Process: Deployment Phases

Recommend phasing in scans to determine application interaction issues

Phased approach not necessary for all networks, but recommended for critical infrastructure

Perform initial testing of critical infrastructure in change windows

Page 20: Planning and Deploying an Effective Vulnerability Management Program

Summary

Technology is the simple part of your Vulnerability Management solution
– Utilize automation wherever possible

People are key to getting the job done; use them wisely and build a good working relationship.
– Know the key players, their roles and responsibilities
– Don’t overwhelm people with data
– Get buy-in from multiple groups in your organization, especially the executive staff

Process is necessary for an effective solution - keep it simple to understand and follow
– Classify your assets; always work on the most important assets first
– Prioritize remediation; always work on the most critical issues first
– Create and use Service Level Agreements
– Monitor progress and make policy adjustments as necessary