Vulnerability management

19
2015 VULNERABILITY KILL CHAIN Carl Thorp MSc FBCS CITP M.Inst.ISP VRSM CISM CGEIT CISSP CLAS CCP.RA CCP.SA

TAGS:

Transcript of Vulnerability management

Page 1: Vulnerability management

2015

VULNERABILITY KILL CHAIN

Carl Thorp MSc FBCS CITP M.Inst.ISP VRSM CISM CGEIT CISSP CLAS CCP.RA CCP.SA

Page 2: Vulnerability management

Welcome

Page 3: Vulnerability management

What is Vulnerability

• Vulnerability is a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular disaster hazard [OECD 2015]

Page 4: Vulnerability management

What is Vulnerability

• A weakness of an asset or group of assets that can be exploited by one or more threats [ISO/IEC 13335-1:2004]

• Or anything attackers find that they can exploit

Page 5: Vulnerability management

Vulnerability Management

• The identification of vulnerabilities that can be exploited within a system– Vulnerability Assessment– Penetration Testing

• The remediation / risk management of vulnerabilities

Page 6: Vulnerability management

Types of Testing

• SAST• DAST

– Web Layer– Host / Infrastructure– Database

• Manual validation• ITS NOT A PEN TEST

Page 7: Vulnerability management

Why is it difficult?

Page 8: Vulnerability management

• Business1

• Environmental2

• Threat3

Context

Page 9: Vulnerability management

Getting it Right

Page 10: Vulnerability management

Business Context

• Business drivers and objectives

• Understand your assets• We want to be Secure but we

DO NOT WANT Security– John Callas PGP, Apple, Entrust

& Silent Circle• System 1 & System 2 thinking

Page 11: Vulnerability management

Environmental Context

• Understand your assets• Understand the operating

environment• Deep knowledge of

compensating controls• Tool selection

Page 12: Vulnerability management

Threat Intel

• External Threats– Indirect Intel– Direct Intel

• Internal Threats

Page 13: Vulnerability management

Get Message Right

• Less blah blah blah• Use business context

examples• Negative to positive• Do not belittle people

– Israel Barrack ex-Israeli Defence Force Red Team Lead

Page 14: Vulnerability management

Kill Chain

Page 15: Vulnerability management

Kill Chain

Projects

Asset Mgmt.

Threat Intelligence

VMSOnboard Test Analysis Resolution Decom

a

Incidents

Report

Page 16: Vulnerability management

Conclusion

• Work with your organisation not against it

• Plan ahead• Understand your

environment• Develop threat intelligence

Page 17: Vulnerability management

QUESTIONS?

Page 18: Vulnerability management

APPENDIX

Page 19: Vulnerability management

Useful Links / FeedsRSS Feedshttps://isc.sans.edu/rssfeed.xmlrhttp://feeds.feedburner.com/sucuri/bloghttp://seclists.org/rss/fulldisclosure.rsshttp://www.intelligentexploit.com/feed/https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog

Podcastshttp://securityweekly.com/podcast/psw.xmlhttps://isc.sans.edu/dailypodcast.xmlhttp://leo.am/podcasts/sn

All Round Defence / WestThor Ltd take no responsibility for the content of these sites / podcasts

https://isc.sans.edu/rssfeed.xml
https://isc.sans.edu/rssfeed.xml
https://isc.sans.edu/rssfeed.xml
http://feeds.feedburner.com/sucuri/blog
http://feeds.feedburner.com/sucuri/blog
http://feeds.feedburner.com/sucuri/blog
http://seclists.org/rss/fulldisclosure.rss
http://seclists.org/rss/fulldisclosure.rss
http://www.intelligentexploit.com/feed/
http://www.intelligentexploit.com/feed/
https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog
https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog
http://securityweekly.com/podcast/psw.xml
http://securityweekly.com/podcast/psw.xml
http://securityweekly.com/podcast/psw.xml
http://securityweekly.com/podcast/psw.xml
https://isc.sans.edu/dailypodcast.xml
https://isc.sans.edu/dailypodcast.xml
https://isc.sans.edu/dailypodcast.xml
https://isc.sans.edu/dailypodcast.xml
http://leo.am/podcasts/sn
http://leo.am/podcasts/sn
http://leo.am/podcasts/sn
http://leo.am/podcasts/sn

Vulnerability Management

Vulnerability Management

Vulnerability Management Case Study · Vulnerability Management Case Study Page 4 of 16 3. What is Vulnerability Management? Vulnerability Management is a business process aimed at

Vulnerability Management Case Study · Vulnerability Management Case Study Page 4 of 16 3. What is Vulnerability Management? Vulnerability Management is a business process aimed at

Vulnerability Management needn’t be scary!index-of.co.uk/Security/Vulnerability Management for Dummies.pdf · Are thinking about using a vulnerability management application to

Vulnerability Management needn’t be scary!index-of.co.uk/Security/Vulnerability Management for Dummies.pdf · Are thinking about using a vulnerability management application to

The Future of Threat and Vulnerability Management TO ......The Future of Threat and Vulnerability Management to Control Cyber Risk EXECUTIVE OVERVIEW Threat and vulnerability management

The Future of Threat and Vulnerability Management TO ......The Future of Threat and Vulnerability Management to Control Cyber Risk EXECUTIVE OVERVIEW Threat and vulnerability management

Vulnerability Management - baramundi · 2019-04-09 · White Paper | Vulnerability Management Vulnerability overview2 of various software products While the vulnerability is lying

Vulnerability Management - baramundi · 2019-04-09 · White Paper | Vulnerability Management Vulnerability overview2 of various software products While the vulnerability is lying

The Value of Vulnerability Management*

The Value of Vulnerability Management*

VULNERABILITY MANAGEMENT€¦ · Vulnerability management is more than just running a vulnerability scanner and adjusting the resulting vulnerabilities on an annual basis. A vulnerability

VULNERABILITY MANAGEMENT€¦ · Vulnerability management is more than just running a vulnerability scanner and adjusting the resulting vulnerabilities on an annual basis. A vulnerability

New approaches to vulnerability management

New approaches to vulnerability management

Tripwire IP360 Vulnerability Management

Tripwire IP360 Vulnerability Management

Predictive Security Intelligence for Vulnerability Management · Unify and Streamline Vulnerability Management CORE Insight ™ and QualysGuard unify and streamline vulnerability

Predictive Security Intelligence for Vulnerability Management · Unify and Streamline Vulnerability Management CORE Insight ™ and QualysGuard unify and streamline vulnerability

Software Vulnerability Management at Microsoft

Software Vulnerability Management at Microsoft

Assignment No 5 Vulnerability Management

Assignment No 5 Vulnerability Management

QG Vulnerability Management Module

QG Vulnerability Management Module

DGRZETICH - Adv Vulnerability Management DRAFTto!examine!patch!management!in!the!contextof!vulnerability!management throughoutthis!paper.!

DGRZETICH - Adv Vulnerability Management DRAFTto!examine!patch!management!in!the!contextof!vulnerability!management throughoutthis!paper.!

Vulnerability management - PwC

Vulnerability management - PwC

PRODUCT SAFETY MANAGEMENT: VULNERABILITY …

PRODUCT SAFETY MANAGEMENT: VULNERABILITY …

An Approach to Vulnerability Management, Configuration Management

An Approach to Vulnerability Management, Configuration Management

Implementing Vulnerability Management Process 34180

Implementing Vulnerability Management Process 34180

APPSEC VULNERABILITY MANAGEMENT PIPELINES

APPSEC VULNERABILITY MANAGEMENT PIPELINES

Think Vulnerability Management Has Been Commoditized? …...Frontline Vulnerability Manager™ (Frontline VM™), the original Vulnerability Management as a Service (VMaaS) platform,

Think Vulnerability Management Has Been Commoditized? …...Frontline Vulnerability Manager™ (Frontline VM™), the original Vulnerability Management as a Service (VMaaS) platform,