Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Prioritization is Wrong

Presented at Black Hat 2014.

Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It is a wildly uneven match: a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on the time-honored methodology of fixing vulnerabilities in order of severity.

But severity-based vulnerability management misses the mark completely, because it overlooks the fact that risk exposure is the real concern. This workshop focuses on identifying the vulnerabilities that matter so they can be fixed as quickly as possible, reducing risk and shrinking the attack surface over time.

In this deep-dive session on vulnerability analysis and prioritization, we cover:

- Calculating risk exposure: Risk = Impact * Likelihood * Time
- The data you need to be collecting about assets and vulnerabilities
- Prioritizing vulnerabilities using simple two-factor relationships
- Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
- Techniques to drive down the risk exposure time


Slide 1: Sean Keef, Director, Sales Engineering, Skybox Security. Don't be a Target: Everything You Know About Vulnerability Prioritization is Wrong

© 2014 Skybox Security Inc., Confidential

Slide 2: Everything you 'know' about VM is wrong
- My active scanner finds all known vulnerabilities
- Our traditional VM approach is reducing risk
- We know what we need to fix first
- Severity is a good indicator of what to fix
- Low and medium severity vulnerabilities can be ignored
- A 30-day scan cycle is acceptable

Slide 3: Agenda
- The Present
- The Purpose
- The Pain
- Relationships
- The Prioritization
- The Process
- The Punchline

Slide 4: Definitions
- Risk: the probability of occurrence and degree of damage an undesirable event will cause.
- Vulnerability: host-based, application and operating system vulnerabilities.
- Vulnerability Management: the process of discovering, prioritizing and remediating vulnerabilities.

Slide 5: Case Study (FinCorp Bank)
- 90% of the servers are scanned every 30 days
- 50% of workstations are scanned every 90 days
- The average PC has ~117 vulnerabilities
- Over 1 million vulnerabilities to be remediated
- Critical severity remediation SLA is 15 days

Slide 6: The Present
Vulnerability Management
- Discovery with an active scanner
- Prioritization, remediation and SLAs based on severity
- Critical vulnerabilities are not remediated before the next scan is executed, leading to SLAs not being met.

Slide 7: The Purpose
- To ensure that risk-causing vulnerabilities exist in an exploitable state for the shortest amount of time possible. (Chart: Risk over Time.)

Slide 8: Case Study (FinCorp Bank)
- Spends ~100 man-hours per week remediating vulnerabilities
- Week to week:
  - Average ~1 million vulnerabilities
  - Average ~20% Critical, ~50% High, ~30% Medium or lower
  - No significant reduction of vulnerability count or breakdown week over week (it was actually growing)
- No real plan for how to reduce the overall number of vulnerabilities or overall risk
- No prioritization plan beyond severity. A realization that severity-based remediation isn't doing the job.

Slide 9: The Pain
- Risk is not decreased over time. (Chart: Risk over Time, contrasting remediating low risk-causing vulnerabilities, not remediating high risk-causing vulnerabilities, and remediating high risk-causing vulnerabilities; axes labelled Severity and Risk.)

Slide 10: Case Study (FinCorp Bank)
- Priorities
  1. Risk visibility and qualification
  2. Prioritization
  3. Communication
- Solutions
  - Collect more data
  - Correlate the data
  - Relationships

Slide 11: Relationships (Diagram: Exploitability, Impact, Severity.)

Slide 12: Host – Vulnerability Relationship (Diagram: Hosts and Vulnerabilities.)

Slide 13: Host – Vulnerability Relationship (Diagram: Hosts and Vulnerabilities linked through Asset Data, Network Map and Vulnerability Data.)

Slide 14: Host Value (Diagram: Assets with Value, Function, Location.)
- Asset Data
  - Baby steps
    - Get the data that exists
    - PCI CDE machines
    - Important networks
    - Known critical machines
    - Incomplete is better than nothing
  - Asset classification is its own project

Slide 15: Host Loss (Diagram: Assets with C, A, I: Confidentiality, Availability, Integrity.)

Slide 16: Host – Vulnerability Relationship (Diagram: Vulnerabilities mapped to C, A, I.)

Slide 17: Host – Vulnerability Relationship (Diagram: Vulnerabilities with Expanded Vulnerability Data.)

Slide 18: Vulnerability Attributes (Diagram: Vulnerability with Impact, IPS, Severity, Vector, Catalog.)

Slide 19: Host – Vulnerability Relationship (Diagram: Vulnerability with Impact, IPS, Severity, Network, Catalog, Assets.)

Slide 20: Prioritization – Simple Relationships
- Vulnerability + Host importance (Impact): Easy (Scanner / Spreadsheet / Script)
- Vulnerability + Time on host: Easy (Scanner / Spreadsheet / Script)
- Vulnerability + Host location: Easy (Scanner / Spreadsheet / Script)
- Vulnerability + Host type: Easy (Scanner / Spreadsheet / Script)
- Vulnerability + Patch (Quick win): Hard (Application)
- Vulnerability + IPS Signature (IPS shielding): Hard (Application)

Slide 21: Prioritization – IPS Signature to Vulnerability

Slide 22: Prioritization – Patch to Vulnerability. Quick Win!

Slide 23: Case Study (FinCorp Bank)
- <Missing something>
- Critical vulnerabilities on PCI CDE hosts
- Vulnerabilities that can be IPS shielded
- The patch that wipes out the most vulnerabilities

Slide 24: Prioritization – Complex Relationships
Risk = Impact * Likelihood * Time
- Vulnerability & Host
- Host w/ Vulnerability & Network Security

Slide 25: Likelihood (Diagram: attack simulations from a Compromised Workstation, a Foreign Threat and an Exploited Partner against vulnerabilities.)
- CVE-2014-0160
- CVE-2014-0515
- CVE-2014-1776

Slide 26: Stair Step Attacks

Slide 27: Prioritize Vulnerabilities by Multiple Factors
Vulnerabilities prioritized:
- Directly exploitable vulnerabilities
- Vulnerabilities on PCI hosts
- IPS-shielded vulnerabilities
- Vulnerabilities remediated with a single MS Bulletin

Slide 28: The Result
- Risk is reduced over time
- Risk visibility and communication is increased
(Chart: Risk over Time; remediating high risk-causing vulnerabilities reduces risk by reducing the attack surface.)

Slide 29: Case Study (FinCorp Bank)
Before
- Losing the fixed vs. found battle
- Unfocused remediation
- Risk not reduced over time
After
- Full visibility into many relationships
- Risk and attack surface reduced week over week
- Understanding of network topology + network map
Result: more effective understanding and application of remediation options

Slide 30: The Process
- Discovery: is there a better way than active scanning?

Slide 31: Case Study
- Large multinational
  - Central IT / strong business units
  - Loosely controlled scanning; business units can opt out.
  - CISO needed to be able to ensure a single vulnerability was wiped out.
  - Had SCCM everywhere

Slide 32: Limited and Out-of-Date Information
The value of vulnerability information decays over time. (Chart over Month 1 to Month 3: knowledge is added during a scan to 100%, then decays post scan to 80% and 60%, the remainder being missing data.)

Slide 33: We just don't need to scan more
Why Not Scan More Often? (2012 Survey) It's just too difficult. Reasons that respondents don't scan more often:
- Unable to gain credentialed access to scan portions of the network
- The cost of licenses is prohibitive
- Some hosts are not scannable due to their use
- We don't have the resources to deal with broader patching activity
- We don't have the resources to analyze more frequent scan data
- We are concerned about disruptions from scanning
(Chart values as extracted, order not recoverable: 59%, 58%, 41%, 34%, 29%, 12%, 5%.)

Slide 34: So Security Teams Try to Limit Impact
Disruption: "Oops, we took down the net." Scan today, scan next week, scan next month, scan next year, scan NEVER.

Slide 35: Scan Frequency and Coverage (2012 Survey)
(Chart: Scan Frequency in Days versus % of Network Scanned.)
- Partner/external networks: ~60-90 days, <50% of hosts
- Critical systems, DMZ: ~30 days, 50-75% of hosts
- Goal: ~daily / continuous, 90%+ of hosts

Slide 36: Host – Vulnerability Relationship
Asset: Windows 7, Firefox, Adobe Reader 10, Java SE 20
- Buffer Overflow: Windows 7, Windows 2K SP2, Windows 2K SP1
- Remote Code Execution: Adobe Reader 8, Adobe Reader 9, Adobe Reader 10, Adobe Reader 7.7
- Security Bypass: Firefox, Thunderbird, SeaMonkey
- Remote DoS: IIS 6.0, IIS 7.5
- Remote Unspecified: Java 7.4, Java FX 2.2.4, Java JRE 6.7, Java SE 7.11

Slide 37: Vulnerability Deduction Process
Product profiling from Asset / Patch Management, Networking Devices and the Active Scanner feeds a Product Catalog (CPE) with OS version & patch level and application versions; Vulnerability Deduction matches the catalog against the Vulnerability Database to produce the Vulnerability List (CVE).

Slide 38: Speed
Typical scanner: 250 hosts/hour vs. analytical scan: 100,000 hosts/hour

Slide 39: Analytics Give You a Continuous View of Vulnerabilities
(Chart over Month 1 to Month 3: the active scanner alone covers ~50%; combining active scanning and analytics-based vulnerability detection reaches 100%.)

Slide 40: Case Study
- Large multinational
  - Visibility on ~100% of hosts in less than a week.
  - Able to eradicate Heartbleed on 98% of PCs (over 500k) in less than a week.
  - Complete eradication in 23 days.
  - Has visibility into network devices.
  - Able to discover vulnerabilities on mission-critical portions of the network.

Slide 41: Not all scanners have every vulnerability
Date the vulnerability was added to the scanner by the vendor:

CVE            Qualys     McAfee     TripWire   Tenable
CVE-2014-4228  Jul 17     Jul 29     Not Added  Jul 16
CVE-2014-4943  Jul 28     Jul 24     Jul 19     Jul 17
CVE-2013-1741  Apr 4      Dec 11     Nov 18     Dec 6
CVE-2014-4607  Jul 14     Jul 10     Jan 1      Jun 27
CVE-2014-2804  Apr 28     Jun 25     Jul 8      Jul 8
CVE-2014-2783  Apr 28     Jul 8      Sep 26     Jul 8
CVE-2014-1375  Jul 2      Not Added  Jun 30     Jul 1
CVE-2014-1369  Not Added  Jul 10     Not Added  Jun 30
CVE-2014-0015  Not Added  Jul 9      Jun 30     Not Added

Slide 42: Your scanner needs to be part of a greater plan
The more data sources you can include, the better.
- Advisories: Adobe, CERT, Cisco PSIRT, Mitre CVE, Microsoft Security Bulletin, NIST's NVD, Oracle, Symantec SecurityFocus
- Scanners: eEye Retina*, ISS Internet Scanner*, McAfee Foundstone, Qualys Guard, Rapid7 Nexpose, Tenable Nessus, Tripwire nCircle
- IPS: HP TippingPoint, ISS Proventia, Palo Alto Networks, SourceFire
- Other sources: Rapid7 Metasploit, Symantec Worms

Slide 43: The Power of Seven Scanners at Once

Slide 44: The Process
- Remediation and tracking: do you know how you are doing?

Slide 45: Remediation Reporting

Slide 46: The Punchline
- To ensure that risk-causing vulnerabilities exist in an exploitable state for the shortest amount of time possible, you must:
  - Discover vulnerabilities quickly
  - Challenge the active scanner status quo
  - Understand the relationship between the hosts and your vulnerabilities to discover what matters
  - Remediate or mitigate based on analysis of risk, not severity. Enable reporting.

Slide 47: Thank you! Interested in Skybox for Vulnerability Assessment and Management? Start your 30-Day Trial today! www.skyboxsecurity.com/trial
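The deck's Risk = Impact * Likelihood * Time formula and its two-factor "simple relationships" (vulnerability + host importance, + patch, + IPS signature) can be scripted against scanner output. The following is an added example, not Skybox's or the speaker's code; the weights, host names, CIA values and patch/signature ids are constructed, and only the CVE ids are taken from the deck.

```python
"""Added example: risk-based ordering of findings using the deck's
Risk = Impact * Likelihood * Time plus the 'simple relationships'
(vulnerability + host importance, + patch, + IPS signature).
All hosts, findings, weights and patch/signature names are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Host:
    name: str
    cia: Tuple[float, float, float]  # loss weight per C, A, I (0..1), constructed
    pci_cde: bool = False

@dataclass
class Vuln:
    cve: str
    host: str
    severity: float                # scanner/CVSS base score, 0..10
    days_open: int                 # how long it has existed on this host
    exploitable: bool              # reachable per attack simulation (assumed input)
    patch: Optional[str] = None    # patch/bulletin that removes it (constructed ids)
    ips_sig: Optional[str] = None  # IPS signature that shields it (constructed ids)

def risk(v: Vuln, h: Host) -> float:
    """Risk = Impact * Likelihood * Time with assumed, illustrative weights."""
    impact = max(h.cia) * (v.severity / 10.0)
    likelihood = 1.0 if v.exploitable else 0.2       # residual for unreachable
    if v.ips_sig:
        likelihood *= 0.25                           # IPS shielding discount
    time_factor = 1.0 + min(v.days_open, 90) / 30.0  # grows with exposure, capped
    return impact * likelihood * time_factor

def prioritize(vulns: List[Vuln], hosts: List[Host]) -> List[Vuln]:
    """Order findings by risk rather than by scanner severity."""
    by_name = {h.name: h for h in hosts}
    return sorted(vulns, key=lambda v: risk(v, by_name[v.host]), reverse=True)

def pci_critical(vulns: List[Vuln], hosts: List[Host], min_sev: float = 9.0) -> List[Vuln]:
    """Two-factor relationship: critical findings on PCI CDE hosts."""
    pci = {h.name for h in hosts if h.pci_cde}
    return [v for v in vulns if v.host in pci and v.severity >= min_sev]

def best_patch(vulns: List[Vuln]) -> Optional[Tuple[str, int]]:
    """Quick win: the single patch that wipes out the most findings."""
    counts = Counter(v.patch for v in vulns if v.patch)
    return counts.most_common(1)[0] if counts else None

# Constructed sample data; the CVE ids are the ones named in the deck.
HOSTS = [Host("pci-app01", (1.0, 1.0, 0.9), pci_cde=True),
         Host("web-dmz02", (0.6, 0.9, 0.6)),
         Host("kiosk-17", (0.2, 0.3, 0.2))]
VULNS = [Vuln("CVE-2014-0160", "web-dmz02", 5.0, 10, True, patch="KB-B"),
         Vuln("CVE-2014-1776", "kiosk-17", 9.3, 40, False, patch="KB-A", ips_sig="sig-0001"),
         Vuln("CVE-2014-0515", "pci-app01", 10.0, 3, True, patch="KB-C"),
         Vuln("CVE-2013-1741", "kiosk-17", 7.5, 120, False, patch="KB-A")]

if __name__ == "__main__":
    by_name = {h.name: h for h in HOSTS}
    for v in prioritize(VULNS, HOSTS):
        print(f"{v.cve} on {v.host}: severity {v.severity}, risk {risk(v, by_name[v.host]):.3f}")
    print("critical on PCI CDE:", [v.cve for v in pci_critical(VULNS, HOSTS)])
    print("best patch:", best_patch(VULNS))
```

With this data the severity-5.0 Heartbleed finding on the reachable DMZ host outranks the severity-9.3 finding on an unreachable, IPS-shielded kiosk, which is the deck's point about severity versus risk.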