The document discusses challenges with traditional vulnerability management programs and provides recommendations for improvement. It summarizes findings from a survey of vulnerability management professionals that found dissatisfaction with current scanning, analysis, and remediation capabilities. The document recommends that organizations focus on maturity of their vulnerability management process, strive for continuous assessment, use network and security context to prioritize risks, and speed up remediation times.
What's Wrong with Vulnerability Management & How Can We Fix It
What’s Wrong with Vulnerability Management, and How Do We Fix It?
Michelle Johnson Cobb
VP Marketing, Skybox Security
July 23, 2015
info@skyboxsecurity.com
www.skyboxsecurity.com
In the next 20 minutes, I’ll cover
Skybox
Survey data on VM trends
Our analysis and some takeaways for your job
Then Cliff Chase, Sales Engineer, will take you through a demo of our Vuln Control product
Skybox Security is a company that believes the answer to challenging security problems can be extracted from your network and security data
We do the same thing that security expert on your team does – analyze a lot of complex information to figure out what to do
But we integrate data from 80+ systems, we apply advanced analytics, and we automate it to analyze your entire infrastructure for risks
We apply that analytics-based approach to solve some of the most challenging problems for large enterprises
Go over points on the slide
Focus on the attack surface
Continuous visibility of attack surface is critical
Combine network and endpoint data
Use analytics to examine attack vectors
Integrate into the security process
Drive automation at every step
Stay ahead of the attacks
Supporting our solutions is our vuln team
Largest enterprise-focused database for vulns
Scope and scale
Cover points on slide
CVE compliant, CVSS v2 standard
Updated daily
And of course, we are pleased that the most security-conscious customers all over the world choose Skybox to give them the comprehensive view and information they need to keep environments secure
Let’s turn to the vulnerabilities question.
Orgs have a lot of vulns
Numbers each year,
Applied to the systems on the right
Total numbers in their network
Unmanageable, right?
SANS Critical Control 4 and other security best practices and compliance requirements say you’ve gotta have a process in place to deal with these
But does your VM program work like a well-oiled machine?
Or constant whack-a-mole, dealing with a stream of new vulns and new scan info without ever seeming to get ahead
We decided to ask
Points on the slide
Who answered the survey?
Cover the points
Nearly 1000, which was great, because for nearly all questions we had statistically relevant samples regardless of how we filtered the data
Heavily large enterprises, but enough of a mix
Fin Svc leads the way, but good representation from all verticals
Asked about their goals
Not surprisingly, identifying risk level and prioritizing are at the top of the list
Means everyone is following best practice recommendations
Quite a bit of support for using VM with threat intel and IR processes
Compliance – may still be a concern, but not a driving force
Policy… we see in our customer base significant differences in how companies approach VM
More mature – well defined, documented, responsibilities clear, audited regularly
Less mature – more ad hoc, occasional scanning
It differs by company size, but the distinction was pretty high: most companies under 5000 fell into the same general breakdown, about half with formal policies, the rest with informal ones, and a minority with no policy defined.
We’ll come back to some insights about the impact of policy maturity after we look at a couple additional questions
Use of scanners
Very interesting
Let’s talk about the right side first
Just over 1/3 use one scanner, but that leaves nearly 2/3 using several
What do they use – on the left side
In use column – you can see who leads
But we also asked what they use as primary – very interesting
Why? We took to interviews to get more detail
Coverage – types of hosts, types of vulns
Legacy scanners in place over time, or inherited via merger/acquisition
Sense that multiple scanners help reduce false positives
Narrative:
One clear takeaway is that everyone wants to increase their scan frequency, regardless of how much they scan today. Organizations that scan on quarterly intervals want to move to monthly, organizations that scan for vulnerabilities monthly want to step up to weekly intervals.
The split by size of company was telling, with SMB and mid-size companies tending to scan on a quarterly basis and large enterprises monthly. Few are on a weekly or better schedule as recommended by SANS.
This puts the pressure on vulnerability solution providers to ensure that solutions can scale to accommodate the demand for faster cycles of data collection, analysis, and remediation.
As for why, we didn’t ask in this survey because we had asked in a previous one
So these answers go back a couple of years, but all indications from interviews are that they are still relevant
Points on slide
Interesting note – the more responsibility someone has for the process, the less likely they are to be satisfied
So don’t get complacent – even if you are thinking the process works well, your boss may think otherwise. Btw – I didn’t cover it here, but 875 of CISOs surveyed said they had direct responsibility for VM, the highest VM responsibility of any job title. So they care, they are committed, and about
And don’t pay too much attention to the opinions of those outside the security function, because their impression is that the VM process is OK. But they aren’t involved in it directly every day.
Left side charts – satisfaction with the second half of the process is a bit lower. Matches our observations in speaking with customers. It’s relatively easy to amass a pile of vulnerability info, harder to figure out how to prioritize it and act on the information.
Narrative for right side points - Additional tools are necessary to make sense of scanner data
We also asked about other tools that security professionals use to analyze vulnerability data. It’s common practice to use data analysis tools to correlate multiple sources of data, allow querying of results, or feed vulnerability data into other systems like SIEM or GRC solutions. Splunk was the most frequently noted data analysis tool, followed by Excel and then a host of other analysis solutions including Skybox, Arcsight, homegrown solutions, and good old ‘brainpower’.
Now back to that combo I told you about. When you have all this data in Excel, you get to do pivot chart magic.
So we looked at the combination of policy with levels of satisfaction.
And we can see that the time spent to formalize everything pays off. So if you need to explain to your boss why your team needs to spend months to plan, document, establish metrics, and set up internal and external auditing plan, here is your answer. Formal policies are directly related to your future happiness. Or satisfaction level – same difference.
Policy means processes to follow, fewer surprises, less fire-fighting, fewer headaches.
What was interesting, though, is that regardless of policy level, once again CISOs stood out. They are less satisfied than other security or IT staff at every level of policy.
So once again, just because you think things are going well does not mean that your CISO wouldn’t like to see changes. Most likely they are interested in improvements
Regardless of their level of satisfaction with the current vulnerability management program, all respondents were asked about their interest in potential improvements. A list of 16 potential improvements to vulnerability assessment (scanning), analysis and prioritization, and remediation activities was provided, and respondents ranked their interest level from ‘No interest’ to ‘High interest’.
The top 10 improvements as ranked by number of ‘High Interest’ responses are:
(see chart)
It is not surprising that the three highest ranking potential improvements:
#1 Update vulnerability data quickly following a new vulnerability or threat announcement
#2 Include network and security context to prioritize risk more accurately
#3 Reduce false positives
all have to do with having accurate information with which to respond quickly to new threats. New vulnerabilities and threat alerts occur daily, but it can take weeks for an organization to run through a vulnerability scan/prioritize/remediate cycle to fix known vulnerability risks. For example, when the Heartbleed vulnerability was disclosed (link to vulnerability center entry for this vuln), many organizations experienced weeks of delay in being able to generate an accurate list of vulnerable systems.
Moreover, each vulnerability assessment cycle can generate tens or hundreds of thousands of vulnerabilities in a large network, which can take extended periods to review and develop remediation plans. <Gartner or other report> recommends using context about network topology or existing security controls to help IT security teams prioritize those vulnerabilities that can impact critical assets over those where an existing security control offers protection. These two potential improvements would allow organizations to access and analyze vulnerability data faster, which could shorten response times to new vulnerability announcements, and lower risk of attack.
Reducing false positives (#3) is a related concern, indicating that respondents may feel that they are spending valuable time on false positives instead of risks which can truly impact their network.
Improvement #4, Get vulnerability data for network devices like firewalls, indicates an interest in extending vulnerability data to systems that are not covered by traditional active scanners today.
The next six improvements are largely about operational improvements to vulnerability management processes – tracking closure of vulnerabilities, automating process steps, removing task roadblocks like system authentication requirements and potential service disruptions.
How do you achieve these improvements? Let’s discuss recommendations
Prevent more, detect faster, resolve sooner
Policy counts to achieve this goal
Points on the slide
Coverage and continuous assessment counts
From our 2012 survey – most companies are at the first two orange dots, but you need to be here
Scanners alone probably not going to get you there – you need to look at the process holistically. Discovery, analysis, remediation, automation…
Context is critical, allows you to know what systems to focus on, figure out which vulnerabilities are important, and get accurate recommendations for what to do about it
How do you do that if you don’t understand the infrastructure
When you think of context, think of all these things. Any missing elements are blind spots, and blind spots mean unrecognized vulnerabilities and unknown attack paths
Speed counts.
Chart from Verizon data breach investigation report
Fast ramp: after CVEs are announced, it takes attackers about 2 weeks to compromise 25%; by week 4 they’ve compromised about half of them.
So if you are scanning monthly, you can assume an exploit exists for 50% of your vulnerabilities.
You need to reduce that scanning and analysis time.
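As an added illustration (not from the talk and not Skybox’s product logic), here is the prioritization idea behind improvement #2 and the “context is critical” slide, together with the DBIR exploit-timing point, in Python. The Finding fields, the discount factors and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """A scanner finding plus the network and security context the talk says should drive priority."""
    vuln_id: str            # constructed placeholder id, not a real CVE
    asset: str
    cvss_v2: float          # scanner's CVSS v2 base score (the standard the talk cites)
    criticality: int        # business value of the asset, 1 (lab box) .. 5 (crown jewel)
    reachable: bool         # network context: an access path exists from an untrusted zone
    control_protects: bool  # security context: an IPS signature or firewall rule already blocks the exploit


# Assumed discount factors; the talk gives no weights, these are illustrative.
UNREACHABLE_FACTOR = 0.5
PROTECTED_FACTOR = 0.2


def contextual_score(f: Finding) -> float:
    """Severity scaled by asset value, then discounted when no attack path or a compensating control exists."""
    score = f.cvss_v2 * f.criticality
    if not f.reachable:
        score *= UNREACHABLE_FACTOR
    if f.control_protects:
        score *= PROTECTED_FACTOR
    return score


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Remediation order using context; scanner_order() is the CVSS-only order for comparison."""
    return sorted(findings, key=contextual_score, reverse=True)


def scanner_order(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=lambda f: f.cvss_v2, reverse=True)


def expected_exploited_share(days_since_disclosure: int) -> float:
    """Share of new CVEs already exploited after N days, interpolated linearly through the two DBIR
    points the talk quotes (25% at 2 weeks, 50% at 4 weeks); assumed to stay at 50% beyond week 4."""
    return min(days_since_disclosure / 28 * 0.5, 0.5)


# Constructed sample findings (not survey data).
SAMPLE = [
    Finding("vuln-1", "db-core", 10.0, 5, reachable=False, control_protects=True),
    Finding("vuln-2", "web-edge", 7.5, 4, reachable=True, control_protects=False),
    Finding("vuln-3", "lab-box", 4.3, 1, reachable=True, control_protects=False),
    Finding("vuln-4", "hr-app", 9.0, 3, reachable=False, control_protects=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id:8} {f.asset:10} cvss={f.cvss_v2:4} context_score={contextual_score(f):5.1f}")
    print(f"monthly scan cycle: assume ~{expected_exploited_share(30):.0%} of new CVEs already exploited")
```

The CVSS 10.0 finding on an unreachable, IPS-covered database drops below a CVSS 7.5 finding on an exposed web server, which is the reordering the talk argues scanner data alone cannot give you.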
Now let’s switch to Cliff Chase to talk about the Skybox solution and how working with Skybox can help address your VM needs.