Patch Management - Security B-Sides

offbeatnothing, Software & software development

2 Dec 2013

VULNERABILITY MANAGEMENT

Moving Away from the Compliance Checkbox Towards Continuous Discovery

WHO AM I?

Derek Thomas

Security Consultant

VM, SSO/AM, SIEM

Active in local INFOSEC groups: Misec, OWASP, ISSA


AGENDA

1. Common Problems

2. What are Vulnerabilities

3. Objectives of Vulnerability Management Program

4. Approach

5. Questions

PROBLEMS

Common Themes

Limited Scope

External Network Centric

Unauthenticated Scans

Infrequent Assessments

Compliance Driven

THREATS ARE EVERYWHERE

Insider

Environmental

Target

Mobile Devices

Malware

Hacktivist

Improper Configs

MINIMUM STANDARDS

Regulations are setting the standard

Example: NERC CIP

Requires R8. Cyber Vulnerability Assessment: “A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled”

A simple network command like “Netstat” would satisfy this generic requirement

http://www.nerc.com/files/CIP-007-1.pdf


MINIMUM STANDARDS = LIMITED INSIGHT

When your goal is meeting a minimum standard you run the risk of missing valuable insight into the security posture of many aspects of your organization

LIMITED INSIGHT WILL NOT EXPOSE VULNERABILITIES

Patch Management

Outdated software exists on newer assets and on assets not on the domain.

Change Management

Ineffective Change Management allows rogue servers to appear on the network

Security Monitoring

Detection is slow, tedious, or non-existent because there is an overabundance of false positives

Incident Response

Data breach has led to costly damages

PATH TO THE DARKSIDE

From Lightside to Darkside: Minimum Requirements → Minimal Insight → Vulnerabilities → Exploits → Suffering

AVOID THE DARK SIDE WITH A VM PROGRAM

Follow a defined lifecycle

Proactively identify vulnerabilities: Technical, Process

Evaluate effectiveness with testing

NON-TECHNICAL VULNERABILITIES

What’s the first thing that comes to your mind when you think of a vulnerability?

Outdated software and insecure configurations are often the answer

Non-technical vulnerabilities exist in security processes as well

Understanding how each can be addressed is the key to a successful program


THE “WHAT”

Availability

THE “HOW”

Security controls can fall into 3 categories: Prevention, Detection, Correction

THE “WHY” (AVOID THE DARKSIDE)

Incident Reduction

Risk Reduction

Minimize threat vectors

Risk Reporting

Tracking

VM PROGRAM APPROACH

Define a Plan

Assign Responsibilities

Define Scope

Define Critical Controls

Utilize a Sustainable Lifecycle

Strive for Predictable and Repeatable Results


DEFINE A PLAN - RESPONSIBILITIES

Assign roles and responsibilities

Who is responsible for what

Most roles are already suited for a particular person

Example Vulnerability Management org chart:

VM Project Lead: Jane Doe (Manages VM team, Coordinates remediation)

Patch Management Lead: Jenny Smith (Patch Engineer)

Red Team: John Doe (Penetration Testing)

DEFINE A PLAN - SCOPE

What is going to be managed?

Start with discovery scans

Incorporate as many assets as possible

Security controls should be added as well

In Scope: Critical Servers, Firewall X

Out of Scope: Medical Devices, Application Y

DEFINE A PLAN - CRITICAL CONTROLS

Vulnerabilities exist in controls

What controls should be added?

SANS Top 20 Critical Controls


SUSTAINABLE LIFECYCLE

Find → Fix → Test (repeat)

1. Find: Proactively search for weaknesses within the scope

2. Fix: Remediate known vulnerabilities

3. Test: Verify vulnerabilities have been remediated

SUSTAINABLE LIFECYCLE - FIND

How are vulnerabilities found?

2 basic approaches: Automated, (Semi)Manual

Many tasks can be automated

Manual assessments still need to be performed

SUSTAINABLE LIFECYCLE - FIND AUTOMATED

Automated tool performs the heavy lifting

The most famous is the vulnerability scanner

7 out of 20 SANS Critical Controls can be automated in some way with a vulnerability tool

Another 8 can be automated using additional tools

Automate as much as possible to save time for the fun

SUSTAINABLE LIFECYCLE - FIND MANUAL

Remaining security controls can be manually tested

Controls can be tested through various Red Team exercises

The Red Team simulates attacks from a malicious party, testing: Incident Detection, Incident Response, People

SUSTAINABLE LIFECYCLE - FIX

How are vulnerabilities going to be fixed?

Present data in actionable form

A 6000-page PDF is not very actionable

Generate patch reports for the patch management team

Reports filtered for server IPs can be sent to the server team

SUSTAINABLE LIFECYCLE - FIX

Easier said than done

Use built-in tools if possible

Need buy-in from application, system, and network teams

Without buy-in, remediation becomes difficult

SUSTAINABLE LIFECYCLE - TEST

Verification of remediation efforts

Verify that patches have been applied

Ideally right after application

Can also be performed at the next scan interval


PREDICTABLE AND REPEATABLE RESULTS

Once the program has reached a mature level the results shouldn’t be surprising

The processes will mature to the point that you can accurately predict the outcomes

Patches will be applied on time

Malware will be detected and cleaned

Assets will be introduced with secure configurations

PREDICTABLE AND REPEATABLE RESULTS - METRICS

Vulnerability Management needs to be assessed

Metrics can gauge your improvement

NIST SP 800-40 provides excellent metrics

PREDICTABLE AND REPEATABLE RESULTS - METRICS

Host Susceptibility to Attack: Number of patches, vulnerabilities, or network services per computer

Vulnerability Mitigation Response Time: Response time for vulnerability identification, patch application, or configuration change

VM Program Cost: Cost of Vulnerability Management group, support, or tools
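An added worked example, not part of the deck, that computes the first two NIST SP 800-40 metrics named above over constructed scan findings and splits the open findings into per-team reports as the FIX slides suggest. The findings, dates and team-to-subnet ownership map are constructed sample values.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample findings: (host IP, finding, date identified, date remediated).
# A remediation date of None means the finding is still open.
FINDINGS = [
    ("10.0.1.10", "missing OS patch", date(2013, 10, 9), date(2013, 10, 20)),
    ("10.0.1.10", "outdated OpenSSL", date(2013, 10, 9), None),
    ("10.0.1.11", "missing OS patch", date(2013, 10, 9), date(2013, 10, 12)),
    ("10.0.2.50", "default SNMP community", date(2013, 11, 1), date(2013, 11, 5)),
    ("10.0.2.51", "telnet service enabled", date(2013, 11, 1), None),
    ("192.168.5.5", "unsupported OS", date(2013, 11, 2), None),
]

# Hypothetical ownership map: which team is responsible for which subnet.
TEAM_SUBNETS = {
    "server team": ip_network("10.0.1.0/24"),
    "network team": ip_network("10.0.2.0/24"),
}

def host_susceptibility(findings):
    """NIST SP 800-40 'host susceptibility': open vulnerabilities per computer."""
    counts = defaultdict(int)
    for host, _, _, remediated in findings:
        if remediated is None:
            counts[host] += 1
    return dict(counts)

def mitigation_response_days(findings):
    """Mean days from identification to remediation, over remediated findings."""
    days = [(fixed - found).days for _, _, found, fixed in findings if fixed is not None]
    return sum(days) / len(days) if days else None

def reports_by_team(findings, subnets):
    """Open findings grouped by owning team, so each team only sees its own hosts."""
    reports = defaultdict(list)
    for host, finding, found, remediated in findings:
        if remediated is not None:
            continue
        # A host in no known subnet lands in 'unassigned': that is itself a scope gap.
        owner = next((t for t, net in subnets.items() if ip_address(host) in net), "unassigned")
        reports[owner].append((host, finding, found.isoformat()))
    return dict(reports)

if __name__ == "__main__":
    print("open vulnerabilities per host:", host_susceptibility(FINDINGS))
    print("mean mitigation response (days):", mitigation_response_days(FINDINGS))
    for team, items in reports_by_team(FINDINGS, TEAM_SUBNETS).items():
        print(f"{team}: {items}")
```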

VULNERABILITY METRICS (NIST SP 800-40)

[Chart from the slides: vulnerability metrics, 3 minimum, 8 maximum]

CONCLUSION

Approach VM as a continuous lifecycle

Move beyond minimum standards to enhance visibility and insight into the current state of security

Clear objectives and a proper approach are fundamental to VM