57% of companies that have experienced a data breach claimed it was due to an unpatched vulnerability. Vulnerability Management decreases an organization's risk profile significantly.
2. 1. What we see
2. What motivates an attacker and strategies they use
3. Challenges of maintaining relevant IT Security Operations
4. Benefits with Vulnerability Management
5. Success criteria for successful Vulnerability Management
6. Summary and recommendations
AGENDA
3.
Founded in 2001, Karlskrona, Sweden
>150 employees
2000+ customers in 80+ countries
In 20+ different industries
Gartner Recommended Vendor
AAA Rated by Dun & Bradstreet
ABOUT OUTPOST24
5.
MANAGEMENT RISK FOCUS
Leaders and executives are considering the following risks:
• Market risks
• Financial risks
• Laws and regulations
• Operational risks
• IT and information risks
7.
More users
More IP-connected things
More data
More network traffic
More attacks
More attack vectors
More regulations and standards
DOMINO EFFECT PUSHING SECURITY NEEDS
More web and mobile services
Digital transformation
8.
FACTS
Data breaches have increased in frequency and size
Cyber-attacks are more sophisticated than ever
Number of security breaches is now measured in millions rather than thousands
• An attacker resides within a network for an average of 146 days before detection (Microsoft)
• 50 days average time to resolve a malicious insider’s attack (Accenture 2017)
• 23 days average time to resolve a ransomware attack (Accenture 2017)
• Ransomware attacks increased by 36 percent in 2017 (Symantec)
11. HOW AN ATTACKER THINKS?
In the past
• Hacktivism
• Show-off
• Personal economic gain
• Revenge
Now
• Economic gain for criminal networks
• Intelligence information gathering
• Espionage
• Collaborated attacks
12. WHAT MOTIVATES AN ATTACKER?
A. Type of attackers
1. Script Kiddie
2. Hacktivist
3. Cyber Criminals
4. Insiders
Professional hackers have a plan
• Clear goals with ROI
• Motivation
• Resources
• Time
• Know-how
• Many attack vectors
B. Motivation
1. Economical
2. Ideological
3. Political
C. Type of attacks
1. Shotgun
2. Targeted
13. ▪ Distributed Denial of Service
‒ Extortion via a threat of DDoS attacks
‒ Distraction from other malicious actions
▪ Recruit an insider
‒ Who has access or can plant code
▪ Phishing/Spearphishing/Social Engineering
‒ Goal is to execute code in the target environment
▪ Exploitation of vulnerabilities in software and configurations
‒ Goal is to execute code in the target environment
EXAMPLE OF TYPES OF ATTACKS WHEN MOTIVATED BY FINANCIAL MOTIVES
14. • Chinese hacker group with links to Chinese government
• Purpose to steal intellectual property from Nordic enterprises (and in other countries)
• Has been running since at least 2016 which has been confirmed by MSB and FRA
• Hundreds of terabytes of data stolen
• Used a combination of spearphishing and exploit of vulnerabilities
• Following vulnerabilities are known to be used* (plus a number of exploits):
• CVE-2012-0158
• CVE-2010-3333
APT10 & CLOUD HOPPER
* Source: PWC & Kryptera.se
15. • Intellectual property theft
• Ransom critical business data
• Disclosure of sensitive customer data
• Destroyed reputation
• Revenue loss
• Decreased value of the company
EFFECTS OF DATA BREACH
16. Eradicate the vulnerabilities that are the easiest to exploit and that can provide access to your environment
ELIMINATE THE ROI OF THE ATTACKER!
“99% of the current vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year”
Gartner (2017)
18.
RISK AND BUSINESS DRIVEN SECURITY
Source: “Today’s State of Vulnerability Response: Patch Work Demands Attention”, ServiceNow and Ponemon Institute, April 2018
19.
1. Not doing anything at all – It will not happen to me
2. Buying the technology but not using it
3. Buying the technology but not using the output
4. Buying the technology but not actively fixing issues
CHALLENGES
20. 1. Select tools that have a quality assurance process – otherwise you work with compliance, not IT security
2. Select tools that fit the processes, not requiring change or addition
3. Clear ownership and defined stakeholders
4. Automate and work systematically with SLA
5. Visualize status and results
SUCCESS CRITERIA
21.
RISK AND BUSINESS DRIVEN SECURITY
Show management that an investment in IT security continuously eliminates risk!
22.
REPORTING TOOL IS KEY TO SUCCESS
o Reuse your existing organisation
o Reuse your existing processes/workflows
o Work with continuous security testing
o Focus security reporting on risk reduction and mitigating vulnerabilities
Risk reduction and KPI
Effective and efficient mitigation
Web application
External network
Internal network
Management CISO/CSO
IT Team 1, 2…
Security team 1, 2…
DevOps 1, 2…
Security Forum
One centralized security portal
23.
SUMMARY & RECOMMENDATION
• IT attacks and data breaches are happening today on a daily basis
• Why work actively with Vulnerability Management?
– It is one of several areas
– It is the area that is most frequently used as the most vital building block for an attack
– It is the area which is easy to control and mitigate and will significantly lower the risk profile
• Use tools that are solution-centric and have quality assurance built-in
• Adapt to existing organization and processes
• Use the output to create success
– Create leadership focus and ownership
– Prioritize what to do in your VM work: eliminate your critical vulnerabilities first
– Follow up the result of the mitigation actions – show you are continuously eliminating risk