Vulnerability management – 3i’s journey
Tom King
tom.king@3i.com
A presentation to: Qualys Security Conference
November 2009
www.3i.com
Contents
Vulnerability management
About 3i
Our journey – the eras of vulnerability management
Challenges & gotchas
Benefits
Conclusions
About 3i
3i plc – the company
• A world leader in private equity
• Focus on buyouts, growth capital, infrastructure
• €8.5 billion assets under management, with offices in 12 countries
3i plc – IT
• Serving all internal users (circa 750 users)
• Very high expectations of “IT service”
• Largely a Microsoft house, try to avoid bleeding edge technologies
3i plc – Information security
• Small security team (two), operational security with other teams
• Good synergy with other internal teams, e.g. Compliance, Risk
• Use ISO 27001/2 as backbone of InfoSec program
The eras of vulnerability management
First era – ad-hoc and reactive
• Little clarity on threats, vulnerabilities, risks
• Reactive approach
• Annual penetration test against external IPs?
• Widespread media attention around a malware threat, e.g. Nimda
• Main focus on network perimeter – keep the bad guys/ bad stuff out
• Number of threats and vulnerabilities was snowballing exponentially..
Second era – Microsoft patching
• “Monster” worms were continuing to hit companies – not 3i!
• Blaster – global cost (lost productivity) – $1.3 billion
• SQL Slammer – infected most vulnerable hosts on the Internet in minutes, not hours
• Anti-virus helped but was not a panacea – often did not prevent an infection
• Important defensive measure was to ensure timely application of Microsoft patches
• Simple edict from CIO – apply all relevant Microsoft patches..
• Geared up processes and technology to deal with “Patch Tuesday”
• Started to track and report missing patches
Third era – external vulnerability scanning
• Some pressure from auditors to deploy intrusion detection
• Personal view – great as a burglar alarm, but has challenges..
• Proposed a different direction – improved vulnerability management
• “Let’s find our weak spots, and fix them”. How simple!
• Purchased a well-known SaaS vulnerability scanning solution
• Only scanned Internet-accessible machines – web servers, mail servers, remote access etc.
• Simple KPI and incident process agreed with IT management
• Monitoring, trending, reporting
Fourth era – internal vulnerability scanning
• Extended SaaS solution to scan machines on the internal network
• Great to see what the real picture is, but..
• Huge number of vulnerabilities found
• Herculean task to make any improvement
• Gartner advocates dealing with “high severity” vulnerabilities first, still difficult!
• Ad-hoc pressure from security team to fix certain vulnerabilities
• E.g. on critical machines, on machines with sensitive data
• Monitoring, trending, reporting
Fifth era – risk view of vulnerabilities
• Using a simple risk framework
• Risk = threat * vulnerability * asset value
• Makes much more sense of vulnerability data, e.g.
• Does it matter if a machine has vulnerabilities if its asset value is low?
• If a machine is in a hostile environment and is valuable, any significant vulnerability is a big issue..
• Tracking over time, monthly reporting to IT management team
• Gives a more meaningful view of the issue – allows better prioritisation of remediation resource.
Vulnerability reporting – through the eras
• Ad-hoc/ reactive – little reporting, maybe detailed technical pen-tests
• Microsoft patching – some more detailed data, difficult to see what is important (and why)
• External vulnerability scanning – useful focus on Internet-facing vulnerabilities. Simple KPI & incident response process worked well
• Internal vulnerability scanning – whoah! Information overload..
• E.g. scanning 300 machines, each machine has a vulnerability report of ~150 A4 pages!
• Focus initially on critical vulnerabilities per “service”
• Risk view of vulnerabilities – simple RAG table..
[Chart: Microsoft Patching Index, Feb to Jul, one line per group: Financial Systems; Investment Systems; EU Desktop - Citrix, data etc; Messaging; EU Workstations; EU Laptops; AP Servers; USA Servers; AP Clients; All machines]
[Chart: Potential and confirmed vulnerabilities on Internet-facing machines, Dec to Jul, number of vulnerabilities by series: confirmed severity 5, confirmed severity 4, potential severity 5, potential severity 4]
[Chart: Critical vulnerabilities index per service, Jun to Feb, one line per service: Group systems, Investment systems, EU Servers, Messaging, Network, EU Workstations, EU Laptops]
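The fifth-era risk formula, the per-service critical index and the simple RAG table from the reporting slide, carried through in code as an added example (not 3i's or Qualys' code). The 1-3 threat and asset-value scales, the RAG thresholds and the definition of the critical index are assumptions made for the illustration; the estate and scan output are constructed.

```python
"""Risk view of scan findings: risk = threat * vulnerability * asset value,
then a RAG rating per finding and per service, plus a critical index per
service.  Added illustration; scales, thresholds and index are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    service: str   # business service the host belongs to, e.g. "Messaging"
    exposure: str  # "internet", "dmz" or "internal": drives the threat factor
    value: int     # asset value 1 (low) .. 3 (high), assumed scale


@dataclass(frozen=True)
class Finding:
    host: str
    severity: int    # scanner severity 1..5 (5 = most severe)
    confirmed: bool  # confirmed vs potential finding


# Assumed threat factor: how hostile the environment the host sits in is.
THREAT = {"internet": 3, "dmz": 2, "internal": 1}


def risk_score(finding, asset):
    """risk = threat * vulnerability * asset value; 1..45 on these scales."""
    return THREAT[asset.exposure] * finding.severity * asset.value


def rag(score):
    """Map a risk score to Red/Amber/Green (thresholds are assumptions)."""
    if score >= 27:
        return "RED"
    if score >= 9:
        return "AMBER"
    return "GREEN"


def prioritise(findings, assets):
    """Findings ordered for remediation: highest risk first, then by host."""
    rows = [(risk_score(f, assets[f.host]), f.host, f.severity) for f in findings]
    rows.sort(key=lambda r: (-r[0], r[1]))
    return [(score, rag(score), host, sev) for score, host, sev in rows]


def critical_index(findings, assets):
    """Confirmed severity-4/5 findings per host, grouped by service
    (an assumed definition of the 'critical vulnerabilities index')."""
    hosts = defaultdict(int)
    critical = defaultdict(int)
    for a in assets.values():
        hosts[a.service] += 1
    for f in findings:
        if f.confirmed and f.severity >= 4:
            critical[assets[f.host].service] += 1
    return {svc: round(critical[svc] / n, 2) for svc, n in hosts.items()}


def rag_table(findings, assets):
    """Worst RAG rating per service: the one-page table for IT management."""
    order = {"GREEN": 0, "AMBER": 1, "RED": 2}
    worst = {a.service: "GREEN" for a in assets.values()}
    for f in findings:
        a = assets[f.host]
        colour = rag(risk_score(f, a))
        if order[colour] > order[worst[a.service]]:
            worst[a.service] = colour
    return worst


# Constructed sample estate and scan output.
ASSETS = {a.host: a for a in [
    Asset("mail01", "Messaging", "internet", 3),
    Asset("fin-db01", "Financial Systems", "internal", 3),
    Asset("ws-042", "EU Workstations", "internal", 1),
    Asset("ws-043", "EU Workstations", "internal", 1),
]}
FINDINGS = [
    Finding("ws-042", 5, True),    # severe, but on a low-value internal box
    Finding("mail01", 5, True),    # severe on a valuable Internet-facing host
    Finding("fin-db01", 4, True),
    Finding("ws-043", 2, False),
]

if __name__ == "__main__":
    print(prioritise(FINDINGS, ASSETS), critical_index(FINDINGS, ASSETS))
```

The same severity-5 finding lands on RED for the Internet-facing mail server and on GREEN for the low-value workstation, which is the point of the slide's "does it matter if its asset value is low?" question.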
Vulnerability management – monthly KPIs
Security KPIs – reported monthly
• Monthly security management pack produced
• 13 KPIs (cost, resourcing, malware, security incidents, policy compliance, Microsoft patches, vulnerability scanning etc.)
Benefits – vulnerability management
• Finally getting a holistic view of vulnerabilities
• Across entire estate – internal & external machines
• Not just focussed on Microsoft vulnerabilities
• Risk focussed – threat, vulnerability, asset value all considered
• KPIs and reporting shaping into something useful
• Can determine what issues to address, in what order
• Secondary benefits emerging – e.g. machine comparison
• Journey has not ended
• Not enough visibility on (web) application level vulnerabilities
• Need to address medium risk areas – aim for all green
Challenges and gotchas – vulnerability management
Challenge / What we’ve done:
• Sheer number of vulnerabilities – risk view to help prioritise
• False positives – very infrequent, but YMMV
• Disruption of live services – generally not an issue, with smart timing and low intensity scans
• Timely remediation – risk view helps; defined and agreed response process helps
• Vulnerability landscape changes frequently – frequent scans
Questions/ Answers/ Discussion