While vulnerability assessments are essential, considering vulnerability data in a vacuum greatly limits your ability to prioritize your action plan effectively. Without the context of which vulnerabilities are the most severe, which are actively being targeted, which are on critical assets, etc., you may waste time checking things off the list without actually improving security.
Join AlienVault for this session to learn:
- Strategies for addressing common vulnerability management challenges
- The pros and cons of different vulnerability scanning techniques
- How to integrate threat intelligence into your vulnerability management strategy
4. WHY DO WE DO VULNERABILITY MANAGEMENT?
BECAUSE THAT’S WHAT ATTACKERS EXPLOIT.
5. SO WHY ISN’T VULNERABILITY MANAGEMENT DONE IN THE CONTEXT OF ACTUAL THREATS?
• Historical: limitations of initial products to market
• Became part of a “silo’ed” process
• Many have taken the “checklist” mindset in approaching this problem.
7. COMMON CHALLENGES
With vulnerability management programs
Prioritizing remediation tasks
• Which vulnerability matters most?
• What’s the larger risk context? Active threats?
Removing false positives
• What can I do to reduce this “noise”?
Optimizing workflows
• How do I minimize disruption but maximize accuracy?
• How do I go from a static report to active remediation? (e.g. who owns this vulnerable asset anyway?)
8. IS THIS WHAT YOUR VULNERABILITY REPORT LOOKS LIKE?
What are you supposed to do with this?
9. PRIORITIZING VULNERABILITIES
Avoiding the “vulnerability visibility vacuum”
• View vulnerabilities inside the context of actual threats – both global and local
• At a glance, be able to understand:
  • What other software is installed on these systems?
  • What type of traffic do these vulnerable hosts generate?
  • Who owns these systems?
  • Have these systems been targeted by known attackers?
  • Are there recent alarms in my SIEM that have been triggered involving vulnerable systems?
10. VIEWING VULNERABILITIES IN THE CONTEXT OF THREATS
Step 1: Immediately identify known malicious IPs targeting these vulns.
Step 2: Review vulnerabilities on assets that are being targeted in active threats.
Step 3: Follow step-by-step guidance in responding to the threat.
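The prioritization the last two slides describe (global intel plus local SIEM context plus asset ownership, rather than a flat CVSS list) can be expressed as a small scoring pass over scan output. The script below is an added example for this page, not AlienVault code: the findings, asset inventory, reputation list, SIEM alarms and the weights are all constructed for illustration, vulnerability ids are `VULN-nnnn` placeholders rather than real CVEs, and the IP addresses come from RFC 5737 documentation ranges.

```python
# Added example, not part of the AlienVault deck: rank scan findings by threat
# context (global intel, local SIEM alarms, asset ownership/criticality) instead
# of by CVSS alone. Every input below is constructed; vulnerability ids are
# placeholders and addresses come from RFC 5737 documentation ranges.

# Constructed scan output: one row per (host, vulnerability).
FINDINGS = [
    {"host": "10.0.0.5",  "vuln": "VULN-0001", "cvss": 9.8},
    {"host": "10.0.0.9",  "vuln": "VULN-0002", "cvss": 7.5},
    {"host": "10.0.0.12", "vuln": "VULN-0003", "cvss": 5.3},
    {"host": "10.0.0.20", "vuln": "VULN-0001", "cvss": 9.8},
]

# Constructed asset inventory: who owns the box and whether it is business-critical.
ASSETS = {
    "10.0.0.5":  {"owner": "dev-team", "critical": False},
    "10.0.0.9":  {"owner": "payments", "critical": True},
    "10.0.0.12": {"owner": "payments", "critical": True},
    "10.0.0.20": {"owner": "lab",      "critical": False},
}

# Constructed global threat intelligence.
ACTIVELY_EXPLOITED = {"VULN-0002"}                 # reported exploited in the wild
KNOWN_BAD_IPS = {"198.51.100.7", "203.0.113.40"}   # reputation list

# Constructed local context: recent SIEM/IDS alarms; "dst" is one of our hosts.
SIEM_ALARMS = [
    {"dst": "10.0.0.9",  "src": "198.51.100.7", "sig": "exploit attempt VULN-0002"},
    {"dst": "10.0.0.12", "src": "192.0.2.33",   "sig": "port sweep"},
]

# Weights are an assumption for this example; tune them to your environment.
W_EXPLOITED, W_KNOWN_BAD, W_ALARM, W_CRITICAL = 5, 5, 2, 3


def local_context(host, alarms=SIEM_ALARMS):
    """Summarise what the SIEM has recently seen against this host."""
    hits = [a for a in alarms if a["dst"] == host]
    return {
        "recent_alarms": len(hits),
        "targeted_by_known_bad": any(a["src"] in KNOWN_BAD_IPS for a in hits),
    }


def score(finding, asset, ctx):
    """CVSS is the baseline; each piece of context adds to it and is recorded
    as a reason, so the analyst can see why a row ranks where it does."""
    s, reasons = finding["cvss"], []
    if finding["vuln"] in ACTIVELY_EXPLOITED:
        s += W_EXPLOITED
        reasons.append("exploited in the wild")
    if ctx["targeted_by_known_bad"]:
        s += W_KNOWN_BAD
        reasons.append("known-bad IP already probing host")
    if ctx["recent_alarms"]:
        s += W_ALARM
        reasons.append(f"{ctx['recent_alarms']} recent SIEM alarm(s)")
    if asset["critical"]:
        s += W_CRITICAL
        reasons.append("critical asset")
    return s, reasons


def prioritize(findings=FINDINGS):
    """Return findings most-urgent-first, each enriched with owner, score and
    reasons; the owner field is what a remediation ticket gets routed on."""
    rows = []
    for f in findings:
        asset = ASSETS.get(f["host"], {"owner": "unknown", "critical": False})
        ctx = local_context(f["host"])
        s, why = score(f, asset, ctx)
        rows.append({**f, "owner": asset["owner"], "score": s, "reasons": why})
    return sorted(rows, key=lambda r: (-r["score"], -r["cvss"], r["host"]))


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['score']:5.1f}  {r['host']:<10} {r['vuln']}  cvss={r['cvss']}"
              f"  owner={r['owner']:<9} {'; '.join(r['reasons']) or 'no context hits'}")
```

Run as-is, the CVSS 7.5 finding on the payments host rises to the top (it is exploited in the wild, a known-bad address is already probing it, and the asset is critical), while the two CVSS 9.8 findings with no context hits drop below it. The `reasons` list is deliberately kept alongside the number: a score nobody can explain gets ignored as fast as a flat report.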
11. REMOVING FALSE POSITIVES
Leverage a variety of scanning techniques
Continuous Vulnerability Monitoring
• Correlate data from asset discovery & inventory scans with the latest known vulnerabilities
• Benefits: avoids network “noise”; minimizes system impact; requires minimal resources
Active Network Scanning
• Actively scan to identify vulnerable services and software.
• Authenticated – more accurate, but potentially more impactful
• Unauthenticated – less accurate, but less impactful
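The “continuous vulnerability monitoring” technique above is a correlation job rather than a network probe: an inventory of what is installed is matched against a vulnerability feed, and re-matched whenever the feed updates. The script below is an added example, not AlienVault code; the inventory, the feed entries, the product names and the `VULN-nnnn` ids are constructed placeholders, and the affected-range convention (`introduced <= installed < fixed_in`) is an assumption of the example.

```python
# Added example, not from the AlienVault deck: match a host software inventory
# against a vulnerability feed offline instead of probing the network.
# Products, versions and ids below are constructed placeholders.

def parse_version(v):
    """Normalise '2.4.49', '2.4' or '9.1-r3' into a comparable 4-tuple.
    The distro suffix after '-' is dropped, non-numeric components are
    ignored, and missing components read as 0, so '2.4' compares equal to
    '2.4.0' instead of being silently skipped (a common source of misses)."""
    parts = [int(p) for p in v.split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(installed, advisory):
    """Vulnerable if introduced <= installed < fixed_in (fixed_in is exclusive)."""
    ver = parse_version(installed)
    return parse_version(advisory["introduced"]) <= ver < parse_version(advisory["fixed_in"])


def find_vulnerable(inventory, feed):
    """Correlate every installed package with every advisory for that product."""
    by_product = {}
    for adv in feed:
        by_product.setdefault(adv["product"], []).append(adv)
    hits = []
    for host in inventory:
        for product, version in host["packages"].items():
            for adv in by_product.get(product, []):
                if is_affected(version, adv):
                    hits.append({"host": host["host"], "product": product,
                                 "version": version, "vuln": adv["id"]})
    return hits


def new_findings(previous, current):
    """What a feed update newly exposed: hits present now but not on the last run."""
    key = lambda h: (h["host"], h["product"], h["vuln"])
    return {key(h) for h in current} - {key(h) for h in previous}


# Constructed host-based software inventory (what an agent or an authenticated
# inventory scan would report).
INVENTORY = [
    {"host": "web-1", "packages": {"exampled": "2.4.49", "libfoo": "1.0.3"}},
    {"host": "web-2", "packages": {"exampled": "2.4.50", "libfoo": "1.0.4"}},
    {"host": "db-1",  "packages": {"exampled": "2.4",    "sqlthing": "9.1-r3"}},
]

# Constructed vulnerability feed, before and after an update adds one advisory.
FEED_V1 = [
    {"id": "VULN-0101", "product": "exampled", "introduced": "2.4.0", "fixed_in": "2.4.50"},
]
FEED_V2 = FEED_V1 + [
    {"id": "VULN-0102", "product": "libfoo", "introduced": "1.0.0", "fixed_in": "1.0.4"},
]

if __name__ == "__main__":
    before = find_vulnerable(INVENTORY, FEED_V1)
    after = find_vulnerable(INVENTORY, FEED_V2)
    for h in after:
        print(f"{h['host']:<6} {h['product']:<9} {h['version']:<7} {h['vuln']}")
    print("new since last feed update:", sorted(new_findings(before, after)))
```

Two things the slide’s trade-offs show up in here: `web-2` runs the fixed versions and produces no finding, which is the “noise” reduction the inventory approach buys, and `db-1` reports a bare `2.4` that a naive string comparison would mishandle, so the version normaliser matters as much as the feed. The inventory has to be accurate for this to work, which is the reason the deck pairs it with authenticated scanning rather than replacing scanning altogether.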
12. OPTIMIZING WORKFLOWS
Breaking down silos
Streamline this process:
Run the scan, vet the data, prioritize remediation* based on global and local threat intelligence, then re-run a validation scan.
Document the process:
An integrated ticketing system makes this much easier.
Secret to success?
Having all of the essential functionality in one place.
*Sometimes this is a patch, and sometimes it’s a workaround.
13. USING A UNIFIED, THREAT-BASED APPROACH FOR VULNERABILITY MANAGEMENT
14-18. Piece it all together
What functionality do I need?
Figure out what is valuable: Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Identify ways the target could be compromised: Vulnerability Assessment
• Network Vulnerability Testing
Start looking for threats: Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Look for strange activity which could indicate a threat: Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
21. WHY ALIENVAULT USM?
All-in-one functionality
• Vulnerability assessment within a broader context
• Targeted remediation, easier to manage
• Flexible reporting, multiple modules, formats & queries… as detailed as you want it.
Threat intelligence from AlienVault Labs
• Know WHO is targeting vulnerabilities, HOW they’re doing it and WHAT to do about it
23. ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT
• Network and host-based IDS signatures – detect the latest threats in your environment
• Asset discovery signatures – identify the latest OSes, applications, and device types
• Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
• Correlation rules – translate raw events into actionable remediation tasks
• Reporting modules – provide new ways of viewing data about your environment
• Dynamic incident response templates – deliver customized guidance on how to respond to each alert
• Newly supported data source plug-ins – expand your monitoring footprint
25. ACHIEVING COMPLETE VULNERABILITY MANAGEMENT
• Unify your security monitoring controls for better visibility into vulnerabilities
• Use emerging threat intelligence to prioritize remediation
• Evolve from checklist reporting to true risk reduction
26. NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
• Try our Interactive Demo Site: http://www.alienvault.com/live-demo-site
• Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo
Questions? hello@alienvault.com
Editor’s Notes
Transform flat reporting into rich contextual data
Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high level what are the core functionalities I need to pass my audit and stay in compliance?
• Asset visibility (broad and deep)
• Vulnerability assessment (network, apps, etc.)
• Threat detection
• File integrity monitoring
• Host-based IDS (on the “interesting” stuff)
• Network-based IDS
• Wireless IDS
• Behavioral Monitoring
• Service availability – if credit card processing breaks, you have bigger problems
• Network anomalies
• Policy violations
• User activity – especially those with superpowers
• Security Intelligence
• Event Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge)
• Incident Response
• Compliance Reporting
• Executive Dashboards
• Easy management (RBAC, output types, filters, etc.)