Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL
Proactively Engaged – Questions Executives Should Ask
Their Security Teams
Part II – Vulnerability Management
Vulnerability Management
The Problem
In the context of this article, vulnerability management refers to the processes by which an organization mitigates weaknesses in
deployed software and systems.
Vulnerabilities affect every type of software from operating systems and applications to network devices, providing avenues for
threat actors to gain access to systems and information.
We are forced time and again to learn the lesson that previously unknown vulnerabilities will be discovered and disclosed, and
recommend you:
- Always expect software to have vulnerabilities, whether they are publicly disclosed or not yet discovered.
- Assume that threat actors will leverage them.
The “Heartbleed” vulnerability, made public in April 2014, is a good example of how quickly a significant vulnerability becomes widely
exploited by attackers.
https://www.fireeye.com/blog/threat-research/2014/04/attackers-exploit-heartbleed-openssl-vulnerability.html
https://blog.sucuri.net/2014/04/heartbleed-in-the-wild.html
Operating systems and applications are complex and no one can fully eliminate the risk they pose.
For an effective vulnerability mitigation strategy, consider:
- What would an attacker gain from fully controlling this system?
- Could the attacker use it to operate in other areas of the network?
- What is at stake on the system: both the sensitive data within it, and the passwords, hashes, or other stored information that could
provide access to other systems.
Organizations should prioritize resources toward eliminating publicly known, critical vulnerabilities.
- Aim to patch end-user web browsers and desktop applications quickly.
- Assume that the end-user workstations will be compromised and plan your security architecture and monitoring accordingly.
- Focus those resources on Internet-facing systems, infrastructure systems (e.g., Active Directory, SharePoint, Exchange), systems
with sensitive data, and privileged users’ workstations (which provide passwords and hashes that would provide attackers quick
lateral movement to other systems).
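One way to turn the prioritization guidance above into a repeatable triage order, as an added example that is not from the original article: each finding is scored by severity, public disclosure, Internet exposure, infrastructure role (Active Directory, SharePoint, Exchange), sensitive data, and whether the host is a privileged user's workstation. The weights, the findings and the CVE-XXXX placeholders are all constructed for illustration.

```python
"""Rank vulnerability findings by the remediation priorities described above.

Constructed example: the findings below are made up, not real scan output,
and the scoring weights are assumed, not taken from the original article.
"""
from dataclasses import dataclass

# Infrastructure roles the article singles out for priority remediation.
INFRASTRUCTURE_ROLES = {"active directory", "sharepoint", "exchange"}

@dataclass
class Finding:
    host: str
    cve: str                 # placeholder ids, not real CVEs
    severity: str            # "critical", "high", "medium", "low"
    publicly_known: bool     # vulnerability is publicly disclosed
    internet_facing: bool
    role: str                # e.g. "active directory", "workstation"
    sensitive_data: bool
    privileged_user: bool    # workstation used by a privileged account

def priority_score(f: Finding) -> int:
    """Higher score = fix first. Weights are assumed, for illustration only."""
    score = {"critical": 40, "high": 25, "medium": 10, "low": 2}.get(f.severity, 0)
    if f.publicly_known:
        score += 20          # publicly known flaws are the ones attackers reach for
    if f.internet_facing:
        score += 20
    if f.role.lower() in INFRASTRUCTURE_ROLES:
        score += 15          # control of AD/SharePoint/Exchange is control of much more
    if f.sensitive_data:
        score += 10
    if f.privileged_user:
        score += 15          # cached passwords/hashes enable quick lateral movement
    return score

def rank_findings(findings):
    """Return findings ordered from highest to lowest remediation priority."""
    return sorted(findings, key=priority_score, reverse=True)

SAMPLE = [  # constructed sample input
    Finding("web01", "CVE-XXXX-0001", "critical", True, True, "web server", False, False),
    Finding("dc01", "CVE-XXXX-0002", "high", True, False, "Active Directory", True, False),
    Finding("admin-laptop", "CVE-XXXX-0003", "high", False, False, "workstation", False, True),
    Finding("kiosk7", "CVE-XXXX-0004", "low", True, False, "workstation", False, False),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(priority_score(f), f.host, f.cve)
```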
The following sections expand on the questions outlined in the first article.
Achievable Mitigation
What Processes Can Detect and Remediate Vulnerabilities?
Organizations should build and maintain a dedicated program to detect and mitigate vulnerabilities.
Larger organizations can benefit from a third-party provider who specializes in vulnerability scanning.
A vulnerability management program should:
• Holistically cover the entire enterprise, including all significant technologies, operating systems, and applications.
• Use an “authenticated scan” at least quarterly on the entire environment, so the vulnerability scanner logs into the target
systems and gains a comprehensive picture of the systems’ security.
• Ensure IT and the business align to rapidly mitigate serious vulnerabilities.
• Mitigate risks posed by systems without available patches, or that face business or operational constraints.
Where is Our Environment Vulnerable?
Few organizations have adequate coverage across the enterprise. Understanding where coverage is lacking and prioritizing
enhancements conveys confidence in the vulnerability management team.
Are We Effective at Remediating Known, High-risk Vulnerabilities?
The time between detection and closure offers a valuable metric about the vulnerability management program’s effectiveness. Geographic area
and business function metrics can highlight roadblocks.
Consider the downstream impacts. Passwords, hashes or other information on an unpatched risk-accepted system could allow access to other
systems across the environment.
Systems with known, high-risk vulnerabilities offer zero access control, because an attacker can immediately gain entry with a trivial level of
skill and effort. Organizations should not allow such systems on their networks.
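The detection-to-closure metric described above, computed over constructed findings as an added example (not code from the original article): median days from detection to closure is reported by region and by business function, with still-open findings counted at their current age so a backlog shows up rather than vanishing, and open critical/high findings older than an assumed 7-day SLA are listed as the systems that should not remain on the network.

```python
"""Detection-to-closure metrics for a vulnerability management program.

Constructed example, not from the original article: the records below are
made up scan findings, and the 7-day high-risk SLA is an assumed threshold.
"""
from collections import defaultdict
from datetime import date
from statistics import median

HIGH_RISK_SLA_DAYS = 7            # assumed SLA; use what your program commits to
AS_OF = date(2015, 3, 31)         # constructed "today" for the report

# Constructed findings: (id, region, business function, severity, detected, closed or None)
FINDINGS = [
    ("F1", "EMEA", "Finance", "critical", date(2015, 3, 1), date(2015, 3, 4)),
    ("F2", "EMEA", "Retail", "critical", date(2015, 3, 2), date(2015, 3, 20)),
    ("F3", "APAC", "Retail", "high", date(2015, 3, 5), None),
    ("F4", "APAC", "Finance", "medium", date(2015, 3, 6), date(2015, 3, 10)),
    ("F5", "AMER", "Finance", "high", date(2015, 2, 20), date(2015, 2, 24)),
]

def closure_days(detected, closed, as_of):
    """Days to closure, or days open so far if the finding is still open."""
    return ((closed or as_of) - detected).days

def median_closure_by(findings, key_index, as_of):
    """Median detection-to-closure days grouped by region (index 1) or
    business function (index 2). Open findings count at their current age,
    so an unremediated backlog raises the metric instead of hiding from it."""
    groups = defaultdict(list)
    for rec in findings:
        groups[rec[key_index]].append(closure_days(rec[4], rec[5], as_of))
    return {group: median(days) for group, days in groups.items()}

def overdue_high_risk(findings, as_of, sla_days=HIGH_RISK_SLA_DAYS):
    """Ids of open critical/high findings older than the SLA."""
    return [rec[0] for rec in findings
            if rec[3] in ("critical", "high") and rec[5] is None
            and closure_days(rec[4], None, as_of) > sla_days]

if __name__ == "__main__":
    print("by region:", median_closure_by(FINDINGS, 1, AS_OF))
    print("by business function:", median_closure_by(FINDINGS, 2, AS_OF))
    print("overdue high-risk:", overdue_high_risk(FINDINGS, AS_OF))
```

Slicing the same metric by region and by business function is what exposes the roadblocks the article mentions: here the Retail function, not any one region, is where closure lags.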
Have We Applied Lessons Learned from Publicized Breaches?
Effective security teams learn everything they can from others’ security breaches and apply those lessons to their environments.
This could involve reading published news reports or case studies, and asking colleagues whether the malicious activity in question could have
been prevented or detected if it occurred in your environment.
More formally, tabletop exercises with subject matter experts (whether internal or external) can provide a new level of realism for your team.
Such SMEs can highlight the most significant gaps within visibility and response.
Up Next: Monitoring
Prevention is difficult and is often simply not achievable. Even the most secure organizations are
vulnerable. But, these companies excel at quickly identifying and containing compromises.
Our next blog will focus on key elements of a successful monitoring program:
- Where do we have good visibility and where is it lacking?
- How do we monitor to detect security incidents?
- How do we measure capability effectiveness?
- How consistent are we about the type of information we gather?
- What additional tools or information do we need to be effective?