Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
* The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
* Vulnerability scores and how to interpret them
* Best practices for prioritizing vulnerability remediation
* How threat intelligence can help you pinpoint the vulnerabilities that matter most
7. The Need for Vulnerability Management
Too many compromises due to:
• Unknown systems
• Unknown data
• Unpatched vulns
Need a process to determine what to patch, work around, or live with
9. Poll #1
How many of you have an active Vulnerability Management program?
Yes
No
Don’t Know
10. Poll #2
For those who said No, what is keeping you from deploying a Vulnerability Management program?
Tools
Staff time
Staff training
I’m protected by UTM / NGFW / IPS / Advanced Antimalware …
Don’t know
11. Detection is the New Black
“There's a trend underway in the information security field to shift from a prevention mentality to a focus on rapid detection”
“Your detection & response capabilities are more important than blocking & prevention”
12. Assessment Scans
Combination of Techniques is Ideal
Passive/Continuous: Monitors network traffic
Active: Sends data to devices to generate a response
Credential: Logs on to individual systems
Agent: Dedicated agent installed on a subset of devices
Benefits: Visibility, Asset Values, Grouping
13. Vulnerability Prioritization
CVSS: Common Vulnerability Scoring System
• Base Metric Score from 0-10
- 7.0 - 10.0 = High
- 4.0 - 6.9 = Medium
- 0 - 3.9 = Low
- Average = 6.8
Sources: www.first.org/cvss
www.cvedetails.com
14. Prioritizing Remediation & Mitigation
Understanding the Context
What other software is installed on these systems?
What systems communicate with these systems?
What traffic do these vulnerable hosts generate?
Are these systems targeted by malicious hosts?
Have these systems generated any alarms previously?
Is there a patch or workaround available?
15. Threat Correlation & Intelligence
Risk = Assets x Vulnerabilities x Threats
Correlation is Essential
• Correlate asset information with vulnerability data and threat data
• Correlate IDS alarms with vulnerabilities
- Is the host being attacked actually vulnerable to the exploit attempt?
Threat Intelligence
• Threat landscape is constantly changing
• Tools need to keep pace
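A worked example of the correlation this slide describes, added here and not part of the original webinar or any AlienVault product: scanner findings (CVSS base scores) are combined with an asset value and with IDS alarms, and an alarm only raises the threat factor when the attacked host actually carries the vulnerability the exploit targets. Host names, CVE ids, the 1-5 asset scale and the threat weighting are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Asset:
    host: str
    value: int                # business criticality, 1 (low) to 5 (critical); constructed scale
    vulns: Dict[str, float]   # CVE id -> CVSS base score reported by the scanner

@dataclass
class Alarm:
    host: str                 # host the IDS saw being attacked
    cve: str                  # CVE the exploit attempt targets

def cvss_severity(score: float) -> str:
    # High/Medium/Low bands from the slide: 7.0-10.0, 4.0-6.9, 0-3.9
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def correlate(assets: List[Asset], alarms: List[Alarm]) -> Dict[Tuple[str, str], int]:
    """Count only alarms where the attacked host is actually vulnerable to that exploit."""
    by_host = {a.host: a for a in assets}
    hits: Dict[Tuple[str, str], int] = {}
    for al in alarms:
        asset = by_host.get(al.host)
        if asset is not None and al.cve in asset.vulns:
            hits[(al.host, al.cve)] = hits.get((al.host, al.cve), 0) + 1
    return hits

def prioritize(assets: List[Asset], alarms: List[Alarm]) -> List[Tuple[str, str, str, int, float]]:
    """Risk = Assets x Vulnerabilities x Threats; threat factor is 1 plus correlated alarms."""
    hits = correlate(assets, alarms)
    rows = []
    for a in assets:
        for cve, score in a.vulns.items():
            relevant = hits.get((a.host, cve), 0)
            risk = round(a.value * score * (1 + relevant), 2)
            rows.append((a.host, cve, cvss_severity(score), relevant, risk))
    return sorted(rows, key=lambda r: r[4], reverse=True)   # highest risk first

# Constructed sample data; host names and CVE ids are placeholders, not real findings.
ASSETS = [
    Asset("db01", 5, {"CVE-0000-0001": 9.8, "CVE-0000-0002": 5.0}),
    Asset("kiosk07", 1, {"CVE-0000-0001": 9.8}),
]
ALARMS = [
    Alarm("kiosk07", "CVE-0000-0001"),  # attacked and vulnerable: counts
    Alarm("db01", "CVE-0000-0003"),     # exploit for a CVE db01 does not have: ignored
    Alarm("db01", "CVE-0000-0002"),     # attacked and vulnerable: counts
]
```

Calling prioritize(ASSETS, ALARMS) ranks the Medium finding on db01 that is actively being exploited above its High finding with no observed attack, which is the point of correlating alarms rather than sorting by CVSS alone.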
16. No Silver Bullet
Limitations of Vulnerability Management
• Can’t patch everything at once
• Patch ≠ No Compromise
- Focused, patient attacker will get in
• BYOD = No patch
• Zero-day = No patch
• Do the names Edward Snowden or Bradley Manning ring a bell?
17. 5 Tips
1. Think like an attacker
• They may not be after your data
2. It all starts with the network
• Regular network assessment scans are essential
3. Unify & automate security controls
• You can’t keep up with the data
4. Use threat intelligence to prioritize remediation
• Only way to keep up with changing landscape
5. Remember it is an ongoing process
• It does not end with a checkbox