Cutting Edge Approaches to Vulnerability Management

Cutting Edge Approaches to Vulnerability Management: VM Value-Added Services. Chris Kissel, Industry Analyst, Information & Network Security. March 13, 2014. © 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.


DESCRIPTION

Listen On Demand: https://www.brighttalk.com/webcast/5567/102273

Why You Should Attend:
- Learn how key network security management solution providers are expanding vulnerability assessments to include more than just network endpoints
- Gain a sneak peek of the newest tools and technologies in assessment precision and remediation
- Understand how vulnerability reporting is vital to the interests of compliance, IT and C-level management

TRANSCRIPT

Page 1: Cutting Edge Approaches to Vulnerability Management

Cutting Edge Approaches to Vulnerability Management

VM Value-Added Services

Chris Kissel, Industry Analyst

Information & Network Security

March 13, 2014

© 2014 Frost & Sullivan. All rights reserved. This document contains highly confidential information and is the sole property of Frost & Sullivan. No part of it may be circulated, quoted, copied or otherwise reproduced without the written approval of Frost & Sullivan.

Page 2: Cutting Edge Approaches to Vulnerability Management

Today’s Presenter

Chris Kissel, Industry Analyst

Frost & Sullivan

Follow me on: www.linkedin.com

• IT & Network Security: vulnerability management, cloud-based file sharing services, public vulnerabilities, NAC, and SSL certificates.

• Ten years of research and sales experience in the cellular infrastructure, wireless, telecom, PCs, semiconductor, and high-definition consumer device sectors.

Page 3: Cutting Edge Approaches to Vulnerability Management

Introduction

1. Vulnerability Management Market Size

2. Vulnerability Management Basics

3. Specialized Reporting

4. Context Awareness

5. Integration with Complementary Secondary Technologies

Page 4: Cutting Edge Approaches to Vulnerability Management

Vulnerability Management Market Size

Page 5: Cutting Edge Approaches to Vulnerability Management

Cyber Threat Environment

The Nature of Cyber Attacks is Changing

• According to the Symantec Internet Security Threat Report 2014, "targeted" attacks increased by 32 percent between 2012 and 2013.

• Because of the availability of attack software and a growing history of cyber attacks, the skill level required of a cyber attacker is becoming less important. Similar to legitimate communications service providers, rogue agencies that offer cyber attack services also provide a service level agreement (SLA).

• Cyber attacks are moving from server-side to client-side attacks.

• High-profile security breaches have received extensive media coverage, and can actually affect the market worth of a company.

• While there may be no formal declaration of hostilities and the term "cyber warfare" may be too much, cyber conflicts are certainly evident. Nation-states are suspected of being responsible for the most pernicious attacks.

• Any aspect of networking, from applications to access, can be turned into a vulnerability. While attacks have become sophisticated, so too have the defenses against them.

Source: Frost & Sullivan

Page 6: Cutting Edge Approaches to Vulnerability Management

2010–2018 Vulnerability Management Market Size

Total Vulnerability Management Market: Unit Shipment and Revenue Forecast, Global, 2010–2018; Revenue CAGR (2013–2018) = 13.0%

Source: Frost & Sullivan

Page 7: Cutting Edge Approaches to Vulnerability Management

Investments in Vulnerability Management

• In the last two years, vulnerability management fundamentally changed. The major industry players received money in one form or another. Tenable Network Security and Rapid7 each received $50 million in funding; Qualys issued an IPO; and eEye Digital Security and nCircle were acquired by BeyondTrust and Tripwire, respectively.

Source: Frost & Sullivan

Page 8: Cutting Edge Approaches to Vulnerability Management

Drivers and Restraints

Total Vulnerability Management Market: Key Market Drivers and Restraints, Global, 2014–2018

Impact: H = High, M = Medium, L = Low. Columns: 1–2 Years | 3–4 Years | 5 Years

Market Drivers
  The nature of cyber attacks is changing to include smaller businesses and threats are becoming more targeted: H | H | H
  Integration of features in vulnerability management platforms is helping customers harden their systems: M | M | M
  Compliance reporting is increasing in importance to conform with regulatory requirements: M | M | H
  The Internet of Things requires heterogeneous networks, and integrates new devices and security practices: M | H | H
  Continuous threat monitoring is becoming requisite: M | H | H

Market Restraints
  Customers are concerned that vulnerability management is too thin a slice of protection and are worried about limits in the platform: H | H | H
  Vulnerability management customers are prohibited from publishing scan results, which reinforces the feeling that they have trouble making value-based decisions: M | M | M
  Syncing security measures to match changes in a network is difficult: M | M | M
  Vulnerability management competes with other technologies for security solution dollars: L | L | L

Note: Drivers & Restraints are ranked in order of impact. Source: Frost & Sullivan

Page 9: Cutting Edge Approaches to Vulnerability Management

Poll Question Number One

Page 10: Cutting Edge Approaches to Vulnerability Management

Vulnerability Management Basics

Page 11: Cutting Edge Approaches to Vulnerability Management

Fundamentals to Vulnerability Management

Fundamental Aspects of Vulnerability Management

• Vulnerabilities are defined as any errors or weaknesses within a software program that enable an unauthorized user to access sensitive data, gain control, or deny access to authorized users.

• Vulnerability management provides an essential proactive solution to prevent data breaches and system disruptions. These products enable companies to find weaknesses in their networks and provide remediation guidance.

• Network scanners have the ability to scan all network-attached endpoints for vulnerabilities. However, the resulting reports often generate long lists of vulnerable systems.

• Vulnerability management now has much more concise reporting platforms. Ranking vulnerabilities in terms of remediation is an important efficacy aspect of vulnerability management. Nearly all devices and systems will show a vulnerability, which makes vulnerability prioritization important. A security team needs to know which threats should be addressed first. The ability to identify and remediate a threat at its earliest stages reduces the likelihood of an advanced persistent threat in the future.

Source: Frost & Sullivan

Page 12: Cutting Edge Approaches to Vulnerability Management

CVSS v2 Scoring

Figure 1: Attributes and Measures of CVSS v2

Attribute | Measure | Worst Case Scenario

Exploitability metrics
  Access Vector | Where an exploit can be triggered (Local, Adjacent Network, or Network) | Network: the exploit is triggered remotely, over the network stack at Layer 3 or above.
  Access Complexity | How difficult the attack is once the attacker has reached the target | Low: no special conditions or restrictions; the attacker can exploit the flaw at will.
  Authentication | How many times an attacker must authenticate to the target to exploit it | None: no authentication is needed to exploit the vulnerability.

Impact metrics
  Confidentiality | Size of the data breach | Complete: the attacker can read or steal any or all of the data.
  Integrity | File and data security | Complete: the attacker can manipulate data; total integrity is lost.
  Availability | System or network availability | Complete: the attacker can incapacitate a system or a network.

Source: NIST; Common Vulnerability Scoring System v2 (Base Score Metrics)

Page 13: Cutting Edge Approaches to Vulnerability Management

More About Vulnerability Management Basics

• Ticketing systems are something of a necessity in vulnerability management systems, and elicit strong emotions from IT personnel.

• Outpost24 has an elaborate ticketing system. Ticketing can be manual or automated. Tickets can be sorted by remediation urgency, from low priority to high priority. Ticket detail includes who owns the issue, who is assigned to fix it, when it is to be fixed, and the ultimate resolution.

• Patching vulnerabilities is the next step. Vulnerability management companies have agreements with patch management vendors.

• One differentiator vulnerability management providers can offer is a shortened cycle between remediation and rescanning to confirm the fix.
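The prioritization described on Page 11 and the ticket lifecycle described above (owner, assignee, due date, resolution, then a rescan to confirm the fix) can be shown end to end. The following is an added example for this page, not code from the deck or from Outpost24 or any other vendor: it ranks constructed scan findings by CVSS weighted with asset criticality and exploit availability, opens tickets with an owner and an SLA due date, and closes a ticket only when a later scan no longer reports the finding. The findings, asset register, SLA days and thresholds are all constructed assumptions.

```python
"""Rank scan findings into remediation tickets and close them only on rescan.

Added example for this page, not code from the deck or from any vendor
product. The findings, asset register and SLA policy below are constructed.
"""
from datetime import date, timedelta

SCAN_1_DATE = date(2014, 3, 13)
SCAN_2_DATE = date(2014, 3, 23)

# Constructed scanner output: (host, vulnerability id, CVSS v2 base score,
# public exploit available?).
SCAN_1 = [
    ("db01",    "CVE-2014-0160", 5.0,  True),
    ("web01",   "CVE-2014-0160", 5.0,  True),
    ("web01",   "CVE-2013-2251", 9.3,  True),
    ("kiosk07", "CVE-2013-2251", 9.3,  True),
    ("kiosk07", "CVE-2013-0422", 10.0, False),
    ("lab-vm3", "CVE-2012-1823", 7.5,  False),
]

# Constructed rescan ten days later: two hosts patched, one host fixed one of
# its two findings, and a host the first scan never saw.
SCAN_2 = [
    ("web01",   "CVE-2013-2251", 9.3,  True),
    ("kiosk07", "CVE-2013-2251", 9.3,  True),
    ("kiosk07", "CVE-2013-0422", 10.0, False),
    ("newbox",  "CVE-2014-0160", 5.0,  True),
]

# Constructed asset register: business criticality 1 (lab box) to 5 (crown
# jewel) and the team that owns remediation.
ASSETS = {
    "db01":    {"criticality": 5, "owner": "dba-team"},
    "web01":   {"criticality": 4, "owner": "web-ops"},
    "kiosk07": {"criticality": 2, "owner": "retail-it"},
    "lab-vm3": {"criticality": 1, "owner": "r-and-d"},
}
UNKNOWN_ASSET = {"criticality": 3, "owner": "unassigned"}  # a visibility gap

SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}  # assumed remediation policy


def risk_score(cvss, criticality, exploit_public):
    """CVSS alone ranks every host equally; weight it by asset value and
    push findings with a public exploit to the front of the queue."""
    return cvss * criticality * (1.5 if exploit_public else 1.0)


def priority(score):
    if score >= 30:
        return "P1"
    if score >= 12:
        return "P2"
    return "P3"


def create_tickets(findings, assets, scan_date):
    """One ticket per (host, vuln), highest risk first, with owner and due date."""
    def score_of(f):
        host, _, cvss, exploit = f
        return risk_score(cvss, assets.get(host, UNKNOWN_ASSET)["criticality"], exploit)

    tickets = []
    for n, f in enumerate(sorted(findings, key=score_of, reverse=True), 1):
        host, vuln, _, _ = f
        pri = priority(score_of(f))
        tickets.append({
            "id": "VM-%04d" % n, "host": host, "vuln": vuln,
            "score": score_of(f), "priority": pri,
            "owner": assets.get(host, UNKNOWN_ASSET)["owner"],
            "due": scan_date + timedelta(days=SLA_DAYS[pri]), "status": "open",
        })
    return tickets


def verify_by_rescan(tickets, rescan_findings, rescan_date):
    """The scanner, not the assignee, decides when a ticket closes.

    A finding absent from the rescan closes its ticket; one still present
    stays open, or becomes overdue once the SLA date has passed.
    """
    still_present = {(h, v) for h, v, _, _ in rescan_findings}
    for t in tickets:
        if (t["host"], t["vuln"]) in still_present:
            t["status"] = "overdue" if rescan_date > t["due"] else "open"
        else:
            t["status"], t["closed"] = "closed", rescan_date
    return tickets


def untracked(tickets, rescan_findings):
    """Findings in the rescan that no ticket covers: new hosts or new vulns."""
    tracked = {(t["host"], t["vuln"]) for t in tickets}
    return sorted((h, v) for h, v, _, _ in rescan_findings if (h, v) not in tracked)


if __name__ == "__main__":
    tickets = create_tickets(SCAN_1, ASSETS, SCAN_1_DATE)
    verify_by_rescan(tickets, SCAN_2, SCAN_2_DATE)
    for t in tickets:
        print("%(id)s %(priority)s %(host)-8s %(vuln)s owner=%(owner)s "
              "due=%(due)s %(status)s" % t)
    print("untracked after rescan:", untracked(tickets, SCAN_2))
```

Note that the CVSS 10.0 finding on the kiosk ranks below the 5.0 finding on the database server: criticality and exploit availability, not the raw score, decide the order. The untracked list is what a shortened scan-to-remediation cycle is for: the new host shows up as soon as the rescan runs, not at the next quarterly review.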

Page 14: Cutting Edge Approaches to Vulnerability Management

Specialized Reporting

Page 15: Cutting Edge Approaches to Vulnerability Management

Reporting by Department

• Optimally, reports would be generated to facilitate different functions.

• Many organizations require different perspectives for IT/Security, the CEO, and auditing conventions.

• Vulnerability management platform providers can supply templates for specific reports that prove compliance or that are tailored to particular market verticals.

• BeyondTrust uses Microsoft Online Analytical Processing (OLAP) cubes to port data to its data warehouse.

Page 16: Cutting Edge Approaches to Vulnerability Management

Compliance Reporting

• Language in the Health Information Technology for Economic and Clinical Health Act (HITECH) suggests that large healthcare organizations such as Cigna and Blue Cross are accountable for data and patient records handled by their subcontractors. Consequently, those organizations have the right to audit their subcontractors, which include smaller practices such as radiology and ultrasound clinics.

• In November 2013, Payment Card Industry Data Security Standard (PCI DSS) 3.0 became an official standard. There is a phase-in period for merchants, but on January 1, 2014 the new standard became effective. PCI DSS 3.0 adds best practices on top of its list of requirements: it requires a merchant to have anti-malware protection, and lets merchants use passphrases as well as passwords for authentication. The PCI DSS 3.0 standard will remain in place for at least three years.

• In the United States, NIST Special Publication 800-53 Revision 4 was released April 30, 2013. NIST develops standards, guidelines, and recommendations to promote information security for all government agency operations and systems. In many cases, NIST compliance is required for private businesses to compete for contracts with government agencies.

Page 17: Cutting Edge Approaches to Vulnerability Management

Context Awareness

Page 18: Cutting Edge Approaches to Vulnerability Management

Context Awareness

• Context awareness integrates threat, risk, vulnerability, privilege, and event data, with compliance reporting and remediation procedures and statistics to give IT the information it needs to make the most effective decisions possible.

• There is never a shortage of vulnerabilities. Almost without exception, all networks will show vulnerabilities. The ability to react and remediate the most potentially damaging threat environments is important.

• Vulnerability prioritization allows an IT team to act on Advanced Persistent Threats and Zero Day vulnerabilities, hopefully before a threat is initiated.

• The pillars of contextual awareness in this report are specialized reporting, device fingerprinting, threat simulation, and risk management.

Page 19: Cutting Edge Approaches to Vulnerability Management

Enhanced Reporting—Tripwire

Source: Tripwire Analyst Deck, 2013, With permission.

Page 20: Cutting Edge Approaches to Vulnerability Management

Enhanced Reporting

• The end user can look at any metric on the dashboard and drill down to see which assets are being threatened.

• The Tripwire paradigm lets the end user cross-match conditions: AUTOMATED EXPLOIT AND EXPOSURE would be among the most dire. Additionally, Tripwire vulnerability scoring considers 90,000 conditions.

• Ease of use is also an important specialized report differentiator.

• Outpost24 customers can generate automated reports from a selection of 42 report attributes (31 pre-assigned templates, 10 custom templates, and one defined-asset-groups report).

• The reports are designed to pivot from the perspective of a stakeholder (system owner, location, business unit, etc.) regardless of scan time.

• Automated reporting can pare down the flow of information from each perspective.

Page 21: Cutting Edge Approaches to Vulnerability Management

Device Fingerprinting

• One of the biggest challenges to VM platforms is an ever-changing network.

• Visibility is the unifying concept. New devices, virtualized machines, and devices that have been offline or otherwise decommissioned all present the same challenge.

• Any weakness becomes a potential attack vector. IT teams must maintain visibility.

• Of course, the same principle applies to devices that are powered down.

• Essentially, vulnerability management platforms must have easy hooks into a mobile device management (MDM) program or must provide "MDM-lite" functionality.

Page 22: Cutting Edge Approaches to Vulnerability Management

Threat Modeling (Leading Toward Risk Management)

• Rapid7 offers threat-modeling simulation in Metasploit Pro and Metasploit Express. An IT department can create a Layer 2 communications tunnel that bypasses intrusion detection and intrusion prevention systems (IDS/IPS).

• To simulate an attack, IT can then launch a single exploit against a host and use the knowledge gained from the compromised machine to exploit another machine. Other scenarios include brute force, and basic and smart exploitation.

• Outpost24 solutions prioritize remediation based on dependency and criticality ratings for affected systems; the ease of exploitation and its impact on the organization; and the efficiency and effectiveness of the remediation effort (solution-based reporting).

Page 23: Cutting Edge Approaches to Vulnerability Management

Poll Question Number Two

Page 24: Cutting Edge Approaches to Vulnerability Management

Integration with Secondary Technologies

Page 25: Cutting Edge Approaches to Vulnerability Management

Integration with Secondary Technologies

Diagram: the Vulnerability Management Platform at the center, integrated with Log Management, SIEM, SSL Certificate Authentication, Privileged Identity Management, Web Application Scanning, Secure Configurations, and a Risk Management Platform.

Source: Frost & Sullivan

Page 26: Cutting Edge Approaches to Vulnerability Management

Applied Analytics

• Security information and event management (SIEM), log management and risk management are interrelated, analytically driven technologies.

• An analytical approach to vulnerability management platforms is preferred on several levels: proper event correlation can be incorporated into the front line of vulnerability scanning.

• SIEM or SIEM-like capabilities are the gateway for integration with other security measures. Data loss prevention (DLP) identifies breaches of data concerning personal identification, industrial or government secrets, or financial data.

• BeyondTrust uses analytics from its solutions, integrated under its BeyondInsight IT Risk Management platform, to make sure that identity is the basis of access to certain files, to deny access to unauthorized users, and to turn intelligence gathered from the platform into better vulnerability management.
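What "event correlation incorporated into the front line of vulnerability scanning" looks like in practice: join what the IDS saw with what the scanner knows. The following is an added example for this page, not code from the deck or from any SIEM product. It parses constructed alert lines written in the style of Snort's "fast" alert format (rule ids in the local-rule range, message text invented), maps each rule id to the CVE it detects attempts on through a constructed table, and checks the targeted host against constructed scan results, so an exploit attempt against a host the scanner says is vulnerable is surfaced as a probable compromise rather than just another ticket.

```python
"""Correlate IDS alerts with vulnerability scan results.

Added example for this page, not code from the deck or any SIEM product.
The alert lines imitate Snort's "fast" alert format, the rule ids are in the
local-rule range, and the sid-to-CVE map and scan results are constructed.
"""
import re

# Constructed alert lines.
ALERTS = """\
03/13-14:02:11.123456 [**] [1:1000001:1] LOCAL EXPLOIT Struts2 OGNL injection attempt [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 10.0.0.12:80
03/13-14:02:13.555555 [**] [1:1000001:1] LOCAL EXPLOIT Struts2 OGNL injection attempt [**] [Priority: 1] {TCP} 203.0.113.7:51240 -> 10.0.0.20:8080
03/13-14:05:40.000001 [**] [1:1000002:2] LOCAL EXPLOIT TLS heartbeat overread attempt [**] [Priority: 1] {TCP} 198.51.100.9:4433 -> 10.0.0.12:443
03/13-14:07:02.424242 [**] [1:1000003:1] LOCAL SCAN nmap service probe [**] [Priority: 3] {TCP} 198.51.100.9:4455 -> 10.0.0.31:22
""".splitlines()

# Constructed mapping from rule id to the CVE the rule detects attempts on.
SID_TO_CVE = {1000001: "CVE-2013-2251", 1000002: "CVE-2014-0160"}

# Constructed scan results: host -> CVEs the last credentialed scan found.
SCAN = {
    "10.0.0.12": {"CVE-2013-2251", "CVE-2014-0160"},
    "10.0.0.20": {"CVE-2012-1823"},      # Struts is not even installed here
    "10.0.0.31": set(),
}

# The optional "[Classification: ...]" block that real alerts carry between
# the message and the priority is absorbed by the lazy ".*?".
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*?\[Priority: (?P<pri>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Parse one fast-format alert; return None for lines that do not match
    so one malformed line cannot abort the whole batch."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[k] = int(d[k])
    return d


def correlate(alert_lines, sid_to_cve, scan):
    """Attach a verdict to every alert.

    confirmed: the target is known vulnerable to what the rule detects and
               should be handled as a probable compromise, not a ticket.
    exposed:   target unknown to the scanner, so exposure cannot be ruled out.
    noise:     the rule maps to a CVE the target does not have.
    info:      rule with no CVE mapping (scans, policy hits).
    """
    out = []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue
        cve = sid_to_cve.get(a["sid"])
        if cve is None:
            verdict = "info"
        elif a["dst"] not in scan:
            verdict = "exposed"
        elif cve in scan[a["dst"]]:
            verdict = "confirmed"
        else:
            verdict = "noise"
        out.append({"ts": a["ts"], "sid": a["sid"], "src": a["src"],
                    "dst": a["dst"], "cve": cve, "verdict": verdict})
    return out


def vulnerable_hosts_under_attack(results):
    """Patch these first: the scanner says vulnerable, the IDS says targeted."""
    return sorted({(r["dst"], r["cve"]) for r in results if r["verdict"] == "confirmed"})


if __name__ == "__main__":
    results = correlate(ALERTS, SID_TO_CVE, SCAN)
    for r in results:
        print("%(ts)s sid=%(sid)d %(src)s -> %(dst)s %(cve)s %(verdict)s" % r)
    print("patch first:", vulnerable_hosts_under_attack(results))
```

The "exposed" verdict is the one to watch: a host the IDS sees but the scanner has never inventoried is the visibility gap discussed under Device Fingerprinting, and the correlation is only as good as the scan coverage behind it.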

Page 27: Cutting Edge Approaches to Vulnerability Management

Web Application Scanning

• Hackers are using vulnerabilities in Web applications as a means to create exploits.

• Web application scanning is being offered by several vulnerability management service providers.

• Qualys has a separate Web Application Scanning/Web Application Firewall service.

• In June 2012, Tripwire included Web application scanning, WebApp360, on its Tripwire IP360 vulnerability and risk management platform at no additional cost.

• Web application scanning is an integral part of Tenable SecurityCenter Continuous View platform.

Page 28: Cutting Edge Approaches to Vulnerability Management

QualysGuard Integrated Suite of Security and Compliance Solutions

*In Beta

Diagram of modules: Vulnerability Management, Policy Compliance, Customizable Questionnaires, PCI DSS, Web Application Scanning, Malware Detection, Web Application Firewall, Web Application Log Analysis.

Source: Qualys, Used with Permission.

Page 29: Cutting Edge Approaches to Vulnerability Management

Continuous Monitoring

• In the United States, NIST considers continuous monitoring to be a set of "planned, required, and deployed security controls" in the context of an information system that remain effective "in light of the inevitable changes that occur."

• From NIST SP 800-137 (verbatim): Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

• All Federal agencies have to produce monthly inventories of all assets on their networks (devices, applications, servers, virtual machines, etc.).

Page 30: Cutting Edge Approaches to Vulnerability Management

Continuous Monitoring Principles

Real-time, Continuous Monitoring Platform:

• Immediate discovery of assets including mobile, cloud, and virtual systems

• Continuous, real-time vulnerability assessment

• Integrated threat detection and advanced malware analysis, isolation of attack paths

• Real-time network monitoring and anomaly detection

• Integrated logging, forensics, and threat investigation & response

• Proactive compliance reporting and patch auditing

Diagram, Benefits of Continuous Monitoring: Continuous Monitoring at the center, linking Vulnerability Management, Malware Detection, Compliance & Patch Monitoring, Network Behavioral Analysis, and Log Collection & Analysis.

Page 31: Cutting Edge Approaches to Vulnerability Management

Continuous Monitoring Architecture (Tenable Network Security)


Page 32: Cutting Edge Approaches to Vulnerability Management

Aspects of Continuous Monitoring (Tenable Network Security)

• Tenable Network Security offers a Continuous Monitoring solution that combines active scanning, passive sniffing, and log analysis, forming a composite view of assets, vulnerabilities, and threats.

• Its Nessus active scanner supports both credentialed and non-credentialed scans to identify vulnerabilities and to run compliance and configuration checks.

• The Passive Vulnerability Scanner (PVS) analyzes network traffic at the packet layer, known colloquially as "sniffing", to detect assets as they connect to the network. PVS also identifies vulnerabilities and malicious communications from network traffic, supplementing the Nessus active scans.

• The Log Correlation Engine (LCE) provides log analysis to add context to vulnerabilities and threats from the surrounding infrastructure and system logs.

• These combined technologies work together to identify risk from transient devices and dynamic systems, including mobile devices, virtual infrastructure, and cloud applications.
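The composite view described above, and the visibility problem raised under Device Fingerprinting (Page 21), come down to reconciling what the active scanner enumerated with what is actually alive on the wire. The following is an added example for this page, not code from the deck or from Tenable's products. It merges three constructed sources (an active-scan inventory with scan dates, passive sensor sightings keyed by IP and MAC, and DHCP server syslog lines in ISC dhcpd's DHCPACK wording) and classifies every IP as scanned, stale, reappeared, or unscanned. The hosts, dates, the 30-day staleness window and the decommissioned list are assumptions of the example.

```python
"""Reconcile active-scan, passive-sniffing and log views of the asset inventory.

Added example for this page, not code from the deck or from any Tenable
product. The three data sources are constructed: an active-scan inventory,
passive sensor observations, and DHCP server syslog lines.
"""
import re
from datetime import date, timedelta

TODAY = date(2014, 3, 13)
STALE_AFTER = timedelta(days=30)
DECOMMISSIONED = {"old-nas"}   # hosts IT believes were retired

# Constructed: what the active scanner enumerated, and when.
ACTIVE_SCAN = {
    "10.0.0.12": {"hostname": "web01",     "scanned": date(2014, 3, 12)},
    "10.0.0.20": {"hostname": "app02",     "scanned": date(2014, 3, 12)},
    "10.0.0.40": {"hostname": "old-nas",   "scanned": date(2014, 1, 15)},
    "10.0.0.45": {"hostname": "print-srv", "scanned": date(2014, 1, 20)},
}

# Constructed: passive sensor observations (ip, mac, last seen, OS fingerprint).
PASSIVE = [
    ("10.0.0.12", "00:11:22:33:44:12", date(2014, 3, 13), "Linux"),
    ("10.0.0.57", "00:11:22:33:44:57", date(2014, 3, 13), "Android"),
    ("10.0.0.40", "00:11:22:33:44:40", date(2014, 3, 13), "Linux"),
]

# Constructed DHCP server syslog lines in ISC dhcpd's DHCPACK wording.
DHCP_LOG = """\
Mar 13 08:14:02 dhcp1 dhcpd: DHCPACK on 10.0.0.57 to 00:11:22:33:44:57 (galaxy-s4) via eth0
Mar 13 08:20:45 dhcp1 dhcpd: DHCPACK on 10.0.0.63 to 00:11:22:33:44:63 (vm-build-9) via eth0
Mar 13 08:21:10 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:70 via eth0
""".splitlines()

DHCPACK = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<name>[^)]*)\))?")


def parse_dhcp(lines, when):
    """{ip: (mac, hostname, date)} for every DHCPACK; other log lines are ignored."""
    leases = {}
    for line in lines:
        m = DHCPACK.search(line)
        if m:
            leases[m.group("ip")] = (m.group("mac"), m.group("name") or "", when)
    return leases


def reconcile(active, passive, dhcp_lines, today):
    """Merge the three views and classify every IP.

    scanned:    in the active inventory and alive within STALE_AFTER
    stale:      in the active inventory but not seen alive within STALE_AFTER
                (powered down, offline, or quietly decommissioned)
    reappeared: a host IT retired that is talking on the network again
    unscanned:  alive on the wire (passive or DHCP) but never actively scanned,
                i.e. a vulnerability management blind spot
    """
    on_wire = {}   # ip -> most recent live sighting from passive data or logs
    for ip, _mac, seen, _fp in passive:
        on_wire[ip] = max(on_wire.get(ip, seen), seen)
    for ip, (_mac, _name, seen) in parse_dhcp(dhcp_lines, today).items():
        on_wire[ip] = max(on_wire.get(ip, seen), seen)

    classes = {}
    for ip in sorted(set(active) | set(on_wire)):
        a = active.get(ip)
        live = on_wire.get(ip)
        last_alive = max(d for d in (live, a and a["scanned"]) if d)
        if a and a["hostname"] in DECOMMISSIONED and live:
            classes[ip] = "reappeared"
        elif a and today - last_alive <= STALE_AFTER:
            classes[ip] = "scanned"
        elif a:
            classes[ip] = "stale"
        else:
            classes[ip] = "unscanned"
    return classes


def scan_targets_to_add(classes):
    """IPs the next active scan must include: blind spots and ghosts."""
    return sorted(ip for ip, c in classes.items() if c in ("unscanned", "reappeared"))


if __name__ == "__main__":
    classes = reconcile(ACTIVE_SCAN, PASSIVE, DHCP_LOG, TODAY)
    for ip, c in classes.items():
        print("%-10s %s" % (ip, c))
    print("add to scan scope:", scan_targets_to_add(classes))
```

Two of the constructed hosts never appear in the active scan at all (a phone on DHCP and a freshly built VM); the retired NAS is back on the network. None of the three would show up in a report driven by the scanner alone, which is the point the passive and log sources exist to make.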

Page 33: Cutting Edge Approaches to Vulnerability Management

Major Challenges (Current and Future)

CURRENT CHALLENGES

1. Developing products for the small and medium-sized business markets.

2. Finding a unified scoring metric to determine the effectiveness of scanning accuracy. As with many of the enhanced vulnerability scoring matrices offered by VM service providers, time to remediation has to be part of the platform.

3. Automating more of the processes in vulnerability management.

4. Explaining goods and services within the context of the SANS (SysAdmin, Audit, Network, and Security) Top 20 Critical Security Controls (CSC).

FUTURE CHALLENGES

1. Extending the principles of vulnerability management to hybrid cloud environments.

2. Deciding which features are best integrated into vulnerability management products.

3. Building an infrastructure to account for the APAC region.

Page 34: Cutting Edge Approaches to Vulnerability Management

Frost & Sullivan Services, Community Contribution, and Network and Information Security Team Info

Page 35: Cutting Edge Approaches to Vulnerability Management

Next Steps

Develop Your Visionary and Innovative Skills: Growth Partnership Service

Share your growth thought leadership and ideas or join our GIL Global Community

Join our GIL Community Newsletter: Keep abreast of innovative growth opportunities

Phone: 1-877-GOFROST (463-7678) Email: [email protected]

Page 36: Cutting Edge Approaches to Vulnerability Management

Follow Frost & Sullivan on Facebook, LinkedIn, SlideShare, and Twitter

http://www.facebook.com/FrostandSullivan

http://www.linkedin.com/companies/4506


http://twitter.com/frost_sullivan


http://www.slideshare.net/FrostandSullivan

Page 37: Cutting Edge Approaches to Vulnerability Management

Your Feedback is Important to Us

Growth Forecasts?

Competitive Structure?

What would you like to see from Frost & Sullivan?


Emerging Trends?

Strategic Recommendations?

Other?

Please inform us by “Rating” this presentation.

Page 38: Cutting Edge Approaches to Vulnerability Management

For Additional Information

Chris Kissel

Industry Analyst

IT & Network Security, IRG-74

(623) 910-7986

[email protected]

Michael Suby

VP of Research

IT & Network Security, IRG-74

(720) 344-4860

[email protected]


Frank Dickson

Principal Analyst

IT & Network Security, IRG-74

(469) 387-0256

[email protected]

Chris Rodriguez

Senior Analyst

IT & Network Security, IRG-74

(210) 477-8423

[email protected]