ntxissacsc4 - introducing the vulnerability management maturity model - vm3

@NTXISSA#NTXISSACSC3

IntroducingtheVulnerabilityManagementMaturityModel- VM3

GordonMacKay- @gord_mackayChiefTechnologyOfficer

DigitalDefenseInc.October2016


Overview

• WhatisVulnerabilityManagementandhowhasitEvolved

• InsidetheCISO’sMind

• VulnerabilityManagementChallenges

• VulnerabilityManagementMaturityModel– VM3

• AcceleratingyourEvolution

• BringingitallTogether2


VulnerabilityManagement- Then

• ScanningtheNetworkOnceaYear

• ReportingonVulnerabilitiesMountainsofData

• FixingtheIssues OverwhelmingResources

3


VulnerabilityManagement- Now

• ManagementProcessOverview&Policy• DiscoverAssets/Applications

DataCenter,Cloud,Mobile

• DiscoverConsiderBusinessValue

• AssessWhat?Vulnerabilities,Configuration,People

• AssessHow?Unauthenticated,Authenticated,DAST,SAST

• PrioritizeFindingsBusinessValue,ThreatIntelligence,NetworkArchitecture

• AssignFindingsITOperations

• MeasureReport

4


VulnerabilityManagement– NowIntegratedSecurityEcosystem

5


CISOChallenges

• ThinkLikeaGeneralWhatisVulnerableNow?MinimizemyRisk

• ThinkLikeDetectiveWhereMightIAlreadyBeCompromised?NewlyDiscoveredThreatsRevealPossibleCompromisedAssets

6


HowModernCISOThinks– RealWorldLikeaGeneralandaDetective

HypotheticalUseCase:NewZeroDayImpactsApacheversion2.4.0– 2.4.22butfixedin2.4.23

7

Vulnerable Then Vulnerable Now Time


VulnerabilityManagementChallenges

• TooManyVulnerabilitiesHowtoPrioritize

• WhereisBusinessValueSituationalAwareness

• WhoOwnstheAssetsManyDifferentTeams

• ITSecurityandITOperationsHaveDifferentAgendas

• AccuracyofPastFindingsVMIntelligence

8


VMChallengeScan-to-ScanEndpointCorrelation

9

timeScan Week 1

ScanWeek 2

IP=192.168.40.6DNS HN= NoneNETBIOS HN= BlueMAC= Alpha

IP=192.168.40.7DNS HN= [email protected] HN= WhiteMAC= Undetected

IP=92.168.40.6DNS HN=crm.myorg.comNETBIOS HN= NoneMAC= Undetected

IP=192.168.40.5DNS HN= NoneNETBIOS HN= BlueMAC= Alpha

Asset A Asset B Asset C

Real World Network Assets

IP=192.168.40.5DNS [email protected] HN=NoneMAC= Undetected


PrevalenceofNetworkChurnDDIStudy

10

Source: https://www.ddifrontline.com/wp-content/uploads/2015/08/Network_Host_Reconciliation.pdf


VulnerabilityManagementMaturityModelVM3

WheredoIOperate?

11

Source: https://www.digitaldefense.com/vm3-whitepaper


VulnerabilityManagementMaturityMajorInfluencingFactors

• BusinessEnvironmentExecutiveManagementParticipationSecurityAwarenessBusinessITStructure

• PolicyRiskThresholdSetGoals(SLA)

• Discover&PrioritizeAssetsKnowYourBusinessCriticalAssets

• AssessType,Depth,Breadth,Frequency

12


VulnerabilityManagementMaturityMajorInfluencingFactors

• PrioritizeFindings• VulnerabilitySeverity,AssetCriticality,

ThreatIntelligence,AttackPath

• Remediate• WhoareAssetOwners?• SecurityOperationsvsITOperations• Remediation/MitigationSpeed?

• Measure– Report• Measure/ReportvsSetGoals• MeasureRisk• LearnandEvolveBasedonMeasurements

13


ManagedServiceVulnerabilityManagementCanHelp

• DesignandBuild• DiscoverNewAssetsOngoingBasis• Examine,Re-examineBusinessCriticality• Design,BuildAssessments

VaryingTypes,Depth,Breadth,Frequency

• Operate• PrioritizeFindings

Understandwhichvulnerabilitiesyoushouldtakeon• ManagedServiceHelpsBridgeGapBetweenSecurityOperationsandIT

OperationsTeams• Report

Reportonwhatmatterstoyou

14


WrapUp

• VulnerabilityManagement– AnEvolvingProcess

• VMChallenges• Time– Scan-To-ScanEndpointCorrelation• PrioritizingFindings• AssetOwners?• BusinessCommunication– ITOpsvsSecurityOps

• VulnerabilityManagementMaturationModel• HigherMaturityLevels->LowerRisk

• AcceleratingYourVMEvolution

15


Questions?

Email:[email protected]:@gord_mackay

Support:[email protected]

16

@NTXISSA#NTXISSACSC3@NTXISSA#NTXISSACSC3

The Collin College Engineering DepartmentCollin College StudentChapteroftheNorthTexasISSA

NorthTexasISSA(InformationSystemsSecurityAssociation)

NTX ISSA Cyber Security Conference – October 7-8, 2016 17

Thankyou

ntxissacsc4 - introducing the vulnerability management maturity model - vm3

Internet