What Your Scanner Isn’t Telling You… A Holistic View of Threat and Vulnerability Management
“In today’s virtualized, complex data centers and networks, vulnerability management programs are more difficult to master…”
Eric Cowperthwaite, VP Advanced Security and Strategy, Core Security
Tim Callahan, Chief Information Security Officer, Aflac
Today’s Agenda
• Discuss the traditional approach to vulnerability management
• Take a look at a few ways to help mitigate critical “unspoken” threats
• Q&A session
Traditional Vulnerability Management Approach
• Asset-by-asset approach
• Scan and patch all vulnerabilities (difficult with today’s limited resources)
• Limited prioritization methods
• No accommodation for complex networks; no clear picture of how attackers will infiltrate
Data Overload…oh my!
There is so much to do, and the increased pressure doesn’t help:
o Data: vulnerabilities, networks, viruses, SIEM, IoT, etc.
o Regulations: required security, reports, mandatory activity
• Thousands of servers, tens of thousands of endpoints
• Hundreds of pages of vulnerability reports, no easy way to prioritize
• Most organizations are being breached by a combined approach: a social engineering attack quickly followed up by exploitation of an old vulnerability
• 99% of all successful attacks/breaches involve a vulnerability that is at least 1 year old
• 90% of all breaches involve a vulnerability that is 7 or more years old
(Source: 2015 Verizon Data Breach Investigations Report)
So, what can we do to mitigate critical “unspoken” threats?
Cut through the noise and innovate
• Engage new and different security skills; outsource critical skills
• Success is going to require innovation
• Must understand what the bad guy will do
• Must know where to expend resources
• Implement new technologies:
  o Analytics
  o Automation
  o Integration
Change the game to intelligent defense
Core Security…evolution (timeline slide)
• 1996: Core Security founded
• 2001: Core Impact Pro released
• 2011: Core Insight released
Axis labels on the slide: Penetration Testing / Vulnerability Management; Point Solution / Enterprise Platform
The Data Problem (diagram slide: Collect → DATA → Remediate)
Data sources shown: Scanning Tools (Nessus, MVM, IP360, Qualys, Nexpose, etc.); Application Security Scanning / Web App Security (Trustwave AppSpider, AppScan, Qualys, WebInspect, etc.); GRC, SIEM, Forensics, Anti-Virus, Logging
Consumers shown: Remediation, IT/Network Ops
The Problem:
• Mountains of data
• Thousands of vulnerabilities
• No relevance to business
The traditional solution:
• Try to patch everything
• Priority based on arbitrary scores
• No business context
Attack Intelligence Platform (diagram slide: Collect → Analyze → Remediate)
• Consolidate security data
• Simulate attack paths
• Prioritize business risk
• Validate vulnerabilities
Output: actionable information to Remediation / IT/Network Ops
Vulnerability management maturity levels (slide)
• Level 0: Non-existent
• Level 1: Scanning
• Level 2: Analysis & Prioritization
• Level 3: Assessment & Compliance
• Level 4: Attack Management
• Level 5: Business-Risk Management
From “Peak Data Overload” to “Effective Prioritization” (capability slide; labels as they appear on the slide)
Normalized Repository; Single Dashboard and Reporting; Exploit Prioritization; Attack Simulation; Validation; Critical Asset Risk; Vulnerability & Exploit Prioritization; Attack Path Planning; Web/Network Scanning; CVSS Scoring; Exploit Matching; Vulnerability Assessment
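The four platform steps (consolidate, simulate attack paths, prioritize business risk, validate) and the capability labels above describe a pipeline but not how it ranks anything. The script below is an added example written for this transcript; it is not Core Insight’s or any vendor’s code. It consolidates findings from two scanners into one repository, matches them against an exploit list, runs a breadth-first attack simulation from an Internet foothold over a reachability graph, and ranks each finding by the criticality of the assets its attack path exposes, with CVSS only as a tie-breaker. The CVE identifiers are real and carry their published NVD CVSS v2 base scores; the hosts, the reachability graph, the criticality values and the EXPLOITS set are constructed assumptions for the example.

```python
"""Added example (not Core Security's code): consolidate, exploit-match,
simulate attack paths and prioritize by critical-asset exposure.
Hosts, reachability, criticality and the exploit list are constructed."""
from collections import deque

# --- Constructed input --------------------------------------------------
# Findings as two scanners might report them: (host, CVE, CVSS v2 base).
# Scores are the published NVD v2 base scores; the hosts are fictional.
SCANNER_A = [
    ("web01", "CVE-2014-6271", 10.0),  # Shellshock
    ("app01", "CVE-2012-1823", 7.5),   # PHP-CGI argument injection
    ("db01", "CVE-2012-2122", 5.1),    # MySQL authentication bypass
]
SCANNER_B = [
    ("web01", "CVE-2014-6271", 10.0),  # same finding seen by scanner B
    ("hr01", "CVE-2015-1635", 10.0),   # HTTP.sys
    ("db01", "CVE-2012-2122", 5.1),
]
# Exploit matching: CVEs the attacker is assumed to have a working exploit
# for. Constructed for the example; in practice this comes from your own
# exploit intelligence (framework modules, vendor feeds, red-team results).
EXPLOITS = {"CVE-2014-6271", "CVE-2012-1823", "CVE-2012-2122"}
# Business context: asset criticality 1 (low) .. 5 (crown jewel), assumed.
CRITICALITY = {"web01": 2, "app01": 3, "db01": 5, "hr01": 3}
# Network reachability (assumed): which hosts can open connections to which.
REACHABLE = {
    "internet": ["web01", "hr01"],
    "web01": ["app01"],
    "app01": ["db01"],
    "hr01": [],
    "db01": [],
}


def consolidate(*scans):
    """Normalized repository: one record per (host, CVE), highest score kept."""
    repo = {}
    for scan in scans:
        for host, cve, score in scan:
            key = (host, cve)
            repo[key] = max(score, repo.get(key, 0.0))
    return repo


def exploitable(repo):
    """Exploit matching: only findings the attacker can actually use."""
    return {(h, c): s for (h, c), s in repo.items() if c in EXPLOITS}


def simulate(repo, foothold="internet"):
    """Breadth-first attack simulation. A host falls when a compromised
    neighbour can reach it and it carries an exploitable finding.
    Returns {host: (previous_host, cve_used)} for every host that fell."""
    usable = exploitable(repo)
    owned = {foothold: None}
    queue = deque([foothold])
    while queue:
        src = queue.popleft()
        for dst in REACHABLE.get(src, []):
            if dst in owned:
                continue
            steps = [(c, s) for (h, c), s in usable.items() if h == dst]
            if not steps:
                continue  # reachable but nothing exploitable: attacker stops
            cve = max(steps, key=lambda t: t[1])[0]  # strongest usable step
            owned[dst] = (src, cve)
            queue.append(dst)
    del owned[foothold]
    return owned


def attack_path(owned, target):
    """Walk predecessors back to the foothold: ordered (host, cve) steps."""
    path = []
    while target in owned:
        prev, cve = owned[target]
        path.append((target, cve))
        target = prev
    return list(reversed(path))


def prioritize(repo):
    """Rank findings by the criticality of the assets their attack path
    exposes; CVSS breaks ties. Findings on no attack path get priority 0.
    Returns [(host, cve, cvss, priority), ...] best-first."""
    owned = simulate(repo)
    exposure = {}
    for host in owned:
        for step in attack_path(owned, host):
            exposure[step] = max(exposure.get(step, 0), CRITICALITY[host])
    ranked = sorted(repo, key=lambda k: (exposure.get(k, 0), repo[k]),
                    reverse=True)
    return [(h, c, repo[(h, c)], exposure.get((h, c), 0)) for h, c in ranked]


if __name__ == "__main__":
    repo = consolidate(SCANNER_A, SCANNER_B)
    print("By CVSS alone:", sorted(repo, key=repo.get, reverse=True))
    print("By attack path to critical assets:")
    for host, cve, cvss, prio in prioritize(repo):
        print(f"  priority={prio} cvss={cvss:4} {host} {cve}")
```

On this constructed data the scanner’s CVSS order puts the 10.0 on hr01 at the top, but that finding has no matched exploit and hr01 leads nowhere, so it ranks last; the 5.1 on db01 ranks among the top three because it is the final step of a chain (web01 → app01 → db01) that ends on the crown-jewel asset. Validation, the fourth platform step, is what turns the EXPLOITS assumption into evidence: each step in a simulated path is a candidate for an actual penetration test.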
Thank you! Now it’s time for Q&A.
@coresecurity | blog.coresecurity.com | www.coresecurity.com
Eric Cowperthwaite, @e_cowperthwaite