PRIORITIZING VULNERABILITY REMEDIATION IN THE AGE OF THREAT DISCLOSURE OVERLOAD

Knowing which vulnerabilities to address first remains a major difficulty for IT security teams

Whitepaper




CONTENTS

INTRODUCTION

WHAT IS THE NATURE OF THREATS?

WHAT TO DO IN ORDER TO GAIN CONTROL OVER YOUR ORGANIZATION’S VULNERABILITY THREATS

THE QUALYS APPROACH TO SOLVING THIS PROBLEM

THREATPROTECT, POWERED BY VULNERABILITY MANAGEMENT AND ASSETVIEW

WHAT THREATPROTECT ADDS TO THE MIX
  The live feed
  Dynamic dashboard views
  Search engine
  Real-time threat data analysis from Qualys’ world-class research

THE BENEFITS OF THREATPROTECT AND THE QUALYS CLOUD PLATFORM


INTRODUCTION

One of the biggest challenges faced by information security teams today is how to effectively prioritize their vulnerability remediation work.

WHY? NEW VULNERABILITIES ARE DISCLOSED EVERY DAY, AMOUNTING TO THOUSANDS PER YEAR.

Burdened with this overload of vulnerability disclosures, infosec teams often get overwhelmed by the task at hand and throw up their hands in frustration. After all, no IT department has enough staff and resources to promptly patch every single vulnerability within their environment.

Faced with this quandary, disconcerted infosec teams may resort to well-intentioned but misguided approaches.

For example, they may heroically try to address 100 percent of the vulnerabilities that exist in their environment in a sequential manner. Or they may blindly stick to an arbitrary and outdated patching schedule that relies more on guesswork than on a true, objective risk assessment.

Unfortunately, neither approach works, because not all vulnerabilities are created equal. Some are inconsequential, while others can be catastrophic.

If you treat all vulnerabilities the same, and you assign the same priority level to each one, you will leave dangerous gaps open in your IT environment that attackers are actively trying to exploit. It’s like opting to fix your house’s garage door while there’s a fire burning in the kitchen.

This may sound like a simplistic analogy until you consider that 99.9 percent of the exploited vulnerabilities in 2014 had been disclosed more than a year earlier, according to the 2015 Verizon DBIR (Data Breach Investigations Report).

Infosec teams must be highly selective in their vulnerability remediation plan, strategically addressing the threats that represent the highest risk to their organization at any given point.

However, pinpointing the IT assets that must be patched with the greatest urgency is no easy task.


To clearly and precisely prioritize remediation work, infosec teams must correlate the steady stream of vulnerability disclosures against their organization’s IT asset inventory, a connect-the-dots process that requires intense data analysis.

In addition, this correlation risk analysis must be done around the clock. An obvious reason is that new vulnerabilities are disclosed constantly. But that’s not the only reason. Old vulnerabilities initially deemed low risk on the day of their disclosure can suddenly become a lot more dangerous due to factors that change later.

These factors can be both external and internal. Examples of external factors that could intensify the severity of an existing vulnerability are the release of an exploit kit for it, or its sudden association with a particularly vicious type of malware tied to, say, ransomware.

Meanwhile, a vulnerability’s danger could be exacerbated by an organization’s internal changes as well. For example, an IT asset that previously played a minor role could attain a more prominent position within the IT environment, thus making its vulnerabilities riskier than before. Or an IT asset could become more exposed to outside communications, increasing the likelihood that it could be targeted by hackers. In fact, it’s common for organizations to overlook the potential security impact of internal changes such as these.

Thus, infosec pros tasked with vulnerability remediation face a complex threat landscape that’s always shifting and changing. As a result, they need clear, precise and continuous real-time information about the vulnerabilities present in their IT assets so that they can establish strategic remediation priorities.


WHAT IS THE NATURE OF THE THREATS?

Although targeted cyber attacks, such as customized advanced persistent threats (APTs), get a lot of attention because they are particularly sinister and sophisticated, most breaches are caused by automated, relatively unsophisticated attacks. These wholesale “spray and pray” attacks seek to compromise known vulnerabilities that organizations may have left unpatched. While pedestrian, these attacks work very well for the bad guys.

“While 2015 was no chump when it came to successfully exploited CVEs, the tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies,” reads Verizon’s 2016 Data Breach Investigations Report (DBIR). “Hackers use what works and what works doesn’t seem to change all that often. Secondly, attackers automate certain weaponized vulnerabilities and spray and pray them across the internet, sometimes yielding incredible success.”

This reality highlights how important it is for infosec teams to sharpen their vulnerability management processes and technology. If an infosec team patches, remediates and mitigates the right vulnerabilities at the right time, their organization will avoid falling prey to most cyber attacks.

IT’S A PROCESS AKIN TO GETTING VACCINATED: Fixing vulnerabilities immunizes IT assets against breaches. An attack that attempts to exploit a particular vulnerability fizzles if it hits an IT asset where that vulnerability has been patched.

With proper vulnerability management and remediation, organizations can make their IT infrastructure and individual assets robust enough to withstand the daily attacks that seek to exploit unpatched gaps.


WHAT TO DO IN ORDER TO GAIN CONTROL OVER YOUR ORGANIZATION'S VULNERABILITY THREATS

Organizations engage in vulnerability management with the ultimate goal of not getting breached. This may sound too obvious, but the reality remains that most successful breaches exploit disclosed vulnerabilities for which a patch exists. The problem remains a big one for many companies.

Here are several key steps required for getting control over your IT environment’s vulnerabilities.

DISCOVER ALL OF YOUR IT ASSETS, NOT JUST A FEW SELECT SYSTEMS AND APPLICATIONS. Cloud-hosted workloads and mobile devices, such as laptops and tablets, must be detected. Then you map all your vulnerabilities. This process of discovering assets and mapping vulnerabilities has to be done continuously.

VISUALIZE YOUR IT INVENTORY AND THREAT LANDSCAPE via reports, graphs, charts, lists and ad hoc search queries. You should be able to drill down, and slice and dice this data, as well as share it with others.

ESTABLISH REMEDIATION PRIORITIES so that you can stay a step ahead of attackers by patching or mitigating the vulnerabilities that represent the highest risk to your organization at any given point in time.

CARRY OUT THE ACTUAL FIXES.


Only with this knowledge will an organization be able to perform timely and precise vulnerability management. It’s necessary to take into account not only external threat data but also weigh it against the organization’s particular IT architecture and technology requirements.

For example, just because a severe vulnerability has been disclosed doesn’t necessarily mean that an organization needs to drop everything and patch it on its affected systems. The infosec team needs to ask what would be the impact to their organization if that vulnerability were exploited.

Even though a vulnerability is considered generally severe, it may be that in a particular organization it would only harm an isolated, non-essential test server. If that’s the determination, then that organization’s infosec team may choose to rank it as a low priority for remediation.

Likewise, a vulnerability considered a low risk for several months may suddenly become critically dangerous if an exploit kit is released for it and it starts to be actively attacked in the wild. This scenario often catches organizations off guard, because vulnerabilities often drop off their attention radar in the weeks and months after their initial disclosure.


THE QUALYS APPROACH TO SOLVING THIS PROBLEM

A market leader in vulnerability management and a pioneer in cloud-based security, Qualys thought long and hard about the challenge of prioritizing vulnerability remediation and has released a product designed to help organizations get this problem under control.

It’s called ThreatPROTECT, and it was designed to be tightly integrated with the Qualys Cloud Platform and suite of security and compliance applications, in particular with the core Vulnerability Management and AssetView solutions.

Qualys’ Vulnerability Management and AssetView take care of vulnerability discovery and detection and of IT asset inventories, respectively, while ThreatPROTECT takes that data, digests it, analyzes it, classifies and categorizes it, and correlates it with external threat disclosures.

The result: Infosec teams get a comprehensive, holistic and continuously updated view of their IT asset vulnerabilities, presented in a clear dashboard so that they can prioritize and actively decide which IT assets need to be fixed right away.

This decision-making process will be rooted in concrete, up-to-date, actionable data, not on hunches, guesswork or on misguided and outdated remediation schedules.


THREATPROTECT, POWERED BY VULNERABILITY MANAGEMENT AND ASSETVIEW

The combined capabilities of ThreatPROTECT, AssetView and Vulnerability Management give infosec teams a comprehensive, continuously updated view of all of their IT assets, whether they are on premises or in the cloud, and permanently or intermittently attached to their corporate network.

It’s critical for IT departments to have an exhaustive inventory of their IT assets and a complete, unobstructed view of their IT environment at all times, from high-end systems to mobile endpoint devices. Organizations can’t have invisible assets lurking inside their corporate network, because it’s what you don’t know you have that ruins your remediation efforts.

A rogue IT asset whose existence you ignore is likely to become your weakest link because it may contain critical vulnerabilities that could be exploited at any moment without your knowledge. With Qualys, your IT assets are all either proactively scanned or continuously monitored by Qualys agents, and they are always accounted for.

But you don’t just get a complete list of your IT assets. You also get component and configuration details on each one, and the ability to drill down into each one to obtain granular, precise asset data. We also help you understand the role of each asset in your overall IT environment and how valuable and important each one is to your organization.

All of these data points, which amount to your IT environment’s underlying foundation, are critical for assessing an IT asset’s vulnerability risk. Without this information, an organization’s attempts at prioritizing vulnerability remediation will be imprecise and very likely ineffective because they will be based on incomplete knowledge.


WHAT THREATPROTECT ADDS TO THE MIX

ThreatPROTECT provides a clear, at-a-glance, comprehensive view of your organization’s threat landscape through its holistic dashboard with customizable views, graphs, charts, search engine and real-time feed of the latest vulnerability disclosures.

THE LIVE FEED

ThreatPROTECT’s Live Threat Intelligence Feed keeps organizations up to date on the latest vulnerability disclosures and news. In addition to listing the latest vulnerability announcements and details, it also displays how many of your IT assets are impacted by each disclosure, thanks to the product’s powerful data correlation capabilities.

You can click on feed entries and drill down into more granular details of a particular vulnerability and of the affected IT assets. You can also fine-tune and narrow down the feed list by filtering and sorting items according to a variety of criteria.

DYNAMIC DASHBOARD VIEWS

In addition to the live feed, the ThreatPROTECT dashboard also contains dynamic, customizable views displaying specific stats, such as assets with active zero-day vulnerabilities. As with the live feed entries, you can click through them and access more information about the assets flagged as vulnerable.


SEARCH ENGINE

ThreatPROTECT’s search engine offers you a powerful tool when you want to proactively go looking for specific assets.

Queries can contain multiple variables and criteria, such as asset class, vulnerability type, operating system and the like. Search results can then be further sorted and refined using a variety of filtering criteria.

These ad hoc search queries can be saved and turned into permanent dashboard views, so you don’t have to run the same query every time you want to know, say, which Windows 10 PCs have unpatched Adobe Flash vulnerabilities.

REPORTS, GRAPHS, CHARTS, NOTIFICATIONS

With ThreatPROTECT you can generate reports, graphs and charts for display on your dashboard, as well as for sharing them with colleagues.

ThreatPROTECT can also generate and send you notifications when used in conjunction with the Qualys Cloud Platform’s Continuous Monitoring application.

ThreatPROTECT lets organizations create customized dashboards tailored for different IT roles, and makes it possible to easily and quickly share reports across the IT department, so that the need to remedy critical vulnerabilities can be swiftly communicated to those responsible for patching the affected system.


REAL-TIME THREAT DATA ANALYSIS FROM QUALYS’ WORLD-CLASS RESEARCH

Qualys’ global team of researchers is constantly monitoring and tracking RTI (real-time threat indicator) data points, such as attacks and exploits. But these Qualys experts go much deeper into the data, analyzing it in depth to further classify these RTIs into more precise categories.

Qualys researchers provide integrated vulnerability intelligence information leveraging a number of sources such as Core Security, Exploit Database, Immunity, Trend Micro and Verisign iDefense.

REAL-TIME THREAT INDICATORS:

ZERO DAY: A vulnerability for which there is no vendor patch available and for which an active attack has been observed in the wild

PUBLIC EXPLOIT: A vulnerability whose exploit knowledge is well known and for which exploit code exists and is publicly available, even if no active attacks have been observed in the wild

ACTIVELY ATTACKED: A vulnerability that is being actively attacked in the wild

HIGH LATERAL MOVEMENT: A vulnerability that, if compromised, lets the attacker propagate the attack broadly throughout the breached network

EASY EXPLOIT: A vulnerability that can be exploited easily, requiring few skills or little knowledge

HIGH DATA LOSS: A vulnerability whose exploit will yield massive data loss

DENIAL OF SERVICE: A vulnerability whose payload could overload the compromised systems so that they become permanently or temporarily unavailable

NO PATCH: A vulnerability for which there isn’t a fix from the vendor

MALWARE: A vulnerability associated with malware infection

EXPLOIT PACK: A vulnerability for which an exploit pack is available

This valuable RTI context appears both in the ThreatPROTECT dashboard and in its live feed. This threat categorization is essential to have in order for infosec teams to prioritize remediation in a way that is truly effective and precise.
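A worked example of the prioritization logic the paper argues for (weighing a disclosure's severity against the asset's internal role and exposure, then re-scoring when external threat context changes later) and of the RTI categories just listed, as added Python that is not Qualys code; the weights, asset names and CVE-style identifiers are constructed assumptions.

```python
"""Rank findings by correlating internal asset context with external
threat context (the whitepaper's real-time threat indicators, RTIs).
Added example, not Qualys code: weights, assets and ids are constructed."""
from dataclasses import dataclass, field

# Weights for the RTI categories the whitepaper lists (assumed values).
RTI_WEIGHTS = {
    "zero_day": 4.0, "actively_attacked": 3.0, "exploit_pack": 3.0,
    "public_exploit": 2.0, "malware": 2.0, "easy_exploit": 1.5,
    "high_lateral_movement": 1.5, "high_data_loss": 1.5,
    "denial_of_service": 1.0, "no_patch": 1.0,
}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 = isolated test box .. 5 = core business system
    internet_exposed: bool  # reachable from outside the corporate network


@dataclass(frozen=True)
class Finding:
    cve: str                # constructed placeholder ids, not real CVEs
    asset: Asset
    severity: int           # scanner/vendor severity 1..5, fixed at disclosure
    rtis: frozenset = field(default_factory=frozenset)


def risk_score(f: Finding) -> float:
    """Severity x internal context (role, exposure) x external context (RTIs).
    A finding with no RTIs keeps its base weight, so nothing scores zero."""
    internal = f.asset.criticality * (2.0 if f.asset.internet_exposed else 1.0)
    external = 1.0 + sum(RTI_WEIGHTS.get(r, 0.0) for r in f.rtis)
    return f.severity * internal * external


def prioritize(findings):
    """Most urgent first; sorted() is stable, so ties keep input order."""
    return sorted(findings, key=risk_score, reverse=True)


def reprioritize_on_rti(findings, cve, new_rtis):
    """Re-rank after a disclosure changes later (e.g. an exploit pack appears)."""
    updated = [Finding(f.cve, f.asset, f.severity, f.rtis | frozenset(new_rtis))
               if f.cve == cve else f for f in findings]
    return prioritize(updated)


# Constructed sample inventory and findings.
TEST_SERVER = Asset("test-srv-01", criticality=1, internet_exposed=False)
PAYMENT_API = Asset("payments-api", criticality=5, internet_exposed=True)
FILE_SHARE = Asset("fileshare-02", criticality=3, internet_exposed=False)
SAMPLE = [
    Finding("CVE-0000-0001", TEST_SERVER, severity=5),  # severe, but isolated test box
    Finding("CVE-0000-0002", PAYMENT_API, severity=3, rtis=frozenset({"public_exploit"})),
    Finding("CVE-0000-0003", FILE_SHARE, severity=2),   # "low risk" at disclosure
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve} on {f.asset.name}: {risk_score(f):.1f}")
    # Months later an exploit pack ships and attacks are seen in the wild.
    for f in reprioritize_on_rti(SAMPLE, "CVE-0000-0003", {"exploit_pack", "actively_attacked"}):
        print(f"{f.cve} on {f.asset.name}: {risk_score(f):.1f}")
```

The severity-5 finding on the isolated test server ranks last, and the severity-2 file-share finding jumps from 6.0 to 42.0 once the exploit pack and in-the-wild attacks are recorded.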


THE BENEFITS OF THREATPROTECT AND THE QUALYS CLOUD PLATFORM

Traditional enterprise security tools that narrowly focus on protecting the corporate network perimeter fall short in today’s world where organizations have embraced cloud computing and mobility, creating new cyber security, regulatory and compliance challenges and requirements.

Workloads — applications, middleware, databases — are increasingly moving to public, private and hybrid clouds, replacing on premises servers. Mobile devices such as laptops and tablets are the new endpoints, displacing desktop PCs.

ThreatPROTECT, and the Qualys applications suite that it's a part of, are cloud based. This architecture gives customers:

• Continuous discovery of IT assets wherever they are
• Real-time, distributed collection of vulnerability data
• A powerful correlation analytics engine on the backend that pinpoints which vulnerabilities represent the highest risk to an organization at any given point

THE RESULT: CONTINUOUS SECURITY & COMPLIANCE


With ThreatPROTECT, infosec teams get a holistic and contextual view of their threat landscape and they’re able to discover and prioritize the remediation of vulnerabilities that pose the greatest risk to their company. ThreatPROTECT quickly and accurately pinpoints assets across an organization’s entire IT environment that have the highest exposure to the latest threats.

An IT department that is overwhelmed by the constant deluge of vulnerability disclosures generated every day and that lacks visibility into the organization’s IT assets won’t be able to fix the most critical security gaps in a timely manner. Time and speed are of the essence when you need to tie in external and internal vulnerability data, connect the dots and flag the IT assets that are most at risk at any given time.

An organization that fails to properly prioritize vulnerability remediation is in danger of falling prey to potentially devastating exploits which could harm critical operations, tarnish its brand and reputation, repel customers and damage its financial performance.

If you can’t flag danger spots continuously and in real time, cyber criminals could cripple the computing tools your employees need to design, market, sell and support your products and to interact with your customers and partners.

ThreatPROTECT fine-tunes your IT department’s vision and guides it with actionable intelligence through the process of closing security holes in a timely, precise and strategic manner.


ThreatPROTECT is integrated with the Qualys Cloud Platform, which is used by more than 8,800 organizations, including a majority of the Forbes Global 100 and Fortune 100, to continuously discover and secure their IT assets, including:

• Vulnerability Management
• AssetView
• Continuous Monitoring
• Policy Compliance
• Web Application Scanning
• Web Application Firewall
• Malware Detection

FOR A FREE TRIAL VISIT www.qualys.com/trial

© 2016 Qualys, Inc. All rights reserved.