Gidi Cohen CEO and Founder, Skybox Security Infosec London, April 2013 Best Practices for Next-Generation Vulnerability Management

Best Practice Next-Generation Vulnerability Management to Identify Threats, Eliminate Risk and Prevent Attacks

Jan 15, 2015

Skybox Security

Speaker: Gidi Cohen, CEO & Founder, Skybox Security
Infosec Europe 2013

To effectively reduce the risks of cyber-attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks on an ongoing basis. This is required in order to match or exceed the daily rate of attacks. Why bother to assess your risks every 90 days if you are attacked daily and your infrastructure changes frequently? The session will tackle next-generation vulnerability management strategies and best practices to: ensure that vulnerability data is current and accurate; prioritize based on risk to the business; develop a remediation strategy that works; and make vulnerability management an essential part of daily change management processes.

• Understand how to link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks

• Have real-world examples of organizations that implemented vulnerability management best practices to effectively and measurably reduce risk

• Be armed with pragmatic steps to implement next-generation vulnerability management to eliminate risks and prevent cyber attacks
Transcript
Page 1: Best Practice Next-Generation Vulnerability Management to Identify Threats, Eliminate Risk and Prevent Attacks

Gidi Cohen

CEO and Founder, Skybox Security

Infosec London, April 2013

Best Practices for Next-Generation Vulnerability Management

Page 2

© 2013 Skybox Security Inc. 2

Skybox Security Overview

Predictive risk analytics for best decision support

Complete visibility of network and risks

Designed for continuous, scalable operations

Leader in Proactive Security Risk Management

Proven Effective in Complex Network Environments

Page 3

Vulnerability Management is Not Dead

… It Is Just Not Working

Risk Levels Keep Rising

Compliance, continuous monitoring

Proliferation of mobile, cloud

Protect against financial loss due to cybercrime

Deal with advanced threats, targeted attacks

Need to secure new services and users

Page 4

Is Your Vulnerability Management Program Keeping Pace?

Then

Now

Find Analyze Fix

Page 5

2012 Survey Highlights the Vulnerability Discovery Gap

[Chart: scan frequency (cycles / year, 0 to 350) against % of network scanned (60% to 90%)]

How often do you scan? How much coverage?

Critical systems, DMZ

Scan every 30 days

50-75% of hosts

To keep pace with threats?

Daily updates

90%+ hosts

?

Page 6

We just don’t need to scan more

Unable to gain credentialed access to scan portions of the network

The cost of licenses is prohibitive

Some hosts are not scannable due to their use

We don't have the resources to deal with broader patching activity

We don’t have the resources to analyze more frequent scan data

We are concerned about disruptions from scanning 59%

58%

41%

34%

29%

12%

5%

Reasons that respondents don’t scan more often

Disruptive, Inaccurate Picture of Risk

Challenges with Traditional Scan Approach

Page 7

All vulnerabilities in environment

30,000

Identified by scanner

50-75%

Naïve Analysis Results in Costly and Ineffective Remediation

Attack vectors using exploitable vulnerabilities

Patch/Fix

Unneeded patching

Page 8

Now

First Generation Vulnerability Management Processes Are No Longer Effective

30-60 days to scan and catalog 75% of vulnerabilities

2-4 weeks to analyse, and still get it wrong

60 days to patch, £200,000 per year

Cycle Time: Typically 2-4 months

New vulnerabilities, threats, changes: Hundreds per day

Result: Risk level never reduced

Find Analyze Fix

Big Disconnect …

Page 9

Self-Test:

What are Your VM Program Challenges?

Discover

Analyse and Prioritise

Mitigate

How often is vulnerability data collected?

How much of the network is covered?

Is scanning disruptive to the business?

Are you able to find alternatives to patching?

Do you prioritise by possible business impact?

Are you considering the network context?

Is risk level increasing or decreasing over time?

Continuous, Automated, Scalable?

Page 10

Discover

Analyse and Prioritise

Mitigate

Introduction to Next Generation Vulnerability Management

Non-disruptive discovery

Scalable

Automated analysis

Risk-based prioritisation

Using network and security context

Actionable

Optimal

Easy to track

Scalable Program to Address Critical Vulnerabilities Continuously and Efficiently

Page 11

Vulnerability Discovery: Use the Right Approach for Your Network

Asset Data

Patch Data

Threat Intel.

Active Scanning

Non-disruptive Scan-less Detection

Continuous identification

Relevant vulnerabilities

Infrequent scanning

Large number of vulnerabilities

Page 12

All vulnerabilities in environment

30,000

Identified vulnerabilities

90+%

Automated Analysis – Attack Surface, Exploitable Attack Vectors, Risks

Prioritise by potential impact

Attack Surface

Patch/Fix

Efficient remediation

Page 13

Risk Analytics: Modeling and Attack Simulation to Find Exploitable Vulnerabilities

Compromised Partner

Attack Simulations

Rogue Admin

Internet Hacker

Page 14

Actionable Remediation Process, Leveraging Attack Vectors Information

Install security patch on server

Change firewall access rule

Activate signature on IPS

Page 15

High Level Visibility for Vulnerability Management

Monitor Impact and Risk Metrics over Time

Most Critical

Actions

Vulnerabilities

Threats

Page 16

Comparison – Old and Next Generation VM

Area | Old Generation | Next Generation

Discovery | Scanning only | Scan-less discovery + scanning

Analysis | Manual; inaccurate | Automated; risk-based

Remediation | Hit & miss with patching | Optimal risk mitigation

Scope | Limited to traditional assets | Enterprise-wide program

Automation | Only scanning; cycle time 2-4 months | From A-Z; continuous process

Effectiveness | Costly program; little benefits | Optimal risk mitigation

Page 17

In Summary – Steps to Effective Vulnerability Management

Ensure Frequent & Complete Knowledge of Your Vulnerabilities

• Increase coverage of vulnerability assessment

• Increase frequency of vulnerability discovery

Use Risk Analytics to Determine the Exposure

• Know what’s really exploitable in your network

• Rank by business impact, end unnecessary patching

Close the Loop with Optimal Mitigation and Effective Tracking

• Evaluate alternatives to patching

• Verify impact on risk, and track progress

Page 18

Thank you

www.skyboxsecurity.com