Archive for February, 2010|Monthly archive page
Completing the picture for a risk-based approach to vulnerability management
Filed under: Best Practice, Technology | Tags: risk, Risk Management, Threat And Vulnerability
Leave a Comment 
Pravin Kothari
What’s the essential first step for a successful vulnerability management program?
In the last posting, we started talking about the challenges facing vulnerability management (VM) programs. Today, we’ll look at the all-important starting point: gathering all relevant vulnerability information from several sources: scanners, threat feeds, advisories, asset context, etc. The right information can help drive countermeasure decisions in an efficient and risk-based manner.
Vulnerability assessment tools (known generally as scanners) provide a lot of data (with a lot of noise), but at the same time they are missing a ton of information required for VM programs. Scanners cannot get to significant number of vulnerabilities, due to installed security on the network, servers and desktops.
Scanners are not enough.
Running only network-based and web-application vulnerability assessment tools is not enough to find all vulnerabilities as scanners do not touch software applications installed on the host. You will also need to scan the host for vulnerabilities, such as configuration checks for installed software applications and the OS.
Vulnerability assessment is a necessary part of a VM program whether it’s network, application and host-based scanner, but even that is not sufficient. You cannot rely only on vulnerability assessment. You need to bring in information from several other sources.
One excellent source is the NIST National Vulnerability Database (NVD) database of vulnerabilities—it is industry standard, continuously updated, and freely available. It’s a master repository of all published vulnerabilities by vendors, by users and research organizations. That information can be filtered to be relevant to technologies deployed in your environment. For example, if you know you have Firefox v3.5 on selected systems in your environment, you can use NVD’s latest Firefox v3.5 vulnerabilities to identify all affected systems without running a scan. Such complementary techniques are valuable when scanners are unable to fully scan some hosts and installed software. NVD also provides additional vulnerability attributes to help risk scoring.
Another key piece of information is an external threat intelligence feed, which includes new vulnerabilities discovered by security researchers, underground forums, law enforcement, and others. It also has information about what’s going on in the wild and whether an exploit is available for a given vulnerability – all that information can drive risk-scoring and prioritization. There are also commercial feeds available from VeriSign, Symantec, and so on, that provide advance notice and early warnings on emerging threats – resulting in solid 30 to 60days to deploy compensating controls before that vulnerability becomes public knowledge for exploitation or tested by a scanner.
Similarly, a prudent VM program should also include advisory reports that are provided by your vendors, such as Microsoft and Red Hat, that are relevant to your environment.
Are we missing any other important piece of information?
Yes, one of the most important pieces of information is the business context of target systems and applications. Business context includes how critical the target system is to the business, and its confidentiality, integrity and availability requirements. All the collected security information—vulnerability, threats, advisories, configuration issues, etc.—must be correlated with target systems’ business context for risk scoring and prioritization. Target systems should be linked to higher-level business processes, such as financial reporting, which may be subject to compliance requirements such as SOX.
Such business requirements and threat feeds play a key role in deriving the risk and priority of each vulnerability. A vulnerability affecting a server that stores credit card information should not be treated with the same priority as the same vulnerability affecting a server that stores publicly-available documents. Not having an efficient way of prioritizing vulnerabilities and threats can cause serious vulnerabilities to be buried behind more trivial ones, causing significant delays in remediation.
Seeing the whole picture
Basically, your vulnerability management program should aggregate information from aforementioned sources in order to adapt to the ever changing landscape of threats and to help you provide countermeasures in an efficient and risk-based manner.
Next time, we’ll continue to discuss Vulnerability Management as a key feature of new technology-focused automated GRC platforms. Also, we’ll talk about the next step: Making vulnerability lifecycle management smarter and more efficient with GRC platforms.
Martin Kuppinger blog: What business has to learn so that IT can align
Pravin Kothari
Martin is really on a roll now. 
A nice follow up from Martin about how security and business functions must be better aligned. This is very timely to my current series of blogs on a risk based approach to security management. GRC and security functions must be better aligned if an organization wants to excel.
Michael Rasmussen’s blog: What Is GRC?
Pravin Kothari
In the last 3 months there has been many threads and blog posts on-line trying to define GRC. Some bloggers and analysts go as far as saying GRC doesn’t exist. Michael Rasmussen’s latest blog offers some very nice ways to look at what GRC is.
Kuppinger Cole: Linking GRC to security
Filed under: Technology | Tags: GRC, Kuppinger Cole, Security
Leave a Comment Pravin Kothari
Here is a nice blog entry by Martin Kuppinger of Kuppinger Cole on the different layers of GRC and how GRC is intimately linked to security.
What’s next for vulnerability management? How to complete the picture?
Filed under: Best Practice, Technology | Tags: risk, Risk based security, Security, Threat And Vulnerability
Leave a Comment Pravin Kothari
Vulnerability assessment tools (VA tools or scanners) have been evolving from network-based to host-based to application scanners (web-apps and databases) and even to source code scanners. Tackling known exploitable vulnerabilities is an obvious activity towards managing risk and compliance. Enterprises have spent millions in vulnerability management as part of risk and compliance management programs. Yet, management is struggling to get visibility and answers for basic questions such as – are we focusing on risks that matter to our business? Are we in compliance? Are we secure enough? Is our sensitive data not vulnerable to breaches? They have started to realize that vulnerability assessment tools are just a piece of the broader risk and compliance management puzzle.
Some of the challenges facing vulnerability management programs are the following:
First of all, scanners do not have complete information. There are multiple scanners in deployment – each providing report of its own world. On the other hand, there are number of vulnerabilities that scanners cannot get to due to installed security on servers and desktops. Also, scanners usually focus on open ports and network accessible vulnerabilities, and not as much on installed software vulnerabilities. Moreover, scanners do not address “zero day” / “early warning” vulnerabilities. Subscribers of “Early Warning” advisory services, such as VeriSign iDefense, end up with manually reviewing advisory alerts and are unable to track affected systems and software in their environment.
Second, scanners do not connect the dots. For instance, they do not usually have access to business context of target systems and applications, such as Confidentiality-Integrity-Availability-etc. requirements. A vulnerability affecting a server that stores credit card information should not be treated with the same priority as the same vulnerability affecting a server that stores publicly available documents. Prioritization needs to take business details of the affected asset into consideration. Scanners generate a lot of data, often too much noise for the user to properly review and address in a timely manner – which exacerbate the issue especially with multiple scanners. Not having an efficient way of prioritizing vulnerabilities can cause the real serious vulnerabilities to be buried behind more trivial ones, causing significant delays in remediation.
Once a vulnerability is identified, its tracking and remediation process is often manual and error prone as it relies on a patchwork of disconnected technologies. The process typically starts with a human review of the found vulnerability and ends up with user prescribing a remediation action, which usually takes the form of a helpdesk ticket. Tracking of the ticket is again a separate process and it does not loop back to the vulnerability management. If remediation is done by a patch management system, it also does not loop back with vulnerability management.
Lastly, vulnerability scanners do not correlate vulnerabilities with the compliance requirements, compensating controls and GRC programs, which are ironically partially funding the vulnerability management. Compliance and risk professionals end up manually copying-and-pasting vulnerability information in their control testing documentation.
Vulnerabilities, configurations, remediation and compliance are managed in functional silos and reported up in silos. Information is all available but they are in disparate systems. Enterprises are starting to realize that manual processes and incomplete silos prevent a unified view and clean picture, and result in duplicate efforts and high cost. They see a need to connect the dots, correlate vulnerability information with configuration, remediation, risk and compliance information.
Next time we will discuss how new technology-focused automated GRC platform can address these challenges.
