
Vulnerability Management Dimension Data – Tom Gilis 24 November 2011.


1 Vulnerability Management Dimension Data – Tom Gilis 24 November 2011

2 Dimension Data Belgium - Security Consulting – Advisory & Assurance (Vulnerability Management, 21/08/2015)
Security Advisory services are Governance, Risk and Compliance oriented consultative engagements focusing on the organisational and strategic aspects of Security Management. They cover requirements such as Business Impact Analysis, Risk Assessment, Best Practices Gap Analysis and Policies and Procedures, to name only a few.
Security Assurance services are engagements where our customers rely on our technical expertise to gauge their security posture against a defined security standard, or to obtain a 'bird's eye view' of where hackers may exploit weaknesses. Services range from Penetration Testing, Vulnerability Assessment and Management to Source Code Analysis, across a very broad technology spectrum.

3 Problem Statement - A day in the life of an IT Officer
Questions:
How do I manage the privacy of the corporate data?
Are my endpoints a risk to my corporate network? Are they subject to targeted attacks?
How do I demonstrate compliance with standards and regulations?
How do I maintain our security standards when outsourcing?
How can I show the value of security within my organisation?
Can I combine the new business requirements and uphold a strong, secure network environment?
…

4 Problem Statement – Security Landscape
The threat landscape is becoming more and more sophisticated, while technology environments continue to be very complex.
New vulnerabilities are found every day: far more research is being done into vulnerabilities and security weaknesses. "On average, about 3000 vulnerabilities per year get reported to CERT and only about 10% are published." (CERT)
Source : http://www.gfi.com/blog/wp-content/uploads/2009/10/Florian-graph.JPG

5 Problem Statement – Security Landscape
The threat landscape is becoming more and more sophisticated, while technology environments continue to be very complex.
Increase in attacks at the application layer: every 1,000 lines of code averages 15 critical security defects (US Department of Defense).

6 Problem Statement – Security Landscape
The threat landscape is becoming more and more sophisticated, while technology environments continue to be very complex.
Change in malicious attacks:
Increased professionalism and commercialisation of malicious activities
Threats that are increasingly tailored for specific regions
Increasing numbers of multi-staged attacks
More targeted attacks with bigger financial loss

7 Problem Statement – Security Landscape
Compliance pressure and stringent legal requirements continue to drive security focus.
Compliance explicitly calling for vulnerability management and security assessments: ISO 27001/27002, PCI DSS v2.0, SOX Section 404, GLBA, HIPAA, FISMA, NIST 800-53, NIST 800-64, CBFA Circular 2009_17 (Belgian financial-sector regulator)...
Assessment activities called for: Vulnerability Management, Penetration Testing, Source Code and Binary Code Review...

8 Problem Statement – Security Landscape

9 Problem Statement – Security Landscape
Compliance pressure and stringent legal requirements continue to drive security focus.
Compliance explicitly calling for vulnerability management and security assessments:
PCI DSS : Req. 11 - Regularly test security systems and processes
ISO 27002 : 12.6.1 - Control of technical vulnerabilities
Directive 95/46/EC of the European Parliament : the principle of security (security of processing)

10 A Strategic Approach - Determine Risk Level
How do you consistently calculate risk across a diverse enterprise?
o 'Finger in the air'
o Who shouts the loudest?
o Excel
o CVSS (Common Vulnerability Scoring System)
o …
Can you do this in an automated and repeatable manner?
Is this used to help prioritise your remediation efforts?
…

11 A Strategic Approach - Implement appropriate protection
How fast can your organisation deploy a patch to all affected systems?
Is it more cost effective to protect first and fix later?
What is the most effective tool to mitigate the risk?
Example: patch management savings of one of the largest security vendors in the world. Vulnerability Management helped them decide whether or not to patch, depending on the type of attacks, the type of vulnerabilities, whether systems are affected by specific attacks, and the control mechanisms in place.

Typical Savings                                2005    2006
Number of patch cycles                           19       9
Number of people assigned to patch operations    41      19
Average hours per patch cycle                    73      68
Total FTE                                        27     5.6

12 A Strategic Approach - Reducing overall IT Security Risk
Targeted (near-day mitigation): new, critical vulnerabilities; key assets
Bottom-up (scan and remediate): assess vulnerability state; remediate detected vulnerabilities
Top-down (policy audit and enforcement): define asset baseline; define security baseline; enforce IT security configuration

13 A Strategic Approach
We need something that...
provides continuous insight into the security posture of an external or internal infrastructure
helps us stay in control and measure security maturity and progress in between extended assessments, e.g. an annual Penetration Test
automates the fight against vulnerabilities, which is crucial for success: a manual detection and remediation workflow is too slow, too expensive and ineffective
can be used to drive the internal Patch Management process and provides valuable information to decide on priorities
consolidates proactive and reactive security controls
demonstrates compliance and control
……

14 Vulnerability Management - What is VM?
"Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities."
"Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners."
Source : Wikipedia

15 Vulnerability Management - The 6 Steps of Vulnerability Management
1. Discover and inventory assets
2. Categorise and prioritise assets
3. Scan for vulnerabilities
4. Report, classify and rank risks
5. Remediate – apply patches, fixes and workarounds
6. Verify – re-scan to confirm fixes and verify security

16 Vulnerability Management - The 6 Steps of Vulnerability Management
1. Discover and inventory assets
Establish a baseline of all assets:
o IP devices connected to the network
o Software, applications and services
o Individual configurations, latest software release, patches, etc.
2. Categorise and prioritise inventory
By measurable business value
By potential impact on business availability
Establish interrelations between systems and services

17 Vulnerability Management - The 6 Steps of Vulnerability Management
3. Scan for vulnerabilities
Scan assets against a comprehensive, industry-standard database of vulnerabilities; this increases the accuracy of scanning and minimises false positives
Automated scanning keeps you up to date, is accurate, and scales globally to the largest networks
Tests the effectiveness of security policy and controls by examining the network infrastructure and applications for vulnerabilities

18 Vulnerability Management - The 6 Steps of Vulnerability Management
4. Report, classify and rank risks
Create manual or automated reports and distribute them to the respective stakeholders
Maintain an overview for instant risk analysis
Prove compliance with regulations

19 Vulnerability Management - The 6 Steps of Vulnerability Management
5. Remediate
Apply patches, updates and fixes, or install workarounds to mitigate the risk
Use a remediation workflow tool to automatically generate and assign tickets and ensure follow-up and remediation
Pre-test all patches, etc. in your organisation's test environment before deployment

20 Vulnerability Management - The 6 Steps of Vulnerability Management
6. Verify – re-scan to confirm fixes and verify security
Re-scan to verify applied patches and confirm compliance
Update the remediation workflow and the asset baseline
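Steps 5 and 6 hinge on one mechanical check: after remediation, the re-scan is diffed against the baseline scan so that each finding can be closed, kept open or newly ticketed, and the asset baseline is updated with anything the re-scan saw that the inventory did not know about. The following added example (not part of the original presentation) implements that diff. Findings are keyed by (host, port, vulnerability id), the identity a scanner export would give them; the inventory and both scan results are constructed sample data.

```python
"""Verify remediation by diffing a baseline scan against the re-scan (step 6).

Added example for this section; not the presentation's own material. The
finding records and host inventory below are constructed sample data. A real
scanner export would be mapped onto the same (host, port, vuln_id) key.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    port: int
    vuln_id: str     # scanner plugin id or CVE: the stable identity of a finding
    severity: str

    @property
    def key(self) -> tuple:
        return (self.host, self.port, self.vuln_id)


def verify_rescan(baseline: list, rescan: list, inventory: set) -> dict:
    """Classify findings as fixed, persistent or new, and flag hosts outside the inventory.

    fixed:         in baseline, gone in rescan  -> remediation confirmed, close ticket
    persistent:    in both                      -> patch did not take or workaround insufficient, keep ticket open
    new:           only in rescan               -> regression or newly disclosed issue, open ticket
    unknown_hosts: rescan saw a host the asset baseline does not list -> feed back into step 1
    """
    before = {f.key: f for f in baseline}
    after = {f.key: f for f in rescan}
    return {
        "fixed": sorted(before[k] for k in before.keys() - after.keys()),
        "persistent": sorted(after[k] for k in before.keys() & after.keys()),
        "new": sorted(after[k] for k in after.keys() - before.keys()),
        "unknown_hosts": sorted({f.host for f in rescan} - inventory),
    }


def workflow_actions(result: dict) -> list:
    """Translate the diff into remediation-workflow actions (what a ticketing integration would apply)."""
    actions = [("close", f.key) for f in result["fixed"]]
    actions += [("keep-open", f.key) for f in result["persistent"]]
    actions += [("open", f.key) for f in result["new"]]
    actions += [("add-to-inventory", host) for host in result["unknown_hosts"]]
    return actions


# Constructed sample data: the asset baseline, the scan before patching, the scan after.
INVENTORY = {"web01", "db01"}

BASELINE = [
    Finding("web01", 443, "weak-tls-ciphers", "medium"),
    Finding("web01", 80, "outdated-web-server", "high"),
    Finding("db01", 1433, "missing-db-patch", "critical"),
]

RESCAN = [
    Finding("web01", 443, "weak-tls-ciphers", "medium"),       # still there: workaround not applied
    Finding("db01", 1433, "default-credentials", "critical"),   # new after the patch cycle
    Finding("lab-vm9", 22, "outdated-ssh-server", "high"),      # host nobody inventoried
]

if __name__ == "__main__":
    result = verify_rescan(BASELINE, RESCAN, INVENTORY)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    for action, target in workflow_actions(result):
        print(f"  {action:17} {target}")
```

Two details matter more than the set arithmetic. Keying on (host, port, vuln_id) rather than on a free-text title means a renamed plugin or a re-ordered report does not look like a fix, and treating an un-inventoried host as a first-class result closes the loop back to step 1: the re-scan is also the cheapest discovery scan you will run.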

21 Belnet Vulnerability Scanner - Advantages
Web-based SaaS solution
IPv6 compliant
Secure solution with strong authentication and encryption…
99.997% proven accuracy (vendor figure)
Easy, transparent reporting using customisable templates
Web Application Vulnerability scanning module
Modules for specific compliance requirements (PCI DSS, …)
…

22 Vulnerability Management - Conclusion - Things to think about...
What are my compliance requirements and legal boundaries?
Are my current security controls proactive or reactive?
Is my Vulnerability Management tool efficient?
Do I know what the current security state of my network is?
Is my confidential data sufficiently protected?
Can I properly protect my assets in this security landscape?

23-25 Vulnerability Management - Conclusion: Hacking is easy (three slides carrying only this title in the transcript)

26 Vulnerability Management - Conclusion: Thank you!
