Not Scanning Alone, or How to Build a Vulnerability Management Process in 9 Steps

On July 4th we held a large workshop on vulnerability management. Today we publish a transcript of the talk by Andrey Novikov from Qualys. He explains which steps you need to go through to build a vulnerability management workflow. Spoiler: we only get to scanning halfway through.


Step #1: Determine the maturity level of vulnerability management processes

At the very beginning, you need to understand where your organization stands in terms of the maturity of its vulnerability management processes. Only then will you be able to see where you are going and what steps you need to take. Before jumping into scans and other activities, you need to do some internal work and understand how your current processes are arranged from the IT and information security perspective.

Try to answer the basic questions:

  • Do you have processes for inventorying and classifying assets?
  • How regularly is the IT infrastructure scanned, and is the entire infrastructure covered, so that you see the whole picture?
  • Are your IT resources monitored?
  • Are any KPIs implemented in your processes, and how do you know that they are being met?
  • Are all of these processes documented?


Step #2: Get full infrastructure coverage

You cannot protect what you do not know about. If you don't have a complete picture of what your IT infrastructure is made up of, you won't be able to secure it. Modern infrastructure is complex and constantly changing quantitatively and qualitatively.
Today the IT infrastructure is based not only on a stack of classic technologies (workstations, servers, virtual machines), but also on relatively new ones: containers and microservices. Information security teams avoid the latter in every possible way, since it is very difficult to work with them using their existing toolkits, which consist mainly of scanners. The problem is that no scanner can cover the entire infrastructure. For a scanner to reach a given node in the infrastructure, several factors must coincide at once: the asset must be inside the organization's perimeter at the time of the scan, and the scanner must have network access to the asset and credentials for it in order to collect complete information.

According to our statistics, in medium and large organizations approximately 15-20% of the infrastructure is not captured by the scanner for one reason or another: the asset has left the perimeter or never appears in the office at all. For example, the laptop of an employee who works remotely but still has access to the corporate network, or an asset located in an external cloud service such as Amazon. The scanner most likely knows nothing about these assets, since they are out of its line of sight.

To cover the entire infrastructure, you need to use not only scanners but a whole set of sensors: passive traffic listening to detect new devices in your infrastructure, and agent-based data collection, which delivers data online, without the need for scanning and without having to provision accounts for the scanner.


Step #3: Categorize Assets

Not all assets are equally useful. It is up to you to determine which assets are important and which are not. No tool, the scanner included, will do it for you. Ideally, information security, IT and the business analyze the infrastructure together to identify business-critical systems. For those systems they define acceptable metrics for availability, integrity, confidentiality, RTO/RPO, etc.

This will help prioritize the vulnerability management process. When your specialists receive vulnerability data, it will not be a sheet with thousands of vulnerabilities across the entire infrastructure, but granular information that takes the criticality of the systems into account.


Step #4: Conduct an Infrastructure Assessment

Only at the fourth step do we come to assessing the infrastructure for vulnerabilities. At this stage we recommend paying attention not only to vulnerabilities in software, but also to configuration errors, which can be a vulnerability as well. Here we recommend the agent-based method of collecting information. Scanners can and should be used to assess perimeter security. If you use the resources of cloud providers, you also need to collect asset and configuration information from there. Pay special attention to vulnerability analysis in infrastructures that use Docker containers.


Step #5: Set up reporting

This is one of the important elements of the vulnerability management process.
First point: no one will work with multi-page reports containing a disorderly list of vulnerabilities and descriptions of how to fix them. First of all, talk to your colleagues and find out what should be in the report and how it is most convenient for them to receive the data. For example, one administrator does not need a detailed description of the vulnerability, only information about the patch and a link to it. For another specialist, only vulnerabilities found in the network infrastructure matter.

The second point: by reporting I mean not only paper reports. That is an outdated format for obtaining information, a static snapshot. A person receives a report and cannot influence in any way how the data is presented in it. To get the report in the right form, the IT specialist has to contact the information security specialist and ask them to rebuild the report. Meanwhile, time passes and new vulnerabilities appear. Instead of passing reports from department to department, both teams should be able to look at the data online and see the same picture. That is why, in our platform, we use dynamic reports in the form of customizable dashboards.


Step #6: Prioritize

Here you can do the following:

1. Create a repository of golden system images. Work with the golden images, checking them for vulnerabilities and correct configuration on an ongoing basis. This can be done using agents that automatically report the appearance of a new asset and provide information about its vulnerabilities.

2. Focus on the assets that are critical to the business. Not a single organization in the world can fix all its vulnerabilities in one go. The process of eliminating vulnerabilities is long and even dreary.

3. Narrow the attack surface. Clean unnecessary software and services out of your infrastructure and close unnecessary ports. We recently had a case with a company where about 40 vulnerabilities were found on 100 devices, all related to an old version of the Mozilla browser. As it turned out later, Mozilla had been embedded in a golden image many years ago; no one uses it, but it was the source of a large number of vulnerabilities. When the browser was removed from the computers (it was even installed on some servers), these tens of thousands of vulnerabilities disappeared.

4. Rank vulnerabilities using a threat intelligence database. Consider not only the criticality of the vulnerability, but also whether there is a public exploit, malware using it, a patch, or external access to the vulnerable system. Assess the impact of the vulnerability on critical business systems: whether it can lead to data loss, denial of service, etc.
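As an added illustration of points 2 and 4 above, together with the asset criticality from Step #3 (example code written for this transcript, not Qualys's product or the speaker's own material): a small ranking routine that scales a finding's base severity by the agreed asset criticality and raises it when threat intelligence reports a public exploit, malware use, external reachability or a missing patch. The asset names, identifiers and multipliers are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str                # identifier as reported by the scanner (constructed)
    cvss: float                 # base severity, 0.0-10.0
    public_exploit: bool        # threat intel: exploit code is public
    used_by_malware: bool       # threat intel: seen in use by malware
    patch_available: bool       # a vendor fix exists
    externally_reachable: bool  # system is reachable from outside the perimeter


# Asset criticality agreed by security, IT and the business (Step #3).
# Constructed sample values: 3 = business-critical, 1 = low.
ASSET_CRITICALITY = {"payments-db": 3, "intranet-wiki": 2, "test-vm-17": 1}


def priority_score(f: Finding) -> float:
    """Base severity scaled by asset criticality, then raised by threat-intel
    signals. The multipliers are assumptions for this example; tune them to
    the KPIs your security and IT teams agree on."""
    score = f.cvss * ASSET_CRITICALITY.get(f.asset, 1)  # unknown asset: low
    if f.public_exploit:
        score *= 1.5
    if f.used_by_malware:
        score *= 1.5
    if f.externally_reachable:
        score *= 1.25
    if not f.patch_available:
        score *= 1.2  # no fix yet: needs a compensating control, rank higher
    return score


def rank(findings):
    """Most urgent first: the list a remediation team should work from."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings; the identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("test-vm-17", "VULN-001", 9.8, True, True, True, False),
    Finding("payments-db", "VULN-002", 7.5, True, False, True, True),
    Finding("intranet-wiki", "VULN-003", 5.3, False, False, False, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority_score(f):7.2f}  {f.asset:14} {f.vuln_id}")
```

Note that the 9.8-rated finding on the test VM ends up below the 7.5-rated one on the exposed payments database, which is exactly the granular view the talk asks for instead of a flat list sorted by CVSS.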


Step #7: Align KPIs

Don't scan for the sake of scanning. If nothing happens to the vulnerabilities found, the scan turns into a useless operation. To prevent vulnerability work from becoming a formality, think about how you will evaluate its results. Information security and IT must agree on how the work to eliminate vulnerabilities will be organized and how often scans, patching, etc. will be carried out.
On the slide you see examples of possible KPIs. There is also an extended list that we recommend to our clients. If you are interested, contact me and I will share this information with you.


Step #8: Automate

Back to scanning again. At Qualys, we believe that scanning is the least important thing that can happen today in the vulnerability management process, and that, first of all, it should be automated as much as possible so that it can run without the involvement of an information security specialist. Today there are many tools that allow you to do this. It is enough that they have an open API and the required set of connectors.

An example I like to give is DevOps. If you try to put a vulnerability scanner in there, you can simply forget about DevOps. With the old technology, the classic scanner, you simply will not be allowed into these processes. Developers won't wait for you to scan and hand them a multi-page, awkward report. Developers expect information about vulnerabilities to arrive as bug reports in their build systems. Security should be seamlessly built into these processes; it should be just a function that is automatically invoked by the system your developers use.


Step #9: Focus on the Essentials

Focus on what brings real value to your company. Scans can be automatic, and reports can be sent automatically too.
Focus on improving processes so that they are more flexible and convenient for all participants. Focus on ensuring that security is built into all contracts with your counterparties who, for example, develop web applications for you.

If you need more detailed information on how to build a vulnerability management process in a company, please contact me and my colleagues. I'll be glad to help.


Source: habr.com