QSC 2019 Presentation Using Qualys Policy Compliance to Achieve Vulnerability Management Program & Security Compliance Program Goals By: John Njenga
QSC 2019 Using Qualys Policy Compliance to Achieve Vulnerability Management Program & Security Risk Compliance Goals Introduction: To most Cybersecurity Practitioners it is a well-known fact that the reduction of Security Risks can only be achieved and maintained by practicing;- q A rigorous Vulnerability Management & Risk Assessment Program q Good Asset Management and Configuration Hygiene q Employing layered security defenses In this session, you will learn a proven approach towards achieving specific VMP, Security Risk and Compliance goals by using the Qualys Policy Compliance for Asset Configuration benchmarking, as well validating controls for Regulatory Compliance requirements (SOX and PCI).
QSC 2019 What is Vulnerability Management? As described in multiple IT Frameworks, Vulnerability Management as an IT domain, focuses on those processes by which organizations Identify, Analyze and Manage Vulnerability Risk within a critical service operating environment. Ø Vulnerability Management is one of the core components of a holistic Information Technology Security Program but unfortunately some organizations barely give it the attention it deserves, so unpatched vulnerabilities continue to proliferate within. Ø Yet the news headlines are full reports of security and data breaches, which are most often attributed to unpatched or misconfigured IT assets. Much of the problem involves the maturity of Vulnerability Management Programs and priority given to Vulnerability Management and Risk remediation practices.
QSC 2019 Why is Vulnerability Management Important? While the Cyber security threat landscape continues to evolve everyday for the worse and with the sophistication of threats increasing daily, Vulnerability Management Strategy and Practices and must adapt quickly. Ø While many organizations understand that Annual, Quarterly or Periodic scans aren't enough, most struggle with the prioritization of resources to address vulnerability risk. To create an effective risk-based vulnerability management program and maintain it, every organization must prioritize building an effective vulnerability management strategy to improve capabilities for managing and remediating vulnerability risks.
QSC 2019 What is Vulnerability Management? (continued.) An effective Vulnerability Management Program strategy includes these components q Define a Vulnerability Analysis and Resolution Strategy q Develop a Plan for Vulnerability Management q Implement the Vulnerability Analysis and Resolution Capability q Assess and Improve the Capability
QSC 2019 Vulnerability Management Life Cycle Review To develop an effective vulnerability management strategy, a continuous review of the vulnerability management life cycle is necessary to assess capabilities as shown in the SANS Vulnerability Management Model below.
QSC 2019 Vulnerability Management Strategy Development q A review of the vulnerability management lifecycle is required in order to develop an effective strategy and must include an assessment of security technology and tools used to identify and qualify vulnerability risks, as well as the different approaches to calculate how much risk is associated with a threat in order to determine how to mitigate, transfer, accept, or avoid the vulnerability. q While there are many flavors of security technologies, a recommended best practice advocates making sure that both the security tools and chosen approach leverages layered capabilities, so that if a defense measure fails to detect an attack, another measure or control is available to help prevent the attack. ü Vulnerability Scanning tools (for assessing the network infrastructure, cloud and container infrastructure) ü Static Application Testing (SAST) ü Dynamic or Web application Testing (DAST) ü Software Composition Analysis (SCA) (for identifying software vulnerabilities) ü Other dedicated, specialized monitoring and assessment tools for Business Applications, Mobile, IoT and OT environments.
QSC 2019 Vulnerability Strategy & Tools Assessment Layered Approach Source: J. Muniz http://www.ciscopress.com/articles/printerfriendly/2460771
QSC 2019 Vulnerability Management Life Cycle Review Tools in DevOps Vulnerability Management Lifecycle in a DevOps Environment Source: https://www.slideshare.net/secfigo/practical-devsecops-course-part-1-82334619
QSC 2019 Vulnerability Management Strategy Tools Capability The capabilities of the selected tools can also be supplemented with penetration testing or bug bounty programs; however, the effectiveness of a vulnerability management program depends on how well the organization orchestrates them toward the common goal of reducing threats and vulnerability risks posed to the organization.
QSC 2019 IT Asset Management & Configuration Management Hygiene What is IT Asset Management? A process used to Identify, control, record, report, audit and verify a service asset and configuration items, including versions, baselines, constituent components, their attributes, and relationships.
QSC 2019 IT Asset Management & Configuration Management Hygiene What is IT Asset Management & Configuration Item?
QSC 2019 IT Asset Management & Configuration Hygiene Why is IT Asset Management and Configuration Hygiene Important? ü Without a clear picture of the IT Assets which exist within an organization, there is no telling, how much exposure an organization has to a potential security attack. ü IT Asset Management supports a big part of the Vulnerability Management Life Cycle including IT Risk assessment, Vulnerability Patching, Incident Response and Change Configuration. ü All of these processes make use of the asset management data to ensure completeness and sound decision making. ü With asset data which is out of date, incomplete or not properly managed within the likelihood of an impact of security events impacting business operations are significantly elevated.
QSC 2019 Using Qualys Policy Compliance as a layer for Vulnerability Management Within our organization we have implemented the Qualys Policy Compliance checks for Baseline Configuration Assessments of our;- q On Premise Server Platform Image Build We have implemented Baseline configuration checks using CIS Baseline Benchmarks to create Baseline Configuration Policies for use to validate server image builds for adherence to IT Security Policy and Regulatory Requirements. q Have implemented SOX Regulatory Policy Controls verification using Custom Policies to verify our assets in scope are assessed on a weekly basis for adherence. q We have also implemented Custom Policies to verify PCI DSS required controls configuration for all our PCI in scope assets. q Assess Network Devices (Switches/Routers/Firewalls and Printers) against industry Configuration Baseline Benchmarks (CIS/NIST).
QSC 2019 Using Qualys Policy Compliance as a layer for Vulnerability Management
QSC 2019 Using Qualys Policy Compliance as a layer for Vulnerability Management
QSC 2019 Presentation References
- SANS Paper - Why Your Vulnerability Management Strategy Is Not Working--and What to Do About It. By: Jake Williams April 2019.
- CERT-CRM Model: https://www.uscert.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-VM.pdf
- "The Technology," in Security Operations Center: Building, Operating, and Maintaining Your SOC. J. J. Muniz: http://www.ciscopress.com/articles/printerfriendly/2460771
- https://blog.opengroup.org/2016/02/05/the-new-generation-it-operating-model/ By: Yan Zhao, Ph.D, President, Chief Architect, ArchiTech Group LLC
- Qualys Enterprise Platform