Vulnerability Management: Moving Away From the Compliance Checkbox towards Continuous Discovery (presented at Security B-Sides Detroit 2012)

by Derek Thomas

Tags: Security

Summary: The vulnerability scan has become a staple of the modern security program. A single scan provides a point-in-time snapshot of the known vulnerabilities and configuration issues in the infrastructure. I find that many organizations perform vulnerability scans, but the scans are performed merely to satisfy compliance. An annual scan may check the box in a report, but it also leaves 11.5 months of little to no visibility into the state of the infrastructure. Have those patches really been applied? Is change control being followed? Vulnerability management needs to move beyond the periodic vulnerability scan towards continuous vulnerability discovery. This process is much more than technical scanning and requires the security professional to constantly test and improve detection and alerting. Poor incident response, inadequate security monitoring, and unknown assets can leave a network just as vulnerable as an unpatched server. Are IDS alerts generated when they should be? Has an antivirus alert received an adequate response? I will be discussing my experience with a vulnerability management program from its painful beginning. In addition to the use of vulnerability scanning tools, I will address how to solve these problems through red team testing, security information and event management (SIEM), and configuration baselines. A vulnerability management program should be designed around making incremental improvements to current security processes.
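The questions the summary raises between scans ("Have those patches really been applied?", "Is change control being followed?", unknown assets) are exactly what a configuration baseline can answer continuously. The following is an added example, not code from the talk or its author: a small Python checker that compares a stored baseline for a host against a fresh snapshot, flags package versions still below what a patch ticket claims was installed, reports configuration and listening-port changes that have no matching change-control record, and lists discovered hosts missing from the asset inventory. The data structures, function names and all sample data (hostnames, package versions, config hashes, ports) are constructed for illustration; in practice the snapshot would be collected by a scan or an agent.

```python
"""Baseline drift, patch-state and unknown-asset checks for continuous discovery.

Added illustration: all hostnames, package versions, hashes and ports below are
constructed sample data, and the function names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    hostname: str
    packages: dict          # package name -> installed version string
    listening_ports: set    # TCP ports observed listening
    config_hashes: dict     # config file path -> content digest (hex)


def version_key(version):
    """Turn '1.0.0-27' into a tuple that compares numerically part by part.

    Numeric parts become (1, int), other parts (0, str), so mixed parts never
    raise a TypeError when compared.
    """
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def check_patch_state(current, required_versions):
    """Return (package, installed, required) for every package still below
    the version a patch record claims was applied (installed is None if the
    package is absent entirely)."""
    findings = []
    for pkg, required in required_versions.items():
        installed = current.packages.get(pkg)
        if installed is None or version_key(installed) < version_key(required):
            findings.append((pkg, installed, required))
    return findings


def check_config_drift(baseline, current, approved_changes):
    """Return (kind, item) tuples for differences between baseline and current
    that are not covered by an approved change record.

    approved_changes holds config paths and 'port:<n>' strings that change
    control has signed off on; anything else that differs is unapproved drift.
    """
    drift = []
    for path, digest in current.config_hashes.items():
        if baseline.config_hashes.get(path) != digest and path not in approved_changes:
            drift.append(("config", path))
    for port in current.listening_ports - baseline.listening_ports:
        if f"port:{port}" not in approved_changes:
            drift.append(("new_port", port))
    for port in baseline.listening_ports - current.listening_ports:
        if f"port:{port}" not in approved_changes:
            drift.append(("closed_port", port))
    return drift


def find_unknown_assets(inventory, discovered):
    """Hosts seen on the network that the asset inventory does not know about."""
    return sorted(set(discovered) - set(inventory))


# --- constructed sample data -------------------------------------------------
BASELINE = HostSnapshot(
    hostname="web01",
    packages={"openssl": "1.0.0-20", "httpd": "2.2.15-15"},
    listening_ports={22, 80, 443},
    config_hashes={"/etc/ssh/sshd_config": "a1", "/etc/httpd/conf/httpd.conf": "b2"},
)
CURRENT = HostSnapshot(
    hostname="web01",
    packages={"openssl": "1.0.0-20", "httpd": "2.2.15-29"},   # openssl never updated
    listening_ports={22, 80, 443, 8080},                     # 8080 appeared
    config_hashes={"/etc/ssh/sshd_config": "c3", "/etc/httpd/conf/httpd.conf": "d4"},
)
# Versions the patch ticket claims were installed last maintenance window.
REQUIRED_AFTER_PATCH = {"openssl": "1.0.0-27", "httpd": "2.2.15-29"}
# Change control approved the httpd.conf edit but nothing about sshd or 8080.
APPROVED_CHANGES = {"/etc/httpd/conf/httpd.conf"}
INVENTORY = ["web01", "db01"]
DISCOVERED = ["web01", "db01", "test-vm-7"]


def run_checks():
    """Run all three checks against the sample data and return one report."""
    return {
        "unpatched": check_patch_state(CURRENT, REQUIRED_AFTER_PATCH),
        "drift": check_config_drift(BASELINE, CURRENT, APPROVED_CHANGES),
        "unknown_assets": find_unknown_assets(INVENTORY, DISCOVERED),
    }


if __name__ == "__main__":
    for category, items in run_checks().items():
        print(category, items)
```

Each finding maps back to a process question rather than a scanner plugin: an `unpatched` entry means the patch ticket was closed without the package actually moving, `drift` entries mean change control was bypassed, and `unknown_assets` are hosts no scan schedule covers. Running this on every snapshot, rather than once a year, is the incremental step from a compliance scan toward continuous discovery that the summary describes.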