Management Program
A comprehensive approach to reducing vulnerabilities across your ecosystem
About the speakers
@JTBuchanan, John_Greene@Rapid7.com
Agenda
• What’s changed about corporate networks over the last few years?

10 years ago...
• Quarterly/monthly scanning
• Employees usually worked in the office
• Heavy investment in preventative defenses

In the modern environment…
• Cloud services, virtualization, and containers
• Environment changes every hour
• Focus on gathering credentials via phishing and other methods
1. Enhancing network vulnerability assessment
2. Addressing web application vulnerabilities
3. Protecting employees and mitigating user risk
4. Assessing risk to prioritize remediation
ENHANCING NETWORK VULNERABILITY ASSESSMENT
Vulnerability assessment is hard
Today's modern environment has altered the requirements for effective vulnerability assessment. Security professionals today find it difficult to achieve these three outcomes:
• Complete ecosystem visibility
• Simplified assessment
• Remediation across cross-functional teams
ADDRESSING WEB APPLICATION VULNERABILITIES
Rich web applications = Achilles heel
Traditional application security testing was developed to detect weaknesses in web applications built with older technologies like HTML, PHP, and Perl. Today it is necessary to test APIs and rich web applications built with HTML5, Action Message Format (AMF), Single Page Application (SPA) frameworks and libraries, and toolkits, services, and protocols such as JSON, REST, GWT, SOAP and XML-RPC.
• Understanding modern web applications
• The risk of continuous application deployment
• Creating bridges between development, security, and operations teams
PROTECTING EMPLOYEES AND MITIGATING USER RISK
Don’t let employees be the weak link
Modern vulnerability management programs must include activities that increase resilience to phishing and other social engineering attacks, and that allow IT organizations to respond quickly when such attacks are reported or detected.
• User training to increase phishing resilience
• Identify active campaigns
• Incident detection
ASSESSING RISK TO PRIORITIZE REMEDIATION
Evaluate risk based on real attacker behavior
Today's modern environment has altered the requirements for effective vulnerability management. Security professionals today find it difficult to achieve these three outcomes:
• Go beyond CVSS
• Account for business criticality
• Penetration test to assess overall risk
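The three points above describe the idea but not a scheme. The following is an added example, not Rapid7's scoring model or any product's algorithm: it scales a CVSS base score by the business criticality of the asset and by what is actually known about attacker behaviour (a public exploit, an internet-facing asset, exploitability confirmed by a penetration test), then ranks findings by the result. The weights, the field names and the four sample findings are assumptions constructed for illustration.

```python
"""Risk-based prioritization that goes beyond the raw CVSS base score.

Added example for this deck; it is not Rapid7's scoring model or any
product's algorithm. The weights, field names and sample findings are
assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                 # constructed placeholder, not a real CVE id
    cvss: float                  # CVSS base score, 0.0 - 10.0
    criticality: int             # business criticality of the asset, 1 (low) .. 5 (crown jewel)
    internet_facing: bool        # reachable from outside the perimeter
    exploit_public: bool         # a working exploit is publicly known
    validated_by_pentest: bool   # a penetration test confirmed exploitability in this environment


# Assumed weights: how much each piece of context moves a finding up the list.
CRITICALITY_FLOOR = 0.5        # a criticality-1 asset still keeps half of its CVSS weight
EXPLOIT_PUBLIC_FACTOR = 1.3
PENTEST_VALIDATED_FACTOR = 1.5
INTERNET_FACING_FACTOR = 1.2


def risk_score(f: Finding) -> float:
    """Scale CVSS by what the asset is worth, then by observed attacker behaviour."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.criticality <= 5:
        raise ValueError(f"out-of-range input for {f.asset}")
    # criticality 1 -> x0.6, criticality 5 -> x1.0
    score = f.cvss * (CRITICALITY_FLOOR + (1 - CRITICALITY_FLOOR) * f.criticality / 5)
    if f.exploit_public:
        score *= EXPLOIT_PUBLIC_FACTOR
    if f.validated_by_pentest:
        score *= PENTEST_VALIDATED_FACTOR
    if f.internet_facing:
        score *= INTERNET_FACING_FACTOR
    return round(score, 3)


def by_cvss(findings):
    """The naive ordering: highest CVSS base score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritize(findings):
    """Risk-based ordering: highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def explain(f: Finding) -> str:
    """One plain-language line per finding, so IT and Dev can see why it ranks where it does."""
    reasons = [f"CVSS {f.cvss}", f"criticality {f.criticality}/5"]
    if f.internet_facing:
        reasons.append("internet-facing")
    if f.exploit_public:
        reasons.append("public exploit")
    if f.validated_by_pentest:
        reasons.append("confirmed by pentest")
    return f"{f.asset} ({f.vuln_id}) risk {risk_score(f)}: " + ", ".join(reasons)


# Constructed sample findings (asset names and ids are made up).
SAMPLE = [
    Finding("hr-portal",   "VULN-0001", cvss=7.5, criticality=4, internet_facing=True,  exploit_public=True,  validated_by_pentest=True),
    Finding("dev-test-vm", "VULN-0002", cvss=9.8, criticality=1, internet_facing=False, exploit_public=False, validated_by_pentest=False),
    Finding("billing-db",  "VULN-0003", cvss=6.5, criticality=5, internet_facing=False, exploit_public=True,  validated_by_pentest=False),
    Finding("file-share",  "VULN-0004", cvss=9.0, criticality=3, internet_facing=False, exploit_public=False, validated_by_pentest=False),
]

if __name__ == "__main__":
    print("By CVSS alone:", [f.asset for f in by_cvss(SAMPLE)])
    print("By contextual risk:")
    for f in prioritize(SAMPLE):
        print("  " + explain(f))
```

On the constructed sample the CVSS 9.8 finding on a throwaway test VM drops to the bottom of the list, while a CVSS 7.5 finding on an internet-facing, business-critical asset with a confirmed exploit path goes to the top. The `explain` line is the part that matters for the shared-language problem discussed later in the deck: each ranking carries its reasons, so IT and Dev get a prioritized ticket with context rather than an undifferentiated list of ten thousand vulns.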
Align people, processes, and technologies across the enterprise
Silos prevent a shared language
SECURITY: “WE FOUND 10,000 VULNS, HERE YOU GO...”
IT: “WHAT? WHERE? WHO? PRIORITY?”
DEV: “WHAT’S A CVE? YOU MEAN A BUG?”
Silos slow risk reduction, innovation, and productivity.
SecOps: make security inherent within innovation and operations.
An organizational practice to create a shared alliance and motivation between Security, IT, and Development teams.
Supplemental whitepaper: http://www.rapid7.com/modern-vm
Questions?
Thank you!