
Building a Modern Vulnerability Management Program
A comprehensive approach to reducing vulnerabilities across your ecosystem
About the speakers
• Justin Buchanan, CISSP, Rapid7 Solutions Manager (@JTBuchanan)
• John Greene, Rapid7 Customer Advisor (John_Greene@Rapid7.com)
Agenda
• What’s changed about corporate networks over the last few years?
• How has this made vulnerability management more difficult?
• What are the requirements to modernize your VM program?
• How do we align people, processes, and technologies?

10 YEARS AGO…
• Uber didn’t exist
• You could still buy a Hummer
• Lil Wayne released “Tha Carter III”
• Most people still typed text messages with “keys”
• Morpheus website taken down
10 years ago...
• Environments mostly physical
• Few changes over time
• Change hard to miss
• Quarterly/Monthly scanning
10 years ago...
• Employees usually worked in the office
• Desktops made up most endpoints
• Sensitive data limited to what’s on the hard drive
10 years ago...
• Attackers focused on servers and malware/exploits
• Heavy investment in preventative defenses
In The Modern Environment….
• Cloud services, virtualization, and containers
• Environment changes every hour
• Security isn’t always told about perimeter changes
In The Modern Environment….
• Most employees can do their job from home
• Many remote employees that rarely visit the office
• Access to sensitive data via cloud productivity apps
• Work increasingly done on smartphones, laptops, iPads, etc.
In The Modern Environment….
• Attackers focused on users
• Focus on gathering credentials via phishing and other methods
• Lower barrier of entry to hacking
The Four Pillars of Modern Vulnerability Management
1. Enhancing network vulnerability assessment
2. Addressing web application vulnerabilities
3. Protecting employees and mitigating user risk
4. Assessing risk to prioritize remediation
ENHANCING NETWORK VULNERABILITY ASSESSMENT
Vulnerability Assessment is hard
Today's modern environment has altered the requirements for effective vulnerability assessment. Security professionals today find it difficult to achieve these three outcomes:
• Complete ecosystem visibility
• Remediation across cross-functional teams
• Simplified assessment
ADDRESSING WEB APPLICATION VULNERABILITIES
Rich web applications = Achilles heel
Traditional application security testing was developed to detect weaknesses in web applications built with older technologies like HTML, PHP, and Perl. Today it is necessary to test APIs and rich web applications built with HTML5, Action Message Format (AMF), Single Page Application (SPA) frameworks and libraries, and toolkits, services, and protocols such as JSON, REST, GWT, SOAP and XML-RPC.
• Understanding modern web applications
• The risk of continuous application deployment
• Creating bridges between development, security, and operations teams
PROTECTING EMPLOYEES AND MITIGATING USER RISK
Don’t let employees be the weak link
Modern vulnerability management programs must include activities that increase resilience to phishing and other social engineering attacks, and that allow IT organizations to respond quickly when such attacks are reported or detected.
• User training to increase phishing resilience
• Identify active campaigns
• Incident detection
ASSESSING RISK TO PRIORITIZE REMEDIATION
Evaluate risk based on real attacker behavior
Today's modern environment has altered the requirements for effective vulnerability management. Security professionals today find it difficult to achieve these three outcomes:
• Go beyond CVSS
• Account for business criticality
• Penetration test to assess overall risk
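As an added illustration (not from the slide deck or any Rapid7 product), the sketch below ranks findings by scaling a CVSS base score with attacker behaviour (public exploit code, observed in-the-wild use) and a business-assigned asset criticality; the weights, asset names and CVE placeholders are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float              # CVSS base score, 0-10
    exploit_public: bool     # working exploit code is publicly available
    exploited_in_wild: bool  # seen in real attacks (threat-intel feed)
    asset_criticality: int   # 1 (lab box) .. 5 (crown-jewel system), set by the business


def risk_score(f: Finding) -> float:
    """Blend CVSS with attacker behaviour and business context.

    The weights are illustrative assumptions, not a vendor formula: exposure
    (what attackers actually use) and criticality (what the business cannot
    afford to lose) each scale the raw severity.
    """
    exposure = 1.0
    if f.exploit_public:
        exposure += 0.5
    if f.exploited_in_wild:
        exposure += 1.0
    criticality = f.asset_criticality / 5.0
    return round(f.cvss * exposure * criticality, 2)


def prioritize(findings):
    """Return findings ordered by descending risk score."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample data; the CVE identifiers are placeholders, not real advisories.
SAMPLE = [
    Finding("lab-vm-07", "CVE-0000-0001", 9.8, False, False, 1),
    Finding("payroll-db", "CVE-0000-0002", 7.5, True, True, 5),
    Finding("intranet-wiki", "CVE-0000-0003", 6.1, True, False, 3),
]

if __name__ == "__main__":
    # The highest CVSS (9.8, isolated lab VM) lands last; the exploited
    # 7.5 on the payroll database lands first.
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.asset:14} {f.cve} (CVSS {f.cvss})")
```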
Align people, processes, and technologies across the enterprise

THE PRACTICE OF SECOPS

Silos Prevent: Visibility
[Diagram: Security, IT, and Dev shown as three separate silos]

Silos Prevent: A Shared Language
Security: “We found 10,000 vulns, here you go...”
IT: “What? Where? Who? Priority?”
Dev: “What’s a CVE? You mean a bug?”

Silos slow risk reduction, innovation, and productivity

SecOps: make security inherent within innovation and operations.
[Diagram: overlapping circles for Security, IT, and Dev]
An organizational practice to create a shared alliance and motivation between Security, IT, and Development teams.
Supplemental Whitepaper
http://www.rapid7.com/modern-vm

Questions?
Aligning Security, IT, and Development teams through shared visibility, analytics, and automation
http://www.rapid7.com/modern-vm
Thank you!