Closing the Loop: Detecting Vulnerabilities is Great but Risk Only Decreases After Remediation

1/29/2019

© 2019 Monterey Technology Group Inc.
Preview of Key Points

- Comprehensive organizational view
  - Security interdependency and coupled nature of risks
  - All systems matter to every other system
  - All products matter to every other product
- Just keeping your systems and products patched doesn't protect the data and processes on your system
- Compensating controls and defense-in-depth important
- But you've got to patch
  - Thoroughly
  - Timely

Time is of the essence

[Chart: Risk (vertical axis) plotted over Time (horizontal axis), with markers for "Patch Released" and "Patch Installed"; risk stays elevated for the whole window between the two.]
3 basic processes that lead to patch installation

[Diagram: Patch Released -> (Monitor Vendor Security Bulletins | Vulnerability Scanning | Patch Management Software) -> Install Patch]

- Monitor Vendor Security Bulletins
- Vulnerability Scanning
- Patch Management Software

Comparison

- Monitor Vendor Security Bulletins
  - Least time-to-awareness
  - 100% coverage of all vendors, products and systems
  - Most labor intensive and dependent on people
- Vulnerability scanning
  - Next shortest time-to-awareness
  - Centralized
  - < 100% coverage
    - Can miss scanning systems
      - Lack of authority to
      - Network segmentation, firewall misconfiguration
      - Agent not installed or scanning scope has holes
    - Not all vendors/products supported
- Patch Management Software
  - Longest time-to-awareness
  - Least coverage
  - Most labor-saving
  - Its place is in bulk patching of common software on large homogenous system sets


Monitor Vendor Security Bulletins

- Management needs assurance that the right people know about the right patches and that they get installed on a timely basis
  - If not, why not
- Simply stating that each server/application team is responsible for monitoring vendor bulletins for their respective products is insufficient
  - That is a policy
  - Not a control
  - Where is the assurance?
  - No way to demonstrate compliance

Monitoring vendor bulletins

- Centralized with info security team
  [Diagram: many vendors' security bulletins flow into InfoSec, which passes notifications on to the Server Team, DB Admins, Workstation Team, eCommerce Team, Network Admins and SharePoint Team]
  - Which vendors to monitor?
  - Which products?
  - Who to pass on notification to?
  - Where is each product deployed throughout organization?
  - Who is responsible for patching affected systems?
  - Disadvantages
    - Latency
    - Inaccuracy
- Distributed
  [Diagram: each vendor's security bulletins go directly to the Server Team, DB Admins, Workstation Team, eCommerce Team, Network Admins and SharePoint Team, with no InfoSec in the middle]
  - How do we know each team is subscribed to each vendor relevant to their area of responsibility?
  - How do you detect orphan product installations no one takes responsibility for?
  - Disadvantages
    - Scattershot effectiveness
    - No assurance

Hybrid monitoring vendor bulletins

- Centrally supervised distributed monitoring of vendor security bulletins
- Policy – each team responsible to monitor and timely patch products under their responsibility
- Control and Assurance by Infosec
  - Maintains awareness of
    - All hardware and software products deployed
    - All systems on network
    - All teams and their responsibilities
  - Patch liaison
    - Actively looks for orphaned products
    - Trains and periodically verifies each team is directly monitoring right bulletins, identifying needed patches, prosecuting patch to completion
    - Actively monitors each vendor's security bulletins
    - Identifies high risk patches for the organization and actively liaises with responsible teams to ensure risk mitigation

[Diagram: vendor security bulletins go to both InfoSec and the responsible teams; InfoSec's role toward the teams is labeled "Training, search for orphaned, urgent patching intervention"]


Vulnerability Scanning

- Provides critical independent assurance that patches have been prosecuted all the way to completion
- Reports should be shared with responsible teams but accountability enforced by independent team in Infosec

[Diagram: Vulnerability Scanner -> reports]

Vulnerability Scanning

- Ongoing efforts
  - Ensure all systems are being scanned
  - Ensure VM has necessary access and agents to those systems
  - Ensure VM has latest definitions
  - Increase VM coverage of deployed products and systems
  - Maintain accurate awareness of systems and products not covered by VM

Vulnerability Scanning Management

- Go further than the missing-patch report
  - Ability to squelch de-prioritized patches or those scheduled for future deployment
  - Integrate with ticketing and change management
  - Pre-prioritize patches based on
    - Vulnerability details
    - Local environment risk dynamics
    - How long the vulnerability has been public


Patch Management Software

- Longest time-to-awareness
- Least coverage
- Most labor-saving
- Its place is in bulk patching of common software on large homogenous system sets

What it takes to get a patch installed on a given system once you know about it

- Prioritization by team
- Change control
- Ticketing
- Scheduling
- Justin Buchanan from Rapid7 will show how the technology side can be addressed through automation and integration with InsightVM.

Accelerating the patching process

- Automate
- Prioritize
- Patch
- Gain visibility
- Print Report

Implementing compensating controls

- Collect Data Across Your Ecosystem
- Prioritize Using Attacker Analytics
- Remediate with SecOps Agility
