Experts on Threat and Vulnerability Management
Total Page:16
File Type:pdf, Size:1020Kb
Sponsored by Experts on Threat and Vulnerability Management Best Practice Advice On How To Prioritize Your 7Remediation with a Cutting-Edge Approach NEW EDITION INTRODUCTION: THREAT AND VULNERABILITY MANAGEMENT One of the greatest challenges security teams face is identifying, assessing, and eliminating vulnerabilities before the bad guys find them. Sometimes it seems like the bad guys are winning. Most major breaches in that past year have occurred through known vulnerabilities that for various reasons went unpatched until it was too late. Organizations know they have Mighty Guides make you stronger. vulnerabilities in their systems. They are investing in new tools, yet industry surveys show These authoritative and diverse that few are totally satisfied with their vulnerability-management practice. guides provide a full view of a topic. Part of the challenge is that managing vulnerabilities requires balancing threats and asset They help you explore, compare, criticality against known vulnerabilities, but these things are all constantly changing. To gain and contrast a variety of viewpoints a clearer understanding of these challenges and how organizations are addressing them, we so that you can determine what will partnered with RiskSense. We approached 7 cyber risk experts with the following question: work best for you. Reading a Mighty “What best-practice advice would you offer to help someone take a Guide is kind of like having your own proactive, cutting-edge approach to cyber-risk management?” team of experts. Each heartfelt and sincere piece of advice in this guide Of course, the answers depend on a lot of factors, but our experts had a number of useful and sits right next to the contributor’s revealing things to say about assessing criticality, managing remediation, and applying next- name, biography, and links so that generation tools to the problem. It’s interesting that although new technology is a key part you can learn more about their work. of the puzzle, to get the most out of those tools there needs to be close collaboration with This background information gives business operations. It’s essential to have good communications with business people who are not security professionals. you the proper context for each expert’s independent perspective. There are no simple answers, but the essays in this eBook contain many observations and valuable lessons from experts actively facing these challenges. I’m sure anyone interested in Credible advice from top experts sharpening their vulnerability management practice will appreciate these insights. helps you make strong decisions. Strong decisions make you mighty. All the best, David Rogelberg Publisher, Mighty Guides, Inc. © 2018 Mighty Guides, Inc. I 62 Nassau Drive I Great Neck, NY 11021 I 516-360-2622 I www.mightyguides.com Sponsored by 2 FOREWORD Without a doubt, you struggle with prioritizing the plethora of threats and vulnerabilities that hit your organization every day. There are never enough hours in the day, nor enough staff to remediate all of attacks on both your internal and external IT infrastructure. RiskSense®, Inc. provides vulnerability prioritization and Shift your thinking. Narrow down the threats and vulnerabilities to the ones that management to measure and control cybersecurity risk. apply to your IT infrastructure, then further reduce the list to the ones that have The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology- active exploits and finally identify your critical devices that should be remediated accelerated pen testing to identify critical security first. This is impossible if you don’t have a platform that takes in all of your weaknesses with corresponding remediation action vulnerability scanner data, across your dynamic attack surface: network, endpoints, plans, dramatically improving security and IT team efficiency and effectiveness. database, applications and IoT devices. Leverage human intel, combined with AI and machine learning to guide your remediation efforts and let your security staff focus The company delivers a fully-informed picture of group, department, and organizational cybersecurity risk with on the strategic issues to support your digital transformation with an integrated our credit-like RiskSense Security Score (RS3). The security platform. RiskSense platform continuously correlates customer infrastructure with comprehensive internal and external This e-book illustrates the value of identifying critical IT assets, and the importance vulnerability data, threat intelligence, human pen test of a prioritization platform that provides you clear guidance on remediation findings, and business asset criticality to measure risk, provide early warning of weaponization, predict attacks, efforts. With the RiskSense Security Score (RS3), you can define your journey to and prioritize remediation activities to achieve security track security metrics that link to your business goals. Security teams and business risk goals. leaders alike will find value in the perspectives shared here. By leveraging RiskSense threat and vulnerability management solutions, organizations significantly shorten time-to-remediation, increase operational efficiency, strengthen their security programs, heighten response readiness, lower costs, and ultimately reduce attack surface and minimize cyber risks. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense. Regards, Srinivas Mukkamala CEO and Co-Founder, RiskSense Sponsored by 3 TABLE OF CONTENTS JUAN MORALES PIETER VANIPEREN SURINDER LALL SENIOR DIRECTOR, GLOBAL CYBERSECURITY FOUNDING MEMBER SENIOR DIRECTOR, & INCIDENT RESPONSE CODE DEFENDERS INFORMATION SECURITY REALOGY HOLDINGS CORP. VIACOM Focus First on Assets That Keep Risk Assessment and Prioritization The Key To Risk Prioritization is The Business Running: P5 is a Triage Process: P8 Risk Assessment: P11 NICK GREEN BOBBY ADAMS JOHN TRUJILLO JAYESH KALRO VICE PRESIDENT , INFORMATION SECURITY SENIOR SECURITY ARCHITECT AVP, TECHNOLOGY DIRECTOR, GLOBAL EMEA/APAC TD AMERITRADE PACIFIC LIFE INSURANCE PRACTICE, CA SERVICES LIVE NATION ENTERTAINMENT & TICKETMASTER COMPANY CA TECHNOLOGIES In a Large Organization, Know the A Holistic, Enterprise-Wide Strategy You Must Understand the Business To Manage Vulnerabilities Effectively, Risk Owners and Adapt to Their is Essential: P16 Function of Digital Assets: P19 Define Business Priorities and Identify Needs: P13 Critical Assets: P22 Sponsored by 4 FOCUS FIRST ON ASSETS THAT KEEP THE BUSINESS RUNNING he main reason for vulnerability management is that it’s not possible to remediate all the vulnerabilities for all the assets in an enterprise completely. It’s necessary to T prioritize, yet for many companies, just knowing what assets they actually have can be a daunting task. Juan Morales, senior director of cybersecurity at residential real estate services company Realogy, recommends starting out by asking how you identify your critical assets. “Regardless of vulnerabilities, start figuring out what is really important to the business,” says Morales. “What is most impactful should it be exploited? What really are the key assets that keep the company going, operationally and financially?” JUAN MORALES As you identify those assets, you also need to know where they are located. “That helps to start painting the picture of the criticality, and the context in which they’re being used,” Morales Senior Director, Global explains. “You might start doing a bit more in-depth vulnerability scanning of those particular Cybersecurity & Incident Response Realogy Holdings Corp. assets, and then you’re able to start having conversations with key stakeholders.” This gives you a basis for doing more research into vulnerabilities the system is identifying. “Now you Juan Morales is the senior director have the insight from the organization as far as the criticality of those key assets, tied with the of global cybersecurity and incident information that the vulnerability-management system is giving you,” he adds. He points out response for Realogy. He directs the the importance of this dialog with business stakeholders, because vulnerability-management security operations center, incident response, forensics, eDiscovery, and systems don’t really understand the context of how these systems are being used. vulnerability management functions for Realogy. Juan has more than 18 When communicating risk to stakeholders, Morales prefers to quantify it in terms of system years of experience in IT, InfoSec and availability and financial impact . For instance, you can say that if your company is hit with an technology management, focusing exploit that costs $10,000, or $1 million to fix, that’s a point in time assessment of a cost to fix, on reducing risk exposure, enabling business success by promoting sound but not a true assessment of the actual impact to the organization. “If the system’s not going and adaptive security practices with a focus on the fundamentals of cybersecurity. He holds a master’s Regardless of vulnerabilities, start figuring out what is really degree in Cybersecurity from Fordham University and CISSP, ISSMP, important to the business. What really are the key assets that and CEH certifications. keep the company going, operationally and financially? LinkedIn I Website Sponsored by 5 FOCUS FIRST ON ASSETS THAT KEEP THE BUSINESS RUNNING to be available for X number of days or X number of hours, I think then it becomes a lot easier to translate