Our experience shows that cyber attacks are unrelenting, frequently successful and damaging to business agility: they are real, they are complex and they are credible. Many organisations are unaware of just how exposed they are to such threats because their IT infrastructure is not fully or correctly enumerated and assessed for significance, so vulnerabilities often remain unidentified.
Understanding your exposure to cyber attacks is key to continued business operation. This means knowing what data and systems are under your control, as well as which vulnerabilities remain hidden and therefore unremediated. Because fixing every vulnerability can be prohibitively expensive, a reliable threat and attack analysis is needed to focus effort on those that would cause the most damage. Sustained analysis and reporting of potential and identified attacks forms part of a preventive and detective defence posture.
Jirasek Security has developed a methodology that brings good practice processes, training and technology to help in this area.
Vulnerability management process
Our experience, supported by cyber security research companies, shows that the primary reason companies get compromised is active, unremediated vulnerabilities in their systems and applications.
The well-known Verizon Data Breach Investigations Report (DBIR) 2016 lists vulnerabilities as a primary reason for breaches.
All that patching is for naught if we’re not patching the right things.
Our approach to vulnerabilities is two-fold:
- Slow and steady patching ensures that the problem does not get worse
- Automated threat and exposure analysis picks up the vulnerabilities that need urgent attention, which are often those outside a typical patch cycle
Throughout our 50 years of combined cyber security experience we have used many frameworks for threat and vulnerability management - some good, some not so! As a consequence we have devised our own approach, based on industry good practice and enriched by our battle-hardened experience.
Ultimately, the process consists of four elements, as depicted in our process picture below.
Discovered vs. known assets
Configuration management, as defined by ITIL, is a hard discipline to get right. Very few organisations reach the "managed" level of the CMMI (Capability Maturity Model Integration) maturity scale for it. We have worked with some of the most complex organisations and understand what makes a good CMDB (Configuration Management Database). The key is to focus not on tooling but on people and process. Like any process, the approach needs to be well defined and measured.
The key deliverables of this phase are:
- Correct and up to date Configuration Management Database (CMDB)
- A process to discover new assets and ensure these are added to CMDB
- A regular review process which asks asset owners to confirm that the recorded attributes are still current
- Graph-like relationships between business processes, data elements, applications and infrastructure assets
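As an added illustration of the first three deliverables (this is example code written for this page, not Jirasek Security's tooling), the Python script below reconciles a discovery run against a CMDB extract: assets that were discovered but are not recorded, recorded assets that were not seen, attribute drift between the two, and owners whose periodic review has lapsed. The hostnames, addresses, owners and dates are constructed sample data and the 365-day review threshold is an assumption.

```python
"""Reconcile discovered assets against the CMDB (added example with constructed data)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import date

# Constructed CMDB extract: hostname, address, owner, recorded OS and the date the
# owner last confirmed the record. Hypothetical hosts, not taken from the page.
CMDB = [
    {"host": "web01.corp.example",  "ip": "10.0.1.10", "owner": "alice", "os": "Ubuntu 16.04", "last_reviewed": "2016-01-15"},
    {"host": "db01.corp.example",   "ip": "10.0.2.20", "owner": "bob",   "os": "RHEL 6",       "last_reviewed": "2015-06-01"},
    {"host": "old-fs.corp.example", "ip": "10.0.3.30", "owner": "carol", "os": "Windows 2008", "last_reviewed": "2014-11-20"},
]

# Constructed discovery output, e.g. from a network scan or an agent inventory.
DISCOVERED = [
    {"host": "WEB01.corp.example",  "ip": "10.0.1.10", "os": "Ubuntu 16.04"},  # only the case differs
    {"host": "db01.corp.example",   "ip": "10.0.2.20", "os": "RHEL 7"},        # OS has drifted
    {"host": "jump99.corp.example", "ip": "10.0.9.99", "os": "Debian 8"},      # not in the CMDB
]


@dataclass
class Reconciliation:
    unknown: list = field(default_factory=list)     # discovered but not in CMDB: add it, find an owner
    missing: list = field(default_factory=list)     # in CMDB but not discovered: decommissioned or unreachable?
    drifted: list = field(default_factory=list)     # (host, attribute, CMDB value, discovered value)
    review_due: list = field(default_factory=list)  # (host, owner) whose periodic review has lapsed


def _normalise(rec):
    """Canonical hostname and IP so case or formatting differences don't create phantom assets."""
    return {**rec, "host": rec["host"].strip().lower(), "ip": str(ipaddress.ip_address(rec["ip"].strip()))}


def reconcile(cmdb, discovered, today, review_days=365, compare=("ip", "os")):
    """Diff discovery output against the CMDB, keyed on hostname. `today` is an ISO date string."""
    known = {r["host"]: r for r in map(_normalise, cmdb)}
    seen = {r["host"]: r for r in map(_normalise, discovered)}
    result = Reconciliation()
    result.unknown = sorted(seen.keys() - known.keys())
    result.missing = sorted(known.keys() - seen.keys())
    for host in sorted(known.keys() & seen.keys()):
        for attr in compare:
            if known[host].get(attr) != seen[host].get(attr):
                result.drifted.append((host, attr, known[host].get(attr), seen[host].get(attr)))
    cutoff = date.fromisoformat(today)
    for r in known.values():  # insertion order follows the CMDB extract
        age = (cutoff - date.fromisoformat(r["last_reviewed"])).days
        if age > review_days:
            result.review_due.append((r["host"], r["owner"]))
    return result


if __name__ == "__main__":
    r = reconcile(CMDB, DISCOVERED, today="2016-06-01")
    for label in ("unknown", "missing", "drifted", "review_due"):
        print(f"{label}: {getattr(r, label)}")
```

Hostname is used as the identity and the IP is treated as an attribute, so a host that moved address shows up as drift rather than as one missing and one unknown asset; if your estate identifies assets by something more stable (a serial number or cloud instance ID) key on that instead. Each of the four output lists maps to an action in the process above: record and assign, chase the owner, correct the record, or trigger the review.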
Vulnerability & configuration information acquisition
Once we know what assets a company has, how they relate to each other and their relative importance, the next step is to collect active vulnerabilities and misconfigurations from those assets. You may already have a vulnerability scanning tool, which is a very positive step. We will examine how that tool is implemented and maintained so that it gives optimal results.
If not, we have the experience and capability to recommend appropriate tools, and to design, configure, implement and, if required, operate (run and maintain) them. It is important to look not only at the technology, but also to review processes and train people to use the tool most effectively.
Analysis & prioritisation
Once all vulnerabilities and misconfigurations are collected, the company needs to decide which assets are most important and critical to maintaining its business operation. Vulnerabilities are disclosed by vendors and security researchers not at a steady rate but ad hoc, which makes planning remediation difficult. Fix progressively and steadily, and ensure the following:
- The pool of vulnerabilities is not getting bigger
- Critical vulnerabilities that are, or can be, actively exploited are prioritised.
We will establish processes and tooling to help you do just that.
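The two rules above can be made mechanical. The following Python is an added example written for this page (not Jirasek Security's tooling, and not a Qualys or Skybox API): it ranks open findings so that anything exploited in the wild goes first regardless of how important the host is, then combines severity with the asset's business criticality from the CMDB, flags findings that have outlived a per-tier remediation target, and measures whether the pool grew or shrank over a period. The findings, criticality ratings and SLA days are constructed and hypothetical.

```python
"""Rank open findings and check the vulnerability pool is not growing (added example, constructed data)."""
from datetime import date

# Constructed asset criticality taken from the CMDB: 3 = business critical, 1 = low.
CRITICALITY = {"web01": 3, "db01": 3, "jump99": 2, "dev07": 1}

# Constructed scanner findings. 'exploited' = exploitation observed in the wild (a vendor or
# threat-intelligence flag); 'exploit_public' = a public exploit exists. Hypothetical IDs.
FINDINGS = [
    {"id": "F1", "asset": "dev07",  "cvss": 9.8, "exploited": True,  "exploit_public": True,  "opened": "2016-05-20", "closed": None},
    {"id": "F2", "asset": "db01",   "cvss": 7.5, "exploited": False, "exploit_public": True,  "opened": "2016-04-02", "closed": None},
    {"id": "F3", "asset": "web01",  "cvss": 9.1, "exploited": False, "exploit_public": False, "opened": "2016-05-28", "closed": None},
    {"id": "F4", "asset": "dev07",  "cvss": 5.3, "exploited": False, "exploit_public": False, "opened": "2016-03-10", "closed": None},
    {"id": "F5", "asset": "jump99", "cvss": 8.8, "exploited": False, "exploit_public": False, "opened": "2016-01-15", "closed": "2016-05-25"},
]

# Hypothetical remediation targets in days, indexed by tier; tune to your own policy.
SLA_DAYS = (2, 7, 30, 90)


def tier(finding, criticality):
    """Lower tier = fix sooner. In-the-wild exploitation beats everything else, whatever the
    asset's criticality; after that, severity is weighed against how important the asset is."""
    if finding["exploited"]:
        return 0
    crit = criticality.get(finding["asset"], 1)
    if finding["cvss"] >= 9.0 and crit >= 3:
        return 1
    if finding["exploit_public"] and crit >= 2:
        return 1
    if finding["cvss"] >= 7.0:
        return 2
    return 3


def prioritise(findings, criticality):
    """Open findings in remediation order: tier, then asset criticality, then CVSS, then oldest first."""
    open_findings = [f for f in findings if f["closed"] is None]
    return sorted(open_findings,
                  key=lambda f: (tier(f, criticality), -criticality.get(f["asset"], 1), -f["cvss"], f["opened"]))


def overdue(findings, criticality, today, sla_days=SLA_DAYS):
    """Open findings older than their tier's target, as (id, age in days). `today` is an ISO date string."""
    now = date.fromisoformat(today)
    out = []
    for f in findings:
        if f["closed"] is not None:
            continue
        age = (now - date.fromisoformat(f["opened"])).days
        if age > sla_days[tier(f, criticality)]:
            out.append((f["id"], age))
    return out


def pool_trend(findings, start, end):
    """Findings opened vs closed within [start, end] (ISO strings). net > 0 means the pool is growing."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    opened = sum(1 for f in findings if lo <= date.fromisoformat(f["opened"]) <= hi)
    closed = sum(1 for f in findings if f["closed"] and lo <= date.fromisoformat(f["closed"]) <= hi)
    return {"opened": opened, "closed": closed, "net": opened - closed}


if __name__ == "__main__":
    for f in prioritise(FINDINGS, CRITICALITY):
        print(f"tier {tier(f, CRITICALITY)}  {f['id']}  {f['asset']}  cvss {f['cvss']}")
    print("overdue:", overdue(FINDINGS, CRITICALITY, today="2016-06-01"))
    print("May 2016 trend:", pool_trend(FINDINGS, "2016-05-01", "2016-05-31"))
```

On the sample data the exploited finding on the low-value dev box outranks a CVSS 9.1 on a critical web server, which is exactly the case a CVSS-only sort gets wrong and the reason the page separates urgent exposure analysis from the steady patch cycle. A positive `net` from `pool_trend` is the signal that the first rule above is being violated and the patching cadence needs to rise.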
Remediation, Monitoring & Risk management
Finally, based on the prioritisation, vulnerabilities and misconfigurations are either fixed or consciously accepted as a risk for a limited period of time. In the latter case, active monitoring for attempts to exploit them is strongly advised.
We partner with Qualys and Skybox to deliver this service.