Secret #5 of Vulnerability Scanning: You Can Actually Prioritize, Rather Than Just Analyze

Posted on January 20, 2015 by in Industry, Network Scanners, Security Management, Vulnerability Assessment, Vulnerability Management

This is the third post by Ed Bellis in a three-part series on Vulnerability Scanning. To view all five secrets and two common “gotchas” of vulnerability scanning, please click here.

Typically, security teams spend tons of time putting together Excel spreadsheets and swimming through countless rows of data. Doing so will get the job done, eventually…kind of. But the problem is, as soon as you manage to rise to the top of your current data ocean, another wave will hit you. That is to say… by automating the detection you end up creating an ever growing mountain of findings that require more than manual effort to plow through. You can’t prioritize what to fix if you can’t even keep up with the inbound volume of data regarding potential threats, breaches and attacks.

What you need is a way to immediately prioritize the data in front of you. This is a case where tools—rather than elbow grease—may be of help. Platforms exist that can sit on top of your scan data and help you identify weaknesses in your infrastructure in the context of real-time threat data (i.e. what’s actually occurring in the world right now, and which may affect you).

This kind of platform solution—a GPS for your scan data—can be an immense time savings, and help guide your efforts in a much more efficient way than simply sorting by CVSS scores, each and every day.

Secret #4 of Vulnerability Scanning: Don’t Dump-and-Run, Make It Consumable

Posted on January 15, 2015 by in Industry, Network Scanners, Security Management, Vulnerability Assessment, Vulnerability Management

This is the second post by Ed Bellis in a three-part series on Vulnerability Scanning. To view all five secrets and two common “gotchas” of vulnerability scanning, please click here.

You know what I’m talking about when I talk about the infamous dump-and-run. “Here’s your 300-page PDF with a laundry list of every vulnerability known to man!”

From what I’ve seen, being the recipient of a dump-and-run is handled by systems administrators, developers, network engineers and other remediators exactly the same way: by filing it in the trash. The least effective way of getting critical issues fixed in your environment is the oversized PDF dump.

You need to make scan results consumable and actionable for those responsible for remediation. SysAdmins don’t want a laundry list of vulnerabilities listed out by their CVE identifier; they need an actionable list of what needs to get done, such as deploying a specific patch or updating to a specific group of assets with their relevant identifiers.

As Gene Kim so eloquently stated, “The rate at which information security and compliance introduce work into IT organizations totally outstrips IT organizations’ ability to complete, whether it’s patching vulnerabilities or implementing controls to fulfill compliance objectives. The status quo almost seems to assume that IT operations exist only to deploy patches and implement controls, instead of completing the projects that the business actually needs.”

Or to put it another way…don’t be that guy.

Secret #1 of Vulnerability Scanning: CVSS Is Only Part of the Picture

Posted on January 8, 2015 by in Industry, Network Scanners, Security Management, Vulnerability Assessment, Vulnerability Management

This is the first post by Ed Bellis in a three-part series on Vulnerability Scanning. To view all five secrets and two common “gotchas” of vulnerability scanning, please click here.

Information security can be a thankless job. I know, I’ve lived it first-hand. When I ran Security at Orbitz, it was absolutely critical that my team and I stayed on top of threats, attacks and potential exploits. And we had to ensure that our execution was flawless, every day, despite the fact that the influx of new data and threats was never ending. Any slip up could put the company at risk.

While in the trenches, we developed a series of best practices for working with vulnerability scanners such as Qualys, Nessus, Rapid7, WhiteHat and the rest. I found that following these practices dramatically improved our company’s security posture, and helped all of us sleep a lot better at night. Well, minus those dealing with small children in the middle of the night.

Here’s what we learned:

1. CVSS is great. But it’s only part of the picture.

CVSS is table stakes these days when examining vulnerability scan results, but you need to be careful to not place too much reliance on CVSS when prioritizing your remediation tasks. CVSS has the ability to add temporal data in the effort to account for changing threats; however, temporal scores can only lower and not raise the actual score. I’ll say that again… temporal scores can only lower and not raise the actual score. So if you look at CVSS and only focus on the 8’s, 9’s and 10’s, you may be missing the real priorities.

Let me give you a hot button, commonly referenced example: the Heartbleed vulnerability exposed the majority of web servers running over SSL on the Internet and allowed for the leaking of data (including the very encryption keys that protected them). But how did CVSS rate Heartbleed? It scored at only a five.

Why did CVSS misread Heartbleed so badly? The scoring system doesn’t allow for a high score on a vulnerability whose impact is “information leakage,” even though in this case the information being leaked could have been—and was—highly sensitive. You have to take into account an ever-shifting threat landscape and model, asset priorities, and mitigating controls in order to take a holistic approach to prioritized remediation.

A Holiday Poem About Your Scan Data

Posted on December 16, 2014 by in Industry, Risk I/O, Security Management


    It’s almost year end, and you must understand
    security pros everywhere are tired of their scans.
    The data’s too much! And it just isn’t clear
    where the next threat might truly appear.

    Security folks need help, a surefire way
    to parse through Qualys, Nessus & more each day.
    To know what to prioritize, without having to bet
    and find vulnerabilities, breaches & 0day threats.

    In a matter of minutes, Risk I/O can solve this pain
    think of all the time in your day you will gain.
    Oh, to know what to fix! As quick as a flash!
    And be the hero at your holiday bash!

    If this sounds like a great way to greet the new year
    let us know and we can help, with good cheer.
    We’ll make your life easy, we’ll give you a gift
    (and we don’t cost much, if you’re focused on thrift).

    So reach out to us (if not now, maybe in January)?
    We’ll make your scans fun, simple & merry.

    Happy Holidays from the Team at Risk I/O

    P.S. Take the Free Trial

    P.P.S. Our Explainer Video May Make You Smile


Vulnerability Management Decision Support: Identifying & Prioritizing Zero-Day Vulnerabilities

Posted on November 10, 2014 by in Guest Blogger, Launch, Threats and Attacks, Vulnerability Intelligence

This is a guest blog post by Josh Ray, Senior Intelligence Director for Verisign iDefense Security Intelligence Services.

One of the biggest challenges facing security teams today is staying up-to-date on the ever-changing security threat landscape. The inclusion of Verisign iDefense Security Intelligence Services’ zero-day vulnerability intelligence into Risk I/O’s threat processing engine provides security practitioners with actionable intelligence on the most important cyber threats to help protect their enterprise.


Verisign iDefense vulnerability intelligence includes vulnerability, attack and exploit data, such as unpublished zero-day vulnerabilities, collected from over 30,000 products and 400 technology vendors around the world. This data complements the threat processing of Risk I/O’s SaaS-based vulnerability threat management platform, which continuously aggregates attack, threat, and exploit data from across the Internet, by matching it with customers’ vulnerability scan data to generate a prioritized list of vulnerabilities that are most likely to be exploited.

Having advance knowledge of zero-day vulnerabilities and leveraging a risk-based prioritization methodology provides network defenders with the information they need to develop and implement mitigation plans to help protect against exploits and reduce their organization’s cyber threat exposure until a patch, or official fix from the vendor, has been issued.

As we have seen numerous times over the last year, the cost of a compromise to an organization’s revenue and brand far outweigh any of the upfront costs of moving toward a proactive security model. Advance knowledge, coupled with risk-based prioritization, can help enterprises shrink their attack surface and make better resource allocation decisions to effectively save valuable time and money. That’s what the partnership between Risk I/O and Verisign iDefense Security Intelligence Services is all about.

To learn more about the benefits of getting your data processed with Verisign iDefense’s zero-day vulnerability data, click here.

About the Author:
Josh is a recognized cyber intelligence expert on matters related to cyber exploitation and adversarial tactics, techniques, procedures and technologies, and for his work on computer network exploitation and cyber adversarial actions. He has presented at a variety of DoD and commercial cyber intelligence conferences and symposiums.

Josh has more than 12 years of combined commercial, government and military experience in Cyber Intelligence, Threat Operations and Info Security, including managing Verisign iDefense, managing the Cyber Threat Intelligence Program at Raytheon and technical leadership roles with the Office of Naval Intelligence (ONI) and the Northrop Grumman Corporation at the Joint Task Force – Global Network Operations (JTF-GNO) providing support to focused operations.

Risk I/O Threat Processing – Now With Zero-Day Vulnerability Data

Posted on November 4, 2014 by in Feature Release, Launch, Threats and Attacks, Vulnerability Management

Today we are announcing the addition of zero-day vulnerability data from Verisign iDefense to our platform. With this addition, our vulnerability threat management platform now offers smarter prioritization based on unpublished vulnerability data, providing an early warning of exploits and vulnerabilities in your environment for which a fix is not currently available.

Using our threat processing engine, Risk I/O continuously correlates vulnerability scan results with live attack data, exploit data, and now zero-day vulnerability data. The result is a complete list of suggested vulnerabilities to mitigate. We think the addition of zero-day vulnerability data will save your organization time by allowing you to take action ahead of waiting for a fix to become available.

To start prioritizing zero-day mitigation, navigate to the Home tab in your instance of Risk I/O and simply select the zero-day vulnerabilities facet. Right away, you’ll notice that the vulnerability table will update to filter by those assets containing zero-day vulnerabilities.

Selecting the zero-day vulnerabilities facet will allow you to filter your assets down to those containing zero-days.

Once the list is generated, you can use the sliders on the right to filter your list down even more for remediation based on score, severity, threat and priority of the zero-day vulnerabilities tied to your assets. The Asset Filters allow you to filter your asset list by tags that you created, giving you additional information on which vulnerabilities are most important to address first and how this affects your organization.

You can filter your list down even more to understand which vulnerabilities are most important to address first.

Short on time but want to apply the same edit to multiple assets? Use our enhanced bulk editing to apply tagging and other actions to multiple assets at a single time.


Give this new feature a spin by heading into your Risk I/O instance to find out if any zero-day vulnerabilities are affecting assets on your network. We think you’ll appreciate the enhanced security that comes with this automatic alerting. If you don’t already have a Risk I/O account, you can create one for free.

Laying the Foundation for Change

Posted on October 14, 2014 by in Industry, Risk I/O, Security Management

This blog post was written by new CEO of Risk I/O, Karim Toubba. You can read more about our new CEO announcement here.

I have always been drawn to solving substantive problems that lay the foundation for change, particularly in the security industry. To date, much has been written about the sophistication of the hacker and even the most casual news reader is bombarded with the latest highly publicized attack. Ironically, organizations continue to spend more money than ever on security technology (the entire industry spent over $46B last year – ABI Research).

While new technologies are needed to drive efficacy, especially in light of ongoing threats, they alone are not going to address this challenge. Talk to any security practitioner, from security operations or analyst to CISO, and they quickly point out that they are inundated with the newest tech to protect them against the latest attack. This so-called “layered” security model has left organizations with a myriad of security technologies, from network to application to client, each of which provides an inherent value and holds critical information about attack patterns. Yet these technologies are still largely siloed and require increasingly highly skilled security staff to maximize the information these systems produce. As a friend of mine often reminds me, “there is no Moore’s law to the human brain.” While SIEM platforms attempt to aggregate the data, the boil-the-ocean approach, the over-reliance on forensic and compliance use cases, and the often expensive and complex integration task mean the mass market is not able to leverage the full capability of these solutions. While big data holds promise, most of the platforms have gone the way of general-purpose platforms that can process any and all data, missing the opportunity to focus on solving this vexing problem in security.

The long lived idea of “layered security” needs to give rise to a better way to connect the layers, understand what the data means, why it matters, and most importantly make it actionable in a meaningful way to security operations teams. Of course low time to value is a key tenet if we expect broad adoption.

Laying the foundation for change is never easy. It requires insight, a leap of faith, and maniacal execution. I joined the Risk I/O team to help lead the charge in solving this substantive problem. One, that when solved, will have a lasting impact on the security industry and our customers.

Risk I/O Now Integrates With OpenVAS

Posted on October 6, 2014 by in Feature Release, Network Scanners, Open Source, Risk I/O, Vulnerability Assessment

Last week we quietly launched our 26th and latest connector. With our latest integration our customers can load their OpenVAS results directly into Risk I/O for threat processing and prioritization.

To take advantage of the OpenVAS integration, navigate to the Connectors tab and click New Connector. From there select the OpenVAS connector, name it and save it. You can then click the Run button on your OpenVAS connector. This will prompt you to upload your XML output that you generated from your OpenVAS scanner. Select the location of the XML file or simply drag and drop it into your browser.

Remember that this connector allows Risk I/O to consume scanner output directly from OpenVAS along with a number of tools that use OpenVAS under the hood.

If you’re not currently a Risk I/O customer you can sign up for a free 30-day trial and give our OpenVAS integration a whirl.

Mo’ Vulnerabilities, Mo’ Problems

Posted on September 19, 2014 by in Remediation, Risk I/O, Vulnerability Management

*This originally appeared as a guest post in the Tripwire – The State of Security blog as Mo’ Vulnerabilities, Mo’ Problems…One Solution.

Security practitioners juggle many tasks, with vulnerability management requiring the most time and effort to manage effectively. Prioritizing vulnerabilities, grouping those vulnerabilities and assets, and assigning them to the appropriate teams takes considerable time using current scanning technology.

The end goal of any successful vulnerability management program is to keep organizational data and assets safe from breaches. Security practitioners must ask themselves: Do I have visibility that my current plan is working? When I am given a small window of time to remediate vulnerabilities, am I targeting the right ones?

Risk I/O’s risk meters use vulnerability data from scanning technologies, such as Tripwire IP360, to monitor any group of assets and vulnerabilities. Instead of trying to fix everything, risk meters shift your strategy towards identifying and remediating the few vulnerabilities that are most likely to cause a breach. Risk I/O takes millions of daily breaches and exploits via threat feeds and makes a comparison to your vulnerability data every 30 minutes. Your monthly scans can be turned into dynamic risk meters to ensure that any vulnerability that has been breached in the wild does not find its way into your environment.

Let’s say that you are a security practitioner that needs to separate your assets and vulnerabilities by five office locations to ensure that the team in each location is keeping up with their required remediation windows. You could create risk meters for each of those locations and monitor the overall health of each environment as a whole.

Now let’s say that you upgraded a large section of your desktops and laptops to Windows 8, and each office location received a portion of these OS upgrades. You can monitor those specific devices separately with their own risk meter. Using the entire list of organizational assets, select just those Windows 8 machines and create a risk meter to ensure that the OS upgrade goes smoothly and to act on any potential threats that arise quickly. Take a look at the video below to learn how risk meters allow you to monitor your assets at a glance in any way you choose.

Companies large and small can use risk meters to validate their remediation efforts and focus on the assets and vulnerabilities that matter most. Attackers target not only the CVSS 9’s and 10’s of the world, but they also target the old and forgotten vulnerabilities that were never remediated. Adding risk meters to your vulnerability management program will provide you with visibility to ensure that you are protecting your organization from the risk of a breach.

11 Tips and Tricks for the RIO Power User

Posted on August 18, 2014 by in Risk I/O, Vulnerability Intelligence

1. Keyboard Shortcuts
Keyboard shortcuts are available from the home screen. Want to know what they are? Click the Keyboard Shortcuts link in the bottom right sidebar or just <shift>+?

2. Threat Trends Click-Through
Clicking on any of the attack or breach bubbles within the threat trends view will filter your assets by only displaying those that are vulnerable to that attack or exploit. Didn’t know threat trends existed? Go to the dashboard and open the threat trends “drawer” by clicking on it in the bottom of your screen.

3. Threat Trends History
Speaking of threat trends and keyboard shortcuts, there’s a hidden shortcut within threat trends. By clicking on the left and right arrows, you can page through threat trends historically one week at a time.


4. Bulk Editing
You can edit multiple assets and vulnerabilities at a time using the bulk editing menu. To edit multiple assets or vulnerabilities at once, just select the ones you want to edit with the checkbox on the left side of the asset and vulnerability table. At the top right of the table you’ll see our bulk editor. For assets, you can set their priority score, add and remove tags, and mark them inactive or active. For vulnerabilities, you can create a Jira ticket (requires a Jira connector) or edit any custom fields. Didn’t know we had custom fields??

5. Custom Fields
In addition to tagging assets you can create custom fields for vulnerabilities. To define a new custom field, click the gear icon in the upper right and choose custom fields. Click New Custom Field. Complete the form by naming the field, provide an optional description, select the field data type (string, numeric, or date), and if you’d like to filter your vulnerabilities on this field check the faceted search box then save it.

Once you have defined your custom fields you can add them to vulnerabilities either in bulk via the method above or on an individual vulnerability. To set a field on an individual vulnerability, just click on the vulnerability details arrow from the home screen and then click edit on the right hand side of your screen. Assign your own creative values to your heart’s content.

6. Heads Up Display (HUD)
Our Heads Up Display is accessible from the home screen by clicking on the bar chart in the upper right corner. Opening up the HUD displays a breakdown of the CVSS metrics and subscores of the vulnerabilities currently under review. You can click on any of the values within the charts to filter your vulnerabilities by those values.


7. Compare Teams/Applications/Networks/BUs via Tagview
You can compare any set of assets side-by-side with meta data using the tag view within the dashboard. Want to compare multiple teams, different applications or maybe even business units against each other? Within the dashboard select the tag view tab and enter the tagged assets you’d like to compare to each other in the tag filter box. For easier comparison, you can select either stacked or grouped charts.


8. RBAC
You can restrict access in RIO using Role Based Access Control (RBAC). First you’ll need to create a role by clicking the gear in the upper right of your screen and selecting user roles. Select New Role and complete the form including naming the role, selecting whether the role will have read only or read+write access and then entering the tag(s) to the assets this role will have access to. Next save the role.

To assign a user to a role, click the gear in the upper right and select users. You can edit an existing user or create a new user. In the user form select the role from the role drop-down and save it. Done.

9. Search by IP Range
If you want to find assets by an IP range, you can use the search box in the home screen. An example of a search query by ip range would be:

ip_address_locator:[10.0.0.0 TO 10.255.255.255]

This will produce a list of assets in your 10-dot network.

If you want to find all of your internal RFC 1918 assets you could perform a search like (note that the 172.16.0.0/12 block runs through 172.31.255.255, not just 172.16.255.255):

ip_address_locator:[10.0.0.0 TO 10.255.255.255] ip_address_locator:[192.168.0.0 TO 192.168.255.255] ip_address_locator:[172.16.0.0 TO 172.31.255.255]

You can also perform a negative search. For example, you could take the same search above and find any asset that doesn’t have an RFC 1918 internal address by adding a ‘-’ in front of each key, like this:

-ip_address_locator:[10.0.0.0 TO 10.255.255.255] -ip_address_locator:[192.168.0.0 TO 192.168.255.255] -ip_address_locator:[172.16.0.0 TO 172.31.255.255]
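The same internal/external split, done outside the product with Python’s standard `ipaddress` module. This is an added example, not Risk I/O code: it holds a constructed, hypothetical asset inventory, classifies each address against the three RFC 1918 blocks, and derives the `ip_address_locator:[first TO last]` search strings from the CIDR blocks so the range bounds (including 172.31.255.255 for 172.16.0.0/12) are computed rather than typed by hand.

```python
"""RFC 1918 asset filtering and search-string generation (added example, not Risk I/O code)."""
import ipaddress

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: hypothetical host names and addresses, not real assets.
ASSETS = {
    "web-01": "203.0.113.10",
    "db-01": "10.20.30.40",
    "jump-01": "172.31.200.5",   # inside 172.16.0.0/12 but outside 172.16.0.0/16
    "printer": "192.168.1.23",
    "vpn-edge": "198.51.100.7",
}


def is_rfc1918(ip):
    """True if the address falls in any RFC 1918 block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def split_assets(assets):
    """Return (internal, external) name lists: the positive and the negated search."""
    internal = sorted(name for name, ip in assets.items() if is_rfc1918(ip))
    external = sorted(name for name, ip in assets.items() if not is_rfc1918(ip))
    return internal, external


def range_query(networks, negate=False):
    """Build the ip_address_locator:[first TO last] search string from CIDR blocks.
    net[0] is the network address and net[-1] the last address in the block."""
    key = "-ip_address_locator:" if negate else "ip_address_locator:"
    return " ".join(f"{key}[{net[0]} TO {net[-1]}]" for net in networks)


if __name__ == "__main__":
    internal, external = split_assets(ASSETS)
    print("internal:", internal)
    print("external:", external)
    print(range_query(RFC1918))
    print(range_query(RFC1918, negate=True))
```

The `jump-01` host is the case worth noticing: a 172.16.0.0 TO 172.16.255.255 range would miss it even though it is a private address.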

10. Jira Ticketing
If you use Jira for trouble ticketing or bug tracking, you can send vulnerabilities for remediation to Jira directly from Risk I/O. You can send multiple vulnerabilities to a single ticket in Jira using the bulk editor as described above. You can also send an individual vulnerability to Jira by opening up the vulnerability details page and clicking the Create Jira Issue button on the right side panel. After you submit the issue, we’ll persist the issue ID, assignee, due dates and its status within the vulnerability details in Risk I/O.

11. RESTful API
Did you know we have a robust RESTful API? You can find the full doc here: https://api.risk.io