Vulnerability Management Maturity Model

I’ve been working on this for a couple of months now. Basically, we all know the truth of the matter: intrusions happen because we security guys are not able to patch the things that matter, or to fix, right now, the areas that intruders will use to break in and steal credit cards or SSNs or … passwords. I realize that there is a lot of hype about advanced bad guys, zero-day exploits, and so on. And there are things there to be worried about.

However, the vast majority of all cyber-crime is happening because we are not doing the basics well. That was a major factor in my deciding to move to Core Security last year. I wanted to make a difference for a lot of people, across the whole of security. We focus on something that I think is key in all of this, which is dealing with the data overload that exists around vulnerability management. As part of this effort, I realized that most companies really have no idea whether their vulnerability management is good or bad, how to measure it, what constitutes a good patch lifecycle, and so forth. Most companies’ vulnerability management is more like whack-a-mole than like a mature security program.

I decided to take a stab at helping to fix that. Over the last few months I’ve been working on a maturity model and roadmap for maturity for Vulnerability Management. I’ve drawn on my experience at EDS, at Providence Health & Services as CISO for 7 years and now my time at Core and working with our customers. The model is aimed at a security management level and focuses on building the right processes, coordinating activity across departments, and putting technology in place where it makes sense.
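As an added example of the kind of measurement the post says most companies lack, here is a small Python script (mine, not the author’s and not Core Security’s model) that takes a vulnerability inventory and reports, per severity, how many findings were fixed inside a remediation SLA, how many open findings are overdue, the median time-to-fix, and an overall compliance figure. The SLA days per severity, the record layout, the report date and the sample findings are all assumptions constructed for this illustration, not data from the post.

```python
"""Patch-lifecycle metrics for a vulnerability inventory.

Added example, not part of the original post or of Core Security's model.
Assumed (not from the post): the SLA days per severity, the record layout,
the report date and the constructed sample findings below.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed remediation SLA: days allowed from first detection to fix.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Report date the metrics are computed as of (assumed).
AS_OF = date(2014, 7, 31)

# Constructed sample inventory: one record per finding. "fixed" is None
# while the finding is still open. IDs and host names are placeholders.
INVENTORY = [
    {"id": "F-001", "host": "web01",   "severity": "critical", "found": date(2014, 6, 1),  "fixed": date(2014, 6, 5)},
    {"id": "F-002", "host": "web02",   "severity": "critical", "found": date(2014, 6, 10), "fixed": date(2014, 6, 25)},
    {"id": "F-003", "host": "db01",    "severity": "critical", "found": date(2014, 7, 20), "fixed": None},
    {"id": "F-004", "host": "app01",   "severity": "high",     "found": date(2014, 5, 1),  "fixed": date(2014, 5, 20)},
    {"id": "F-005", "host": "app02",   "severity": "high",     "found": date(2014, 7, 15), "fixed": None},
    {"id": "F-006", "host": "print01", "severity": "high",     "found": date(2014, 4, 1),  "fixed": None},
    {"id": "F-007", "host": "fs01",    "severity": "medium",   "found": date(2014, 3, 1),  "fixed": date(2014, 5, 15)},
    {"id": "F-008", "host": "ws01",    "severity": "low",      "found": date(2014, 1, 10), "fixed": date(2014, 7, 1)},
]


def age_days(finding, as_of):
    """Days from detection to fix, or to the report date if still open."""
    end = finding["fixed"] or as_of
    return (end - finding["found"]).days


def breached_sla(finding, as_of):
    """True if the finding was fixed late or is open past its SLA window."""
    return age_days(finding, as_of) > SLA_DAYS[finding["severity"]]


def remediation_report(inventory, as_of):
    """Per-severity counts and median time-to-fix over closed findings."""
    by_severity = defaultdict(list)
    for finding in inventory:
        by_severity[finding["severity"]].append(finding)

    report = {}
    for severity, findings in by_severity.items():
        fixed = [f for f in findings if f["fixed"] is not None]
        still_open = [f for f in findings if f["fixed"] is None]
        report[severity] = {
            "total": len(findings),
            "fixed": len(fixed),
            "fixed_within_sla": sum(1 for f in fixed if not breached_sla(f, as_of)),
            "open": len(still_open),
            "open_overdue": sum(1 for f in still_open if breached_sla(f, as_of)),
            # Median over closed findings only; None when nothing has been fixed yet.
            "median_days_to_fix": median(age_days(f, as_of) for f in fixed) if fixed else None,
        }
    return report


def sla_compliance(inventory, as_of):
    """Fraction of findings that were fixed in time or are still open within SLA."""
    if not inventory:
        return 1.0
    in_sla = sum(1 for f in inventory if not breached_sla(f, as_of))
    return in_sla / len(inventory)


def overdue_queue(inventory, as_of):
    """IDs of open findings past SLA, worst first: by severity, then by age."""
    overdue = [f for f in inventory if f["fixed"] is None and breached_sla(f, as_of)]
    overdue.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -age_days(f, as_of)))
    return [f["id"] for f in overdue]


if __name__ == "__main__":
    rows = remediation_report(INVENTORY, AS_OF)
    for severity, row in sorted(rows.items(), key=lambda kv: SEVERITY_RANK[kv[0]]):
        print(f"{severity:9s} {row}")
    print(f"SLA compliance: {sla_compliance(INVENTORY, AS_OF):.1%}")
    print("Overdue, worst first:", overdue_queue(INVENTORY, AS_OF))
```

The compliance figure deliberately counts a finding that was eventually fixed but outside its window as a breach, since “we patched it after 120 days” is exactly the whack-a-mole pattern the post describes; the overdue queue is the list a program owner would review each week rather than the raw scanner output.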

We are going to release the model publicly at BlackHat – come see us at Booth 735 for the first look and a discussion around where you fit within the model and what activities make sense to move to a new level of maturity.

There are prettier versions coming, but here is the maturity model itself. The roadmap will follow soon.

(Image: Vulnerability Management Maturity Model, without roadmap)


Rob Lemos (@roblemos on Twitter) wrote a nice piece yesterday for eWeek specifically on the work we are doing around improving maturity for vulnerability management programs.

Posted in Conferences, InfoSec, Security, Vulnerability Management

As Promised – A “Booth Babe”

Pics of the “booth babes” were promised. Here’s your first one 🙂


Posted in Uncategorized

A Week in Vegas

Yep, here I am in Las Vegas. Sitting in my hotel room knocking out a quick post on the blog before heading down to check in for BlackHat and find people and dinner. I plan to write something every day, although we will see how that goes.

Also note that some cool stuff is going to be announced by Core Security and I will definitely link to the company blog when the announcements are made. Some of it is my work, so I might have to point that out, too. 😉

As you may have noticed, over the past couple of months I’ve been talking a lot about what makes a good security program and about security needing to solve some basic problems. Definitely more to come on that, too. Keep your eyes open.

Meanwhile, thunderstorms and flash floods here in Las Vegas. Not too much to worry about where I’m at, though.

I expect there will be cigar pictures, booth babe shots, stuff from a demo I’m doing, and lots more.

Posted in Cigars, Conferences, General, InfoSec, Security, Vulnerability Management

August: Something I Swore I’d Never Do

No, not August, actually. It comes every year and it would be a bit awkward to swear off of August. Imagine me having to basically go into some sort of hibernation for 31 days.

What I swore I’d never do is go to Las Vegas for the crazy security festival that is Black Hat, DefCon and BSidesLV. At most, I declared many times, I could see myself sending some of my staff. After all, there are important things at these events. Things that a good security program needs to know about, account for, and build into its planning and capabilities.

However … for a Security Executive, BlackHat (and RSA, for that matter) is really about vendors getting access to you, marketing, booths, evening events and dinners, etc. Honestly, there’s no good reason why I needed to go to Vegas for that kind of thing. And especially not using my company’s money to do it. If I want to go to Vegas for parties, dinners, cigars, gambling … well, I’ll do it with my wife and have a lot more fun.

Well, never say never. As a leader in a security technology firm, I have to go to BlackHat. It’s now my job.

So, to all my security friends who thought they’d never see me in Vegas, in August, I say …. See you there!

——————-

Oh, and yes RSnake and Corman, I was deep in conversation with Core Security when you two were trying to convince me to go to DefCon at the Gartner Summit in 2013. So, I pretty much already knew I’d be there … but it was fun having you guys try and convince me … yet again …. 😉

Posted in Career, Conferences, Life and Times, Security

Changes

Well, as you may have noticed when you clicked through on a link … I’m no longer hosted at WordPress.com. I even have my own domain now, just because it seemed like the thing to do. I put in a redirect at WordPress so that anything there will come here.

Figured it was time.

Posted in General

What Is A Good Security Program?

What distinguishes a good security program? One of the hardest questions to answer in the Information Security field is whether our security program is good, or not. It’s a question we want to answer for many reasons, not least of which include:

  • Assuring my boss, my CEO, my Board, my company that the money and resources they’ve entrusted me with are appropriate and well utilized.
  • Being comfortable that we have done the right things to make a breach, theft, intrusion, etc as difficult and unlikely as possible.
  • Measuring your security program in an easy to understand, clear fashion.

Based on many years of my own experience, I’m going to tell you what I believe constitutes a good security program. One that is appropriate and effective. A program that you can measure, and with which you can demonstrate that you are doing the right things. This is all about taking care of your “below the line” responsibilities. Those are the responsibilities that are your job, that you are just supposed to take care of, that the CEO doesn’t want to hear about every day.

Please notice that the VP of Marketing is not busy giving the CEO metrics on how many FTE hours were spent creating PowerPoint slide decks for the sales people to use. This is the sort of “I’m busy” metric that should never be used outside your own department. Of course you are busy; that is what your organization pays you to do.

Okay, so what makes a security program appropriate and effective (which is a good way of defining “good”) and can also be measured? I can sum it up pretty easily.

  1. Do security basics really well.
  2. Do good threat & attack intelligence.
  3. Do good incident response.

Yep, that’s pretty much God, Country, Motherhood and Apple Pie sort of stuff. But it also happens to be very, very true. If you go look at security incidents that are reported publicly, you will discover that the vast majority of them were not the dreaded “Advanced Persistent Threat” or the nation-state bogeyman. I talked about that in an earlier blog entry, actually: Vulnerability Management Re-Visited.

What you will find is that almost every time a company’s security is breached and critical assets are exploited in some way, the company had failed to do security basics well. And frankly, if you don’t do #1, you are going to have a hard time at #2 and #3.

Let’s put this another way. Gartner said at their recent Security & Risk Management Summit that doing the basics of security well enables an organization to reduce the risk they face by up to 80%. You read that right. Do the basics. Stop worrying about the Chinese Army, for crying out loud, and start worrying about threat and vulnerability management, patching servers, access management, encryption, solid policies. In fact, here are the specifics according to Gartner (I’m in total agreement):

  • Patch and Update (yep, they listed it first)
  • Good fundamental policies
  • Security education
  • Encryption where it’s warranted
  • Serviceable perimeter protection
  • Identity and Access Management

Let me reiterate …. this solves up to 80% of your risk. If you are not doing this stuff well, you are not running a good security program. The definition of what “good” looks like is out there. Gartner is a good source. Companies like mine are a good source. Yes, of course we are selling products and services. But we’ve also been doing penetration testing and vulnerability management since 1996 and actually know what a good patch and update program looks like. So look to peers in your industry, to analyst firms and to product and services vendors to see what doing the basics well means.

What about the other two? Pretty simple, really. If you don’t know who is going to attack you and how, then how on earth can you possibly do the basics well in the first place? Perhaps I should make Threat & Attack Intelligence #1 and the basics #2? Anyway, figure out what the threat is. If you are a hospital, it’s probably not the PLA. If you are a retail store, it’s probably not medical insurance fraud types. Focus on the bad guys that threaten you. Focus on their real capabilities. And then determine how and where they will attack. See my post explaining that You Can’t Defend Without Intelligence.

Finally, you need to be able to do good incident response. You’re only reducing your risk by 80 to 90 percent by doing 1 and 2. Something bad is going to happen. If you can’t detect that it happened and respond to the incident, you are going to be in deep trouble. The last thing you want is to have the FBI and the credit card brands show up at your front door to let you know that your network is breached and tens of millions of credit cards have been stolen. You want to be the guy that realizes there is a bad guy operating inside your network and can go to the FBI (or appropriate law enforcement agency for your scenario and country) and provide them with the information and evidence needed for them to take action on your behalf. Good incident response is measured by building a capability and then testing it yourself.

Stop worrying about APTs and start worrying about the guy that is busy breaking into your unpatched print server and pivoting from there to your credit card data stores. Stop telling your CEO about how many virus infections you cleaned up and start telling him how much risk you are taking out of the business. Start running a good security program by doing the basics well.

Posted in InfoSec, Penetration Testing, Risk Management, Security, Vulnerability Management

Vulnerability Management Re-Visited

I know, boring topic. Just part of IT and Security operations. Nothing sexy here. It’s way more fun to think about how to beat those nasty, mean APTs, how to detect malware actively on your network, how to do fancy risk management presentations.

But there are two things that are part of your reality, information security people, that make Threat & Vulnerability Management an imperative for you if you wish to succeed.

Posted in InfoSec, Risk Management, Security, Vulnerability Management

My Memorial Day: Pulled Pork and Cigars

It’s a 3 day weekend that traditionally announces the beginning of summer. And Monday is the day that we memorialize those who have given their lives in our wars. I’ll do two things I have been doing for years this weekend.

Posted in Alcohol, Cigars, Food, Life and Times, Military, Smoking

Blaming the Victim for the Crime

Putting the victim on trial. Decades ago we learned to stop putting victims of sexual abuse, domestic violence and rape “on trial”. Well, mostly anyhow. But we, mostly, stopped blaming the girl because she wore a short skirt or went to a bar and flirted with guys. These days we don’t try and say that the domestic violence victim invited the abuse or they were at fault for not speaking up in the first place. And so forth. But there’s a community that, I am sad to say, spends a lot of time blaming the victims of crime.


Posted in General

You Can’t Defend Without Intelligence

Imagine you are an Army General. And you have been given responsibility to defend a town that is the key to the local road network. You have a specific set of units under your command and several days to prepare to defend before the enemy is expected to attack. How are you going to go about setting up your defenses? Could you successfully defend without understanding the routes the enemy will use and what capabilities the enemy will have, in addition to knowing their objective?


Posted in InfoSec, Security