This year's 2016 Verizon Data Breach Investigations Report has plenty of juicy data to pore over, and for the past week we've been providing recommendations for ways to improve your security program and stop attackers. The report didn't provide any huge surprises, except for the fact that everything that was bad just keeps getting worse. So far my teammates have written some great posts on the Verizon Data Breach Investigations Report and how it affects the incident detection and response landscape (Eric Sun) and the web app security space (Kim Dinerman). But today it's time to talk vulnerability management.
Vulnerability management has been around for a long time, and if there's one thing we've learned, it's that practically every attack outlined in the Verizon Data Breach Investigations Report or any other industry report still involves an exploited vulnerability at some point. The DBIR provides some key controls to implement to get a handle on the never-ending growth of new vulnerabilities, and wouldn't you know it, they match up perfectly with some of the key reasons our customers love Nexpose.
1. Focus on what the bad guys look for first
The DBIR describes patching vulnerabilities as a “Sisyphean struggle,” with more vulnerabilities being released every week. Keeping pace is difficult. To stop endlessly running up that hill (bonus points if you get the 80s Kate Bush reference), they recommend you “establish a process for vulnerability remediation that targets vulnerabilities which attackers are exploiting in the wild, followed by vulnerabilities with known exploits or proof-of-concept code.” Basically, prioritize the vulnerabilities and get that stuff done first, but remember that you have to look beyond CVSS to do it.
Here to help: This is what Nexpose is all about! We're still the only solution that automatically factors known exploits into our risk scoring (including how easy the exploit is to use), and with Metasploit Pro, you can validate your vulnerabilities to see which ones an attacker could exploit in real time. Check out this quick video to see how easy it is to scan for vulnerabilities with Nexpose and then validate your vulnerabilities with Metasploit Pro.
2. Identify what can't be fixed, and come up with a plan to mitigate it
Many companies have critical systems running on legacy software that they can't update without impacting their business; that doesn't mean you can ignore the risk. Use a defense-in-depth policy to create mitigating controls for these flaws: if you have to leave a hole in the wall open, make damn sure it's fortified (think the wall tunnel in Game of Thrones).
Here to help: Nexpose makes it really easy to create exceptions for these vulnerabilities and remove them from reports, as well as set expiration dates and approval chains to make sure you revisit them when you can. You can also use Metasploit to validate those compensating controls and make sure they're blocking the bad guys the way they should.
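As an added illustration of the two controls above (this is not Nexpose code and not from the report), here is a small Python model of a remediation queue: findings are ordered by the DBIR tiers (exploited in the wild, then known exploit or PoC, then everything else) with CVSS only breaking ties, and findings covered by an unexpired exception are held back for a later review. The vulnerability IDs, scores and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Vuln:
    vuln_id: str
    cvss: float
    exploited_in_wild: bool = False           # attackers are using it right now
    public_exploit: bool = False              # known exploit module or PoC code
    exception_expires: Optional[date] = None  # approved compensating control

    def exception_active(self, today: date) -> bool:
        """An exception only counts until its expiry date; after that the finding comes back."""
        return self.exception_expires is not None and today < self.exception_expires

def remediation_tier(v: Vuln) -> int:
    """DBIR ordering: in-the-wild exploitation first, then known exploit/PoC, then the rest."""
    if v.exploited_in_wild:
        return 0
    if v.public_exploit:
        return 1
    return 2

def remediation_queue(vulns: List[Vuln], today: date) -> List[Vuln]:
    """Actionable findings, most urgent first. Tier decides; CVSS is only a tie-breaker."""
    active = [v for v in vulns if not v.exception_active(today)]
    return sorted(active, key=lambda v: (remediation_tier(v), -v.cvss))

def excepted(vulns: List[Vuln], today: date) -> List[Vuln]:
    """Findings currently covered by an unexpired exception (revisit when it lapses)."""
    return [v for v in vulns if v.exception_active(today)]

# Constructed sample scan output; IDs, scores and dates are made up for the example.
SAMPLE = [
    Vuln("VULN-A", cvss=5.3, exploited_in_wild=True),
    Vuln("VULN-B", cvss=9.8),
    Vuln("VULN-C", cvss=7.5, public_exploit=True),
    Vuln("VULN-D", cvss=10.0, exploited_in_wild=True, exception_expires=date(2016, 12, 31)),
    Vuln("VULN-E", cvss=6.5, public_exploit=True, exception_expires=date(2016, 1, 31)),
]
TODAY = date(2016, 5, 1)

if __name__ == "__main__":
    for v in remediation_queue(SAMPLE, TODAY):
        print(f"tier {remediation_tier(v)}  cvss {v.cvss:>4}  {v.vuln_id}")
    print("excepted until review:", [v.vuln_id for v in excepted(SAMPLE, TODAY)])
```

Note that VULN-B, the highest CVSS score without any exploit, sorts last, while VULN-E returns to the queue because its exception has lapsed.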
Mag the Mighty, only slightly scarier than attackers
3. Use vulnerability management to figure out what's new in your environment
Regular vulnerability scanning is like flossing in between visits to the dentist; it's a great way to keep up your security hygiene, and the DBIR suggests you use it to identify unknown assets and deviations from standard configurations.
Here to help: Nexpose has baseline comparison and trending reports to make it easy to see what's new, and with adaptive security you can set up Nexpose to automatically scan and catalog new devices as they enter the network, removing a lot of the legwork that comes with today's rapidly shifting environments. To learn more about adaptive security, check out this on-demand webcast.