Comprehensive Vulnerability Management for a Changing IT Landscape

A comprehensive vulnerability management program is the foundation for effective security. Yet, many organizations find it challenging to run an effective program where vulnerabilities are quickly identified and remediated. And for many organizations, not fixing vulnerabilities has consequences. In their Market Overview: Vulnerability Management report published in April 2015, Forrester Research noted that 53% of external attacks are carried out by hackers exploiting software vulnerabilities.

There are many reasons why vulnerability management is challenging. The top concerns we hear frequently from customers are:

  • The volume of reported vulnerabilities is overwhelming. In 2015, the National Vulnerability Database showed an average of 25 new vulnerabilities reported every day.
  • There are limited available resources to fix vulnerabilities and tackle the challenge of prioritizing remediation. In the Technology Adoption Profile: Vulnerability Management Trends in APAC, an April 2016 commissioned study conducted by Forrester Consulting on behalf of Tenable, 34% of respondents said it was difficult to prioritize which vulnerabilities are most important.
  • The IT landscape is changing, bringing with it new vulnerabilities. As more organizations embrace cloud services and applications as well as BYOD/mobile, these technologies can potentially introduce an entirely new set of vulnerabilities into the IT landscape.

Adding to the challenge is the desire to track whether the vulnerability management program is improving or not. Again, the sheer volume of data makes such tracking impractical for many.

The need for a reliable, proven vulnerability management solution

Tenable has a deep and rich history in vulnerability management. As the creators of Nessus®, we’ve seen our flagship product develop over the years from an open source tool with a few Linux checks to a full-function solution that today has more than 76,000 checks. These cover nearly 30% more vulnerabilities across 32% more technologies than competitive solutions.

Vulnerability management is more than just scanning though, so at Tenable we’ve introduced complementary technologies to help organizations run their comprehensive vulnerability management programs.

Agents - Last year, we introduced agents for Nessus. Agents help organizations extend their vulnerability management programs to those hard-to-scan assets that hide out in the network. These might be transient devices like laptops that aren’t typically connected to the network when an active scan is taking place. Or they might be assets that you’d like to run authenticated scans on, but which are also assets where it’s difficult to get access to their credentials on an ongoing basis. Agents are also helpful for organizations that want to run scans more frequently without burdening network resources. Since agents are distributed and use local system resources, you can have many agent scans running on many assets at any time with minimal impact to your network.

Passive scanning - Tenable’s passive listening and event monitoring capabilities also detect and monitor services and applications in use and their vulnerabilities – even in cloud and virtualized environments.

These capabilities have the added benefit of being able to provide data continuously so your organization has updated information about vulnerabilities between active scans.

Results you can use

Tenable technologies that help you collect vulnerability data are just one part of the equation. It’s equally important to us to help customers interpret all that data. To accomplish this, our solutions offer meaningful reports and dashboards that put results into context.

The Tenable research team helps by providing daily content updates, new dashboards, and pre-built reports that provide the critical context for your vulnerability management program. Reports showing information such as vulnerabilities over 30 days old or the percentage of hosts compliant with configuration audits, enable you to make better business decisions and prioritize your efforts to optimize your security posture.

Vulnerability management dashboard example

Looking ahead

We see comprehensive vulnerability management remaining a foundation for effective security for years to come. We do see the landscape changing though, as organizations move IT assets to the cloud and embrace new technologies like mobile. As a result, we’ll continue to invest in our vulnerability management technologies to give customers effective ways to manage vulnerabilities in whatever IT environment they’re operating.

If you want to keep up with the latest and greatest vulnerability management updates from Tenable, visit the Vulnerability Management section of our website where we post links to our latest white papers, webcasts and other materials that you might find interesting.


FTC and FCC Inquiry about Mobile Device Security

Earlier this month, the US Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) launched parallel inquiries into mobile carriers and device manufacturers about their processes for reviewing and releasing security updates for mobile devices. Representatives from these organizations say their goal is "to better understand, and ultimately to improve, the security of mobile devices."

Some might make the argument that this inquiry isn't needed at this time because mobile security isn't a significant issue. This year's Verizon Data Breach Investigations Report (DBIR) for example doesn't include a focus on mobile because there's not "significant real-world data on these technologies as the vector of attack on organizations."

On the other hand, there are several reasons why investigating mobile security now, instead of when it reaches the level where the DBIR has sufficient data to cover it as a topic area, makes sense:

  • Mobile on corporate networks is a common occurrence today. As we saw in the results of the 2016 BYOD and Mobile Security Survey, 72% of survey respondents had reached the stage where BYOD was available to all (40%) or some (32%) employees. And what employees do with mobile devices on corporate networks is becoming increasingly complex. Where email and contact management used to be the norm, today many people use their mobile devices for accessing work documents and data as well as accessing applications with sensitive data like Salesforce.
  • Mobile vulnerabilities and malware are getting more sophisticated. Some of the reports about this inquiry use Stagefright as an example of the growing number of vulnerabilities associated with mobile operating systems. Stagefright is the media playback library in Android; vulnerabilities in it could be exploited by sending a crafted multimedia message (MMS) to a phone, and because the message was processed automatically on receipt, the recipient didn't have to open it for the device to be compromised. Almost a billion phones were at risk when the vulnerability was first discovered last year.
  • Updating mobile devices can be complicated. One of the reasons that the FCC and FTC have parallel inquiries is that the process for issuing security updates is complicated and often lengthy. Carriers and device manufacturers often customize the software on their devices, especially Android devices, so an operating system vendor like Google can't deliver a fix directly: Google releases the update, and the carriers and manufacturers then adapt it and push it to device users. The longer that takes, the longer consumers are exposed. And if for some reason a carrier chooses not to push updates at all, consumers are left with orphaned devices.

This inquiry is just that at this time - an inquiry. The carriers and device manufacturers have 45 days to respond. After that, the FCC and FTC say they will analyze the responses and share data with each other and determine next steps. Like others, we’re looking forward to seeing the results.

Tenable and mobile security

At Tenable, we believe mobile security is an important part of your overall security program, and we offer multiple solutions to give you visibility into security gaps and vulnerabilities that mobile devices bring to your network.

  • Nessus® Cloud and Nessus Manager integrate with leading Mobile Device Management (MDM) products (Microsoft Exchange, Apple Profile Manager, MobileIron, AirWatch, Good for Enterprise) to capture device information for iOS, Android and Windows phones to perform vulnerability and compliance assessments.
  • SecurityCenter Continuous View™ (SecurityCenter CV™) takes this further by continuously tracking managed and unmanaged devices as they connect to the network. It also tracks mobile device vulnerabilities and malicious communications over time, so you can see whether problems are being resolved quickly and address misconfigured or out-of-compliance devices before your next audit.

One of the biggest challenges with mobile is simply getting visibility into its presence on your network. In the Unknown Assets and Shadow IT area of our website, you can learn more about how SecurityCenter CV addresses this challenge.

Many thanks to David Vance for his contributions to this article.

Threat Hunting 201: Quick Wins with DNS

In all practicality, threat hunting is hard. Either you don’t have the data you need, or you have too much data and few or no resources to work with it. However, DNS is one of the best indicators for a wide range of threat activity that could impact your network. DNS also generates a huge amount of data. So how do you start working with it?

I’m not going to talk about math, or scripting, or AI and decision trees, or periodicity of beaconing and domain generation algorithms. There are tons of resources on the web to work with these concepts using DNS data to find threats. Let's go ahead and strip this all back and simplify it.

What is the goal of threat hunting? To find adversary activity in the most expedited way possible.

When you view the gigantic amount of DNS requests generated in an environment, it seems insurmountable. Referring back to Threat Hunting 101, segmentation saves the day when it comes to identifying what is normal and what isn’t.

Quick and easy wins

SecurityCenter Continuous View™ (SecurityCenter CV™) includes several tools that enable you to programmatically filter through your DNS information and automatically pull out useful, actionable information right away. This quickly enables you to show results from threat hunting activities and ultimately justify the time you spend working on it.

If you have SecurityCenter CV in your environment, its network sensors are already at work passively capturing DNS requests off the wire without having to enable any logging on the DNS server itself.

#1 - Known bad communications

A quick win when beginning to work with communications is to apply threat intelligence about known bad external hosts. In SecurityCenter CV, this is included as the Threatlist event type. External threat intelligence is compared against all of the hosts involved in communications both inbound to and outbound from your organization. This runs by default against all types of communications, including DNS. Communications with hosts known to be infected with malware or to act as botnet controllers are a highly reliable indication that a threat is active on your network. It’s not technically hunting, but it gets results and can weed out the low-hanging threats already impacting you.

Threatlist Trending

#2 - Suspicious event patterns

Isolating known patterns of actions that are likely malicious is also essential to detecting them. As stated in Verizon’s 2016 Data Breach Investigations Report, most attacks that result in breaches have a fairly well defined pattern:

Birth of a data breach, from the Verizon 2016 DBIR

Unfortunately, the simplest point of access into a network is often the humans who run it. Tenable includes pre-built logic to find these kinds of patterns of suspicious activity in the Indicator event type. These are scored on a cumulative scale from 1 to 20 based on the number of suspicious actions in the event chain. Using events that are not commonly monitored, such as statistical anomalies in communications, DNS errors, authentication attempts, and other activities, we tie these together and raise indicator events for review. You can find more information about how they work in our Discussion Forum. They’re a great place to start catching adversary actions on your networks:

Event Indicator Alert Dashboard: Alert Type
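
The two quick wins above, as an added Python example that is not part of the original post and does not use SecurityCenter CV: a threat list lookup that matches both queried names (including the parents of a name, so a new subdomain of a listed domain still hits) and answered addresses, followed by a per-host chain score in the spirit of the Indicator events. The sample events, the threat list entries and the weights are constructed for this example; the scoring rule is an assumption and not Tenable's Indicator logic.

```python
"""Threat list matching and chain scoring over constructed DNS/auth events.

Added example, not Tenable's code. The feed, the events and the weights are
made up for illustration; the scoring rule is an assumption, not the
Indicator logic in SecurityCenter CV.
"""
import ipaddress
from collections import defaultdict

# Constructed threat intelligence: known-bad domains and networks.
THREATLIST_DOMAINS = {"evil-c2.example", "bad.example.net"}
THREATLIST_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed events as (timestamp, host, event type, detail).
SAMPLE_EVENTS = [
    ("2016-06-01T09:00:00", "10.0.0.5", "dns_query", "update.vendor.example.com"),
    ("2016-06-01T09:00:05", "10.0.0.5", "dns_answer", "203.0.113.10"),
    ("2016-06-01T09:01:00", "10.0.0.7", "dns_query", "beacon.evil-c2.example"),
    ("2016-06-01T09:01:01", "10.0.0.7", "dns_answer", "198.51.100.77"),
    ("2016-06-01T09:01:10", "10.0.0.7", "dns_error", "NXDOMAIN x7h2k9.example.org"),
    ("2016-06-01T09:02:00", "10.0.0.7", "auth_failure", "jsmith"),
    ("2016-06-01T09:02:30", "10.0.0.7", "auth_failure", "jsmith"),
    ("2016-06-01T09:03:00", "10.0.0.7", "auth_success", "jsmith"),
    ("2016-06-01T09:05:00", "10.0.0.9", "dns_error", "NXDOMAIN typo.exmaple.com"),
]

# Assumed weights per suspicious action; the chain is capped at 20 to mirror
# the 1-20 scale mentioned above.
WEIGHTS = {
    "threatlist": 5,
    "dns_error": 1,
    "auth_failure": 2,
    "auth_success_after_failure": 4,
}
MAX_SCORE = 20


def domain_matches(name, bad_domains):
    """True if the name or any parent of it (x.y.z -> y.z -> z) is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def ip_matches(address, bad_networks):
    """True if the answered address falls inside a listed network."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in bad_networks)


def threatlist_hits(events, bad_domains=THREATLIST_DOMAINS,
                    bad_networks=THREATLIST_NETWORKS):
    """Known-bad communications: list of (timestamp, host, kind, indicator)."""
    hits = []
    for ts, host, kind, detail in events:
        if kind == "dns_query" and domain_matches(detail, bad_domains):
            hits.append((ts, host, "domain", detail))
        elif kind == "dns_answer" and ip_matches(detail, bad_networks):
            hits.append((ts, host, "ip", detail))
    return hits


def indicator_scores(events, bad_domains=THREATLIST_DOMAINS,
                     bad_networks=THREATLIST_NETWORKS):
    """Accumulate a per-host score from the chain of suspicious actions."""
    scores = defaultdict(int)
    failed_before = defaultdict(bool)
    for ts, host, kind, detail in events:
        if kind == "dns_query" and domain_matches(detail, bad_domains):
            scores[host] += WEIGHTS["threatlist"]
        elif kind == "dns_answer" and ip_matches(detail, bad_networks):
            scores[host] += WEIGHTS["threatlist"]
        elif kind == "dns_error":
            scores[host] += WEIGHTS["dns_error"]
        elif kind == "auth_failure":
            scores[host] += WEIGHTS["auth_failure"]
            failed_before[host] = True
        elif kind == "auth_success" and failed_before[host]:
            # A success right after failures is the step worth a human look.
            scores[host] += WEIGHTS["auth_success_after_failure"]
    return {host: min(score, MAX_SCORE) for host, score in scores.items()}


def hosts_to_review(events, threshold=10):
    """Hosts whose chain score reaches the threshold, highest first."""
    scores = indicator_scores(events)
    return [h for h, s in sorted(scores.items(), key=lambda kv: -kv[1])
            if s >= threshold]


if __name__ == "__main__":
    for hit in threatlist_hits(SAMPLE_EVENTS):
        print("threatlist:", hit)
    for host, score in indicator_scores(SAMPLE_EVENTS).items():
        print(f"indicator: {host} score={score}")
    print("review:", hosts_to_review(SAMPLE_EVENTS))
```

On the sample, 10.0.0.7 produces two threat list hits (the queried name and the answered address) and then a DNS error, two failed logons and a success, which adds up to a score of 19; 10.0.0.9's single NXDOMAIN scores 1 and stays below the review threshold. The parent-label walk in `domain_matches` is what keeps a feed of registered domains useful against attacker-chosen subdomains.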

#3 - Vulnerable DNS configurations

Stating the obvious, vulnerabilities in your DNS configuration make it substantially easier for attackers to slip in unnoticed. Some of the configuration issues that should be addressed before moving forward include:

  • Knowing which DNS servers are in your environment and which clients use them. In Windows environments, domain controllers are by default the DNS servers for their clients. If you don’t want your domain controllers resolving internet names themselves, architect a tiered DNS service in which they forward to a small set of internal resolvers and never query name servers on the internet directly. The fewer servers talking to the internet, the better.
  • Restricting zone transfers. If you don’t want someone to extract your internal network names, don’t allow your internal DNS servers to answer zone transfer (AXFR/IXFR) requests from anything but your own secondary servers. +1 for a tiered model where your internal name servers simply don’t talk to the internet.

Address other vulnerabilities as pertinent to your environment. It comes down to knowing what the DNS servers are, and making sure they’re configured in as secure a manner as possible.
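
A BIND 9 named.conf fragment, added here and not from the original post, showing the weak settings beside the corrected ones for the internal tier of the tiered model described above. The corrected variant answers and recurses only for internal clients, forwards everything it is not authoritative for to a hypothetical internet-facing resolver at 10.0.0.53 instead of querying the internet itself, and permits zone transfers of the internal zone only to its own secondary at 10.0.0.3. The zone name, file name and all addresses are assumptions; the two variants are alternatives, not one file.

```conf
// WEAK: one server that is authoritative for the internal zone, recurses
// for anyone who can reach it, and hands the whole zone to anyone who asks.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    allow-transfer { any; };
};

zone "corp.internal" {
    type master;
    file "corp.internal.db";
};

// CORRECTED: internal tier of a tiered model (addresses are assumptions).
acl internal_nets   { 10.0.0.0/8; 192.168.0.0/16; };
acl zone_secondaries { 10.0.0.3; };

options {
    recursion yes;
    allow-query     { internal_nets; };
    allow-recursion { internal_nets; };
    allow-transfer  { none; };      // server-wide default: no transfers at all
    forward only;                   // never chase internet name servers directly
    forwarders { 10.0.0.53; };      // hypothetical internet-facing resolver tier
};

zone "corp.internal" {
    type master;
    file "corp.internal.db";
    allow-transfer { zone_secondaries; };  // only our own secondary
    also-notify    { 10.0.0.3; };
};
```

To check the result from a host that is not the secondary, run `dig @<internal-server> corp.internal axfr`; the corrected configuration ends the output with `; Transfer failed.` instead of listing the zone. On Windows DNS, which is where the domain controllers mentioned above hold their zones, the equivalent control is the zone's Zone Transfers tab, or `Set-DnsServerPrimaryZone -Name corp.internal -SecureSecondaries TransferToSecureServers -SecondaryServers 10.0.0.3` from PowerShell.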

DNS Summary

Stay tuned to the Tenable blog for more tips on hunting threats in your environment with SecurityCenter Continuous View. 

For more information on threat hunting with Tenable, check out these other resources:

Tenable Blog Available on Email Subscription

The Tenable Blog now offers a free email subscription. The email subscription delivers notifications of new blogs every day or once a week, right into your inbox; no need to use an RSS reader to see new Tenable blogs. The email option will save you time and keep you informed on the latest security news from Tenable.

To subscribe to The Tenable Blog, go to the Blog Home page and click the Blog email updates option under Follow Us:

Follow Us options on the Tenable Blog

  1. You will be directed to a Subscribe to the Tenable Blog form.
  2. Provide your name, email address and company name.
  3. Select a frequency of either Daily or Weekly.
  4. Click Submit.
  5. You will receive an email message asking you to confirm your subscription request. Click the link in the message to complete your subscription.

You will start receiving blog notices in the next cycle: daily notices are sent out at 11 AM ET; weekly notices are sent out on Tuesdays at 11 AM ET.

Thank you for staying in touch with Tenable and reading our blog!

Proof Point for the Importance of Continuous Monitoring

Recent events in Malaysia have shown once again that continuous monitoring should be a key component in any cybersecurity program.

The audacious case is centered on Malaysia’s myIMMs immigration system, which was recently discovered to have been under remote control by foreign syndicates for a number of years. These syndicates have manipulated the myIMMs system assisted by immigration department IT staff, immigration officers and even software vendors, who were paid to do so by the syndicates. More than 100 people — including immigration officers — were involved, and at least 15 have been arrested.

Malaysian Immigration Director-General Sakib Kusmi said “They deal online. The instructions come from overseas ... they can manipulate our system from outside. You can see this in our computers — the cursor moves without someone operating it…" He further stated that the syndicate was able to control the movement of anybody entering or leaving Malaysia. Clearly there are serious national security implications for Malaysia.

Aside from the obvious failings of the department from a governance perspective, there are two things about this attack that stand out. The first is the fact that the state and configuration of the various components of the myIMMs system would have needed to be altered in some way to inject the necessary malware to facilitate remote control. The second is the fact that the systems were being actively controlled — remotely over the internet — by the malicious syndicates.

Tenable applies three different technologies to facilitate the detection of nefarious activities such as this – scanning, sniffing, and event analysis. These technologies can provide several vectors that enable the early detection of subterfuges such as the one in Malaysia. Manipulation of the endpoints — for example, the creation of backdoor accounts to facilitate outsider access — can be detected through event analysis. Injected malware can be identified by Nessus® with its ability to detect malicious processes in an endpoint. Our Passive Vulnerability Scanner™ detects the remote control traffic from syndicates such as those active in Malaysia to the various network systems and assets. All the data collected from these three functions can be amalgamated, analyzed and displayed on the SecurityCenter™ console, facilitating the central monitoring function that is so important to rapid threat identification.

Clearly, this case again proves the value of continuous monitoring. In fact, since this activity was facilitated by insiders, the perimeter defenses likely were blind to the attack, so a strategy focused on endpoints and events may be the only plausible detection strategy in this type of scenario.

CISOs Play an Important Role in Procuring Cyber Insurance Coverage

On May 24, 2016 Tenable hosted a panel webinar about Five Things Every CISO Must Understand about Cyber Insurance Coverage. Our panel of experts included:

  • Ben Beeson: Senior Vice President, Lockton Companies
  • Matthew Prevost: Vice President, North American Financial Lines, Chubb
  • Matthew Perry: Global Manager, Information and Cyber Security, First Solar
  • Craig Shumard: former CISO with Cigna; now Principal, Shumard & Associates

The session explored the reasons why companies are investing in cyber insurance, what’s covered, when and how CISOs should get involved, how CISOs influence coverage decisions and costs, the impact of security best practices, and how insurers may ultimately help insured enterprises lower risk over time.

How does Tenable impact cyber insurance coverage?

When businesses invest in cyber insurance, they go through an underwriting process. CISOs play an important role in underwriting by briefing the underwriter about what they’re doing to protect the business.

Among other things, they must be able to adequately describe how they assess and maintain conformance with administrative, technical, and physical controls. The NIST Cybersecurity Framework is increasingly being cited by insurers and industry experts for its value in reducing cyber risk by providing a sound framework for assessing an organization’s overall cyber hygiene.

Tenable provides CISOs with a uniquely effective way to measure, visualize, and communicate strong and comprehensive conformance with technical security controls. This includes NIST CSF conformance, where we can automate the assessment of over 90% of the technical controls and provide extensive reporting capabilities that give a CISO the information needed to brief insurance underwriters, as well as to collaborate and communicate with peer executives, boards of directors, and members of the security team.

By effectively implementing a security framework, you’re better equipped to meet due-care standards, continually identify security gaps, efficiently comply with multiple compliance requirements, and communicate business risk to executives. And, as one of our speakers noted, within the next year, there will likely be a linkage between your effective use of controls and the price you pay for cyber coverage.

Resources

If you’re an information security leader looking for insights about your role in cyber insurance procurement, check out the on-demand version of our webinar. We also encourage you to visit our NIST Cybersecurity Framework page to find more about our solutions for NIST CSF conformance and security framework adoption, a short video, and links to other resources.

Don't miss any Tenable news! Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page.

Threat Hunting 202: Practical Whitelisting

In my last blog, I talked about DNS and its importance as an indicator of malicious activity. Once you’re past the quick wins stage, what’s the next step? Most of the difficulty with threat hunting is the overwhelming quantity of data. Once you’re monitoring everything needed to recreate attacks, it quickly becomes more than you can work with effectively.

One of the most important things that you can do to tune out the noise is to leverage whitelisting within your monitoring system for known-good or known-normal activities. The events will all still be there when you need them, but you won’t be alerted on them.

Analytics and whitelisting

You can leverage the segmentation discussed in my previous blog post to build a profile of normal DNS activity for a server environment or for other devices that have known behaviors. This gives you rapid insight into any abnormal requests coming from these environments.

Start with a summarized view of traffic in your environment like the DNS Summary dashboard for SecurityCenter Continuous View™ (SecurityCenter CV™). I’m going to walk you through how I tuned this data for effective monitoring in one of our environments, so you can apply the same techniques to yours.

This is a lab environment, so there are some immediate things to check out. Country-code TLDs for countries where you have no business presence (in this lab, anything outside the US) are always suspicious unless they serve a known business purpose. That’s a great quick win. Additional suffixes can be added to the summary element for monitoring to meet your business needs; this is just a default set.

DNS Summary - Requests by TLD

Looking at overall traffic, you can build a quick custom overview for how much DNS is happening to internal domains, external common domains, and any other activity out there:

Local vs. Nonlocal Resolution

To build this, you can use a matrix element with a ratio of events. You are matching local known domains against the entirety of the DNS event set:

Matrix Element with Ratio of Events

To pull the “All Others” information, you can use negative filtering in the same ratio element:

Negative filtering

These are examples of filters you can create to quickly see what’s going on in your environment.

Since .com is the most used TLD in this lab traffic, the next step is walking through an example of profiling it, and then creating alerts for deviations. As you create these, you will get false positives, but once they’re in place and working, they’re great warning indicators. I would not recommend this process for more dynamic user environments and workstations. Leverage the environments that have regular patterns of activity that you can profile.

Drilling into the .com events, you can exclude known corporate domains and jump into the raw event view. Click into the first few, and see if the domains are known to be good. In this example, there are Microsoft domains, and some update URLs for vendor products, and Google. With each iteration of filtering domains, the number drops significantly, so you know you are moving in the right direction.

Event Analysis

As the numbers drop, misconfigurations in your environment will surface: misspelled domains, or processes calling to example.com and other unconfigured vendor defaults in applications. These are also quick wins for security to work through with server administrators to reduce the number of false positives in your environment. Each resolved issue is another step toward improving the effectiveness of your security monitoring and reducing your false positive rate.

What we’re doing is whitelisting domains at the most basic level. At the end of the process, you’ll end up with a list of the most commonly accessed domains in the environment you’re working with, you’ll be able to set up alerts to summarize any activity you haven’t caught, and provide a warning of abnormal activity.

To configure alerts, save your search as a query and leverage it using the process discussed in Threat Hunting 101.
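
The profiling walk-through above, as an added Python example that is not part of the original post and does not use SecurityCenter CV. It parses a constructed query log in a simple "timestamp client qtype name" shape, computes the local versus non-local ratio, summarises requests by TLD and flags country-code TLDs outside an expected set, applies whitelist rounds while recording how the count drops after each, and then points out the misconfigurations that typically surface last (unqualified names and lookups of reserved documentation domains such as example.com). The log lines, the internal domain corp.internal, the expected ccTLD set and the whitelist entries are all constructed assumptions.

```python
"""DNS whitelisting and profiling over a constructed query log.

Added example, not from the original post and not SecurityCenter CV logic.
The log, the internal domain and the whitelist are assumptions.
"""
from collections import Counter

# Constructed sample in the shape "<timestamp> <client> <qtype> <name>".
SAMPLE_LOG = """\
2016-06-07T10:00:01 10.0.0.5 A www.corp.internal
2016-06-07T10:00:02 10.0.0.5 A dc01.corp.internal
2016-06-07T10:00:03 10.0.0.6 A download.windowsupdate.com
2016-06-07T10:00:04 10.0.0.6 A ctldl.windowsupdate.com
2016-06-07T10:00:05 10.0.0.7 A www.google.com
2016-06-07T10:00:06 10.0.0.7 A updates.vendor-app.com
2016-06-07T10:00:07 10.0.0.8 A example.com
2016-06-07T10:00:08 10.0.0.9 A cdn7.some-site.ru
2016-06-07T10:00:09 10.0.0.9 A www.corp.internal
2016-06-07T10:00:10 10.0.0.10 A fileserver
2016-06-07T10:00:11 10.0.0.11 TXT _dmarc.corp.internal
"""

LOCAL_SUFFIXES = ("corp.internal",)   # assumed internal namespace
EXPECTED_CCTLDS = {"us"}              # ccTLDs with a known business purpose
# RFC 2606 reserved names: lookups of these are unconfigured application
# defaults, not real traffic.
RFC2606_SUFFIXES = ("example.com", "example.net", "example.org",
                    "example", "test", "invalid", "localhost")
# Whitelist rounds in the order an analyst would apply them.
WHITELIST_ROUNDS = [
    ("corporate", LOCAL_SUFFIXES),
    ("microsoft", ("windowsupdate.com", "microsoft.com")),
    ("google", ("google.com",)),
]


def parse_log(text):
    """Parse log lines into (timestamp, client, qtype, normalised name)."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, name = line.split()
        queries.append((ts, client, qtype, name.lower().rstrip(".")))
    return queries


def in_suffixes(name, suffixes):
    """Suffix match on label boundaries: a.b.c matches b.c, ab.c does not."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def tld(name):
    """Last label of a name; single-label names have no TLD at all."""
    return name.rsplit(".", 1)[-1] if "." in name else "(unqualified)"


def local_ratio(queries, local_suffixes=LOCAL_SUFFIXES):
    """(local, total) behind a Local vs. Nonlocal Resolution ratio."""
    local = sum(1 for *_, name in queries if in_suffixes(name, local_suffixes))
    return local, len(queries)


def requests_by_tld(queries):
    """Counts behind a Requests by TLD summary."""
    return Counter(tld(name) for *_, name in queries)


def unexpected_cctlds(queries, expected=EXPECTED_CCTLDS):
    """Two-letter (country-code) TLDs with no known business purpose."""
    return {t: n for t, n in requests_by_tld(queries).items()
            if len(t) == 2 and t.isalpha() and t not in expected}


def apply_whitelist(queries, rounds=WHITELIST_ROUNDS):
    """Drop whitelisted names round by round; return count history and the rest."""
    remaining = list(queries)
    history = [("start", len(remaining))]
    for label, suffixes in rounds:
        remaining = [q for q in remaining if not in_suffixes(q[3], suffixes)]
        history.append((label, len(remaining)))
    return history, remaining


def likely_misconfigurations(queries):
    """Names that point at unconfigured defaults rather than an adversary."""
    findings = []
    for *_, name in queries:
        if "." not in name:
            findings.append((name, "unqualified name"))
        elif in_suffixes(name, RFC2606_SUFFIXES):
            findings.append((name, "reserved documentation domain"))
    return findings


if __name__ == "__main__":
    queries = parse_log(SAMPLE_LOG)
    print("local/total:", local_ratio(queries))
    print("by TLD:", dict(requests_by_tld(queries)))
    print("unexpected ccTLDs:", unexpected_cctlds(queries))
    history, remaining = apply_whitelist(queries)
    print("whitelist rounds:", history)
    print("left to triage:", [q[3] for q in remaining])
    print("misconfigurations:", likely_misconfigurations(remaining))
```

On the sample, 4 of 11 queries are local, the .ru lookup is flagged by the ccTLD check, and the whitelist rounds take the count from 11 to 7, 5 and finally 4 names left to triage, of which example.com and the unqualified fileserver are misconfigurations for the server administrators and updates.vendor-app.com is the kind of name you either add to the whitelist or keep an eye on. The boundary-aware suffix match matters: a plain `endswith("google.com")` would also whitelist notgoogle.com.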

For more information about threat hunting with Tenable, check out these resources:

Stay in touch with Tenable. Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page.

Singapore Unplugs

In an unusual risk reduction effort, Singapore has decided to remove internet access from all civil service desktops, impacting over 100,000 computers. This move is to be fully implemented by May 2017. The plan is for civil servants who require internet access to either use their own personal devices or use separate terminals dedicated for the purpose.

Singapore is connected

Singapore is considered one of the most connected countries on the planet, with average broadband speeds of over 135 Mbps, according to Akamai’s State of the Internet Report. Additionally, Singapore has been very aggressive in its adoption of the internet as a way for citizens to interact with various government services to the point that just about every service provided by the government is available online.

Why unplug?

Why, then, did the government decide to implement such a seemingly draconian measure? According to David Koh, chief executive of Singapore’s Cyber Security Agency, “Internet-surfing separation will prevent attackers from using the internet to plant malware ... and exfiltrate information from government computers.” Mr. Koh further stated that over 16 cyberattacks had made it past the network perimeter over the past year. Prime Minister Lee Hsien Loong stated that the move was “absolutely necessary,” adding “Otherwise, you will find all your NRIC numbers and income tax returns for sale on the internet … how will the government explain?”

Let’s consider this move from a security perspective. Removing internet access from civil servant desktops helps to mitigate an entire class of web based and email based attack vectors, including drive-by browser attacks, phishing attacks, botnet attacks, Trojan downloads and even advanced persistent threats. Additionally, a computer that’s not connected to the internet cannot be used to leak confidential information. Doing this, however, has impacts on productivity and convenience. For example, the Prime Minister himself has been testing the concept by using separate workstations and said that “it’s inconvenient but doable…”

The continuing threat

Does this completely eliminate the threat? No, and here’s why – human behavior. Consider the workflows that people use every day in their connected lives. They bounce between applications, email, browsers and instant messaging. Suddenly, all the connectivity that they were used to having is gone. The ability to paste something from a web page or document into an email? Gone. The ability to quickly chat with a coworker who is stationed elsewhere at the moment? Gone. So all this hyper-connectivity will be replaced by something rather old-fashioned that we fondly call “sneaker net” – moving data around using thumb drives, for example. A typical scenario would be for a worker to go to the separate internet-connected terminal, download something, copy that something onto a thumb drive, then copy that something from the thumb drive onto the “disconnected” workstation. This same “sneaker net” works in reverse too, and can serve to exfiltrate data. Thus, the workstation is really indirectly connected to the internet, and innocent mistakes or malicious actions by insiders can still result in compromises or information leakage. So the threat is really still there.

Will a determined attacker still be able to infiltrate the government systems? Absolutely – it will take more perseverance but it is still a very real threat. Stuxnet serves as a splendid example.

Vigilance

This somewhat dramatic step being taken by the Singapore government will indeed go a long way towards bolstering cybersecurity for the country, but many risks will continue to remain. Diligence in terms of well-executed vulnerability management and continuous monitoring of both endpoints and the networks is just as essential for “air gapped” infrastructures as it is for infrastructures connected to the internet. Malicious actors are very clever at jumping over gaps.


Reduce Exposure Through Immediate Threat Identification and Fast Response

At Tenable, we have long been champions of continuous monitoring. Constantly collecting and interpreting data from multiple sources, including active and agent scans, network traffic, events, log data, and via integrations with other systems and applications gives you continuous visibility into what’s happening on your network as well as the critical context you need to take decisive action.

This continuous flow of security information also helps solve some very specific security challenges, including what happens when a high visibility threat or vulnerability makes the news.

High visibility threats and vulnerabilities

High visibility threats and vulnerabilities aren’t anything new. I remember back to my university days (1990s) when the Michelangelo virus was going to wipe out millions of PCs around the globe. Michelangelo turned out to be a bit of dud (thankfully) but it garnered significant attention from the mainstream media.

If we put away our ‘90s Beanie Babies and fast-forward to today, we still see high visibility threats - that hasn’t changed. However, with the internet, social media, as well as traditional media, news about these threats spreads much faster and wider. Heartbleed was one of the first vulnerabilities in recent memory to get full marketing attention; when it was announced in April 2014 with its own cool name, website and logo, word spread fast. Today, a Google search for “Heartbleed” yields 4+ million results. This mass communication means a much wider audience learns about threats faster than ever before, including your CEO.

As a security professional, do you dread seeing your CEO when the next Heartbleed makes the news? Your CEO will want to know right away whether the organization is exposed, and if so, how quickly you can respond. If you’re relying on traditional security tools, like active scanning alone, you know it will take days or weeks to get that answer, even though your CEO wants it immediately.

Immediately identify new threats and respond effectively

So how can continuously collecting and interpreting security data help when you need to immediately determine if your organization is affected by the next high visibility threat or vulnerability? Simply put, if you need an answer immediately, there’s nothing more immediate than already having the information you need.

If you need an answer immediately, there’s nothing more immediate than already having the information you need

With SecurityCenter ContinuousView™ (SecurityCenter CV™), Tenable is in a unique position to provide threat and exposure information immediately. SecurityCenter CV gets information from multiple sources, including scan data, agent data, network traffic monitoring, host activity and event monitoring, as well as through external sources like threat intelligence and connectors to other systems and applications. With all of this information, much of it collected in near real time, it becomes easy to answer critical questions like “which systems are running an affected operating system?” immediately.

Mapping out an effective response requires critical context

With these high visibility threats though, knowing whether or not you are exposed is just the first step. Mapping out an effective response requires critical context - an ability to interpret the data, prioritize remediations and mitigations, and reduce the risk to your organization as quickly as possible. Again, SecurityCenter CV is uniquely positioned to help. A library of curated dashboards is available from the Tenable Research Team, which delivers new dashboards when new vulnerabilities emerge. Here’s a recent example of a dashboard the team developed when the Badlock vulnerability was announced earlier this year:

Badlock Discovery Dashboard

Tenable introduces new Exposure Response solution

History tells us that exposure response isn't trivial. A full year after Heartbleed was announced, 74% of Global 2000 organizations were still exposed, as noted by Fortune. At Tenable, we want to make it easier. That’s why today, we’ve introduced the new Exposure Response solution.

Our Exposure Response solution is intended to help organizations understand how to identify high visibility threats and vulnerabilities and immediately respond to them. Using the data collection mechanisms and dashboards described earlier, SecurityCenter CV delivers both visibility and context to make exposure response easier and more effective.

SecurityCenter CV delivers both visibility and context to make exposure response easier and more effective

If you’re interested in learning more, visit our Exposure Response page. You’ll find whitepapers and other materials to learn more about how SecurityCenter CV can help you quickly identify threats and vulnerabilities, and effectively respond to them.
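To make the “already having the information you need” point concrete, here is an added example (constructed data; not code from this post, from SecurityCenter CV or from Tenable) that answers the Heartbleed question from a software inventory the organization already holds. The host names, versions and collection timestamps are made up; the affected range, OpenSSL 1.0.1 through 1.0.1f with 1.0.1g as the fixed release, is the publicly documented one. The example also carries the caveat that continuous collection has to live with: a record too old to trust is reported as stale, not as “not exposed”.

```python
"""Answer "which hosts are exposed?" from a software inventory we already hold.

Added example with constructed data: the hosts, versions and timestamps are
made up; nothing here is SecurityCenter CV output or Tenable code.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory rows, as a continuously collected asset database might hold them.
INVENTORY = [
    {"host": "web-01",  "product": "openssl", "version": "1.0.1e", "collected_at": "2014-04-07T22:10:00Z"},
    {"host": "web-02",  "product": "openssl", "version": "1.0.1g", "collected_at": "2014-04-08T01:00:00Z"},
    {"host": "vpn-01",  "product": "openssl", "version": "1.0.1",  "collected_at": "2014-04-07T23:30:00Z"},
    {"host": "db-01",   "product": "openssl", "version": "0.9.8y", "collected_at": "2014-03-01T09:00:00Z"},
    {"host": "mail-01", "product": "openssl", "version": "1.0.1f", "collected_at": "2014-04-07T20:00:00Z"},
    {"host": "app-01",  "product": "nginx",   "version": "1.4.7",  "collected_at": "2014-04-07T21:00:00Z"},
]

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f inclusive; 1.0.1g was the fixed release.
HEARTBLEED = {"name": "Heartbleed", "product": "openssl", "ranges": [("1.0.1", "1.0.1f")]}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_openssl_version(version):
    """Turn '1.0.1f' into the sortable tuple (1, 0, 1, 'f').

    The letter suffix is kept as the last element so that '1.0.1' (empty
    suffix) sorts before '1.0.1a', matching OpenSSL's release order.
    """
    m = _VER.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def version_in_ranges(version, ranges):
    """True if version falls inside any inclusive (low, high) range."""
    key = parse_openssl_version(version)
    return any(parse_openssl_version(lo) <= key <= parse_openssl_version(hi) for lo, hi in ranges)


def assess_exposure(inventory, advisory, now, max_age=timedelta(days=7)):
    """Sort hosts into exposed / not_exposed / stale for one advisory.

    A record older than max_age is reported as 'stale' rather than 'not
    exposed': an answer given from old data is not an answer.
    """
    result = {"exposed": [], "not_exposed": [], "stale": []}
    for row in inventory:
        if row["product"] != advisory["product"]:
            continue
        collected = datetime.strptime(row["collected_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - collected > max_age:
            result["stale"].append(row["host"])
        elif version_in_ranges(row["version"], advisory["ranges"]):
            result["exposed"].append(row["host"])
        else:
            result["not_exposed"].append(row["host"])
    return {k: sorted(v) for k, v in result.items()}


def heartbleed_report(now_iso="2014-04-08T12:00:00Z"):
    """Run the assessment over the constructed inventory at a given instant."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return assess_exposure(INVENTORY, HEARTBLEED, now)


if __name__ == "__main__":
    for bucket, hosts in heartbleed_report().items():
        print("%-12s %s" % (bucket + ":", ", ".join(hosts) or "-"))
```

The version parser is deliberately specific to OpenSSL’s numbering; a general inventory needs one comparator per product family, which is exactly the curation work a research team does for you. Hosts that have no inventory record at all are the fourth, hardest bucket, and no query over collected data can place them.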

Keep up with the latest from Tenable! Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page.

Key Takeaways from the Infosecurity Europe Conference


There is no better way to learn about information security in Europe than by attending the Infosecurity Europe Conference (Infosec 2016). This year’s London-based conference took place 7-9 June 2016, and was the largest to date. If you weren’t able to attend, no worries – we’ve got you covered. Six Tenable strategists and experts share their views on the hot topics, trends, and themes coming out of Infosec 2016. Sit back and watch this video as they summarize the buzz.

Tenable had a strong presence at the conference, showcasing our solutions such as transforming security, vulnerability management, and continuous monitoring.

Measuring Security Assurance: The Right Tools to Achieve Success


Imagine you’re standing on the beach with your boss. He hands you a ruler and tells you it’s your job to measure the ocean and make sure that it stays within acceptable parameters for “ocean safety.” You’d probably think he was crazy. A ruler isn’t the right tool to measure that vast and constantly changing environment. Furthermore, what metrics could you possibly collect that would have any bearing on whether or not the ocean was “safe”?

IT security teams face a comparable challenge when they try to measure the effectiveness of their security programs. With the prevalence of cloud services and mobile devices, enterprises have become enormous, complex, borderless infrastructures. Just knowing what you have that needs to be secured is a challenge. Finding security metrics that actually communicate meaningful information on the security state of your organization and the effectiveness of your security programs to business executives and the board is even harder.

You need a better way

On their own, security metrics can be just noise – easily overwhelming CISOs and other IT leaders and business executives.

According to Gartner in Sharpen Your Security Metrics to Make Them Relevant and Effective:

CISOs are unhappy with their existing security metrics, and are asked to improve them, but they are not sure what better and more meaningful metrics look like.

At Tenable, we repeatedly hear of this unhappiness in the hundreds of conversations we have with CISOs each year. CISOs and other IT leaders continue to struggle to use security metrics effectively when explaining to business executives and the board how and why security investments are being made.

To help with this problem, Tenable recently sponsored the publication of a highly insightful ebook, Using Security Metrics to Drive Action: 33 Experts Share How to Communicate Security Program Effectiveness to Business Executives and the Board. In this book, experts from diverse industries share their first-hand experiences and best practices for using security metrics to communicate security program effectiveness and for implementing actionable security metrics. One important point that these experts repeatedly highlight is the importance of effectively translating security metrics into business language.

The importance of effectively translating security metrics into business language

Spanning the gap between IT and the business when measuring security program effectiveness and communicating security assurance is critical. To be successful, you must have tools and processes in place that enable you to define security metrics that make sense; that business executives and the board can understand; and that drive action at both the strategic and operational level. This requires not only defining the correct metrics, but having trustworthy data and ways to measure these metrics – and in a format that visually makes sense to business users.

Measure security assurance more effectively, close the communication gap

To help CISOs and other IT security leaders more effectively measure their security posture and close the communication gap, Tenable helps you measure security assurance in SecurityCenter Continuous View™ (SecurityCenter CV™). Security assurance capabilities in SecurityCenter CV align security metrics with business goals through proactive measurement, analysis of security metrics, and visualization of security metrics using customizable dashboards, reports, and the industry’s first Assurance Report Cards™ (ARCs).

Our approach to measurement is two-fold:

  1. We give you the tools to define security metrics in a way that aligns directly with your business goals.
  2. We ensure those metrics are accurate, using reliable data collection methods that include active scanning, agent scanning, integrations with third-party systems, passive listening, and host data activity monitoring.

One size doesn’t fit all

When it comes to security assurance, there is no one-size-fits-all template for developing meaningful security metrics, because each business is unique.

There is no one-size-fits-all template for developing meaningful security metrics, because each business is unique

If you don’t know where to start in terms of defining security program objectives and security assurance metrics and mapping them to business objectives, Tenable provides five pre-packaged ARCs, known as Tenable’s Five Critical Cybersecurity Controls. The five controls summarize the most important points presented in industry standards such as the 20 Critical Security Controls from the Center for Internet Security (formerly from the SANS Institute), the NIST Cybersecurity Framework, and the PCI Data Security Standard. Adopting these five controls enables you to identify the security strengths and weaknesses of your organization and start improving alignment with business leaders.

5 Critical Cybersecurity Controls ARCs
Tenable Five Critical Cybersecurity Controls Assurance Report Cards enable you to identify strengths and weaknesses in your security controls based on industry best practices

If you already know what your business objectives are, you can map your business objectives to the policies and controls used in your security program by creating your own custom ARCs. ARCs are powerful and flexible. You can define security policy statements in ARCs that map upwards to business objectives, as well as downward to security controls and their underlying data. With ARCs, you can take a metric-driven approach to visualizing and communicating security program effectiveness. ARCs use business language that executives understand, helping business executives and other IT leaders quickly grasp the impact of security efforts by visualizing progress and gaps.

ARCs use business language that executives understand

For example, a report card for a healthcare organization that provides home health visits could help identify vulnerabilities on mobile devices that have taken longer than 30 days to fix – since that interferes with HIPAA compliance for protecting patient information.

At an online retailer, a report card could easily show that the percentage of payment systems patched in the last month has met corporate goals without interfering with order processing.

Even if you’re not sure exactly how you want to develop security metrics, but are thinking about implementing the NIST Cybersecurity Framework in your organization, we can get you started with eight pre-built ARCs that align with the NIST Cybersecurity Framework.

NIST CSF ARCs
Measure the effectiveness of your asset management program within the context of the NIST Cybersecurity Framework

Measure, communicate, improve, succeed

If your security team is struggling to validate their ongoing security assurance efforts and justify budget requests to the board, Tenable can help. SecurityCenter CV security assurance capabilities enable you to better communicate the effectiveness of your security programs, justify or revise security investments, and ensure compliance with corporate or industry security mandates.

Learn more

Want to know more? Check out these resources:

Portland Uses the Cybersecurity Framework and Critical Security Controls

Aligns Business Risk and Security

According to the Trends in Security Framework Adoption Survey, conducted by Dimensional Research on behalf of Tenable, 44% of organizations use more than one security framework. That is half of the 88% of organizations that are using a framework. Combining frameworks is seemingly encouraged by the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) because it includes cross-references to other frameworks, including the Center for Internet Security Critical Security Controls (CSC). I have spoken with people at multiple organizations who see the CSF and the CSC as complementary. The CSF is well suited for risk assessment and to identify gaps between current and target profiles, while the CSC is well suited to guide detailed technical control implementation.

44% of organizations use more than one security framework

You may be saying to yourself, “Implementing a single framework is challenging enough. How can anyone implement more than one?” It is true that security framework implementation is challenging; as a rule it is a long-term project requiring a multi-year budget commitment. A key to success is to prioritize business services based on risk assessment and then to start implementation of the most important controls for the highest risk services. Using the CSF and CSC together can help you accomplish just that. The CSF can help you prioritize business services, and the CSC controls are prioritized so you can start implementation with the first five controls, designated Foundational Cyber Hygiene. Achieve a quick win, adapt if needed based on lessons learned, and then address the next highest priority. The next highest priority may be the next business service, or it may be implementing additional security controls for the current business service.

Implementing multiple frameworks
Starting with the Foundational Cyber Hygiene controls for the Most Critical Business Service, you can progress to Additional Controls and/or Services

The City of Portland, Oregon is one organization that has taken this approach. It is using both the CSF and CSC frameworks to guide security program evolution. Christopher Paidhrin, Portland’s Information Security Manager, uses both frameworks to meet the following objectives:

  • Prioritize risk and remediation
  • Identify security gaps and selective metrics
  • Align business risk to Critical Security Controls
  • Prioritize budget and resources

The CSC technical control implementation is directed by Brian Ventura, one of the city’s Information Security Architects.

Both Christopher and Brian will be presenting a case study explaining Portland’s experience at an upcoming Multi-State Information Sharing and Analysis Center (MS-ISAC) webcast, A Prioritized Approach to Implement the NIST CSF Using the CIS Critical Security Controls.

Christopher Paidhrin is a CSF expert and frequent conference speaker. He will share Portland’s risk-based security roadmap and has generously offered to make his roadmap planning spreadsheet available to attendees. Brian Ventura is a CSC expert who frequently teaches a SANS course about planning, implementing, and auditing the Critical Security Controls. Brian will explain how the city is implementing the CSC Foundational Cyber Hygiene controls, including examples from SecurityCenter Continuous View™.

Please join them for the webcast. I have seen a sneak peek of their content and know that it will be worth your time.

Security Metrics Must Tell a Story That is Relevant to Your Business

Using Security Metrics to Drive Action

Tenable recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. Their first-hand experiences are insightful and offer best practices that you can implement in your own organization.

In this blog, I’d like to share my own thoughts on why metrics are crucial to your security program and how they should be presented to your executives, based on my many years of experience, consulting and technical advisory work that I’ve done with Fortune 500 firms and national governments.

Metrics must tell a story

Metrics must tell a story about where things stand and must justify an action that will improve business performance

Most chief executive officers (CEOs) and board-level executives assume that the security team is doing its job. No one goes out of his or her way to build an insecure network, but the metrics that matter are ones that tell a story in the context of a business reality. That story shows where things stand and justifies an action that will improve business performance. Those are the metrics that matter to the CEO. Part of your job as a security professional is to know which metrics are important for the situation at hand.

Metrics describe problems and point to solutions

For example, say that you’re head of security for Acme Widgets, and you recognize an issue that requires a high-level decision. You request a meeting with the board. You might begin by explaining how computer security affects the business. You’ve had malware outbreaks that caused widget production lines to shut down six times in the past year, and each shutdown resulted in a median cost of $150,000 in lost production and remediation. A root-cause analysis of those incidents revealed that all six resulted from malware infections on desktops initiated by phishing attacks. Further analysis revealed that they all came from the same business unit. Additional interviews showed that the security requirements for this group do not match their accessibility requirements.

You then recommend changing the desktop environment. That will cost $XX, but in the upcoming year it will save the company $XXX. Furthermore, you offer to report back in six months about whether the savings have materialized and possibly recommend that this approach be extended to other parts of the company. In the course of your presentation, you move through slides, and each slide is based on an underlying data point. Taken together, these data points describe a problem and point to a solution that is available if Acme Widgets makes a change or takes an action.

Cost projections back up your suggestions

Be a team player, offering a positive analysis with metrics to back up your points

Here’s another scenario where metrics tell a business story. Acme Widgets has been using an internal cloud for a year. Now, it wants to expand cloud services to business partners. As head of security, your first instinct might be to say, “Don’t do that.” But the CEO has a business plan, with numbers showing how much money the company will make. As the CISO, you can say, “This is great, and the security team looks forward to helping.” You can then note that when the cloud system went live for internal use, the incident response rate tripled, and making it available to business partners is likely to at least triple it again. Revenue and cost projections should factor in the resources needed to handle the anticipated increase in incident volume. That will cost $XX. In this way, you’re being a team player, offering a positive analysis with metrics to back up your points.

Security professionals must be completely tuned in to what’s important to the business. If you work for Acme Widgets and your security team has absolutely zero impact on widget production, you had best polish up your resume. But if it turns out you do have a potential impact on widget production, your security metrics must show that.

Security professionals must be completely tuned in to what’s important to the business

My favorite metric

So I must admit that I have a favorite metric that has proven to be useful in many situations. You should track the time between a reported vulnerability and when it’s fixed; then plot that time against the number of incidents attributed to that known vulnerability. I call that the ‘I told you so’ metric. It works every time.
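As an added example (constructed records; not the author’s tooling or a Tenable product feature), here is the ‘I told you so’ metric computed from two record sets: when each vulnerability was reported and fixed, and which incidents root-cause analysis attributed to it. The vulnerability ids and dates are made up. Two details the one-sentence definition leaves open are handled explicitly: a vulnerability that is still unfixed is measured up to the as-of date, and an incident attributed to a vulnerability after its recorded fix date is counted separately, since it suggests the fix was incomplete.

```python
"""The 'I told you so' metric: time a known vulnerability stayed open versus
the incidents attributed to it.

Added example with constructed records; the vulnerability ids, dates and
incidents below are made up and are not from the post or any Tenable product.
"""
from datetime import date

# Constructed vulnerability records: when each was reported to the team and
# when it was fixed (None means still open).
VULNS = {
    "VULN-A": {"reported": date(2016, 1, 4), "fixed": date(2016, 1, 9)},
    "VULN-B": {"reported": date(2016, 1, 4), "fixed": date(2016, 3, 30)},
    "VULN-C": {"reported": date(2016, 2, 15), "fixed": None},
    "VULN-D": {"reported": date(2016, 2, 1), "fixed": date(2016, 2, 2)},
}

# Constructed incident records, each attributed by root-cause analysis to a vulnerability.
INCIDENTS = [
    {"id": "INC-1", "vuln": "VULN-B", "occurred": date(2016, 2, 10)},
    {"id": "INC-2", "vuln": "VULN-B", "occurred": date(2016, 3, 2)},
    {"id": "INC-3", "vuln": "VULN-B", "occurred": date(2016, 4, 12)},  # after the recorded fix
    {"id": "INC-4", "vuln": "VULN-C", "occurred": date(2016, 3, 20)},
    {"id": "INC-5", "vuln": "VULN-C", "occurred": date(2016, 4, 1)},
    {"id": "INC-6", "vuln": "VULN-X", "occurred": date(2016, 4, 1)},  # not a tracked vulnerability
]


def told_you_so(vulns, incidents, as_of):
    """One row per vulnerability: days open and attributed incident counts.

    days_open runs from the report date to the fix date, or to as_of when the
    vulnerability is still open. Incidents dated after the fix are counted in
    incidents_after_fix rather than silently merged in.
    """
    rows = []
    for vid, v in vulns.items():
        end = v["fixed"] or as_of
        while_open = after_fix = 0
        for inc in incidents:
            if inc["vuln"] != vid:
                continue
            if v["fixed"] is not None and inc["occurred"] > v["fixed"]:
                after_fix += 1
            else:
                while_open += 1
        rows.append({
            "vuln": vid,
            "days_open": (end - v["reported"]).days,
            "still_open": v["fixed"] is None,
            "incidents_while_open": while_open,
            "incidents_after_fix": after_fix,
        })
    # Longest-open first: the top of this list is where the story is.
    rows.sort(key=lambda r: (-r["days_open"], r["vuln"]))
    return rows


def plot_points(rows):
    """(days_open, incidents_while_open) pairs: the x/y series the post says to plot."""
    return [(r["days_open"], r["incidents_while_open"]) for r in rows]


def untracked_incidents(vulns, incidents):
    """Incidents attributed to a vulnerability id we have no record of: a data-quality gap."""
    return sorted(i["id"] for i in incidents if i["vuln"] not in vulns)


def example_report(as_of=date(2016, 5, 1)):
    """Run the metric over the constructed records as of a fixed date."""
    return told_you_so(VULNS, INCIDENTS, as_of)


if __name__ == "__main__":
    for r in example_report():
        print(r)
    print("untracked:", untracked_incidents(VULNS, INCIDENTS))
```

The `untracked_incidents` check matters in practice: an incident blamed on a vulnerability that never entered the tracking system is the one the metric cannot argue about, so the data gap is reported rather than dropped.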

More information

Security Metrics That Drive Action

Simplifying Credentialed Vulnerability Assessments - Tenable and Thycotic


Credentialed vulnerability assessments deliver the deepest analysis of targeted assets, networks and systems, providing highly detailed results. Without this access, unauthenticated assessments only scratch the surface. Unauthenticated scans reveal some issues – but these may or may not give you the entire picture of your security posture.

The challenge of credentialed scans

Maintaining privileged account credentials can be a challenge. It entails getting access to and navigating an ever-changing sea of usernames, passwords and privileges; storing the credentials in your vulnerability management solution just adds to the pain. Additionally, decentralized security policies add another potential attack vector.

Maintaining privileged account credentials can be a challenge

So how do you benefit from deep vulnerability assessments without the added burden of manual credentials management? The answer is simple: integration between your credentials management and vulnerability assessment solutions.

The Tenable and Thycotic solution

Together, Thycotic and Tenable enable you to easily perform credentialed scans

We are pleased to announce integration between Nessus® Cloud and Nessus Manager with Thycotic Secret Server. This integrated solution supports storage of privileged credentials in Thycotic Secret Server and their automatic retrieval at scan time by Nessus. By controlling sensitive passwords in a single, secure vault, customers don’t have to deal with the insecurity and hassles of password proliferation.

More information

Together, Thycotic and Tenable enable you to easily perform credentialed scans, collecting the most accurate vulnerability information without compromising accountability or control of privileged credentials. Integration between Tenable Nessus Cloud and Thycotic Secret Server makes managing credentialed scans easy and secure, ensuring that you’re delivering more accurate results and identifying threats and vulnerabilities sooner. For more details, read the Tenable and Thycotic Solutions Brief.

Tenable Supports ISO/IEC 27001/27002 and CIS Critical Security Controls


According to the Trends in Security Framework Adoption Survey, research conducted by Dimensional Research on behalf of Tenable, adoption of security frameworks is at an all-time high. Your organization might adopt a security framework for many good reasons, including:

  • Identifying security gaps requiring additional investment. Comparing existing security controls to those recommended by an established security framework can highlight weaknesses that require additional controls.
  • Communicating business risk to executives and board members. Business leaders are often familiar with financial controls and will quickly grasp the concept of security controls. They will understand budget requests to implement controls needed to mitigate cyber risk.
  • Building a foundation to efficiently meet multiple compliance requirements. Rather than tackling each compliance requirement with ad hoc controls, a security framework can provide a single, extensible foundation to meet multiple compliance requirements.
  • Discussing security with external stakeholders. Major customers, cyber insurance suppliers and other business partners may have questions about an organization’s security program, and security frameworks provide a structured format for discussion.
  • Meeting due care/due diligence standards to limit liability. Many organizations have a legal obligation to understand the cybersecurity risks they face and then to implement appropriate controls that manage that risk. Failure to adequately manage risk may expose the organization, its executives and board members to legal action. For example, a U.S. appeals court recently ruled that the Federal Trade Commission has authority to pursue lawsuits accusing organizations of failing to properly safeguard consumers’ information.

Using multiple frameworks

Many organizations—44% according to the above-mentioned survey—are using more than one framework. Some organizations are using a different framework in different parts of their businesses. However, many organizations are using multiple frameworks in a single business area. They are creating their own composite framework based on multiple published frameworks. This makes sense because the Center for Internet Security Critical Security Controls (CSC), ISO/IEC 27001/27002 (ISO 27K) and NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) frameworks are just that—frameworks. They are not strict standards designed to be adopted without at least some tailoring. The following snippets taken from each standard substantiate this:

  • CSF: “The Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources,” and “The Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes.”
  • ISO 27002: “This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable.”
  • CSC: “But this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures… ”

Tenable solutions

Recognizing the flexibility of these frameworks, Tenable has just released a comprehensive set of report, dashboard and Assurance Report Card (ARC) templates that support ISO 27K and CSC (formerly referred to as the SANS Top 20). You can easily tailor them to meet your specific needs. For example, you can mix and match components designed to support various frameworks, as the dashboard below shows. It includes components initially created for CSF, ISO 27K and CSC frameworks, which you could rename as desired to match your internal language. Additionally, you could easily design your own dashboards leveraging a template or by starting from scratch.

Tailored hardware asset management dashboard
Create a composite dashboard using components designed to support different frameworks

In addition to customizing reports, dashboards and ARCs, you can apply dynamic asset lists to reuse a single template with assets for different business systems. This is especially useful with ARCs because you can set different pass/fail thresholds for different business systems as needed to mitigate different risk levels. The following example displays the status of three different business systems relative to the CSC Foundational Cyber Hygiene controls. Notice the different thresholds for the CRM system and the financial reporting system.

CRM financial SCM top 5 ARC
Set specific pass/fail criteria for different business systems

More information

If your organization is using one or more security frameworks, Tenable can help you automate your technical controls and help you assess and communicate their status. Please visit the following pages for additional information:


Good Security Metrics are a Work in Progress

Using Security Metrics to Drive Action

Tenable recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. In this article, excerpted from the ebook, Gary Hayslip, Deputy Director/CISO City of San Diego, CA, shares his thoughts on using security metrics to drive action.

Gary Hayslip found himself sitting next to the mayor of San Diego, California, one evening over dinner. The mayor turned to San Diego’s chief information security officer (CISO) and asked, “Just how secure are our networks?”

“They are a work in progress,” Hayslip responded.

It wasn’t what the mayor wanted to hear, but it started the two and a half-hour conversation. In it, CISO Hayslip helped the mayor understand that cybersecurity is a life cycle, not an event. “And part of that life cycle,” Hayslip explains, “is breaches. You never get 100 percent secure.”

When you collect metrics, you’re collecting them to tell a story

That’s one reason why metrics are so important, Hayslip says. “When you collect metrics, you’re collecting them to tell a story,” he states. “They have to be able to tell the story of your business.” To that end, Hayslip keeps a sharp eye on three measurements:

  • Time to detect. San Diego’s networks average 66,000 attacks per day—22 million a year—that are successfully blocked, Hayslip indicates. It’s inevitable that some attacks get through, he says. “My concern is, when they get in, how fast do I get alerts on them? How quickly do my firewalls and sensors detect that we’ve got an incident?”
  • Time to contain. This metric allows Hayslip to know how quickly attacks are contained and cleaned up. Those numbers need to be examined carefully, however, he says. If incidents are contained in 20 minutes on average, that might seem fine, but if within that average some departments take as long as an hour, it might mean that some brainstorming is in order to find new security layers to protect remote or mobile assets.
  • Number of compromised systems. San Diego hosts 14,000 desktop and laptop computers in its 40 departments, Hayslip notes. “So I have about 14,000 different doorways into my network.” On average, 45 machines are infected per month. By monitoring the number of compromises, he can gauge whether the city is staying within the acceptable exposure rate—for Hayslip, that’s about 1 percent of 10,000 machines per month. It also tells him whether he’s closing in on his personal goal of 10 machines per month. “That would be kind of phenomenal, when you look at the size of my network,” he adds.

These and other metrics—such as what types of attacks are getting through—tell Hayslip whether he’s succeeding in his overarching goal. “I want to be proactive,” he says. “I want to be able to see an attack before it infects the machine and to be able to stop it and kill it.” Metrics, in short, tell him how much work is yet to be done.

As it turns out, there’s still a fair amount of work to do, though much has been accomplished. Intrusions have fallen dramatically since Hayslip came on the scene, from a high of 160 intrusions per month down to 40. Phishing email attacks and infection from flash drives and websites are all down. Recently adopted cybersecurity technologies, including the Tenable Nessus agent scanner suite, have clearly been a big help, Hayslip asserts.

Not all metrics are created equal, of course. Hayslip used to monitor the number of help desk tickets that employees filed. That proved not terribly useful. “They could be submitting requests to my team’s email box that don’t even apply to us, just hoping someone is going to help them,” he explains.

In the end, Hayslip counsels CISOs to choose which metrics to track based not on their personal curiosity but on their business’ bottom line. “The metrics you collect need to mean something to the organization,” he says.

The metrics you collect need to mean something to the organization

If possible, he concludes, tie metrics to hard dollars. He did that recently, showing city leaders that by replacing some vulnerable legacy technologies, the city could reduce direct financial risk by $4.5 million and associated legal exposures by a whopping $75 million. “That room was quiet,” Hayslip recalls. “Everyone was looking at us like, ‘Wow!’”
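As an added example (constructed data; not the City of San Diego’s records, the ebook’s material or any Tenable output), the following computes the three measurements above from per-incident timestamps. It also carries the caveat in the “time to contain” item: the fleet-wide average is reported beside each department’s average and worst case, so a 20-minute average cannot hide a department that takes an hour. Fleet size, acceptable rate and goal are parameters; the values passed below (10,000 machines, 1 percent, 10 per month) are the ones quoted in the article.

```python
"""Time to detect, time to contain and compromised-system rate from incident records.

Added example with constructed data; the departments, timestamps and counts
below are made up and are not the City of San Diego's records.
"""
from collections import defaultdict
from datetime import datetime

# Constructed incident records, one row per compromised machine:
# (id, department, intrusion time, first alert time, containment time).
INCIDENTS = [
    ("INC-01", "finance", "2016-05-02 09:00", "2016-05-02 09:05", "2016-05-02 09:20"),
    ("INC-02", "finance", "2016-05-03 14:10", "2016-05-03 14:12", "2016-05-03 14:30"),
    ("INC-03", "parks",   "2016-05-04 08:30", "2016-05-04 09:15", "2016-05-04 10:25"),  # field laptop
    ("INC-04", "library", "2016-05-10 11:00", "2016-05-10 11:03", "2016-05-10 11:18"),
    ("INC-05", "parks",   "2016-05-20 16:00", "2016-05-20 16:40", "2016-05-20 17:10"),
    ("INC-06", "finance", "2016-06-01 10:00", "2016-06-01 10:04", "2016-06-01 10:19"),
]

FMT = "%Y-%m-%d %H:%M"


def _minutes(start, end):
    """Elapsed minutes between two timestamps in FMT."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60


def detect_and_contain(incidents):
    """Fleet-wide time to detect / time to contain, plus a per-department breakdown.

    Time to detect is intrusion -> first alert; time to contain is alert -> contained.
    Each department reports its own average and its worst case, so a good
    fleet average cannot mask a slow department.
    """
    per_dept = defaultdict(list)
    for _id, dept, intrusion, detected, contained in incidents:
        per_dept[dept].append((_minutes(intrusion, detected), _minutes(detected, contained)))
    all_rows = [row for rows in per_dept.values() for row in rows]
    summary = {
        "avg_detect_min": round(sum(d for d, _ in all_rows) / len(all_rows), 1),
        "avg_contain_min": round(sum(c for _, c in all_rows) / len(all_rows), 1),
        "departments": {},
    }
    for dept, rows in sorted(per_dept.items()):
        summary["departments"][dept] = {
            "incidents": len(rows),
            "avg_contain_min": round(sum(c for _, c in rows) / len(rows), 1),
            "max_contain_min": round(max(c for _, c in rows), 1),
        }
    return summary


def compromised_per_month(incidents, fleet_size, acceptable_rate=0.01, goal=10):
    """Compromised machines per month, checked against the acceptable rate and a stretch goal.

    acceptable_rate is a fraction of fleet_size (1 percent of 10,000 gives a
    ceiling of 100 per month); goal is an absolute count.
    """
    counts = defaultdict(int)
    for _id, _dept, intrusion, _detected, _contained in incidents:
        counts[intrusion[:7]] += 1  # bucket by YYYY-MM of the intrusion
    ceiling = fleet_size * acceptable_rate
    return {
        month: {"compromised": n, "within_acceptable": n <= ceiling, "meets_goal": n <= goal}
        for month, n in sorted(counts.items())
    }


if __name__ == "__main__":
    print(detect_and_contain(INCIDENTS))
    print(compromised_per_month(INCIDENTS, fleet_size=10000))
```

With these six constructed incidents the fleet averages 16.5 minutes to detect and about 27 minutes to contain, while the parks department’s worst case is 70 minutes: the kind of gap the article says should prompt a look at protections for remote or mobile assets.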

More information

About the author

As CISO for the City of San Diego, California, Gary Hayslip advises the city’s executive leadership, departments, and agencies on protecting city information and network resources. Gary oversees citywide cybersecurity strategy, the enterprise cybersecurity program, and compliance and risk assessment services. His mission includes creating a risk-aware culture that places high value on securing city information resources and protecting personal information entrusted to the City of San Diego.

Beyond the Numbers: Adding Strategic Business Context to Metrics

CISOs too often focus on numbers and metrics that are disconnected from the strategic mission of the business. Cybersecurity can add value, however, by looking past the numbers to the steps being taken to facilitate a safe execution of business strategy. 

The secret to success as a chief information security officer (CISO) “is forging relationships,” Nikk Gilbert, director of global information protection and assurance for ConocoPhillips (COP), said recently in the ebook, Using Security Metrics to Drive Action. “Metrics,” Gilbert continued, “can be a great way to solidify those relationships.” But it’s important for CISOs to form a strategic point of view with regard to the business objectives and to use metrics to reinforce those strategic views.

In the case of COP, this extends to the chief information security officer having a strong grasp of the ways COP geoscientists and reservoir engineers work together to find and extract petroleum around the world. These strategic relationships also need to extend to vendors, engineers, and the nuances of the local communities in the locations where the engineering, geophysics and geology teams search for hydrocarbon reserves.

Within organizations like COP, CISOs and CIOs also build relationships with other C-level executives and upper management, which leads to even more benefits. For starters, a recent study from the CIO Association of Canada found that 67 percent of CEOs and CIOs are confused about how IT should be enabling the business. The same study also concluded that improving the IT-business alignment in organizations at the C-level can make IT operate more effectively and generate tangible value.

Despite the fact that global IT spending is over $4 trillion annually, companies are not getting the full value of this investment because the spending is not adequately aligned with their mission. By aligning spending with mission and by building relationships predicated on metrics and data that provide strategic value, organizations benefit in three tangible ways:

The truth comes out. Executives are often so consumed by the bottom line that they misunderstand or simply don’t know how susceptible organizations are to the calamitous effects of a successful cybersecurity attack. By building these relationships, C-level peers of the CISO are able to see past the numbers and contemplate the real impact of the danger that comes from a major breach.

Establish lines of communication that mitigate potential panic. By having a CISO build strong bonds with team members like risk and compliance executives, organizations can align their processes like business continuity planning with their cybersecurity practices. They can also establish lines of communication that help everyone remain calm and well informed in the event of a severe and successful attack.

Navigate compliance minefields. In industries such as the energy sector, by aligning and building relationships with executives, CISOs can help the organization as a whole navigate potential compliance minefields. A good example is the recent requirement for complete operational technology and asset inventory tracking in the latest revision of NERC CIP in the utilities sector. CISOs were often at the forefront, working with vendors to accomplish this.

CISOs need to build and foster relationships. Companies like Tenable Network Security can help make that happen by providing solutions that add end-to-end visibility and critical context, moving beyond vulnerability scanning to effective vulnerability management.

SecurityCenter™ by Tenable Network Security, for example, provides discovery and analysis, which become more effective in the hands of a CISO who has a strong understanding of the business goals and the direction of the organization. The customizable dashboards, reports and Assurance Report Cards™ in SecurityCenter arm CISOs with the tools they need to socialize and support their viewpoints with colleagues and higher-level executives.

Resources

Stay in touch with Tenable. Subscribe to the Tenable Blog by clicking Blog email updates on the Blog Home Page.

Vulnerability Management in Government: Visibility Plus Context

Vulnerability management is an essential part of government cybersecurity. It requires not only continuous monitoring and visibility to spot vulnerabilities, but also the context needed to prioritize vulnerabilities based on risk so agencies can take effective action to eliminate, patch or mitigate.

Successful coaches know that a winning team must be able to execute on the fundamentals. The same holds true for government cybersecurity. The best talent and technology by themselves cannot ensure the security of an agency’s enterprise without a focus on the basics.

Vulnerability management is fundamental to government cybersecurity. It is essential to good cybersecurity hygiene and a basic element of your agency’s risk management. It requires not only that you identify vulnerabilities, but also that you prioritize them so they can be effectively eliminated, patched or mitigated. This requires not only visibility, but also context. Tenable, already the most widely deployed security solution for discovering what and who is on your network, can also provide the context and communication you need for fully effective vulnerability management.

Risk

According to the latest 2016 Data Breach Investigations Report from Verizon, the median time to exploit a newly identified vulnerability is about 30 days, and the top 10 vulnerabilities account for about 85 percent of successful exploits. This provides agencies with a reasonable window to patch or mitigate the most troublesome vulnerabilities in their systems. But there are another 900 Common Vulnerabilities and Exposures (CVEs) being targeted by the remaining 15 percent of exploits.

Add to this the fact that your networks are dynamic, with new hardware and software continually coming online and increasingly mobile users accessing your resources remotely, and it becomes clear that managing vulnerabilities must be a continuous process.

A vulnerability management program can’t be effective if it manages only some—or even most—of your agency’s assets. It must detect new and hidden (or shadow) devices and applications, as well as transient end devices such as laptops and mobile devices. These unknowns, including cloud assets, must be identified, their status and configuration discovered, and then managed on an ongoing basis.

Management

Anyone who has updated, patched or mitigated vulnerabilities knows that this is not a trivial task. All changes must be vetted to ensure that they do not interfere with vital government missions. Devices that are not permanently part of the network must be managed when they show up—all while dealing with the addition of new software and hardware. This means that vulnerability management must be prioritized. If you can’t eliminate all vulnerabilities, you have to focus on the most important ones.

Which vulnerabilities are most important depends on the level of risk they represent, and this will vary from agency to agency. It depends on the likelihood that a vulnerability will be exploited, and the potential impact. So you not only need to spot the vulnerability, you must also know something about it and the system where it lives.

Relevant information must be made available to public sector stakeholders, including the security team, IT operations, asset owners, and executive-level management.

Visibility plus context

Tenable Network Security provides the visibility and critical context needed to move your agency beyond vulnerability scanning to effective vulnerability management. Tenable’s passive traffic and event monitoring detect and monitor services and applications in use, even in cloud and virtualized environments.

SecurityCenter™ is a comprehensive solution that provides not only discovery, but also analysis and a variety of customizable dashboards, reports and Assurance Report Cards™ so that stakeholders get the information they need. It combines technology with people, with a research team that provides daily content updates.

SecurityCenter provides:

• Broadest coverage of CVEs
• Powerful communication
• Easy integration with third-party solutions
• Support from Tenable’s world-class team of researchers

The government vulnerability management life cycle includes continuous monitoring, analysis and response. By providing full-cycle vulnerability management, Tenable is ready to help your agency create a successful vulnerability management program.

Security in the Digital Age

The Gartner Security and Risk Management Summit

When Gartner Vice President Peter Firstbrook took the stage at this year’s Gartner Security and Risk Management Summit, he spoke of two shifts in security: resilience and trust. Organizations must develop resilient security programs that anticipate disruptions and enable them to respond quickly to avoid costly lapses in productivity. He also championed trust within the organization, as opposed to traditional restrictive security controls.

Additional sessions throughout the week, including keynotes from the likes of General Colin Powell, reinforced the importance of these concepts, particularly in a world where the lines between physical security and cybersecurity continue to blur. Here are a few key takeaways and insights from the conference.

Vulnerabilities remain

Some things change while others remain the same. In his session, “Gartner Essentials: Top Security Predictions/SPAs 2016,” Earl Perkins noted that through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.

This issue becomes even more apparent with the increase in the number of IoT and mobile devices in the workplace, which has caused organizations to adjust their strategy to find legacy vulnerabilities on those devices. During his presentation, “The World Is Changing – How Does It Affect My Vulnerability Management Program,” Augusto Barros recommended that vendors integrate with enterprise mobility management (EMM) providers to ensure better management of those assets, which in turn can lead to more informed mitigation options.

DevSecOps

The emergence of IoT, combined with the prevalence of legacy vulnerabilities, will force security to be integrated earlier in the development process. During his session, "Integrating Security in DevOps: DevSecOps," Gartner VP Distinguished Analyst Neil MacDonald implored practitioners and vendors not to let the perception of security as an inhibitor to rapid innovation keep it out of the DevOps process. To integrate themselves with these processes, security vendors must provide more out-of-the-box support for containers and other management systems.

Automation

Detection and response ahead of prevention has been the rallying cry from Gartner for the past several years, and vendors have received that message. However, the sheer amount of data created by detection services, combined with a skills shortage in the industry, has created a pressing need to introduce additional automation capabilities. In his session, "What Every Security Vendor Should Know About Security Automation," Gartner Research Director Eric Ahlm predicted that by 2020, security program owners able to automate at least 50% of their program will experience half as many breaches as their peers that have not automated.

While Ahlm doesn’t view automation as a market unto itself, he sees it acting as a task facilitator and error reducer, especially in the threat detection, threat response, threat investigation, and vulnerability management markets. How organizations consume automation products will depend largely on the maturity of their Security Operations Center (SOC).

Security analytics and UEBA

Along with automation, organizations are using security analytics and User Entity Behavior Analytics (UEBA) strategies to prioritize and take action on the most relevant data. Despite the hype surrounding security analytics, the definition still remains unclear and many UEBA tools are still immature. However, several security vendors are taking notice, and according to Avivah Litan and Toby Bussa's session, "The Fast-Evolving State of Security Analytics 2016," Gartner expects that by 2018, at least 30% of major SIEM vendors will incorporate advanced analytics and UEBA functionality into their products.

Adaptive Security Architecture

All of these trends point toward a framework that Gartner recommends security professionals follow to protect their organizations from attacks: adaptive security architecture. Adaptive security architecture is composed of four critical competencies—predict, prevent, detect, respond—that encourage organizations to utilize context-aware platforms that provide them with continuous visibility into all areas of their environment. According to Gartner, this framework can be a useful tool in identifying and evaluating their existing security investments, as well as new vendors.

As new and emerging technologies change the way we look at security, Tenable continues to transform security technology to meet critical business needs through solutions that provide continuous visibility and critical context, enabling decisive actions to protect organizations. Check out our solutions page today to see how Tenable solves your most pressing security needs such as vulnerability management, continuous monitoring, and security assurance.

With Security Metrics, Every Picture Tells a Story

Using Security Metrics to Drive Action

Tenable recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. In this article, excerpted from the ebook, Aanchal Gupta, Chief Information Security Officer (CISO) for Skype at Microsoft, talks about how she selects metrics to illustrate business risks.

Aanchal Gupta empathizes with C-suite executives’ need to get to the point of any discussion. As chief information security officer (CISO) for Skype and Skype for Business, she appreciates terseness from her own team.

When an executive asks her for an enterprise security update, she shows the same courtesy. That attitude helps guide her selection of metrics to illustrate business-risk assessments to senior leaders. Examples of those metrics include:

• Externally reported security incidents. Because Skype is a public-facing, Microsoft-owned communications platform, external researchers do a lot of testing on Skype. “Anything that is reported is taken very seriously. We track these issues closely,” Gupta says. She graphs incidents over time, she states, to help leadership understand whether Skype is addressing these potential vulnerabilities. She also tracks the mean time to resolve each issue. If, over time, both graphs do not trend downward, she notes, “Then something is wrong—we are not focusing our engineering investments in the right places.”
• Penetration testing. Skype regularly pen-tests its own product, Gupta notes, and this metric reveals any visible gaps. “I try to categorize those gaps for our leadership team,” she adds. Skype uses Microsoft’s “STRIDE” model to categorize threats—an acronym that stands for “spoofing identity,” “tampering with data,” “repudiation threats,” “information disclosure,” “denial of service” and “elevation of privilege.” The metric is important to senior leadership, Gupta asserts, because they know that penetration failures can be prevented with more in-depth training.
• Engineering security maturity. Gupta believes that when engineers understand that they’re responsible for security from the requirements phase all throughout the development process, the final product is more secure. That’s why threat modeling is required of the Skype engineering teams. She uses color-coded heat maps to track teams’ relative security-preparedness ranking graphically, she says. The best prepared fall into the green zone; the least prepared are color-coded red. This is a simple way to communicate to executives which engineering teams need “encouragement” to focus more on security. “You can see the wheels moving right away,” she comments. “You leave the executive meeting and right away you get four follow up meeting invitations from the engineering managers: ‘Can you walk my team through why we are red and how we can get to green?’”
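
The first two metrics above (incident count over time, mean time to resolve, and the STRIDE categorization of findings) can be produced from a plain list of incident records. The Python below is an added illustration, not code from the ebook or from Skype; the incident dates and categories are constructed, and the rule that both graphs must not get worse month over month is an assumed reading of Gupta's "both graphs trend downward" test.

```python
# Added example: compute the metrics described above from a constructed
# incident list. Not code from the ebook or from Skype; all data is invented.
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# STRIDE threat categories as named in the article.
STRIDE = {
    "S": "spoofing identity",
    "T": "tampering with data",
    "R": "repudiation threats",
    "I": "information disclosure",
    "D": "denial of service",
    "E": "elevation of privilege",
}

# Constructed sample records: (date reported, date resolved, STRIDE letter).
INCIDENTS = [
    (date(2016, 1, 4), date(2016, 1, 30), "I"),
    (date(2016, 1, 11), date(2016, 2, 2), "E"),
    (date(2016, 1, 20), date(2016, 2, 1), "S"),
    (date(2016, 2, 3), date(2016, 2, 15), "I"),
    (date(2016, 2, 17), date(2016, 2, 24), "T"),
    (date(2016, 3, 8), date(2016, 3, 11), "D"),
]

def monthly_counts(incidents):
    """Externally reported incidents per month (the first trend graph)."""
    counts = Counter(reported.strftime("%Y-%m") for reported, _, _ in incidents)
    return dict(sorted(counts.items()))

def monthly_mttr(incidents):
    """Mean days from report to resolution, grouped by month reported."""
    by_month = defaultdict(list)
    for reported, resolved, _ in incidents:
        by_month[reported.strftime("%Y-%m")].append((resolved - reported).days)
    return {month: mean(days) for month, days in sorted(by_month.items())}

def trending_down(series):
    """True when no month is worse than the one before (assumed reading)."""
    values = list(series.values())
    return all(later <= earlier for earlier, later in zip(values, values[1:]))

def stride_breakdown(incidents):
    """Count findings per STRIDE category, keyed by the full category name."""
    tally = Counter(category for _, _, category in incidents)
    return {STRIDE[k]: tally[k] for k in STRIDE if tally[k]}

def summary(incidents=INCIDENTS):
    """The figures a CISO would put in front of leadership."""
    counts, mttr = monthly_counts(incidents), monthly_mttr(incidents)
    return {
        "incidents_per_month": counts,
        "mttr_days": mttr,
        # Both graphs must trend down; otherwise "something is wrong".
        "engineering_on_track": trending_down(counts) and trending_down(mttr),
        "stride": stride_breakdown(incidents),
    }
```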

It is important for CISOs to avoid presenting prebaked metrics to executives, Gupta cautions. If at an executive meeting you point out that the organization has several open security issues, someone will ask you to prioritize and rank them. If you reply that some of the issues you have charted have not yet been severity-ranked, leadership will not be happy.

“Don’t go to your leadership unprepared,” Gupta urges, “Your data should reflect the homework you have done.”

A final insight: a picture is worth a thousand words, especially one that illustrates your metrics in an effective and cogent way. “You may speak for an hour and nobody will believe that you have affected the problem,” Gupta contends. “But if you show leadership a trend graph, they’ll be convinced.”

About the author

As CISO for Skype at Microsoft, Aanchal Gupta leads a team of experts at Microsoft in the areas of security, privacy, and compliance. She is passionate about building products that are safe, trustworthy, and accessible to everyday users. Prior to joining Microsoft, Aanchal led Yahoo!’s Global Identity team, contributing to various authentication and authorization open standards such as OpenID and OAuth. She has more than two decades of experience leading large, distributed development teams developing global software used by millions.
