assessing vulnerabilities .pdf
Original filename: assessing-vulnerabilities.pdf
This PDF 1.4 document has been generated by Adobe InDesign CS5 (7.0.4) / Adobe PDF Library 9.9, and has been sent on pdf-archive.com on 15/02/2013 at 09:38, from IP address 83.86.x.x.
The current document download page has been viewed 615 times.
File size: 585 KB (8 pages).
Privacy: public file
Download original PDF file
Integrating data and processes to make vulnerability
management more effective and efficient
Integrating data and processes to make vulnerability management
more effective and efficient
The Security Connected
framework from McAfee enables
integration of multiple products,
services, and partnerships for
centralized, efficient, and
effective risk mitigation. Built
2 3 of 5
more than two1decades
proven security practices, the
Security Connected approach
helps organizations of all
sizes and segments—across all
postures, optimize security
for greater cost effectiveness,
and align security strategically
Architecture provides a
LEVEL path from
2 3to 4
implementation. Use it to
adapt the Security Connected
concepts to your unique risks,
infrastructure, and business
objectives. McAfee is relentlessly
focused on finding new ways to
keep our customers safe.
Understanding vulnerabilities is a critical early step in any security management
program. On average, 400 new vulnerabilities are discovered every month according
to NIST’s National Vulnerability Database. This rapid rate of change makes it difficult
to quickly analyze the potential impact of newly discovered vulnerabilities on your
organization. In addition, many companies introduce new servers or applications
regularly, complicating the problem. If you don’t have a solid understanding of
where your most critical hosts, applications, and vulnerabilities lie, you are flying
blind in a thunderstorm and can only hope that you don’t crash into a mountain
hiding in the clouds.
The problem is that most organizations treat vulnerability scanning as an occasional
and isolated exercise, largely focused on simple compliance requirements. They fail to
take into account the dynamic nature of assets and threats, and they fail to leverage
the information they have about hosts and countermeasures to effectively prioritize
remediation. Microsoft, Adobe, and other vendors disclose new vulnerabilities on
an almost daily basis, and new assets appear on the network faster than they can
be catalogued. A vulnerability management system that isn’t solidly connected to
asset management and a closed-loop remediation process is doomed to remain an
inefficient, continuous run on the hamster wheel.
Most organizations have a vulnerability assessment (VA) tool of one sort or another, often more than
one. Basic tools are effective at the basic task of cataloguing vulnerabilities that exist on hosts, but
tend to be disconnected, deployed primarily to meet compliance mandates that dictate the need. The
valuable data they glean about hosts remains siloed, independent of multiple security management
processes that could benefit from it. This hurdle must be overcome, since the data from a well-managed
vulnerability management program is exactly the input needed to create an optimized security and
Vulnerability assessment solutions tend to remain in this standalone, tactical state for a number of reasons:
Lack of connectivity to a comprehensive source of asset information. Before you can assess
a device, you must know it exists, and what it is. While most tools provide for basic discovery of
assets, this primitive information fails to offer the context needed for relevant asset inventory,
reporting, and workflow.
Good view of the network; poor view of the enterprise organization. An effective solution
needs to know not only where the active IP addresses are on your network, but also be able to link
them to their roles in your business. Vulnerability assessment and reporting are very different for a
point-of-sale kiosk, executive laptop, and e-commerce server.
Multiple tools to do one job. While many organizations do a reasonably good job of assessing
vulnerabilities on hosts, few bother diving into web applications and databases, where critical data
resides. The tools make this difficult, as they tend to be special purpose. Connecting each of these
special-purpose VA tools into your enterprise infrastructure adds complexity and cost.
Poor remediation workflow. The focus of many vulnerability assessment programs is gathering
data and generating reports. This is only the beginning. A truly effective program categorizes and
prioritizes vulnerabilities, taking into account severity of the vulnerability and the relative value of
each vulnerable asset. Next, it is critical to get this information directly into the hands of the people
who need to take action.
Inability to translate vulnerability into risk. Most organizations today have far more vulnerabilities
in their network than they are able to address with their available staff. Not all vulnerabilities are
created equal. Many vulnerabilities are mitigated by countermeasures or other security controls, are on
assets that are low value, or are highly unlikely to be exploited for other reasons. A good VA program
and its tools should provide the guidance you need to fix what’s most important, first.
Until these basic challenges are overcome, most organizations are unable to leverage the information
they have gathered to transform raw data into actionable intelligence. As a result, they tend to spend
a great deal of resources on VA, often with little or no measurable improvement in risk posture.
These factors could influence
Do you need to assess
workstations? Servers? Web
What types of VA reports
will you require? How often
will you need to generate
them? Are there different
organizations that require
specific reports related to
How does your current
process work? Who needs
the information detailing
the specific vulnerabilities
that need to be addressed?
What’s the most efficient
way to provide that
information? Is there an
existing ticketing system?
Do you use McAfee ePolicy
ePO™) today to manage
endpoint security or other
to your business that
might affect your
VA solution architecture?
To achieve efficient vulnerability assessment, it is necessary to step beyond point products and disparate
tools and integrate vulnerability assessment into a broader enterprise workflow. An ideal solution
combines the following capabilities into a cohesive framework:
Comprehensive asset discovery. Asset discovery can be performed both actively (via scanning) or
passively (via links to external databases or passive network listeners). Regardless of the technique,
all assets should flow into a common repository for management.
management. Asset management ensures that each scanned asset is properly sorted and
categorized to support efficient scanning, reporting, and remediation. Assets may need to be
organized by geography, business unit, application, compliance, or combinations of these. Assets also
may require criticality or value to be assigned by administrators, so that remediation can be prioritized.
Finally, assets should have owners associated with them, so that the proper personnel can be assigned
Comprehensive vulnerability scanning. Vulnerability scanning should provide the ability to deeply
assess a wide variety of platforms, including Windows, UNIX, Mac OS, and network infrastructure
devices. In addition to operating systems, administrators should also provide the ability to assess web
applications and databases, eliminating the need for multiple tools that accomplish essentially the
Flexible reporting and remediation workflow. Many VA implementations begin with simple reports
that business owners use to demonstrate compliance with relevant regulatory requirements. They
highlight broad areas that require remediation. At a minimum, the VA solution needs the flexibility
to produce the reports dictated by the business. As your vulnerability and risk management processes
mature, however, you will require a more open framework to support deeper, automated analysis
of the risk associated with vulnerabilities, ensuring the right individuals are fixing the right things in
the right order.
Technologies Used in the McAfee Solution
The McAfee® solution has several components designed to work together as a cohesive solution.
Servers, Network Devices
• Asset Management
• Risk Analytics
McAfee ePolicy Orchestrator (McAfee ePO)
McAfee Risk Advisor
The McAfee solution provides comprehensive, risk-based vulnerability assessment over the network, unified by McAfee
McAfee Vulnerability Manager
McAfee Vulnerability Manager (MVM) is the core of the solution and performs several key tasks.
In the simplest model, MVM is a highly scalable standalone solution for host discovery, asset
management, vulnerability assessment, and reporting on any network-connected device. As your
needs expand, MVM integrates cleanly with the other components in the McAfee solution, protecting
and extending your investments.
McAfee Vulnerability Manager: Web Application Assessment Module
The MVM Web Application Assessment Module (WAAM) offers deep web application scanning to
ensure that common coding mistakes and vulnerabilities are addressed as part of a vulnerability
management lifecycle. What makes it unique is that it treats web applications as business assets, just
like a server, router, or other high-value assets. This is important since web applications have business
value and therefore have asset owners and varying levels of criticality.
The WAAM covers commonly exploited web application vulnerabilities and weaknesses in the market
today. Specifically, the Web Application Assessment Module includes the required checks for PCI DSS
as well as coverage of the OWASP Top 10 and the CWE-25 categories. All workflow and reporting
is seamlessly integrated with native MVM capabilities and may be performed via McAfee ePolicy
Orchestrator® (McAfee ePO™) as well.
McAfee Vulnerability Manager for Databases
McAfee Vulnerability Manager for Databases (MVMDB) comprehensively evaluates risk for leading
database systems such as Oracle, Microsoft SQL Server, IBM DB2, MySQL, and others. It includes more
than 3000 checks to reveal missing database patches, unsecured database accounts, high-risk code,
and other classes of vulnerabilities. MVMDB is a simple extension to McAfee ePolicy Orchestrator and
leverages native functionality for reporting and workflow.
McAfee ePolicy Orchestrator
McAfee ePolicy Orchestrator serves as a central repository for asset management and reporting across
the combined vulnerability assessment solution. McAfee ePO collects information about assets via
multiple discovery techniques, including active scanning from McAfee Vulnerability Manager and passive
sensing via McAfee ePO Rogue System Detection. Discovered assets are then grouped, tagged, and
managed via McAfee ePO for use in scanning and reporting. McAfee ePO also collects and collates
vulnerability information from all parts of the McAfee solution, providing centralized dashboards,
reporting, and automated workflow for dealing with vulnerability remediation.
McAfee Risk Advisor
McAfee Risk Advisor (MRA) is an analytics engine that brings in:
feeds from McAfee Labs
information from MVM
data from McAfee ePO, including criticality, specific security controls (countermeasures)
that are deployed in your environment, and how they are configured
By combining detailed information about host security posture with up-to-date information about
emerging threats, McAfee Risk Advisor highlights exactly which vulnerabilities are most critical,
correlated with the most valuable assets, helping you address the most pressing issues first.
McAfee Network Security Platform
McAfee Network Security Platform (NSP) leads the industry in network intrusion prevention. It deeply
analyzes hundreds of different network protocols looking for known attacks as well as suspicious and
malicious behaviors. NSP imports vulnerability details from MVM, providing crucial security posture
details to the IPS analyst. Correlating attacks with host vulnerabilities improves the relevancy of the
alerts generated by NSP and allows IPS analysts to more quickly identify the most critical security events.
Impact of the Solution
Deploying McAfee’s solution for VA addresses the driving concerns outlined at the beginning of
Connects vulnerability assessment to a comprehensive source of asset information, providing the
context needed for relevant asset inventory, reporting, and workflow
Provides visibility into both the network and the enterprise organization, telling you where the active
IP addresses are on your network and their roles in your business
Consolidates a tool for host vulnerability assessment with tools for assessing web applications and
databases to improve risk management while reducing complexity and cost
Improves remediation workflow to get the right information directly into the hands of the people
who need to take action
Helps translate vulnerability into risk to provide the guidance you need to fix what’s most important, first
McAfee reduces the cost of integrating vulnerability assessment with other enterprise processes, such
as compliance reporting and patch management, to help you manage those 400 new vulnerabilities per
month with the fewest possible resources.
Are all of the components discussed in this blueprint required, or can I start with one
component and build up to a more complete implementation over time?
All of the components in this solution are important parts of a comprehensive vulnerability assessment
program. However, it is certainly not mandatory to deploy them all simultaneously. Each module—host,
web, and database—can be put in place independent of the others and will be ready to support a
completely integrated solution over time.
What countermeasures can McAfee Risk Advisor correlate against vulnerabilities?
McAfee Risk Advisor currently correlates the following countermeasures:
McAfee VirusScan® Enterprise
McAfee Host Intrusion Prevention
McAfee Application Control
McAfee Network Security Platform
McAfee adds support for additional countermeasures regularly; see the product documentation or the
McAfee website for a current, complete list.
For more information about the Security Connected Reference Architecture, visit:
About the Author
Scott Taschler, Systems Engineer with McAfee, has over 15 years experience helping enterprises to
understand and to effectively cope with the latest emerging threats. In his role at McAfee, Scott works
closely with a wide range of organizations to understand how the threat landscape is evolving, and how
to leverage a range of techniques on the endpoint and network to counter them. Scott is a Certified
Information Systems Security Professional.
The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information
contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
McAfee, McAfee Application Control, McAfee ePolicy Orchestrator, McAfee ePO, McAfee Global Threat Intelligence, McAfee Host Intrusion
Prevention, McAfee Labs, McAfee Network Security Platform, McAfee Risk Advisor, McAfee Vulnerability Manager, VirusScan, and the McAfee
logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and
brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only
and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2011 McAfee, Inc.