CONFIDENCE: SECURED

WHITE PAPER

TONY BR ADLEY, CISSP-ISSAP, MICROSOFT MVP

EDITOR-IN-CHIEF OF T ECH S PECTIVE

MIND THE GAP

USING VULNERABILITY MANAGEMENT TO ADDRESS

THE ENTERPRISE CYBERTHREAT GAP

ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE

INTRODUCTION
The problem for most enterprises today is information overload. Attacks
are becoming more sophisticated, and increasing at a pace that IT
professionals simply cant keep up with. A data breach is a matter of when,
not if, and what separates a minor incident from a catastrophic event
is the ability to minimize the cyberthreat gap, and address issues more
effectively and efficiently.
This paper will discuss the security challenges facing enterprises today, and
how to deal with them. Specifically, the paper will describe how automated
vulnerability management can be an effective tool for reducing the
cyberthreat gap, and minimizing the potential damage from a data breach
incident.
If an organization does not have enough
information about suspicious activity or security events on its network,
that is obviously a problem. For most
enterprises today, though, the opposite
is true: there is such an overwhelming
amount of information that it is difficult to properly correlate, analyze, and
understand whats going on. Attackers
continue to get more organized, and
more sophisticated over time, and a lack
of qualified IT staff leaves organizations
at a distinct disadvantage.

THREE MAJOR CHALLENGES

There are three primary challenges

facing IT professionals today. The
first contributing factor is information
overload, and a lack of a single source
of truth. Enterprises rely on disparate
specialized security toolsantivirus,
firewalls, intrusion detection/prevention,
patch management, etc. SIEM (Security
Information and Event Management)
platforms are ostensibly designed to
address this problem, but because these
different systems dont share data it is
difficult to effectively aggregate security
information. There is no single vendor
that can truly manage everything

end-to-end, so organizations need enterprise integration. Businesses need to be

able to unify data from separate silos in
order to make effective decisions in a
timely manner.
Another factor is a lack of business
context. IT departments do not have
unlimited resources, so its impossible to
immediately resolve every single issue.
Some applications or servers are more
business critical than others, and deserve
more attention and protection. If all
assets are treated as equal its impossible
to effectively allocate IT resources to
reduce the cyberthreat gap and minimize the impact of an attack, so its
important to determine which assets
matter most and focus on those. Risk
has to be managed within the scope of
business context to filter out noise and
focus on the critical assets.
The third factor is the motives and
motivations of the adversaries that
enterprises face. While organizations
have to identify and patch every vulnerability and defend against every possible
attack, attackers only have to find one
exploit that works. A patient adversary

Mind the Gap: Using Vulnerability Management to Address the Enterprise Cyberthreat Gap

has time on his or her side, and a successful data breach may play out over
an extended period of days, weeks, or
months. Enterprises need reliable data
collection that can identify changes that
are indicators of compromise, eliminates
blind spots and enables fast and effective
decisions.

THE ENTERPRISE
CYBERTHREAT GAP
How much damage can be done, or how
much data can be compromised by an
attacker in a day? How about a month?
Mandiant (now part of FireEye) reports
that it takes an average of 243 days to
discover an APT (Advanced Persistent
Threat), and a Ponemon study revealed
that it typically takes 123 days to completely resolve a breach. Thats a whole
year from the time an attacker infiltrates
the network until the compromise is
detected and the threat is eradicated.
A year. Add to that the fact that most
organizations dont actually even discover their own data breaches, and its
obvious that enterprises have a problem.
One of the keys to better security is to
give up on the idea that complete security is an achievable goal. It isnt a matter
of if your organization will be compromised, its a matter of when, and its best
to work under the assumption that you
are in a constant state of compromise.
Instead of hiding behind the illusion of
security, work to understand the nature
and behavior of the threats, and then
implement solutions that help identify
and resolve incidents more quickly.
Tripwires Enterprise Cyberthreat Gap
model was created to illustrate the different phases of the Cyberthreat Lifecycle,
and provide IT professionals with a
means of addressing the escalating
security risks. It is critical to discover
a breach, determine when the initial
breach occurred, and identify how long
your data has been exposed.

Tripwire breaks the lifecycle down into

three phases:

Detection GapThe amount of

time it takes to discover an actual

compromise and identify its nature
the longer it takes to detect, the
greater the likelihood of loss (or not
being able to figure out what really
happened)
Remediation GapThe time it takes
after detection to understand the
scope and severity of the attack, and
take steps to minimize damage
Prevention GapThe time it takes
to put measures in place to avoid
future attacks, such as implementing
additional monitoring or patching
vulnerabilities (75 percent of breaches
could be prevented by remediating
known vulnerabilities)
DETECTION GAP
The Detection Gap is the time between
when a breach actually occurs and when
it is detected. It is crucial for an enterprise to be able to limit this gap, because
every day that a breach goes undetected
is an opportunity for the attackers to
wreak more havoc and compromise more
data.
IT professionals need to be able to
answer the question, Have we been
breached? There are red flags
indicators of compromisethat
enterprises should be looking for, like
rogue, unknown devices suddenly
popping up on the network, or new
applications installed that shouldnt
be there, or network equipment taken
offline or uninstalled.
The challenge is how to effectively
answer that question and minimize the
Detection Gap. Many attacks are smart
enough to not make waves. They take
their time infiltrating and compromising
the network in order to fly under the
radar and evade detection. The best way

to identify sophisticated attacks is often

through detecting sequence of small
changes that play out over time.
Organizations should have tools in place
to detect changes and events of interest in real-time, and alert IT personnel
about rogue hosts or applications as they
happennot just a report after the fact.
To reduce the signal to noise ratio, the
tools also need to be able to incorporate
vulnerability or risk assessment information, and correlate suspicious activity
with vulnerable hosts.
Its also important to view activity
through the lens of behavioral context
How? Patterns often emerge that
provide indicators of risk that can assist
in early detection, and speed up the
response time when an actual incident
occurs.
RESPONSE GAP
Once an attack is detected, the next
order of business is the Response Gap
limiting the damage by minimizing
the time between the discovery and
remediation.
Organizations need immediate access to
information that enables them to answer
crucial questions about the attack. If
the breach was a result of a vulnerability
being exploited, IT personnel need to
be able to quickly determine which
machines are vulnerable. Why? Because
if attackers are successful in exploiting
a vulnerability on one machine, theyre
likely able to exploit it on others. Time
is of the essence in this scenario, and
waiting to run a new vulnerability scan
is not a viable option.
If your log monitoring tool alerts you
to suspicious activity on your network,
you need to have the right information
at your fingertips to answer urgent and
important questions: Who owns the
machine? What applications does it run?

Which ports are open? What vulnerabilities does it have?

In order to minimize the Response Gap,
you need to be able to find, isolate, and
mitigate affected machineskeeping in
mind the business context of the assets
so the most critical systems are treated as
a higher priority. You need to know who
owns responsibility for the target host,
and what its business purpose is so that
the right people can be notified, and
decisions can be made quickly.
An ideal platform for addressing the
Response Gap enables an organization to
quickly answer all of the above questions
by searching through historical scan and
inventory and forensic data. It should
be able to look back in time during the
window when no patch or signature
was available, and identify changes
made so damage can be isolated and
resolved. Ideally, it should also provide
some context about whom and when the
attack originated from, and an ability to
quickly shut down login credentials that
appear to be exhibiting suspicious or
malicious behavior.
PREVENTION GAP
The final piece of closing the Enterprise
Cyberthreat Gap is the Prevention Gap.
You need to put preventive measures in
place to avoid future attacks and reduce
the odds of a successful attack occurring.
How do you address the Prevention Gap?
For starters, you should reduce the overall
attack surface by shutting off or disabling
unused devices, services and applications.
Next, you need to maintain an accurate
and up to date inventory of every device
and application on the network. Every
IP-based asset running on your networkservers, desktops, laptops, routers,
switches, firewalls, printers, etc.should
be catalogued, along with a profile of the
operating system, applications, current versions and the open ports on each device.

Mind the Gap: Using Vulnerability Management to Address the Enterprise Cyberthreat Gap

Conduct a scan of remote and third-party (supply chain, vendors, and partner)
networks. Dont ignore scanning hard
to reach places (like your network
perimeter and remote offices) that could
provide an easy back door for attackers, and be thorough by scanning both
managed and unmanaged devices and
systems. Web applications are a frequent
and easy target for attackers, so identify
and fix unpublished vulnerabilities in
those.
Finally, prioritize remediation. You
should have a scoring and reporting
system that takes into account both the
vulnerabilities and general risk for a
given system, as well as its role within a
business context. Each asset should have
a unique score that helps you prioritize
remediation efforts, so allocate resources
to mitigate or recover mission critical
systems first.

USE VULNERABILITY MANAGEMENT

TO CLOSE THE CYBERTHREAT GAP
A comprehensive vulnerability management platform like Tripwire IP360 plays
a central role in establishing an effective
program to address the Cyberthreat
Gap. There are four ways vulnerability
management facilitates closing the gap:
reliable data collection, business context,
security automation, and enterprise
integration.
RELIABLE DATA COLLECTION
Vulnerability management helps you
eliminate blind spots by consistently collecting data from mostif not allof
the devices and applications that touch
your network. You can strike a balance between scan accuracy and host
or network impactchoosing between
simple detection or active exploitation
to verify a vulnerability. There is also
a balance between scan speed and the
amount or volume of data collected.
For example, conducting a cursory scan

vs. performing a deeper scan (using

credentials to allow the vulnerability
scanner to log in to the host to collect
more data and conduct a full port scan),
or configuring the vulnerability scanner to perform continuous scanning vs.
periodic scans.
The vulnerability management platform
can also receive automated threat/coverage feeds to stay up to date on emerging
threats, as well as leverage historical data
to enable instant queries, identify trends
and provide forensic analysis capabilities.
BUSINESS CONTEXT
A comprehensive vulnerability management platform enables you to manage
security risk using the unique terms that
apply to your business. Understanding
the business context of the assets on
your network is helpful when identifying
where a system is located, or who owns
it, and enables an organization to limit
access for users to only the systems or
data their roles require.
Another facet of business context is the
monetary value of assetsthe ability to
assign a specific financial value to the
potential impact of an attack or exploit.
A random endpoint may hold relatively
little value, while an e-commerce web
server could be worth millions.
You can align your vulnerability
management program with your organizational structure, and prioritize your
efforts based on which assets are most
critical to your business rather than
treating every vulnerable machine as an
equal priority.
SECURITY AUTOMATION
Automation is a key factor in effective
security. There are simply too many vulnerabilities and too many new exploits
to expect IT personnel to keep up with
it all manually. Automating manual

Mind the Gap: Using Vulnerability Management to Address the Enterprise Cyberthreat Gap

processes (such as report generation, data

analysis in spreadsheets, and data correlation) increases efficiency and allows
your organization to more effectively
reduce risk. The vulnerability management platform provides automation to
continuously check for new vulnerability
risks, rogue hosts or unauthorized applications, and automatically prioritize risks
to take immediate action.
ENTERPRISE INTEGRATION
As we mentioned at the beginning of
this paper, part of the problem facing
enterprises is that there are too many
discrete security tools that dont communicate with each other. A vulnerability
management platform like Tripwire
IP360 can integrate with other security
solutions to unify information silos, and
combine vulnerability, configuration and
event data to share data and business
context to enable further automation.
You can strengthen your overall security
postureand get more from your existing investment in securityby sharing
refined intelligence between different
security controls. For example, if you
mesh vulnerability management with a
security configuration management platform like Tripwire Enterprise, you can
combine change, policy and risk data
to immediately discern between good
changes and the bad ones that adversely
affect security.
TRIPWIRE IP360
The attackers seem to have an advantage
because they have time on their side, and
they only have to find one exploit that
works to compromise your data. There
are simply too many threats, and too
much information for IT personnel to
manage it effectively. Its overwhelming.
Employ a vulnerability management
system like Tripwire IP360 to help you
automate as much as possible, and close
the Enterprise Cyberthreat Gap.

ABOUT TRIPWIRE

Tripwire delivers advanced threat,

security and compliance solutions used
by over 9,000 organizations, including
over half of the Fortune 500. Tripwire
enables enterprises, service providers and
government agencies around the world
to detect, prevent and respond to cybersecurity threats.
Tripwire discovers every asset on an
organizations network and delivers highfidelity visibility and deep intelligence
about these endpoints. When combined
with business-context, this valuable
information enables immediate detection
of breach activity and identifies other
changes that can impact security risk.
Tripwire solutions also deliver actionable reports and alerts and enable the
integration of valuable endpoint intelligence into operational systems like
change management databases, ticketing
systems, patch management and security
solutions including SIEMS, malware
detection and risk and analytics. These

integrations are part of our Technology

Alliance Program and they ensure our
customers have robust, accurate information to make their organizations more
cyber-secure.
Tripwire is built on a foundation of
innovation and deep security expertise. While Tripwires founder, Gene
Kim, was a graduate student at Purdue
University, he created an initial version
of the software in 1992 and pioneered
many techniques still used in intrusion
detection.
With widespread support from corporate, education, and government security
professionals, Tripwire, Inc. was founded
in 1997 to bring these innovations to the
commercial market. In 2000, Tripwire
contributed source code to the open
source community to enable Open
Source Tripwire a tool that remains in
use today. Tripwire continues invest in
heavily in innovation and holds over 20
security innovation patents.

In 2005, Tripwire released the first

version of Tripwire Enterprise, the companys flagship product, designed to help
organizations control IT configurations,
a common attack vector used by cybercriminals to gain unauthorized access
to critical systems. In 2010 announced
the release of Tripwire Log Center, a
log and security information and event
management (SIEM) solution that correlates critical changes to configurations
and events, making it possible to rapidly identify sophisticated and targeted
cyber-attacks.
Innovation and growth continued with
the acquisition of nCircle in 2013. The
acquisition added solutions that assess
risks from vulnerabilities to complement
the companys award winning product
portfolio. Today, Tripwires integrated
portfolio of award winning security solutions includes configuration and policy
management, file integrity monitoring,
vulnerability management and log intelligence. Tripwire is the second largest
provider in the Security Vulnerability
Management market as measured by
IDC, delivering trusted cybersecurity
solutions that allow customers to have
confidence in their cybersecurity.

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based
on high-fidelity asset visibility and deep endpoint intelligence combined with business-context, and enable security automation through enterprise integration. Tripwires portfolio of enterprise-class security solutions includes configuration and
policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at tripwire.com. u
u

SECURITY NEWS, TRENDS AND INSIGHTS AT TRIPWIRE.COM/BLOG

FOLLOW US @TRIPWIREINC ON TWITTER

2014 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc.

All other product and company names are property of their respective owners. All rights reserved.

WPMTG1a 201501