Building and Leading Vulnerability Management Programs

Vulnerability, patch, and configuration management are not new enterprise security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage security vulnerability capabilities effectively. The quantity of outstanding vulnerabilities for most enterprise organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new security vulnerabilities in their infrastructure and applications. When you add in the cloud, and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, enterprise security may seem unachievable. This vulnerability management training course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them.

Skills Gained

• Steps to create, implement, or mature your vulnerability management program and receive buy-in from your stakeholders
• Techniques for building and maintaining an accurate and useful inventory of IT assets in the enterprise and the cloud
• What identification processes and technologies are effective across both infrastructure and applications and how to configure them appropriately
• Which common false positives or false negatives to be aware of in your identification arsenal
• How to prioritize unblocked vulnerabilities for treatment based on a variety of techniques
• Effectively report and communicate vulnerability data within your organization
• Ability to identify and report on the risk associated with vulnerabilities that are blocked and cannot currently be prioritized for remediation
• A better understanding of modern treatment capabilities and how to better engage with treatment teams
• Talent for making vulnerability management more fun and engaging for all those involved
• Differentiating how to deal with application layer vulnerabilities versus infrastructure vulnerabilities
• An understanding of how our strategies and techniques might change as we move to the cloud, implement private cloud, or roll out DevOps within our organizations

Course Content:

Module1:  Vulnerability Management Design and Planning

Overview

This section looks at why vulnerability management is important and introduces the course. We then provide an overview of the cloud and how different cloud service types and architectures can impact managing vulnerabilities. Finally, well dig into why asset management is so important and foundational for effective vulnerability management, and the different ways that gaining additional context can help us succeed.

Exercises

• Moving to the Cloud: Scenario-based lab about the impact of moving to the cloud on an organizations vulnerability management program
• Critical Attributes: Scenario-based lab on how to identify critical contextual attributes that need to exist within our asset management database or be tracked in some other way to prioritize and manage vulnerabilities more effectively
• Leveraging Asset Context
  • Hands-on lab leveraging a spreadsheet that contains both vulnerability and asset data sets to answer questions about the vulnerability of data and the quality of the asset data
  • Demonstration of how asset details and context and be used to help analyze vulnerability data performed in Domo, a SaaS Business Intelligence platform and Azure Data Explorer
• Cyber42 Game
  • Game introduction and practice event
  • Initiative selection for Round 1
  • Three Round 1 events

Topics

• Course Overview
• Cloud and Cloud Vulnerability Management
• Asset Management
  • Overview
  • Importance of context
  • Attributes and inline context
  • Cloud asset management

Module2:Vulnerability Identification

Overview

Identifying vulnerabilities continues to be a major focus for our security programs, as it can provide insight into the current risks to our organization. It also provides the data for our analysis and for the measures and metrics we use to guide the program and track our maturity. This section looks at common identification pitfalls and discuss identification architecture and design across both infrastructure and applications. Well also look at where we might require permission to perform identification and how we safely grant permission to third parties to test our systems and applications and responsibly disclose any findings.

Exercises

• Scanning: Scenario-based lab to better understand and identify the types of scanning that are most effective for different asset types
• Scan Validation: Scenario-based lab to better understand and identify the reasons why certain vulnerabilities are showing up in infrastructure scans even though they seem invalid or out of place
• Pipeline Integration Demo
  • Demo of how to leverage GitHub Actions to integrate SAST and SCA into an automated pipeline
• Cyber42 Game
  • One Round 1 event
  • Initiative selection for Round 2
  • Two Round 2 events

Topics

Identification

• Challenges
• Tools, architecture, and design
• Cloud identification
• Permission
• Validating scan results
• Scanner configuration
• Application vulnerabilities
• Proactive Identification
• Bug bounty programs

Module3:  Vulnerability Analysis, Metrics, and Communication

Overview

Gone are the days when we can just scan for vulnerabilities and send the raw output to our teams for remediation. We need to help reduce the burden by analyzing the output to reduce inaccuracies and identify root-cause issues that may be preventing remediation. Once we have identified the issues that cannot be resolved, we should prioritize the rest to ensure that we are having the greatest impact and provide targeted reports or dashboards to system and platform owners. This section will look at some common inaccuracies in the output of our identification processes, discuss prioritization, and then look at what metrics are commonly used to measure our program and the related operational capabilities. We will also discuss how to generate meaningful reports, communication strategies, and the different types of meetings that should be held to increase collaboration and participation.

Exercises

• Contextual Prioritization: Critical thinking lab around how we leverage different contextual attributes to help us prioritize our vulnerability data sets
• Solution Groups and Types: Demo of to apply solution groups or remediation actions to vulnerability data sets and leverage the groupings for analysis and reporting performed in ServiceNow.
• Cyber42 Game
  • Two Round 2 events
  • Initiative selection for Round 3
  • One Round 3 event

Topics

• Analyze
  • Simple Threat Contextual Information
  • Asset-based Contextual Information
  • Advanced Threat Contextual Information
  • Solution Groups
  • Exclusion Groups & Risk
• Communicate
  • Metrics
  • Reporting
  • Communication Strategy
  • Vulnerability Management Meetings

Module4: Driving Remediation and Automation

• Overview

  Treating vulnerabilities and reducing risk is the ultimate goal of all we do in vulnerability management. It is important for all participants to understand the typical processes and technologies that exist and how to leverage them to increase positive change within the organization. Most organizations will have some form of change, patch, and configuration management programs. This course section will look at how we interface with these processes to streamline change and increase consistency. Well also examine some unique challenges we face in the cloud, how to better deal with application vulnerabilities, and some alternatives we can look to when traditional treatment methods are not available.

  Exercises

  • Changing Culture: Discussion and thought-based lab about what organizational cultures are most or least conducive to vulnerability management and how to go about changing or influencing culture
  • Gold Image Pipeline: Demo of Gold Image Pipeline to update and securely configure an AWS EC2 Instance using Packer, Ansible, and InSpec
  • Remediation Effectiveness: Scenario-based lab to better understand and identify how to gauge the effectiveness of the treatment options selected for various vulnerabilities after implementation and over time
  • Cyber42 Game
    • Three Round 3 events
    • Initiative selection for Round 4

  Topics

  Treatment

  • Change management
  • Patch management
  • Configuration management
  • Cloud management
  • Application management
  • Alternative treatment
  • Other treatment considerations

Module5: Collaboration and Continuous Improvement

Overview

Vulnerability management is not the easiest job in an organization, and many challenges can hold us back. From split responsibility and accountability to reliance on shared personnel, much of the work done in this space goes unrecognized. This section will summarize much of what we have learned and discussed throughout the week and look at how we can use this information to improve the program. Well discuss how we can make VM more fun and successful within the organization, identify and collaborate more effectively with various stakeholders, and build out and mature a robust vulnerability management program.

Exercises

• Vulnerability Management Buy-In: Scenario-based lab to better identify important stakeholders and get or improve buy-in for the program
• Cyber42 Game
  • Five Round 4 events
  • Final scoring and wrap-up

Topics

• Buy-In
• Making VM fun
• Common Problems
• Stakeholder Identification
• Collaboration
• Creating a Vulnerability Management Program
• Selecting the Right Tools
• Advancing the Program

 Course Prerequisites