When we started establishing our Threat and Vulnerability Management (TVM) Program in 2010, we knew where we were heading. Although driven primarily to satisfy a regulatory requirement -- PCI DSS -- this was something we had been talking about for a long time as a good security practice. Scanning 80,000 IP addresses across a flat network was a big undertaking. While we knew we would be getting reams of data back from the scans, we underestimated the compelling story the data would tell.
The first year saw the program mature from a set of scans with output to a program defined by processes, specifications and reporting, not just for existing devices, but also for the new devices that are part of normal growth. An application here, a couple of firewalls there, all requiring a scan before being promoted into production to ensure they're deployed in a secure manner. Now in the second year of the program, we are starting to perform further analysis on the data we're getting back from our scans. It's a lot of data, but we are starting to pull out nuggets we hadn't expected when we created the vulnerability management program.
One of the most important parts of any security program is patching. Most organizations spend a lot of effort ensuring the server infrastructure is patched in a timely manner. Desktop OS patches also get a lot of attention, as do the most common desktop applications. What doesn't get a lot of attention, from a patching perspective, are all the other applications that make up your business users' requirements (e.g. Adobe products, Java, developer tools, productivity tools) that may or may not be centrally supported. The TVM Program is starting to fill this gap. The scan reports tell us not only about OS problems, but also about problems with installed applications on the desktop/server infrastructure. These reports, when presented, not only get all the ancillary applications patched, but also help get the complete application picture included in the overall patch management processes. We now have a full view of the additional software users put on their machines, which gives us a clearer picture of the attack surface and threat profile of the systems on the network.
About Brian Wishnousky
TITLE: Senior Manager, Threat and Vulnerability Management
COMPANY: Rogers Communications
- Led the creation of the Threat and Vulnerability Management program at Rogers Communications. He is responsible for the TVM Program, which encompasses roughly 75,000 internal and 2,000 external IP addresses.
- Instrumental in the creation of security standards and policies at Rogers, contributing to a vastly improved security posture for the corporate network.
- Leads the security vendor management process for the Information Security Office at Rogers.
As part of the TVM Program, we do a monthly mapping exercise to keep track of what we are scanning. It's amazing to see the numbers change month to month. It's also interesting to compare the number of devices on the network with the number of "supported" devices that are in our company's asset database. When we started the program, we knew we would be contributing to the asset database, simply because we would be getting a very clear picture of what should be there. What we did not expect was having a large number of "rogue" systems for which we could find no owner and, in some cases, no one acknowledging the existence of that device.
Some of these unknowns are consumer devices (iPhones, iPads, Androids and BlackBerrys), but some are business computing devices (servers/workstations) or network devices (switches, home routers with Wi-Fi) that people put on the network to "make their jobs easier." It's nice to see people trying to be more efficient, but it makes our job more difficult. A lot of these rogue devices are not properly patched, do not have basic security software, and are not hardened against attack, which could turn them into launch pads for attacks on the rest of the network. We can't change the way people think overnight, but by having the data reported regularly with the scans, the risk posed by these devices can now be rated and dealt with as appropriate. It's one thing to know you have these devices, but quite another to see them and to have the risk identified and quantified.
Another beneficial off-shoot of the TVM Program is identifying problems with the asset database. While every attempt is made to keep the database updated, things get missed, updates don't happen due to job changes and often, errors are made. The TVM Program cannot fix these errors, but again, it does a good job of identifying errors in the data – such as incorrect IP address, location or owner information -- and in some instances, can provide updated information for the database. This is a harder problem than it appears, because the TVM Program depends on the asset database for a lot of the information regarding to whom to send reports. Without that owner information, scanning, patching and asset lifecycle management will eventually come to a screeching halt, so we try to be proactive in making sure the database is updated properly.
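The monthly mapping and asset-database reconciliation described above can be reduced to a small script: take what the scanner saw, compare it against what the asset database says should be there, bucket each host (known, rogue with no record, recorded but unowned, recorded with a location that disagrees with the subnet it answered from, or stale and no longer answering), rate the risk of anything unmanaged one level worse because nobody is patching it, and route each bucket to an owner or, where there is none, to a triage queue. The example below is added here to illustrate that workflow; it is not the Rogers TVM tooling. The scan export, the asset rows, the subnet-to-site table and the triage mailbox are all constructed for the example, and the severity bands are a simple CVSS-style cut-off chosen for illustration.

```python
"""Reconcile a monthly vulnerability-scan inventory against an asset database.

Added example; all data below is constructed and the thresholds are illustrative.
"""
import ipaddress
from collections import defaultdict
from typing import Optional

# Constructed scanner export: each host discovered this month, the scanner's
# OS/device fingerprint, and the worst finding on it as a CVSS base score.
SCAN_EXPORT = [
    {"ip": "10.1.0.10", "fingerprint": "Windows Server 2008", "max_cvss": 7.5},
    {"ip": "10.1.0.11", "fingerprint": "Linux 2.6", "max_cvss": 4.3},
    {"ip": "10.1.5.77", "fingerprint": "Linksys WRT54G", "max_cvss": 10.0},  # home router
    {"ip": "10.1.6.42", "fingerprint": "Apple iOS", "max_cvss": 5.0},        # phone
    {"ip": "10.1.0.12", "fingerprint": "Windows 7", "max_cvss": 9.3},
]

# Constructed asset-database rows: what the organisation believes is on the network.
ASSET_DB = [
    {"ip": "10.1.0.10", "hostname": "web01", "owner": "web-team@example.com", "location": "DC-A"},
    {"ip": "10.1.0.11", "hostname": "db01", "owner": "", "location": "DC-A"},           # owner lost after a job change
    {"ip": "10.1.0.12", "hostname": "ws-0042", "owner": "helpdesk@example.com", "location": "HQ-3F"},  # moved, record not updated
    {"ip": "10.1.9.9", "hostname": "old-ftp", "owner": "ops@example.com", "location": "DC-B"},       # decommissioned, never removed
]

# Constructed subnet-to-site table used to sanity-check the "location" column.
SUBNET_SITES = {"10.1.0.0/24": "DC-A", "10.1.5.0/24": "HQ-3F", "10.1.6.0/24": "HQ-3F", "10.1.9.0/24": "DC-B"}

TRIAGE_QUEUE = "tvm-triage@example.com"  # hypothetical mailbox for findings with no owner

# Illustrative severity bands over the CVSS base score, highest first.
SEVERITY = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
LEVELS = ["low", "medium", "high", "critical"]


def site_for(ip: str) -> Optional[str]:
    """Return the site a scanned address belongs to, from the subnet it answered in."""
    addr = ipaddress.ip_address(ip)
    for cidr, site in SUBNET_SITES.items():
        if addr in ipaddress.ip_network(cidr):
            return site
    return None


def rate(max_cvss: float, unmanaged: bool) -> str:
    """Map the worst finding to a level; unmanaged hosts get bumped one level up."""
    level = next(name for floor, name in SEVERITY if max_cvss >= floor)
    if unmanaged:  # nobody patches or hardens it, so treat the same score as worse
        level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return level


def reconcile(scan, assets):
    """Bucket scanned hosts against asset records and flag records the scan no longer sees."""
    by_ip = {row["ip"]: row for row in assets}
    seen = set()
    result = {"known": [], "rogue": [], "unowned": [], "location_mismatch": [], "stale": []}
    for host in scan:
        seen.add(host["ip"])
        row = by_ip.get(host["ip"])
        if row is None:  # answered the scan but nobody registered it
            result["rogue"].append({**host, "risk": rate(host["max_cvss"], unmanaged=True)})
            continue
        entry = {**host, **row, "risk": rate(host["max_cvss"], unmanaged=not row["owner"])}
        if not row["owner"]:
            result["unowned"].append(entry)
        elif site_for(host["ip"]) != row["location"]:
            result["location_mismatch"].append(entry)
        else:
            result["known"].append(entry)
    result["stale"] = [row for ip, row in by_ip.items() if ip not in seen]
    return result


def route_reports(rec):
    """Group findings by the owner who should receive them; unowned work goes to triage."""
    reports = defaultdict(list)
    for bucket in ("known", "location_mismatch", "unowned"):
        for e in rec[bucket]:
            tag = "" if bucket == "known" else f" [{bucket}]"
            reports[e["owner"] or TRIAGE_QUEUE].append(f"{e['ip']} ({e['hostname']}) risk={e['risk']}{tag}")
    for e in rec["rogue"]:
        reports[TRIAGE_QUEUE].append(f"{e['ip']} ({e['fingerprint']}) risk={e['risk']} [rogue]")
    for row in rec["stale"]:
        reports[row["owner"] or TRIAGE_QUEUE].append(f"{row['ip']} ({row['hostname']}) not seen this month [stale]")
    return dict(reports)


if __name__ == "__main__":
    for owner, lines in route_reports(reconcile(SCAN_EXPORT, ASSET_DB)).items():
        print(owner)
        for line in lines:
            print("  " + line)
```

Two design points are worth noting. The location check is only as good as the subnet-to-site table, so a mismatch is a prompt for a human to look, not proof the database is wrong; and the stale bucket is deliberately reported back to the recorded owner rather than silently dropped, because a record that stops answering is exactly the kind of lifecycle event the article says the database tends to miss.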
I am sure as we move into the third year of the program and beyond, we will find more ways of using the new information we are creating and will reap additional benefits from our TVM Program.
The Security 7 Awards recognize the efforts, achievements and contributions of practitioners in the financial services/banking, telecommunications, manufacturing, retail, government/public sector/non-profit, education and health care/pharmaceutical industries.