Provided by SANS

About the course

Attackers are winning the battle. The frequency, number, and severity of compromises continue to grow. The enterprise IT environment has become easy to attack as the number of devices, applications, users, and data assets continue to increase. A dominating trend that compounds this issue is the mass migration of valuable assets into cloud-based services. This often puts the enterprise at an unknown or much greater level of risk.

Many enterprises are completely unaware of the growing menace they face, while others have recognized the need to improve the practices and procedures they use to perform risk and vulnerability management. Across the board, enterprises are in a more difficult position than ever when it comes to understanding the risks and vulnerabilities of the use of cloud services. Giving control of your valuable assets to a third party, losing visibility of those assets, being unable to test and verify the security and vulnerability status of those assets - as well as facing a host of other cloud-specific vulnerabilities, AKA "the treacherous twelve" threats - puts enterprises in a weakened position.

Our MGT516 course is designed to present students with an effective and comprehensive methodology commonly used to manage the risks and vulnerabilities inherent in an enterprise. Additional emphasis on vulnerability management for those using or planning on using cloud services is provided. Practical step-by-step procedures flow from one phase of the vulnerability management lifecycle to the next. We'll walk through each phase of that lifecycle so that students will be able to accurately recognize and manage the vulnerabilities all along the way.

The course is based on the Prepare, Identify, Assess, Communicate, and Treat (PIACT) Model:

• Prepare - Secure the enterprise environment and establish the framework of governance, which includes developing a defendable network and the vulnerability management process.
• Identify - Identify vulnerabilities present in the enterprise.
• Assess - Assess the severity of each vulnerability and identify cost-justified controls that could eliminate or mitigate the vulnerabilities.
• Communicate - Communicate the assessment methodology, the current security posture, the current risk/vulnerability posture, and cost-justified controls that eliminate or mitigate the vulnerabilities as a positive return-on-investment business proposal for management's purchase approval.
• Treat - Implement the approved controls, verify performance and the new state of vulnerability, maintain and monitor the controls, and detect and remediate violations and breaches.

The course first walks students through this model from the perspective of managing vulnerabilities within the enterprise IT environment, ensuring a strong understanding of each phase. We then focus squarely on the risks and vulnerabilities specific to the use of cloud services, beginning by introducing those services and then turning to justifying the business need to use them, vetting the prospective cloud service provider(s), conducting risk/vulnerability assessments, managing cloud use, preparing for the migration of assets into the cloud, implementing the migration process, maintaining assets securely and monitoring them within the cloud, and detecting violations, incidents, and breaches and responding to those loss events.

The course also walks through issues and considerations for cyber liability and data breach insurance, as well as special issues that should be considered within the cloud services agreement.

The primary objective of the course is to help enterprises improve their vision and understanding of the vulnerabilities present in their IT environments, and to develop a straightforward approach to manage those vulnerabilities, avoiding or minimizing unnecessary loss events.

A capstone lab performed on the last day of the course features a business scenario based on the enterprise and the cloud-based environment. The lab forces students to employ their newly developed skills in order to perform prudent vulnerability management of the assets. The case study is then reviewed in class.

Course Syllabus

MGT516.1: Introduction to Enterprise Vulnerability Management: Prepare and Identify Phases

Overview

Day 1 provides an introduction to the elements of risk, the relationships between those elements that produce risk, and those elements that provide indicators of the severity of each risk used to prioritize risk response. After this introduction, we walk through the Prepare, Identify, Assess, Communicate, Treat (PIACT) Model in the enterprise by examining the first two phases.

The Prepare phase describes how an enterprise establishes its framework of governance and its security program. It is within this security program that risk management and vulnerability management practices and procedures are born.

The Identify phase describes the various types of vulnerabilities an enterprise should anticipate, and the tools and techniques used to identify which vulnerabilities exist and where.

Exercises

• Data Classification and Asset Prioritization
• Vulnerability Management

CPE/CMU Credits: 6

Topics

Course Introduction

• Overview of course schedule
• Cyber leadership/management pyramid
• Why is this important? (Boardroom conversations, risk discussions)
• Why are we here?
• Why focus on vulnerability management?
  • The elements of risk
  • Risk - How is it produced?
  • Risk - How is it quantified?
  • Four elements - threat, vulnerability, likelihood, and impact
  • Ways to determine risk - qualitative versus quantitative
• Risk scoring methods
• High-level introduction to the vulnerability management process
• Introduction to PIACT

Vulnerability Management Process - Prepare

• Design and architecture considerations
• Policies and procedures
• Senior management buy-in
• Team organization and structure
  • Skills of team members
• Governance
• Partnerships needed
• Leadership skills needed
• Team management
• Legal ramifications - good and bad
• Data - know the targets
  • Know where important items are
  • Classification of data
• LAB: Data Classification and Asset Prioritization
• Metrics for tracking
• Dashboards
• Team communications
• Tracking the work
• Governance
• Regulatory requirements
• Risk tolerance of the enterprise

Vulnerability Management Process - Identify

• Types of vulnerabilities in the enterprise and their impacts on operations
• How to identify vulnerabilities
  • LAB: Vulnerability Management
• Issues/concerns/problems with identifying vulnerabilities

MGT516.2: Enterprise Vulnerability Management: Assess, Communicate, and Treat Phases

Overview

Day 2 picks up with the Assess, Communicate, and Treat phases of the PIACT Model in the enterprise. The Assess phase shows students how to recognize the severity of the various risks identified in order to prioritize the risks and establish the proper level of response to them. With an understanding of the potential loss expected from a given risk situation, appropriately cost-justified controls can be identified as the basis for the risk report and proposed countermeasures provided to senior management in the Communicate phase for approval. To improve the success of the proposals to management, students are shown how to present the information in terms that management will understand by avoiding technical jargon and speaking in terms of costs, benefits, and return on investment (ROI). The desired outcome of this phase is the approval of multiple security controls that will reduce the vulnerabilities and overall risk levels of the enterprise. With these approvals from management, the Treat phase is initiated, during which the approved controls are acquired and properly implemented.

Exercises

• Prioritizing Vulnerabilities and Identifying Asset Business Value
• Risk Exercise
• Communications Package Exercise
• Remediation and Effectiveness

CPE/CMU Credits: 6

Topics

Vulnerability Management Process - Assess

• Validating vulnerabilities (false positive, false negatives)
• How to assess criticality/prioritize vulnerabilities
• Categorizing vulnerabilities in terms of severity /risk
• How to factor in value to the business
• LAB: Prioritizing Vulnerabilities and Identifying Asset Business Value
• Alternatives to fixing the problem
• Options to deal with the vulnerabilities
• Risk revisited
• When to mitigate, transfer, avoid, or accept the risk
• LAB: Risk
• Identifying potential cost-justified controls

Vulnerability Management Process - Communicate

• Package information together for management
• Assessment methodology
• Current security posture - controls, successes
• Current state of risk/vulnerability
• Proposed controls
• LAB: Communications Package

Vulnerability Management Process - Treat

• Managing the vendors
• Remediation
• LAB: Remediation and Effectiveness
• Validation of remediation - evaluate the effectiveness of the controls
• Maintain and monitor the new controls
• Detect and remediate violations and breaches
• Tracking results

MGT516.3: Introduction to Cloud Vulnerability Management: Cloud Services, Prepare, and Identify Phases

Overview

Day 3 begins with an introduction to cloud services, describing the cloud deployment and service models, the various roles of entities in cloud services, statistics of current cloud use, and cloud services based on virtualization technology.

Day 3 then runs through a quick review of the Prepare, Identify, Assess, Communicate, Treat (PIACT) Model for cloud services, followed by cloud-specific elements of vulnerability management for the Prepare and Identify phases. The Prepare phase includes justifying the business need to migrate into the cloud, and choosing an appropriate cloud service provider (CSP). The Identify phase provides the students with a list of new and common cloud-specific vulnerabilities many enterprises have yet to recognize or deal with effectively, as well as techniques used to reveal these new cloud-specific vulnerabilities.

Exercises

• Review a Standard Cloud Services Agreement Exercise
• Developing a Cloud Use Plan - Prepare Phase
• Business Needs and CSPs Scenario - Prepare Phase
• Applying the CSA CCM and CAIQ - Prepare Phase
• Treacherous Twelve - Identify Phase
• Additional Consumer-side Vulnerabilities - Identify Phase
• Additional In-between Vulnerabilities - Identify Phase
• Additional Consumer-side Vulnerabilities - Identify Phase
• Additional Web Application Vulnerabilities - Identify Phase
• New Department Scenario - Identify Phase

CPE/CMU Credits: 6

Topics

Introduction to Cloud Services

• Characteristics
• Deployment models
• Service models
• Roles in cloud services
• Cloud statistics
• Virtualization
• LAB: Review a Standard Cloud Services Agreement
• Quiz questions for review
• Vulnerability management lifecycle - A quick review
• PIACT

Prepare for Cloud-specific Vulnerability Management

• Satisfy business needs
• Secure the internal environment
• Justify the need for cloud services
• LAB: Developing a Cloud Use Plan - Assess Phase
  • Preparing for the cloud
  • Choosing a CSP
• LAB/Discussion: Business Needs and CSP Scenario - Prepare Phase
  • Cloud management best practices
• LAB: Applying the CSA CCM and CAIQ - Prepare Phase
• Quiz questions for review

Identify - Cloud-specific Vulnerabilities

• CSA treacherous twelve
• LAB/Discussion: Treacherous Twelve - Identify Phase
  • Identifying vulnerabilities - consumer-side
• LAB/Discussion: Additional Consumer-side Vulnerabilities - Identify Phase
  • Identifying vulnerabilities between the consumer and the CSP
• LAB/Discussion: Additional In-between Vulnerabilities - Identify Phase
  • Identifying vulnerabilities - CSP side
• LAB/Discussion: Additional CSP-side Vulnerabilities - Identify Phase
  • Web application development
• LAB/Discussion: Additional Web Application Vulnerabilities - Identify Phase
• LAB/Discussion: New Department Scenario - Identify Phase
• Quiz questions for review
• Day 3 summary

MGT516.4: Managing Cloud Vulnerabilities: Assess, Communicate, and Treat Phases

Overview

Day 4 picks up with the Assess, Communicate, and Treat phases of the PIACT Model for cloud services. The Assess phase revisits the procedures used to determine the severity level of the individual cloud-specific vulnerabilities, in part by assessing the security posture of the cloud service provider (CSP) through a review of its policies, industry-recognized certifications, and industry-based best practices and recommendations. Next, the Assess phase reviews the cost-justification procedures used to determine appropriate controls to mitigate or eliminate the vulnerabilities. Two controls are singled out and reviewed and should be considered when planning to migrate assets into the cloud: cyber liability and data breach insurance, and a customized cloud services agreement. The Communicate phase once again pulls the appropriate material into a report to management using the language of business managers - little or no technical jargon and using cost/benefit/ROI statements. The Treat phase includes implementation of the approved cloud-specific vulnerability management controls, along with the verification of the performance and effectiveness of these new controls. The Treat phase also includes the careful migration of assets into the cloud and the ongoing maintenance, monitoring, and verification of the performance and effectiveness of controls looking forward. Day 4 wraps up with a summary review of the course.

Exercises

• The FAIR Approach - Assess Phase
• Consumer-side Controls - Assess Phase
• Cloud Services Agreement - Assess Phase
• Communicate Scenario - Communicate Phase
• Treat Scenario - Treat Phase

CPE/CMU Credits: 6

Topics

Assess - Cloud-specific Vulnerabilities and Cost-justified Controls

• Assessment procedure
  • LAB: The FAIR Approach - Assess Phase
• ROI formula
• Control types
• Consumer-side controls
  • Justify the need for cloud services
  • The cloud use plan
  • The cloud migration plan
  • Cloud use risk assessment
  • Secure the internal environment
  • The crypto/key management plan
  • Vetting the CSP
  • Secure web applications
  • LAB/Discussion: Consumer-side Controls - Assess Phase
  • The cloud services agreement - considerations
  • LAB/Discussion: Cloud Services Agreement - Assess Phase
  • Cyber liability and data breach insurance
• In-between controls
• CSP-side controls
• Quiz questions for review

Communicate Findings with Management

• Report/Proposal to management
• Legal counsel review
• Management decision
  • LAB/Discussion: Communicate Scenario - Communicate Phase
• Quiz questions for review

Treat - Cloud-specific Vulnerabilities and Approved Controls

• Implement approved controls
• Verify performance and effectiveness of controls - initial
• Migrate into the cloud
• Verify performance and effectiveness of controls - ongoing
  • LAB/Discussion: Treat Scenario - Treat Phase
• Quiz questions for review

Summary

• Managing security vulnerabilities: Enterprise and cloud

MGT516.5: Managing Vulnerabilities: Capstone Lab Exercise

Overview

Day 5 begins with a review of an enterprise and cloud-based scenario that triggers a case study exercise for the students. Students will work in teams and be required to work through the PIACT Model of performing vulnerability management. The instructor will roam the classroom to provide guidance as needed to keep the teams moving towards acceptable conclusions on the vulnerability management process for the case study. A review of findings and conclusions will follow, allowing each team to present and critique the solutions of the other teams. The instructor will also present a version of an acceptable vulnerability management solution as the course wrap-up.

Exercises

• Review the Enterprise-based Scenario
• Review the Cloud-based Aspects of the Scenario
• Working through the PIACT Model of Vulnerability Management for the Case Study

CPE/CMU Credits: 6

Who Should Attend

• CISOs
• Information security managers, officers, and directors
• Information security architects, analysts, and consultants
• Aspiring information security leaders
• Risk management professionals
• Business continuity and disaster recovery planners and staff members
• IT managers and auditors
• IT project managers
• IT/system administration/network administration professionals
• Operations managers
• Cloud service managers and administrators
• Cloud service security and risk managers
• Cloud service integrators, developers, and brokers
• IT security professionals managing vulnerabilities in the enterprise or cloud
• Government IT managing vulnerabilities in the enterprise or cloud (FedRAMP)
• Security or IT professionals who have team lead or management responsibilities
• Security or IT professionals using or planning to use cloud services

Prerequisites

• A basic understanding of risk management objectives and IT systems and operations is recommended.

What You Will Receive

• Student manuals containing the entire course content
• Procedures, charts, and checklists to complete vulnerability assessments
• Introduction and walkthrough of labs
• In-class quizzes as a review of recently covered material

This Course Will Prepare You To

• Implement risk and vulnerability management programs
• Establish a secure, defendable enterprise and cloud computing environment
• Build an accurate inventory of IT assets in the enterprise and cloud
• Identify existing vulnerabilities and understand the severity level of each
• Prioritize which vulnerabilities to remediate
• Identify potential controls to avoid and mitigate vulnerabilities for the enterprise and cloud
• Perform cost justification for each control to show management a positive return on investment
• Develop a risk/vulnerability report for management with cost-justified control proposals
• Implement, maintain, and monitor the new controls in the enterprise and cloud
• Develop a framework for continuous improvement