When it comes to cybersecurity, vulnerability management is one of the older technologies that still play a critical role in securing our assets. It is often overlooked, disregarded, or considered only for checkbox compliance needs, but a proper vulnerability management program can play a critical role in avoiding a series data breach. CIS Control 07 provides the minimum requirements, table stakes if you will, for establishing a successful vulnerability management program.
Key Takeaways for Control 7
At the core of CIS Control 7 is a reliance on known standards; terms from organizations like NIST and MITRE, that those of us in the cybersecurity space have heard for years. CVE, CVSS, OVAL, SCAP, and more are keywords that can be found throughout this document. While those terms frequent this document, it is important to note that they are not the be-all and end-all of a vulnerability management program. The controls document notes that some systems, like CVSS, must be augmented by additional data. This is an important note to consider when planning continuous vulnerability management.
The biggest takeaway from Control 7 is that if a vulnerability is patched, it cannot be exploited. This is why the process is critical and becomes a continuous cycle:
- Discover vulnerabilities
- Prioritize vulnerabilities
- Resolve vulnerabilities
This control also serves as a great reminder for what vulnerability management is not. It should not be a reactionary process for 0-day vulnerabilities. You have other controls to help you mitigate that. Instead, this control is focused on reducing the known risk in your environment, something that many organizations often forget.
Safeguards for Control 7
Establish and Maintain a Vulnerability Management Process
Description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Notes: The security function associated with this safeguard is Protect. This process should detail the process from start to finish with important consideration being given to the concept of a cyclical process. Vulnerability Management is not a one-and-done process nor is it a set it and forget it process. Much like a body builder visits the gym daily, this is about sets and reps and finding the correct mix that provides results for you.
2. Establish and Maintain a Remediation Process
Description: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Notes: The security function associated with this safeguard is Respond. The remediation process is a subset of your vulnerability management process, with a focus on how you will actually fix the vulnerabilities that are discovered. This is where it is critical to develop a prioritization system that works for your organization and considers all external data that could influence organizations risk.
3. Perform Automated Operating System Patch Management
Description: Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Notes: The security function associated with this safeguard is Protect. It is important that the controls call out patch management as a subset of vulnerability management. Often, these processes are considered one and the same, but they are not. Patch management is about the deployment of patches, which may or may not resolve vulnerabilities, vulnerability management is about ultimately resolving those vulnerabilities and reducing your overall risk. Security patches often require post-patch configuration, something that patch management software often neglects to include and your continuous vulnerability management program will identify those missed configurations.
4. Perform Automated Application Patch Management
Description: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Notes: The security function associated with this safeguard is Protect. This should be considered identical to Safeguard 3 with the added consideration that the attack surface provided by your applications is often far more extensive than your OS attack surface due to the sheer number of applications installed on some systems.
5. Perform Automated Vulnerability Scans of Internal Enterprise Assets
Description: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Notes: The security function associated with this safeguard is Identify. This is one of the controls where CIS veers the wrong way. While standards are good, SCAP-compliant does not indicate the value of a scanning tool, simply the adherence to specific standards. When considering a tool for scanning, consider depth and breadth of coverage along with both false positive and false negative rates. Additionally, understand the frequency with which updates to the tool’s coverage are released.
6. Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Description: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Notes: The security function associated with this safeguard is Identify. A good general rule to reduce complexity and ensure adoption is to use the same tool for scanning your internal and externally-exposed assets.
7. Remediate Detected Vulnerabilities
Description: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Notes: The security function associated with this safeguard is Respond. Remediation is a key aspect of the process. Remediation is ultimately what reduces your risk, either by way of patching or another means. If you are missing the remediation step or failing to properly prioritize your results, you put your entire system at risk. The continuous vulnerability management process can easily become a house of cards and staying on top of remediation can add stability to that fragile structure.
Read more about the 18 CIS Controls here:
CIS Control 7: Continuous Vulnerability Management