One of the more challenging aspects of cybersecurity is that the job is never done. New vulnerabilities, exploits, malware, and attacks are launched and discovered on a daily basis. According to Panda Security, an average of over 200,000 new malware samples are captured every day. With this continuous onslaught of new attacks coming every day, the security that defends an organization needs to be just as adaptable. In order to complete that mission, both the security technology that has been deployed and the professionals that deploy and operate it must be continually updating their ability to provide a robust security defense. Maintaining a current understanding of the cybersecurity world usually requires a significant investment of time, energy, and resources.
To make a difficult task even harder, adversaries usually have access to the same information defenders do. Once a new vulnerability has been publicly released, both defenders and adversaries begin a race to see who can reach the finish line first. Adversaries are looking for ways to turn vulnerabilities into exploits, and defenders are looking for ways to mitigate or eliminate the vulnerability from their environment.
This continual game of cat and mouse is the reason behind the CSC 4 control. In CSC 4, organizations need to continually acquire, assess, and act upon new information to identify and remediate vulnerabilities and minimize the opportunity of attack to adversaries. With the massive amount of new information that comes out daily in the cybersecurity world, it would be an impossible task for a cybersecurity professional to be able to keep up with it all. That is now the job of technology, and the responsibility of the cybersecurity defenders is to deploy and administer that technology appropriately.
The CSC4 sub-controls help to provide logic and order on how to employ this control. They are:
Sub-Control 4.1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk.
Sub-Control 4.2 Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.
Sub-Control 4.3 Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.
Sub-Control 4.4 Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization’s vulnerability scanning activities on at least a monthly basis.
Sub-Control 4.5 Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.
Sub-Control 4.6 Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.
Sub-Control 4.7 Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk.
Sub-Control 4.8 Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets. Apply patches for the riskiest vulnerabilities first.
Most of the sub-controls in CSC 4 do not relate specifically to the deployment of new technology, but more on the processes that are related to the proper administration of the tools. Ensuring that scanning tools are kept current with the latest vulnerability data, that scans are run on a consistent and regular basis, and that the reports are actually reviewed and acted upon are all equally, if not more, important than the tools that are in place. With that said, there are solutions on the market that can be used to meet the recommendations of the CSC4 sub-controls.
One of the more widely known vulnerability scanning tools on the market today is Tenable Nessus. The Nessus product line has been around for several years and is used today by millions of organizations. It is capable of scanning web applications, cloud environments, mobile devices, embedded devices, and a whole host of other environments. The Nessus scanning engine is kept current on new vulnerabilities through plug-ins. Within 24 hours of a new vulnerability becoming public, Tenable updates their customer base with a new plug-in. Since vulnerabilities are detected every day, Tenable’s customers receive daily plug-ins.
Another well-known vendor, SolarWinds, also offers a set of solutions that fill the technology needs of the CSC4 control. With a continually growing suite of network monitoring tools, SolarWinds Orion is often used as a single platform to fulfill several of IT’s scanning and monitoring needs. Specific to CSC 4, however, SolarWinds has a couple of solutions that can be integrated into the Orion suite. The first of these is the Network Configuration Manager (NCM). While primarily used to provide a backup service for network devices, it has a couple of key features that lend itself to the CSC 4 sub-controls. NCM can scan router and switch configurations and evaluate them based on compliance and regulatory standards and identify anything out of compliance. NCM provides the ability to specify which policy-mandated controls that need to be configured will automatically audit device configurations for compliance. NCM can even create remediation scripts, which can be automatically or manually execute to bring out-of-compliance devices back into compliance.
SolarWinds Patch Manager provides the functionality detailed in sub-control 4.5. Patch Manager automates the patch management process to proactively address any known software vulnerabilities. Through protocols, such as Microsoft Windows Server Update Service (WSUS) and System Center Configuration Manager (SCCM), Patch Manager can deploy Microsoft patches and updates for third-party applications. Leveraging patch management automation can often be an effective way to keep operating systems and applications up to date and minimize software vulnerabilities in an environment.
As with any security implementation, there are several solutions on the market that can assist with many of the tasks contained in the CSC4 sub-controls. While there is no single solution that is right for every organization, a thorough evaluation of the organization’s environment, goals, and objectives can help determine which solutions are right for them.
ePlus provides assessments that help gauge the effectiveness of your current security program, and help you better protect your organization. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. For more information about how you can implement the recommendations of the CSC4 sub-controls, visit www.cisecurity.org/controls/ or contact us at firstname.lastname@example.org. You can also contact your ePlus Account Executive directly.