
Tenable Blog


Master Your Security Foundation: CIS Vulnerability Management Controls

Most of us are likely very familiar with vulnerability management. Unfortunately, familiarity with vulnerability management doesn’t necessarily equate to mastery. According to a survey sponsored by Tenable and the Center for Internet Security (CIS) in late 2016, about half of the surveyed organizations need to significantly improve their vulnerability management practice. The following data tell the story:

  • Only 56% use automated tools to perform any type of vulnerability scanning.
  • Only 51% use automated tools to scan all network systems for vulnerabilities on at least a weekly basis.
  • Only 36% verify that important vulnerabilities with available patches were addressed within two weeks.

Note: The CIS Controls were formerly known as the Center for Internet Security Critical Security Controls (CSC).

The fourth of the five CIS Controls (CSC), Continuous Vulnerability Assessment and Remediation, is described as:

continuously acquiring, assessing and taking action on new information in order to identify vulnerabilities, remediate and minimize the window of opportunity for hackers.

CSC 4 includes eight sub-controls that will help you improve your vulnerability management program. Here is an overview of several sub-controls.

Run automated vulnerability scans against all systems at least weekly and deliver a prioritized vulnerability list to system administrators (see CIS Control 4.1). As the survey data above show, only about half of organizations scan all systems weekly. If yours is not yet scanning weekly, it may be relatively easy for your security team to begin scanning more frequently. However, if you don’t significantly pare down your list of vulnerabilities to those that are most important, you can easily bury your IT operations colleagues and deter them from taking action on your vulnerability reports. As an example, you can pare down your list by including only critical and high vulnerabilities that have an exploit available.

Perform vulnerability scanning in authenticated mode or with agents (see CIS Control 4.3). External, non-authenticated scanning only provides a surface picture. You need to assess your systems from the inside out to identify OS and application/service vulnerabilities.

Subscribe to vulnerability intelligence services (see CIS Control 4.4). First, you need to ensure that your vulnerability scanning tool is regularly updated with all relevant important vulnerabilities. Second, if one is available, you should join an industry-specific threat intelligence service to identify the threats that target organizations like yours. This intelligence should help you identify vulnerabilities that require prompt remediation.

Deploy automated patch management tools (see CIS Control 4.5). Realistically, automation is the only way to remediate the majority of high-priority vulnerabilities. This certainly applies to servers and desktops running popular operating systems and popular applications. You may need to apply manual patches or implement compensating controls for some systems, but this should be the exception.

Verify that vulnerabilities were addressed (see CIS Control 4.7). It is not enough to throw a prioritized vulnerability list over the wall to your operations colleagues. You need to work with them to measure the results using a closed-loop vulnerability management process. Jointly develop reasonable goals to establish some quick wins and measure progress over time as you continuously improve.

Establish a process to risk-rate vulnerabilities (see CIS Control 4.8). This sub-control is an expansion of CSC 4.1, which includes basic prioritization. Here, the recommendation is to incorporate risk-based prioritization with the addition of knowledge about the assets you need to protect. Identify the assets with the lowest risk tolerance and remediate those first. You may also want to scan these assets more frequently.
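The prioritization (Control 4.1), verification (Control 4.7) and risk-rating (Control 4.8) steps described above, as an added example that is not Tenable's or CIS's code. It runs over a small set of constructed scan findings; the host names, the `ASSET_RISK_TOLERANCE` ranking, the `Finding` fields and the two-week SLA (taken from the survey item above) are all assumptions made for this illustration, not output of any real scanner.

```python
"""Toy closed-loop prioritization over scan findings (added example, not Tenable code).

  * CIS 4.1 - keep only critical/high findings that have an exploit available
  * CIS 4.7 - measure whether findings with an available patch were fixed within two weeks
  * CIS 4.8 - rank by asset risk tolerance so the least tolerant assets come first
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_SLA = timedelta(days=14)   # "within two weeks" from the survey figures above
TODAY = date(2017, 6, 15)        # constructed reference date for the sample run


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str                     # constructed check identifier
    severity: str                   # "critical" | "high" | "medium" | "low"
    exploit_available: bool
    patch_published: Optional[date] # None when no vendor fix exists yet
    remediated_on: Optional[date]   # None while the finding is still open


# Assumed asset risk tolerance: lower value = less tolerance = remediate first (CIS 4.8).
ASSET_RISK_TOLERANCE = {"db-prod-01": 0, "web-prod-02": 1, "build-srv-03": 2, "lab-vm-09": 3}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings (not real scan data).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("db-prod-01",   "chk-1001", "critical", True,  date(2017, 5, 1),  None),
    Finding("web-prod-02",  "chk-1002", "high",     True,  date(2017, 6, 10), None),
    Finding("web-prod-02",  "chk-1003", "critical", False, date(2017, 4, 1),  None),
    Finding("lab-vm-09",    "chk-1004", "critical", True,  date(2017, 3, 1),  None),
    Finding("build-srv-03", "chk-1005", "medium",   True,  None,              None),
    Finding("web-prod-02",  "chk-1006", "critical", True,  date(2017, 5, 10), date(2017, 5, 20)),
    Finding("build-srv-03", "chk-1007", "high",     True,  date(2017, 4, 15), date(2017, 6, 1)),
]


def actionable(f: Finding) -> bool:
    """CIS 4.1 filter: critical or high severity with a public exploit available."""
    return f.severity in ("critical", "high") and f.exploit_available


def patch_age_days(f: Finding, today: date) -> int:
    """Days the vendor fix has been available; 0 when there is no fix yet."""
    return (today - f.patch_published).days if f.patch_published else 0


def sla_elapsed(f: Finding, today: date) -> bool:
    """The remediation window has closed: the patch has been public for more than PATCH_SLA."""
    return f.patch_published is not None and today - f.patch_published > PATCH_SLA


def fixed_within_sla(f: Finding) -> bool:
    """Closed, and closed no later than PATCH_SLA after the patch was published."""
    return (f.remediated_on is not None and f.patch_published is not None
            and f.remediated_on - f.patch_published <= PATCH_SLA)


def rank_key(f: Finding, today: date):
    """Sort order: least tolerant asset first, then severity, then oldest available patch."""
    return (ASSET_RISK_TOLERANCE.get(f.host, 99), SEVERITY_RANK[f.severity], -patch_age_days(f, today))


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """The pared-down, risk-rated list handed to system administrators (CIS 4.1 + 4.8)."""
    still_open = [f for f in findings if f.remediated_on is None and actionable(f)]
    return sorted(still_open, key=lambda f: rank_key(f, today))


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open actionable findings whose patch has been available longer than the SLA."""
    return [f for f in prioritize(findings, today) if sla_elapsed(f, today)]


def sla_compliance(findings: List[Finding], today: date) -> Optional[float]:
    """CIS 4.7 metric: share of actionable findings, whose SLA clock has run out,
    that were actually fixed within the SLA. None when nothing is measurable yet."""
    measured = [f for f in findings if actionable(f) and sla_elapsed(f, today)]
    if not measured:
        return None
    return sum(fixed_within_sla(f) for f in measured) / len(measured)


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f"{f.host:14} {f.plugin} {f.severity:8} patch age {patch_age_days(f, TODAY):>3}d")
    print("overdue:", [f.plugin for f in overdue(SAMPLE_FINDINGS, TODAY)])
    print("SLA compliance:", sla_compliance(SAMPLE_FINDINGS, TODAY))
```

On the sample data the report hands operations three open items rather than seven, the production database host leads the list even though the lab VM carries an older patch, and the compliance figure is what you would track month over month in the closed-loop meetings described under Control 4.7.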


Tenable can help

It should not be surprising that Tenable knows vulnerability management. However, you may not know that we have tailored a SecurityCenter Continuous View® dashboard and an Assurance Report Card® specifically for CIS Control 4. Both are templates that you can readily adapt to your specific requirements.

CIS CSC: Vulnerability Management (CSC 4) dashboard

The CIS Vulnerability Management dashboard provides a clear picture of your vulnerability management status

The Track Mitigation Progress component in the upper left of the CIS CSC: Vulnerability Management (CSC 4) dashboard is especially useful. You can scope it to specific assets to track the mitigation status of the top exploitable hosts based on vulnerability criticality, exploitability and how long a patch has been available.

Track Mitigation Progress component

You can use the CIS CSC Vulnerability Management Assurance Report Card during monthly meetings with IT operations staff to jointly manage a closed-loop vulnerability management process. As your program matures, you can increase the thresholds to drive additional improvement.

CIS CSC Vulnerability Management Assurance Report Card

The CIS CSC: Vulnerability Management ARC helps you communicate status to IT leadership

Learn more

During an upcoming Tenable webinar on June 28, Brian Ventura, a SANS Community Instructor, will dive into the details of each of the sub-controls and show you how Tenable supports CIS Control 4. We will also reserve time for questions and answers.

Even if you can’t attend, please register so we can send you a link to the recorded webinar to watch at your convenience.

Watch for my final blog in this series on Foundational Cyber Hygiene controls; CIS Control 5 is all about controlled use of administrative privileges.
