Tenable Blog

Master Your Security Foundation: CIS Vulnerability Management Controls

Most of us are likely very familiar with vulnerability management. Unfortunately, familiarity with vulnerability management doesn’t necessarily equate to mastery. According to a survey sponsored by Tenable and the Center for Internet Security (CIS) in late 2016, about half of the surveyed organizations need to significantly improve their vulnerability management practice. The following data tell the story:

  • Only 56% use automated tools to perform any type of vulnerability scanning.
  • Only 51% use automated tools to scan all network systems for vulnerabilities on at least a weekly basis.
  • Only 36% verify that important vulnerabilities with available patches were addressed within two weeks.

Note: The CIS Controls were formerly known as the Center for Internet Security Critical Security Controls (CSC).

The fourth of the five Foundational Cyber Hygiene controls in the CIS Controls, CSC 4, Continuous Vulnerability Assessment and Remediation, is described as:

continuously acquiring, assessing and taking action on new information in order to identify vulnerabilities, remediate and minimize the window of opportunity for hackers.

CSC 4 includes eight sub-controls that will help you improve your vulnerability management program. Here is an overview of several sub-controls.

Run automated vulnerability scans against all systems at least weekly and deliver a prioritized vulnerability list to system administrators (see CIS Control 4.1). As the survey data above show, only about half of organizations scan all systems weekly. If yours does not, increasing scan frequency is usually the easy part for the security team. The hard part is prioritization: if you don’t significantly pare down the list to the vulnerabilities that matter most, you will bury your IT operations colleagues in findings and deter them from acting on your reports at all. One practical cut is to include only critical and high vulnerabilities for which an exploit is publicly available.

Perform vulnerability scanning in authenticated mode or with agents (see CIS Control 4.3). External, unauthenticated scanning only provides a surface picture: it sees listening services and banners, not the missing OS patches, installed software versions and local configuration behind them. You need to assess your systems from the inside out, with credentials or an agent, to identify OS and application/service vulnerabilities. Use a dedicated, least-privilege scanning account for credentialed scans rather than a shared administrative one, so that the scanner itself does not become a way to spread privileged credentials across the network.

Subscribe to vulnerability intelligence services (see CIS Control 4.4). First, you need to ensure that your vulnerability scanning tool is regularly updated with all relevant important vulnerabilities. Second, if one is available, you should join an industry-specific threat intelligence service to identify the threats that target organizations like yours. This intelligence should help you identify vulnerabilities that require prompt remediation.

Deploy automated patch management tools (see CIS Control 4.5). Realistically, automation is the only way to remediate the majority of high-priority vulnerabilities. This certainly applies to servers and desktops running popular operating systems and popular applications. You may need to apply manual patches or implement compensating controls for some systems, but this should be the exception.

Verify that vulnerabilities were addressed (see CIS Control 4.7). It is not enough to throw a prioritized vulnerability list over the wall to your operations colleagues. You need to work with them to measure the results using a closed-loop vulnerability management process. Jointly develop reasonable goals to establish some quick wins and measure progress over time as you continuously improve.

Establish a process to risk-rate vulnerabilities (see CIS Control 4.8). This sub-control is an expansion of CSC 4.1, which includes basic prioritization. Here, the recommendation is to incorporate risk-based prioritization with the addition of knowledge about the assets you need to protect. Identify the assets with the lowest risk tolerance and remediate those first. You may also want to scan these assets more frequently.
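The three sub-controls that turn scan output into action (4.1 prioritized list, 4.7 verification, 4.8 risk rating) are easier to see together in code. The following is an added example, not Tenable code and not a CIS-specified formula: it rates constructed scan findings by severity, exploit availability, how long a patch has been available and asset criticality, builds the pared-down list for sysadmins, and checks remediation against a 14-day window (the same window the survey question used). Host names, plugin IDs, dates, criticality values and the weights in risk_score are all assumptions chosen for illustration.

```python
"""Prioritize scanner findings and verify remediation against an SLA.

Added example for CIS Control 4 (4.1, 4.7, 4.8); it is not Tenable code.
All hosts, plugin IDs, dates and criticality values below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Asset criticality, 1 (highest risk tolerance) .. 4 (lowest). Constructed;
# in practice this comes from a CMDB or the scanner's asset tags.
ASSET_CRITICALITY: Dict[str, int] = {"db01": 4, "web01": 3, "wks-042": 1}


@dataclass
class Finding:
    host: str
    plugin_id: int                   # scanner check ID (hypothetical values)
    severity: str                    # one of SEVERITY_RANK
    exploit_available: bool          # public exploit known for this issue
    patch_published: Optional[date]  # None when the vendor has no fix yet
    first_seen: date                 # first scan that reported it
    fixed: Optional[date]            # date a rescan no longer found it


def risk_score(f: Finding, asof: date) -> float:
    """CSC 4.8-style rating: severity x exploitability x patch age x asset criticality.

    Patch age is capped at 90 days so very old patches do not dominate forever;
    the weights are illustrative, not a standard formula.
    """
    sev = SEVERITY_RANK[f.severity]
    exploit = 2 if f.exploit_available else 1
    patch_age_days = (asof - f.patch_published).days if f.patch_published else 0
    age = 1 + min(max(patch_age_days, 0), 90) / 30      # 1.0 .. 4.0
    crit = ASSET_CRITICALITY.get(f.host, 2)             # unknown asset: medium
    return sev * exploit * age * crit


def prioritized(findings: List[Finding], asof: date) -> List[Finding]:
    """CSC 4.1-style list for sysadmins: open critical/high findings with an
    exploit available, highest risk first. Everything else is left out so the
    list stays short enough to act on."""
    keep = [f for f in findings
            if f.fixed is None and f.exploit_available
            and SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"]]
    return sorted(keep, key=lambda f: risk_score(f, asof), reverse=True)


def sla_status(findings: List[Finding], asof: date, sla_days: int = 14
               ) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """CSC 4.7-style verification: for important findings that have a patch,
    split into (met, missed, pending) against an sla_days window from first_seen.

    A finding with no vendor patch is excluded (it needs a compensating control,
    not a patch SLA); an open finding whose window has not yet closed is pending.
    """
    met, missed, pending = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK["high"] or f.patch_published is None:
            continue
        due = f.first_seen + timedelta(days=sla_days)
        if f.fixed is not None:
            (met if f.fixed <= due else missed).append(f)
        elif asof > due:
            missed.append(f)            # still open and overdue
        else:
            pending.append(f)           # still open, but inside the window
    return met, missed, pending


# Constructed sample scan results as of ASOF.
ASOF = date(2017, 6, 1)
SAMPLE = [
    Finding("db01", 1001, "critical", True, date(2017, 3, 1), date(2017, 5, 1), None),
    Finding("web01", 1002, "high", True, date(2017, 5, 20), date(2017, 5, 22), None),
    Finding("wks-042", 1001, "critical", True, date(2017, 3, 1), date(2017, 5, 1), date(2017, 5, 10)),
    Finding("wks-042", 1003, "medium", False, date(2017, 4, 1), date(2017, 4, 5), None),
    Finding("web01", 1004, "high", False, date(2017, 4, 1), date(2017, 4, 5), date(2017, 5, 15)),
    Finding("db01", 1005, "critical", True, None, date(2017, 5, 25), None),
]

if __name__ == "__main__":
    for f in prioritized(SAMPLE, ASOF):
        print(f"{f.host:8} plugin {f.plugin_id} {f.severity:9} score={risk_score(f, ASOF):.1f}")
    met, missed, pending = sla_status(SAMPLE, ASOF)
    print(f"SLA: {len(met)} met, {len(missed)} missed, {len(pending)} pending")
```

Two design points worth noting. The prioritized list deliberately drops findings that are fixed, lack an exploit, or are below high severity, which is what keeps it short enough for operations to act on; the full data set still exists for the risk-rating and verification functions. And the SLA check separates "no patch exists" from "patch exists but was not applied": the first is a compensating-control conversation, the second is the closed-loop metric you report, and folding them together would either hide missed patches or unfairly count the unpatchable against the operations team.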


Tenable can help

It should not be surprising that Tenable knows vulnerability management. However, you may not know that we have tailored a SecurityCenter Continuous View® dashboard and an Assurance Report Card® specifically for CIS Control 4. Both are templates that you can readily adapt to your specific requirements.

CIS CSC: Vulnerability Management (CSC 4) dashboard

The CIS Vulnerability Management dashboard provides a clear picture of your vulnerability management status

The Track Mitigation Progress component in the upper left of the CIS CSC: Vulnerability Management (CSC 4) dashboard is especially useful. You can scope it to specific assets to track the mitigation status of the top exploitable hosts based on vulnerability criticality, exploitability and how long a patch has been available.

Track Mitigation Progress component

You can use the CIS CSC Vulnerability Management Assurance Report Card during monthly meetings with IT operations staff to jointly manage a closed-loop vulnerability management process. As your program matures, you can increase the thresholds to drive additional improvement.

CIS CSC Vulnerability Management Assurance Report Card

The CIS CSC: Vulnerability Management ARC helps you communicate status to IT leadership

Learn more

During an upcoming Tenable webinar on June 28, Brian Ventura, a SANS Community Instructor, will dive into the details of each of the sub-controls and show you how Tenable supports CIS Control 4. We will also reserve time for questions and answers.

Even if you can’t attend, please register so we can send you a link to the recorded webinar to watch at your convenience.

Watch for my final blog in this series on Foundational Cyber Hygiene controls; CIS Control 5 is all about controlled use of administrative privileges.
