A robust cybersecurity posture does not come easily, especially in a large enterprise. An organization’s business management and its IT security management often do not share the same view of the business’s priorities. The National Institute of Standards and Technology (NIST) has published two pieces of guidance on the importance of patch management and on building an enterprise strategy that ties patching to risk: SP 800-40r4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, and SP 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways. To connect security work to the context of the business, an organization needs to track its assets by business criticality and context. That is where SAINT can help you bridge the gap.
SAINT helps organizations discover IT assets and track them by business criticality and context. SAINT provides its own network discovery functions as well as third-party host discovery by connecting to Active Directory (AD), AWS accounts and Azure accounts, tracking assets by cloud instance, virtual machine hypervisor and container so that every asset is managed. SAINT also provides host-based agents to track assets that are not connected to the organization’s networks, data centers or cloud VPCs.
Next, SAINT’s scanning capabilities check for vulnerabilities that map to CVE entries in the NVD, as well as for other classes of vulnerabilities and risk exposures that call for risk reduction approaches other than a vendor patch, such as policy and configuration changes or web application code changes. SAINT’s pre-configured Microsoft Patch Tuesday scan policy provides a fast and convenient way to assess the specific vulnerabilities addressed by each monthly Microsoft patch release. SAINT’s SCAP-validated scan capabilities also let organizations scan using OVAL and XCCDF content as well as SAINT’s own vulnerability repository.
SAINT’s data analytics and reporting also provide extended value to risk assessors and system owners by flagging vulnerabilities with known exploits in the wild, and by allowing custom severity values for selected vulnerabilities that require special handling or consideration, such as those involving credentials, certificates or other classes of risk.
Additionally, SAINT’s patch reports show which assets will be remediated by applying each individual patch, as well as the inverse: which patches each asset still needs.
Lastly, verification is key to ensuring that patches were applied to all managed assets and to identifying assets that may have been excluded from the patch process.
This continuous assessment and feedback loop provides vital information about the effectiveness of the patch program as well as insights into new or unmanaged assets that require investigation by asset management and system owners.
Interoperability across security investments is also important as a force multiplier for asset and vulnerability management. For example, in addition to connecting to AD, AWS, Azure, container managers and hypervisors, SAINT interoperates with technologies such as Forescout, IBM QRadar, Cisco ISE, Splunk and Infoblox for asset discovery, asset data sharing, and even quarantining vulnerable assets prior to response and remediation. As the example configuration in SP 1800-31 shows, a comprehensive risk management program draws on many classes of security technology. Leveraging the capability to interoperate and share data across these resources is vital to creating a cost-effective and complete solution.
Looking to bridge the gap between risk management and vulnerability management? Try SAINT for Free here: https://bit.ly/3Odg7rb
Want to learn more about the importance of bridging the gap? See our live training about it here: https://bit.ly/3jAOV7U
If you need assistance updating SAINT to the current version or help on other SAINT topics, contact support at firstname.lastname@example.org. If you need assistance getting SAINT for your organization, please contact sales at email@example.com.
Software Vulnerability Management Life Cycle – The following describes a basic software vulnerability management life cycle. This life cycle applies to all risk response approaches.
(Excerpt from NIST SP 800-40r4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology. This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-40r4)
1. Know when new software vulnerabilities affect your organization’s assets, including applications, operating systems, and firmware. This involves knowing what assets your organization uses and which software and software versions those assets run down to the level of packages and libraries, as well as keeping track of new vulnerabilities in that software. For example, your organization might subscribe to vulnerability feeds from software vendors, security researchers, and the National Vulnerability Database (NVD).
2. Plan the risk response. This involves assessing the risk the vulnerability poses to your organization, choosing which form of risk response (or combination of forms) to use, and deciding how to implement the risk response. For example, you might determine that risk is elevated because the vulnerability is present in many organization assets and is being exploited in the wild, then choose mitigation as the risk response and mitigate the vulnerability by upgrading the vulnerable software and altering the software’s configuration settings.
3. Execute the risk response. This will vary depending on the nature of the selected risk response, but common phases include the following:
a. Prepare the risk response. This encompasses any preparatory activities, such as acquiring, validating, and testing patches for the vulnerable software; deploying additional security controls to safeguard the vulnerable software; or acquiring a replacement for a legacy asset that cannot be patched. It might also include scheduling the risk response and coordinating deployment plans with enterprise change management, business units, and others.
b. Implement the risk response. Examples of this include distributing and installing a patch, purchasing cybersecurity insurance, deploying additional security controls, and changing asset configurations and state (e.g., software reset, platform reboot). Any issues that occur during implementation should be resolved.
c. Verify the risk response. This step involves ensuring that the implementation has been completed successfully. For patching, this means confirming that the patch is installed and has taken effect. For deploying additional security controls, ensure they are functioning as intended. For risk avoidance, verify that vulnerable assets were decommissioned or replaced.
d. Continuously monitor the risk response. Make sure that the risk response continues to be in place: no one uninstalls the patch, deactivates the additional security controls, lets the cybersecurity insurance lapse, or restarts the decommissioned asset.
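To make the patch-report views described earlier (patch to assets, and the inverse) and the NIST life-cycle steps concrete, here is an added Python example. It is not SAINT or NIST code; it runs the same kinds of checks over constructed scanner output: mapping CVEs to affected assets and assets to the fixes they need (step 1), ranking CVEs by business criticality and in-the-wild exploitation (step 2), and comparing a baseline scan with a post-patch scan to verify the fix landed and to catch regressions and unmanaged hosts (steps 3c and 3d, and the feedback loop described above). All asset names, package versions, CVE identifiers and scan results are constructed placeholders, and the scoring formula is an assumption chosen for illustration, not SAINT's severity model.

```python
"""NIST SP 800-40r4 life-cycle steps expressed as checks over scanner output.

Added example, not SAINT or NIST code. Every asset, package version, CVE
identifier and scan result below is constructed; the CVE strings are
placeholders and do not refer to real advisories.
"""
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """'3.0.12' -> (3, 0, 12); tuple comparison orders versions numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (mission critical), set by the business owner


@dataclass(frozen=True)
class Vuln:
    cve: str
    package: str
    fixed_in: str  # first version that carries the fix
    exploited_in_wild: bool


Scan = dict[str, dict[str, str]]  # {asset name: {package: installed version}}


def is_affected(installed: dict[str, str], vuln: Vuln) -> bool:
    """Affected when the package is present at a version below the fixed one."""
    version = installed.get(vuln.package)
    return version is not None and parse_version(version) < parse_version(vuln.fixed_in)


def exposure(scan: Scan, vulns: list[Vuln]):
    """Step 1: (cve -> affected assets, asset -> CVEs it needs fixes for)."""
    by_vuln = {v.cve: sorted(a for a, pkgs in scan.items() if is_affected(pkgs, v))
               for v in vulns}
    by_asset = {a: sorted(v.cve for v in vulns if is_affected(pkgs, v))
                for a, pkgs in scan.items()}
    return by_vuln, by_asset


def prioritize(scan: Scan, vulns: list[Vuln], inventory: dict[str, Asset]) -> list[tuple[str, int]]:
    """Step 2: rank by business risk, not CVSS alone (assumed formula).

    Score = sum of criticality over affected assets, doubled when exploited in
    the wild. Hosts missing from the inventory get a provisional 3 until classified.
    """
    by_vuln, _ = exposure(scan, vulns)
    ranked = []
    for v in vulns:
        score = sum(inventory[a].criticality if a in inventory else 3 for a in by_vuln[v.cve])
        ranked.append((v.cve, score * 2 if v.exploited_in_wild else score))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def compare_scans(baseline: Scan, current: Scan, vulns: list[Vuln], inventory: dict[str, Asset]) -> dict:
    """Steps 3c/3d: per CVE, who got fixed, who was skipped, who regressed
    (clean before, vulnerable now, e.g. a rolled-back patch), and vulnerable
    hosts the baseline never saw; plus scanned hosts the inventory lacks."""
    before, _ = exposure(baseline, vulns)
    after, _ = exposure(current, vulns)
    report: dict = {}
    for v in vulns:
        b, a = set(before[v.cve]), set(after[v.cve])
        report[v.cve] = {
            "fixed": sorted(b - a),
            "still_vulnerable": sorted(b & a),
            "regressed": sorted(h for h in a - b if h in baseline),
            "newly_seen": sorted(h for h in a - b if h not in baseline),
        }
    report["unmanaged"] = sorted(set(current) - set(inventory))
    return report


# Constructed sample data: inventory with business criticality, two placeholder
# CVEs, and scans taken before and after a patch window.
INVENTORY = {
    "erp-db-01": Asset("erp-db-01", criticality=5),
    "web-02": Asset("web-02", criticality=4),
    "kiosk-07": Asset("kiosk-07", criticality=1),
}
VULNS = [
    Vuln("CVE-0000-0001", "openssl", fixed_in="3.0.12", exploited_in_wild=True),
    Vuln("CVE-0000-0002", "sudo", fixed_in="1.9.15", exploited_in_wild=False),
]
SCAN_BEFORE: Scan = {
    "erp-db-01": {"openssl": "3.0.9", "sudo": "1.9.12"},
    "web-02": {"openssl": "3.0.9", "sudo": "1.9.15"},
    "kiosk-07": {"openssl": "3.0.12", "sudo": "1.9.12"},
}
SCAN_AFTER: Scan = {
    "erp-db-01": {"openssl": "3.0.12", "sudo": "1.9.15"},  # fully patched
    "web-02": {"openssl": "3.0.9", "sudo": "1.9.15"},      # missed by the patch run
    "kiosk-07": {"openssl": "3.0.9", "sudo": "1.9.12"},    # openssl downgraded: regression
    "lab-vm-3": {"openssl": "3.0.9"},                      # not in the inventory
}

if __name__ == "__main__":
    print(prioritize(SCAN_BEFORE, VULNS, INVENTORY))
    print(compare_scans(SCAN_BEFORE, SCAN_AFTER, VULNS, INVENTORY))
```

In practice the scan dictionaries would be exported from the scanner and the inventory populated from AD and cloud account connectors; the point of the example is the shape of the checks. Ranking by business criticality is what separates a kiosk and an ERP database that carry the same CVE, and the regression and unmanaged-host lists are exactly the signals step 3d and the feedback loop above ask for: a patch that quietly came undone, and a host nobody owns.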