Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CCC 2: Remove Vulnerabilities and Misconfigurations

by Cody Dumont
June 23, 2015

Monitoring systems for vulnerabilities and misconfigurations is full time job and requires the CISO to pay particular attention to several key indicators.  This ARC provides the CISO with several of the key indicators to include vulnerability over 30 day old and configuration audits. 

When monitoring the mitigation of vulnerabilities, the CISO monitors the implementation of a regular scanning program using a continuous network monitoring philosophy. The scanning technology should include sensors to detect publicly identified vulnerabilities, missing patches for operating systems and applications, and misconfigured applications. Once all vulnerabilities and misconfigurations are identified, the organization should have a repeatable process to remediate/patch/remove the weaknesses.

This ARC strategically crosses several different operational teams and provides the CISO a quick overview of how the organization is approaching security.  The policy statements in this ARC cover the operations team by monitoring the status of patch deployments, and the audit teams by measuring the overall security policy check pass ratio.  Monitoring for system audit success and tracking patch deployment steps reflects the security team’s progress. 

This ARC is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The ARC can be easily located in the feed by selecting category executive. The ARC requirements are:

  • SecurityCenter 5.0
  • Nessus 6.3.6
  • LCE 4.4.1
  • PVS 4.2.0

This ARC uses all aspects of continuous network monitoring, including scanning, sniffing, and log correlation.  Using each of these technologies allows Tenable to provide a unique combination of detection, reporting, and pattern recognition utilizing industry recognized algorithms and models.  SecurityCenter Continuous View integrates with many technologies such as patch management, mobile device management, malware defenses, network infrastructure, cloud services, and other log analysis platforms to provide a holistic approach to threat detection and risk analysis.

The policy statement for this ARC are:

Greater than 95 % of systems with configuration audit successfully performed in past 90 days: This policy identifies systems that have been scanned using credentials and will show Compliant in green if more that 95% percent of systems have been scanned successfully.  The policy checks for all systems that have been detected using Nessus or PVS.  The benefit of the policy is that it helps to measure the coverage of PVS and Nessus, thus making sure each system is scanned and sniffed.

Greater than 75% of configuration audits are compliant with security policies: This policy monitors all the configuration audit checks and will show Compliant in green when over 75% of the checks are compliant with security policies.  The configuration audits are checked using the Nessus audit files located in the Customer support portal.  These audit files should be edited to meet corporate policies.

Less than 15% of systems with high or critical severity vulnerability with a patch released over 30 days ago: The policy monitor all vulnerabilities discovered using passive and active methods.  If a patch was published more that 30 days ago, the organization is not applying patches in the industry accepted time line.  The organization can adjust the date time line, however in doing so the organization is increasing their risk exposure.  This policy will show Compliant in green when less than 15% of systems have patches missing for more that 30 days for critical or high severities.

All detected software and hardware is currently supported by the vendor: This policy statement identifies all systems running unsupported hardware or software.  The filters search for the word "unsupported" in the plugin name.  If any systems are identified, the policy will fail.  Therefore, reporting is green only when all systems are running supported software and hardware.