The IT Operations teams in most organizations run in monthly cycles from “Patch Tuesday” to “Patch Tuesday.” The cycle never seems to end, and in many cases the vulnerabilities from one cycle bleed into the next, and this insurmountable problem seems to grow at an exponential rate. This continuous cycle often leads operational managers to make difficult choices – and in some cases – uncomfortable meetings, where they try to explain the presence of vulnerabilities. The Vulnerability Management (VM) application in Tenable.io enables operations managers to easily see how progress is made toward patch deployment goals.
Outstanding patch statistics
When reporting to management about the status of patch deployments, you always benefit from being able to quantify the current status in easily explainable terms. The Outstanding Patch Tracking dashboard provides easy to understand metrics that can be communicated to anyone in the organization. The top two components use the plugin (66334) Patch Report to show the status of how many systems are missing patches by the patch count and by the operating system. When reviewing the series by patch count, you can get an overall understanding of how effective patch management is, meaning if your systems have more than 90 patches missing, then your organization is not applying patches in an effective manner. On the other hand, if you only have systems with missing patches between 0 - 30 patches, you would be within a 30 patch cycle. The adjacent bar chart provides a list of hosts per operating system, which have been reviewed for missing patches. The Patch Report plugin is only triggered on a credentialed scan, so this chart also gives you an idea if all your systems are being scanned with valid credentials.
Microsoft Security Bulletins
After gaining a good understanding of the metrics, you must be able to communicate the risk and how vulnerable systems are by the outstanding patches. The Tracking Microsoft Security Bulletins - Current Missing Patches component displays the total count of missing patches related to Microsoft Security Bulletins. The security bulletins are named by the year and the order in which a bulletin was released. For example MS17-001 was Microsoft’s first security bulletin released in 2017 (Plugin ID: 96390 Plugin Name: MS17-001: Security Update for Microsoft Edge). This example illustrates the effectiveness of your patch management program. By combining several Microsoft Bulletin prefixes together, you can easily track the year the vulnerability was patched. An effective patch management system will not have patches in years prior to the current year.
This matrix includes six columns; the first provides a count of affected systems and the middle four columns provide a count based on the respective severity levels. The final column provides a count of the vulnerabilities which are exploitable. The color for this final column will change based on the percentage thresholds, the colors are: >=90 Red, >= 75 Orange, >= 50 Yellow, >= 25 Green, >= 1 Blue, Default Blue. This change in colors helps you to understand the level of risk: the colors closer to red indicate a greater risk.
Missing patches by plugin family
While reporting on Microsoft vulnerabilities is good, there are other operating systems you should be concerned with. The Remediations Tracking - Current Missing Patches component tracks vulnerabilities based on plugin families. Tenable.io is capable of analyzing many types of software and hardware. As a result, there are many plugin families covering different types of software and hardware grouped by a common theme, such as Debian Local Security Checks. There are currently over 60 plugin families supported by Tenable.io. The plugins within each family detect and evaluate information based on different criteria for each operating system. For example, for vulnerabilities found in Apache, there could be several plugins across many plugin families. Taking this approach helps you easily communicate the risk exposure by operating systems other than Microsoft.
This matrix uses a similar approach as the previous matrix, by providing a count of affected systems; the middle four columns provide a count based on the respective severity levels, and the last column shows exploitable percentages. However, in this matrix, the exploitable percentage remains purple regardless of the percentage value.
Outstanding patch analytics
As a practitioner and manager, I use the data in the Outstanding Patch Tracking dashboard on a daily basis. Monitoring the different views helps to prepare for conversations with my team and management. When communicating with my team and IT operations, this information helps to communicate risk and where remediation efforts are most needed. Additionally, I can have open discussions about problems in the vulnerability collection process. For example, when reviewing the bar chart, I can talk with the operations team about operating systems that I know are present on the network, but seem to be missing from the dashboard; or we can discuss quantities of each of the operating systems as needed.
Another interesting thing happened recently in a meeting with my team: the bar chart indicated that there were both “Windows 7 Professional” and “Windows 7 Professional N”. The “N” version of Windows 7 is a more international version of Windows, and it is often found in countries that are part of the European Economic Area, Croatia, and Switzerland. The OS allows for users to choose their own media player and software required to manage and play CDs, DVDs, and other digital media files. From this conversation, we started to have a larger conversation about where these systems came from if they should be present within our environment.
When discussing risk with the upper echelons of management and the security operations team, this dashboard provides me the current status of vulnerability data. With this information, I am able to speak about risk incurred from delaying patch deployments, and can provide insight on the exploitability if our organization were attacked. These numbers also provide foundational information needed to calculate projected costs per vulnerability if compromised. These types of analyses help executives understand the risk to the organization and may help to fund expensive mitigation strategies.
As you work to address your risk mitigation tasks and track progress, the Tenable.io Outstanding Patch Tracking dashboard provides key analytics. Whether you are communicating up the chain, to peers, or to your team, this dashboard provides a thorough look at your outstanding risk.
Interesting in learning more about Tenable.io?