Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CIS CSC: Vulnerability Management (CSC 4)

by David Schwalenberg
June 20, 2016

Vulnerable devices and applications on an organization's network pose a great risk to the organization. Vulnerabilities such as outdated software, susceptibility to buffer overflows, risky enabled services, etc. are weaknesses in the network that could be exploited. Organizations that do not continuously look for vulnerabilities and proactively address discovered flaws are very likely to have their network compromised and their data stolen or destroyed. This dashboard provides a high-level overview of an organization's vulnerability management program and can assist the organization in identifying vulnerabilities, prioritizing remediations, and tracking remediation progress.

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. This dashboard aligns with CIS Critical Security Control 4, Continuous Vulnerability Assessment and Remediation, which addresses identifying and managing vulnerabilities.

Analysts can also use this dashboard to easily drill down into the data presented by the dashboard components. This enables the analyst to gain more detailed information about the vulnerabilities found on the network, such as which vulnerabilities are the most dangerous. The analyst can also determine information that will benefit vulnerability remediation. This information might include on which hosts a vulnerability is found and what remediations would most benefit a particular group of machines. Knowing these details can enable better and more efficient vulnerability management, patching, and mitigation within the organization. This in turn will help the organization better protect itself from exploitation of network vulnerabilities, and potential intrusions, attacks, and data loss.

This dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends. The dashboard requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0

Many other vulnerability-focused dashboards are also available in the Threat Detection & Vulnerability Assessments feed category. These dashboards can assist an analyst in further investigating vulnerabilities and tracking remediations. Some suggested dashboards are Vulnerability Top Ten, Web Vulnerabilities, Browser Vulnerabilities, Understanding Risk, and Mitigation Summary. Dashboards that address exploitations of specific vulnerabilities (such as Shellshock and Logjam) can be found in the Security Industry Trends feed category.

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with the Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.

The following components are included in this dashboard:

  • Vulnerability Summary - 3-Month Trend of Vulnerabilities:This component is a 3-month summary chart tracking unmitigated vulnerabilities of low, medium, high, and critical severity.
  • Vulnerability Top Ten - Top 10 Most Vulnerable Hosts: This component shows the top ten hosts with exploitable vulnerabilities of high or critical severity. Editing the filters in the component and changing the tool from IP Summary to Class C Summary or Port Summary can give information on exploitable vulnerabilities per subnet or per port, respectively.
  • Understanding Risk - Remediation Opportunities: This table displays the top remediations for the network. For each remediation, the risk reduction for the network if the remediation is implemented is shown, along with the number of hosts affected. The table is sorted so that the highest risk reduction is at the top. Implementing the remediations will decrease the overall vulnerability of the network. Adding filters to the component, such as filtering on only critical severity vulnerabilities or filtering on a specific asset group, can narrow the focus of the component, giving remediation opportunities in specific areas.
  • Track Mitigation Progress - Vulnerability Summary by Severity: SecurityCenter records when vulnerabilities are discovered, when patches are issued, and when vulnerabilities are mitigated. This component assists in tracking vulnerability mitigations. The matrix presents vulnerability summary information by severity. In the matrix, the row with red is critical severity vulnerability information, the row with orange is high severity, the row with yellow is medium severity, and the row with green is low severity. The Mitigated column displays the total number of mitigated vulnerabilities. The Unmitigated column displays the total number of vulnerabilities that have not yet been mitigated. The Exploitable column displays the percentage of those unmitigated vulnerabilities that are known to be exploitable. The Patch Available column displays the percentage of the unmitigated, exploitable vulnerabilities that have had a patch available for more than 30 days. Ideally, both of these percentages should be 0%, because all exploitable vulnerabilities and all vulnerabilities with patches available should have been mitigated already. The Exploitable Hosts column displays the number of hosts on the network that have unmitigated, exploitable vulnerabilities.
  • Vulnerability Summary - Exploitable Vulnerabilities: This matrix displays warning indicators for exploitable vulnerabilities actively and passively detected on the network, including Windows vulnerabilities, web vulnerabilities, open source application vulnerabilities, and vulnerabilities by keywords such as "Java" and "unsupported". Vulnerabilities that can be exploited by Metasploit are very dangerous and must be remediated as soon as possible. Exploitable vulnerabilities that have been marked as accepted risks or recast to Informational within SecurityCenter are also noted. Clicking on a highlighted indicator will bring up the vulnerability analysis screen to display details for the vulnerabilities and allow further investigation. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities are present. Setting the tool to Vulnerability Details will display the full details for each vulnerability, including a description, the solution to fix the vulnerability, and in some cases, links to more information.