FRAMEWORKS AND STANDARDS

Control 07: Continuous Vulnerability Management

A summary about data protection and management

Published Date: October 29th, 2024

Product Line: CIS Controls

Audience: Executives, Security Administrators, Data Management Personnel

Get your copy of the CIS Controls V8.1 here.

Overview

Vulnerability management aims to minimize the attack surface by identifying, prioritizing, and remediating vulnerabilities based on their potential impact and the likelihood of exploitation. This control focuses on maintaining a continuous process to assess and address vulnerabilities across an organization’s assets and systems.

Why is this control critical?

Organizations of all sizes and in all industries face ongoing threats from attackers exploiting known vulnerabilities to gain access to sensitive systems and data. To mitigate this risk, continuous scanning and monitoring can find existing security gaps in systems. Pair this with vulnerability management which allows defenders to track CVEs and swiftly perform patching and updates to maintain operational integrity and protect assets from compromise and exploitation.

Key Techniques for Continuous Vulnerability Management

1. Implement Regular Scanning
   
   Use both authenticated and unauthenticated scans to identify vulnerabilities in internal and external assets. Effective scanning tools should be SCAP-compliant and able to map identified issues to standardized classification systems, such as CVE or CVSS.
    
2. Update Based on Risk
   
   Prioritize patches based on impact and likelihood of exploitation. When a vulnerability is detected, prompt remediation minimizes risk exposure. Monitor threat intelligence for information on newly discovered vulnerabilities and adjust priorities accordingly.
    
3. Automate Patch Management
   
   Employ automated patch management systems to consistently apply updates for operating systems and applications, which reduces the risk of vulnerabilities remaining unaddressed.
    
4. Integrate with Incident Management
   
   Utilize a ticketing system to track progress on remediating identified issues, ensuring high-priority vulnerabilities receive attention and are resolved in a timely manner.

Enhanced Protection Techniques

1. Data-driven Prioritization 
   
   Use data from vulnerability scoring (i.e. CVSS) alongside threat intelligence to determine which vulnerabilities present the highest risks. Updates to exploitation likelihood should adjust vulnerability priorities, streamlining the patching process for critical assets.

2. Comprehensive Documentation 
   
   ​​​​​​​Maintain a documented process for vulnerability management, reviewing it annually to align with any infrastructure changes. Proper documentation enables clear tracking and accountability for vulnerability handling. It is not uncommon for organizations to have devices that are forgotten or out of date, and these devices can pose a threat if they are still tapped into the network.