The threat landscape has been evolving at a rapid pace, requiring enterprises to be highly vigilant and stay on top of new tools and processes that effectively protect them from cyberattacks. According to a recent study on data breaches, 90 percent of exploits targeted apps for which patches had been available for six months or longer, and 50 percent of systems had at least 10 vulnerabilities that had patches available, but were not installed.
Needless to say, patch management is an integral component of any effective defense-in-depth strategy and is a valuable first line of defense to minimize your endpoint risk. System hardening with security configuration management and vulnerability assessment and remediation are two important controls that go hand-in-hand with patch management.
Security Configuration Management
Over the years Verizon’s annual Data Breach Investigations Reports have indicated that weak configuration management and inadequate system hardening factor into most data breaches. Developing configuration settings with strong security properties is a complex task that requires knowledge and analysis that is beyond the scope of the user.
Installing a strong configuration is not enough. You must continue to manage it to maintain its security properties to ensure it is not compromised over time as a result of changes or new events, such as new security vulnerabilities or software updates. In order to manage all the systems, operating systems and applications in your environment, you need a centralized solution that gives you a holistic view of your endpoints, and the ability to install and update standard configurations across your entire environment.
Such a solution will empower you to enforce a consistent endpoint configuration policy, as well as continually monitor and tweak it to ensure that it stays effective long term.
Vulnerability Scanning and Remediation
Vulnerability scanning is another integral component of an effective security strategy; without it, you would be unable to discover and address flaws that could potentially give hackers a way to get into your network and systems. Also, vulnerability analysis can help you assess the effectiveness of proposed countermeasures.
The Open Vulnerability and Assessment Language (OVAL®) is a well-known standard that gives you a repository to check for software vulnerabilities, configuration issues, programs, and/or patches on your endpoints. The OVAL repository for vulnerability tests is continually updated by the community, which reviews and vets new definitions before adding them to the repository. For more information and a helpful list of controls, check out our new white paper, Protecting Your Network and Endpoints with the SANS 20 Critical Security Controls.
Enterprises today must take a very active role in defending their organizations and managing risk, and you play a key role in helping your organization achieve this through patching, configuration management and the use of vulnerability scans. This is no easy undertaking, but a centralized solution can make your life a lot easier.
Gain more insight into developing an effective patch management strategy that meets your organization’s needs.
<p>again, nice blog post.</p>
<p>It is very interesting and certainly an aspect to support that is growing in need as however hard you work to keep things secure they are working just as hard to make it through. Sometimes it is very frustrating to deal with considering you are trying to do the right thing and are constantly bombarded with these issues.</p>
<p>Glad KACE can do this for us!</p>
<p>Security targets are always changing. Automation is the only way to keep up.</p>
<p>I'd like to see a KKE session on system hardening with kace, I'm sure that there's a whole lot more that I could be doing but haven't thought of yet.</p>
<p>Good stuff here</p>
<p>More to dive into... Thanks for the good info!</p>
<p>Per your comment:</p>
<p>"I'd like to see a KKE session on system hardening with kace, I'm sure that there's a whole lot more that I could be doing but haven't thought of yet.â€</p>
<p>I let our KKE training team know, pazouz.</p>
<p>Thanks for the feedback!</p>
<p>Great stuff once again</p>
<p>I have been preaching this for some time now. Hard to get my users to understand this. I will be referring people to this blog for clarification.</p>
<p>Thank you all for your feedback :).</p>
<p>Thanks, comjam! Glad this blog will be of use :)</p>
<p>this is some very useful information, thanks</p>
<p>Happy to hear that, dana.bidlack :). Have a great weekend!</p>