Patch Management, Configuration Management and Vulnerability Scans - Adding to Your First Line of Defense

The threat landscape has been evolving at a rapid pace, requiring enterprises to be highly vigilant and stay on top of new tools and processes that effectively protect them from cyberattacks. According to a recent study on data breaches, 90 percent of exploits targeted apps for which patches had been available for six months or longer, and 50 percent of systems had at least 10 vulnerabilities for which patches were available but not installed.

Needless to say, patch management is an integral component of any effective defense-in-depth strategy and is a valuable first line of defense to minimize your endpoint risk. System hardening with security configuration management and vulnerability assessment and remediation are two important controls that go hand-in-hand with patch management.

Security Configuration Management

Over the years, Verizon’s annual Data Breach Investigations Reports have indicated that weak configuration management and inadequate system hardening factor into most data breaches. Developing configuration settings with strong security properties is a complex task that requires knowledge and analysis beyond the scope of the user.

Installing a strong configuration is not enough. You must continue to manage it so that it keeps its security properties and is not compromised over time by changes or new events, such as new security vulnerabilities or software updates. To manage all the systems, operating systems and applications in your environment, you need a centralized solution that gives you a holistic view of your endpoints and the ability to install and update standard configurations across your entire environment.

Such a solution will empower you to enforce a consistent endpoint configuration policy, as well as continually monitor and tweak it to ensure that it stays effective long term.

Vulnerability Scanning and Remediation

Vulnerability scanning is another integral component of an effective security strategy; without it, you would be unable to discover and address flaws that could potentially give hackers a way to get into your network and systems. Also, vulnerability analysis can help you assess the effectiveness of proposed countermeasures.

The Open Vulnerability and Assessment Language (OVAL®) is a well-known standard that gives you a repository to check for software vulnerabilities, configuration issues, programs, and/or patches on your endpoints. The OVAL repository for vulnerability tests is continually updated by the community, which reviews and vets new definitions before adding them to the repository. For more information and a helpful list of controls, check out our new white paper, Protecting Your Network and Endpoints with the SANS 20 Critical Security Controls.

Enterprises today must take a very active role in defending their organizations and managing risk, and you play a key role in helping your organization achieve this through patching, configuration management and the use of vulnerability scans. This is no easy undertaking, but a centralized solution can make your life a lot easier.
