Vulnerability Management

  1. Home
  2. Case Studies
  3. Vulnerability Management
  • Category: CISA KEV Vulnerability Management
  • Tags: ServiceNow, Nessus, Splunk, Active Directory, CISA

Vulnerability Management at Scale - Context is King

Stop approaching your Vulnerability Management process with a one-size fits all approach using prioritization data provided by third party scanners and start understanding how these vulnerabilities impact your business. Clockspring allows you to leverage information spread across your network to streamline your Vulnerability Management processes to quickly and easily understand the impact to your organization and who is responsible for remediation.

Challenge

On November 3, 2021, the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) published Binding Operational Directive (BOD) 22-01 to address a widespread problem of Known Exploited Vulnerabilities (KEVs) still being found in federal enterprises. While threat actors can use very novel approaches to access these information systems the easiest way in is to exploit vulnerabilities that are widespread and well understood. CISA aims to reduce these KEVs through establishing a requirement that all published KEVs are remediated within as little as 2 weeks from the date it was published and report back to CISA with the status of these vulnerabilities on the network.

Navigating this process can be a real pain point for large organizations to understand what is due and when, what assets are impacted, what services those assets provide to the organization and who is responsible for remediating these vulnerabilities. With thousands, or millions, of vulnerabilities showing up during regular scans the process to get from identification to assignment and then remediation can easily take longer than the required remediation timeline. According to CISA "If these actions cannot be accomplished within the required timeframe, you must remove the asset from the agency network".

This can cause immeasurable damage to the organization and being able to reduce the time to remediation must be a priority.

Solution

Dashboard showing a risk-prioritized vulnerability dashboard
Combined vulnerability view of system-level aggregate risk

Using Clockspring you can take asset information that is already floating around on the network and have a single pane of glass to understand the scope of the vulnerability, the affected assets, the services that the asset supports, as well as a point of contact who is responsible for the system. To do this Clockspring pulled in data from the following sources:

  • Vulnerability Scanner (Nessus, Qualys, etc.)

    • Core to this process is the vulnerability data itself. We look at the vulnerability data directly to build the initial inventory of vulnerabilities on the network.

  • CISA KEVs

    • Next, we compare the data in the scanner with the latest KVE list to identify any systems with a KEV.

  • CMDB (ServiceNow, ManageEngine, etc.)

    • Once the assets are identified, we query the CMDB to get information about this asset. Relevant data points may include Information System or Business service the device supports, assigned system owner, and CIA scores. This attribute list can be expanded further based on any data stored in your CMDB.

    Note: Clockspring can also automatically populate your CMDB with this sort of information. Contact Us to learn how!

  • SIEM (Splunk, ArcSight, etc.)

    • We then query the SIEM to get login information about the host to identify the most common user of the system. Since we are sending all the login events to the SIEM anyway, we can use this data to figure out the user that has logged in the most in 30/60/90 days.
    While we have system owner information from the CMDB, this data is extremely valuable when the assigned owner is out of date.

  • Active Directory

    • Once we have username of who is the most common user, we want to further enrich this information from Active Directory to get full name, email address, phone number, and even supervisor information.

Screenshot showing a detailed view of an endpoint with data pulled from several different data sources
Detailed component view

Once we have all this information, Clockspring writes a single entry to the SIEM with all of the relevant data points in an easily digestible manner. This enables us to be able to create a dashboard on the SIEM to provide a single pane of glass to view all KEVs and get associated system information.

As this page just shows vulnerability overview information, we can select a single host and drill down to get detailed information about that host.

Impact

By combining host information from tools already deployed in the enterprise, Clockspring can provide a one stop view of the data that matters when complying with BOD 22-01 no matter your role in the organization. Using this method, you can quickly and easily understand your organization's compliance, prioritize the most pressing vulnerabilities, and easily assign remediation activities to the appropriate resource.

Get Started