The CIS Critical Security Controls, known widely as CIS Controls, are a series of actionable cybersecurity recommendations designed to prevent common and not-so-common attacks against IT infrastructure seen in the wild.
They include a prioritized list of security controls that span from implementation group 1 (IG1), which covers the basic security needs that apply to organizations from the smallest to the largest, to implementation groups 2 and 3, which cover the needs of multi-department organizations and enterprises. Because the CIS Controls are designed to defend against known threats, the Center for Information Security (CIS) shows that implementing them mitigates 83% of all the techniques in the ATT&CK model, which sets concrete security expectations for organizations that adopt the framework.
The CIS Controls map to other cybersecurity frameworks, such as CMMC, the NCSC Cyber Assessment Framework, PCI, and others, which makes them a very appealing choice for establishing an organization’s cybersecurity controls.
CIS Controls version 8 dedicates a control to continuous patch and vulnerability management. Control 7, “Continuous Vulnerability Management,” sets up the processes and infrastructure needed to keep enterprise software assets up to date, so that known vulnerabilities do not lead to a data breach.
It is, in principle, an easy goal to understand and justify, but implementation is not always as straightforward. According to the Ponemon Institute, 56% of enterprise organizations take from five weeks to more than one year to apply security patches, and the same share of companies do not use automation to assist with vulnerability patching.
Attacks that result in data breaches at enterprise organizations occur as a result of a series of steps an attacker takes. Therefore, an organization’s security posture depends heavily on multiple defenses being present at each one of those steps.
A commonly exploited step that leads to a data breach is the exploitation of software vulnerabilities. Given the large number of operating systems, software, and hardware a typical organization uses, it is not a surprise that ransomware attacks against web applications in 2022 were mainly a result of exploiting software vulnerabilities.
To improve an organization’s security posture against software vulnerabilities, implementation group 1 in CIS Controls includes 4 controls, shown below.
These controls apply to organizations of any size and are considered basic cyber hygiene.
In short, they ensure that organizations perform security updates in an automatic way on a monthly, or more frequent, basis. They also require a documented process to scan infrastructure for vulnerabilities and a follow-up process for remediation that is based on risk analysis, i.e., address the assets that are the most important to the organization first.
As we move to larger organizations, more requirements apply, as shown below.
These controls move an organization from proactive patch management to being proactive in both patch management and vulnerability scanning, and they require that found vulnerabilities be remediated on a regular schedule.
As seen above, the requirement for automated patch management is present even for implementation group 1 (basic cyber hygiene) of the CIS Controls framework. At the same time, although it is possible to configure automatic security updates on a Linux system today, it is very often an unusable setup in practice.
Security patches on the Linux kernel and commonly used components, like glibc, require a system restart to apply. Moreover, system updates are often combined with feature updates that may cause unexpected software behavior changes.
For this reason, operations teams deploy updates manually in a controlled environment, and – after testing – the updates are deployed in production systems during a maintenance window that may be monthly, quarterly, or any other interval the organization can afford.
Although this describes today’s best practice, it is, in effect, a manual process that defeats the goal of automation in security patching. With a manual patching process, the vulnerability exploitation window grows, as patches must wait for the next maintenance window to be applied.
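To make the reboot gap described above concrete, here is an added example (not TuxCare's or KernelCare's code) that detects, from /proc/<pid>/maps contents and kernel version strings, where a patch installed on disk is not yet in effect for running code; the sample maps data and version strings are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample /proc/<pid>/maps excerpts (made up for this example), as
# they look after a glibc package update: the file was replaced on disk, but a
# long-running process still maps the deleted copy.
SAMPLE_MAPS: Dict[int, str] = {
    1204: (  # e.g. a web server started before the update
        "7f2a4c000000-7f2a4c1c9000 r-xp 00000000 08:01 2621 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)\n"
        "7f2a4c1c9000-7f2a4c1f1000 rw-p 00000000 00:00 0\n"
        "7f2a4c300000-7f2a4c3b0000 r-xp 00000000 08:01 2700 /usr/bin/nginx\n"
    ),
    2310: (  # e.g. a service restarted after the update
        "55d1a0000000-55d1a00a0000 r-xp 00000000 08:01 2911 /usr/sbin/sshd\n"
        "7f9b10000000-7f9b101c9000 r-xp 00000000 08:01 2622 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f9b10400000-7f9b10410000 rw-s 00000000 00:00 0 /memfd:shm (deleted)\n"
    ),
}
DELETED = " (deleted)"

def stale_libraries(maps_text: str) -> List[str]:
    """Shared objects still mapped from files replaced on disk; the kernel marks
    such mappings '(deleted)', so the on-disk patch is not yet in effect here."""
    stale = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(parts) < 6 or not parts[5].endswith(DELETED):
            continue
        path = parts[5][: -len(DELETED)]
        # memfd/anonymous mappings show '(deleted)' too; only file-backed .so count
        if path.startswith("/memfd:") or ".so" not in path:
            continue
        stale.add(path)
    return sorted(stale)

def processes_needing_restart(maps_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """pid -> stale libraries, for processes that have any (restart candidates)."""
    found = {pid: stale_libraries(text) for pid, text in maps_by_pid.items()}
    return {pid: libs for pid, libs in found.items() if libs}

def kernel_reboot_needed(running: str, newest_installed: str) -> bool:
    """True when a newer kernel package is installed than the running one
    ('uname -r'); compares numeric fields, e.g. 5.15.0-91-generic -> (5,15,0,91)."""
    key = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    return key(newest_installed) > key(running)
```

On a real host, feed each /proc/<pid>/maps file to `stale_libraries` (reading other users' processes needs root) and pass `uname -r` plus the newest kernel version reported by the package manager to `kernel_reboot_needed`.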
KernelCare live patching is a solution that patches the Linux kernel and applications while they run. Unlike system updates, this approach does not require a system restart and is used exclusively for security patching – meaning there are no behavioral changes in the software.
KernelCare live patching enhances an organization’s patch management program by introducing automation and subsequently reducing the time to patch vulnerabilities as well as the vulnerability exploitation window.
It does so by providing live patches for vulnerabilities in the Linux kernel and critical userspace components that pose a risk of exploitation, irrespective of their CVSS score. Each supported Linux kernel and component receives live patches for its lifetime, so the live patching process fits each organization’s maintenance processes, whether periodic or ad hoc.
KernelCare live patching brings automation to the ‘Automated Operating System Patch Management’ CIS control and further complements an organization’s vulnerability management program by integrating seamlessly with all major vulnerability scanners.