Automated patch management with live patching for CIS Controls compliance
The CIS Critical Security Controls, known widely as CIS Controls, are a series of actionable cybersecurity recommendations designed to prevent common and not-so-common attacks against IT infrastructure seen in the wild.
They include a prioritized list of security controls that span from implementation group 1 (IG1), which covers the basic security needs that apply from the smallest to the largest organizations, to implementation groups 2 and 3, which cover the needs of multi-department organizations and enterprises. By designing CIS Controls to defend against known threats, the Center for Internet Security (CIS) shows that implementing them mitigates 83% of all the techniques of the ATT&CK model, setting concrete security expectations for organizations that adopt the framework.
CIS Controls map to other cybersecurity frameworks, such as CMMC, NCSC Cyber Assessment Framework, PCI, and others, making it a very appealing choice for establishing an organization’s cybersecurity controls.
How does CIS Controls tackle security updates?
In CIS Controls version 8, there is a dedicated control to continuous patch and vulnerability management. The 7th control, “Continuous Vulnerability Management,” sets up the necessary processes and infrastructure to keep enterprise software assets up to date, ensuring that vulnerabilities do not lead to a data breach.
It is, in principle, an easy goal to understand and justify, but implementation is not always as straightforward. According to the Ponemon Institute, 56% of enterprise organizations take from five weeks to more than one year to apply security patches, and the same share of companies do not use automation to assist with vulnerability patching.
Why are security updates important?
Attacks that result in data breaches at enterprise organizations occur as a result of a series of steps an attacker takes. Therefore, an organization’s security posture depends heavily on multiple defenses being present at each one of those steps.
A commonly exploited step that leads to a data breach is the exploitation of software vulnerabilities. Given the large number of operating systems, software, and hardware a typical organization uses, it is not a surprise that ransomware attacks against web applications in 2022 were mainly a result of exploiting software vulnerabilities.
What are the CIS recommendations for security updates?
To improve an organization’s security posture against software vulnerabilities, implementation group 1 in CIS Controls includes 4 controls, shown below.

| Control | Title | Group |
|---|---|---|
| 7.1 | Establish and Maintain a Vulnerability Management Process | IG1+ |
| 7.2 | Establish and Maintain a Remediation Process | IG1+ |
| 7.3 | Perform Automated Operating System Patch Management | IG1+ |
| 7.4 | Perform Automated Application Patch Management | IG1+ |
These controls apply to organizations of any size and are considered basic cyber hygiene.
In short, they ensure that organizations perform security updates in an automatic way on a monthly, or more frequent, basis. They also require a documented process to scan infrastructure for vulnerabilities and a follow-up process for remediation that is based on risk analysis, i.e., address the assets that are the most important to the organization first.
As we move to larger organizations, more requirements apply, as shown below.

| Control | Title | Group |
|---|---|---|
| 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | IG2+ |
| 7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | IG2+ |
| 7.7 | Remediate Detected Vulnerabilities | IG2+ |

These controls further ensure that an organization is proactive in both patch management and vulnerability scanning, and that the vulnerabilities it finds are remediated on a regular schedule.
How live patching provides the necessary automation
As seen above, the requirement for automated patch management is present even for implementation group 1 (basic cyber hygiene) of the CIS Controls framework. At the same time, although automatic security updates can be configured on a Linux system today, the resulting setup is very often unusable in practice.
Security patches to the Linux kernel and commonly used components, such as glibc, require a system restart to take effect. Moreover, system updates are often combined with feature updates that may cause unexpected changes in software behavior.
Where’s the automation for system updates?
For this reason, operations teams deploy updates manually in a controlled environment and, after testing, roll them out to production systems during a maintenance window that may be monthly, quarterly, or any other interval the organization can afford.
Although this describes today’s best practice, it is, in effect, a manual process that defeats the goal of automation in security patching. With a manual patching process, the vulnerability exploitation window becomes large, as patches must wait for the next maintenance window to be applied.
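To make two points above concrete, the risk-based remediation order that control 7.2 asks for and the gap between a patch being installed on disk and being active in the running system, here is an added example that is not from the original article and is not KernelCare's or CIS's code. It runs over a constructed fleet inventory (the hostnames, kernel versions, dates and criticality ratings are all hypothetical). A host whose newest installed kernel is newer than the kernel it is running, with no live patch covering the fix, is treated as still exposed; the script counts the days since the vendor published the fix, flags hosts past a monthly deadline, and orders the remediation queue by asset criticality and then by exposure. The version comparison is a simplified numeric split, not the distribution's own package version comparator.

```python
"""Prioritise pending OS security fixes by asset criticality and exposure.

Constructed inventory: each Host records the kernel it is running, the
newest kernel package installed on disk, the date the vendor published the
security fix in that package, and how critical the asset is.  A patch that
is installed but not running (no reboot yet, no live patch) leaves the host
exposed; that is the window a remediation process has to close.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class Host:
    name: str                 # hypothetical hostname
    criticality: int          # 1 = most critical (e.g. externally exposed)
    running_kernel: str       # what `uname -r` would report (constructed)
    installed_kernel: str     # newest kernel package on disk (constructed)
    fix_published: date       # vendor advisory date for that package
    live_patched: bool = False  # fix already applied in memory by live patching


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '5.15.0-91' into (5, 15, 0, 91) for ordering.

    Simplified: numeric pieces only, so it is not a replacement for the
    dpkg/rpm comparators when suffixes such as '~rc1' or epochs appear.
    """
    parts = []
    for piece in version.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def fix_active(host: Host) -> bool:
    """True when the installed fix is actually protecting the running system."""
    if host.live_patched:
        return True
    return parse_version(host.running_kernel) >= parse_version(host.installed_kernel)


def exposure_days(host: Host, today: date) -> int:
    """Days the host has stayed exposed since the fix was published (0 if active)."""
    if fix_active(host):
        return 0
    return (today - host.fix_published).days


def remediation_plan(hosts: List[Host], today: date) -> List[Tuple[str, int]]:
    """Ordered queue of (host, exposure days): most critical first, then longest exposed."""
    pending = [h for h in hosts if not fix_active(h)]
    pending.sort(key=lambda h: (h.criticality, -exposure_days(h, today)))
    return [(h.name, exposure_days(h, today)) for h in pending]


def overdue(hosts: List[Host], today: date, max_days: int = 30) -> List[str]:
    """Hosts exposed longer than the (monthly) remediation deadline."""
    return [h.name for h in hosts if exposure_days(h, today) > max_days]


# Constructed sample fleet; every value below is hypothetical.
FLEET = [
    Host("web-edge-01", 1, "5.15.0-89", "5.15.0-91", date(2024, 1, 10)),
    Host("db-core-01", 1, "5.15.0-91", "5.15.0-91", date(2024, 1, 10)),
    Host("build-03", 3, "5.15.0-86", "5.15.0-91", date(2024, 1, 10)),
    Host("app-02", 2, "5.15.0-89", "5.15.0-91", date(2024, 1, 10), live_patched=True),
    Host("vpn-01", 1, "5.15.0-86", "5.15.0-91", date(2023, 12, 20)),
]
TODAY = date(2024, 2, 14)  # constructed "now" so the run is reproducible

if __name__ == "__main__":
    for name, days in remediation_plan(FLEET, TODAY):
        print(f"{name}: fix installed but not active, exposed {days} days")
    print("past 30-day deadline:", ", ".join(overdue(FLEET, TODAY)))
```

In the sample run, db-core-01 drops out because it already runs the fixed kernel and app-02 drops out because the live patch covers it; the remaining three hosts form the queue, with the critical hosts ahead of the build box even though all of them have waited more than a month. Feeding real data in would mean replacing the constructed FLEET with output from the organization's inventory or vulnerability scanner.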
Live patching to the rescue
KernelCare live patching is a solution that patches the Linux kernel and applications while they run. Unlike system updates, this approach does not require a system restart and is used exclusively for security patching – meaning there are no behavioral changes in the software.
KernelCare live patching enhances an organization’s patch management program by introducing automation and subsequently reducing the time to patch vulnerabilities as well as the vulnerability exploitation window.
It does so by providing live patches for vulnerabilities in the Linux kernel and critical userspace components that pose a risk of exploitation, irrespective of their CVSS score. At the same time, each supported Linux kernel and component receives live patches for its lifetime, ensuring that the live patching process supports each organization’s maintenance processes, whether periodic or ad hoc.
KernelCare live patching brings automation to the ‘Automated Operating System Patch Management’ CIS control and further complements an organization’s vulnerability management program by integrating seamlessly with all major vulnerability scanners.