Security Control: Vulnerability Management
Vulnerability management recommendations focus on addressing issues related to continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities as well as minimizing the window of opportunity for attackers.
5.1: Run automated vulnerability scanning tools
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 5.1 | 3.1, 3.2, 3.3 | Customer |
Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers.
Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
5.2: Deploy automated operating system patch management solution
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 5.2 | 3.4 | Customer |
Use Azure "Update Management" to ensure the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
How to configure Update Management for virtual machines in Azure
Understand Azure security policies monitored by Security Center
5.3: Deploy automated patch management solution for third-party software titles
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 5.3 | 3.5 | Customer |
Use a third-party patch management solution. Customers already leveraging System Center Configuration Manager in their environment may leverage System Center Updates Publisher, allowing them to publish custom updates into Windows Server Update Service. This allows Update Manager to patch machines that use System Center Configuration Manager as their update repository with third-party software.
5.4: Compare back-to-back vulnerability scans
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 5.4 | 3.6 | Customer |
Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you may pivot into the selected solution's portal to view historical scan data.
5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities
| Azure ID | CIS IDs | Responsibility |
|---|---|---|
| 5.5 | 3.7 | Customer |
Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.
Next steps
- See the next Security Control: Inventory and Asset Management
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for