Security Control: Vulnerability Management

Vulnerability management recommendations focus on continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities, as well as to minimize the window of opportunity for attackers.

5.1: Run automated vulnerability scanning tools

Azure ID: 5.1 | CIS IDs: 3.1, 3.2, 3.3 | Responsibility: Customer

Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers.

Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a just-in-time (JIT) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

How to implement Azure Security Center vulnerability assessment recommendations:

https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations

5.2: Deploy automated operating system patch management solution

Azure ID: 5.2 | CIS IDs: 3.4 | Responsibility: Customer

Use Azure "Update Management" to ensure the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

How to configure Update Management for virtual machines in Azure:

https://docs.microsoft.com/azure/automation/automation-update-management

Understand Azure security policies monitored by Security Center:

https://docs.microsoft.com/azure/security-center/security-center-policy-definitions

5.3: Deploy automated third-party software patch management solution

Azure ID: 5.3 | CIS IDs: 3.5 | Responsibility: Customer

Use a third-party patch management solution. Customers already using Configuration Manager in their environment can use System Center Updates Publisher to publish custom updates into Windows Server Update Services. This allows Update Manager to patch machines that use Configuration Manager as their update repository with third-party software.

5.4: Compare back-to-back vulnerability scans

Azure ID: 5.4 | CIS IDs: 3.6 | Responsibility: Customer

Export scan results at consistent intervals and compare the results to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Azure Security Center, you may pivot into the selected solution's portal to view historical scan data.

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Azure ID: 5.5 | CIS IDs: 3.7 | Responsibility: Customer

Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.
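Controls 5.4 and 5.5 above describe comparing consecutive scan exports and ranking what remains open by a risk score; the script below, an added example that is not part of the benchmark or of any Azure tooling, does both on two constructed CSV exports. The column layout (asset,vuln_id,cvss), the hostnames and the VULN-x identifiers are assumptions; the severity bands are the CVSS v3.x qualitative ratings.

```python
import csv
import io

# Constructed sample exports from two consecutive scans of the same scope.
# The column layout (asset,vuln_id,cvss) is an assumption; map your
# scanner's export columns onto it before use.
PREVIOUS_SCAN = """asset,vuln_id,cvss
web-01,VULN-A,9.8
web-01,VULN-B,5.3
db-01,VULN-C,7.5
"""
CURRENT_SCAN = """asset,vuln_id,cvss
web-01,VULN-B,5.3
db-01,VULN-C,7.5
db-01,VULN-D,8.1
"""

def parse_scan(csv_text):
    """Key each finding by (asset, vuln_id) so remediation is tracked per host."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(r["asset"], r["vuln_id"]): float(r["cvss"]) for r in reader}

def compare_scans(previous, current):
    """Classify findings across two scans with set differences on the keys."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": prev_keys - cur_keys,  # fixed since the last scan
        "new": cur_keys - prev_keys,         # appeared since the last scan
        "persistent": prev_keys & cur_keys,  # still open: remediation overdue risk
    }

def severity(cvss):
    """CVSS v3.x qualitative rating bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"

def remediation_queue(current, delta):
    """Open findings (new + persistent) ordered highest CVSS first."""
    open_keys = delta["new"] | delta["persistent"]
    ranked = sorted(open_keys, key=lambda k: current[k], reverse=True)
    return [(a, v, current[(a, v)], severity(current[(a, v)])) for a, v in ranked]

if __name__ == "__main__":
    delta = compare_scans(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN))
    print(remediation_queue(parse_scan(CURRENT_SCAN), delta))
```

Findings in the "persistent" set are the ones to check against your remediation SLA, since they have survived at least one full scan interval.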

Next steps

See the next security control: Inventory and Asset Management