Jul 17 2023

Using Automation to Meet CISA’s Vulnerability Management Directive

Automated vulnerability scanning minimizes the need for human intervention, reducing the potential for human error.

Cyberattacks against government agencies have risen significantly since the introduction of the Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01.

Such attacks increased 95 percent in the second half of 2022 compared with the same time period in 2021, according to CloudSEK. The U.S. was the second-most targeted country in 2022.

CISA continues to provide actionable guidance about prioritizing vulnerability management and reacting to threats quickly as the number and sophistication of attacks increase. BOD 22-01 created a living, growing list of more than 800 vulnerabilities that agencies must be prepared to address within two weeks or less.

Combing through that list and matching vulnerabilities to the systems an agency uses is nearly impossible, even for the hardest-working personnel. It’s especially challenging for agencies impacted by the ongoing cybersecurity skills shortage, and 65 percent of respondents to a recent Fortinet Training Institute survey believe that cyberattacks will increase over the next year.

Automation plays an important role in alleviating the burden on overworked government cybersecurity experts while helping agencies meet the requirements of CISA’s directive. It can help agencies identify and prioritize vulnerabilities that pose the most immediate or potentially destructive threats against their organizations so they can act quickly and protect themselves.


How to Quickly Address and Prioritize Vulnerabilities

There are a few methods agencies can use to automate vulnerability tracking and assessment, including:

Open Vulnerability Assessment Language

  • OVAL is a collaborative effort — driven in part by the National Institute of Standards and Technology and other industry leaders in the information security community — designed to “promote open and publicly available security content.” OVAL reports include information on systems, machine states and assessment results. A product security incident response team compiles the reports, which present vulnerability data in a standard format that enables users to easily act based on the assessment results. Some vendors incorporate this research into their tools, enabling users to easily consume data feeds and focus on remediating vulnerabilities.

Vulnerability Exploitability eXchange Data Format

  • VEX is a simple way to state whether a piece of software is or is not affected by a vulnerability. A VEX document is published by the software supplier: it names the product, names the vulnerability, and categorizes the product as “not affected,” “affected,” “fixed” or “under investigation.” The information is presented in a machine-readable format, so users can automatically compare the results with the solutions they’re using. This makes it easier for an organization to determine whether a vulnerability on the BOD 22-01 list poses a threat to it, as well as which vulnerabilities it should prioritize.

Software Bills of Materials

  • SBOMs are formal inventories that include granular details of an agency’s software tools, including their versions, components and provenance. While SBOMs are still in the early adoption phase, they are highly effective at cataloging software inventory and protecting against possible attacks. Using an SBOM in combination with a VEX makes it easier to match vulnerabilities on the BOD 22-01 list with the solutions an agency is currently using.

Many software vendors use these services to advise their customers on which vulnerabilities they should act against and which they don’t have to worry about. For example, if a vulnerability that made the BOD 22-01 list shows up in an OVAL or VEX report, the supplier of that software should automatically alert its customers while providing a patch or update. This takes the onus of having to determine what to do about vulnerabilities off of users, enabling them to focus on quickly fixing issues.
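The matching step the three sections above describe (SBOM components checked against the BOD 22-01 catalog, then VEX statements applied to decide what actually needs action) can be shown in a few dozen lines. The example below is added here and is not code from the article or from CISA; the SBOM, the catalog entries, the VEX statements and every CVE identifier are constructed placeholders. One assumption to note: the real KEV catalog does not carry version ranges, so the `fixed_in` field on each catalog entry is a hypothetical enrichment that a scanner or vendor feed would supply.

```python
"""Match an SBOM against a KEV-style catalog and apply VEX statements.

Added example, not the article's or CISA's code. All identifiers, versions
and dates are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date

# The four VEX status values named in the article, in machine-readable form.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


@dataclass(frozen=True)
class Component:            # one SBOM entry (name + version is enough here)
    name: str
    version: str


@dataclass(frozen=True)
class CatalogEntry:         # one KEV-style row; fixed_in is an assumed enrichment
    vuln_id: str
    product: str
    fixed_in: str           # first version that is NOT vulnerable (assumption)
    due_date: date          # remediation deadline set by the directive


@dataclass(frozen=True)
class VexStatement:         # one supplier statement about (vuln, product, version)
    vuln_id: str
    product: str
    version: str
    status: str

    def __post_init__(self):
        if self.status not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status: {self.status!r}")


def parse_version(v: str) -> tuple:
    """Dotted version -> tuple of ints; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_vulnerable(comp: Component, entry: CatalogEntry) -> bool:
    """Naive match: same product and version below the fixed version."""
    return comp.name == entry.product and \
        parse_version(comp.version) < parse_version(entry.fixed_in)


def triage(sbom, catalog, vex, today: date):
    """Return open findings, most urgent first.

    A VEX 'not_affected' or 'fixed' statement closes a naive match (the
    supplier knows better than a version comparison, e.g. backported fixes).
    No statement at all is treated as 'affected' (conservative default).
    """
    vex_index = {(s.vuln_id, s.product, s.version): s.status for s in vex}
    findings = []
    for comp in sbom:
        for entry in catalog:
            if not is_vulnerable(comp, entry):
                continue
            status = vex_index.get((entry.vuln_id, comp.name, comp.version), "affected")
            if status in ("not_affected", "fixed"):
                continue                      # closed by the supplier's VEX
            findings.append({
                "vuln_id": entry.vuln_id,
                "component": f"{comp.name}@{comp.version}",
                "status": status,
                "days_left": (entry.due_date - today).days,
            })
    # Confirmed 'affected' before 'under_investigation', then nearest deadline first.
    findings.sort(key=lambda f: (f["status"] != "affected", f["days_left"]))
    return findings


# Constructed sample data (placeholders, not real products or CVEs).
SAMPLE_SBOM = [
    Component("example-web-server", "2.4.1"),
    Component("example-parser-lib", "1.0.3"),
    Component("example-crypto-lib", "3.1.0"),
    Component("example-db-driver", "5.2.0"),
]
SAMPLE_CATALOG = [
    CatalogEntry("CVE-0000-0001", "example-web-server", "2.4.2", date(2023, 7, 31)),
    CatalogEntry("CVE-0000-0002", "example-parser-lib", "1.1.0", date(2023, 8, 15)),
    CatalogEntry("CVE-0000-0003", "example-crypto-lib", "3.0.5", date(2023, 7, 20)),
    CatalogEntry("CVE-0000-0004", "example-db-driver", "5.3.0", date(2023, 7, 25)),
]
SAMPLE_VEX = [
    # supplier says the vulnerable code path is not reachable in this build
    VexStatement("CVE-0000-0002", "example-parser-lib", "1.0.3", "not_affected"),
    VexStatement("CVE-0000-0004", "example-db-driver", "5.2.0", "under_investigation"),
]


def run_example(today: date = date(2023, 7, 17)):
    return triage(SAMPLE_SBOM, SAMPLE_CATALOG, SAMPLE_VEX, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['vuln_id']}  {f['component']:<28} {f['status']:<20} due in {f['days_left']}d")
```

With the sample data, the crypto library drops out on version alone, the parser library is closed by the supplier's "not affected" statement, and two findings remain: the web server (confirmed affected, two weeks to the deadline) ahead of the database driver, which stays open as "under investigation" and must still be tracked until the supplier resolves it. The conservative default (no VEX statement means "affected") is the design choice that keeps an unanswered catalog entry from silently disappearing from the work queue.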


Minimizing Human Involvement Leads to Better Security Outcomes

While these are all good options, there will still be instances where system administrators need to individually examine their systems or dig through code and files to look for vulnerabilities. This is where automated vulnerability scanning comes in.

With automated scanning, software checks for possible vulnerabilities and threats, alerts users to their existence, and automatically remediates and closes security gaps. Automated vulnerability scanning minimizes the need for human intervention, reducing the potential for human error. It also reduces the scope of privileged access management, which can be time-consuming to implement and manage, and it shifts staff attention away from routine system interventions for patching and updates.

Agencies can get closer to the ideal of zero trust without having to worry that a person has missed something that could ultimately be damaging. Ironically, the chances of such an oversight will likely increase as organizations rely more on SBOMs.

SBOMs are important and useful, but there is a danger that some teams may become too dependent on them. It will be important to have automated solutions to essentially back up the SBOM for an extra layer of assurance.

As vulnerabilities and attacks continue to escalate, traditional vulnerability management methods are no longer sufficient. Agencies should implement a multilayered and automated approach to cybersecurity.

Doing so will help them meet CISA’s directive and keep their organizations well-fortified, while freeing up resources to focus on other mission-critical priorities.
