Security Control: Vulnerability Management

Vulnerability management recommendations focus on continuously acquiring, assessing, and acting on new information in order to identify and remediate vulnerabilities, and on minimizing the window of opportunity for attackers.

5.1: Run automated vulnerability scanning tools

Azure ID: 5.1
CIS IDs: 3.1, 3.2, 3.3
Responsibility: Customer

Follow recommendations from Azure Security Center on performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers.

Use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a just-in-time (JIT) provisioning methodology for the scan account, so that it exists and holds privileges only for the duration of each scan. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

5.2: Deploy automated operating system patch management solution

Azure ID: 5.2
CIS IDs: 3.4
Responsibility: Customer

Use Azure "Update Management" to ensure the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

5.3: Deploy automated patch management solution for third-party software titles

Azure ID: 5.3
CIS IDs: 3.5
Responsibility: Customer

Use a third-party patch management solution. Customers already using System Center Configuration Manager in their environment may use System Center Updates Publisher, which allows them to publish custom updates into Windows Server Update Services (WSUS). Update Management can then patch machines that use System Center Configuration Manager as their update repository with third-party software updates.

5.4: Compare back-to-back vulnerability scans

Azure ID: 5.4
CIS IDs: 3.6
Responsibility: Customer

Export scan results at consistent intervals and compare consecutive exports to verify that previously reported vulnerabilities have been remediated and to identify newly introduced ones. When using vulnerability management recommendations suggested by Azure Security Center, you may pivot into the selected solution's portal to view historical scan data.

5.5: Use a risk-rating process to prioritize the remediation of discovered vulnerabilities

Azure ID: 5.5
CIS IDs: 3.7
Responsibility: Customer

Use a common risk scoring program (for example, Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool.
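As an added example for controls 5.4 and 5.5 (not part of the Azure Security Benchmark itself), the following Python script compares two consecutive scan exports, classifies each finding as remediated, new, or persistent, and orders the open findings by CVSS base score. The CSV layout and the EXAMPLE-nnnn finding identifiers are constructed for illustration; adapt load_scan to your scanner's actual export format.

```python
import csv
import io

# Constructed sample exports (asset, finding id, CVSS base score); not real scan data.
SCAN_PREVIOUS = """asset,finding,cvss
vm-web-01,EXAMPLE-0001,9.8
vm-web-01,EXAMPLE-0002,5.3
vm-db-01,EXAMPLE-0003,7.5
"""

SCAN_CURRENT = """asset,finding,cvss
vm-web-01,EXAMPLE-0002,5.3
vm-db-01,EXAMPLE-0003,7.5
vm-db-01,EXAMPLE-0004,8.8
"""


def load_scan(export_text):
    """Parse a scanner CSV export into {(asset, finding): cvss_score}."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {(r["asset"], r["finding"]): float(r["cvss"]) for r in rows}


def compare_scans(previous, current):
    """Control 5.4: classify findings between two back-to-back scans."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "remediated": sorted(prev_keys - cur_keys),  # gone since last scan
        "new": sorted(cur_keys - prev_keys),          # introduced since last scan
        "persistent": sorted(prev_keys & cur_keys),   # still open
    }


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritize(current, diff):
    """Control 5.5: order open findings, highest CVSS first; persistent
    findings rank ahead of new ones at equal score since they have aged."""
    persistent = set(diff["persistent"])
    open_keys = diff["new"] + diff["persistent"]
    return sorted(open_keys, key=lambda k: (-current[k], k not in persistent, k))
```

Running compare_scans on the two samples reports EXAMPLE-0001 as remediated and EXAMPLE-0004 as new; prioritize then lists the open findings as Critical, High, Medium.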
