Understand vulnerability and configuration scanning

Vulnerability and configuration scanning are the final components of PAVC. The security agent installed on all assets during deployment enables fully automated vulnerability and configuration scanning of the production environment. The security agent uses industry-standard tools to detect known vulnerabilities and security misconfigurations. Production assets are scheduled for daily, automatic scans with the most recent vulnerability signatures. The results of these scans are collected in a secure, central storage service, and automated reporting makes results available to service teams.

Service teams review scan results in dashboards that aggregate findings across assets, giving them comprehensive reporting and trend analysis. Each vulnerability detected in a scan is tracked in these reports until it is fully remediated. When scans indicate missing patches, security misconfigurations, or other vulnerabilities in the environment, service teams use the reports to identify the affected components and target them for remediation.

Vulnerabilities discovered through scanning are prioritized for remediation based on their Common Vulnerability Scoring System (CVSS) scores and other relevant risk factors. Service teams use the change management process to remediate vulnerabilities within timeframes based on the vulnerability's risk. Microsoft 365 ensures system availability during patching through system redundancy and staged release of patches across production environments. Gradual rollout of patches allows service teams to roll back any patches that cause unexpected issues.

Vulnerability scanning and remediation help prevent security incidents by detecting and mitigating potential vulnerabilities before they can be exploited by adversaries. Validation of our security posture through automated daily scans improves our ability to protect Microsoft 365 services and customer data.