3.4: Deploy Automated Operating System Patch Management Tools

Sub-control 3.4 states that you must deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Asset Type: Applications
Security Function: Protect
Implementation Groups: 1, 2, 3

Dependencies

  • Sub-control 5.1: Establish Secure Configurations

Inputs

  1. Required OS auto-update configuration: This varies by organization, by product, by security tool, etc., and may be a single setting or several. You must also decide whether partially matching settings earn partial credit, how individual settings are weighted, which settings depend on others, etc.
  2. List of required updates: This could be pulled from the vendor’s website, or could be an organization’s selected subset of updates.

    • Optional Field: If time metrics are desired, this list also needs to show the date when each update was released by the vendor.
    • Continuous vulnerability scanning and integration with patch management systems can often lessen the burden on organizations to visit vendor sites and pull lists of updates. Tenable Security Center Continuous View supports a wide variety of patch management solutions including SCCM, WSUS, HCL BigFix, Dell KACE K1000, and Symantec Altiris.
  3. List of endpoints to be checked: Ideally, this includes all assets. While some hardware devices exist that rarely receive patches, all endpoints should be monitored on a regular basis. The list of endpoints can be pulled from the "Ground Truth" devices of Sub-Control 1.4, because this list includes all known devices on the network as identified by continuous scanning.
  4. Optional: Time metrics: The allowable time frame for installation of an update after its release. CIS recommends this be at least 30 days.

Operations

  1. For each endpoint in I3, compare that endpoint’s auto-update configuration to that provided in I1. Then, generate a score based on the logic provided by I1 (M1).
  2. For each endpoint in I3, retrieve a list of installed OS updates (M2) and compare that endpoint’s installed updates to the required updates provided by I2. The list of matching updates is M3.
  3. (Optional) If timing metrics are desired, for each endpoint, also determine the elapsed time between the update release date provided in I2 and the install date for each of the corresponding updates on the endpoint. This information could be added as another field attached to each update entry in M3.

Measures

M1 = Auto-update configuration score

The endpoint-specific auto-update configuration score as determined by Operation 1.

M2 = List of installed updates

An endpoint-specific list of installed updates as determined by Operation 2.

M3 = List of required updates

An endpoint-specific list of the required updates that are installed, as determined in Operation 2. This is the full list of required updates found installed on each endpoint.

M4 = Number of required updates

The number of required OS updates per I2. This is a count of all updates that are required to be installed.

M5 = Count of items in M3

A count of the total number of items in M3.

Metrics

Update Effectiveness (Per Endpoint)

For a given endpoint, the ratio of installed required OS updates to the total number of required OS updates. If M4 = 0, the endpoint requires no OS updates. Otherwise, this metric is calculated as M5 / M4.

Update Effectiveness (Organizational)

The organizational metric is calculated by averaging the results of the Per Endpoint metric above across all endpoints.
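The following Python script is an added worked example, not part of this page or of any Tenable product, that carries the Operations, Measures and Metrics above through on constructed data. The auto-update setting names and their weights (I1), the update identifiers and release dates (I2), the endpoints (I3) and the 30-day window (I4) are all assumptions chosen for illustration; a real deployment would pull them from the organization's configuration baseline, the vendor's update feed and the asset inventory from Sub-control 1.4.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# I1: required auto-update configuration. Setting names and weights are
# hypothetical; weights sum to 1.0 so M1 is a score in [0, 1].
REQUIRED_CONFIG: Dict[str, float] = {
    "auto_update_enabled": 0.6,
    "auto_install_security_updates": 0.3,
    "reboot_within_maintenance_window": 0.1,
}

# I4: allowable time from vendor release to installation (CIS: at least 30 days).
MAX_INSTALL_DAYS = 30


@dataclass
class RequiredUpdate:
    update_id: str
    released: date          # I2 optional field: vendor release date


@dataclass
class InstalledUpdate:
    update_id: str
    installed: date         # install date recorded on the endpoint


@dataclass
class Endpoint:
    name: str
    auto_update_config: Dict[str, bool]
    installed: List[InstalledUpdate]   # M2 source for this endpoint


# I2: required OS updates (constructed identifiers, not real vendor KB numbers).
REQUIRED_UPDATES = [
    RequiredUpdate("KB-EXAMPLE-0001", date(2023, 3, 1)),
    RequiredUpdate("KB-EXAMPLE-0002", date(2023, 3, 15)),
    RequiredUpdate("KB-EXAMPLE-0003", date(2023, 4, 1)),
]

# I3: endpoints to check (constructed sample inventory).
ENDPOINTS = [
    Endpoint("srv-01",
             {"auto_update_enabled": True, "auto_install_security_updates": True,
              "reboot_within_maintenance_window": True},
             [InstalledUpdate("KB-EXAMPLE-0001", date(2023, 3, 10)),
              InstalledUpdate("KB-EXAMPLE-0002", date(2023, 4, 20)),
              InstalledUpdate("KB-EXAMPLE-0003", date(2023, 4, 5))]),
    Endpoint("ws-02",
             {"auto_update_enabled": True, "auto_install_security_updates": False,
              "reboot_within_maintenance_window": False},
             [InstalledUpdate("KB-EXAMPLE-0001", date(2023, 3, 20)),
              InstalledUpdate("KB-OTHER-9999", date(2023, 3, 21))]),  # not required
]


def m1_config_score(endpoint: Endpoint, required=REQUIRED_CONFIG) -> float:
    """Operation 1: weighted share of required settings that the endpoint has enabled (M1)."""
    return sum(weight for key, weight in required.items()
               if endpoint.auto_update_config.get(key, False))


def m3_matching_updates(endpoint: Endpoint, required=REQUIRED_UPDATES) -> List[dict]:
    """Operations 2 and 3: required updates that are installed (M3), each with the
    elapsed days between vendor release and installation and a flag for the I4 window."""
    installed = {u.update_id: u.installed for u in endpoint.installed}   # M2 as a lookup
    matches = []
    for req in required:
        if req.update_id in installed:
            days = (installed[req.update_id] - req.released).days
            matches.append({"update_id": req.update_id,
                            "days_to_install": days,
                            "within_window": days <= MAX_INSTALL_DAYS})
    return matches


def update_effectiveness(endpoint: Endpoint, required=REQUIRED_UPDATES) -> Optional[float]:
    """Per-endpoint metric: M5 / M4. Returns None when M4 = 0 (no updates required)."""
    m4 = len(required)
    if m4 == 0:
        return None
    m5 = len(m3_matching_updates(endpoint, required))
    return m5 / m4


def organizational_effectiveness(endpoints: List[Endpoint], required=REQUIRED_UPDATES) -> Optional[float]:
    """Organizational metric: mean of the per-endpoint metric. Endpoints with no
    required updates (metric None) are left out of the average (an assumption)."""
    scores = [s for s in (update_effectiveness(e, required) for e in endpoints) if s is not None]
    return sum(scores) / len(scores) if scores else None


if __name__ == "__main__":
    for ep in ENDPOINTS:
        print(ep.name, "M1 =", round(m1_config_score(ep), 2),
              "effectiveness =", update_effectiveness(ep))
        for m in m3_matching_updates(ep):
            print("   ", m)
    print("organizational effectiveness =", organizational_effectiveness(ENDPOINTS))
```

Note that the time metric from Operation 3 is carried alongside each M3 entry rather than folded into the effectiveness ratio, matching the page's description; here `srv-01` has every required update installed (effectiveness 1.0) even though one of them was applied 36 days after release, so the per-update `within_window` flag is what surfaces that lapse.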