How Qualys Supports the National Cyber Security Centre (NCSC)’s Vulnerability Management Guidance
Last updated on: April 19, 2024
NCSC details the importance of having asset management and remediation as key requirements of a successful VM program.
“A vulnerability management process shouldn’t exist in isolation. It is a cross-cutting effort and involves not just those working in IT operations, but also security and risk teams.”
In its recent vulnerability management guidance, the UK’s National Cyber Security Centre (NCSC) provided five vulnerability management principles. This guidance is intended to help all organisations, from small and medium businesses to enterprises and the public sector, understand where to focus their vulnerability management (VM) efforts and what goals to target.
The 5 principles as provided by the NCSC
- Put in place a policy to update by default
- Identify your assets
- Carry out assessments by triaging and prioritising
- The organisation must own the risks of not updating
- Verify and regularly review your vulnerability management process
The guidance details the importance of understanding that an efficient and successful VM program is not done in a vacuum and requires coordination between IT and security teams. In practice, this requires those teams to combine three key shared practices: vulnerability management for risk assessment, asset management for identifying all assets and their context, and patch and configuration management.
In this blog, I will focus on three of the NCSC’s principles, showcase the importance of bridging the gap between IT and security for each, and discuss how the Qualys platform can help efficiently implement them.
Sign up for our complimentary service to begin measuring, communicating, and remediating according to NCSC guidelines.
The current state of UK organisations
Based on Qualys’ anonymous data, organisations in the UK fall behind the NCSC guidelines regarding remediating vulnerabilities. For example, on average, UK organisations remediate external-facing vulnerabilities in 17 days, which is much longer than the 5 days recommended by the NCSC. If you consider non-external-facing vulnerabilities, remediation is accomplished after 15 days, which is again longer than the 7 days recommended by the NCSC.
By focusing on discovering external-facing assets, Qualys assists customers in prioritizing vulnerabilities that need urgent patching. This approach ensures compliance with the recommended five-day patching window, helping to close the gap between ideal remediation times and current practices.
Put in place a policy to update by default
This is the first out of the five principles: “You should put in place a policy to update by default, where you always apply software updates as soon as possible, and ideally automatically.” In addition, the NCSC recommends following these aggressive timelines for remediation: Internet-facing services and software – 5 days, Operating system and applications – 7 days, and Internal/air-gapped service and software – 14 days. Unfortunately, as noted by colleague Saeed Abbasi in his blog post, the average business in the UK takes 15 days to remediate internal threats and 17 days to address external vulnerabilities.
Why the discrepancy between timeframes? There can be many reasons. Among them:
- Not enough focus on non-Microsoft products: Many IT teams use a Patch Tuesday-based rollout to implement the “update by default” policy specifically for Microsoft patches. These organisations rightfully target Microsoft software updates as their main “update by default” policy because Microsoft vulnerabilities are numerous; in 2023 alone, Microsoft products introduced 1,000+ new vulnerabilities. However, to follow NCSC’s guidance, focusing only on Microsoft products is not enough as Microsoft products do not represent the largest number of new vulnerabilities. In 2023, other major vendors like Adobe, Google, and Mozilla combined introduced more vulnerabilities than Microsoft (more than 2,000). To make the challenge even harder, products commonly used by end users like VideoLan, 7-Zip, Zoom, and Notepad++ introduced ~80 new vulnerabilities in 2023. Even though this number is not as high as the other major vendors, it still requires IT’s time and attention.
- The lack of communication between security & IT: In most organisations, the IT/remediation teams that are responsible for patching are siloed from the security team and are not exposed to the risk that unpatched vulnerabilities present to the business, nor the additional work required from the security teams when they opt not to implement an “update by default” policy on as many products as possible.
How Qualys Helps
The Qualys platform is designed to help SecOps and IT teams work together and significantly simplify the creation of “safe” and timely policies to “update by default.” The following are two examples of how a unified approach for VM and Patch Management can help security and IT teams work together to create “update by default” policies that comply with the recommended 5 to 14 day remediation times:
“Update by Default” using Zero-Touch Automation
It is a challenge for most organisations to create an update-by-default policy to “patch all non-Microsoft products as soon as a new patch is released on every asset,” and most organisations will need to embrace a phased approach for update by default.
As such, organisations should focus first on the products that introduce the most risk but, at the same time, are “safer” to patch in terms of operational and business continuity risk—this is where Qualys can help. A Qualys dedicated report allows IT and security teams to work together and identify the products that introduce the most security risk to the environment but, at the same time, are the safest to patch automatically. Using the Qualys platform, the remediation teams can create automated jobs that will deploy the latest patch to those selected products as soon as a new update is available – all with Zero Touch – i.e., set and forget. To further align with the NCSC recommendations, the automation can focus only on security-related patches or on patches that solve vulnerabilities based on their risk.
“Update by Default” – automating Patch Tuesdays the easy way
Based on Qualys anonymized data, we see many instances of customers with more than 30% of their Microsoft-related vulnerabilities open more than 30 days after release. This is 6 times longer than the NCSC guidance recommends for Internet-facing software and 4 times longer than recommended for operating systems and applications.
To solve for the delay in patching Microsoft-related vulnerabilities, remediation teams can leverage the Qualys Agent to complement their current Patch Tuesday efforts (i.e., to complement SCCM or other patch products) or, in other cases, to replace them, but either way, ring-based-automation jobs can be created to address patches released by Microsoft every patch Tuesday.
To comply with the guidance, remediation teams can create two Qualys patch jobs:
- One that is automatically triggered a day after Patch Tuesday and deploys the latest Microsoft patches to a set of test devices,
- Followed by a patch job that starts automatically five days after Patch Tuesday and deploys the already-tested patches to production.
As the two jobs are linked and automated, no human intervention is required unless the tested patches introduce a problem. The remediation team will only have to manually intervene and stop the deployment of the “broken” patches to production in the unlikely event that a new Microsoft patch breaks something in the environment.
Identify your assets
The NCSC guidance tells us, “Understanding what systems and software you have on your technical estate, who is responsible for what, and which vulnerabilities are present … Once you have identified this, it’s important to agree the tasks which the security and IT system maintainers carry out.” This principle highlights the foundational importance of three key areas for effective vulnerability management:
Asset Discovery: If you can’t see it, you can’t defend it. Continuous visibility across your attack surface is step 0 of your cyber security program.
How Qualys Helps: Qualys CyberSecurity Asset Management (CSAM) is designed to continuously discover and identify all assets in the environment—including IT/OT/IoT, cloud assets, and external assets. CSAM uses incremental discovery methods such as scanning, agent-based discovery, third-party connectors, and passive sensing to ensure that security teams can identify all unmanaged assets and add them to their VM program. It also provides inventory risk assessment—vulnerabilities, misconfigurations, EoL/EoS software, and missing security controls.
Obsolete and extended-support products: The NCSC tells us, “During asset discovery, you may find products that are obsolete or under extended support. It’s important to make sure they are categorised as such, and that you take the appropriate action.”
How Qualys Helps: Another advantage of having CSAM integrated into your VM solution is identifying all the applications that have reached (or will soon reach) their EoL/EoS in the same console and the same workflows as identification of vulnerabilities. Tech debt such as EoL/EoS are risk multipliers because there will be no patches for end-of-support software. Integrating a remediation solution will help IT and security teams determine a course of action, such as updating to a supported version as recommended by NCSC or uninstalling the product.
Configuration management: As stated in the guidance,“Ensuring secure and consistent configurations across your systems is essential for security and effective operation.”
How Qualys Helps: Qualys VMDR provides out-of-the-box configuration checks to allow security teams to check against commonly used configuration best practices; however, IT teams are the ones that must fix all of the misconfigurations discovered, which is, in many cases, a timely task. Integrating automated fixes of misconfigurations wherever possible allows IT and security teams to work together more efficiently and respond to misconfiguration issues faster.
As part of their guidance for configuration management, the NCSC recommends application allow lists. Integrating asset management into the VM solution simplifies the implementation of these lists. Once IT and security teams agree on the set of allowed applications, the security team is empowered to detect all applications not on this list and take the appropriate action, whether it’s removing the application or notifying the user.
Carry out assessments by triaging and prioritising
The third principle tells us, “A regular scanning regime is essential to make you aware of the risks your organisation may face… Vulnerability and configuration scans may also highlight issues that can’t be addressed through software updates, or where an automatic update mechanism hasn’t worked properly, meaning that manual remediation is required.”
Even though an update-by-default policy may significantly reduce the count of open vulnerabilities, in some cases, organisations find that even with the best efforts to update by default, some vulnerabilities remain open. Some examples of why this may be the case:
- mission-critical systems cannot be patched automatically or have a short maintenance window,
- patches may fail to deploy,
- assets may not be reached or
- certain vulnerabilities cannot be remediated with a patch.
This is why, as NCSC suggests, a manual process should be used to remediate remaining vulnerabilities based on risk prioritization. To implement this NCSC principle, organisations must efficiently coordinate between IT and security teams, leveraging tools like asset management, vulnerability management, and patch management.
As the Qualys Platform intuitively integrates those tools and allows the security and IT teams to use them in a coordinated manner while still complementing other IT tools, the Qualys platform will identify open vulnerabilities that are “in services or applications that are internet facing and/or that would have the largest negative impact if successfully exploited (such as those present in critical shared infrastructure),” and will help the remediation teams find and deploy the relevant configurations and patches to remediate those open, critical vulnerabilities.
The Qualys platform is ideally suited to assisting organisations in meeting the NCSC guidance to assess, triage, and prioritize vulnerabilities that cannot be remediated through software updates alone because it is designed to help security and IT teams:
- Focus on the riskiest vulnerabilities based on the vulnerability’s real security risk (using Qualys’ TruRisk algorithm).
- Identify internet-facing assets and prioritize vulnerabilities found on those assets.
- Enhance prioritization by elevating assets identified by Qualys as critical to the business that will have the largest negative impact if exploited.
- For the riskiest vulnerabilities, based on this prioritization, allow the security team to create “ready to be deployed” remediation jobs that include the relevant patches and configuration changes required to remediate those vulnerabilities, allowing the remediation teams to test and deploy those fixes.
Conclusion
For organisations looking to comply with the NCSC’s vulnerability management guidance to put in place a policy to update by default, identify assets, and carry out assessments by triaging and prioritising, Qualys offers the only integrated platform that brings IT and security teams together to de-risk the business.
Sign up for the webinar on April 30th to see how the Qualys platform can help you meet the NCSC guidelines.
Contributors
- Saeed Abbasi, Product Manager, Vulnerability Research, Qualys
- Palmer Wallace, Senior Product Marketing Manager, Qualys