Patching known vulnerabilities is as close to an open goal as cybersecurity professionals get. It’s a fundamental best practice that helps organizations to reduce risk through enhanced cyber hygiene.
However, putting theory into practice hasn’t always been easy for IT security and operations teams, especially the federal government. So it’s understandable that a new Binding Operational Directive (BOD) from the US Cybersecurity and Infrastructure Security Agency (CISA) is causing concern as well as winning praise. Concerns due to tight timelines: known vulnerabilities from 2021 listed in the BOD must be patched within two weeks. And praise for getting serious about vulnerabilities that could threaten government systems.
Fortunately, Tanium was made for this. Trusted by a majority of the branches of the US Armed Forces, we empower government IT teams to identify threats, contain breaches and remediate risk within seconds and minutes, not days and weeks — no matter how many endpoints you have or where they are located.
What does the BOD demand?
Some have argued that the BOD is long overdue, given the well-documented challenges federal agencies have faced with patching programs over the years. Following a Presidential Executive Order on Cybersecurity issued back in May, it’s a strong start for an administration keen to improve baseline security standards and practices across the government.
The directive applies to all software and hardware on internet- and non-internet-facing IT systems, whether they’re managed in-house or by a third party. Applicable to all federal civilian agencies, it mandates they patch a list of over 300 vulnerabilities judged to present a “significant risk” to networks.
Agencies have just two weeks to remediate the vulnerabilities published in 2021 and six months for legacy flaws dating back to 2014. The directive also establishes a CISA-managed catalog of known exploited vulnerabilities and requirements for agencies to fix them. This list will be regularly updated, making this not a one-off effort but something that will require a continuous patch management program.
No two federal agencies are alike. But one thing most share is a disparate IT environment of new and old, spread across on-premises and multiple cloud-based platforms. Further complicating efforts to patch promptly is the inevitable growth of unmanaged endpoints since the start of the pandemic, following mass work from home mandates. This presents IT teams with a complex, distributed and opaque environment – and with a common lack of resources in staffing and expertise.
These challenges make it difficult for agencies to answer vital questions like:
- Where are the BOD-listed vulnerabilities in my environment?
- How can I patch these common vulnerabilities and exposures (CVEs) at speed and scale?
- How can I quickly validate whether or not these patches were installed?
Unfortunately, federal agencies do not have the weeks or months usually needed to answer such questions. They now have just days.
How Tanium can help
The Tanium platform can help agencies meet this aggressive patching timeline. Its unique architecture delivers visibility into the entire endpoint estate, and the capabilities to deploy patches at tremendous speed and scale — no matter how many assets are in the organization.
Tanium has enabled customers to shorten patching cycles for their entire fleet from months to under an hour. The US Air Force, for example, was able to mitigate the notorious WannaCry ransomware worm in 2017 — patching its entire endpoint estate in just 41 minutes.
Tanium customers have also used the platform to patch high-profile exploits such as PrintNightmare in minutes.
Here’s how to use Tanium to help meet the requirements of the BOD:
Gain visibility into your endpoint estate
You can’t protect what you can’t see. Leverage Tanium Discover, Comply, Trends, Interact, and Asset to find out where the CVEs in the CISA BOD exist in your organization.
Discover enables you to see every machine or device plugged into the network.
Comply can be used to scan continually against the CVEs in the CISA catalog and create a report revealing your risk exposure.
Trends offers easy-to-digest dashboards via to display the information contained in Comply reports and to track remediation efficacy.
Interact enables IT users to query endpoints for arbitrary data points, such as CVEs, in plain English. Alternatively, Interact dashboards can be created containing pre-configured questions.
Asset allows you to create a report identifying vulnerable software on online and offline machines.
Remediate those unpatched vulnerabilities
Once you have visibility, it’s time to patch. Tanium Patch, Enforce, Deploy and Interact can all help to remediate open CVEs.
Patch enables Windows, Linux, and OSX operating system patching across your enterprise at speed and scale.
Enforce applies configuration changes across the entire endpoint estate within minutes.
Deploy enables customers to install, upgrade, or uninstall third-party software across the organization.
Interact provides comprehensive visibility and control, enabling IT to ask questions in order to check if unpatched CVEs are present on endpoints, and then take action to quickly remediate them.
To find out more about these capabilities, please visit our Community post.
With Tanium, federal agencies can meet the most pressing requirements of the BOD within hours. That’s peace of mind for now and into the future, as the catalog is updated.
Tanium can help your agency implement this new directive. Contact us today.