NIST SPECIAL PUBLICATION 1800-31

---

Improving Enterprise Patching for General IT Systems:

Improving Enterprise Patching for General IT Systems

Utilizing Existing Tools and Performing Processes in Better Ways

---

Includes Executive Summary (A); Security Risks and Capabilities (B); and How-To Guides (C)

Tyler Diamond*

Alper Kerman

Murugiah Souppaya

Kevin Stine

Brian Johnson

Chris Peloquin

Vanessa Ruffin

Mark Simos

Sean Sweeney

Karen Scarfone

*Former employee; all work for this publication was done while at employer

April 2022

FINAL

This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-31

The draft publication is available free of charge from https://www.nccoe.nist.gov/publications/practice-guide/nist-sp-1800-31-improving-enterprise-patching-general-it-systems-draft

NIST SPECIAL PUBLICATION 1800-31

Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways

Includes Executive Summary (A); Security Risks and Capabilities (B); and How-To Guides (C)

Tyler Diamond*

Alper Kerman

Murugiah Souppaya

National Cybersecurity Center of Excellence

Information Technology Laboratory

Brian Johnson

Chris Peloquin

Vanessa Ruffin

The MITRE Corporation

McLean, VA

Mark Simos

Sean Sweeney

Microsoft

Redmond, WA

Karen Scarfone

Scarfone Cybersecurity

Clifton, Virginia

*Former employee; all work for this publication was done while at employer

FINAL

April 2022

U.S. Department of Commerce

Gina M. Raimondo, Secretary

National Institute of Standards and Technology

James K. Olthoff, Performing the non-exclusive functions and duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology

Volume A

• Executive Summary
  • Challenge
  • Solution
  • How To Use This Guide
  • Share Your Feedback
  • Collaborators

Volume B

• 1 Summary
  • 1.1 Challenge
  • 1.2 Solution
  • 1.3 Benefits
• 2 How to Use This Guide
  • 2.1 Typographic Conventions
• 3 Approach
  • 3.1 Audience
  • 3.2 Scope
  • 3.3 Assumptions
  • 3.4 Scenarios
    • 3.4.1 Scenario 0: Asset identification and assessment
    • 3.4.2 Scenario 1: Routine patching
    • 3.4.3 Scenario 2: Routine patching with cloud delivery model
    • 3.4.4 Scenario 3: Emergency patching
    • 3.4.5 Scenario 4: Emergency mitigation (and backout if needed)
    • 3.4.6 Scenario 5: Isolation of unpatchable assets
    • 3.4.7 Scenario 6: Patch management system security (or other system with administrative privileged access)
  • 3.5 Risk Assessment
    • 3.5.1 Threats, Vulnerabilities, and Risks
    • 3.5.2 Security Control Map
• 4 Components of the Example Solution
  • 4.1 Collaborators
    • 4.1.1 Cisco
    • 4.1.2 Eclypsium
    • 4.1.3 Forescout
    • 4.1.4 IBM
    • 4.1.5 Lookout
    • 4.1.6 Microsoft
    • 4.1.7 Tenable
    • 4.1.8 VMware
  • 4.2 Technologies
    • 4.2.1 Cisco Firepower Threat Defense (FTD) & Firepower Management Center (FMC)
    • 4.2.2 Cisco Identity Services Engine (ISE)
    • 4.2.3 Eclypsium Administration and Analytics Service
    • 4.2.4 Forescout Platform
    • 4.2.5 IBM Code Risk Analyzer
    • 4.2.6 IBM MaaS360 with Watson
    • 4.2.7 Lookout
    • 4.2.8 Microsoft Endpoint Configuration Manager
    • 4.2.9 Tenable.io
    • 4.2.10 Tenable.sc and Nessus
    • 4.2.11 VMware vRealize Automation SaltStack Config
    • 4.2.12 Additional Information
• Appendix A Patch Management System Security Practices
  • A.1 Security Measures
  • A.2 Component Support of Security Measures
    • A.2.1 Cisco FTD Support of Security Measures
    • A.2.2 Cisco ISE Support of Security Measures
    • A.2.3 Eclypsium Administration and Analytics Service Support of Security Measures
    • A.2.4 Forescout Platform Support of Security Measures
    • A.2.5 IBM Code Risk Analyzer Support of Security Measures
    • A.2.6 IBM MaaS360 with Watson Support of Security Measures
    • A.2.7 Lookout MES Support of Security Measures
    • A.2.8 Microsoft Endpoint Configuration Manager (ECM) Support of Security Measures
    • A.2.9 Tenable.sc Support of Security Measures
    • A.2.10 VMware vRealize Automation SaltStack Config Support of Security Measures
• Appendix B List of Acronyms

Volume C

• 1 Introduction
  • 1.1 How to Use this Guide
  • 1.2 Build Overview
    • 1.2.1 Use Case Scenarios
    • 1.2.2 Logical Architecture
  • 1.3 Build Architecture Summary
  • 1.4 Implemented Products and Services
  • 1.5 Supporting Infrastructure and Shared Services
    • 1.5.1 AD Domain Services
    • 1.5.2 Windows DNS
    • 1.5.3 Windows DHCP
    • 1.5.4 Cisco Switch
  • 1.6 Typographic Conventions
• 2 Tenable
  • 2.1 Nessus Installation and Configuration
  • 2.2 Tenable.sc
    • 2.2.1 Tenable.sc Installation and Configuration
    • 2.2.2 Tenable.sc Scan Setup and Launch
    • 2.2.3 Scan Results
    • 2.2.4 Tenable.sc Dashboards
    • 2.2.5 Tenable.sc Reporting
    • 2.2.6 Tenable.sc Integrations
    • 2.2.7 Tenable.sc Ongoing Maintenance
  • 2.3 Tenable.io
    • 2.3.1 Tenable.io Configuration
    • 2.3.2 Performing Container Scans
    • 2.3.3 Container Scan Results
    • 2.3.4 Tenable.io Maintenance
• 3 Eclypsium
  • 3.1 Eclypsium Installation and Configuration
  • 3.2 Eclypsium Scanning
  • 3.3 Eclypsium Reporting
  • 3.4 Updating Firmware
  • 3.5 Updating Eclypsium
• 4 VMware
  • 4.1 VMware vRealize Automation SaltStack Config Installation and Configuration
  • 4.2 Salt Minion Agent
  • 4.3 SaltStack Config Jobs
  • 4.4 SaltStack SecOps
  • 4.5 vRealize Automation SaltStack Config Maintenance
• 5 Cisco
  • 5.1 Cisco FTD and FMC
    • 5.1.1 Cisco FMC Installation
    • 5.1.2 Cisco FTD Installation
    • 5.1.3 Licensing Cisco FTD with Cisco FMC
    • 5.1.4 Cisco FTD Initial Network Configuration
  • 5.2 Cisco Identity Services Engine
    • 5.2.1 Cisco ISE Installation
    • 5.2.2 Cisco ISE Initial Configuration
    • 5.2.3 Configuring AnyConnect VPN Using Cisco FTD and Cisco ISE
    • 5.2.4 Cisco Security Group Tags (SGTs)
    • 5.2.5 Cisco ISE Integration with Tenable.sc
    • 5.2.6 Cisco ISE Integration with Cisco Catalyst 9300 Switch
    • 5.2.7 Cisco ISE Policy Sets
      • 5.2.7.1 VPN Policy Set
      • 5.2.7.2 Wired 802.1x Policy Set
    • 5.2.8 Client Provisioning Policy
    • 5.2.9 Posture Assessment
    • 5.2.10 Cisco FTD Firewall Rules
  • 5.3 Cisco Maintenance
• 6 Microsoft
  • 6.1 Microsoft Installation and Configuration
  • 6.2 Device Discovery
  • 6.3 Patching Endpoints with Microsoft Endpoint Configuration Manager
  • 6.4 Microsoft Reporting
  • 6.5 Microsoft Maintenance
• 7 Forescout
  • 7.1 Installation and Configuration of Enterprise Manager and Appliance
    • 7.1.1 Installation via OVF
    • 7.1.2 Installation of Forescout Console and Initial Setup
  • 7.2 Forescout Capabilities Enabled
    • 7.2.1 Network
    • 7.2.2 User Directory
    • 7.2.3 DNS Query Extension
    • 7.2.4 Tenable VM
    • 7.2.5 Microsoft SMS/SCCM
    • 7.2.6 Linux
    • 7.2.7 HPS Inspection Engine
    • 7.2.8 pxGrid
    • 7.2.9 Switch
    • 7.2.10 VMware vSphere/ESXi
  • 7.3 Policies
    • 7.3.1 Adobe Flash Player Removal Policy
    • 7.3.2 Java Removal Policy
    • 7.3.3 Critical Vulnerability Quarantine Policy
    • 7.3.4 Force Windows Update Policy
    • 7.3.5 Agent Compliance Check Policy
    • 7.3.6 SCCM Agent Non Compliant Check Policy
  • 7.4 Forescout Maintenance
• 8 IBM
  • 8.1 IBM Code Risk Analyzer
    • 8.1.1 Getting Ready
    • 8.1.2 Creating Your Toolchain
    • 8.1.3 Configuring Delivery Pipeline
    • 8.1.4 Executing the Developer Workflow
    • 8.1.5 Reviewing the Code Risk Analyzer Results
  • 8.2 IBM MaaS360 with Watson Phase 1
    • 8.2.1 Enrolling Devices
    • 8.2.2 Cloud Extender Installation
    • 8.2.3 App Catalog and Distribution
    • 8.2.4 Deploying Patches
    • 8.2.5 MaaS360 Maintenance
  • 8.3 IBM MaaS360 with Watson Phase 2
    • 8.3.1 Enrolling Mobile Devices
    • 8.3.2 Device Inventory
    • 8.3.3 Device Policies
    • 8.3.4 Alerts
    • 8.3.5 Firmware Updates
  • 8.4 IBM MaaS360 with Watson Reporting
• 9 Lookout
  • 9.1 Integrating Lookout with IBM MaaS360
  • 9.2 Adding Lookout for Work to the MaaS360 App Catalog
  • 9.3 Configuring MaaS360 Connector in the Lookout MES Console
  • 9.4 Firmware Discovery and Assessment
  • 9.5 Software Discovery and Assessment
  • 9.6 Lookout MES Security Protections
  • 9.7 Security Compliance Enforcement with IBM MaaS360
• Appendix A List of Acronyms