NIST SPECIAL PUBLICATION 1800-31
Improving Enterprise Patching for General IT Systems:
Utilizing Existing Tools and Performing Processes in Better Ways
Includes Executive Summary (A); Security Risks and Capabilities (B); and How-To Guides (C)
Tyler Diamond*
Alper Kerman
Murugiah Souppaya
Kevin Stine
Brian Johnson
Chris Peloquin
Vanessa Ruffin
Mark Simos
Sean Sweeney
Karen Scarfone
*Former employee; all work for this publication was done while at employer
April 2022
FINAL
This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-31
The draft publication is available free of charge from https://www.nccoe.nist.gov/publications/practice-guide/nist-sp-1800-31-improving-enterprise-patching-general-it-systems-draft
Tyler Diamond*
Alper Kerman
Murugiah Souppaya
National Cybersecurity Center of Excellence
Information Technology Laboratory
Brian Johnson
Chris Peloquin
Vanessa Ruffin
The MITRE Corporation
McLean, VA
Mark Simos
Sean Sweeney
Microsoft
Redmond, WA
Karen Scarfone
Scarfone Cybersecurity
Clifton, Virginia
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
James K. Olthoff, Performing the non-exclusive functions and duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology
Volume B: Security Risks and Capabilities
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 3.1 Audience
- 3.2 Scope
- 3.3 Assumptions
- 3.4 Scenarios
- 3.4.1 Scenario 0: Asset identification and assessment
- 3.4.2 Scenario 1: Routine patching
- 3.4.3 Scenario 2: Routine patching with cloud delivery model
- 3.4.4 Scenario 3: Emergency patching
- 3.4.5 Scenario 4: Emergency mitigation (and backout if needed)
- 3.4.6 Scenario 5: Isolation of unpatchable assets
- 3.4.7 Scenario 6: Patch management system security (or other system with administrative privileged access)
- 3.5 Risk Assessment
- 4 Components of the Example Solution
- 4.1 Collaborators
- 4.2 Technologies
- 4.2.1 Cisco Firepower Threat Defense (FTD) & Firepower Management Center (FMC)
- 4.2.2 Cisco Identity Services Engine (ISE)
- 4.2.3 Eclypsium Administration and Analytics Service
- 4.2.4 Forescout Platform
- 4.2.5 IBM Code Risk Analyzer
- 4.2.6 IBM MaaS360 with Watson
- 4.2.7 Lookout
- 4.2.8 Microsoft Endpoint Configuration Manager
- 4.2.9 Tenable.io
- 4.2.10 Tenable.sc and Nessus
- 4.2.11 VMware vRealize Automation SaltStack Config
- 4.2.12 Additional Information
- Appendix A Patch Management System Security Practices
- A.1 Security Measures
- A.2 Component Support of Security Measures
- A.2.1 Cisco FTD Support of Security Measures
- A.2.2 Cisco ISE Support of Security Measures
- A.2.3 Eclypsium Administration and Analytics Service Support of Security Measures
- A.2.4 Forescout Platform Support of Security Measures
- A.2.5 IBM Code Risk Analyzer Support of Security Measures
- A.2.6 IBM MaaS360 with Watson Support of Security Measures
- A.2.7 Lookout MES Support of Security Measures
- A.2.8 Microsoft Endpoint Configuration Manager (ECM) Support of Security Measures
- A.2.9 Tenable.sc Support of Security Measures
- A.2.10 VMware vRealize Automation SaltStack Config Support of Security Measures
- Appendix B List of Acronyms
Volume C: How-To Guides
- 1 Introduction
- 2 Tenable
- 3 Eclypsium
- 4 VMware
- 5 Cisco
- 5.1 Cisco FTD and FMC
- 5.2 Cisco Identity Services Engine
- 5.2.1 Cisco ISE Installation
- 5.2.2 Cisco ISE Initial Configuration
- 5.2.3 Configuring AnyConnect VPN Using Cisco FTD and Cisco ISE
- 5.2.4 Cisco Security Group Tags (SGTs)
- 5.2.5 Cisco ISE Integration with Tenable.sc
- 5.2.6 Cisco ISE Integration with Cisco Catalyst 9300 Switch
- 5.2.7 Cisco ISE Policy Sets
- 5.2.8 Client Provisioning Policy
- 5.2.9 Posture Assessment
- 5.2.10 Cisco FTD Firewall Rules
- 5.3 Cisco Maintenance
- 6 Microsoft
- 7 Forescout
- 8 IBM
- 9 Lookout
- 9.1 Integrating Lookout with IBM MaaS360
- 9.2 Adding Lookout for Work to the MaaS360 App Catalog
- 9.3 Configuring MaaS360 Connector in the Lookout MES Console
- 9.4 Firmware Discovery and Assessment
- 9.5 Software Discovery and Assessment
- 9.6 Lookout MES Security Protections
- 9.7 Security Compliance Enforcement with IBM MaaS360
- Appendix A List of Acronyms