
Implementing CCM: Threat & Vulnerability Management Controls

Published 11/21/2025

The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. Created by CSA, the CCM aligns with CSA best practices.

You can use CCM to assess and guide the security of any cloud service. CCM also provides guidance on which actors within the cloud supply chain should implement which controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways.

CSCs use CCM to:

  • Assess the security posture of cloud vendors. If a vendor isn’t transparent about their security controls, the risk of doing business with them can be high.
  • Compare vendors’ level of compliance with relevant standards like ISO 27001.
  • Clarify the security roles and responsibilities between themselves and the CSP.

CSPs use CCM to:

  • Assess, establish, and maintain a robust cloud security program. CCM helps solidify CSPs' positions as trusted providers of cloud services.
  • Compare their strengths and weaknesses against other organizations.
  • Document controls for multiple standards in one place. CSA has mapped the CCM controls to several industry standards.

CCM contains 197 controls structured into 17 domains that cover all key aspects of the cloud:

CCM Domains

[Image: list of the 17 CCM domains]

Today we’re looking at implementing the 16th domain of CCM: Threat & Vulnerability Management (TVM). The TVM domain includes ten controls designed to help identify vulnerabilities and potential threats in the cloud. This domain focuses on cyber threats that could impact assets, security architectures, and solution components.

The controls include:

  1. Threat and Vulnerability Management Policy and Procedures
  2. Malware Protection Policy and Procedures
  3. Vulnerability Remediation Schedule
  4. Detection Updates
  5. External Library Vulnerabilities
  6. Penetration Testing
  7. Vulnerability Identification
  8. Vulnerability Prioritization
  9. Vulnerability Management Reporting
  10. Vulnerability Management Metrics

 

The TVM SSRM

The Shared Security Responsibility Model (SSRM) indicates that CSPs and CSCs share TVM responsibilities. CSPs cover threats related to:

  • Infrastructure
  • Network devices
  • Virtualization technologies
  • Operating systems
  • Platform applications

CSCs, on the other hand, cover threats to their applications and APIs.

The other CCM domains tend to clearly delineate which controls the CSP versus the CSC handles. However, with the TVM domain, both the CSP and the CSC handle all controls. The difference is who handles which part of the tech stack.

CSPs and CSCs must work together and hand off duties when necessary. They must strive to ensure that someone properly implements, designs, and operates all TVM controls. Their collective goal should be to ensure that:

  1. The configuration of all cloud assets is secure
  2. Users consume all cloud assets safely

 

Key Risks Associated with TVM

Vulnerability Lifecycle Management

Often, companies manage their cloud and enterprise environments in silos. As a result, cloud vulnerabilities, and especially emerging threats, are not considered within enterprise IT management.

How do we address this risk? Implement TVM Control 1 (TVM Policy and Procedures) and Control 3 (Vulnerability Remediation Schedule). These controls ensure that enterprise security policies align with cloud threat policies.

 

Technical Risks

Malicious software targets cloud platforms, posing a threat to data security and integrity.

To help mitigate this risk, use TVM Control 2 (Malware Protection Policy and Procedures) and Control 8 (Vulnerability Prioritization). These ensure that virtual machine lifecycle procedures address anti-malware controls for all managed workloads. They also make sure the organization mitigates all critical risks.

 

Guidance by Control

1. TVM Policy and Procedures

Establish and maintain procedures to identify, report and prioritize the remediation of vulnerabilities. Review and update the procedures at least annually.

Both the CSP and CSC manage their own vulnerability management program. The CSP may provide the CSC with capabilities and security tools to protect their workloads.

Policies should include the following:

  • Scope and Objectives
  • Vuln Management Process
  • Threat Detection Tools Updates
  • External Library Vulns
  • Pen Testing
  • Vuln Identification
  • Vuln Prioritization
  • Vuln Remediation Schedule
  • Vuln Management Reporting
  • Vuln Management Metrics
  • Approval
  • Communication
  • Maintenance and Reviews

 

2. Malware Protection Policy and Procedures

Establish and maintain procedures to protect against malware on managed assets. Review and update the procedures at least annually.

Implement policies across all computing infrastructure, including:

  • Compute
  • Network devices
  • Endpoints
  • Secure access gateways

Policies should include the following:

  • Scope and Objectives
  • Layered Malware Protection
  • Threat Intelligence Integration
  • Machine Learning and AI
  • Sandbox Analysis
  • Signature-based and Signatureless Detection
  • Malware Solutions Updates
  • Malware Solutions Testing
  • Monitoring and Alerting
  • Approval
  • Communication
  • Maintenance and Reviews

 

3. Vulnerability Remediation Schedule

Define, implement and evaluate procedures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.

For IaaS service models, the CSP should cover:

  • Patch Management
  • Configuration Management
  • Network Security
  • Logging and Monitoring

For PaaS service models, the CSP should cover:

  • Vulns Patching
  • Secure Coding and Runtime Application Security Protection
  • Container Security
  • Serverless Security
  • PaaS Configuration Management and PaaS Security Assessment
  • Runtime Application Security Protection (RASP)

For SaaS service models, the CSP should cover:

  • API Security
  • Applications and Data Access Control Configuration
  • SaaS Usage Monitoring

All service models should cover:

  • Vuln Remediation Schedule (VRS)
  • Remediation and Patch Management
  • Configuration Management
  • Vulns Remediation Validation
  • Review and Updates

 

4. Detection Updates

Define, implement and evaluate procedures to update detection tools, threat signatures, and indicators of compromise on a frequent basis.

Best practices include:

  • Threat Intelligence Platform
  • Threat Data Collection and Processing
  • Threat Prioritization Criteria
  • Threat Signatures and Update Framework
  • Detection Tools Updates
  • Version Control for Signatures and IoCs
  • Continuous Monitoring and Evaluation


5. External Library Vulnerabilities

Define, implement and evaluate procedures to identify updates for applications which use third party or open source libraries. Follow the organization's vulnerability management policy.

CSPs should implement a thorough vulnerability management strategy. This helps effectively identify updates for applications that utilize third-party or open-source libraries.

The strategy should encompass the following best practices:

  • Third-Party Libraries Inventory
  • Vuln Databases Integration
  • Patching and Deployment
  • Open Source Library Security
  • Dependency Management Tools
  • Automated Scanning Tools
  • Third-party Vendors Management
  • Third Party Libraries Updates
  • CI/CD Integration
  • Third-party Libraries License
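Control 5 calls for a third-party library inventory that is checked against vulnerability databases, ideally as part of CI/CD. The Python example below is added here and is not code from the CSA page or the CCM guidelines. It shows the core of that check: parse a pinned inventory, compare each installed version against an advisory's affected range, and report the version to upgrade to. The inventory, the advisory entries and their ADV-EXAMPLE identifiers are constructed for the demo; a real implementation would load an SBOM and a feed such as OSV or the NVD in their place.

```python
"""Match a third-party library inventory against an advisory feed.

Added example, not code from the CSA page or the CCM guidelines. The
inventory, the advisories and their identifiers are constructed for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.26.5' into (1, 26, 5) so versions compare numerically, not as strings.

    Assumes plain dotted numeric versions; pre-release suffixes are out of scope here.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # constructed placeholder, not a real CVE identifier
    package: str
    introduced: str     # first affected version (inclusive)
    fixed: str | None   # first fixed version (exclusive); None means no fix published yet
    severity: str


# Constructed advisory feed standing in for a vulnerability-database integration.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib", "1.0.0", "1.4.2", "HIGH"),
    Advisory("ADV-EXAMPLE-0002", "examplelib", "2.0.0", "2.0.3", "CRITICAL"),
    Advisory("ADV-EXAMPLE-0003", "otherlib", "0.1.0", None, "MEDIUM"),
]


def is_affected(version: str, advisory: Advisory) -> bool:
    """Affected when introduced <= version < fixed (or no fixed version exists)."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed is None:
        return True
    return v < parse_version(advisory.fixed)


def parse_inventory(text: str) -> dict[str, str]:
    """Parse a requirements-style inventory ('name==version' per line) into a dict.

    Unpinned entries are rejected: without an exact version the check cannot be made.
    """
    inventory: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency in inventory: {line!r}")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory: dict[str, str], advisories=ADVISORIES) -> list[dict]:
    """Return one finding per (package, advisory) match, with the fix to apply."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append({
                "package": adv.package,
                "installed": version,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "upgrade_to": adv.fixed or "no fix available",
            })
    return findings


# Constructed inventory, as a CI/CD job might export it before deployment.
SAMPLE_INVENTORY = """
examplelib==1.3.0   # inside the affected range of ADV-EXAMPLE-0001
otherlib==0.2.0     # affected, and no fixed release exists yet
cleanlib==3.1.4     # no advisory at all
"""

if __name__ == "__main__":
    for f in find_vulnerable(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f['severity']:<9} {f['package']}=={f['installed']} "
              f"{f['advisory']} -> upgrade to {f['upgrade_to']}")
```

A finding with "no fix available" is the case the remediation schedule in Control 3 has to handle separately: it cannot be patched on the normal cycle, so it needs a compensating control and a re-check on the next feed update.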

 

6. Penetration Testing

Define, implement and evaluate procedures for the periodic performance of penetration testing by independent third parties.

This is a Shared Dependent control for IaaS and PaaS, since systems and technologies can exist under the CSP or CSC.

CSPs should implement a strategy that encompasses:

  • Pen Testing Scope
  • Authorization and Notification
  • Third-Party Pen Testers Selection
  • Engagement Procedures
  • Non-Production Environment
  • Sensitive Data Handling and Privacy
  • Pen Testing Methodology
  • Pen Testing Results Communication
  • Continuous Improvement

 

7. Vulnerability Identification

Define, implement and evaluate procedures for the detection of vulnerabilities on organizationally managed assets at least monthly.

For IaaS and PaaS, potential threats often include software flaws and control gaps. They can exist for assets and resources under the control of both the CSP and CSC.

For IaaS service models, the CSP should cover:

  • Automated Vuln Scanning
  • Network Traffic Monitoring
  • Pen Testing

For PaaS service models, the CSP should cover:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Container Security Scanning

For SaaS service models, the CSP should cover:

  • Application Security Assessments
  • API Security Testing
  • Data Protection Measures

All service models should cover:

  • Vuln Scanning Tools and Schedule
  • Log Analysis
  • Threat Intelligence Feeds
  • Vuln Databases and CVEs
  • Vuln Assessments and Pen Testing (VAPT)
  • Configuration Management
  • Reporting and Escalation Procedures
  • Continuous Monitoring and Evaluation

 

8. Vulnerability Prioritization

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.

Vulnerability prioritization is a critical security control for CSPs. By ranking threats by their potential impact and likelihood, CSPs can focus their resources on the most critical ones.

For all identified threats, the CSP should use a risk-based model for effective prioritization. They should use an industry-recognized framework, such as CVSS or the OWASP risk rating methodology.

Prioritize threats by their relative risk, importance, organizational impact, and urgency. When evaluating impact, the CSP should consider exposure levels to applicable threats from its specific usage and/or implementation. When evaluating importance, the CSP should consider the criticality and value of the affected assets. Finally, when assessing urgency, the CSP should consider:

  • CVSS ratings
  • Relevance to current threats
  • Effort required to remediate

Best practices include:

  • Risk-based Vulns Prioritization
  • Vuln Scoring System (CVSS)
  • Threat Intelligence Feeds
  • Asset Criticality
  • Remediation Workflows
  • Prioritization Effectiveness
  • CSCs Collaboration
  • Continuous Monitoring and Evaluation
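Controls 3 and 8 together describe a risk-based model: score each finding on its CVSS rating, the criticality of the affected asset, exposure, relevance to current threats and remediation effort, then route it to a scheduled or an emergency remediation window. The Python example below is added here and is not code from the CSA page or the CCM guidelines. The weights, tier thresholds, remediation windows and sample findings are constructed assumptions, not values prescribed by CCM or CVSS. It goes a little beyond the text by showing how two findings with the same CVSS score rank very differently once asset criticality and exposure are applied.

```python
"""Risk-based vulnerability prioritization feeding a remediation schedule.

Added example, not code from the CSA page or the CCM guidelines. The weights,
tiers, remediation windows and sample findings are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed multipliers for asset criticality (Control 8: "Asset Criticality").
CRITICALITY_WEIGHT = {"low": 0.6, "medium": 1.0, "high": 1.4}
# Assumed remediation windows in days per tier (Control 3: scheduled vs emergency response).
REMEDIATION_WINDOW_DAYS = {"emergency": 2, "high": 14, "medium": 30, "low": 90}
EFFORT_ORDER = ["low", "medium", "high"]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                # CVSS base score, 0.0 to 10.0
    asset_criticality: str     # "low" | "medium" | "high"
    internet_exposed: bool     # exposure arising from this specific deployment
    actively_exploited: bool   # relevance to current threats, per the threat-intel feed
    remediation_effort: str    # "low" | "medium" | "high"


def risk_score(f: Finding) -> float:
    """CVSS x criticality x exposure factor, plus a fixed boost when exploited in the wild."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS must be within 0..10, got {f.cvss}")
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.internet_exposed:
        score *= 1.5           # a reachable attack surface weighs more than an internal-only one
    if f.actively_exploited:
        score += 5.0           # relevance to current threats
    return round(min(score, 25.0), 2)


def tier(f: Finding) -> str:
    """Map a finding to a remediation tier; the emergency path bypasses the normal schedule."""
    if f.actively_exploited and f.internet_exposed and f.asset_criticality == "high":
        return "emergency"
    s = risk_score(f)
    if s >= 15.0:
        return "high"
    if s >= 7.0:
        return "medium"
    return "low"


def schedule(findings: list[Finding], discovered_on: str) -> list[dict]:
    """Rank by score (lower effort wins ties) and attach a due date from the tier's window."""
    discovered = date.fromisoformat(discovered_on)
    ranked = sorted(
        findings,
        key=lambda f: (-risk_score(f), EFFORT_ORDER.index(f.remediation_effort)),
    )
    rows = []
    for f in ranked:
        t = tier(f)
        rows.append({
            "finding_id": f.finding_id,
            "asset": f.asset,
            "score": risk_score(f),
            "tier": t,
            "due": (discovered + timedelta(days=REMEDIATION_WINDOW_DAYS[t])).isoformat(),
        })
    return rows


# Constructed findings with placeholder identifiers and asset names.
SAMPLE_FINDINGS = [
    Finding("F-1", "web-gateway", 7.5, "high", True, True, "low"),      # exploited, exposed, critical asset
    Finding("F-2", "build-server", 9.8, "medium", False, False, "high"),
    Finding("F-3", "dev-sandbox", 9.8, "low", False, False, "low"),      # same CVSS as F-2, low-value asset
    Finding("F-4", "db-primary", 5.3, "high", False, False, "medium"),   # modest CVSS, critical asset
]

if __name__ == "__main__":
    for row in schedule(SAMPLE_FINDINGS, "2025-11-21"):
        print(f"{row['tier']:<10} {row['score']:>6} {row['finding_id']} {row['asset']} due {row['due']}")
```

On the sample data F-1 lands in the emergency window even though its CVSS is the lowest of the four but one, and F-4 (CVSS 5.3 on a critical database) is scheduled ahead of F-3 (CVSS 9.8 in a sandbox). That inversion relative to raw CVSS is the point of the control: the score is a prioritization input, not the priority itself.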

 

9. Vulnerability Management Reporting

Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.

The CSP is responsible for tracking and reporting vulnerability identification and remediation activities for all identified threats on:

  • The host infrastructure
  • Network devices
  • Virtualization technologies
  • Operating systems
  • Platform applications such as databases
  • Web applications

Vuln tracking capabilities should include:

  • Tracking when discoveries were made and remediated
  • Systems impacted
  • Reasons for the delay (where applicable)
  • Any communications with stakeholders

The tracking system should:

  • Standardize the format and structure of stored vuln data.
  • Automate the aggregation of vuln data from various sources. Consider scanners, remediation tools, and third-party feeds.
  • Establish a secure platform for sharing threat intelligence information with CSCs.

The reporting and notification system should:

  • Communicate remediation plans to stakeholders. Provide clear timelines and expected outcomes for resolution.
  • Establish standardized reporting templates that communicate vuln information.
  • Tailor reports to the specific needs and interests of different stakeholder groups, such as security teams versus business stakeholders.
  • Automate the distribution of vuln reports to relevant stakeholders. Distribute these reports via email, secure file sharing platforms, or designated intranet channels.
  • Notify all relevant stakeholders about identification and remediation activities.
  • Define a notification protocol for alerting stakeholders about newly identified vulns.
  • Send a record of all notifications to stakeholders, including the date, time, recipient, and vuln details.
  • Include escalation procedures for notifying senior management or external parties of severe or widespread threats and security incidents.

 

10. Vulnerability Management Metrics

Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.

The CSP and CSC should each establish a defined frequency of collecting metrics for vulnerability identification, remediation, and reporting within their assets. This activity can be part of an existing and overarching policy and standard.

Some examples of metrics include:

  • Vuln Identification Rate
  • Time-to-Remediate
  • Vuln Severity Distribution
  • Open Vulns Over Time
  • Patch Compliance Rate
  • False Positive Rate
  • Vuln Rescan Rate
  • Top Remediated Vulns
  • Vuln Aging
  • Coverage of Vuln Assessments
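Control 9 asks for a standardized record format with automated aggregation from scanners, remediation tools and feeds, and Control 10 asks for metrics computed over those records at defined intervals. The Python example below is added here and is not code from the CSA page or the CCM guidelines. It maps two differently shaped exports (a scanner CSV and a ticket-tracker JSON, both constructed for the demo) into one record schema and then computes four of the metrics listed above: severity distribution, time-to-remediate, vulnerability aging and patch compliance rate. The SLA windows used for the compliance rate are assumed values.

```python
"""Standardize vulnerability records from two sources and compute TVM metrics.

Added example, not code from the CSA page or the CCM guidelines. Both input
formats, their records and the SLA windows are constructed for this demo.
"""
from __future__ import annotations
import csv
import io
import json
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Assumed remediation SLA in days per severity; drives the patch compliance rate.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class VulnRecord:
    """The single standardized record every source is mapped into (Control 9)."""
    record_id: str
    asset: str
    severity: str            # normalized to critical/high/medium/low
    discovered: date
    remediated: date | None  # None while the finding is still open
    source: str

# Constructed scanner CSV export; an empty fixed_on column means still open.
SCANNER_CSV = """\
plugin_id,host,risk,first_seen,fixed_on
10001,web-01,High,2025-09-01,2025-09-20
10002,web-01,Critical,2025-10-15,
10003,db-01,Medium,2025-08-10,2025-09-30
"""
# Constructed ticket-tracker JSON export with its own field names and severity codes.
TICKETS_JSON = json.dumps([
    {"key": "VULN-7", "ci": "api-gw", "sev": "S1", "opened": "2025-11-01", "closed": None},
    {"key": "VULN-8", "ci": "build-01", "sev": "S3", "opened": "2025-06-01", "closed": "2025-10-01"},
    {"key": "VULN-9", "ci": "db-01", "sev": "S4", "opened": "2025-05-01", "closed": None},
])
TICKET_SEVERITY = {"S1": "critical", "S2": "high", "S3": "medium", "S4": "low"}


def _date_or_none(text: str | None) -> date | None:
    return date.fromisoformat(text) if text else None

def from_scanner(text: str) -> list[VulnRecord]:
    """Map scanner rows onto the standard schema (severity label lower-cased)."""
    return [
        VulnRecord(f"scanner:{r['plugin_id']}:{r['host']}", r["host"], r["risk"].lower(),
                   date.fromisoformat(r["first_seen"]), _date_or_none(r["fixed_on"]), "scanner")
        for r in csv.DictReader(io.StringIO(text))
    ]

def from_tickets(text: str) -> list[VulnRecord]:
    """Map ticket objects onto the standard schema, translating the S1..S4 codes."""
    return [
        VulnRecord(f"ticket:{t['key']}", t["ci"], TICKET_SEVERITY[t["sev"]],
                   date.fromisoformat(t["opened"]), _date_or_none(t["closed"]), "tickets")
        for t in json.loads(text)
    ]

def severity_distribution(records: list[VulnRecord]) -> dict[str, int]:
    return dict(Counter(r.severity for r in records))

def mean_time_to_remediate(records: list[VulnRecord]) -> float | None:
    """Average days from discovery to remediation over closed records (None if none closed)."""
    closed = [(r.remediated - r.discovered).days for r in records if r.remediated]
    return round(mean(closed), 1) if closed else None

def open_aging(records: list[VulnRecord], today: date) -> dict[str, int]:
    """Bucket still-open records by how many days they have been open."""
    buckets: Counter = Counter()
    for r in records:
        if r.remediated is None:
            age = (today - r.discovered).days
            buckets["0-30" if age <= 30 else "31-90" if age <= 90 else "90+"] += 1
    return dict(buckets)

def patch_compliance_rate(records: list[VulnRecord], today: date) -> float:
    """Share of records whose SLA is met or elapsed that were actually fixed within it."""
    measured = met = 0
    for r in records:
        sla = SLA_DAYS[r.severity]
        if r.remediated is not None:
            measured += 1
            met += (r.remediated - r.discovered).days <= sla
        elif (today - r.discovered).days > sla:
            measured += 1      # overdue and still open counts as a miss
    return round(met / measured, 3) if measured else 1.0

def build_report(today_iso: str) -> dict:
    """Aggregate both sources, then compute the metrics for the reporting date."""
    today = date.fromisoformat(today_iso)
    records = from_scanner(SCANNER_CSV) + from_tickets(TICKETS_JSON)
    return {
        "total": len(records),
        "severity_distribution": severity_distribution(records),
        "mean_time_to_remediate_days": mean_time_to_remediate(records),
        "open_aging": open_aging(records, today),
        "patch_compliance_rate": patch_compliance_rate(records, today),
    }

if __name__ == "__main__":
    print(json.dumps(build_report("2025-11-21"), indent=2))
```

The compliance metric deliberately counts an open finding as a miss once its SLA has elapsed; a version that only looked at closed findings would reward leaving the hardest items open, which is exactly the blind spot the aging metric is meant to expose.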

 


You can find all the details and guidance discussed here, and much more, in the CCM Implementation Guidelines.

Zoom in on other CCM domains by reading the rest of the blogs in this series. Be on the lookout for the final installment coming soon: Universal Endpoint Management.
