Automating and Streamlining Vulnerability Management for Your Clients
Published Apr 28 2023 08:57 AM 5,165 Views
Microsoft

Security teams are engaged in a constant battle with vulnerabilities. Enterprise groups currently confront a variety of problems when trying to accomplish effective vulnerability management, such as inadequate IT resources and environment complexity, resulting in protracted patching periods. Given the speed with which criminals now exploit vulnerabilities, and the potential for data breaches, regulatory fines, and reputational harm, these issues are unlikely to disappear soon. Fortunately, Microsoft Security Services for Incident Response is familiar with this problem and regularly helps customers resolve it. This blog examines approaches to address this issue on your Windows clients (servers will be discussed in a separate blog entry) by automating and optimizing the vulnerability management process using Microsoft Defender for Endpoint, Microsoft Intune, and Azure AD, while keeping costs low.
Automation is a powerful ally
Automation is an indispensable part of any modern, effective vulnerability management system. At its core, automation reduces or removes the following problems:

  • Security team members shift between vulnerability management and other security initiatives and therefore lack the capacity to ensure that mitigations are properly implemented. Automation eliminates the need to manually authorize and verify every action, replacing it with a single point of human oversight.
  • Enterprises find themselves in peril because they distrust their results, owing to human error and environment complexity. When the number of assets to act on and verify is large, handling them manually leads to team fatigue. Automation reduces inconsistencies and enables a more accurate and up-to-date view of what is actually in the environment.
  • The business eventually suffers wasted time and increased expenses from unforeseen complications during patching. Automation keeps vulnerability management efforts comprehensive and consistent with the desired outcomes, while still allowing adaptation to exceptional scenarios.


Deploying a simple solution to streamline the processes
Microsoft Defender for Endpoint is a cloud-based endpoint protection solution that easily integrates with enterprise assets and offers advanced threat protection while providing modern vulnerability management capabilities. Microsoft Intune is a cloud-based endpoint management facility that offers a unified place to manage devices’ life cycles in several areas, including hardening and exposure control. Finally, Azure AD (Azure Active Directory) is a cloud-based identity and access management service designed to manage user identities and access to applications and resources across on-premises and cloud environments.
Together, these tools provide an end-to-end vulnerability management solution for employees on-premises and on the go. The solution takes the following form:

  1. Ensure all Windows devices in scope are Azure AD registered or joined. We typically join corporate devices, as joining allows for greater control, including the ability to push configuration changes. Bring your own device (BYOD) scenarios will see devices Azure AD registered. Steps to Azure AD register can be found here and steps to Azure AD join can be found here.

  2. Set up automatic enrollment. This step mitigates the potential for human error by having every Azure AD joined or registered device appear in Intune. Be mindful that, as the norm, BYOD devices will be restricted to Mobile Application Management (MAM), which limits what this solution can do for them. Corporate devices default to mobile device management (MDM), which provides vulnerability management at both the device and application levels. Steps for automatic enrollment can be found here.

  3. Onboard devices to Microsoft Defender for Endpoint. Onboarding allows for a recurring assessment of the vulnerability status of each onboarded device. Once a device has been onboarded, any user with at least the Security Reader Azure AD role can monitor its vulnerabilities in the Microsoft 365 Defender portal (left panel, Endpoints section, Vulnerability management). Steps to onboard devices can be found here.

  4. Create dynamic device groups according to update deployment order. To maintain control during patching, administer updates in stages, starting with the components that have the least impact on the environment and advancing to those likely to generate the most disruption. Use dynamic groups so that these groups do not have to be adjusted manually each time a new device is handed to a user. Guidance on dynamic group rule syntax can be found here.

  5. Set up automatic deployment of Windows Update using Intune. Configure Windows Update installation to propagate updates to the groups according to preset schedules. For instance, low-priority collections could receive an update within 1 day of release, while top-priority resources such as executive laptops could receive it 7 days after. This approach uses Windows Update to download the patch, so devices are patched even when the user is on the move. Steps to configure updates in Intune can be found here.

  6. Eliminate even more vulnerabilities by deploying security baselines via Intune. Many vulnerabilities involve a misconfiguration of the asset; establishing baselines ensures enforcement and uniformity of hardening efforts. Microsoft periodically publishes new ready-to-use baselines via Intune, but custom ones can also be created. Guidance on deploying security baselines can be found here.

  7. Deploy organization-approved applications via Intune. Deploying third-party applications via Intune, rather than giving users permission to install any application, ensures prompt and uniform vulnerability mitigation. Intune allows you to push and remove applications, and even to make installs optional for users by offering an application catalog. Steps for adding applications to Intune can be found here.

  8. Track and report via the Microsoft 365 Defender portal. Security teams should use the portal to follow vulnerability management efforts and make sure only the most up-to-date information is displayed (results can take up to 24 hours to appear). Certain cases require exporting this data; users can either export it directly from the many screens in the security portal or use the API to tailor the output. Steps for querying the API can be found here.
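Steps 4 and 5 depend on dynamic device groups that line up with the update rings. The following is an added example, not code from the original post or from Microsoft: it builds the Microsoft Graph request bodies for one Azure AD dynamic security group per ring, with a membership rule selecting corporate Windows devices. It assumes (my assumption, not the article's) that each device carries its ring name in `extensionAttribute1`, and the ring names, group naming scheme and deferral days are constructed for illustration. Posting the payloads to `POST /groups` needs a Graph token with the `Group.ReadWrite.All` permission; the script only builds and validates them, so it runs offline.

```python
"""
Added example: Graph payloads for Azure AD dynamic device groups, one per
update-deployment ring, so membership follows the device attribute instead of
being edited by hand whenever a new device is issued.

Assumptions (not from the article): devices carry their ring name in
extensionAttribute1; ring names, deferral days and group names are constructed.
"""
import json
import re
from dataclasses import dataclass

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"  # target of the POST (not called here)


@dataclass(frozen=True)
class Ring:
    order: int          # 1 = lowest impact, patched first
    name: str           # value expected in device.extensionAttribute1
    deferral_days: int  # quality-update deferral used by this ring's update policy


# Constructed ring plan: least disruptive assets first, executive devices last.
RINGS = [
    Ring(1, "pilot", 0),
    Ring(2, "general", 1),
    Ring(3, "executive", 7),
]

# Device properties and operators this example permits in a rule.
ALLOWED_PROPERTIES = {"device.deviceOSType", "device.deviceOwnership", "device.extensionAttribute1"}
ALLOWED_OPERATORS = {"-eq", "-ne", "-startsWith", "-contains", "-in"}


def membership_rule(ring: Ring) -> str:
    """Dynamic-membership rule: corporate Windows devices tagged with this ring."""
    return (
        '(device.deviceOSType -eq "Windows") and '
        '(device.deviceOwnership -eq "Company") and '
        f'(device.extensionAttribute1 -eq "{ring.name}")'
    )


def validate_rule(rule: str) -> bool:
    """Cheap sanity check before sending: balanced parentheses, closed string
    literals, and only the properties/operators listed above. Not a full parser."""
    if rule.count("(") != rule.count(")") or rule.count('"') % 2:
        return False
    for prop, op in re.findall(r"(device\.\w+)\s+(-\w+)", rule):
        if prop not in ALLOWED_PROPERTIES or op not in ALLOWED_OPERATORS:
            return False
    return True


def group_payload(ring: Ring) -> dict:
    """Request body for POST /groups creating a security group with dynamic membership."""
    rule = membership_rule(ring)
    if not validate_rule(rule):
        raise ValueError(f"invalid rule: {rule}")
    return {
        "displayName": f"VM-Ring-{ring.order}-{ring.name}",
        "mailNickname": f"vm-ring-{ring.order}-{ring.name}",
        "description": f"Update ring {ring.order}: quality updates deferred {ring.deferral_days} day(s)",
        "mailEnabled": False,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",
    }


def build_plan(rings=RINGS) -> list:
    """Payloads in deployment order; refuses a plan where a later ring would
    receive updates before an earlier one."""
    ordered = sorted(rings, key=lambda r: r.order)
    deferrals = [r.deferral_days for r in ordered]
    if deferrals != sorted(deferrals):
        raise ValueError("later rings must not patch before earlier ones")
    return [group_payload(r) for r in ordered]


if __name__ == "__main__":
    for body in build_plan():
        print(json.dumps(body, indent=2))
```

Each payload maps one-to-one to an Intune update ring assignment (step 5), so the deferral recorded in the group description is the only number an operator has to keep in sync with the update policy.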

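Step 8 mentions tailoring the exported data through the API. As an added example that is not part of the original post, the script below pulls the tenant-wide list from the Microsoft Defender for Endpoint vulnerabilities endpoint and reduces it to what a team tracks between reports: exposed machines per severity, which CVEs have a public exploit, and a triage order. The field names (`id`, `severity`, `exposedMachines`, `publicExploit`, `updatedOn`) follow the API's vulnerability resource as I know it and should be treated as an assumption; the sample rows are constructed placeholders, not real findings. The live call is behind an environment variable (`MDE_TOKEN`, my name for it) so the summary logic runs offline.

```python
"""
Added example: summarize Defender for Endpoint vulnerability API output.

Assumptions (not stated in the post): the record fields below mirror the
/api/vulnerabilities resource; SAMPLE_RESPONSE is constructed placeholder data.
"""
import json
import os
import urllib.request
from collections import defaultdict

VULN_URL = "https://api.securitycenter.microsoft.com/api/vulnerabilities"
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample in the shape the API returns under "value" (placeholder CVE ids).
SAMPLE_RESPONSE = {
    "value": [
        {"id": "CVE-0000-0001", "severity": "Critical", "cvssV3": 9.8,
         "exposedMachines": 12, "publicExploit": True, "updatedOn": "2023-04-20T00:00:00Z"},
        {"id": "CVE-0000-0002", "severity": "High", "cvssV3": 8.1,
         "exposedMachines": 40, "publicExploit": False, "updatedOn": "2023-04-18T00:00:00Z"},
        {"id": "CVE-0000-0003", "severity": "Critical", "cvssV3": 9.1,
         "exposedMachines": 3, "publicExploit": False, "updatedOn": "2023-04-21T00:00:00Z"},
        {"id": "CVE-0000-0004", "severity": "Medium", "cvssV3": 5.3,
         "exposedMachines": 0, "publicExploit": True, "updatedOn": "2023-04-01T00:00:00Z"},
        {"id": "CVE-0000-0005", "severity": "High", "cvssV3": 7.8,
         "exposedMachines": 5, "publicExploit": True, "updatedOn": "2023-04-22T00:00:00Z"},
    ]
}


def fetch_vulnerabilities(token: str, url: str = VULN_URL) -> list:
    """Live call: GET the vulnerability list, following @odata.nextLink pages."""
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return records


def summarize(records: list) -> dict:
    """Exposed machines and CVE count per severity, plus CVEs with a public exploit.
    Entries with no exposed machines are dropped: they are not actionable here."""
    by_sev = defaultdict(lambda: {"cves": 0, "exposed_machines": 0})
    exploitable = []
    for r in records:
        exposed = r.get("exposedMachines", 0)
        if exposed == 0:
            continue
        bucket = by_sev[r.get("severity", "Unknown")]
        bucket["cves"] += 1
        bucket["exposed_machines"] += exposed
        if r.get("publicExploit"):
            exploitable.append(r["id"])
    return {"by_severity": dict(by_sev), "public_exploit": sorted(exploitable)}


def triage_order(records: list) -> list:
    """CVE ids in working order: public exploit first, then severity, then
    number of exposed machines (descending)."""
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    actionable = [r for r in records if r.get("exposedMachines", 0) > 0]
    ordered = sorted(
        actionable,
        key=lambda r: (
            not r.get("publicExploit", False),
            rank.get(r.get("severity"), len(rank)),
            -r["exposedMachines"],
        ),
    )
    return [r["id"] for r in ordered]


if __name__ == "__main__":
    token = os.environ.get("MDE_TOKEN")
    records = fetch_vulnerabilities(token) if token else SAMPLE_RESPONSE["value"]
    print(json.dumps(summarize(records), indent=2))
    print("triage order:", triage_order(records))
```

Because the portal data can lag by up to 24 hours, the `updatedOn` field is kept in each record so a report can state how fresh the figures are; the summary itself uses only the tenant exposure counts, which is what distinguishes a vulnerability that matters to this environment from one that merely exists in the catalog.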

Vulnerability management is an indispensable aspect of any enterprise security program and does not have to be difficult. A selection of tools, such as Defender for Endpoint, Intune and Azure AD, which are readily available in many corporate settings, can help businesses automate and optimize their operations, thus liberating time and resources to concentrate on other security-related objectives.
