In November 2021, the U.S. federal government published a Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive. This Department of Homeland Security (DHS) directive mandates federal agencies within the U.S. act to protect themselves from "...increasingly sophisticated malicious cyber campaigns that threaten the public sector, private sector, and ultimately the American people’s security and privacy."
The directive requires United States federal agencies to patch known, "publicly exploited'' vulnerabilities. The list of these vulnerabilities is cataloged and updated by the Cybersecurity & Infrastructure Security Agency (CISA) (on their website) periodically.
What is the reason for this new directive and process?
Several key factors have been considered in CISA’s decision. Critical criterion are highlighted below:
CISA has determined vulnerabilities with publicly known exploits "carry unacceptable risk to the federal enterprise" and as such this new directive is warranted to curb exposure. For most medium-sized organizations or larger, given the technology footprint they have, thousands of vulnerabilities must be analyzed and addressed. This directive helps agencies prioritize their effort on the most critical issues.
Today, Federal agencies are not required to patch all Common Vulnerabilities and Exposures (CVEs). However the new list of known exploited vulnerabilities must be addressed fully by federal agencies due to the active threat associated with each vulnerability, with due date dates for patching ranging from Nov 2021 to May 2022.
How does this apply to private enterprises?
While the directive doesn't directly impact private enterprises, many such organizations may benefit from following CISA's lead.
The steps taken by CISA with this directive are critical in reducing threats to any organization. These threats are not limited to the U.S. federal government. Many enterprises face the same challenges when it comes to vulnerability management and patching cycles as cited in the reasoning for this new directive.
At the top of this list of challenges is prioritization of the issues that need immediate attention for Federal Departments - while not covered by the mandate, these are critical challenges for the private sector as well. Not only are the number of threats increasing for many organizations but challenges are amplified by limited budgets.
Staffing constraints make it challenging to keep up with the increased risk from known exploitations. The bottom line is that all organizations should prioritize mitigation of vulnerabilities and take action to manage their risk exposures.
How can Red Hat Insights help?
Insights provides deep threat analysis of Red Hat Enterprise Linux (RHEL) systems with a simple user interface. Users can more easily triage and manage CVEs that pose a risk to RHEL hosts in their organization.
Earlier this year, Red Hat Insights announced a feature that gives users "Actionable threat intelligence for publicly known exploits for RHEL" for systems registered to Red Hat Insights. This feature was built to solve the same problems that are cited by CISA. Publicly known exploited vulnerabilities pose high risk and must be patched with the highest priority to protect the organization.
The actionable threat intelligence for publicly known exploits for RHEL feature makes it simple to identify Red Hat Enterprise Linux hosts that are vulnerable to publicly known exploited CVEs. Many hours are saved with Red Hat Ansible Automation to apply push-button remediation of vulnerabilities across the entire enterprise.
Figure 1. In Insights, vulnerabilities can easily be filtered for "Known exploit" status. The Insights Vulnerability service shows 4 CVEs with publicly known exploits in this view.
Want more information?
We held a Red Hat Insights webinar about managing security and compliance risk recently that included a short demonstration of the Vulnerability service as part of Red Hat Insights. You can watch its recording on-demand here.
Red Hat Insights is included as part of your RHEL subscription - find more information and get started today by visiting Red Hat Insights.
About the author
Mohit Goyal is a Senior Principal Product Manager for Red Hat Insights. Mohit brings a wealth of experience and skills in enterprise software having held roles as a software engineer, project manager, and as a product manager across software and travel industries. Goyal has a bachelor's degree in Computer Science from the Institute of Technology, University of Minnesota and a MBA from the Carlson School of Management, University of Minnesota.