On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued a new directive – the Binding Operational Directive 22-01-Reducing the Significant Risk of Known Exploited Vulnerabilities – that required U.S. federal agencies to patch known exploited vulnerabilities within specific time frames.
At that time, Axonius published a blog post on how to find all CVEs in the CISA Known Exploited Vulnerabilities (KEV) catalog and import them into the Axonius platform. Since it was a new directive, we provided the import instructions until we were able to offer automated CISA data enrichment as part of our platform.
Today, we’re pleased to announce that we’ve enriched Axonius with CISA KEV data. It is now as easy as selecting an adapter in our Query Wizard to enrich vulnerabilities data with CISA’s known exploited vulnerabilities to prioritize risk.
The data enrichment is a result of the ongoing efforts by Axonius to enable and facilitate the identification and prioritization of vulnerabilities with critical impact to an organization.
CISA’s importance to federal agencies and others
CISA is a federal agency under the U.S. Department of Homeland Security which “leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.” CISA regularly maintains its known exploited vulnerability catalog, making it publicly available.
While CISA’s directive is compulsory for federal and executive branch departments and agencies to safeguard information and information systems, it is also recommended for any organization, including those operating in critical infrastructure, energy, utilities, and others doing business with the federal government.
On September 8, 14, and again on September 15, 2022, CISA announced new vulnerabilities that have been added to its catalog, bringing the total to 832 CVEs since its inception just under a year ago. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” according to CISA.
The notice mandates that all appropriate federal agencies have until September 29, October 5, and October 6, 2022, respectively, to patch the vulnerabilities. CISA also “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of cataloged vulnerabilities as part of their vulnerability management practice.”
What does the new Axonius CISA enrichment mean for customers?
The CISA KEV data enrichment is an especially meaningful feature enhancement for our federal customers who must maintain compliance with the Binding Operational Directive 22-01.
By enhancing Axonius data with CISA’s known exploited vulnerabilities, federal customers will improve their mean time to triage and prioritize vulnerabilities. They will identify known exploited vulnerabilities, which must be patched or otherwise remediated within the given time frame, helping them to maintain directive compliance.
For other industries that adopt the directive as a best practice guideline to their own security, this feature provides an additional layer of vulnerability prioritization that is increasingly essential to critical infrastructure and business continuity. Knowing which vulnerabilities to prioritize is based on numerous factors, including asset criticality, the presence of compensating security controls, and the likelihood of exploitation (which can be referenced through the CISA KEV catalog). It can mean the difference between business as usual or a compromised system causing loss of system control, service interruption, lost revenue, personal or customer data loss, and possibly high fines for regulatory non-compliance.
For all, the Axonius CISA enhancement reduces the manual work and time needed to identify and prioritize vulnerability criticality. It helps agencies and organizations identify not only vulnerabilities that exist, of which there are thousands, and those that exist in a network environment. It also identifies those vulnerabilities that are being actively exploited in the wild and exist in that environment. It gives organizations bound by the directive or those that voluntarily follow it a security triage advantage with pinpoint accuracy on where to first direct remediation action.
How do I use CISA KEV enrichment in Axonius?
Since the CISA integration is natively available on Axonius, no new adapter connection or configuration is necessary. Simply log in and select whether you want to enrich vulnerabilities with CISA KEV information in global settings.
CISA KEV information can be referenced through the Vulnerability Management Module or the Devices page when there is a device with a known vulnerability on the CISA KEV catalog.
From the Vulnerability Management Module, create a new query using our Multi-Level Query Wizard. Under the “Show Vulnerabilities” section of the query, select the CISA adapter icon, where “ID exists”.
From the Devices page, use the Query Wizard to select the Axonius icon in the adapter field. Use the field drop-down menu to select from a number of available CISA-related field names, such as “CISA Known Exploited Vulnerabilities: CVE ID” or “CISA Known Exploited Vulnerabilities: Due Date”. Then use the operator drop-down comparison function field to define the search criteria. For instance, where “CISA Known Exploited Vulnerabilities: CVE ID” exists.
From either query results, display the columns of CISA-related information that matter most, like CISA description, date added to catalog, recommended remediation action, and perhaps most importantly, the remediation due date.