last sync: 2024-Sep-19 17:51:32 UTC

Microsoft Managed Control 1668 - Flaw Remediation | Regulatory Compliance - System and Information Integrity

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Microsoft Managed Control 1668 - Flaw Remediation
Id: 8fb0966e-be1d-42c3-baca-60df5c0bcc61
Version: 1.0.0
Versioning: Versions supported for Versioning: 0 (Built-in Versioning [Preview])
Category: Regulatory Compliance
Description: Microsoft implements this System and Information Integrity control
Additional metadata:
Name/Id: ACF1668 / Microsoft Managed Control 1668
Category: System and Information Integrity
Title: Flaw Remediation - Remediates Flaws
Ownership: Customer, Microsoft
Description: The organization: Identifies, reports, and corrects information system flaws;
Requirements:

Flaw Identification

To identify applicable software flaws, the C+AI Security team tracks multiple sources of information for vulnerability-related data. These sources include the Microsoft Security Response Center (MSRC), vendor websites, and other third-party websites. Updates tracked by these sources are monitored by C+AI Security for possible inclusion in its monthly security bulletins, notifications, and advisories. Based on their applicability to the Azure environment, only a subset of these updates may be required by C+AI Security. Microsoft publishes bulletins that include specific information relevant to the security update being released. Azure reviews vulnerabilities that are deemed to have a significant impact on the operational environment. Microsoft bulletins are disseminated to all personnel. Additional information can be found on the following websites:
* MSRC:
* MSRC Bulletins and Advisories:

Non-Microsoft software used in Azure to provide infrastructure services and client services is kept current for the optimal operation of the environment. Each software vendor provides information about their security updates. Vendor websites are monitored, including, but not limited to:
* Cisco:
* Juniper:
* TippingPoint:
* F5 Networks: and
* NetScaler:

For network devices, vendors make Azure Networking aware of security vulnerabilities in their products via email. The email is logged into Azure DevOps and analysis is performed to evaluate possible risks and mitigations. Azure Networking has dedicated support engineers from the major hardware vendors, including Cisco, Juniper, and F5, who assist with the analysis and determination of the course of action. Azure Networking tracks the issue to completion. A similar process is followed with updates provided by other vendors, with the goal of matching the updates required to the current Azure environment.

The C+AI Security team monitors Azure using automated vulnerability scanning tools. These tools are configured to report specific system security flaws to the C+AI Security team and users. Azure configures these tools based on knowledge provided by vendors and other sources, including analysis by C+AI Security.

The C+AI Security team conducts the following activities monthly. On the Thursday prior to release, the C+AI Security team holds a conference call with Azure stakeholders to review updates that are required in the Azure environment, based on the data provided in the Advance Notification Service by MSRC. Minutes from this call are recorded and saved for historical understanding of the rationale used to determine which updates were required in the past. On release day, the second Tuesday of every month, MSRC provides a review via conference call of detailed information with Azure stakeholders for inclusion on the list of updates required in the Azure environment. A consensus is reached with Azure stakeholders on the required security updates for the Azure environment. Meeting minutes record attendees and any concerns regarding all released security updates. MSRC sends e-mail communication to broad Azure distribution lists that includes the list of required updates, the download location of the required software, and the deadline for installation of the updates. After the email communication is sent, the same information is posted to the internal C+AI Security website for future reference.

Impact assessments are conducted for all vulnerabilities identified. The assessment encompasses multiple factors, including:
* Access required, local or remote
* Authentication requirements
* Exploit availability
* Outcome of exploitation, such as remote code execution or elevation of privilege

Flaw Correction

The C+AI Security team assesses the vulnerability severity and criticality impact based on documented and deduced software and technology deployment and use in Azure environments. For example, Microsoft Expression Web is not used on Azure servers, and therefore a vulnerability that impacts Expression Web is outside the scope of updates required to be applied. C+AI Security collects information from a variety of sources and scanners to help determine the inventory of applications installed on servers and the current threat surface. Specific steps in the vulnerability process include:
* Review mitigating controls that may affect the vulnerability rating, such as firewalls, Microsoft Defender for Endpoint (MDE) antivirus software, and ACLs
* Review the Asset Value for the affected assets
* Determine the timeframe for the application of the required updates

Most security updates are required to be installed within thirty (30) days of the notification of the update's availability. C+AI Security occasionally requires an expedited timeline for the application of security updates based on the following criteria:
* Applications or services affected
* Availability of reliable exploit code
* Prevalence of exploit activity
* External regulator requirements, such as a Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive

Information collected from C+AI Security monitoring efforts, or an increase in the risk level faced by Azure servers, may be used to expedite remediation of outstanding security vulnerabilities after the original deadline was set. These changes are communicated to the necessary personnel. In partnership with other Azure teams, C+AI Security collects, analyzes, and alerts the security contacts for the affected property on system and network behavior that may be deemed malicious or that could be the effect of an intrusion. In coordination with the Security Response Team, events are analyzed and, if deemed to be an incident, are handled in accordance with the Incident Management SOP. Verified flaws identified for Azure as a result of the Vulnerability Scanning Tools scan process are tracked as part of the Azure Plan of Actions and Milestones (POA&M) process.

Flaw Reporting

Reporting of security vulnerabilities is conducted via vulnerability scanning tool results. Azure provides a Vulnerability Management and Reporting Tool which gives Microsoft personnel the ability to review vulnerability data from a reporting interface. Vulnerability scans are conducted monthly at minimum. The vulnerability scan tools provide reports based on multiple criteria, including property, server, and security update. Communication from the C+AI Security team via Service 360 (S360) and email is used to notify service teams in cases of elevated risk or when expedited action is necessary. The remediation of vulnerabilities is one of the primary goals of the C+AI Security team. A variety of tools and processes are used to drive remediation:
* Direct engagement with properties
* Targeted efforts
* Direct e-mail communication with service teams to drive remediation of high-risk or expedited vulnerabilities
* Security updates deployment services
Mode: Indexed
Type: Static
Preview: False
Deprecated: False
Effect: Fixed (audit)
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance: Not a Compliance control
Initiatives usage: none
History: none
JSON compare: n/a
JSON: api-version=2021-06-01