The campus Security Operations Center (SOC) manages a vulnerability management program, which is part of UCSB’s comprehensive Information Security program and a vital product of the Unified Security Posture Management (USPM) initiative.
Vulnerabilities are software or configuration defects that allow an attacker to gain control of a system or disrupt its normal operations.
Critical vulnerabilities generally allow an attacker with network access to a computer to completely take control of the system by running arbitrary code at elevated privilege. In IT security circles, this is called “pwning” a system. The attacker can steal data, disrupt operations, or use the system as a jumping-off/pivot point to attack other systems behind otherwise closed networks. In this way, a critically vulnerable system puts the entire university at risk.
Vulnerabilities rated as high severity may be more difficult to exploit. They may give an attacker less control of a system, but they can severely compromise it, allow data to be stolen or modified, and disrupt normal operations.
Additionally, the risk context around vulnerabilities matters. Vulnerabilities rated as critical or high-severity with exploits occurring in the wild are more urgent to patch than those with proof-of-concept exploits or those without available exploits. System/service visibility (whether a system or service is publicly accessible) also provides vital context to overall risk.
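The three risk factors named above (severity rating, exploit maturity, and whether the system is publicly reachable) can be combined into a simple triage order. The following is an added illustration, not UCSB or SOC code, and the weights, asset names and findings in it are constructed for the example rather than taken from the program's actual SLAs or scan data; it shows how an exploited high-severity finding on a public host can outrank an unexploited critical on an internal one.

```python
"""Added example (not UCSB/SOC code): ranking vulnerability findings by
severity, exploit maturity and exposure. All weights and sample data are
constructed placeholders, not the SOC's real SLA values."""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Qualitative scanner rating (CVSS-style buckets)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


class ExploitStatus(IntEnum):
    """Exploit maturity, ordered as the text orders urgency."""
    NONE = 0          # no public exploit known
    POC = 1           # proof-of-concept only
    IN_THE_WILD = 2   # actively exploited


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str            # scanner check name (constructed)
    severity: Severity
    exploit: ExploitStatus
    public: bool          # reachable from outside the campus network?


# Constructed weights: severity dominates, exploit maturity and public
# exposure raise urgency within and across severity bands.
_EXPLOIT_WEIGHT = {ExploitStatus.NONE: 0, ExploitStatus.POC: 4, ExploitStatus.IN_THE_WILD: 8}
_PUBLIC_WEIGHT = 5


def risk_score(f: Finding) -> int:
    """Higher is more urgent to patch."""
    score = int(f.severity) * 10
    score += _EXPLOIT_WEIGHT[f.exploit]
    if f.public:
        score += _PUBLIC_WEIGHT
    return score


def prioritize(findings):
    """Return findings in patching order (most urgent first)."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


def worst_per_asset(findings):
    """The single finding that drives each asset's priority, since one
    critically vulnerable system endangers the whole network."""
    worst = {}
    for f in findings:
        if f.asset not in worst or risk_score(f) > risk_score(worst[f.asset]):
            worst[f.asset] = f
    return worst


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("web-01", "Web server remote code execution", Severity.CRITICAL, ExploitStatus.IN_THE_WILD, True),
    Finding("web-01", "Weak TLS configuration", Severity.MEDIUM, ExploitStatus.NONE, True),
    Finding("db-02", "Database privilege escalation", Severity.HIGH, ExploitStatus.POC, False),
    Finding("lab-07", "Outdated browser", Severity.CRITICAL, ExploitStatus.NONE, False),
    Finding("vpn-01", "VPN appliance authentication bypass", Severity.HIGH, ExploitStatus.IN_THE_WILD, True),
    Finding("desk-12", "Office document macro execution", Severity.MEDIUM, ExploitStatus.IN_THE_WILD, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):3d}  {f.asset:8s} {f.severity.name:9s} "
              f"{f.exploit.name:12s} public={f.public}  {f.check}")
```

Note that with these weights `vpn-01` (high severity, exploited in the wild, public) scores 43 and lands above `lab-07` (critical, no known exploit, internal) at 40, which is the ordering the paragraph argues for; a real program would tune the weights to its own SLA tiers.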
Vulnerability Findings
Vulnerability findings and data are aggregated from several sources.
Regular scans are conducted using network-based scanning (from public and internal scanners) and agent-based scanning from Nessus Agents. Nessus Agents are lightweight, low-footprint programs installed locally on Windows, Mac, and Linux systems to supplement traditional network-based scanning and provide visibility into gaps (like application vulnerabilities) missed by traditional network-based scanning. Nessus Agents collect vulnerability, compliance, and system data and report them to UCSB’s Tenable.io instance for analysis. The agents do not access the contents of any files or return any information about the filesystem or contents to UCSB's Tenable.io instance.
Nessus Agents provide vulnerability scan data from systems that may not be accessible with traditional network-based methods because they are not on the campus network during traditional network scan windows. Agents are considerably more secure and easier to manage than credentialed scanning.
Additionally, tools in UCSB’s Unified Security Posture Management program ingest vulnerability findings from third-party reporters and from attack surface management services and systems.
Roles and Responsibilities
The SOC will communicate and publish the applicable SLAs and policies surrounding vulnerability response and mitigation. The SOC will configure USPM tooling to intake relevant asset and vulnerability data and administer access controls to these systems for UISLs and Service Providers. The SOC will administer workflows for risk exception, zero-day vulnerability response, and quarantine of systems as needed. The CISO will review risk exception requests.
Unit Information Security Leads (UISLs) are responsible for ensuring that vulnerable systems in their Unit are patched; systems that are not patched are subject to removal from the network.
Department Service Providers have access to the USPM tooling to locate assets. Their role is to identify the vulnerable system, identify the system owner, and assign the vulnerability to that owner or to the appropriate team to ensure that it is mitigated, usually by patching. Service Providers are also responsible for submitting Risk Exception requests for false positives and for vulnerabilities that cannot be patched or that are otherwise mitigated with compensating controls.
Quick Links:
- Nessus Agent - Installation and Troubleshooting
- Nessus Agent - Vendor Documentation
- Nessus Agent - Report a Problem - ServiceNow
- Nessus Agent - Question - ServiceNow