ClearArmor CSRP - 01.01 SOFTWARE BASED VULNERABILITIES CyberSecurity is a Business Issue, not a Technology Issue CyberSecurity is not just about reacting. It includes Risk Management, Audit, Compliance, and training. It also requires continuous attention to Cyber Hygiene. CyberSecurity requires continuous measurement, monitoring, and remediation. Is your organization reactive or proactive? Move to proactive CyberSecurity. To comply with the intent of the NIST CyberSecurity Framework (CSF), Cyber Hygiene is a requirement. To Comply with NIST 800-53, 800-171, DFARS, NY State DFS Part 500, and a plethora of other frameworks and compliance guidelines requires continuous risk reduction through vulnerability remediation. ClearArmor CyberSecurity Resource Planning (CSRP) enables your organization to meet those requirements.

1. CYBER RISK
REDUCTION SERIES
01.01

SOFTWARE BASED
VULNERABILITITES
Overview
Organizations
continuously face risk
rooted in an increasing
and evolving set of threat
vectors. These threat
vectors aggregate to
create an overall attack
surface area. Reducing the underlying vulnerabilities results in a
reduced attack surface area. This reduction limits adversaries’
ability to exploit vulnerabilities and impact what your
organization has identified as valuable.
ClearArmor
ClearArmor™ Corporation
519 Easton Rd.
Riegelsville, PA 18077
info@cleararmor.com
http://www.cleararmor.com
+1-(610) 816-0101
Step 1 – Accept that no risk reduction is sustainable possible without a structured
CyberSecurity program. That Program must be based on a recognized standard.
The most accepted standard is the NIST CyberSecurity Framework (CSF).
Step 1- Structure and Standards are foundational to CyberSecurit
Step 2 – A structured CyberSecurity program requires process, technology, and
governance. ClearArmor CyberSecurity Resource Planning (CSRP) is the only
solution that truly aligns organizations to the NIST CSF. This is achieved by
ClearArmor’s Momentum Methodology (M2) and the Intelligent CyberSecurity
Platform (ICSP).
Step 2 - Process, Technology, and Governance are foundational to CyberSecurity
Step 3 – Assign Ownership to all NIST CSF Functions, Categories, and Sub-
Categories. These are the ‘Things’ that organizations must do to ensure
‘CyberSecurity’. Ownership requires a Responsible Role (Responsible for Doing)
and an Accountable Rile (Responsible for Auditing). By assigning ownership,
organizations are able to comply with guidance provide by the NIST CSF.
Step 3- Assignment of Accountable and Responsible Roles are foundational to CyberSecurity
Step 4 – Policy - establish your organizations software patching, upgrade policy.
A subset of this will include maximum durations for remediations to reach
production, testing guidance, and methods to distribute software patches.
Step 4 – Creation of clearly defined policy is foundational to CyberSecurity

2. 2 Copyright © 2018 Clear Armor Corporation. All Rights Reserved
Step 5 – Discovery your entire network. This includes, but is not limited to, all
hardware, software, configuration information, used ports, utilization, etc. This
requires technology and process that are complete. Only the ClearArmor
Discovery, Classification, Indentification (DCI) process achieves a level of insight
into your organizations networked assets, software, hardware, utilization that is
instrumental to a significant number of NIST CSF sub-categories.
Step 5 – Discovery is foundational to CyberSecurit
Step 6 – Categorization is critical to achieving focused efforts. Quantities of
active vulnerabilities in an organization can be staggering. Lack of prioritization
of efforts increases risk and the likelihood of a successful exploit. In the
ClearArmor ICSP, categorization occurs at three levels.
 Level 1 – Automated Categorization based on device type (Network
Devices, Storage Device, Workstation device, Server Device)
 Level 2 – White Listing – Devices are initially not listed. Through automations
or manual methods, all endpoints are identified as ‘White Listed’, ‘Limited
Duration White Listed’, or ‘Black Listed’.
 Level 3 – Landscape (Examples: Production, QA, Test, Dev1, Dev2, Patch)
 Level 4 – System Membership (Example: HRIS, ERP, AD, eMail, BI, etc)
Last, ClearArmor provides organizations with a workflow that allows organizations
to categorize Risk Imperatives – to – Business Functions – to – Systems – to
Endpoints Based on this ability, it is possible to focus remediations that directly
relate to business risk imperatives, business functions, systems, or landscapes.
Step 6- Categorization is foundational to CyberSecurity
Step 7 – Precision Identification of Vulnerabilities is achieved through our
 advanced automated software discovery and identification. This goes
beyond typical methods that only go as far are reading registry
information. The ClearArmor discovery process includes all executables,
services, dll’s, and other types of files to gain greater understanding of
what is installed where. All software, all version information, all distribution
across the organization. At this stage a baseline of the preliminary
vulnerability information is achieved, allowing for progress measurement.
 Consumption of our Proprietary IT-Pedia data, the de facto source for
understanding critical information such as associated NIST Identified
vulnerabilities, end of support, end of sales, end of life, and a multitude of
other information. If a new device, software package, vulnerability, or
other details are identified in the wild, we bring that information down into
your installation of the ICSP.
Step 7- Identification of vulnerabilities is a critical element of all CyberSecurity Programs

3. 3 Copyright © 2018 Clear Armor Corporation. All Rights Reserved
Step 8 – Review the discovered vulnerabilities in any number of ways, by
distribution across the organization, by severity, by location, by type of devices,
by category of device, etc. Every organization will prioritize their remediation
targets differently. There is no one right way. At first this will seem to be
overwhelming, once your organization has adopted its patching and
vulnerability remediation process, and has begin to remediate issues, the noise
and information will begin to calm.
Step 8- Assessing active vulnerabilities is a critical element of all CyberSecurity Programs
Step 9 – Target the vulnerabilities to remediate, following your organizations
policy. This may change after initial work efforts are underway. More specifically,
the organization may focus on mitigating the top ‘X’ % of impacted software
packages. In many cases an initial focus may eliminate a large percentage of
existing issues. After this first pass, the organization may go through a series of
passes aimed at high importance systems.
Additionally, the data available to your organization is significant at this point. It
provides you with the ability to visualize the problem, target the solution, and
catalytically enable your patching solutions to successfully operate.
Step 9- Focused efforts are a key to cost effectively reducing risk
Step 10 – As your endpoints are patched or software is upgrades, the discovery
process will automatically pick up changes through the organization. Daily
review off changes to your current vulnerabilities provide the ability to
continuously remediate and assess success.
Step 10 – Vulnerability remediation is a recurring process of a structured CyberSecurity Program
ClearArmor CSRP is CyberSecurity
See your Active Vulnerabilities

4. 4 Copyright © 2018 Clear Armor Corporation. All Rights Reserved
Assign CyberSecurity Ownership Across Your Organization
See Detailed Information on All Active Vulnerabilities
See Detailed Information on the affected Endpoints
Understand the Number of distinct Version affected by the Vulnerability and the Distribution across your organization

5. 5 Copyright © 2018 Clear Armor Corporation. All Rights Reserved
CyberSecurity Resource Planning
CSRP = Methodology + Technology
A structured approach to CyberSecurity