8.2: Ensure Anti-Malware Software and Signatures Are Updated
Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Devices |
Protect |
1, 2, 3 |
Dependencies
Sub-control 1.4: Integrate Software and Hardware Asset Inventories
Sub-control 2.1: Maintain Inventory of Authorized Software
Sub-control 2.4: Track Software Inventory Information
Inputs
Endpoint Inventory: Endpoint inventory (with entry for each endpoint indicating whether that endpoint can support anti-malware software or not; sub-control 1.4)
Anti-malware software version information (this is a list of acceptable versions for the scanning engines and the signature databases for any anti-malware products in use on endpoints in Input 1; this version information needs to be updated frequently to reflect current version information and age off outdated versions; reference the ASL per sub-control 2.1 and ideally leverage the software inventory in sub-control 2.4)
Maximum time allowed for anti-malware software updates to be applied to endpoints
Assumptions
Some endpoints, such as network devices, may not support anti-malware software. Whether an endpoint supports anti-malware software is provided as part of Input 1. Devices that cannot support anti-malware software are removed from the list of endpoints to be checked during Operation 1, and these devices are not counted in the metric below.
Operations
Refine the endpoint inventory (Input 1) to only contain endpoints that can support anti-malware software endpoint inventory - this reduced list of endpoints becomes M1
For each endpoint in M1, generate a list of those endpoints that have an acceptable version of anti-malware software installed and enabled (both scanning engine and signature database) according to the information provided in Input 2 (M2) and a list of those endpoints that do not have an acceptable version of anti-malware software installed and enabled (M3).
For each endpoint in M1, generate a list of those endpoints that have been updated within the time frame specified by Input 3 (M4), and a list of those endpoints that have not been updated within that time-frame (M5)
Measures
M1 = List of endpoints capable of supporting anti-malware software
M2 = List of endpoints with an acceptable version of anti-malware software installed and enabled (version compliant list)
M3 = List of endpoints that do not have an acceptable version of anti-malware software installed and enabled (version non-compliant list)
M4 = List of endpoints that have had their anti-malware software updated within the specified time-frame (time compliant list)
M5 = List of endpoints that have not had their anti-malware software updated within the specified time-frame (time non-compliant list)
M6 = Count of endpoints in M1 (number of endpoints capable of supporting anti-malware software)
M7 = Count of endpoints in M2 (number of version compliant endpoints)
M8 = Count of endpoints in M3 (number of version non-compliant endpoints)
M9 = Count of endpoints in M4 (number of time compliant endpoints)
M10 = Count of endpoints in M5 (number of endpoints that have not had updates within acceptable time frame)
Metrics
Coverage
Metric |
The ratio of anti-malware software version compliant endpoints to the total number
of endpoints capable of supporting anti-malware software?
|
Calculation |
|
Freshness
Metric |
The ratio of endpoints whose anti-malware software has been updated within the specified
timeframe?
|
Calculation |
|
NOTE: Comparing the coverage metric to the freshness metric can serve as a useful check - for instance, if the coverage metric tends to be high, while the freshness metric is low, that would suggest that Input 2 might not have been updated recently enough (that is, outdated versions are being considered acceptable)?