The Center for Internet Security (CIS) Top 18 Critical Security Controls are used by companies large and small across all industries to strengthen their cybersecurity programs. While many other frameworks go deeper into specific technical processes, the CIS Top 18 remains an invaluable framework for ensuring organizations cover the essential security functions that reduce cyber risk.
Let’s take a look at CIS Controls 1 and 2, including what they mean, and how Axonius provides the foundation to achieve the rest of the CIS Controls.
CIS Control 1: Inventory & Control of Enterprise Assets
CIS defines Control 1 as: “Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.”
As the definition shows, CIS Control 1, formerly known as “Inventory & Control of Hardware Assets”, has been broadened beyond traditional hardware to cover assets in a far more dynamic environment: portable and mobile devices, IoT and other non-computing devices, virtual machines, remote endpoints, and assets in cloud environments.
CIS Control 1 is strictly about maintaining an inventory of devices and ensuring that only authorized devices are given access. It makes sense that this is the first control — after all, you can’t secure company data if you can’t track the devices that have access to it.
Specifically, CIS Control 1 calls for identifying unmanaged devices, including unauthorized devices that shouldn’t have access to the company network. CIS provides five safeguards for implementing Control 1, which boil down to three key steps:
- Identify all devices
- Document the inventory
- Keep the inventory current
Meeting CIS Control 1 is easier said than done
While this control is considered “basic”, maintaining an asset inventory isn’t easy.
Many asset inventories are still maintained manually, in Configuration Management Databases (CMDBs), IT asset management (ITAM) tools, or even spreadsheets. Moreover, many organizations believe they are using an active discovery tool, but in practice their discovery methods are periodic and incomplete — especially when it comes to discovering the vulnerabilities and risks associated with deployed and in-use assets.
For example, scanning-based approaches are incomplete because scan cycles are periodic and a scan only sees devices that are powered on and reachable when it runs. Assets like OT, IoT, and connected medical devices are frequently missed for exactly this reason: they are often segmented away from the scanner or deliberately excluded because active probing can disrupt them. Scanning also struggles with short-lived assets such as containers and virtual machines, which may not exist long enough to fall inside a scan window at all.
Agent-based technologies enrich an asset inventory with a wealth of information about each device. However, agents are rarely deployed on every device, so they cannot be relied on alone for discovery if the goal is a comprehensive inventory: an agent can only report on the devices it is already installed on.
Further, organizations typically use a mix of tools and processes, such as scanning and agent-based approaches, to discover assets. The result is that asset inventories are not only incomplete, but also siloed across these sources. Because each technology produces its own data set with its own identifiers and formatting, manually correlating them into one reliable source of truth is time consuming and error prone.
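The correlation problem described above is concrete enough to show in code. The following is an added example (not Axonius code, and not tied to any vendor's export format): three constructed data sets stand in for a network scanner, an endpoint agent, and a DHCP server, each seeing only part of the estate and spelling MAC addresses and hostnames differently. The code normalizes identifiers, merges records into one asset per device, and then labels each asset as managed (an agent reports it), unmanaged (only network sources see it), or stale (nothing has seen it recently). Field names and the 30-day staleness threshold are assumptions chosen for the example.

```python
"""Correlate asset records from several discovery sources into one inventory.

Added example (not Axonius code): the sample records below are constructed to
stand in for exports from a network scanner, an endpoint agent and a DHCP
server. Field names are assumptions, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample exports. Each source sees only part of the estate and
# describes the same device differently (MAC formatting, hostname case).
SCANNER = [
    {"ip": "10.0.1.10", "mac": "AA:BB:CC:00:00:01", "hostname": "WS-ALICE", "last_seen": "2024-03-01T09:00:00"},
    {"ip": "10.0.1.11", "mac": "AA:BB:CC:00:00:02", "hostname": "ws-bob", "last_seen": "2024-03-01T09:00:00"},
    {"ip": "10.0.1.50", "mac": "AA:BB:CC:00:00:50", "hostname": "", "last_seen": "2024-03-01T09:00:00"},
]
AGENT = [
    {"hostname": "ws-alice", "mac": "aa-bb-cc-00-00-01", "os": "Windows 11", "agent_version": "7.2.1", "last_seen": "2024-03-01T10:30:00"},
    {"hostname": "ws-carol", "mac": "aa-bb-cc-00-00-03", "os": "macOS 14", "agent_version": "7.2.1", "last_seen": "2024-01-15T08:00:00"},
]
DHCP = [
    {"mac": "aabbcc000002", "ip": "10.0.1.11", "hostname": "ws-bob", "last_seen": "2024-03-01T08:55:00"},
    {"mac": "aabbcc000050", "ip": "10.0.1.50", "hostname": "infusion-pump-7", "last_seen": "2024-03-01T08:40:00"},
    {"mac": "aabbcc000099", "ip": "10.0.1.99", "hostname": "", "last_seen": "2024-02-28T23:10:00"},
]


def normalize_mac(mac):
    """Reduce 'AA:BB:CC:..', 'aa-bb-cc-..' and 'aabbcc..' to one canonical form, or None."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def correlate(sources):
    """Merge records from all sources into one asset per device.

    `sources` maps a source name to its list of records. Devices are keyed by
    normalized MAC; records without a usable MAC fall back to lowercase hostname.
    """
    assets = defaultdict(lambda: {"sources": set(), "hostnames": set(), "ips": set(), "last_seen": None})
    for name, records in sources.items():
        for rec in records:
            key = normalize_mac(rec.get("mac", "")) or rec.get("hostname", "").lower() or None
            if key is None:
                continue  # nothing to correlate on; such records need manual triage
            asset = assets[key]
            asset["sources"].add(name)
            if rec.get("hostname"):
                asset["hostnames"].add(rec["hostname"].lower())
            if rec.get("ip"):
                asset["ips"].add(rec["ip"])
            for field in ("os", "agent_version"):
                if rec.get(field):
                    asset[field] = rec[field]
            seen = datetime.fromisoformat(rec["last_seen"])
            if asset["last_seen"] is None or seen > asset["last_seen"]:
                asset["last_seen"] = seen
    return dict(assets)


def classify(assets, now, stale_after=timedelta(days=30)):
    """Label each asset: stale (not seen recently), managed (agent reports it), or unmanaged."""
    labels = {}
    for key, asset in assets.items():
        if now - asset["last_seen"] > stale_after:
            labels[key] = "stale"
        elif "agent" in asset["sources"]:
            labels[key] = "managed"
        else:
            labels[key] = "unmanaged"
    return labels


def build_inventory(now=datetime(2024, 3, 1, 12, 0, 0)):
    """Run correlation and classification over the constructed sources."""
    assets = correlate({"scanner": SCANNER, "agent": AGENT, "dhcp": DHCP})
    return assets, classify(assets, now)


if __name__ == "__main__":
    assets, labels = build_inventory()
    for key in sorted(assets):
        a = assets[key]
        print(f"{key:17} {labels[key]:9} sources={sorted(a['sources'])} hosts={sorted(a['hostnames'])}")
```

Two outcomes in this toy data are the ones that matter for Control 1: the infusion pump and the `10.0.1.99` lease are visible to the network but have no agent, so they surface as unmanaged rather than disappearing into a single-source blind spot, and `ws-carol` has an agent but has not checked in for weeks, so it is flagged stale instead of being counted as a healthy managed device. Keying on MAC is a deliberate simplification; real environments also need to handle randomized Wi-Fi MACs and virtual NICs, which is why the hostname fallback exists.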
CIS Control 2: Inventory and Control of Software Assets
CIS defines Control 2 as: “Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”
CIS provides seven different safeguards for Control 2, recommending that organizations:
- Use software inventory tools to automate documentation of all software used throughout the organization
- Use technology to ensure that only authorized software is running and executed on IT assets
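Both safeguards above, and the point that follows about software you don't know about, come down to comparing what is installed against what is approved while keeping an eye on the hosts that report nothing. Here is an added example (not Axonius code) of that check over constructed data: an allowlist that permits any version of some packages and only pinned versions of others, per-host software lists as an endpoint agent might report them, and an asset inventory that includes one host returning no software data and excludes one host that is reporting software anyway. Package names, versions and hostnames are all illustrative assumptions.

```python
"""Audit per-host software inventories against an allowlist.

Added example (not Axonius code): the allowlist, inventories and hostnames
below are constructed and illustrative, not real approved software.
"""

# Constructed allowlist: lowercase software name -> set of approved versions,
# or None meaning any version of that package is acceptable.
ALLOWLIST = {
    "microsoft edge": None,
    "7-zip": {"23.01", "24.05"},
    "corp-vpn-client": {"4.1.0"},
}

# Constructed asset inventory (Control 1 output) and per-host software lists as
# an endpoint agent might report them. "ws-dave" is a known asset with no
# software data; "ws-eve" reports software but is not in the asset inventory.
ASSET_INVENTORY = ["ws-alice", "ws-bob", "ws-dave"]
SOFTWARE = {
    "ws-alice": [("Microsoft Edge", "122.0"), ("7-Zip", "24.05"), ("corp-vpn-client", "4.1.0")],
    "ws-bob": [("7-Zip", "19.00"), ("uTorrent", "3.6"), ("corp-vpn-client", "4.1.0")],
    "ws-eve": [("Microsoft Edge", "122.0"), ("AnyDesk", "8.0.9")],
}

_MISSING = object()  # sentinel: distinguishes "not listed" from "listed, any version"


def check_host(installed, allowlist=ALLOWLIST):
    """Return (name, version, reason) for each installed package that is not approved."""
    findings = []
    for name, version in installed:
        approved = allowlist.get(name.lower(), _MISSING)
        if approved is _MISSING:
            findings.append((name, version, "not in allowlist"))
        elif approved is not None and version not in approved:
            findings.append((name, version, "unapproved version"))
    return findings


def audit(asset_inventory=ASSET_INVENTORY, software=SOFTWARE, allowlist=ALLOWLIST):
    """Audit every known asset and reconcile the two inventories.

    Hosts with no software data are reported on their own: an empty findings
    list would otherwise make them look identical to a clean host. Hosts that
    report software but are absent from the asset inventory are reported too,
    since the asset inventory is the thing that is wrong in that case.
    """
    report = {"unauthorized": {}, "no_inventory": [], "unknown_hosts": []}
    for host in asset_inventory:
        if host not in software:
            report["no_inventory"].append(host)
            continue
        findings = check_host(software[host], allowlist)
        if findings:
            report["unauthorized"][host] = findings
    report["unknown_hosts"] = sorted(set(software) - set(asset_inventory))
    return report


if __name__ == "__main__":
    result = audit()
    for host, findings in result["unauthorized"].items():
        for name, version, reason in findings:
            print(f"{host}: {name} {version} ({reason})")
    print("no software inventory:", result["no_inventory"])
    print("reporting but not in asset inventory:", result["unknown_hosts"])
```

The audit deliberately produces three different kinds of output rather than one flat list. A version pin catching `7-Zip 19.00` is an ordinary remediation item; `ws-dave` returning nothing is a Control 1 gap dressed up as a Control 2 result; and `ws-eve` reporting software without ever having been inventoried is the situation the heading below describes. Collapsing those into one score would hide the two that matter most.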
You can't restrict software you don't know about
On the surface, satisfying this control seems easy. There are many application control tools at the disposal of IT and security teams that only allow systems to run permitted software.
But that only covers the assets IT and security already know about. Software is harder to identify in today’s dynamic IT environment, especially when it hasn’t been properly vetted — including software running on mobile and BYOD devices that join and leave the network frequently.
And, with employees working remotely, this has become even more challenging. If company-issued devices don’t have all the necessary controls, employees may be unintentionally installing malicious software. Or they may be using personal devices for work, and accessing corporate data on a machine running unwanted software.
How Axonius makes meeting CIS Controls 1 and 2 Easier
Source: Axonius, meeting CIS Controls 1 & 2 examples
When it comes to CIS Control 1, Axonius directly addresses the CIS safeguards. Using Axonius, IT and security teams get an always up-to-date, comprehensive view of all enterprise assets connected to their organization's network. Axonius automatically identifies managed, unmanaged, and IoT devices, as well as ephemeral assets such as cloud containers and virtual machines. Axonius also provides important context for each device, including OS, installed software, vulnerable software, agent versions, and more. Automating the actions that address variances from policy is integral to Axonius.
Axonius is a strong fit for CIS Control 2, since it maintains a continuously updated list of installed software for each hardware asset. The Axonius Query Wizard allows for one-off and programmatic searches for unauthorized software, and the Axonius Security Policy Enforcement Center delivers ad hoc or programmatic actions to address assets that don’t meet policy.
If you’re interested in how Axonius maps to all of the CIS Top 18 Critical Security Controls, see how Axonius supports each control here.