The Center for Internet Security (CIS) Top 20 Critical Security Controls are used by companies large and small across all industries to strengthen cybersecurity. While many other frameworks go beyond these security domains, the CIS Top 20 remains an invaluable control to ensure organizations are covering essential security functions that reduce cyber risk.
In previous blogs, we detailed how Axonius can help teams satisfy basic controls (CIS Controls 1 and 2), as well as foundational controls (CIS Control 3).
In this blog, we’ll dive into how Axonius can help strengthen CIS Control 19, an organizational control focused on incident response.
CIS Control 19: Incident Response & Management
CIS Control 19 details that organizations should protect their information and reputation by implementing an incident response infrastructure. Incident response infrastructure includes:
- Written plans to execute when incidents occur
- Defined roles and responsibilities
- Internal and external communications
- Management and oversight
- Testing (simulations and tabletop exercises)
The ultimate goal of CIS Control 19 is to eradicate the attacker’s presence and recover as quickly as possible in order to reduce impact — whether it’s data theft, system outages, or a tarnished reputation.
Better Alert Triage Leads to More Effective Incident Response Management
As breaches have become more common, many companies have put the necessary organizational infrastructure in place to respond to incidents. However, those processes depend on first ascertaining what the incident actually is. That step extends beyond organizational infrastructure and is centered on technology infrastructure.
Incident response management is often weakened by slow, incomplete alert triage. Security analysts receive alerts that tell them what happened and how, but they still spend a great deal of time tracking down the information needed to understand the full scope and to determine whether events are isolated or part of a larger incident that must be escalated to management.
A large part of the reason is poor asset management: security analysts simply don’t have enough context about devices, which users are (or were) associated with them, and rich information from numerous data sources in one place.
Moreover, since asset data is often incomplete or outdated, it’s not only hard to trust this information at one point in time — it’s also difficult to reference on an ongoing basis.
How Axonius Helps Speed Alert Triage
Axonius is used by analysts to correlate alerts with rich context around devices and users for incident response. By connecting adapter sources that provide rich information on devices, users, and cloud assets, security analysts can easily correlate alerts with data in Axonius to triage alerts quickly and answer questions such as:
- Which devices and users were associated with the alerts?
- Where are relevant devices located?
- What software is running on the device?
- Which users are associated with the device?
- What was the state of assets affected on a particular date?
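As an added illustration (not Axonius code and not its API), the triage flow described above with a constructed, already-correlated inventory of point-in-time device snapshots and a few constructed alerts: each alert is enriched with the device’s location, users and software as of the alert date, and an alert is escalated when the asset is unknown or the same rule fires on more than one device. Hostnames, users and dates are made up.

```python
from collections import defaultdict
from datetime import date

# Constructed asset inventory: point-in-time snapshots per device, assumed
# to be already correlated from several sources (EDR, AD, cloud). Not real data.
INVENTORY = {
    "ws-1042": [
        {"as_of": date(2020, 3, 1), "ip": "10.0.5.17", "site": "Boston",
         "users": ["jsmith"], "software": ["Chrome 80", "7-Zip 19.00"]},
        {"as_of": date(2020, 4, 1), "ip": "10.0.5.17", "site": "Boston",
         "users": ["jsmith", "admin-svc"], "software": ["Chrome 81", "7-Zip 19.00"]},
    ],
    "srv-db-03": [
        {"as_of": date(2020, 3, 1), "ip": "10.0.9.3", "site": "AWS us-east-1",
         "users": ["dba"], "software": ["PostgreSQL 11.7"]},
    ],
}

# Constructed alerts, shaped like what a detection tool might emit.
ALERTS = [
    {"id": "A1", "host": "ws-1042", "when": date(2020, 3, 20), "rule": "suspicious-powershell"},
    {"id": "A2", "host": "ws-1042", "when": date(2020, 4, 2), "rule": "lateral-movement"},
    {"id": "A3", "host": "srv-db-03", "when": date(2020, 4, 2), "rule": "lateral-movement"},
    {"id": "A4", "host": "unknown-host", "when": date(2020, 4, 2), "rule": "beaconing"},
]

def state_on(host, when):
    """Return the most recent inventory snapshot at or before `when`, or None."""
    snaps = [s for s in INVENTORY.get(host, []) if s["as_of"] <= when]
    return max(snaps, key=lambda s: s["as_of"]) if snaps else None

def enrich(alert):
    """Attach device context (IP, location, users, software) as of the alert date."""
    snap = state_on(alert["host"], alert["when"])
    if snap is None:
        # No inventory record: an unmanaged or unknown asset is itself a finding.
        return {**alert, "context": None, "escalate": True, "reason": "asset not in inventory"}
    return {**alert, "context": {k: snap[k] for k in ("ip", "site", "users", "software")},
            "escalate": False, "reason": ""}

def triage(alerts):
    """Enrich alerts, then escalate any rule seen on more than one device (possible campaign)."""
    enriched = [enrich(a) for a in alerts]
    hosts_per_rule = defaultdict(set)
    for e in enriched:
        hosts_per_rule[e["rule"]].add(e["host"])
    for e in enriched:
        if len(hosts_per_rule[e["rule"]]) > 1:
            e["escalate"], e["reason"] = True, "same rule on multiple devices"
    return enriched
```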
How Axonius Can Speed Incident Response
Based on any set of conditions, or simply by selecting assets, Axonius can take customized response actions on an ad-hoc or programmatic basis. This includes the ability to create tickets, notify teams, isolate devices from the network, or deploy files and commands remotely.
Using the Axonius API, data can be ingested into SIEM/SOAR solutions to contextualize incidents with Axonius data.
All of this means you can get fully contextualized info to the right person automatically. And that means incident response playbooks and procedures can be initiated more quickly when needed.