May 19, 2022

Enhance Malware Protection with Proper CIS Control 10 V.8 Implementation


2021 was the Year of the Ransomware attack, with attackers deploying malware against organizations ranging from utilities to kindergartens. Highly disruptive ransomware attacks on critical infrastructure, including the temporary Colonial Pipeline shutdown, got most of the attention.

However, lower-profile organizations, such as elementary schools, are not immune. The problem is that criminals can have a business model that depends on compromising new troves of data, and they can easily launch attacks at scale. In essence, any data store holding personal data on employees, customers, patients, or students has become a potential target for ransomware gangs looking for upfront payments and data that can be used to commit identity theft.

Anyone hoping for a break in the ransomware trend this year will be disappointed. There’s no indication that malware attacks are decreasing in 2022. Researchers have found that some ransomware gangs now have the means to launch zero-day attacks. This behavior indicates that these groups are planning to scale up, not dial back.

With zero-day exploits in their arsenal, attackers can go after organizations that regularly patch vulnerabilities but lack complete visibility into device activity. The ongoing threat to businesses, governments and critical infrastructure has prompted the U.S. and Israel to announce a joint task force to fight ransomware attacks.

The expectation that ransomware will continue as a pervasive threat means that organizations should take some time now to assess their malware defenses to identify gaps and close them. The CIS Critical Security Controls (CIS Controls) list offers a straightforward implementation plan for initiating or enhancing malware protection. However, the way CIS structures its recommendations has changed with its 2021 Version 8 update. The update is intended to make the Controls easier to prioritize and implement.

Here’s what’s changed.

A 2021 Overhaul Changed CIS Cybersecurity Controls’ Structure and Organization

In mid-2021, CIS consolidated its Controls from 20 to 18. This update means that some of the Control numbers are different from previous versions.

Within each Control, CIS also regrouped the 153 Safeguards, previously known as Sub-Controls, into three CIS Controls Implementation Groups (IGs). The reorganization into these groups makes it easier for organizations to select the appropriate Safeguards in each Control based on organizational maturity, complexity, data types, and available IT and security resources.

  • Implementation Group 1 (IG1) covers the basic security controls that every organization should implement. Safeguards in IG1 are relatively easy to address, even for small organizations with limited technical resources and no high-level security expertise.
  • Implementation Group 2 (IG2) includes the Safeguards for enterprises with complex devices. These Safeguards help organizations plan to implement preventive security controls across a variety of systems in a scalable way, using the organization’s available IT resources.
  • Implementation Group 3 (IG3) also includes Safeguards for enterprises. The Safeguards in this group, however, are specific to organizations tasked with securing sensitive/confidential data. Government contractors, financial institutions, healthcare organizations, and critical infrastructure providers are the audience for IG3. These safeguards require expert IT resources to plan and deploy correctly.

CIS Control 10 Now Addresses Protection Against Malware

Before CIS Controls v8 was released, virus and malware protection Sub-Controls were grouped under Control 8 in CIS Version 7. They were in the Foundational category, not Basic. Now, CIS Control 10 addresses defenses against software flaws and malware. Control 10 also includes Safeguards for all three IGs, so that protection from software vulnerabilities and exploits is addressed at the basic cyber hygiene level for all organizations, regardless of size or resources.

CIS Control 10

Installing, maintaining and updating anti-malware software is one of the most basic and important steps an organization can take to reduce the likelihood of a ransomware attack. However, just because these IT controls are basic doesn’t mean they’re always simple to implement.

We typically see two kinds of gaps in anti-malware software implementation. The first is incomplete coverage: not every managed computer across the organization has at least one security agent set up correctly and running as intended. Achieving a 100% implementation rate is rare—“even well-managed enterprises have difficulty achieving 95% coverage for each type of agent that they wish to run on their managed computers.”

The second gap we see is that unmanaged devices can’t accommodate security agents intended for computers on the IT network. CIS notes in its IoT Companion Guide that “traditional anti-malware techniques are not feasible on IoT devices.” In a typical organization, where up to 90% of devices in the environment are unmanaged, even 100% coverage of managed computers would still leave most of the organization’s devices exposed and vulnerable to ransomware attacks.
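The two gaps described above can be measured from an asset inventory. The following is an added example, not code from the post or from Armis; the inventory, device names and the `av`/`edr` agent types are constructed, and the 95% target is the figure quoted above.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    managed: bool                              # True if the device can host a security agent
    agents: set = field(default_factory=set)   # agent types reported as running

# Constructed inventory: 4 managed computers and 6 unmanaged IoT/OT devices.
INVENTORY = [
    Device("laptop-01", True, {"av", "edr"}),
    Device("laptop-02", True, {"av"}),
    Device("server-01", True, {"av", "edr"}),
    Device("server-02", True, set()),          # managed, but no agent running
    Device("hvac-ctrl", False), Device("ip-cam-1", False), Device("ip-cam-2", False),
    Device("badge-reader", False), Device("mri-console", False), Device("plc-line3", False),
]

REQUIRED_AGENTS = ("av", "edr")   # assumed agent types the organization wants on every managed computer

def agent_coverage(devices):
    """Gap 1: per-agent coverage among managed computers only."""
    managed = [d for d in devices if d.managed]
    return {a: sum(a in d.agents for d in managed) / len(managed) for a in REQUIRED_AGENTS}

def fleet_coverage(devices):
    """Gap 2: share of ALL devices with at least one agent; unmanaged devices can never count."""
    return sum(bool(d.agents) for d in devices) / len(devices)

def fleet_coverage_if_managed_complete(devices):
    """Upper bound on agent-based coverage: even 100% of managed computers covered."""
    return sum(d.managed for d in devices) / len(devices)

def gaps(devices, target=0.95):
    """Summarize what an assessment against the 95% agent-coverage figure would flag."""
    return {
        "managed_without_agent": [d.name for d in devices if d.managed and not d.agents],
        "agents_below_target": [a for a, c in agent_coverage(devices).items() if c < target],
        "unmanaged_needing_other_controls": [d.name for d in devices if not d.managed],
    }

if __name__ == "__main__":
    print(agent_coverage(INVENTORY), fleet_coverage(INVENTORY), fleet_coverage_if_managed_complete(INVENTORY))
    print(gaps(INVENTORY))
```

In this constructed inventory, closing gap 1 entirely would still leave agent-based protection at 40% of devices, which is why the unmanaged list is reported separately for monitoring and segmentation rather than for agent deployment.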

How Can Organizations Fully Implement CIS Controls Now?

For Control 10 and others, comprehensive implementation starts with total device visibility. Every asset and endpoint—even temporary, remote, and virtual ones—should be visible to your security platform and team. That level of visibility requires a solution that can identify and monitor IoT/OT devices without interfering with the way they work.

The CIS IoT Companion Guide also emphasizes the fact that many attackers now craft cybersecurity exploits specifically to target IoT technology, “which highlights the need for a robust strategy” to guard against these zero-day threats. The guide recommends continuous monitoring for real-time detection of changes in device activity that can indicate compromise. It also recommends IoT network segmentation when possible, to limit the spread of an attack if unmanaged devices are breached.

Blocking and identifying malware is core to Control 10, but enterprises—especially those handling sensitive data—also need to log device activity and aggregate that data in one location to streamline the process for alerts and response. Logging device activity can also be important for forensics, response review, and security plan adjustments. Threat intelligence services that assess risk ratings for IoT devices are also recommended in the CIS IoT Companion Guide.

How Does Implementing CIS Controls Protect Your Organization?

Endpoint compromises and corrupt firmware updates can undermine any organization’s anti-malware defenses. When your team implements CIS Control 10 Safeguards from the Implementation Group that corresponds to your risk profile, your organization is better protected against ransomware attacks and zero-day malware attacks.

The benefits of a comprehensive anti-malware program that monitors unmanaged devices include:

Always-on monitoring and risk assessment of every device in the environment also saves the security team time. A solution that enables the team to configure and install updates and patches automatically can save even more time. Moreover, instant alerts, combined with comprehensive device information, can help the team prioritize threats, focus on the most urgent issues, and respond quickly.

Implement Advanced Malware Protection for all Your Devices

The Armis platform identifies all the endpoints in your environment and non-invasively monitors both managed and unmanaged devices, such as IoT and OT devices, to detect malicious behavior and issue alerts. To determine a device’s “known-good” baseline, the platform compares its behavior against the Armis Asset Knowledgebase of more than two billion devices. Then, machine-learning driven analysis and monitoring use that baseline to detect any anomalous device activity in real-time, without interfering with the functionality of the unmanaged device. When the Armis platform spots unusual activity, it can issue alerts, enforce policies, and log data for review, helping your organization limit its exposure to ransomware attacks and other malware-driven threats.

Learn how Armis can help your organization implement the CIS Control 10 Safeguards you need.
