Vulnerability management has always been a challenge, and now it’s even tougher. The proliferation of unmanaged devices means that up to 90% of an enterprise’s assets may be invisible to its legacy security tools. This expansion of vulnerable devices, combined with the growth in nation-state attacks on enterprises and the rise of cybercriminal gangs with the resources to pay millions for zero-day exploits, is among the reasons 2021 broke records for zero-day attacks.
Source: MIT Technology Review
2021 was also the year that the Center for Internet Security (CIS) updated its CIS Controls and its Internet of Things (IoT) Companion Guide to factor in the rising trends of remote work, cloud-based solutions, and unmanaged devices. This is good news for security teams seeking to shore up their vulnerability management programs. However, the update included some major changes to the way CIS defines and organizes both the Controls and the Safeguards. It’s worth looking at what’s new to see how the update can help organizations implement better protection across all their devices.
Changes to Controls in Version 8 Reframe CIS Implementation
Previously, CIS sorted its 20 Controls implementation into three levels: basic recommendations for all organizations, foundational recommendations for all organizations to implement after the basic steps were done, and organizational steps for cybersecurity teams.
In v7.1, continuous vulnerability management was Control 3, in the basic implementation level. But now, CIS has reorganized the Controls. In this round, CIS went from 20 Controls to 18, and continuous vulnerability management is now CIS Control 7 (are you following along?!). CIS has also regrouped each Control’s steps—now called Safeguards—into Implementation Groups (IGs) for different organizational security maturity levels and needs:
- IG1 includes 56 basic cyber hygiene Safeguards for every organization.
- IG2 includes 74 Safeguards for enterprises with complex operational environments and internal IT and cybersecurity implementation resources.
- IG3 includes 23 Safeguards against sophisticated attacks for enterprises holding sensitive and/or confidential data. This CIS Control implementation group requires IT and security expertise that the typical organization may not have.
This new approach allows organizations to see which Safeguards they need to implement for baseline security, for complex environments, and for handling sensitive data. Because IoT is now such a large part of many organizations’ environments, CIS also offers an IoT Companion Guide for v8 that addresses issues specific to securing these types of devices.
What Continuous Vulnerability Management Safeguards Does CIS Control 7 v8 Include?
Control 7 includes four IG1 Safeguards that describe baseline protections. All organizations, regardless of size, should set up and maintain processes for the vulnerability management lifecycle and for remediation. They should also automate OS and application patch management to avoid scenarios where attackers exploit vulnerabilities that have been known for weeks, months, or even years.
The remaining three Safeguards are critical for security in complex and sensitive environments, so they apply to IG2 and IG3. For these types of environments, which are more likely to be targeted, automated vulnerability scans of all assets are the only practical way to manage vulnerabilities at scale and in real time. Remediation of detected vulnerabilities must also be a priority for these organizations.
When an organization implements all the Safeguards in Control 7, it can identify and address OS, application, and device vulnerabilities across the environment.
What Risks do Organizations Face Without Comprehensive, Continuous Vulnerability Management?
Unaddressed vulnerabilities can lead to two types of serious problems: those related to data and those related to the physical environment. Vulnerabilities that give attackers access to network traffic and data can put targets at risk for ransomware, data theft, espionage, data exposure, and data loss or corruption. Vulnerabilities that allow attackers to take over the way unmanaged devices operate can lead to unplanned operational downtime, equipment damage, safety risks to workers, and even harm to the public.
Either type of incident can cause expensive, reputation-damaging problems for an organization. Some vulnerabilities impact both data and physical equipment. For example, Armis found 11 zero-day vulnerabilities in the VxWorks operating system, which runs on “over 2 billion devices including critical industrial, medical, and enterprise devices.” This URGENT/11 suite of TCP/IP stack vulnerabilities gives attackers many ways to hijack and control multiple connected devices remotely, as well as ways to leak information and launch denial of service attacks.
What Challenges Await You When Implementing CIS Control 7 Safeguards?
Implementing vulnerability management Safeguards can present challenges, and CIS Controls v8 outlines several. They include:
- Identifying all devices in the environment, including their OS, apps, and rules for communication, segmentation, and firewalls.
- Getting vulnerability updates in real time.
- Assessing vulnerability-related risks and prioritizing responses.
- Testing and installing patches.
- Scaling vulnerability management and remediation across a complex, multi-system organization.
IoT devices, including OT and ICS devices, present their own set of threats and vulnerability management hurdles, as described in the CIS Internet of Things Companion Guide. They include:
- Pre-deployment vulnerability management and remediation planning for IoT devices “residing outside the enterprise, on-site with clients or functioning in a critical infrastructure sector.”
- Assessing internally deployed and external-facing IoT devices.
- Assessing vulnerabilities without disrupting operations and health of devices and systems.
- Updating and patching IoT devices at scale, when many need to be updated individually.
All of these challenges are easier to handle with a solution that provides complete device identification—including OS, apps, and physical location—and nondisruptive vulnerability assessment and automation tools for updates.
What Does Full CIS Control 7 Implementation Look Like?
After an ideal implementation of all Control 7 Safeguards, your organization should have:
- A documented, regularly updated vulnerability management process (7.1) that includes all devices in the environment, including IoT and OT/ICS devices, and devices that were once considered “air-gapped.”
- A documented “risk-based remediation strategy” and process that’s reviewed at least monthly and allows for IoT/OT firmware, mobile, and communications updates as needed.
- Automated OS and app patch management processes that run monthly or more often and include the necessary tools for IoT OS patch management.
- Automated vulnerability scans of authenticated and unauthenticated internal enterprise assets that run at least quarterly.
- Automated vulnerability scans of externally exposed enterprise assets that run monthly or more often.
- Monthly or more frequent remediation, based on your organization’s documented process and security priorities.
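The cadences in the list above can be checked mechanically. The following is an added example, not code from Armis or CIS, that walks a small constructed asset inventory (hypothetical record format, with fields such as last_internal_scan and oldest_open_vuln that are assumptions of this example) and reports which assets fall outside the Control 7 scan and remediation windows, including unmanaged devices that have never been scanned at all:

```python
"""Check a small asset inventory against the scan and remediation cadences
set out in CIS Control 7 v8: internal scans at least quarterly (7.5),
external scans at least monthly (7.6), remediation at least monthly (7.7).
The inventory record format below is hypothetical, not a real product schema."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum allowed age of each activity, in days, taken from the Safeguard cadences.
MAX_AGE_DAYS = {
    "internal_scan": 90,   # 7.5: internal scans at least quarterly
    "external_scan": 30,   # 7.6: external scans at least monthly
    "remediation": 30,     # 7.7: remediate detected vulnerabilities monthly
}


@dataclass
class Asset:
    name: str
    managed: bool                             # False for IoT/OT devices with no agent
    externally_exposed: bool
    last_internal_scan: Optional[date] = None
    last_external_scan: Optional[date] = None
    open_vulns: int = 0
    oldest_open_vuln: Optional[date] = None   # detection date of the oldest open finding


def _stale(last: Optional[date], key: str, today: date) -> bool:
    """True when the activity never happened or is older than its allowed window."""
    return last is None or (today - last).days > MAX_AGE_DAYS[key]


def check_asset(asset: Asset, today: date) -> list[str]:
    """Return the Control 7 cadence findings for one asset (empty list if compliant)."""
    findings = []

    if asset.last_internal_scan is None:
        note = "no vulnerability scan on record (visibility gap, 7.1/7.5)"
        if not asset.managed:
            note += "; unmanaged device, needs nondisruptive (agentless) assessment"
        findings.append(note)
    elif _stale(asset.last_internal_scan, "internal_scan", today):
        findings.append("internal scan older than 90 days (7.5)")

    if asset.externally_exposed and _stale(asset.last_external_scan, "external_scan", today):
        findings.append("external scan missing or older than 30 days (7.6)")

    if asset.open_vulns and _stale(asset.oldest_open_vuln, "remediation", today):
        findings.append(
            f"{asset.open_vulns} open findings, oldest past the 30-day remediation window (7.7)"
        )

    return findings


def check_inventory(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each asset name to its list of findings."""
    return {a.name: check_asset(a, today) for a in assets}


# Constructed sample inventory; these are not real devices or real scan dates.
TODAY = date(2022, 3, 1)
SAMPLE_ASSETS = [
    Asset("web-01", managed=True, externally_exposed=True,
          last_internal_scan=date(2022, 2, 20), last_external_scan=date(2022, 2, 25)),
    Asset("hmi-plc-07", managed=False, externally_exposed=False),   # OT device, never scanned
    Asset("vpn-gw", managed=True, externally_exposed=True,
          last_internal_scan=date(2021, 11, 1), last_external_scan=date(2022, 1, 10),
          open_vulns=3, oldest_open_vuln=date(2022, 1, 12)),
]

if __name__ == "__main__":
    for name, issues in check_inventory(SAMPLE_ASSETS, TODAY).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run as-is, the script reports web-01 as compliant, flags hmi-plc-07 as a visibility gap, and lists three findings for vpn-gw (stale internal scan, stale external scan, and findings past the remediation window). The point of the `managed` flag is the one the Companion Guide makes: an unscanned OT device is not "compliant by omission", it is the asset the program has not reached yet.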
Developing, managing, and deploying these processes, scans, and remediations is easier with a solution that can handle unmanaged devices without disruption, detect vulnerabilities in real-time, and automate patching and remediation.
Continuous Vulnerability Management Starts with Complete Visibility
The Armis platform allows your organization to achieve complete visibility of all types of assets in your environment. That includes the unmanaged devices that legacy security tools can’t see, and devices that connect temporarily to your networks.
Without disrupting their function, the Armis platform provides real-time risk assessment of every IoT, OT, and ICS device using AI and the Armis Device Knowledgebase, which tracks more than two billion devices. The platform also automates policy enforcement to make response prioritization faster and simpler.
The Armis platform provides this unprecedented visibility with minimal changes or additions to your existing security processes; it integrates with existing IT and security solutions to provide a single source of device truth.
Learn more about how the Armis platform can help you optimize your organization’s vulnerability management program.