Vulnerability management has always been a challenge, and now it’s even tougher. The proliferation of unmanaged devices means that up to 90% of an enterprise’s assets may be invisible to its legacy security tools. This expansion of vulnerable devices, combined with growth in nation-state attacks on enterprises and the rise of cybercriminal gangs with the resources to pay millions for zero-day exploits, is among the reasons 2021 broke records for zero-day attacks.
Source: MIT Technology Review
2021 was also the year that the Center for Internet Security (CIS) updated its CIS Controls and its Internet of Things (IoT) Companion Guide to factor in the rising trends of remote work, cloud-based solutions, and unmanaged devices. This is good news for security teams seeking to shore up their vulnerability management programs. However, the update included some major changes to the way CIS defines and organizes both the Controls and the Safeguards. It’s worth looking at what’s new to see how the update can help organizations implement better protection across all their devices.
Previously, CIS sorted implementation of its 20 Controls into three levels: basic recommendations for all organizations, foundational recommendations for all organizations to implement after the basic steps were done, and organizational steps for cybersecurity teams.
In v7.1, continuous vulnerability management was Control 3, in the basic implementation level. But now, CIS has reorganized the Controls. In this round, CIS went from 20 Controls to 18, and continuous vulnerability management is now CIS Control 7 (are you following along?!). CIS has also regrouped each Control’s steps—now called Safeguards—into Implementation Groups (IGs) for different organizational security maturity levels and needs:
This new approach allows organizations to see which controls they need to implement for baseline security, for addressing complexity, and for dealing with sensitive data. Because IoT is now such a large part of many organizations’ environments, CIS also offers an IoT Companion Guide for v8 that addresses issues specific to securing these types of devices.
Control 7 includes four IG1 Safeguards that describe baseline protections. All organizations, regardless of size, should set up and maintain processes for vulnerability management lifecycle and remediation. They should also automate OS and app patch management to avoid scenarios where attackers exploit vulnerabilities that have been known for weeks, months, or even years.
The remaining three Safeguards are critical for security in complex and sensitive environments, so they apply to IG2 and IG3. For these types of environments, which are more likely to be targeted for attacks, automated vulnerability scans of all assets are the only practical way to manage vulnerabilities at scale and in real time. Remediation of vulnerabilities must also be a priority for impacted organizations.
When an organization implements all the Safeguards in Control 7, it has the ability to identify and address OS, app, and device vulnerabilities across the environment.
Unaddressed vulnerabilities can lead to two types of serious problems: those related to data and those related to the physical environment. Vulnerabilities that give attackers access to network traffic and data can put targets at risk for ransomware, data theft, espionage, data exposure, and data loss or corruption. Vulnerabilities that allow attackers to take over the way unmanaged devices operate can lead to unplanned operational downtime, equipment damage, safety risks to workers, and even harm to the public.
Either type of incident can cause expensive, reputation-damaging problems for an organization. Some vulnerabilities impact both data and physical equipment. For example, Armis found 11 zero-day vulnerabilities in the VxWorks operating system, which runs on “over 2 billion devices including critical industrial, medical, and enterprise devices.” This URGENT/11 suite of TCP/IP stack vulnerabilities gives attackers many ways to hijack and control multiple connected devices remotely, as well as ways to leak information and launch denial of service attacks.
Implementing vulnerability management Safeguards can present challenges, and CIS Controls v8 outlines several. They include:
IoT devices, including OT and ICS devices, present their own set of threats and vulnerability management hurdles, as described in the CIS Internet of Things Companion Guide. They include:
All of these challenges are easier to handle with a solution that provides complete device identification—including OS, apps, and physical location—and nondisruptive vulnerability assessment and automation tools for updates.
After an ideal implementation of all Control 7 Safeguards, your organization should have:
Developing, managing, and deploying these processes, scans, and remediations is easier with a solution that can handle unmanaged devices without disruption, detect vulnerabilities in real time, and automate patching and remediation.
The Armis platform allows your organization to achieve complete visibility of all types of assets in your environment. That includes the unmanaged devices that legacy security tools can’t see, and devices that connect temporarily to your networks.
Without disrupting their function, the Armis platform provides real-time risk assessment of every IoT, OT, and ICS device using AI and the Armis Device Knowledgebase, which tracks more than two billion devices. The platform also automates policy enforcement to make response prioritization faster and simpler.
The Armis platform provides this unprecedented visibility with minimal changes or additions to your existing security processes; it integrates with existing IT and security solutions to provide a single source of device truth.
Learn more about how the Armis platform can help you optimize your organization’s vulnerability management program.