New CIS Control 1 V.8 Still Poses Challenges for Un-Agentable Assets

The CIS Critical Security Controls—one of the best-known frameworks for network security— have been revised and streamlined to keep pace with the “ever-changing cyber ecosystem.” With CIS Controls v8, the framework has a new consolidated list of controls and safeguards (formerly called sub-controls). CIS made these updates to make it easier for IT professionals to secure a variety of new devices, software applications and communication channels.

Even though the CIS Controls are now streamlined and updated, a lot of IT and security teams still face a big hurdle in implementing the foundational CIS Control 1, which focuses on ITAM best practices. That’s because many organizations can’t identify all the devices on their networks in real-time, including unagentable devices like smart TVs, HVAC systems, security cameras, virtual devices, cloud assets, and just-passing-through devices like the consultant’s smartphone that’s accessing the organization’s visitor Wi-Fi network.

Legacy network scanners can’t see unagentable devices, and they can miss devices that appear on and disappear from the network between scheduled scans. These traditional scanners can also disrupt the function of unagentable devices that can control critical industrial, operational and healthcare processes.

Meanwhile, control of hardware assets is increasingly critical to prevent hazards like Mozi botnet attacks, which rose dramatically during 2020 and can launch DDoS attacks, command-execution attacks, payload executions and more. Mozi has been such a pervasive threat that it comprised 90% of visible IoT traffic in the first half of 2020. Without a comprehensive inventory of all hardware assets, effective network defense against these kinds of threats is impossible.

By using agentless technology that identifies every device, organizations can fully implement CIS Control 1 and lay a strong foundation for the rest of their CIS Controls program. Let’s look at the new CIS Controls v8, CIS Control 1 and the tools that support implementation to see how it can work.

How is the New Version of the CIS Control Framework Structured?

CIS consolidated the 20 Controls in previous frameworks down to 18 Controls in Version 8. The Safeguards—individual steps within each Control—are sorted into three Implementation Groups. These groups are designed to help organizations prioritize security tasks, starting with basic cyber hygiene (IG1), moving on to IT infrastructure management (IG2) and concluding with data protection (IG3).

CIS describes an IG1 enterprise as an SMB with “limited IT and cybersecurity expertise” that’s simply trying to remain operational and doesn’t need to protect sensitive data. An IG2 organization has an IT infrastructure to protect that spans departments and has a variety of risks, which could be regulatory and/or data related. At the IG3 level, security experts protect sensitive data, prevent system intrusions and maintain CIS level 1 compliance. Each IG level builds on the level below it.

What Hardware Security Practices Does CIS Control 1 Require Now?

CIS Control 1 focuses on inventory and control of hardware assets. IG1 lays the foundation with safeguards 1.1, taking hardware inventory and then maintaining its accuracy, and 1.2, dealing with any unauthorized devices your inventory reveals.

IG2 layers on the use of an active discovery tool (1.3) and dynamic host configuration protocol (DHCP) logging to keep your hardware inventory current (1.4).

The final safeguard in Control 1 is to implement a passive asset discovery tool (1.5) to locate unagentable devices like medical devices, industrial control systems and other IoT devices.

Source: CIS Implementation Groups Handout

Because CIS Control 2 focuses on identifying all the software on your network, it’s crucial that you identify all the hardware first. Otherwise, you can miss devices running programs that put your network security at risk.

What Challenges Can You Face as You Put Control 1 Safeguards in Place?

Managing hardware gets more complex with every new device that’s introduced to your network. Here are a few of the challenges.

Invisible devices. We’ve done the math and estimate that by the end of 2021, nine of every 10 enterprise devices will be unmanageable with legacy security solutions.

Source: Armis

Each new endpoint increases your attack surface, and if you can’t see those endpoints, you can’t secure them. Worse, if a team mistakenly thinks their legacy asset discovery solution covers everything, they can operate from a position of false confidence, not knowing what they’re not seeing. The Armis Agentless Device Security Platform provides advanced endpoint defense for malware protection, as it can detect and trace unmanaged devices.

Disruption of critical operations. Agented devices can interfere with unagented medical devices, OT and ICS devices and other hardware that handles crucial tasks like patient monitoring, production line operation and equipment function.

More device data to log and analyze. These devices introduce a huge variety of apps, operating systems, communication protocols and risk profiles to your network security controls. And because these devices may pop on and off the network or move around, their communication profiles and locations may change over time.

Unless you have a way to monitor and log all of that activity, it’s difficult or impossible to answer investigative questions like “What IP address did this laptop have last month, and who owns it?”

Creation of hard-to-manage data silos. Using a collage of different discovery tools to try to reach all your devices can result in siloed data that has to be managed manually. This slows down device vulnerability assessment, inventory updates, threat detection and response.

What Are the Risks When ITAM Fails to Meet CIS Control 1 Standards?

Ransomware is the network security risk that’s getting the most attention right now. Ransomware attacks on organizations like pipeline operators, meatpacking plants and schools now routinely create acute disruptions of daily life. For enterprises, these attacks can destroy or expose sensitive data, create costly business interruptions, cause extensive brand damage and result in expensive litigation and/or regulatory penalties.

There can be lethal effects, too. For example, a 2019 review of U.S. Department of Health and Human Services data on hospitals that were hit with cyberattacks found higher heart-attack patient mortality rates (an extra 36 deaths per 10,000 heart attacks) during the cyberattack remediation phase—up to three years after the breach. The researchers who analyzed the data concluded that breach remediation slowed down the delivery of patient care.

What Does Optimal CIS Control 1 Attainment Look Like?

Unlike a legacy active scanning solution, an agentless, passive monitoring solution can identify agented and unagented devices, including virtual machines and devices that are only on the network temporarily. Because The Armis Platform is always on, there is no risk of missing devices that access the network between scans, and your hardware inventory is always current.

As The Armis Platform identifies each device, it checks it against the Armis Device Knowledgebase, which contains data on more than a billion devices, including known vulnerabilities and risks, banned-device status, the need for patches and updates, DHCP fingerprints and more. Armis also monitors communication among devices on the network and from devices to machines and websites outside your network. These attributes generate a risk score that your team can use to identify and remove unauthorized devices from your network information security controls quickly.

Because The Armis Platform identifies all the hardware on your network, flags vulnerable and risky devices, and updates the device inventory in real time, it makes it possible to implement CIS Control 1 quickly and completely, without investing in multiple solutions and manually reconciling siloed data.

Start or Upgrade Your CIS Controls Adherence With Total Hardware Visibility

The proliferation of unmanaged devices has made legacy security tools and practices incomplete at best and obsolete at worst. Now is the time to move to a comprehensive, automated solution that identifies every device—even temporary and virtual devices—and checks them against a huge knowledgebase of the most current security and performance data available, so you can implement CIS Control 1 correctly and build a strong foundation for following the rest of the CIS Controls.

Learn more about implementing Control 1 and other CIS Controls with Armis. Get your copy of the CIS Controls white paper.