Sep 16, 2021

See What’s New in CIS Critical Security Control 12 Version 8


CIS Control 12 Now Addresses IT Infrastructure and Network Management

As networks become more complex, endpoints proliferate and the stakes for network intrusions keep rising, the Center for Internet Security (CIS) has revamped its widely used Critical Security Controls framework to help companies adapt their cybersecurity best practices to keep pace with change. CIS Controls v8, released in May 2021, includes recommendations for organizations with varying levels of cybersecurity resources, and a roadmap for more secure network infrastructure management.

Securing network infrastructure has always been a challenge, due to the number of ports, firewalls, routers and other devices—physical and virtual—in a typical network environment. Now, with the huge increase in remote work, smart devices and wearables, network infrastructure security challenges are growing exponentially.

The risks of insecure network infrastructure are growing, too. Two years after security researchers raised the alarm about ‘Triton’ hackers prodding at the U.S. electrical grid, there are ongoing concerns about network security risks to the power infrastructure. Meanwhile, for-profit hackers exploiting “a configuration issue on a server” at T-Mobile have exposed personal and sensitive data on more than 40 million people who’ve done business with the company, creating massive opportunities for phishing attacks, identity theft, and fraud.

Network security starts with proper infrastructure management. CIS Control 12 can serve as your guide to each step your organization will need to take in order to protect your network and your data, even if your network is complex and growing.

CIS Controls Version 8 Regroups Network Infrastructure and Other Safeguards

If you’re already familiar with the CIS Controls, there are some changes in store for you with this latest version. The most obvious change in Version 8 is the reduction in the total number of Controls from 20 to 18. CIS also renamed the Sub-Controls for each Control. They’re now called Safeguards, and there are 153 in all. These Safeguards are grouped by Control but also by new Implementation Groups (IGs).

Why create Implementation Groups? The goal for CIS is to help “organizations of different classes focus their scarce security resources” while getting the most value possible from the Controls. The result is a set of more tailored maps to security for small, midsize and large businesses as well as for those that handle sensitive or confidential data.

Implementation Group 1 (IG1) includes the 56 basic Safeguards that serve as “the on-ramp to CIS Controls” for businesses that are starting to shore up their cybersecurity. CIS recommends that every organization should adopt these minimum best practices to reduce their risk from common types of cyberattacks.

Small organizations may be able to stop with IG1, as long as they don’t deal with confidential or otherwise sensitive data. Larger organizations with more complex network infrastructures are encouraged to continue with IG2 implementation. The 74 Safeguards in this group are designed to help maintain security in complex environments.

Any organization that handles confidential or sensitive data, such as protected health information, customer records, credit card data or restricted government information, should also implement the 23 IG3 Safeguards that can reduce vulnerability to targeted cyberattacks.

Figure: CIS Controls Implementation Groups (Source: CIS Implementation Groups Handout)

CIS Control 12 Lays the Foundation for Stronger Network Infrastructure Security

Network Infrastructure Management is the focus of CIS Control 12 in Version 8, and the eight Safeguards this Control includes are designed to help your organization track all network devices, report on their status, and correct any vulnerabilities such as outdated or unsupported software, urgent patch requirements or misconfigurations.

Within the basic cyber hygiene Implementation Group, there’s only one Safeguard: “Ensure Network Infrastructure is Up-to-Date” (12.1, IG1). On paper, this sounds simple. In practice, keeping all the software on a network current can get extremely complex quickly, depending on the organization’s structure, device inventory, risk profile, and rate of growth.

For example, a small medical practice may have a relatively static infrastructure with a manageable number of devices and related programs running, while a regional medical center will have to manage computer equipment, staff mobile devices, and connected medical equipment plus consumer devices like smart televisions in lobbies and make sure that all the software is up to date to protect patient information.

At the next implementation level, there are six Safeguards. Two deal with setting up, diagramming and maintaining secure network architecture (12.2, 12.4, IG2), including the need to create rules for segmentation and privilege levels. The other four IG2 Safeguards outline the implementation of:

  • Secure network infrastructure management (12.3)
  • Centralized network authentication, authorization and auditing (AAA network security) (12.5)
  • Secure management and communication protocols (12.6)
  • Enterprise-managed VPN requirements for remote access (12.7)

The final Safeguard for network infrastructure management is to set up and maintain administrative computing resources that are not internet-connected and are segmented from the main network (12.8, IG3). This adds another layer of security to protect network administration controls from intrusions through the internet or the enterprise network.

Figure: CIS Control 12 (Source: CIS Implementation Groups Handout)

Protect Your Critical Network Infrastructure With CIS Control 12

What steps should your organization take to align with CIS Control 12 now?

  1. Identify every device. Armis has found that at least 37% of enterprise environment devices are unmanaged, and as more people wear smartwatches, fitness trackers and personal medical devices to work, the number of network endpoints to identify and secure grows. When you can see every device, its software and its risk profile, you finally have a clear picture of your network.
  2. Identify and manage configurations. Configuration problems, like the one that may have contributed to the T-Mobile breach, are a common challenge for organizations. CIS observes that when user-requested configuration changes are left in place when they’re no longer needed, network device configuration security degrades and becomes increasingly vulnerable to attack. Continuous, comprehensive monitoring can flag configuration issues so you can act.
  3. Identify and manage network segments. Segmentation can protect administrative resources, but as with configurations, exceptions can create security gaps over time. Segment monitoring can alert you when devices communicate across segment boundaries.
  4. Enforce secure communication. Protected health information and other sensitive data should be encrypted as it moves between devices in your network, but lapses can happen. With a platform that continuously monitors your device communication, you can receive alerts when this kind of data is moving unprotected.

  5. Create and maintain network security records. With a solution that logs device data, communication and updates, your security team always has the forensic information it needs for incident review and investigations.
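Steps 3 and 4 above, sketched as an added example (not Armis or CIS code): a check over flow records that flags traffic crossing segment boundaries without an approved rule, and traffic on ports conventionally used by unencrypted protocols. The segment plan, allow-list, port list and sample flows are all constructed for illustration, and classifying by port alone is an assumption that a real monitor would confirm by inspecting the protocol.

```python
import ipaddress

# Hypothetical segment plan (constructed for this example).
SEGMENTS = {
    "admin": ipaddress.ip_network("10.0.10.0/24"),
    "clinical": ipaddress.ip_network("10.0.20.0/24"),
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}
# Approved cross-segment flows: (source segment, destination segment, port).
ALLOWED = {("admin", "clinical", 22), ("admin", "clinical", 443)}
# Ports conventionally used by unencrypted protocols (port-based guess only).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http"}


def segment_of(ip):
    """Return the segment name for an address, or 'external' if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def review_flows(flows):
    """Return findings for unapproved cross-segment and cleartext flows."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d and (s, d, port) not in ALLOWED:
            findings.append(("cross-segment", src, dst, port, f"{s}->{d}"))
        if port in CLEARTEXT_PORTS:
            findings.append(("cleartext", src, dst, port, CLEARTEXT_PORTS[port]))
    return findings


# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.10.5", "10.0.20.8", 22),      # approved admin SSH: no finding
    ("10.0.30.7", "10.0.10.5", 443),     # guest device reaching the admin segment
    ("10.0.10.5", "10.0.20.9", 23),      # telnet management: two findings
    ("10.0.20.8", "10.0.20.9", 80),      # cleartext inside one segment
    ("10.0.20.8", "203.0.113.10", 443),  # traffic leaving the network
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

Removing an entry from `ALLOWED` when a user-requested exception is no longer needed makes the stale flow show up as a finding, which is the configuration drift described in step 2.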

What Are the Risks When Your Network Infrastructure Management Doesn’t Align with CIS Control 12?

Without a comprehensive, real-time view of your network devices, software, segments and communication, your organization is operating in the dark when it comes to security. That can lead to business interruptions, data loss, regulatory and compliance penalties, and additional costs related to remediation, lawsuits and brand damage.

The average cost of a data breach in 2021 is $4.24 million, according to Ponemon Institute data, the highest cost in 17 years of tracking. And for organizations in government, healthcare and industry, network security gaps can create health and safety risks, as well.

What Are the Network Infrastructure Benefits of Full CIS Control 12 Implementation?

Every network can benefit from always-on, real-time security monitoring. For complex networks and those handling sensitive data, this kind of automated security platform is necessary to keep up with software updates and communication monitoring requirements.

The Armis Agentless Device Security Platform helps you secure your network infrastructure by automatically discovering every device in your environment and cataloging their manufacturer, software, update needs and support status. Armis does all of this without disrupting the unagented devices on your network that may control industrial operations, medical care or other sensitive processes.

Armis can help you meet and exceed Safeguard 12.1, which calls for software version reviews at least every month. With Armis, software update notifications are immediate, and updates can be automated to reduce the time that software on your network is out of date or unpatched, while freeing you and your team to focus on other security priorities.

Armis also monitors segmentation (12.8) and communication (12.6) between devices on your network, to alert you if sensitive information is sent unencrypted, if a device makes an unauthorized connection, and if data is being sent out of your network. At the same time, Armis maintains an archive of device connections that your team can use to investigate incidents and search for vulnerabilities.

And lastly, the Armis platform provides traffic analysis to understand traffic load and bandwidth utilization for wired and wireless access points. This analysis helps to identify network issues (e.g., high retransmits) or overloading of a location.

Revamp and Improve Your CIS Controls Practice With Complete Network Device Visibility

Monitoring and managing a network infrastructure is more complex than ever, with a growing number of physical, virtualized, managed and unmanaged endpoints to secure against attackers. Successful network security depends on identifying all devices in your environment and keeping those devices and their software up to date.

That’s a huge and constantly changing task, one that requires an automated solution to show you everything on your network, alert you about required updates and unsupported devices, and help you prioritize your network security to-do list within a single dashboard.

Learn more about how your organization can implement Control 12 and other CIS Controls more effectively with Armis. Get your copy of the CIS Controls white paper.
