The Center for Internet Security (CIS) publishes a set of defense-in-depth best practices called the “CIS Critical Security Controls” that are in the toolkit of every security professional. The Critical Security Controls have been developed over time by a community of experts who apply their first-hand experience with real world attacks and mitigations to give security practitioners a set of fundamental and valuable actions that every enterprise should take.
The Critical Security Controls (20 in total) span everything from Basic elements such as hardware and software inventory, to Foundational elements such as malware and boundary defenses, to Organizational components such as awareness & training programs.
Overall, the Critical Security Controls have developed a great reputation for being both effective and practical. They help security teams stay focused on the day-to-day issues of running a comprehensive security program. Despite the success that CIS has achieved with the Critical Security Controls framework, there are still challenges and areas of exposure. There are two primary challenges IT and Security professionals still face.
CIS Control - Challenge One
The management and security of traditional devices like laptops and servers is still a significant concern. How confident are you in the quality of information in your CMDB? I talk with IT and Security professionals every week, and they candidly share the challenges with the accuracy of their data, the fractured siloes in which device data sits, and the inability to automate processes and security controls.
In a recent webinar, we discussed these challenges with the CISO of Bain Capital, Mark Sutton.
“The CMDB is supposed to be the crown jewels and secret sauce behind everything on your network. Every server, every application, every asset. And then with that, it's supposed to come with owners and dependencies to all of those entities that are inside that CMDB base. The challenge with that, though, is in everyone's environment today, all of those things are very, very fluid. Employees are moving roles and responsibilities, coming in and out of the organization. Servers come on and off line. Workstations change IP address. And now as you move through the cloud, that's compounded even more so by such a rapid rate of change. So the fact that we no longer have this source of truth for us to understand everything that's inside our network, everything that's connected to our network can create some huge challenges down the line.”
The fact is, at a minimum, organizations struggle to meet CIS 1, 2, and 3 - seeing all their hardware assets, the applications running on those devices, and the vulnerabilities associated with them. What security teams struggle with has to do with the siloed nature and narrow scope of their existing security & management tools as applied to traditional managed computers. Each tool knows a little bit about your environment, but they don’t share information, and this makes it hard to answer real-world questions such as:
- What computer had a specific IP address 2 months ago? Who owns that device? (CIS Control 1)
- What applications and versions do I have installed across my entire environment (CIS Control 2)? Am I running any devices with an unpatched version of Chrome or other application?
- How many vulnerable assets do I have, by CVE, business unit, or location? (CIS Control 3)
CIS Control - Challenge Two
The second challenge is applying traditional security controls—like the ones that you probably already own—to unmanaged and IoT devices. Legacy IT and security management solutions simply won’t work. In fact, CIS acknowledged this problem last year when they published the CIS Controls Internet of Things Companion Guide. The Guide even highlights that:
“IoT devices have become embedded into enterprises across the globe and often can’t be secured via standard enterprise security methods… Typical asset tracking tools may not work out of the box with IoT devices. Network scans for legacy and nontraditional devices may be dangerous to device, network, and system stability, potentially leaving IoT endpoints in an error state.”
The CIS document goes on to list challenges associated with each of the 20 Controls if you try to apply them to unmanaged and IoT devices.
What is an IoT device? Even CIS acknowledges there is no one definition of an IoT device. We see them as any unmanaged or un-agentable devices connecting to the network such as smart TVs, webcams, printers, HVAC systems, building automation systems and industrial control systems, PLCs, medical devices and more.
If security teams felt confident that they could just ignore these “nontraditional” devices, that would be fine. But this raises one critical concern. Our research shows that by 2021, 90% of the devices in businesses will be unmanaged, un-agentable, and/or IoT - significantly outnumbering traditional computers in most enterprises. If you ignore them, you are leaving your network open to attack, as Microsoft discussed at last year’s Black Hat conference.
Covering the Gaps
Armis maps to 11 of the 20 CIS Critical Security Controls.
As an agentless device security platform, Armis addresses both of the challenges outlined above. Armis provides a broad range of security functions that span 11 of the 20 Critical Security Controls as shown in the diagram above. Because Armis does not require agents, it works with all types of assets — managed, unmanaged, and IoT devices — and solves many of the challenges listed by CIS in their Internet of Things Companion Guide. And by aggregating, normalizing and correlating information from your existing disparate security tools, Armis is able to help you easily answer many kinds of real-world questions.
To learn more about how Armis aligns to the CIS Critical Security Controls, download our CIS Controls white paper.