The Center for Internet Security (CIS) Top 20 Critical Security Controls are used by companies large and small across all industries to strengthen cybersecurity. While many other frameworks go beyond these security domains, the CIS Top 20 remain an invaluable set of controls for ensuring organizations cover the essential security functions that reduce cyber risk.
CIS Control 1: Inventory & Control of Hardware Assets
CIS Control 1 is strictly about managing an asset inventory for hardware devices, ensuring only authorized devices are given access. It makes sense that this is the first control — after all, you can’t secure company data if you can’t track all the devices and users that have access to it.
Specifically, CIS Control 1 calls for identifying unmanaged devices, including unauthorized devices that shouldn’t have access to the company network.
CIS recommends that organizations:
- Use an active discovery tool to identify assets
- Maintain an accurate and up-to-date inventory of all assets, whether connected to the network or not
Easier Said Than Done
While this control is considered “basic”, managing an asset inventory isn’t always easy.
How do I +1000 it on Twitter? I always say "if you show me an org with great asset management, I will tell you that you found a door to an alternate dimension" :-) — Dr. Anton Chuvakin (@anton_chuvakin) July 25, 2018
Many asset inventories are still managed manually, using Configuration Management Databases (CMDBs) or even spreadsheets. Moreover, many organizations believe they are using an active discovery tool — but in practice, the asset discovery methods used are often periodic and incomplete.
For example, scanning-based approaches may be incomplete because scan cycles are periodic. They often exclude devices that must remain available at all times, like OT and connected medical devices. Scan-based approaches also make it hard to identify ephemeral devices, like containers and virtual machines, which are used for short periods of time.
Agent-based technologies can benefit asset inventories by providing a wealth of information about devices. However, agents are rarely (if ever) applied on all devices. That means it's difficult to rely on them for asset discovery if you want a comprehensive asset inventory.
Organizations frequently use a mix of scanning and agent-based approaches to discover assets. This means that asset inventories are not only incomplete, but also siloed between these sources.
Ultimately, the tools that many organizations use today are siloed — meaning there isn’t one reliable method to both discover and manage assets.
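The gap between siloed sources described above can be made concrete with a small correlation pass. This is an added example, not code from the original post or from Axonius; the record fields, the sample data and the use of the MAC address as the only join key are assumptions.

```python
from datetime import datetime
# Constructed sample records; field names are assumptions, not any product's schema.
SCAN = [  # periodic network scan
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.0.5", "seen": "2024-05-01T02:00:00"},
    {"mac": "00:1a:2b:3c:4d:5f", "ip": "10.0.0.9", "seen": "2024-05-01T02:00:00"},
]
AGENT = [  # endpoint agent check-ins
    {"mac": "001A.2B3C.4D5E", "hostname": "lt-042", "seen": "2024-05-03T09:15:00"},
    {"mac": "00:1A:2B:3C:4D:60", "hostname": "vm-build-7", "seen": "2024-05-03T09:20:00"},
]
CMDB = [  # manually maintained inventory
    {"mac": "00:1A:2B:3C:4D:5E", "owner": "finance"},
    {"mac": "00:1A:2B:3C:4D:61", "owner": "lab"},
]

def norm_mac(raw):
    """Normalize differing MAC notations to lowercase colon-separated hex."""
    h = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def correlate(sources):
    """Merge records from every source into one entry per device, keyed by MAC."""
    assets = {}
    for name, records in sources.items():
        for rec in records:
            a = assets.setdefault(norm_mac(rec["mac"]), {"sources": set(), "last_seen": None})
            a["sources"].add(name)
            a.update({k: v for k, v in rec.items() if k not in ("mac", "seen")})
            if "seen" in rec:  # keep the most recent observation across sources
                ts = datetime.fromisoformat(rec["seen"])
                a["last_seen"] = max(filter(None, [a["last_seen"], ts]))
    return assets

def gaps(assets):
    """Classify the coverage gaps that only show up once sources are joined."""
    out = {"unmanaged": [], "missing_from_cmdb": [], "never_observed": []}
    for mac, a in sorted(assets.items()):
        s = a["sources"]
        if s == {"scan"}:
            out["unmanaged"].append(mac)          # on the network, no agent, not inventoried
        elif "cmdb" not in s:
            out["missing_from_cmdb"].append(mac)  # a tool knows it, the inventory does not
        elif s == {"cmdb"}:
            out["never_observed"].append(mac)     # inventoried, but no tool has seen it
    return out
ASSETS = correlate({"scan": SCAN, "agent": AGENT, "cmdb": CMDB})
REPORT = gaps(ASSETS)
```

A MAC address alone is a weak join key for ephemeral devices such as containers and virtual machines, so a production correlation would also match on other identifiers such as serial number or hostname.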
How Axonius Makes Meeting CIS Control 1 Easier
By connecting to solutions that already know about assets, Axonius aggregates, correlates, and normalizes asset information to provide an always up-to-date, comprehensive asset inventory. This includes hardware assets connected to an organization's network. Rich information for each hardware device often details operating systems, installed software, vulnerable software, agent versions, and more.
The Axonius Cybersecurity Asset Management Platform automatically identifies unmanaged and IoT devices as well as ephemeral devices such as cloud containers and virtual machines. When devices are found missing from asset inventories or need to be updated with the latest information, teams can use Axonius to automatically update CMDBs or send alerts to teams in their platform of choice.