Skip to content

    The Center for Internet Security (CIS) Top 20 Critical Security Controls are used by companies large and small across all industries to strengthen cybersecurity. While many other frameworks go beyond these security domains, the CIS Top 20 remains an invaluable control to ensure organizations are covering essential security functions that reduce cyber risk.

    Previously, we covered how Axonius helps achieve and maintain CIS Control CIS Control 1and CIS Control 2. In this blog, we’ll talk about how Axonius helps maintain CIS Control 3.

    CIS Control 3: Continuous Vulnerability Management

    CIS Control 3 helps organizations minimize opportunities for attackers by continuously identifying and remediating vulnerabilities. The control specifies that organizations should utilize a vulnerability scanning tool to scan all systems on a network at least weekly, if not more frequently.

    It also details that organizations should use automated software update tools to ensure operating systems are running the most recent security updates provided by software vendors.

    Scanning is Easy — Ensuring Full Vulnerability Management Coverage Isn’t

    Vulnerability management tools have existed for years now and are a staple of any security program. However, today’s dynamic and complex IT environment means that maintaining vulnerability management tools is harder than ever.

    For instance, the rapid creation of new cloud workloads, virtual machines, or provisioning of devices means that ensuring complete vulnerability scan coverage is easier said than done.

    The same holds true for finding devices that already have outdated, vulnerable software. Vulnerability scanners do a great job finding outdated software— but what about devices that aren’t in the scope of current scans?

    With many employees working remotely, security teams may also rely on IT or endpoint security agents to gather vulnerability data devices. Ensuring all devices have these necessary agents is also difficult (more on that topic here).

    How Axonius Makes Meeting CIS Control 3 Easier


    Axonius integrates with leading vulnerability management platforms to provide a correlated view of vulnerabilities and severity levels for each asset. Other adapter sources, such as cloud security and endpoint security adapters often include vulnerability information.

    Finding the Presence of Vulnerable Software

    Finding the presence of vulnerable software in Axonius is simple. The Axonius Query Wizard can be used to search for the presence of vulnerable software from any adapter source, as well as vulnerability severity level, specific CVE identifiers, and more.

    Find Devices That Haven’t Been Assessed for Vulnerabilities Recently (or at all)

    By combining vulnerability assessment adapters with additional adapter connections, Axonius surfaces devices where vulnerability scans are outdated, or missing completely. You can use the Axonius Query Wizard to search for unscanned devices on specific network segments, by operating system version, and more.

    Update The Scope of Vulnerability Assessments

    It’s not enough to simply find devices out of the scope of scans. Using the Axonius Security Policy Enforcement, you can automatically update and add unscanned devices to asset groups and scheduled scans in Qualys, Tenable, or Rapid7.

    Using the automation of the Axonius Cybersecurity Asset Management platform, maintaining CIS Control 3 is a lot less of a headache.

    Want to learn how Axonius maps to all of the CIS Top 20 Critical Security Controls? See how Axonius supports each control here.

    Sign up to get first access to our latest resources