For years, the Cyber Security Agency of Singapore (CSA) has been working to protect the country from the risk of cyber attack. In 2018, the agency released its Singapore Cybersecurity Act, which established a legal framework for the oversight and maintenance of national cybersecurity in Singapore. And in 2022, in accordance with the Cybersecurity Act, CSA published the Cybersecurity Code of Practice for Critical Information Infrastructure – Second Edition (CCoP2.0) in an effort to specify the minimum cybersecurity requirements that critical infrastructure operators should implement.
What is CCoP2.0?
CCoP2.0 is the second edition of the Cybersecurity Code-of-Practice issued by CSA, and it went into effect on 4 July 2022. It outlines the cybersecurity capabilities every Critical Information Infrastructure Owner (CIIO) should have that can help them better protect and defend their organisation against cyber threats.
The second edition covers a wider variety of topics than the first edition and applies to CIIOs across 11 critical sectors, including healthcare, banking and finance, energy, and others. The cybersecurity capabilities recommended include network security, patch management, incident response, and even asset management. Listed under section 4.1 of the “Identification Requirements,” asset management is defined as:
“Asset management includes creating and maintaining a comprehensive inventory of all CII assets, including hardware and software. This is a key component in ensuring cybersecurity as it provides visibility of CII assets and allows operators to prioritize assets for protection.”
But gaining an accurate and comprehensive asset inventory is just one piece of asset management. Being able to use the inventory’s asset intelligence to then identify security gaps and enforce security policies is where the real value comes in.
How to Comply With CCoP2.0 Requirements
To ensure asset security and meet CCoP2.0 asset management requirements, here are some of the necessary actions every CIIO needs to take.
1. Perform automated asset discovery
Maintaining an up-to-date inventory of assets is essential for good cybersecurity posture, but it’s become increasingly difficult. Today, IT and security teams struggle to manage a complex sprawl of devices, users, cloud services, applications, and software. Traditional asset management methods, including spreadsheets and collecting information from different siloed sources, are unsuitable for this growing environment. They are too time-consuming (Axonius estimates that each manual asset audit takes about 86 hours of labor), and they lead to significant asset inventory and data knowledge gaps that exacerbate a CIIO’s security challenges.
That’s why automation is so important. With automated and comprehensive asset discovery, CIIOs can find assets at any cadence and not be tied to periodic and time-consuming manual scanning cycles. Their inventories can be updated in real-time, ensuring that they always have a handle on which assets are being used on their networks.
2. Enumerate vulnerabilities across all discovered assets
CCoP2.0 requires CIIOs to monitor for new vulnerabilities and apply security patches in a timely manner. But correlating assets to known vulnerabilities, remediating them, and then double-checking to ensure everything’s been patched can be a difficult and onerous manual task. Even if security personnel keep a running tally of known vulnerabilities, combing through a thicket of asset intelligence compiled through disparate sources can be confusing and error-prone. It also takes a lot of time.
It’s better to employ an automated system to quickly correlate information from disparate sources and assets, including those that IT may not know about. Find an asset management solution that uses API-based integrations to bring in context from hundreds of different data sources to create a comprehensive “single source of truth” for all assets. This process greatly simplifies asset and vulnerability management so that CIIOs can quickly collect accurate information and stay in compliance with CCoP2.0.
3. Improve incident response
Per CCoP2.0, CIIOs must “minimise the impact of cybersecurity incidents through processes that include the identification, containment and eradication of cybersecurity threats, and the recovery of systems, root-cause analysis and implementation of corrective actions to prevent recurrence.” In other words, CIIOs need effective incident response.
Incident response management is often weakened due to slow, incomplete alert triage. Security analysts often receive alerts that tell them what happened and how it happened, but they still spend a great deal of time tracking down all of the information necessary to completely understand the full scope and whether or not events are isolated or a larger incident that needs to be escalated to management.
A large reason for this is because of poor asset intelligence: security analysts simply don’t have enough context around devices, which users are (or were) associated with them, and rich information from numerous data sources in one place.
And this is where asset intelligence comes in. An asset intelligence solution can provide rich information on devices, users, and cloud assets so that security analysts can easily correlate alerts with asset data and answer questions such as:
- Which devices and users were associated with the alerts?
- Where are relevant devices located?
- What software is running on the device?
- Which users are associated with the device?
- What was the state of assets affected on a particular date?
A Modern Approach to Asset Intelligence
Each of the aforementioned actions highlight the need for a more comprehensive and modern approach to protecting attack surfaces. No longer is “good enough” good enough. CIIOs need complete confidence that they have total and clear visibility into every asset, security gap, and potential vulnerability. They also need to be able to manage, remediate, and report on all three of them very quickly.
Axonius can help. Our solutions can help any CIIO create a comprehensive asset inventory, identify security gaps, and enforce the CCoP2.0 cybersecurity requirements. Our work with federal governments exemplifies the effectiveness of automated cybersecurity asset management as a fundamental component of meeting federal mandates, including those set forth by the Cyber Security Agency of Singapore (CSA). Interested in learning more about Axonius? Request a demo.
