Many organizations trust the Center for Internet Security (CIS) for hardening guides and policy frameworks for information security. In this article, we discuss how ActZero can meet 15 of the top 20 controls and assist with the other 5.
Catch Up: If you need to familiarize yourself with the requirements, see the CIS Top 20. ActZero Managed Detection and Response (MDR) services use our Gartner-recognized security platform and our outsourced Risk Mitigation Center (RMC) SOC to achieve compliance with the CIS Top 20. Below is how we address each requirement.
1) Inventory of Authorized and Unauthorized Devices
We support tracking, monitoring and controlling device connections. ActZero can survey the network and passively listen to DHCP messages to identify all devices and create a living inventory of each asset. This information is collected automatically and populated in our console. We can also set up alerts to notify administrators of new devices as they are attached to the network (with a 5-10 minute delay, depending on the size of the network).
See graphic below: a summary of all devices and security issues from our dashboard:
A detailed view of the connected port, MAC address and "Authorization" of each device:
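The passive DHCP inventory described above, as an added illustration that is not ActZero's code: it parses the BOOTP header and the host-name and vendor-class options of each DHCP message, keys a living inventory by MAC address, and raises an alert only on a device's first sighting. The DHCPDISCOVER frames are constructed in the script (not captured traffic); field offsets follow RFC 2131/2132.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP option magic cookie (RFC 2132)

def parse_dhcp(payload: bytes) -> dict:
    """Pull the identity fields an inventory needs out of one BOOTP/DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                              # hardware address length (6 for Ethernet)
    rec = {"mac": payload[28:28 + hlen].hex(":")}  # chaddr field
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end-of-options marker
        code = payload[i]
        if code == 0:                              # pad byte has no length field
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 12:                             # host name option
            rec["hostname"] = value.decode("ascii", "replace")
        elif code == 60:                           # vendor class identifier option
            rec["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return rec

class Inventory:
    """Living asset list keyed by MAC; observe() returns True the first time a MAC is seen."""
    def __init__(self):
        self.devices = {}
    def observe(self, rec: dict) -> bool:
        is_new = rec["mac"] not in self.devices
        entry = self.devices.setdefault(rec["mac"], {"authorized": False})  # admin marks later
        entry.update({k: rec[k] for k in ("hostname", "vendor_class") if k in rec})
        return is_new

def new_device_alerts(inv: Inventory, frames) -> list:
    """Run DHCP payloads through the inventory and return one alert per first sighting."""
    alerts = []
    for rec in map(parse_dhcp, frames):
        if inv.observe(rec):
            alerts.append(f"new device {rec['mac']} host={rec.get('hostname')}")
    return alerts

def build_discover(mac: str, hostname: str, vendor: str) -> bytes:
    """Constructed sample DHCPDISCOVER (not captured traffic) used to exercise the parser."""
    hw = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH16s16s64s128s", 1, 1, len(hw), 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 16, hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, 1, 12, len(hostname)]) + hostname.encode()   # 53 = msg type DISCOVER
    return header + MAGIC + opts + bytes([60, len(vendor)]) + vendor.encode() + b"\xff"
```

In a real deployment the frames would come from a UDP socket bound to port 67/68 (or a pcap feed), and the `authorized` flag is what an administrator flips after reviewing the alert.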
2) Inventory of Authorized and Unauthorized Software
We support collecting, monitoring and controlling software on endpoints. Software inventory is centrally collected and reported by the ActZero sensors. Unlike desktop-only monitors, ActZero supports applications on iOS, Android, Chromebook, Windows and Macintosh. See the inventory screenshots from our dashboard below:
3) Secure Configurations for Hardware and Software
CIS hardening guides are used to enforce secure configurations, and imaging software is used to maintain a standard build. ActZero sensors are part of the image but do not play a part in control #3.
4) Continuous Vulnerability Assessment and Remediation
ActZero's Vulnerability Scanner is part of the MDR platform; it proactively scans the local network for issues and provides remediation advice. See screenshot below:
5) Controlled Use of Administrative Privileges
ActZero monitors system logs and endpoint processes for use of Administrative Privileges and changes to accounts. See screenshot below:
6) Maintenance, Monitoring, and Analysis of Audit Logs
ActZero collects and analyzes audit logs across multiple operating systems to monitor and manage security response for customers. Logs may be collected from firewalls/IPS, endpoints and applications. See screenshot below:
7) Email and Web Browser Protections
ActZero monitors browsers and anti-phishing protection on the operating system as part of its compliance and application inventory.
8) Malware Defenses
ActZero monitors endpoint anti-malware by examining the operating system for the last scan, the last AV definition update, real-time protection status, and the running state of any anti-virus software present. ActZero also functions as an Endpoint Detection and Response (EDR) agent, examining the security impact of changes to the operating system in order to block or quarantine devices that have malicious software or exploits not tracked by the anti-virus:
9) Limitation and Control of Network Ports
ActZero performs port scans across the network to determine whether open ports are in use. Using our sensor, ActZero can also map these ports to processes and identify malicious activity. See screenshot below:
10) Data Recovery Capability
ActZero audits endpoints for file backups to ensure that files are recoverable after an incident. See screenshot below:
11) Secure Configurations for Network Devices
While the service includes scans of network configuration, the team does not regularly compare firewall configurations unless the firewalls are managed as part of the service. This can be added to the service if required for certain vendor types.
12) Boundary Defense
As with #11, a review of boundary defenses is not included by default but may be added to the MDR service for certain firewall vendors.
13) Data Protection
ActZero audits encryption of disks and file systems, and its EDR agents can also function as USB controls, detecting in-flight exfiltration and stopping it using a variety of mechanisms. See screenshots below:
14) Controlled Access Based on the Need to Know
ActZero supports authentication of devices by MAC address, certificate (built-in CA only) or guest username and password (local database only). This can provide dynamic VLAN segmentation and enforce the need-to-know requirement of CIS. See Policy Overview.
15) Wireless Access Control
ActZero is a Gartner-recognized Network Access Control system. We provide 802.1X authentication of devices to wireless networks (as well as wired) using built-in certificates distributed through our sensors, or, for IoT devices, using the MAC address. We also have a local database to authenticate guest users. See Network Access Control.
16) Account Monitoring and Control
ActZero supports account monitoring through log management and EDR agents, which track the use of expired accounts through system logs. Auditing of systems for expired accounts may also need to be performed manually.
17) Security Skills Assessment and Appropriate Training to Fill Gaps
ActZero provides a service that includes qualified and capable staff trained in cybersecurity for the purpose of protecting your network. This helps to ensure that qualified analysts are monitoring your environment and are retained and trained as part of your program.
18) Application Software Security
ActZero does not support the WAF requirement. ActZero does support checking the version of software in use on endpoints. See screenshot below:
19) Incident Response and Management
ActZero MDR supports incident response management by keeping track of all OS modifications and looking for high-impact behavior. After an attack, the ActZero team has already collected all the necessary file, registry, DNS, IP and process information to determine whether sensitive data was accessed and what artifacts remain after an infection, providing very accurate remediation and breach notification.
20) Penetration Tests and Red Team Exercises
ActZero MDR can include a bi-annual penetration test that uses specialized tactics.
How do you examine your own environment for these capabilities using ActZero? We offer a Prevention Posture Assessment to cover the main areas of our service and provide you with documentation on your own environment to show how we can help.