The Rapid7 Security Advisory Service relies heavily on the CIS top 20 critical controls as a framework for security program analysis because they are universally applicable to information security and IT governance. Correct implementation of all 20 of the critical controls greatly reduces security risk, lowers operational costs, and significantly improves any organization’s defensive posture. The 20 critical controls are divided into System, Network, and Application families, and each control can be subdivided into sections in order to facilitate implementation and analysis.
The first of the 20 controls, “Inventory of Authorized and Unauthorized Devices” is split into 6 focused sections relating to network access control, automation and asset management. The control specifically addresses the need for awareness of what’s connected to your network (Tip: Don't forget to scan your network for IoT devices), as well as the need for proper internal inventory management and management automation. Implementing inventory control is probably the least glamorous way to improve a security program, but if it's done right it reduces insider threat and loss risks, cleans up the IT environment and improves the other 19 controls.
What it is:
The Inventory of Authorized and Unauthorized Devices is part of the “systems” group of the CIS top 20 critical security controls. It specifically addresses the need for awareness of what is on your network, as well as awareness of what shouldn’t be. Sections 1.1, 1.3 and 1.4 address the need for automated tracking and inventory, while 1.2, 1.5 and 1.6 are related to device-level network access control and management. The theme of the control is fairly simple; You should be able to see what is on your network, know which systems belong to whom, and use this information to prevent unauthorized users from connecting to the network. High maturity organizations often address the automation and management sections of this control well, but Rapid7 often sees gaps around network access control based on inventory due to the perceived complexity of implementing NAC.
How to implement it:
There are numerous effective ways to implement the Inventory of Authorized and Unauthorized Devices control. Many of them will also significantly improve the implementation of other controls relating to network access, asset configuration, and system management. Successful implementations often focus on bridging existing system inventory or configuration management services and device-based network access control. The inventory management portion is usually based on software or endpoint management services such as SCCM, while access control can leverage existing network technology to limit device access to networks.
Robust implementation of DHCP logging and management will effectively address sections 1.1, 1.2, and 1.4 of Critical Control #1. Deploying DHCP logging and using the outputs to establish awareness of what is currently connected to the network is an extremely good first step to full implementation. Tracking DHCP activity has an additional impact on the IT support and management side of the organization, as well; it serves as a sort of “early warning” system for network misconfiguration and management issues. For organizations with a SIEM solution or centralized audit repository, ingested DHCP logs can allow correlation with other security and network events. Correlating the logs against additional system information from tools like SCCM or event monitoring services can also assist with inventory tracking and automated inventory management, which has added benefits on the financial and operations management side of the shop, as well.
- For DHCP-enabled network segments that have lower change rates (non-workstation segments) consider adding a detective control such as a notification of a new DHCP lease. Backup, VOIP, or network device management networks are often effective conduits for an attacker’s lateral movement efforts, and usually don’t have a high amount of device churn, so increasing detective controls there may create little administrative overhead and increase the possibility of detecting indicators of compromise.
- The Inventory of Authorized and Unauthorized Devices control also recommends the use of automated inventory tools that scan the network to discover new systems or devices, as well as tracking the changes made to existing systems. While DHCP logging is an effective basic measure, tools such as SCCM, KACE, Munki, and SolarWinds effectively lower the effort and time surrounding inventory management, asset configuration, and system management.
- Many customers with existing Microsoft Enterprise Agreements may already have licenses available for SCCM. When combined with Certificate Authorities, Group Policies, and some creativity with Powershell, a handful of Administrators can maintain awareness and control of authorized devices to address many aspects of this foundational critical control.
- If you’re a Nexpose customer, thank you, and Nexpose will let you import your DHCP logs into your deployment to perform dynamic scans of new assets joining your network.
Even if you don’t use SCCM or Nexpose, most agent-based system discovery and configuration management will allow organizations to address this control and other governance requirements. Effective implementation of inventory based access control will let the organization see and manage what is connecting to their network, which is critical for any good security program. While management tools often require time and effort to deploy, the cost benefit is significant; it allows smaller IT teams to have a major impact on their network quickly, and assists with patching, situational awareness, and malware defense.
Hat tip and thanks to Jason Beatty and Magen Wu for application-specific info and editorial suggestions.