Apply Zero Trust Isolation™ to CIS Critical Security Controls v8
Understanding the importance of CIS v8 controls
The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 was updated to keep up with modern systems and software: the movement to cloud-based computing, virtualization, mobility, outsourcing, work-from-home, and changing attacker tactics prompted the revision, and v8 is written to support an enterprise's security as it moves to full-cloud and hybrid environments.
The CIS Controls also cross-map directly to a number of other compliance and security standards, many of them industry-specific, including NIST SP 800-53, PCI DSS, FISMA, and HIPAA, so organizations that must follow those regulations can use the CIS Controls as an aid to compliance. In addition, the NIST Cybersecurity Framework, another tool commonly employed to streamline and strengthen an organization's security posture, lists the CIS Controls as an informative reference for many of its recommended practices.
Applying CIS v8 controls to OT/ICS/IOT platforms for micro-segmentation
The CIS Controls are important because they reduce the risk of data breaches, data leaks, theft of intellectual property, corporate espionage, identity theft, privacy loss, denial of service and other cyber threats. The CIS Controls reflect the combined knowledge of experts from all parts of the ecosystem (companies, governments, individuals), in all roles (threat responders and analysts, technologists, IT operators and defenders, vulnerability researchers, toolmakers, solution providers, users, policy-makers, auditors, and others), and from a wide range of industries (government, power, defense, finance, transportation, academia, consulting, security, IT, and others), who worked together to develop and maintain the Controls. CIS has stated that implementing just the basic Safeguards can prevent roughly 85% of common cyber-attacks.
Not every CIS v8 Safeguard applies directly to OT/ICS/IoT devices. Most of these industrial devices reside in closed-loop networks with very little exposure to outside systems, and many CIS Safeguards are written for classic IT networks and workloads. By leveraging Airgap's agentless approach, industrial, healthcare, and control-system organizations can add deeper containment and compartmentalization for their closed-loop devices by segmenting flat networks into protection zones.
How to microsegment a flat network with Airgap
Airgap provides agentless modern segmentation that shrinks a flat network and applies zero trust, granular intra-VLAN controls down to the protocol level. Many industrial control systems (ICS) and national critical infrastructure (NCI) environments have a much lower, or zero, tolerance for disruption and downtime, which follows from the fact that these environments change very infrequently. Below we go over the CIS Controls v8, published in 2021, and give a high-level view of where Airgap comes into play.
According to the latest Center for Internet Security (CIS) mapping, Airgap Networks aligns with several data governance and compliance regimes. With Airgap's Ransomware Kill Switch, customers get agentless ransomware incident response within their microsegments. A typical organization takes hours or days to detect and respond to a ransomware attack, and often resorts to the draconian approach of shutting down the entire network during a cyber event, with real operational impact. Airgap therefore built a specialized ransomware kill switch that surgically stops ransomware propagation without that operational impact.
Airgap aligns with several CIS controls under version 8:
Control 1: Inventory and Control of Enterprise Assets
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, including end-user devices, network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address, hardware address, machine name, enterprise asset owner, and department for each asset, and whether the asset has been approved to connect to the network. Ensure that a process exists to address unauthorized assets on a weekly basis. Airgap Zero Trust Isolation™ segregates the different endpoints on a production line and reduces the attack surface by requiring SSO/MFA before access is granted, so an unauthorized asset cannot reach its neighbors.
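The weekly "address unauthorized assets" process in Safeguard 1.2 is, at its core, a reconciliation of what is actually on the wire against the approved inventory. The script below is an added example (not Airgap code) that does exactly that: it normalizes hardware addresses written in different vendor formats, compares a constructed snapshot of observed devices (the kind of data an ARP cache, DHCP lease table or switch MAC table gives you) against a constructed approved inventory carrying the fields the Control lists, and returns the findings plus the addresses that should be quarantined until someone reviews them. The inventory, the observed snapshot and the finding categories are assumptions for illustration.

```python
"""Reconcile observed devices against an approved asset inventory (CIS Control 1).

Added example, not Airgap's software. Inventory fields follow the Control:
network address, hardware address, machine name, owner, department, approved flag.
"""
from dataclasses import dataclass
import re


@dataclass
class Asset:
    ip: str
    mac: str
    name: str
    owner: str
    department: str
    approved: bool


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


# Constructed approved inventory (the system of record), not real devices.
INVENTORY = [
    Asset("10.20.1.10", "00:1c:06:aa:bb:01", "plc-line1", "ot-team", "production", True),
    Asset("10.20.1.11", "00:1c:06:aa:bb:02", "hmi-line1", "ot-team", "production", True),
    Asset("10.20.1.50", "b8:27:eb:12:34:56", "vendor-laptop", "contractor", "maintenance", False),
]

# Constructed observation, as if parsed from `arp -a` or a DHCP lease table.
OBSERVED = [
    ("10.20.1.10", "00-1C-06-AA-BB-01"),  # matches the inventory
    ("10.20.1.11", "001c.06aa.bb03"),      # known IP, but a different MAC: hardware was swapped or spoofed
    ("10.20.1.50", "b8:27:eb:12:34:56"),   # known device that is not approved to connect
    ("10.20.1.77", "dc:a6:32:00:11:22"),   # never seen before
]


def reconcile(inventory, observed):
    """Return (ip, mac, finding, inventory_name) for every observed device that needs attention."""
    by_mac = {normalize_mac(a.mac): a for a in inventory}
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for ip, raw_mac in observed:
        mac = normalize_mac(raw_mac)
        asset = by_mac.get(mac)
        if asset is None:
            if ip in by_ip:
                # Something new is answering for an inventoried address.
                findings.append((ip, mac, "hardware_changed", by_ip[ip].name))
            else:
                findings.append((ip, mac, "unknown_asset", None))
        elif not asset.approved:
            findings.append((ip, mac, "not_approved", asset.name))
        elif asset.ip != ip:
            # Same hardware at a new address: usually DHCP, but worth recording.
            findings.append((ip, mac, "address_changed", asset.name))
    return findings


def quarantine_list(findings):
    """Addresses to deny network access until the weekly review clears them."""
    block = {"unknown_asset", "not_approved", "hardware_changed"}
    return sorted(ip for ip, _mac, kind, _name in findings if kind in block)


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, OBSERVED):
        print(finding)
    print("quarantine:", quarantine_list(INVENTORY and reconcile(INVENTORY, OBSERVED)))
```

A device whose MAC moved to a new IP is reported but not quarantined, since that is what DHCP does every day; a known IP answering with an unknown MAC is treated as seriously as a brand-new device, because that is what a replaced or spoofed unit looks like from the network.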
Control 2: Inventory and Control of Software Assets
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. Ensure that only currently supported software is designated as authorized in the software inventory. Software needs to be monitored in a way that lets the organization see what has been installed, who installed it, and what the software is doing, because unmanaged software is a common point of entry into the protected network. Airgap Zero Trust Isolation continuously monitors network traffic, ringfences every IP endpoint in its own network segment, and integrates with SIEM/SOAR solutions for advanced traffic and log analytics.
Control 3: Data Protection
Utilize the CIS Controls to ensure that all data is properly protected before being shared or stored. Most companies do not think seriously about data and system security until after a breach has occurred. Companies must have a proven methodology for rapid information recovery, and critical systems and data must be secured and backed up on a regular basis. Airgap Zero Trust Isolation is an agentless segmentation platform that provides threat protection by detecting and blocking lateral threats moving from one device to another.
Control 4: Secure Configuration of Enterprise Assets and Software
Default configurations should be replaced with hardened ones, and the procedures that maintain those changes should be automated. Configuration management is required to keep attackers from exploiting unnecessary services and insecure defaults. Establish and maintain a secure configuration process for network devices.
Control 5: Account Management
To prevent unauthorized access to sensitive data, ensure all users have strong, unique passwords that are rotated when compromise is suspected. Access controls such as VPN and remote authentication, applied as the CIS Controls describe, help protect the company's network. Multi-factor authentication should be required for all user accounts on all systems, whether they are administered locally or by a third party. Airgap's Agentless Secure Asset Access solution adds a security layer of MFA and SSO in front of any device (a healthcare device, for example) for a user connecting from any location, and provides multiple gateways for a given set of applications and DNS names.
Control 6: Access Control Management
It is critical to keep track of service accounts, administrator credentials, and password requirements. To prevent attackers from using administrative accounts, those accounts must be secured and their privileges limited to what each role actually needs. Airgap provides OpenID Connect compatible integration so that authenticated and authorized users, under role-based access control, can gain "just-in-time" access to mission-critical applications and data.
Control 7: Continuous Vulnerability Management
The purpose of vulnerability management is to keep your network safe from known exploits while also meeting any regulatory requirements. It does this by scanning the network for misconfigurations, missed updates and common weaknesses in software. Scanning for weak spots that can then be swiftly fixed is critical, and the scanning is only as good as the vulnerability feed behind it, so keep those updates current. With continuous learning and profiling of every IP-connected device on the network, Airgap provides deep observability down to protocol-level communications and can stop traffic in real time as needed. The patented agentless Ransomware Kill Switch™, built with Zero Trust segmentation and containment in mind, delivers DEFCON-like policy violation alerts and autonomously closes the shut-off valve on lateral intra-VLAN IP communications during a ransomware attack.
Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. Logging records are also critical for incident response: after an attack has been detected, log analysis helps the enterprise understand its extent. Establish and maintain an audit log management process that defines the enterprise's logging requirements. Airgap Zero Trust Segmentation continuously monitors network traffic and exports flow records over built-in syslog integration to log management tools for audit log management and analytics.
Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are the attacker's opportunities to manipulate human behavior through direct engagement. Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, using only the latest versions provided by the vendor. Even so, someone will always click a link in an email or carry malware in on a portable device. Airgap places zero implicit trust in any endpoint device. When detection software misses a zero-day, Airgap has already ringfenced every single IP-connected device, so the blast radius is contained to "patient zero" and the ransomware has no path to spread across the network.
Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. Anti-malware software should be controlled centrally so that all of the company's workstations and servers are constantly monitored and protected. The Airgap Zero Trust Isolation platform provides a centralized, cloud-delivered and autonomous zero trust policy framework that analyzes traffic and ringfences each IP endpoint for network protection.
Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. Backups protect against data loss in the case of a cyberattack, and they provide a reference copy to compare against when data integrity is questioned after a security breach. Ensure that all system data and critical systems are backed up on a regular basis. Customers leverage Airgap's Secure Asset Access to protect their backup and recovery servers from unauthorized shared-admin access. For details on the Fortune 500 insurance company's use case,
Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. Organizations must establish, implement, and maintain secure configurations for network infrastructure devices such as routers, firewalls, switches, and mobile devices. The Airgap Zero Trust Isolation platform enforces intra-VLAN policies using autonomously learned device groups and stops lateral threat movement.
Control 13: Network Monitoring and Defense
It is critical to monitor the network for both external and internal threats. Operate processes and tools to establish and maintain comprehensive network monitoring and defense across the enterprise's network infrastructure and user base. Centralize security event alerting across enterprise assets for log correlation and analysis; best-practice implementation uses a SIEM with vendor-defined event correlation alerts. Airgap Zero Trust Segmentation continuously monitors the network, analyzes every IP address associated with the network infrastructure, and provides built-in integration with leading SIEM/SOAR platforms for advanced traffic and access log analytics.
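Controls 7, 12 and 13 above describe three pieces of one pipeline: flow records exported to a log platform, an intra-VLAN allowlist keyed on device groups with everything else denied, and a kill switch that cuts a source off when its behavior looks like ransomware fanning out over SMB or RDP. The script below is an added example (not Airgap's software or log format) of that pipeline on a single VLAN: it parses constructed syslog-style flow lines, applies a default-deny group policy, and trips a kill switch when one source talks to four or more distinct peers on lateral-movement ports inside a 60-second window. Once tripped, the source stays contained even for flows the policy would otherwise allow. The log format, the device groups, the allowlist, the port list and the thresholds are all assumptions for illustration.

```python
"""Intra-VLAN default-deny policy plus a ransomware fan-out kill switch over flow logs.

Added example, not Airgap code. The flow-record format below is invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed flow records on one VLAN (10.20.1.0/24). Not real traffic.
FLOWS = """\
2024-03-01T08:00:01 src=10.20.1.11 dst=10.20.1.10 proto=tcp dport=502
2024-03-01T08:00:02 src=10.20.1.11 dst=10.20.1.12 proto=tcp dport=502
2024-03-01T08:00:03 src=10.20.1.10 dst=10.20.1.11 proto=tcp dport=445
2024-03-01T08:00:05 src=10.20.1.30 dst=10.20.1.10 proto=tcp dport=445
2024-03-01T08:00:06 src=10.20.1.30 dst=10.20.1.11 proto=tcp dport=445
2024-03-01T08:00:07 src=10.20.1.30 dst=10.20.1.12 proto=tcp dport=445
2024-03-01T08:00:08 src=10.20.1.30 dst=10.20.1.13 proto=tcp dport=445
2024-03-01T08:00:09 src=10.20.1.30 dst=10.20.1.14 proto=tcp dport=3389
2024-03-01T08:00:10 src=10.20.1.30 dst=10.20.1.15 proto=tcp dport=445
2024-03-01T08:05:00 src=10.20.1.30 dst=10.20.1.16 proto=tcp dport=445
"""

# Assumed device groups, the kind a segmentation platform would learn by profiling.
GROUPS = {
    "10.20.1.10": "plc", "10.20.1.12": "plc", "10.20.1.13": "plc",
    "10.20.1.11": "hmi", "10.20.1.14": "hmi",
    "10.20.1.30": "workstation", "10.20.1.15": "workstation", "10.20.1.16": "workstation",
}

# Allowlist of (src_group, dst_group, proto, dport). Anything else inside the VLAN is denied.
POLICY = {
    ("hmi", "plc", "tcp", 502),           # HMIs poll PLCs over Modbus/TCP
    ("workstation", "hmi", "tcp", 3389),  # engineers RDP to HMIs
}

LATERAL_PORTS = {135, 139, 445, 3389}     # protocols ransomware commonly spreads over
FANOUT_THRESHOLD = 4                      # distinct peers on lateral ports before the switch trips
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")


def parse(line):
    """Return (timestamp, src, dst, proto, dport) from one constructed flow line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, proto, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)


def policy_verdict(src, dst, proto, dport):
    """Default deny: only allowlisted group-to-group, protocol, port tuples pass."""
    key = (GROUPS.get(src, "unknown"), GROUPS.get(dst, "unknown"), proto, dport)
    return "allow" if key in POLICY else "deny"


def evaluate(log_text):
    """Return ([(src, dst, dport, verdict, reason)], set of contained sources)."""
    verdicts = []
    contained = set()
    recent = defaultdict(list)  # src -> [(ts, dst)] seen on lateral ports within WINDOW
    for line in log_text.splitlines():
        ts, src, dst, proto, dport = parse(line)
        if src in contained:
            # Kill switch is sticky: a contained host gets nothing until an operator releases it.
            verdicts.append((src, dst, dport, "deny", "kill_switch"))
            continue
        verdict, reason = policy_verdict(src, dst, proto, dport), "policy"
        if dport in LATERAL_PORTS:
            recent[src] = [(t, d) for t, d in recent[src] if ts - t <= WINDOW]
            recent[src].append((ts, dst))
            if len({d for _t, d in recent[src]}) >= FANOUT_THRESHOLD:
                contained.add(src)
                verdict, reason = "deny", "kill_switch"
        verdicts.append((src, dst, dport, verdict, reason))
    return verdicts, contained


if __name__ == "__main__":
    results, blocked = evaluate(FLOWS)
    for row in results:
        print(row)
    print("contained sources:", sorted(blocked))
```

Two details matter in practice. The policy is evaluated even for flows that are already denied, so the SIEM sees both the policy violation and the later kill-switch decision as separate events with separate reasons. And the fan-out counter only looks at lateral-movement ports: a workstation legitimately polling many PLCs on Modbus would never trip it, while a workstation touching four neighbors on SMB in a few seconds is cut off before it reaches the fifth.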
Control 14: Security Awareness and Skills Training
Businesses must be aware of and prepared for a variety of cyber-attacks. Employees must be educated on phishing, phone fraud, and impersonation calls, among other intrusions.
One approach to address such threats is security awareness training, designed to help employees recognize the lures attackers put in front of them before those lures turn into an incident. The training usually comprises several modules delivered on a regular, ongoing basis to reinforce the learning. Airgap works with cyber insurers and cyber incident response teams to cover the service chain from proactive policy configuration through post-exfiltration response.
Control 15: Service Provider Management
Today, more and more companies are using third-party service providers for business functions. Develop a process to evaluate service providers who hold sensitive data, or who are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. Monitor service providers consistent with the enterprise's service provider management policy. Airgap's SaaS platform is designed with multi-tenancy in mind and can be deployed in physical or virtual instances with clear management, control, and data plane separation, so that sensitive data remains in the customer's domain for compliance.
Control 16: Application Software Security
Keep applications up to date and harden them where possible to reduce exploitable vulnerabilities. Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect and remediate security weaknesses before they can impact the enterprise. Airgap Zero Trust Segmentation detects offending endpoints and lateral threats with no false positives, and hides vulnerable ports and protocols from adversaries, so that an attacker who lands on one device cannot readily discover exploitable services elsewhere in the enterprise.
Control 17: Incident Response Management
Every business needs an incident response plan. Organizations must be prepared for a variety of cyber threats, including malware and ransomware attacks, data breaches, system failures or disruptions, and social engineering by attackers impersonating corporate workers, among others. Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare for, detect, and quickly respond to an attack. Airgap helps configure the agentless Ransomware Kill Switch™ policies when onboarding each customer and learns their existing incident response capabilities, so that the kill switch fits into, rather than replaces, the detection and response process.
Control 18: Penetration Testing
Penetration testing is an important part of maintaining security. It is critical to have a robust penetration testing strategy for evaluating vulnerabilities in the organization's corporate applications, data repositories, and network devices. Identify and remediate the weaknesses a test exploits as soon as they are discovered, and as attack vectors evolve, continue to test and remediate. Test the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.
About Airgap Networks
Security experts know that network segmentation is one of the strongest defenses against evolving cyber threats. However, available segmentation solutions either require agents to be installed everywhere or require upgrading networking hardware to proprietary implementations. Airgap offers agentless network segmentation and autonomous policy controls through a patented approach that enables isolation at every layer, down to every device. Malware is immediately blocked from traversing the network, even within the same VLAN or the same subnet, protection that Airgap states no other solution offers.
About SANS CIS Controls
The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. SANS supports the CIS Controls with training, research, and certification.
Enterprises also often enable direct access to high-value assets over exposed protocols such as Windows RDP. Airgap's identity-based access control puts a strong Zero Trust layer of protection in front of those high-value assets to secure them against cyber threats.
Airgap’s patented solution is custom designed to reduce the enterprise attack surface and protect high-value assets in Manufacturing, Healthcare, Retail, and Critical Infrastructure verticals where a compromise of core operational systems can disrupt mission-critical processes. Airgap Security Platform is the easiest to implement and manage and it is currently deployed across many large multinational customers.