First Steps to Overcoming a Lack of Asset Visibility
Asset visibility remains a problem in the wake of the COVID-19 pandemic. In a 2021 study conducted by Axonius and Enterprise Strategy Group (ESG), 79% of enterprises said that they're experiencing greater visibility gaps in their cloud infrastructure – an increase of 10% over 2020. Three-quarters of participants said the same about their end-user devices and Internet of Things (IoT) initiatives.
This lack of asset visibility is important to address, as it limits enterprises' ability to meet their security and operational objectives, and increases the likelihood of data breaches and other security incidents.
A Starting Point for Comprehensive Security
To improve asset visibility and reduce security incidents, enterprises can turn to foundational security measures such as the CIS Critical Security Controls® (CIS Controls®) and the recently released Guide to Enterprise Assets and Software. Adopters of the CIS Controls should use this guide as a reference during activities such as implementation or auditing to verify that they're accounting for and securing all in-scope assets.
Developed by a community of information technology (IT) experts from a wide range of sectors, the Controls offer a starting point and foundation for an enterprise to build a comprehensive security program by providing procedural and technical actions that defend against the most common types of cyber-attacks and digital threats. They can also function as a bridge to other frameworks, including NIST 800-53, SOC 2, PCI DSS, MITRE ATT&CK v8.2, and more.
In CIS Controls v8, we made several enhancements that reflect evolving technology, emerging threats, and the virtual or hybrid workplace. A big part of v8’s development involved simplifying the language, giving practical guidance, and verifying that each Safeguard is measurable.
Simplifying Asset Visibility
At the foundation of the CIS Controls are a few critical actions that you should take before you implement any other Safeguards. They center on knowing your environment. In order to protect what you have, you first must know what you have.
When implementing and auditing the Controls, you'll encounter several references to terms such as enterprise assets, software, end-user devices, and more. However, it's not always clear how these different types of resources fit into the Controls. CIS simplified the language in v8 to provide guidance on how enterprise assets and software are organized in the CIS Controls, and to help explain what we mean when we say things like “Establish and Maintain Detailed Enterprise Asset Inventory.” We're now in the process of getting the word out.
An Order of Operations for the Future
Asset visibility is the first step in implementing the CIS Controls, but it means little without understanding which types of devices exist in your environments and what they mean to your security program. Using our Guide to Enterprise Assets and Software, you'll learn how to develop an accurate asset inventory that lays the groundwork for your security efforts going forward.