Version 8 of CIS controls came into force in 2021 and has updated the way that enterprises are responsible for managing cybersecurity in their environment with a wide range of additional compliance responsibilities.
While they used to be focused on the engineers or technicians who were managing devices, they are now related to the tasks themselves. Want some more information on how Atera can support your compliance initiatives, and what the updated regulations mean for you? Let’s get to it!
What is CIS v8 compliance?
The CIS controls are a recommended set of actions for defending an IT environment against cyber risk. Previously the controls were called the SANS Critical Security Controls, or SANS Top 20, and worked hand in hand with the CIS Critical Security Controls. As of 2021, the regulations have been consolidated and are now called the CIS controls. SANS was still involved in the creation of v8 and served on its editorial panel.
V8 was released in 2021, and the idea was to update the controls to support IT businesses with an ever-changing risk landscape that now includes cloud and hybrid computing, Work from Home, and new sophisticated attack methods.
CIS v8 also includes Implementation Groups, which each of the controls can be compartmentalized into. IG1, which stands for Implementation Group 1, is the most critical group. It defines basic cyber hygiene in an IT environment and can be considered the minimum standard of information security. IG2 and IG3 follow on from there.
In v8 of the controls, the CIS has simplified every safeguard in the group down to a single task, and measurement of these controls is included in the safeguard, too. There are 153 safeguards, grouped into 18 controls. As each control is based on the activity, it’s less about who implements the controls than it was in v7, and more about ensuring each task is considered and covered in your cybersecurity protocols and processes.
The guidelines for using the CIS controls are to treat them less like a specific checklist, and more as a starting point to understand where your security-focused activities should be placed.
What are the 18 controls for CIS v8?
Here are a few words about each of the 18 controls, and where relevant, how Atera can support your journey to CIS compliance.
Inventory and control of enterprise assets
This is about knowing what’s under your roof. Think about how you’re going to create an inventory of all your enterprise assets, including end-user devices, mobile and network devices, IoT, and servers: on-premises, virtual, remote, and more. Atera’s Network Discovery is your first line of defense here, giving you a full view of an entire network at a glance. The auditor report is also a great resource, providing a comprehensive view of an environment in detail.
Inventory and control of software assets
Network Discovery is also a useful tool for control number two when keeping track of and monitoring software assets. This includes monitoring operating systems and applications so that only authorized software can make changes, and that you always know immediately about unauthorized or unmanaged software applications. Atera’s software inventory report allows you to act quickly if shadow IT is found, uninstalling software from multiple devices with a single click.
Data protection
In today’s world, cybercriminals are acting with greater sophistication than ever to access valuable data from your customers, including medical records, financial details, credentials, and more. This control is around how you manage and secure data both in transit and at rest. You can learn more about how Atera keeps your data secure here, and make sure to check out our integrations, too. We partner with a wide range of cybersecurity market leaders, many of which have specific technologies in place for anti-ransomware, chain-free data backups, and more.
Secure configuration of enterprise assets and software
How are all devices and software solutions configured and monitored? This control is focused on your visibility and control across the networks you are responsible for. At Atera, we offer the monitoring agent for both Windows OS and Mac devices and allow you to monitor network assets of all kinds, including HTTP and SNMP devices.
Account management and…
Access control management
Controls 5 and 6 are around access control, namely the processes and the tools that are used for authorization. Think about how you administer and manage admin accounts and service accounts, and the way you ensure that you can create, revoke, rotate and manage credentials as necessary. Atera allows you to create various roles and permissions so that you can grant specific access privileges to certain technicians where necessary.
Continuous vulnerability management
All IT professionals should have a plan in place for continuous assessment and tracking of vulnerabilities. Once an attacker has made it inside your network, the dwell time is an essential metric. The longer they stay around, the more damage and cost will be caused. Alert threshold profiles are a great tool to support this control, allowing you to set up alerts on your own terms for factors that may signify a cyberattack such as CPU load or disk usage. Don’t forget to check out our partner integrations to find the best fit for in-depth endpoint detection and response, or threat intelligence capabilities.
Audit log management
CIS v8 describes how you should be able to collect, alert, review and retain comprehensive audit logs, which will be used in case of an attack to contribute to incident response. Atera’s activity logs allow you to view all technician activity — and as the logs cannot be edited, they are perfect as an audit trail. Filter by date, log type, technician, and item, so that you can easily find what you’re looking for in an emergency.
Email and web browser protections
Email is still the most common route for attackers to gain access to an IT environment, and it only takes a single misclicked link to open risk to a whole network. Consider your email security closely, including how you’re monitoring incoming traffic, any sandbox solutions for attachments and links, and also security awareness training that could support employees in improving their ability to spot a phishing scam ahead of time.
Malware defenses
Anyone could get hit by a cyberattack, but what happens next? Is the malware able to execute, spread, and reach critical assets? Atera’s partners include robust anti-malware providers such as Malwarebytes, Webroot, Bitdefender, and Emsisoft, giving you the flexibility to choose exactly the technology you need to fight malware on your own terms.
Data recovery
If the worst occurs, how quickly and seamlessly can you get your business or your end-user environment back to a pre-incident state? This control includes data backups and recovery, of course, but is also about the IT automation that you have up your sleeve. If you need to offer end-users a new machine or virtual environment to work from while you restore backups, then features such as the ability to install a software bundle in a single click will come in seriously useful.
Network infrastructure management and…
Network monitoring and defense
Controls 12 and 13 look at how you manage and monitor network events. You can track, alert for and manage network events using IT automation profiles from within Atera, remotely monitoring and managing as many environments as you need in granular detail. For example, you can use the Windows event viewer to track Windows events like backups or security updates.
Don’t forget to set up automation for patch management, making sure that all hardware and software are always up to date, reducing the chances of an opportunistic hacker making it into the network.
Security awareness and training
Often you might find that end-users are the weakest links in the security chain. After all, as we said – most attacks still arrive in an employee’s inbox. Education is really important, whether that’s a specific Security Awareness Training program, or something more informal. At Atera you can set up your customers with a particular portal where you include a knowledgebase full of tips and tricks, or articles on the latest threats.
Service provider management
No business is an island, and in today’s connected environment, most users have sensitive data held by third parties. This control is about creating a process for making sure that providers are protecting your third-party data. You can read more about how Atera protects your data on the Atera cloud here.
Application software security
Software might be third-party managed, or might be developed in-house, or acquired and managed. No matter what, you need a process in place to ensure the software is secured, as even a third-party weakness could negatively affect your IT environment. Software patch management is an important element of this toolbox, allowing you to automate patches for known vulnerabilities at a cadence that works for you.
Incident response management
If the worst occurs, and your customer or corporate environment is hit by an attack, what processes do you have in place to limit the threat, and get business returned to normal as soon as possible? There are many ways to create a robust incident response procedure, but you want to make sure that you have a centralized view of your networks so that you can act quickly with all the information.
Penetration testing
When you simulate the actions of an attacker, you can often uncover gaps and vulnerabilities before they impact you in a real-world attack. The obvious type of penetration test checks how well your network holds up against a simulated attacker. But further than that, this control makes you think hard about how often you test critical procedures and processes, including anything from testing how your employees would act in the face of a phishing scam with phishing simulations, to testing your backups to make sure there is no corrupted data.
Looking for any specific advice about compliance and security processes for your IT networks? Reach out, we’re always happy to help!