Note: This is the first in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense. Each post of this series will focus on one of the 20 Critical Security Controls.
CyberSheath has worked with countless customers who are just beginning their GRC journey. As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense. These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.
20 Critical Security Controls
Control 1: Inventory of Authorized and Unauthorized Devices
The first Critical Control, Inventory of Authorized and Unauthorized Devices, tells us that organizations should “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” To accomplish this, companies need to maintain an asset inventory of all systems connected to the network, preferably deploying an automated asset inventory system to gather the data. The idea behind this control is that we can’t protect what we don’t know we have and therefore, having an accurate asset inventory is always the first step in both mature security and GRC projects.
Many organizations today have a CMDB or other asset inventory methods but they often use manual spreadsheets that are not automated, and the information isn’t accessible enough to be actionable. That information is also usually just a list of computer names, IP Addresses, and possibly some operating system info but that’s usually where it ends. Additionally, the responsibility for maintaining this repository is often not clear and the data isn’t tied into any other security processes, such as incident response or vulnerability management.
When we use RSA Archer to manage our asset inventory, we can satisfy the security objectives of this control with a best-in-class asset inventory system. Utilizing Archer’s Enterprise Management module, and specifically the “Devices” application, we can import all our known asset information from multiple sources. Archer accepts information from many different databases and other sources of asset data utilizing the data feed capability. Organizations can, for example, import asset information from their CMDB, vulnerability scanners, configuration compliance tools, and any other source. Then use the different feeds to augment, edit, and improve the inventory so that it becomes the “master list” of all devices. No other product collects and rationalizes asset data like Archer.
Managing asset inventory is just the beginning, tying the data into other parts of Archer is where we start to see real GRC context and meaning. Mapping assets to the employees that own them, the facilities they reside in, and the business units they belong to can help us visualize our IT infrastructure like no other tool can. Digging deeper, we can map our servers to applications and those applications to business processes. When we then conduct Business Impact Analyses against those business processes, the criticality of the assets (servers) becomes quantified and all of this is measurable with reports and metrics.
It’s no coincidence that the first step in building a secure organization is also the first step conducted when beginning a GRC journey. When we combine these efforts we accomplish both goals for far less than the cost of what separate projects would cost, and security organizations are able to show real value from their Archer deployment as we begin to address the Critical Controls and stop attacks. Download our GRC datasheet to learn more about how we can assist your organization on your GRC journey.
Watch for our next post as we discuss how Archer can assist with the second Critical Control, Inventory of Authorized and Unauthorized Software, coming soon.