- Aug 22, 2022

Cybersecurity Control Review - Utilize an Active Discovery Tool, CIS 1.3

Updated: Jan 11, 2023

Cybersecurity Frameworks - Cybersecurity Guides

Cybersecurity Control Review: Utilize an Active Discovery Tool, CIS 1.3

Summary:

Utilize an Active Discovery Tool, which is considered a Detection control, and is part of CIS Control 01: Inventory and Control of Enterprise Assets. Utilize an active discovery tool to detect and identify assets/devices connected to the company's network that are unauthorized to do so. The discovery tool chosen by the organization should be configured to execute daily, or more frequently.

Recommendations:

Being that Control 1.2 of the CIS Controls is defining how to address unauthorized devices, Control 1.3 addresses the next important step which is using a tool for detecting those potential devices. An active discovery tool could be something as simple as an IP scanner that scans all the subnets on your internal network and provides simple information, such as IP address, host name, and the Domain the device is connected to. If you were to schedule a scan like this to run every day, an assigned resource could conduct a quick, manual review of the scan to see if there are any unrecognized devices found in the scan.

For example, if all of the computers on your network should be joined to the company Active Directory Domain, and you find a device in the scan that is not joined any Domain, or maybe a different Domain, then you should investigate the device further and follow the process you defined in Control 1.2 on how to remove or quarantine a device that should not be connected to your network.

There are many options for software solutions and tools that can satisfy this control. There are more sophisticated solutions that can run scans and then send a notification out to designated personnel, usually members of the IT and Security departments, when an unrecognized device is detected. This will significantly increase the speed and efficiency of the process, as opposed to a manual review, and the notification can automatically provide all the information needed to locate and analyze the device in question.

As stated in the control summary, these scans should be run at least once per day, but if the process is partly or fully automated, it can be accomplished in essentially real-time. Going a step even further, there are security solutions that not only identify and detect unauthorized devices, but they will then automatically quarantine or block the device by creating network rules to prevent it from connecting to anything on the network. These solutions are obviously much more costly, so for small businesses this may not fit in the budget. That said, some of these solutions can solve for several different controls and necessary functions within IT and Security. So it is likely you can invest in one product that serves many functions.

The point is that no matter how large, or how small the organization is, there needs to be plan in place to review the devices on your network, detect any unauthorized devices and then follow a defined process on how to remove that device from the network.

Keep in mind, there are many variables in real-world scenarios and you won't be able to define every possible situation that could occur. So it's important not to get paralyzed by creating a perfect process, but putting something in place that covers around 80% of the possibilities and then the other 20% are treated as exceptions and handled similarly but with some discretion applied.

There are some example discovery tools and solutions in the list of references below that you can look into further to see what would satisfy this control and get some ideas on the right fit for your network.