By Ofer Amitai
For midsize organizations, the Center for Internet Security’s basic guidelines can be largely addressed with network access control.
In organizations of all sizes, network security has been overwhelmed by the unchecked growth of Internet of Things (IoT) devices, bring your own device (BYOD) programs and mobile devices.
The traditional concept of protecting the corporate network within a physical perimeter is long gone and has been replaced by a model where each device requires its own security perimeter. To implement this approach, companies are turning to device-based network access control (NAC).
While NAC is one of the security layers used by large enterprises that are rich in resources and employees, it can play a foundational role in protecting midsize companies. While these businesses face many of the same attacks as their larger cousins, they often lack comparable in-house IT expertise.
NAC and CIS Controls
To help organizations select and implement a set of cyber defense best practices that will protect against today's most pervasive and dangerous threats, the Center for Internet Security (CIS) devised a list of 20 controls. A principal benefit of the CIS Controls is their ability to prioritize and focus on a smaller number of actions with high pay-off results.
The CIS Controls are widely recommended by government and private-sector security organizations; CIS itself estimates that implementing just the first five controls reduces an organization's risk of cyberattack by roughly 85 percent.
For midsize companies, the best practices outlined in the “First 5 CIS Controls” provide a solid foundation for securing their IT environments. Let’s consider how NAC provides coverage for these controls:
Control #1 - Inventory of Authorized and Unauthorized Devices
This involves the active management (inventory, track and correct) of all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
NAC provides visibility into all of the devices on the network. Some solutions accomplish this non-intrusively by querying the network infrastructure itself over its management protocols (for example, reading the MAC address tables of switches and wireless controllers over SNMP or SSH), while others rely on port mirroring, IP scans or 802.1X, each of which takes more deployment effort. The goal is a real-time view of every connected endpoint, categorized as authorized or unauthorized.
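As an added illustration of the inventory step (this is example code, not from the article or from any NAC product), the following Python script parses the kind of MAC address table a switch exposes, normalizes the addresses, and splits the live entries into authorized and unauthorized devices against an asset inventory. The table text, the inventory and the vendor-prefix (OUI) hints are constructed sample data; a deployed NAC would pull the table over SNMP or SSH and load the full IEEE OUI registry instead.

```python
"""Build a live device inventory from a switch MAC address table and split
it into authorized and unauthorized endpoints (CIS Control 1).

Added example. The MAC table text, the inventory and the OUI hints are
constructed for illustration, not captured from a real network."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of Cisco IOS "show mac address-table"
# output. A NAC would fetch this over SNMP (BRIDGE-MIB / Q-BRIDGE-MIB)
# or SSH rather than read a string.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56a1.0001    DYNAMIC     Gi1/0/1
  10    0050.56a1.0002    DYNAMIC     Gi1/0/2
  20    b827.eb12.3456    DYNAMIC     Gi1/0/7
  20    00e0.4c00.1234    DYNAMIC     Gi1/0/9
 All    0100.0ccc.cccc    STATIC      CPU
"""

# Constructed authorized-asset inventory keyed by normalized MAC.
AUTHORIZED = {
    "00:50:56:a1:00:01": "fileserver-01",
    "00:50:56:a1:00:02": "hr-laptop-07",
}

# Constructed OUI (first three octets) hints used to describe unknown
# devices; a real deployment loads the full IEEE OUI registry.
OUI_HINTS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:e0:4c": "Realtek (USB/PCI NIC)",
}

MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<kind>DYNAMIC|STATIC)\s+(?P<port>\S+)", re.I)


@dataclass(frozen=True)
class Endpoint:
    mac: str
    vlan: int
    port: str


def normalize_mac(mac: str) -> str:
    """Accept dotted, dashed or colon forms; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """Return only dynamically learned entries (attached endpoints);
    STATIC/CPU rows belong to the switch itself."""
    endpoints = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m and m["kind"].upper() == "DYNAMIC":
            endpoints.append(Endpoint(normalize_mac(m["mac"]),
                                      int(m["vlan"]), m["port"]))
    return endpoints


def classify(endpoints, authorized=AUTHORIZED, oui_hints=OUI_HINTS) -> dict:
    """Split endpoints into authorized (known asset, labelled with its
    inventory name) and unauthorized (unknown MAC, labelled with a vendor
    guess from the OUI so an admin knows what to look for)."""
    report = {"authorized": [], "unauthorized": []}
    for ep in endpoints:
        if ep.mac in authorized:
            report["authorized"].append((ep, authorized[ep.mac]))
        else:
            vendor = oui_hints.get(ep.mac[:8], "unknown vendor")
            report["unauthorized"].append((ep, vendor))
    return report


if __name__ == "__main__":
    report = classify(parse_mac_table(SAMPLE_MAC_TABLE))
    for ep, label in report["authorized"]:
        print(f"OK      {ep.mac} vlan {ep.vlan:<3} {ep.port:8} -> {label}")
    for ep, label in report["unauthorized"]:
        print(f"UNKNOWN {ep.mac} vlan {ep.vlan:<3} {ep.port:8} -> {label}")
```

The unauthorized entries carry the switch port they were learned on, which is what an operator needs to trace or shut down the device; a MAC-only inventory is easily spoofed, so this is a first-pass view that 802.1X or device fingerprinting would later corroborate.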
Control #2 - Inventory of Authorized and Unauthorized Software
Similar to Control number 1, this requires actively managing (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installing or executing.
Here NAC can gather information on the software installed on each endpoint and, more importantly, whether security software such as antivirus or EDR is enabled. Based on a predefined policy, NAC can then notify users of violations on the device, force remediation or block the unauthorized software. Depending on the solution, these checks can run with or without an agent installed on the endpoint. Ideally both options are available: IoT devices cannot run an agent and must be handled agentlessly, while the software on a BYOD endpoint can rarely be inspected in any depth without one.
Control #3 - Secure Configurations for Hardware and Software
This process requires that organizations establish, implement and actively manage (track, report on, correct) the security configuration of laptops, servers and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
NAC can inspect configurations on all endpoints connected to a network. While some NAC solutions come with pre-configured assessment templates, others give administrators the freedom to create their own configuration inspections.
Control #4 - Continuous Vulnerability Assessment and Remediation
Continuously acquiring, assessing and taking action on new information in order to identify and remediate vulnerabilities will minimize the window of opportunity for attacks.
Most NAC solutions provide continuous compliance validation and remediation for connected devices, and adjust a device’s risk score when its configuration changes.
When a device falls out of compliance, or is compromised, NAC can help contain attacks, prevent lateral movement and limit damages to allow for business continuity.
Some of the remediation actions NAC can perform include:
Containing incidents by remotely blocking endpoints with suspicious configurations from accessing the network, ideally without manual intervention.
Launching endpoint detection and response (EDR) software, and enforcing the installation of security patches and software updates before an endpoint regains access.
Segmenting, quarantining or disconnecting endpoints according to their risk level and the threat they pose to the network.
Control #5 - Controlled Use of Administrative Privileges
Here, organizations should use processes and tools to track/control/prevent/correct the use, assignment and configuration of administrative privileges on computers, networks and applications.
Since administrative privileges allow a user or process to perform sensitive actions on an endpoint and across the network, they pose a serious risk if compromised or abused. NAC can continuously monitor which users hold administrator privileges on which endpoints, helping organizations enforce their privilege policies.
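Pulling Controls 2 through 5 together, here is an added Python example (not Portnox’s or any product’s policy engine) of how a NAC policy turns an endpoint’s reported posture into an enforcement decision: unauthorized software and disabled security software (Control 2), configuration violations (Control 3), overdue patches (Control 4) and unapproved local administrators (Control 5) each add to a risk score, and the score selects allow, remediate, quarantine or block. Agentless devices that cannot report posture are placed in a separate segment rather than granted full access. The endpoint records, software allowlist, approved-admin list, weights and thresholds are all assumptions made up for the example.

```python
"""Posture-based NAC policy covering CIS Controls 2-5 (added example).
All policy data and endpoint records below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Policy data (constructed for the example).
ALLOWED_SOFTWARE = {"Microsoft Office", "Google Chrome", "Zoom", "7-Zip"}
APPROVED_ADMINS = {"Administrator", "CORP\\it-admins"}
MAX_SCREEN_LOCK_MINUTES = 15
MAX_PATCH_AGE_DAYS = 30
# Points per finding; the weights and the thresholds in decide() are assumptions.
WEIGHTS = {"av_disabled": 40, "unauthorized_software": 15,
           "config_violation": 20, "patches_overdue": 20,
           "unapproved_admin": 30}


@dataclass
class Posture:
    """What the NAC knows about a connecting endpoint. None means the value
    could not be collected; for agent-managed devices an unknown value is
    treated as non-compliant (fail closed)."""
    hostname: str
    has_agent: bool
    device_class: str = "workstation"
    installed: set = field(default_factory=set)
    av_enabled: Optional[bool] = None
    firewall_enabled: Optional[bool] = None
    disk_encrypted: Optional[bool] = None
    screen_lock_minutes: Optional[int] = None
    patch_age_days: Optional[int] = None
    local_admins: set = field(default_factory=set)


def evaluate(p: Posture) -> list:
    """Return (finding, detail) pairs for an agent-managed endpoint."""
    findings = []
    if not p.av_enabled:                                    # Control 2
        findings.append(("av_disabled", "endpoint protection off or unknown"))
    for sw in sorted(p.installed - ALLOWED_SOFTWARE):
        findings.append(("unauthorized_software", sw))
    if not p.firewall_enabled:                              # Control 3
        findings.append(("config_violation", "host firewall disabled"))
    if not p.disk_encrypted:
        findings.append(("config_violation", "disk not encrypted"))
    if p.screen_lock_minutes is None or p.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append(("config_violation", "screen lock unset or too long"))
    if p.patch_age_days is None or p.patch_age_days > MAX_PATCH_AGE_DAYS:  # Control 4
        findings.append(("patches_overdue", "no patch data" if p.patch_age_days is None
                         else f"{p.patch_age_days} days since last patch"))
    for acct in sorted(p.local_admins - APPROVED_ADMINS):   # Control 5
        findings.append(("unapproved_admin", acct))
    return findings


def risk_score(findings) -> int:
    return sum(WEIGHTS[name] for name, _ in findings)


def decide(p: Posture) -> dict:
    """Map posture to an enforcement action. Agentless devices never get the
    corporate VLAN: known IoT classes go to their own segment, anything else
    to guest, because nothing about them can be verified."""
    if not p.has_agent:
        vlan = "iot-vlan" if p.device_class == "iot" else "guest-vlan"
        return {"action": "segment", "vlan": vlan, "score": 0, "findings": []}
    findings = evaluate(p)
    score = risk_score(findings)
    if score == 0:
        action = "allow"
    elif score < 40:
        action = "remediate"    # restricted VLAN: patch and AV servers reachable
    elif score < 70:
        action = "quarantine"   # isolated VLAN, helpdesk ticket
    else:
        action = "block"        # port shut down or MAC denied
    return {"action": action, "score": score, "findings": findings}


# Constructed endpoints, one per outcome.
SAMPLE = [
    Posture("fin-laptop-03", True, installed={"Microsoft Office", "Google Chrome"},
            av_enabled=True, firewall_enabled=True, disk_encrypted=True,
            screen_lock_minutes=10, patch_age_days=7, local_admins={"Administrator"}),
    Posture("eng-laptop-11", True, installed={"Google Chrome", "uTorrent"},
            av_enabled=True, firewall_enabled=True, disk_encrypted=True,
            screen_lock_minutes=10, patch_age_days=45, local_admins={"Administrator"}),
    Posture("hr-laptop-07", True, installed={"Microsoft Office"},
            av_enabled=True, firewall_enabled=True, disk_encrypted=True,
            screen_lock_minutes=15, patch_age_days=40,
            local_admins={"Administrator", "jdoe"}),
    Posture("contractor-pc", True, installed={"Google Chrome"},
            av_enabled=False, firewall_enabled=False, disk_encrypted=False,
            local_admins={"Administrator"}),
    Posture("lobby-camera-2", False, device_class="iot"),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        d = decide(ep)
        print(f"{ep.hostname:15} {d['action']:10} score={d['score']:3}",
              [f"{name}: {detail}" for name, detail in d["findings"]])
```

Two design points matter more than the particular weights. First, unknown posture values on an agent-managed device count as violations, so a broken or tampered agent degrades access instead of silently passing. Second, the remediation tier keeps patch and antivirus servers reachable, which is what lets the device fix itself and regain access without a helpdesk call; the quarantine and block tiers are for devices whose state is too risky for even that.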
For midsize organizations, implementing the “First 5 CIS Controls” reduces exposure to the vast majority of security threats. NAC’s ability to reduce risk and enforce a security perimeter around each device provides a centralized, cost-effective and quick path to compliance with these best practices. By controlling access both to and within the network, NAC reduces business risk by more than the sum of its individual controls.
About Ofer Amitai
Ofer Amitai is CEO and co-founder of Portnox, where he is responsible for day-to-day operations and setting the company's strategic direction. He has over 20 years' experience in network security, during which time he established the first IT security team in the Israeli Air Force, managed the security division at Xpert Integrated Systems, and served as Microsoft regional director of security.