The Cybersecurity & Infrastructure Security Agency (CISA) kicked off Cybersecurity Awareness Month with a bang yesterday, with its latest binding operational directive that requires federal agencies to account for a complete inventory of assets and vulnerabilities. In past CISA coverage, we recommended that organizations doing business with the federal government, looking to maintain good cyber posture, or wanting a head start on potential regulatory requirements down the road should also familiarize teams with and strive to meet CISA requirements. CISA provided a compliance start date for federal agencies of April 3, 2023.

Flying Blind

Security teams have been flying blind when trying to enumerate vulnerabilities on unknown assets for decades. Organizations often have multiple or outdated configuration management databases, spreadsheets, or vulnerability scans limited to known IP ranges and sites.

A lot of teams knew about assets that existed in silos or shadow IT that they couldn’t validate. Attempting to aggregate any asset data led to messy duplicate and contradicting data.

Features in vulnerability management solutions have expanded to address these challenges. Companies providing specific solutions include Axonius, JupiterOne, and Noetic Cyber.

Required actions from CISA regarding asset discovery include the following:

  • Automated asset discovery every seven days
  • Discovery, at a minimum, must include the organization’s entire IPv4 space
  • Ability to initiate on-demand asset discovery
  • Inclusion of IP addressable operational technology and roaming/cloud assets
  • Exclusion of ephemeral assets such as containers or SaaS

Vulnerability Discovery Requirements

Well-defined vulnerability management guidelines or frameworks are few in the US, but CISA provides explicit requirements in this directive. The requirements do not address additional timelines for remediation, although CISA has done so previously in its directive on known exploited vulnerabilities. Vulnerability management solutions from vendors such as Qualys, Rapid7, or Tenable will help meet the requirements below:

  • Vulnerability scans must be conducted on all discovered assets every 14 days, including nomadic assets such as laptops.
  • Scans on managed endpoints must be conducted with privileged credentials. Credentialed network and agent-based scans are acceptable, per the directive.
  • Detection signatures must be updated within 24 hours of the vendor release date.
  • If available, vulnerability enumeration on mobile (iOS and Android devices) must be conducted.
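The asset discovery and vulnerability discovery requirements above both reduce to cadences a team can measure against its own inventory. The following is an added example, not code from CISA or Forrester, that checks a small constructed inventory against those cadences: discovery within seven days, a scan within 14 days, privileged scans on managed endpoints, signatures applied within 24 hours of vendor release, and ephemeral assets (containers, SaaS) excluded. The record format and field names (asset_id, asset_type, last_discovered, last_scanned, scan_privileged) are assumptions chosen for the illustration, not a format the directive prescribes.

```python
"""Check an asset inventory against the BOD 23-01 cadences summarized above.

Added example, not CISA's or Forrester's code. The inventory record layout and
field names below are assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Cadences stated in the directive summary.
DISCOVERY_WINDOW = timedelta(days=7)      # automated asset discovery
SCAN_WINDOW = timedelta(days=14)          # vulnerability scan of every asset
SIGNATURE_WINDOW = timedelta(hours=24)    # detection signature update

# Asset types the directive excludes from the inventory requirement.
EPHEMERAL_TYPES = {"container", "saas"}
# Asset types we treat as managed endpoints that need privileged scans (assumption).
MANAGED_ENDPOINT_TYPES = {"workstation", "laptop", "server"}

# Constructed sample inventory; dates are ISO-8601 date strings.
SAMPLE_INVENTORY = [
    {"asset_id": "ws-001", "asset_type": "workstation",
     "last_discovered": "2023-04-01", "last_scanned": "2023-03-25",
     "scan_privileged": True},
    {"asset_id": "lt-042", "asset_type": "laptop",      # nomadic, still in scope
     "last_discovered": "2023-03-20", "last_scanned": "2023-03-10",
     "scan_privileged": False},
    {"asset_id": "plc-007", "asset_type": "ot",         # IP-addressable OT is in scope
     "last_discovered": "2023-04-02", "last_scanned": "2023-03-30",
     "scan_privileged": False},
    {"asset_id": "ctr-999", "asset_type": "container",  # ephemeral, excluded
     "last_discovered": "2023-04-03", "last_scanned": None,
     "scan_privileged": False},
]


def parse(date_str):
    """Parse an ISO-8601 date or date-time string."""
    return datetime.fromisoformat(date_str)


def check_asset(asset, now):
    """Return the list of cadence findings for one asset (empty if compliant)."""
    findings = []
    if asset["asset_type"] in EPHEMERAL_TYPES:
        return findings  # excluded from the inventory requirement
    if now - parse(asset["last_discovered"]) > DISCOVERY_WINDOW:
        findings.append("discovery older than 7 days")
    last_scanned = asset.get("last_scanned")
    if last_scanned is None or now - parse(last_scanned) > SCAN_WINDOW:
        findings.append("vulnerability scan older than 14 days")
    if asset["asset_type"] in MANAGED_ENDPOINT_TYPES and not asset["scan_privileged"]:
        findings.append("managed endpoint scanned without privileged credentials")
    return findings


def check_inventory(inventory, now):
    """Map asset_id -> findings for every in-scope asset that misses a cadence."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, now)
        if findings:
            report[asset["asset_id"]] = findings
    return report


def run_report(now_str="2023-04-03"):
    """Run the check over the constructed inventory as of the given date."""
    return check_inventory(SAMPLE_INVENTORY, parse(now_str))


def check_signature_freshness(vendor_release_str, applied_str):
    """True if detection signatures were applied within 24h of vendor release."""
    delta = parse(applied_str) - parse(vendor_release_str)
    return timedelta(0) <= delta <= SIGNATURE_WINDOW


if __name__ == "__main__":
    for asset_id, findings in run_report().items():
        print(asset_id)
        for finding in findings:
            print("  -", finding)
    print("signatures fresh:",
          check_signature_freshness("2023-04-01T08:00", "2023-04-02T07:00"))
```

Run as of the April 3, 2023 compliance date, only the laptop is flagged: its last discovery and last scan are both stale and it was scanned without privileged credentials. The OT device passes because the directive brings IP-addressable OT into scope but the example only demands privileged scans of managed endpoints, and the container is skipped entirely as an ephemeral asset. A real implementation would pull these fields from the CMDB or scanner APIs rather than a hard-coded list, but the rule logic is the same.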

Writing On The Wall

The importance CISA places on asset enumeration in security programs is an exclamation mark on years of security team proclamations, an aging NIST cybersecurity framework, and recent attack surface management acquisitions. Although discovery of unknown external assets is not specifically mentioned in the directive, external attack surface management vendors have been gobbled up over the past several months. IBM announced its Randori acquisition last June, the same month Tenable closed on its purchase of Bit Discovery, and CrowdStrike revealed its intention to buy Reposify during Fal.Con last month, quickly adding what we believe will become a standard capability in several security tech categories.

We expect the definition of attack surface to grow over the coming months and that federal agencies and regulated organizations will eventually be expected to account for every asset, known or not.

Forrester Attack Surface Management Coverage

As attack vectors and threats continue to evolve, so does Forrester’s coverage of technologies available to help organizations get a handle on their massive technology estate. I will be taking on cyber asset attack surface management from Jess Burn while she continues her coverage of external attack surface management.

We hope you can join us in person or virtually at Forrester’s Security & Risk Forum this November. I will be presenting a session entitled “Reinvent Your Vulnerability Management Program To Regain Trust.” This talk will cover methods to prioritize vulnerability remediation so that we can extend the olive branch to operations teams that have grown increasingly skeptical of the VRM team’s ongoing flood of (often inaccurate) vulnerability predictions.

If you have questions about attack surface management, vulnerability risk, or the directive, please get in touch with us! Forrester customers can schedule an inquiry or guidance session. Also, feel free to reach out through Twitter (@eriknost/@Jess_Burn_) or email.