This is part 3 of our 4-part CISA BOD 23-01 series. Check out part 1 to start at the beginning of the series.
The deadline for CISA BOD 23-01 compliance is coming up on April 3, 2023. In less than two months, federal civilian executive branch (FCEB) departments and agencies must have implemented solutions to fully meet the requirements outlined in the directive, including the ability to automate asset discovery every 7 days and initiate on-demand discovery within 72 hours of receiving a request from CISA.
One of the key takeaways from the directive is the importance of identifying unmanaged assets on the network because of the risks they introduce. A comprehensive asset inventory is the only way to fully address the directive.
When CISA first issued this directive, we'd hear agencies say, "We already have an asset inventory through our CAASM. We're in good shape!" While Cyber Asset Attack Surface Management (CAASM) solutions can definitely help with building asset inventory and reducing cyber risk, they may not be enough to meet the requirements in the directive–especially if they are leveraging an API-only approach.
Challenges with API integrations-only approach #
Most CAASMs leverage an API-only (or a very API-dominant) approach to bring asset data from hundreds (or even thousands) of security and management tools into the solution. Theoretically, with a shared data set, security and IT teams can focus on improving their cyber hygiene and security posture, and not spending time tracking down information. However, the truth is: the information in the CAASM is often incomplete, and data quality may be unreliable.
Let's dig into some of the key challenges of relying on CAASMs that only offer an API-based approach and what you can do instead.
Challenge #1: Finding unmanaged assets #
Over and over again, we hear security teams say, "We can't protect or manage what we don't know." Exacerbated by common issues like shadow IT, rogue access, and oversight, unmanaged devices continue to fly under the radar, creating potential entry points for attackers. Unmanaged devices are usually the first foothold for attackers because they tend to miss security controls and don't have an owner maintaining them.
Many CAASM vendors claim that unmanaged devices can be solved by leveraging integrations with existing tooling. This approach ignores the fact that security teams have tried to use data from vulnerability scanners and EDR agents for asset inventory without success. These approaches cannot find unmanaged assets because they typically require credentials to scan or deploy, which are not available for rogue, IoT, and OT devices. As a result, these teams will continue to miss unmanaged devices if they rely on their vuln scanners or EDR agents for asset inventory.
Ultimately, the completeness and accuracy of the data in a CAASM will depend on the quality of the sources you use. While an integration-based approach is a good way to discover managed assets, it's not the most effective one for unmanaged ones. The best way to discover unmanaged assets is through unauthenticated scanning.
Challenge #2: Getting accurate data #
Most CAASMs build asset inventories from API imports with third-party solutions, like vuln scanners and EDRs; they don't discover assets independently. Instead, they rely on their security and IT stack for asset inventory, so the data is only as good as the source itself. You can generally get a lot of depth about managed devices through integrations, but the quality may be inconsistent and/or inaccurate. Many solutions, like your vuln scanner and EDRs, are not purpose-built for asset inventory, so fingerprinting falls below expectations. Instead, you may get some basic information about the device, like the IP address, MAC address, and vendor, which isn't significantly helpful for asset inventory. And on top of that, you're completely in the dark about unmanaged devices.
According to Gartner, data quality affects labor productivity by about 20%. The lack of access to high-quality, accurate data impacts the ability for security teams to make decisions quickly, especially in the face of critical events. To deliver on its full promise, CAASMs need to complement these data sources with active discovery to accurately fingerprint assets.
Complement your integrations-based approach with active scanning for full asset inventory #
CAASMs can help with comprehensive asset inventory – if complemented with unauthenticated active discovery. This approach ensures that you're able to cover all your bases for the CISA BOD 23-01 directive. With a scanner that leverages a security-research based approach to accurately fingerprint devices, you can feel confident that you have a comprehensive asset inventory of managed and unmanaged assets.
By combining active scanning with an integrations-based approach, managed assets get the benefit of being enriched with additional attributes, while unmanaged assets are identified and fingerprinted.
Follow the story #
Check out Part 4 of this story, which wraps up our overall recommendations for meeting the requirements in the directive.