SANS Top 20 Critical Control #1: Inventory of Authorized and Unauthorized Devices

2 minute read Ken Kantzer on

CISOs have a tough job. They are faced with securing data across thousands of devices. They are often brought in after a bad breach and are asked to make sure “it never happens again.” Throw in ISO/IEC 27001 or PCI-DSS compliance reporting, and it can lead to an overwhelmed question: when it comes to developing a roadmap for my company’s security, where is the best to start?

The Crux of the Control

There are only 2 controls in the Top 20 list that are designated “Foundational,” and an inventory of your authorized devices is one of them. I paraphrase this control slightly differently: if there was ever a Golden Rule in enterprise security, it’s this: know what you have. If you don’t know what you have, how can you protect it? This is exactly how attackers win: they find (or install) devices that you don’t know about, and since you don’t know about it, it’s unprotected and they get in. This is how how the Target hack happened.

The PKC Insight

This control is typically a pitfall for CISOs because it is a lot harder than it sounds to get right. At the technical capability level, this is what this control means:

Given any IP address on any device in your enterprise, I have a way to instantly know (a) where logically on my network this device resides (b) where physically on my enterprise this device resides (c) the function of this device in the larger enterprise picture (i.e. if it were to go down, what would be the impacts?).

I highlighted the words “any” and “instantly” here, to indicate the two greatest problems CISOs have with fulfilling this control. Generally, an enterprise has a well-curated centrally managed network that has some degree of network monitoring (a slightly out of date list is on wikipedia). All is good. But chances are, your enterprise has many, many more devices that aren’t part of this centrally managed core: mobile devices, maintenance laptops used by IT staff, isolated or remote facility LANS. These are the weak points where attackers get in. “Any” means you have to take care of all the corner cases: 95% coverage of your devices is a failure. You have to know 100%, all the time.

I once worked at an enterprise where I spent nearly 4 months trying to track down devices that no one at the company knew anything about: the information the IT staff had was either out of date or factually incorrect because it had been collected by hand. Granted, it was a very large network, but the company had invested millions on security. This is where “instantly” comes into play: it’s essential to have a centralized, automated system in place which updates and records comprehensive information on each device you own.

The payoffs of having an inventory system that is both comprehensive and automated are enormous, since the 18 other Top 20 controls depend on it. It takes hard, grinding work to track down everything and to get the monitoring in place, but it’s well worth it.

The next article will talk about the second Foundational control: Inventory of Authorized and Unauthorized Software


Ken is a Founding Partner of PKC