CIS Compliance

This document describes how Endpoint Central can help enterprises meet specific requirements of the CIS Controls.

CIS Controls

The Center for Internet Security (CIS) publishes a set of Critical Security Controls (CSC) that help organizations improve their cyber defense. These controls are recommended practices for thwarting prevalent attacks and focus on the most fundamental and valuable actions that every enterprise should take. Implementing these controls is the starting point for every enterprise seeking to improve its cyber security. Endpoint Central helps improve the security posture of your organization by facilitating the implementation of these controls.

How does Endpoint Central help?

Each entry below lists the CIS requirement number, the requirement description, and how Endpoint Central fulfills it.
1.1

Utilize an active discovery tool to identify devices connected to the organization’s network and update the hardware asset inventory.

Endpoint Central's AD scan discovers computers automatically as they are added to Active Directory and installs agents on them. Once the agents are installed, they perform an inventory scan to fetch hardware and software inventory information. Scheduled scans ensure that computers are scanned periodically and that inventory information stays up to date, and instant e-mail/SMS alerts can notify users when hardware is added to or removed from a specific computer. Because this discovery is driven by Active Directory, it covers domain-joined computers.

1.4

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization’s network or not.

Once the Endpoint Central agents are installed on computers, they perform an inventory scan to fetch hardware and software inventory information. Scheduled scans ensure that devices are scanned periodically and that inventory information is always up to date.

Endpoint Central can also keep inventory information up to date, over the internet, for roaming devices that are not connected to the organization's network. (Note: the Endpoint Central server must be reachable from the agent.)

1.5

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

Endpoint Central stores the inventory details gathered by its inventory and file scan features in its database. Custom columns can be added to record attributes such as the approval status of each asset, so that approval to connect to the network can be verified.

1.7

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

Using Endpoint Central, 802.1x settings can be configured on managed devices for Wi-Fi, VPN and Ethernet connections. Separately, Endpoint Central's Firewall configuration allows or blocks TCP/UDP ports on Windows computers in the network; this governs host firewall ports, not the switch-port (802.1x) access the control refers to.

With the Device Control (DCP) add-on, 17 types of peripheral devices can be allowed or blocked on managed computers.

1.8

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Using Endpoint Central, an IT admin can configure client certificates and authentication settings for devices' Wi-Fi, VPN and Ethernet connections. With these configurations in place, client certificates are applied automatically for network authentication from the devices. Certificate renewal can be managed, and certificate details are visible in the asset scan, which helps identify devices with missing certificates.

2.3

Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

Endpoint Central scans the desktops and mobile devices in your network and collects software details. Using Endpoint Central's Inventory Management, you can schedule scans to track software actively, and e-mail alerts can be configured for the results.

2.4

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

Endpoint Central's Inventory Management lists software details such as name, version, publisher and installation date for all software applications and operating systems authorized by the organization.

2.5

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

With the help of Endpoint Central, an IT admin can acquire comprehensive data on all the hardware and software details in a network.

For every managed computer, Endpoint Central lists the entire inventory data pertaining to that particular computer.

2.6

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

Endpoint Central's Application Control lets customers blocklist applications and executables that are not intended to run in their network. Read more about this here: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

2.7

Utilize application Allowlisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

Endpoint Central's Application Control also lets customers allowlist applications and executables, so that only the listed software is permitted to run on computers. Read more about this here: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

3.1

Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

Endpoint Central's Vulnerability Management scans every endpoint to identify software vulnerabilities and helps remediate them, including through its zero-day vulnerability mitigation capability. Refer: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

3.2

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

Endpoint Central's Vulnerability Management performs vulnerability scanning on all computers using the agent installed on them (an authenticated, locally running scan). Refer: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

3.4

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Endpoint Central periodically scans the systems in your organization for missing operating system patches.

Endpoint Central's Automated Patch Deployment (APD) empowers the IT admins with the ability to deploy the missing patches automatically without any user intervention. Click here to know about the supported patch list: https://www.manageengine.com/products/desktop-central/patch_management_supported_application.html

3.5

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

In addition to operating system patches, Endpoint Central identifies missing patches for third-party applications.

Endpoint Central's Automated Patch Deployment (APD) empowers the IT admins with the ability to deploy the missing patches automatically without any user intervention. Click here to know about the supported patch list: https://www.manageengine.com/products/desktop-central/patch_management_supported_application.html

3.7

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Endpoint Central lists patches with a risk group based on their severity: Critical, Important, Moderate or Low. With this information, customers can prioritize remediation by patch severity.

In addition, customers can configure the risk-rating process using the "System Health Policy" settings.

4.1

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Endpoint Central provides complete AD reports and user-based reports that give detailed insight into the privileges of the users and computers in the network.

In addition to this, Data Protection Officer (DPO) dashboard helps an IT admin take a glimpse at the computers and the user access associated with the accounts.

4.2

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

The User Management configuration of Endpoint Central allows an IT admin to change a password and configure password settings for the end users.

Apart from this, a Windows user account can be added, removed or modified.

4.9

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Endpoint Central furnishes IT admins with Logon Based Reports detailing unused user accounts, recently logged-on user accounts and user accounts whose last logon failed. From these reports, one can obtain details of successful and unsuccessful logins to administrative accounts.
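As an added, independent check for requirement 4.9 (this is example code written for this page, not Endpoint Central functionality), the following PowerShell script reads the Windows Security log directly for failed logons (event 4625) that targeted a member of the local Administrators group. The 24-hour lookback is an assumption; the script must run elevated, and "Audit Logon" failure auditing must be enabled on the host for 4625 events to be recorded at all.

```powershell
# Added example (not Endpoint Central functionality): list failed logons
# (Security event 4625) against members of the local Administrators group
# within the last 24 hours (lookback is an assumption). Run elevated.

$lookback = (Get-Date).AddHours(-24)

# Local Administrators members, reduced to bare account names (strip DOMAIN\ prefix)
$adminNames = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { ($_.Name -split '\\')[-1].ToLowerInvariant() }

# 4625 = "An account failed to log on". SilentlyContinue suppresses the
# non-terminating "No events were found" error when the log is clean.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $lookback } `
    -ErrorAction SilentlyContinue

$failedAdminLogons = foreach ($evt in $events) {
    # Pull named fields from the event XML instead of parsing the message text
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    $target = $data['TargetUserName']
    if ($target -and ($adminNames -contains $target.ToLowerInvariant())) {
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Account   = $target
            LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = RDP
            SourceIP  = $data['IpAddress']
            SubStatus = $data['SubStatus']   # e.g. 0xC000006A = bad password
        }
    }
}

$failedAdminLogons | Sort-Object Time | Format-Table -AutoSize

# Non-zero exit lets a scheduler or monitoring agent turn the finding into an alert
if ($failedAdminLogons) { exit 1 } else { exit 0 }
```

Because the control asks for both a log entry and an alert, the exit code is the hook: run the script from a scheduled task or a monitoring agent and alert on a non-zero result rather than relying on someone reading the report.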

5.2

Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Endpoint Central's OS Imaging and Deployment creates and deploys secure images to the Windows machines in the network. These images are stored so that they can be accessed only by the Endpoint Central agent, which keeps the system configuration secure.

5.3

Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

The images created by Endpoint Central's OS Imaging are stored so that they can be accessed only by Endpoint Central agents, and an integrity check is performed before an image is deployed, which keeps the system configuration secure.

7.1

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

Updating the browsers can be ensured by deploying the latest patches available in Endpoint Central.

7.2

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

Browser Security Plus in Endpoint Central lets IT admins blocklist/allowlist browsers and manage browser add-ons. Refer: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

7.4

Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not.

Browser Security Plus in Endpoint Central lets IT admins filter sites based on trust and the configured restrictions, whether or not devices are physically at the organization's facilities. Refer: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

7.7

Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

Endpoint Central with Browser Security can block access to malicious domains.

8.2

Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.

Endpoint Central's Patch Management provides regular antivirus definition updates for prominent anti-malware applications. Among the data fetched during an asset scan, the antivirus status of Windows machines is collected as well. Please refer to the following link for the supported antivirus definition updates: https://www.manageengine.com/products/desktop-central/antivirus-updates.html

9.1

Associate active ports, services and protocols to the hardware assets in the asset inventory.

Endpoint Central provides the list of services on a computer as part of that computer's inventory information. The "System Manager" under the Tools tab lets an admin remotely start, stop and restart services and set their startup mode as needed.

Endpoint Central also supports Firewall configuration which helps customers to block/unblock the protocols and ports on the computers.

9.2

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Firewall and Services configuration of Endpoint Central helps you in the creation of rules for either restricting or enabling ports, protocols and services in Windows machines.
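As an added example for requirement 9.2 (written for this page; it is not Endpoint Central's own configuration), the following PowerShell script puts Windows Defender Firewall into the default-deny inbound posture the control describes, re-creates explicit allow rules for approved services, and then verifies the effective state. The two allowed services (RDP and WinRM on the Domain profile) are assumptions for illustration; outbound is left at the Windows default of Allow, since a default-deny outbound policy needs a per-application allowlist beyond this example's scope. Run elevated.

```powershell
# Added example (not Endpoint Central functionality): default-deny inbound host
# firewall with explicit allows, plus verification. Allowed services below are
# assumptions; replace them with the ports this asset is approved to expose.

$allowedInbound = @(
    @{ Name = 'CIS 9.2 - RDP';   Protocol = 'TCP'; Port = 3389; Profile = 'Domain' }
    @{ Name = 'CIS 9.2 - WinRM'; Protocol = 'TCP'; Port = 5985; Profile = 'Domain' }
)

# 1. Firewall enabled on every profile; anything inbound without a rule is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen False

# 2. Explicit allow rules for approved services only (idempotent on re-run).
foreach ($svc in $allowedInbound) {
    Get-NetFirewallRule -DisplayName $svc.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $svc.Name -Direction Inbound -Action Allow `
        -Protocol $svc.Protocol -LocalPort $svc.Port -Profile $svc.Profile | Out-Null
}

# 3. Verify: every profile enabled, inbound default = Block.
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$profiles | Format-Table -AutoSize

$nonCompliant = $profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
}

# 4. Review what remains reachable: every enabled inbound allow rule and its ports.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
        }
    } | Sort-Object Rule | Format-Table -AutoSize

if ($nonCompliant) {
    Write-Warning "Default-deny inbound is not in effect on: $($nonCompliant.Name -join ', ')"
    exit 1
}
```

Step 4 matters as much as step 1: Windows ships with many enabled inbound allow rules (file sharing, discovery, remote assistance), so "default inbound = Block" alone does not mean only your approved ports are open. Review that list and disable rules for services the asset does not need.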

10.2

Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

The complete system backup of a machine can be taken as an OS image in Endpoint Central and stored in the image repository.

13.6

Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.

Endpoint Central's mobile device management provides containerization, which isolates corporate data from personal data on the user's (BYOD) device and ensures that the organization has no access to the personal data. The container encapsulates the corporate policies, apps and app data, forming a corporate workspace that is demarcated from the personal space.

13.7

If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

Endpoint Central's Device Control lets customers block or unblock all types of USB devices on endpoints, and a USB audit history can be maintained. Refer: https://www.manageengine.com/products/desktop-central/endpoint-security-features.html

14.6

Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

Endpoint Central's permission management configuration provides control for only authorized individuals to have access to information based on their responsibilities.

15.4

Disable wireless access on devices that do not have a business purpose for wireless access.

Endpoint Central's WiFi configuration helps in enabling/disabling of wireless adapter in Computers seamlessly.

16.8

Disable any account that cannot be associated with a business process or business owner.

With the user management configuration, customers can add or delete local users on Windows computers.

16.11

Automatically lock workstation sessions after a standard period of inactivity.

Endpoint Central's power management configuration lets customers put computers to sleep after a defined period of inactivity. Note that sleep on its own does not lock the session; the system must also be configured to require sign-in on resume for this to satisfy the control.
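As an added example for requirement 16.11 (written for this page, not Endpoint Central's own configuration), the following PowerShell script enforces a session lock after a fixed idle period on a Windows workstation, makes sleep require sign-in on resume, and reads back what is actually in effect. The 900-second (15 minute) limit is an assumption; use your organization's standard. Run elevated.

```powershell
# Added example (not Endpoint Central functionality): enforce and verify an
# inactivity lock on Windows. 900 seconds is an assumed value.

$idleSeconds = 900

# 1. Machine-wide inactivity limit, the registry value behind the security option
#    "Interactive logon: Machine inactivity limit". The session locks when this
#    many idle seconds elapse, independent of any screen saver.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
    -PropertyType DWord -Value $idleSeconds -Force | Out-Null

# 2. Sleep does not lock the session by itself: require sign-in on wake for both
#    AC and battery (DC) in the active power scheme (CONSOLELOCK = 1).
powercfg /SETACVALUEINDEX SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /SETDCVALUEINDEX SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /SETACTIVE SCHEME_CURRENT

# 3. Verify the effective state rather than trusting that the writes succeeded.
$effective = (Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
    -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$consoleLock = powercfg /QUERY SCHEME_CURRENT SUB_NONE CONSOLELOCK

[pscustomobject]@{
    InactivityTimeoutSecs = $effective
    RequireSignInOnWake   = [bool]($consoleLock -match 'Current AC Power Setting Index: 0x00000001') -and
                            [bool]($consoleLock -match 'Current DC Power Setting Index: 0x00000001')
    Compliant             = ($effective -gt 0 -and $effective -le $idleSeconds)
}
```

If the value is also delivered by Group Policy, the policy setting takes precedence on the next refresh, so check the effective value (step 3) after a `gpupdate` rather than only immediately after the write.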

16.6

Maintain an inventory of all accounts organized by authentication system.

Endpoint Central fetches all user accounts available in computers as part of the Inventory scan. With the help of "User Management" Configuration, local users can be deleted/modified/added.

CIS benchmarks

While the CIS Controls are practices recommended for securing a wide array of systems and devices, CIS Benchmarks are prescriptive configuration guidelines for specific software, operating systems and network infrastructure. Endpoint Central's vulnerability management module can also be leveraged to audit managed endpoints against these CIS Benchmarks to ensure compliance with them.