
The CIS Critical Security Controls

Introduced in 2008 in response to extreme data losses in the US, the 20 Critical Security Controls prioritize a list of measures that are effective at improving risk posture against real-world threats.

Derived from the most common attack patterns and vetted across government and industry bodies, the 20 Critical Controls focus on a small number of actionable controls with immediate benefits, aiming for a “must do first” philosophy. This document focuses on how Defendpoint can help you meet many of its recommendations.



How Defendpoint maps to the control

CSC 1 & CSC 2

Inventory of Authorized and Unauthorized Devices: "Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access."

Inventory of Authorized and Unauthorized Software: "Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution."

Defendpoint can help with devising a list of authorized software and versions for each type of system (server, desktop, laptop etc.). The control requires that this list be monitored through file integrity checking tools; where the list is stored in a Defendpoint policy, the configuration could be digitally signed to maintain its integrity. Application whitelisting, which Defendpoint can deliver, is also mentioned, as is file integrity checking (system files are given as examples, and least privilege protects their integrity without the need for monitoring).


Secure Configurations for Hardware and Software: "Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings."

Defendpoint allows you to maintain your gold standard build by providing the most granular, flexible approach to policy design. This means that configurations scale easily with a firewall style engine for management and clear, logical process flows.

Avecto leverages existing infrastructure and integrates tightly with Microsoft Group Policy or McAfee ePO; alternatively, Avecto’s own iC3 cloud infrastructure, based on Azure, can be used. In addition, all employees become standard users, ensuring a safe, clean and secure environment.


Continuous Vulnerability Assessment and Remediation

With Defendpoint you can quickly distribute update packages for third-party applications without the need for administrative privileges. Defendpoint complements your patching strategy by ensuring proactive and holistic defense in depth.


Controlled Use of Administrative Privileges: "The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications"

Defendpoint provides enterprises with an effective solution to ensure minimum impact for end users, for maximum productivity gain. It allows all Windows users to operate as standard users across desktops and servers, with admin rights applied directly to applications, tasks and scripts.

Defendpoint’s privilege management capability allows you to remove admin rights from all users, even sysadmins in the data centre. Its flexible approach allows users to carry out their job function without restriction, while providing an effective security solution with low maintenance overheads and implementation costs.


Maintenance, Monitoring and Analysis of Audit Logs: "Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack."

This control describes how audit data should include a date, timestamp and other characteristics, and that it should be in a standardized format; Defendpoint’s event output can do this. It also calls for weekly reports/reviews for anomalies in the data; our enterprise reporting and some of the discovery dashboards (or custom reports) could offer or support this. Use of a SIEM tool is also mentioned. Defendpoint can feed into a SIEM, and its application characteristics can help to prioritize the events within the system.


Email and Web Browser Protections: "Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems."

7.1 Defendpoint’s application control features enable full compliance with this requirement by ensuring that only approved web browsers and email clients can be used on the endpoints. In addition, minimum versions of approved applications can be specified, preventing older and potentially vulnerable versions from launching. Defendpoint provides fully customisable messaging to inform users that a newer version is available, and provide the ability to update the application.

7.5 Defendpoint enables compliance with this requirement with context-aware application control. This allows defined URL groups to operate with approved applications/plugins, while undefined URLs are subjected to a more restrictive policy, which could be a subset of approved plugins and scripting languages, or could prevent them entirely.


Malware Defences: "Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action."

8.3 This control is split into two parts: the first is to limit the use of external devices to approved individuals only, and the second is to prevent auto-run applications on external devices from executing. The second part is fully supported: Defendpoint features application matching criteria based upon the storage type and can prevent applications from launching from removable media.
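The three mechanisms this page attributes to the product (an allow list of authorized software per system type whose stored policy is integrity-protected, under CSC 1 & 2; minimum approved versions under 7.1; and a storage-type criterion that blocks launches from removable media under 8.3) can be illustrated together as one policy check. The block below is an added, stand-alone illustration and is not Defendpoint's or Avecto's code; the policy schema, the HMAC-SHA256 signing key, the application paths and the dotted version strings are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed signing key for the example. In a real deployment the key would be
# held by the policy authority, never embedded alongside the policy it protects.
POLICY_SIGNING_KEY = b"example-policy-signing-key-do-not-reuse"

# Constructed allow-list policy, one entry per system type: approved applications
# with the minimum version permitted to launch, plus a removable-media rule.
POLICY = {
    "desktop": {
        "allow": [
            {"path": "C:\\Program Files\\Browser\\browser.exe", "min_version": "90.0"},
            {"path": "C:\\Program Files\\Mail\\mail.exe", "min_version": "16.0"},
        ],
        "block_removable_media": True,
    },
    "server": {
        "allow": [{"path": "C:\\Windows\\System32\\svc.exe", "min_version": "1.0"}],
        "block_removable_media": True,
    },
}


def canonical(policy):
    # Deterministic serialization so the same policy always signs to the same bytes.
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy, key):
    return hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()


def verify_policy(policy, signature, key):
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(sign_policy(policy, key), signature)


def version_tuple(version):
    # "92.1" -> (92, 1); assumes plain dotted numeric versions (example assumption).
    return tuple(int(part) for part in version.split("."))


def evaluate(policy, signature, key, system_type, app_path, app_version, storage_type):
    """Decide whether a launch is permitted. Returns (allowed, reason).

    Order of checks: policy integrity first (a tampered policy is never trusted),
    then the storage-type rule, then the per-application allow list and minimum version.
    """
    if not verify_policy(policy, signature, key):
        return False, "policy integrity check failed"
    rules = policy.get(system_type)
    if rules is None:
        return False, f"no policy for system type {system_type}"
    if storage_type == "removable" and rules["block_removable_media"]:
        return False, "launch from removable media blocked"
    for entry in rules["allow"]:
        # Windows paths are case-insensitive, so compare folded.
        if entry["path"].lower() == app_path.lower():
            if version_tuple(app_version) >= version_tuple(entry["min_version"]):
                return True, "allowed"
            return False, f"version {app_version} below minimum {entry['min_version']}"
    return False, "application not on allow list"


if __name__ == "__main__":
    sig = sign_policy(POLICY, POLICY_SIGNING_KEY)
    browser = "C:\\Program Files\\Browser\\browser.exe"
    print(evaluate(POLICY, sig, POLICY_SIGNING_KEY, "desktop", browser, "92.1", "fixed"))
    print(evaluate(POLICY, sig, POLICY_SIGNING_KEY, "desktop", browser, "89.0", "fixed"))
    print(evaluate(POLICY, sig, POLICY_SIGNING_KEY, "desktop", browser, "92.1", "removable"))
    # A policy edited after signing fails verification and denies everything.
    tampered = json.loads(json.dumps(POLICY))
    tampered["desktop"]["allow"].append({"path": "C:\\Users\\x\\tool.exe", "min_version": "0.0"})
    print(evaluate(tampered, sig, POLICY_SIGNING_KEY, "desktop", "C:\\Users\\x\\tool.exe", "1.0", "fixed"))
```

The integrity check runs before any allow-list lookup so that an edited policy cannot grant itself new entries; this is the property the page refers to when it mentions signing the stored configuration instead of relying on a separate file integrity monitor.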