How do you stay compliant with CIS CSAT controls 2.1, 2.2, and 2.3?

Asked By TechieNinja42 On

I'm trying to get a grip on how to effectively adhere to CIS CSAT controls 2.1, 2.2, and 2.3. To give you some context, here's what they involve: Control 2.1 is about creating and maintaining a detailed software inventory for all licensed software on our assets, including details like title, publisher, install dates, and purpose. Control 2.2 stresses that only currently supported software should be in our inventory, and if we're using unsupported software, we need to document it and list any mitigating controls. Lastly, Control 2.3 requires that we address any unauthorized software by either removing it or getting an exception documented.

We've been using Defender for Endpoint P2 to gather our software inventory, but it lists everything installed—around 2000 packages in our small environment! Even with AppLocker in place, it feels overwhelming. Plus, Defender doesn't always show when software is vulnerable or end-of-life if it doesn't recognize it. How do you all manage this? Did you invest in any tools to make it easier?

1 Answer

Answered By AdminGuru77 On

For Control 2.1, focus on cataloging all your IT-approved software first. Then go to the end users' machines to document every single piece of software they have, including any PowerShell modules. After you gather this info, meet with your IT leaders to decide which software stays and which gets removed. It's crucial to establish a process for users to request new software so that IT can vet it properly.

The headache comes with preventing unauthorized installations. In the past, it was straightforward since most software needed local admin rights, but some install under the user profile now, making it tricky. We do monthly reports to review all software and have internal meetings to address new installs and reinforce the change approval process.
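The inventory-then-compare routine described in this answer, written out as a PowerShell script. This is an added example, not code from the original thread or from any of the posters: it reads the per-machine and per-user uninstall registry keys (the per-user keys are what catch installers that land under the user profile without admin rights), lists installed PowerShell modules, and compares everything against an IT-approved list to tag each item Approved, Unsupported (control 2.2, must carry mitigating controls) or Unauthorized (control 2.3, remove or file an exception). The approved list embedded below, its column names (`Supported`, `MitigatingControls`, `Purpose`) and the product names in it are constructed for illustration; replace them with your own catalogue.

```powershell
# Added example: per-machine software inventory compared with an approved list.
# Run as the logged-on user so the HKCU keys and user-scope module paths are visible.

# Constructed sample approved list (assumption; substitute your real catalogue).
# Supported is "True"/"False"; MitigatingControls must be filled in when False.
$Approved = @'
Name,Publisher,Purpose,Supported,MitigatingControls
7-Zip,Igor Pavlov,Archive handling,True,
Microsoft Edge,Microsoft Corporation,Browser,True,
PSReadLine,Microsoft Corporation,Shell line editing,True,
Pester,Pester Team,Test framework,True,
LegacyReportingTool,Example Vendor,Finance reports,False,Isolated VLAN; AppLocker publisher rule; quarterly review
'@ | ConvertFrom-Csv

$ReportPath = Join-Path $env:TEMP "software-review-$env:COMPUTERNAME.csv"

function Get-InstalledSoftware {
    # 64-bit, 32-bit (WOW6432Node) and per-user uninstall keys. The HKCU key is
    # where user-profile installers register themselves, so it must be included.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Type        = 'Application'
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                Version     = $_.DisplayVersion
                InstallDate = $_.InstallDate   # yyyyMMdd when the installer recorded it
                Scope       = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                Source      = $_.PSPath
            }
        }
}

function Get-InstalledPSModules {
    # Modules are software too. -ListAvailable walks every directory in
    # $env:PSModulePath, so user-scope modules under the profile are included.
    Get-Module -ListAvailable |
        ForEach-Object {
            [pscustomobject]@{
                Type        = 'PowerShellModule'
                Name        = $_.Name
                Publisher   = if ($_.CompanyName) { $_.CompanyName } else { $_.Author }
                Version     = $_.Version.ToString()
                # Modules carry no install date; folder creation time is the best proxy.
                InstallDate = (Get-Item $_.ModuleBase).CreationTime.ToString('yyyyMMdd')
                Scope       = if ($_.ModuleBase -like "$env:USERPROFILE*") { 'User' } else { 'Machine' }
                Source      = $_.ModuleBase
            }
        }
}

function Compare-WithApprovedList {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [object[]] $ApprovedList
    )
    # Index approved titles by lower-cased name; matching is on exact name only,
    # so vendor renames or version suffixes in DisplayName will surface as
    # Unauthorized and need a catalogue entry or an exception.
    $byName = @{}
    foreach ($a in $ApprovedList) { $byName[$a.Name.ToLowerInvariant()] = $a }

    foreach ($item in $Inventory) {
        $match = $byName[$item.Name.ToLowerInvariant()]
        if (-not $match) {
            $status = 'Unauthorized'                      # control 2.3
            $action = 'Remove or document an exception'
        } elseif ($match.Supported -eq 'False') {
            $status = 'Unsupported'                       # control 2.2
            $action = if ($match.MitigatingControls) { "Documented: $($match.MitigatingControls)" }
                      else { 'MISSING mitigating controls' }
        } else {
            $status = 'Approved'
            $action = ''
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Type        = $item.Type
            Name        = $item.Name
            Publisher   = $item.Publisher
            Version     = $item.Version
            InstallDate = $item.InstallDate
            Scope       = $item.Scope
            Purpose     = if ($match) { $match.Purpose } else { '' }
            Status      = $status
            Action      = $action
        }
    }
}

$inventory = @(Get-InstalledSoftware) + @(Get-InstalledPSModules)
$report    = Compare-WithApprovedList -Inventory $inventory -ApprovedList $Approved

# Full report for the monthly review meeting, plus a console summary of exceptions.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Status -ne 'Approved' | Sort-Object Status, Name |
    Format-Table Type, Name, Publisher, Version, Scope, Status, Action -AutoSize
```

The script runs against one endpoint; for the monthly report, run it through your RMM or a scheduled task on every machine and concatenate the CSVs. Everything tagged Unauthorized on first run will be large, as the question notes with its 2000-package Defender list, so the practical order is: export once, have IT leaders mark the catalogue, then let subsequent runs show only the delta.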

WiseGuy99 -

That sounds like a solid approach! We have AppLocker set up as well, so all installations are managed by IT or approved by publisher rules. The tough part comes from devices like scanners that can have countless components. They're technically approved but not explicitly on our list, which complicates things. And catching outdated software that Defender doesn't flag is a real challenge.
