CIS Control v8 Overview - Control 13

James Temples
4 min read · Nov 17, 2021


Control 13: Network Monitoring and Defense: Operate processes and tools to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Why is this Control important?

While network defenses do offer protection, organizations should not rely solely on them to do all the work "as advertised". To be effective, an organization should fully understand its enterprise risk posture in order to configure, tune, and log these tools. Adversaries continue to evolve and mature, as they share, or sell, information among their community on exploits and on bypassing security controls.

Often, misconfigurations due to human error or lack of knowledge of tool capabilities give enterprises a false sense of security. Security tools can only be effective if they support a process of continuous monitoring that allows staff to be alerted and to respond to security incidents quickly. Enterprises that adopt a purely technology-driven approach will also experience more false positives, due to their over-reliance on alerts from tools. Identifying and responding to these threats requires visibility into all threat vectors of the infrastructure and leveraging humans in the process of detection, analysis, and response.

It is critical for large or heavily targeted enterprises to have a security operations capability to prevent, detect, and quickly respond to cyber threats before they can impact the enterprise. This process will generate activity reports and metrics that will help enhance security policies and support regulatory compliance for many enterprises. As we have seen many times in the press, enterprises have been compromised for weeks, months, or years before discovery. The primary benefit of comprehensive situational awareness is to increase the speed of detection and response. Responding quickly when malware is discovered, credentials are stolen, or sensitive data is compromised is critical to reducing the impact to the enterprise.

Through good situational awareness (i.e., security operations), enterprises will identify and catalog the Tactics, Techniques, and Procedures (TTPs) of attackers, including their IOCs, which will help the enterprise become more proactive in identifying future threats or incidents. Recovery can be achieved faster when responders have access to complete information about the environment and enterprise structure to develop efficient response strategies.

And its Safeguards?

This Control has eleven (11) Safeguards, which include: centralizing security event alerting, deploying a host-based intrusion detection solution, deploying a network intrusion detection solution, performing traffic filtering between network segments, managing access control for remote assets, collecting network traffic flow logs, deploying a host-based intrusion prevention solution, deploying a network intrusion prevention solution, deploying port-level access control, performing application-layer filtering, and tuning security event alerting thresholds.

How is this Control implemented?

Many organizations utilize Security Operations Centers (SOC) to monitor and manage situational awareness. This is done by first understanding critical business functions, network and server architectures, data and data flows, vendor service and business partner connections, and end-user devices and accounts. Once these are understood, the security architecture, technical controls, logging, monitoring, and response procedures are developed. Next, a team is trained to implement processes for incident detection, analysis, and mitigation.

Organizations should consider network, enterprise asset, user credential, and data access activities. Technology will play a crucial role in collecting and analyzing all of this data, and in monitoring networks and enterprise assets both internal and external to the enterprise. Enterprises should include visibility into cloud platforms that might not be covered by on-premises security technology. Forwarding all important logs to analytical programs, such as Security Information and Event Management (SIEM) solutions, can provide value; however, they do not provide a complete picture. Weekly log reviews are necessary to tune thresholds and identify abnormal events. Correlation tools can make audit logs more useful for subsequent manual inspection.
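As an added illustration (not from the original post or from CIS), here is a minimal correlation rule of the kind a SIEM would run over collected network flow logs: the sample flows and the segment definitions are constructed and hypothetical, and the alerting threshold is the value that the weekly log reviews described above would tune up or down.

```python
from collections import defaultdict
import ipaddress

# Constructed sample flow records: timestamp src dst dst_port bytes (not from the post).
FLOWS_TEXT = """\
2021-11-17T09:00:01 10.10.1.5 10.10.2.20 445 1200
2021-11-17T09:00:02 10.10.1.5 10.10.2.21 445 1150
2021-11-17T09:00:03 10.10.1.5 10.10.2.22 445 1180
2021-11-17T09:00:04 10.10.1.5 10.10.2.23 445 1210
2021-11-17T09:00:05 10.10.3.8 10.10.3.9 443 54000
2021-11-17T09:00:06 10.10.1.9 10.10.2.20 443 8000
"""

# Hypothetical segments; in practice they come from the enterprise asset inventory.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.1.0/24"),
    "servers": ipaddress.ip_network("10.10.2.0/24"),
    "dmz": ipaddress.ip_network("10.10.3.0/24"),
}


def parse_flows(text):
    """Parse one flow per line into (ts, src, dst, dport, nbytes); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit() or not parts[4].isdigit():
            continue
        flows.append((parts[0], parts[1], parts[2], int(parts[3]), int(parts[4])))
    return flows


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if unassigned."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "unknown")


def cross_segment_fanout(flows, threshold):
    """Return (src, peer_count) for sources that reached more than `threshold`
    distinct hosts in other segments. `threshold` is the knob tuned from log reviews."""
    peers = defaultdict(set)
    for _ts, src, dst, _dport, _nbytes in flows:
        if segment_of(src) != segment_of(dst):
            peers[src].add(dst)
    return sorted((s, len(d)) for s, d in peers.items() if len(d) > threshold)
```

With the sample data, a threshold of 3 alerts only on the source that touched four server-segment hosts, while a threshold of 0 also surfaces the single ordinary cross-segment connection, which is the kind of noise the review cycle exists to tune out.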

The tools are not a replacement for skilled information security personnel and system administrators, since human expertise and intuition are often required to identify and understand attacks. Organizations also create, maintain, and evolve a knowledge base that helps them understand and assess business risks, developing an internal threat intelligence capability. Threat intelligence is the collection of TTPs from incidents and adversaries. To accomplish this, a situational awareness program will define and evaluate which information sources are relevant to detect, report, and handle attacks. As their experience and processes mature, enterprises can evolve to threat hunting, where trained staff manually review system and user logs, data flows, and traffic patterns to find anomalies.

Key Reminder(s)

In the next post, we will look at Control 14: Security Awareness and Skills Training. If you enjoyed this post, please 𝙇𝙞𝙠𝙚 and 𝙎𝙝𝙖𝙧𝙚!

Contact Temples Consulting (a CIS SecureSuite Partner) to schedule a no-cost consultation for Network Monitoring and Defense strategies based on the latest CIS Benchmarks.

#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity #phishing #vishing #smishing


James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP