Cybersecurity today seems like an arms race: Enterprises implement more and more security tools to try defend their networks against increasingly frequent and sophisticated attacks. But simply increasing the number of tools in your arsenal is not an effective cybersecurity strategy. Rather, what organizations need is a framework that provides proven guidelines for secure management of their digital resources so they can implement tools and processes that actually protect their business, customers and partners.
The Center for Internet Security (CIS) provides just such a framework — the CIS Critical Security Controls. Implementing these controls can help you protect your infrastructure, software applications, services and data, effectively and efficiently.
The CIS Controls framework is periodically updated to meet evolving threats. In particular, the world has changed dramatically since version 7 was released in 2019, thanks to the widespread adoption of remote and hybrid work during the pandemic. Accordingly, CIS released version 8 in 2021. It includes an important new control, Network Monitoring and Defense, and drops three others, including Boundary Defense. Let’s look into this change and what it means for your cybersecurity strategy.
CIS Control 13: Network Monitoring and Defense
There was a time in which a strong boundary defense was the main priority in a cybersecurity strategy. Today, however, traffic flows to and from a multitude of sites outside the traditional network perimeter. Therefore, it’s essential to know what devices are connected to your network at any given time and to continually monitor attempts to access sensitive data and other high-value resources. The goal is to quickly identify suspicious traffic patterns or events so you can detect threats before they result in a data breach or disrupt operations.
Control 13 in version 8 of the CIS Control shifts the strategic approach away from ‘fencing’ the organization towards a ‘meshed’ approach to monitoring and defense that adopts to modern processes used in supply chain connections, for example the data exchange established with them.
To help organizations achieve this goal, CIS Control 13 recommends the following 11 safeguards:
1. Centralize security event alerting
Manual threat monitoring is insufficient in the face of modern attack methodologies. For example, ransomware can encrypt data at machine speed, and spotting sophisticated cyberattacks involves correlating data across multiple systems. Fortunately, there are advanced tools that use automation and artificial intelligence to quickly analyze data across complex hybrid networks. CIS Control 13 recommends using a SIEM solution to aggregate, correlate and analyze event log data from multiple systems and alert the right personnel about threats in real time.
2. Deploy a host-based intrusion detection solution
Software application that is installed locally on the computer infrastructure that it will analyze. Its job is to detect, log and alert on suspicious behavior, malicious traffic and policy violations.
3. Deploy a network intrusion detection solution.
A network intrusion detection (NID) solution is a security appliance that analyzes inbound and outbound network traffic to identify anomalies, suspicious traffic patterns and potential packet threats. A NID can be a licensed component within a next-generation firewall (NGFW) appliance, or it can utilize sensors or application agents placed strategically across the network.
4. Perform traffic filtering between network segments
Traffic filtering restricts the flow of traffic between network segments according to source, destination or traffic type. For instance, all HR machines can be segmented from the rest of organization to ensure that only traffic originating from prescribed users can go to HR machines. You can use routers or firewalls to segment areas; a router will filter using access control lists (ACLs) while a firewall will use policies to filter.
5. Manage access control for remote assets
Remote access should be granted only to user accounts that absolutely need it, in accordance with the principle of least privilege. Remote access policies should also align with any required industry or government regulations.
6. Collect network traffic flow logs
Network traffic flow logs can be used to troubleshoot connectivity issues and determine whether traffic flows work as anticipated. They are also used to investigate suspicious traffic and resource access in the event of a cybersecurity incident.
7. Deploy a host-based intrusion prevention solution
An intrusion prevention solution (IPS) is like an intrusion detection system (IDS) in that they both look for suspicious traffic and malicious code. However, while an IDS strictly analyzes the traffic and issues an alert, a local IPS can proactively prevent the identified packets from accessing the local device by dropping them.
8. Deploy a network intrusion prevention solution
A network IPS resides on a network appliance and will drop traffic it deems a threat before it can enter or exit a particular network segment.
9. Deploy port-level access control
Port-level access control utilizes 802.1x or similar protocols to ensure that only authorized devices can connect to the network. For instance, it can prevent a visitor from connecting a portable computer to a network using an ethernet cable, thus forcing them to use the provided wireless network. Access can be granted by using certificates, MAC addresses or user authentication.
10. Perform application layer filtering
Application layer filtering ensures that users cannot communicate using applications that don’t comply with corporate policies. For instance, some organizations may prevent users from using certain social media, streaming media or proxy applications.
11. Tune security event alerting thresholds
If IT or security personnel are inundated with alerts, they will begin to ignore them. One way to prevent this is to assign thresholds to various event types so that an alert is triggered only when a threshold has been exceeded. Events can be automatically cleared using thresholds as well.
How Netwrix Can Help
Netwrix provides solutions that can help you implement many of the safeguards in CIS Control 13, quickly and effectively. Netwrix security solutions empower you to identify and correct gaps in your security posture, and well as spot threats in their early stages and respond promptly. In particular, our insider threat detection capabilities alerts you to anomalous behavior across your environment so you can defend your network against both malicious insiders and attackers who take over their accounts.