The Center for Internet Security (CIS) publishes a comprehensive security framework called the CIS Critical Security Controls (CSC) for Effective Cyber Defense, which gives organizations of any size a set of clearly defined controls to reduce their risk of cyberattack and improve their IT security posture. The framework consists of 20 controls; according to CIS, implementing just the first five provides effective defense against roughly 85% of the most common cyberattacks. CIS also provides guidance on how to implement each control and which tools can help, which reduces the burden on security teams. Without that guidance, those teams would have to spend time deciphering the meaning and objective of each critical security control on their own.
SolarWinds offers several tools that provide the capabilities to implement many of the CIS Controls. In this post, I'm going to break down each Critical Security Control and discuss how SolarWinds® products can assist.
Critical Security Control 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Asset discovery is the first step in identifying unauthorized and unprotected hardware attached to your network. Unauthorized devices pose obvious risks and must be identified and removed as quickly as possible.
SolarWinds User Device Tracker (UDT) enables you to detect unauthorized devices on both your wired and wireless networks. Information such as MAC address, IP address, and host name can be used to build blacklists and watch lists. UDT can also disable the switch port a device is connected to, helping to ensure that its access is actually removed. Bear in mind that MAC and IP addresses are trivially spoofed, so treat them as identifiers for alerting and port shutdown rather than as proof of a device's identity.
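As an added illustration of the inventory check described above (example code written for this post, not SolarWinds UDT code), the following script audits a constructed discovery dump against a constructed authorized-device list and watch list. Every MAC, IP, hostname and switch port in it is made up. The point it demonstrates is that discovery output arrives in mixed MAC notations, so you must canonicalise before matching, and that a known MAC appearing under a different hostname deserves a look, because it may be a cloned address.

```python
"""Added example: audit a hardware discovery dump against an authorized
device inventory and a watch list. All data below is constructed and the
code is illustrative, not SolarWinds'."""
import re
from dataclasses import dataclass

# Constructed discovery output: MAC, IP, hostname ("-" if unresolved), switch:port.
# The mixed MAC notations (Cisco dotted, dashed, colon-separated) are deliberate.
DISCOVERED = """\
0050.56aa.1b2c      10.10.1.25   fileserver01  sw-core-1:Gi1/0/4
00-50-56-AA-1B-2D   10.10.1.26   hrdesk-07     sw-floor2:Gi1/0/11
b8:27:eb:12:34:56   10.10.1.199  raspberrypi   sw-floor2:Gi1/0/12
00:0c:29:77:88:99   10.10.1.200  -             sw-floor2:Gi1/0/13
00:50:56:AA:1B:2C   10.10.1.27   laptop-xyz    sw-floor2:Gi1/0/14
"""

# Constructed authorized inventory (what an asset database would hold): MAC -> expected hostname
AUTHORIZED = {
    "00:50:56:aa:1b:2c": "fileserver01",
    "00:50:56:aa:1b:2d": "hrdesk-07",
}

# Constructed watch list: MACs that should raise an alert wherever they appear
WATCH_LIST = {"b8:27:eb:12:34:56"}


def normalize_mac(raw: str) -> str:
    """Canonicalise any common MAC notation to lower-case, colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    port: str
    reason: str
    action: str  # "disable_port" or "investigate"


def audit(discovered: str, authorized: dict, watch_list: set) -> list:
    """Compare each discovered device with the inventory; return the findings in input order."""
    findings = []
    for line in discovered.splitlines():
        if not line.strip():
            continue
        raw_mac, ip, host, port = line.split()
        mac = normalize_mac(raw_mac)
        if mac in watch_list:
            findings.append(Finding(mac, ip, host, port, "on watch list", "disable_port"))
        elif mac not in authorized:
            findings.append(Finding(mac, ip, host, port, "not in inventory", "disable_port"))
        elif host != "-" and host != authorized[mac]:
            # A known MAC showing up under another name: a re-imaged host, or a cloned MAC
            findings.append(Finding(mac, ip, host, port,
                                    f"hostname mismatch (expected {authorized[mac]})", "investigate"))
    return findings


def ports_to_disable(findings: list) -> list:
    """Switch ports to shut down (the targets a port-disable action would act on)."""
    return sorted({f.port for f in findings if f.action == "disable_port"})


if __name__ == "__main__":
    results = audit(DISCOVERED, AUTHORIZED, WATCH_LIST)
    for f in results:
        print(f"{f.mac} {f.ip:<12} {f.hostname:<13} {f.port:<20} {f.reason} -> {f.action}")
    print("disable:", ports_to_disable(results))
```

Run as-is it reports the Raspberry Pi (watch list), the unknown VMware-style MAC (not in inventory) and the laptop reusing fileserver01's MAC (hostname mismatch), and lists the two floor-switch ports to disable.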
Critical Security Control 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
As the saying goes, you don't know what you don't know. Keeping the software on your network up to date is essential to defending against attacks on known vulnerabilities, and it's very difficult to keep software up to date if you don't know what software is running out there.
SolarWinds Patch Manager can create an inventory of all software installed across your Microsoft® Windows® servers and workstations. Inventory scans can be run ad hoc or on a schedule, with software inventory reports scheduled accordingly. Patch Manager can also go a step further and uninstall unauthorized software remotely. CSC2 also calls for preventing the execution of unauthorized software. SolarWinds Log and Event Manager (LEM) can be leveraged to monitor for non-authorized processes and services launching and block them in real time. Note that killing a process after it has launched is a reactive control; for true execution prevention, pair it with OS-level application whitelisting.
Critical Security Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, and correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.
Attackers prey on vulnerable configurations. Identifying weak settings and correcting them helps prevent attackers from successfully exploiting them. Change management is critical to ensuring that configuration changes made to devices do not negatively impact their security.
Lacking awareness of access to, and changes of, important system files, folders and registry keys can threaten device security. SolarWinds LEM includes File Integrity Monitoring (FIM), which monitors for alterations to critical system files and registry keys that may result in insecure configurations, and notifies you immediately of any change, including permission changes.
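To show what file integrity monitoring actually does under the hood, here is an added, minimal FIM in Python (written for this post; it is not LEM's FIM). It baselines a content hash and the permission bits of every file under a directory, then diffs a later scan into added, removed, modified and permission-changed files. The directory tree it checks is constructed in a temporary folder, and the file names in it are made up.

```python
"""Added example: a minimal file-integrity monitor that baselines content
hashes and permission bits, then reports additions, deletions, content
changes and permission changes. Illustrative code, not SolarWinds LEM's
FIM; the files it checks are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus the permission bits (file-type bits masked off)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    mode = path.stat().st_mode & 0o7777
    return {"sha256": h.hexdigest(), "mode": f"{mode:04o}"}


def build_baseline(root) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans. A file can be both modified and permission_changed."""
    report = {"added": [], "removed": [], "modified": [], "permission_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old["sha256"] != new["sha256"]:
                report["modified"].append(rel)
            if old["mode"] != new["mode"]:
                report["permission_changed"].append(rel)
    return report


def save_baseline(baseline: dict, path) -> None:
    # Keep the baseline where the monitored host cannot write it (or sign it):
    # an attacker who can edit the baseline can hide every change.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake etc/ and bin/, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        fs = Path(tmp) / "fs"                      # the monitored tree
        (fs / "etc").mkdir(parents=True)
        (fs / "bin").mkdir()
        (fs / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (fs / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (fs / "bin" / "tool").write_bytes(b"\x7fELF fake binary")
        save_baseline(build_baseline(fs), Path(tmp) / "baseline.json")   # stored outside the tree

        # Simulated attacker activity
        (fs / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # content change
        os.chmod(fs / "bin" / "tool", 0o400)                              # permission change
        (fs / "etc" / "cron.d").mkdir()
        (fs / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")  # new file
        (fs / "etc" / "hosts").unlink()                                   # deleted file

        report = compare(load_baseline(Path(tmp) / "baseline.json"), build_baseline(fs))
        os.chmod(fs / "bin" / "tool", 0o644)       # restore so the temp dir cleans up everywhere
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing content rather than trusting timestamps matters because an attacker who can edit a file can also reset its mtime; permission bits are tracked separately because a mode change alone (say, a world-writable config) is a finding even when the content is untouched.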
CSC 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
To remediate vulnerabilities, you first need to identify those that already exist on your network. SolarWinds Risk Intelligence includes host-based vulnerability scanning; it matches what it finds against published CVE data (scored with CVSS) to uncover the latest known vulnerabilities. Where vulnerabilities stem from outdated software and missing OS updates, SolarWinds Patch Manager can apply the updates to remediate them. If you already run a vulnerability scanner such as Nessus®, Rapid7® or Qualys®, LEM can parse the logs these tools produce to alert on detected vulnerabilities and correlate activity. SolarWinds Network Configuration Manager (NCM) can help identify risks to network security and reliability by detecting potential vulnerabilities in Cisco ASA® and IOS®-based devices through its integration with the National Vulnerability Database, and it can push firmware updates to IOS-based devices to remediate known vulnerabilities.
CSC 5: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Administrative privileges are very powerful and can cause grave damage in the wrong hands; administrative access is the Holy Grail for any attacker. As the control states, administrative privileges need to be tracked, controlled and, where they are not required, prevented. A SIEM such as SolarWinds LEM can and should be used to monitor privileged account usage: authentication attempts, account lockouts, password changes, file access and changes, and any other actions performed by administrative accounts. A SIEM can also watch for new administrative accounts being created and for existing accounts being added to privileged groups. LEM includes real-time filters, correlation rules and reports to assist with this monitoring.
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
As you've probably guessed from the title, this one has Security Information and Event Management (SIEM) written all over it. Collecting and analyzing audit logs from all the devices on your network can greatly reduce your mean time to detection (MTTD) when an internal or external attack is under way. Collecting logs is only one part of the equation; analyzing and correlating them is what surfaces suspicious patterns of behavior so you can alert and respond. If an attack does take place, your audit logs are your evidence room: they let you put the pieces of the puzzle together, understand how the attack happened, and remediate appropriately. For that to work, logs must be forwarded off the host they are generated on (attackers routinely clear local logs) and clocks must be synchronized via NTP so events from different sources can be correlated. SolarWinds LEM is a powerful SIEM that includes log normalization, correlation, active response, reporting, and more.
CSC 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
SolarWinds Patch Manager can identify and uninstall any unauthorized browsers or e-mail clients installed on servers and workstations. For authorized browsers and e-mail clients such as Google® Chrome®, Mozilla® Firefox®, Internet Explorer®, Microsoft® Outlook® and Mozilla® Thunderbird®, Patch Manager can help ensure that they are up to date. LEM can take it a step further and block unauthorized browsers and e-mail clients from launching, thanks to its "kill process" active response. LEM can also collect logs from proxy and content-filtering appliances to monitor URL requests, which also lets you validate that blocked URL requests are actually being blocked.
CSC 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
LEM can integrate with a wide range of anti-virus and UTM appliances to monitor for malware detections and respond accordingly. LEM also provides threat feed integration to monitor for communication with known bad actors associated with malware and other malicious activity. Sub-control 8.3 involves limiting the use of external devices such as USB thumb drives and hard drives; LEM includes USB Defender® technology, which monitors USB storage device usage and detaches devices that are not authorized.
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
Attackers are constantly scanning for open ports, vulnerable services, and protocols in use. The principle of least privilege should be applied to ports, protocols and services: if there isn't a business need for them, they should be disabled. When people talk about ports they generally think of checking perimeter devices such as firewalls, but internal devices such as servers should also be taken into consideration when tracking open ports, enabled protocols, etc.
SolarWinds provides a free tool, aptly named SolarWinds Port Scanner, that scans a range of IP addresses for open TCP and UDP ports so you can spot exposed services that shouldn't be there. Network Configuration Manager can report on network device configurations to identify vulnerable or unused ports, protocols and services running on your network devices. NetFlow Traffic Analyzer (NTA) can be used to monitor flow data and identify traffic flowing across an individual port or a range of ports; NTA also identifies unusual protocols and the volume of traffic using them. Finally, LEM can monitor for unauthorized services launching on your servers and workstations, as well as for traffic on specific ports based on syslog from your firewalls.
CSC 10: Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
At the time of writing, industry reports estimated that a ransomware attack takes place somewhere every 40 seconds, which makes data backup and recovery capabilities critical. CSC10 requires that backups take place at least weekly, and more frequently for sensitive data. Other sub-controls in this category include regularly testing backup media and restoration processes, and ensuring backups are protected via physical security or encryption; in practice that also means keeping at least one copy offline or otherwise unreachable from the systems it protects, so that the same ransomware cannot encrypt the backups too. SolarWinds MSP Backup & Recovery can assist with this control. Server & Application Monitor (SAM) can validate that backup jobs are successful, thanks to application monitors for solutions such as Veeam® Backup and Symantec® Backup Exec®.
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
This critical control is similar to CSC3, which focuses on secure configurations for servers, workstations, laptops, and applications; CSC11 focuses on the configuration of network devices such as firewalls, routers and switches. Network devices typically ship with default configurations including default usernames, passwords, SNMP community strings, open ports, etc. All of these should be changed to ensure that attackers cannot take advantage of default accounts and settings. Device configurations should also be compared against secure baselines for each device type. CSC11 also recommends that an automated network configuration management and change control system be in place, which is exactly what NCM provides.
NCM is packed with features to assist with CSC11 including real-time change detection, configuration change approval system, Cisco IOS® firmware updates, configuration baseline comparisons, bulk configuration changes, DISA STIG reports and more.
CSC 12: Boundary Defense
Detect/prevent/correct the flow of information transferring between networks of different trust levels with a focus on security-damaging data.
There is no silver bullet when it comes to boundary defense. Aside from firewalls, technologies such as IDS/IPS, SIEM, NetFlow and web content filtering can be used to monitor traffic at the boundary and identify suspicious behavior. SolarWinds LEM can ingest log data from sources such as IDS/IPS, firewalls, proxies, and routers to identify unusual patterns, including port scans, ping sweeps, and more. NetFlow Traffic Analyzer can also be used to monitor both ingress and egress traffic to identify anomalous activity, such as unexpected outbound connections from servers that should never talk to the Internet.
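The port-scan and ping-sweep detection just mentioned, and the CSC9 point about watching firewall syslog for traffic to ports that have no business being open, come down to the same few correlation rules. Here is an added example that implements them in Python (written for this post; it is not LEM or NTA rule content). The log lines are constructed in the script and only approximate the format of Cisco ASA 106023 (deny) and 302013 (connection built) messages; the addresses, ports and the "approved services" list are made up.

```python
"""Added example: detect port scans, ping sweeps and inbound connections to
unapproved services from firewall syslog. The log lines are constructed and
only approximate Cisco ASA 106023/302013 messages; not SolarWinds code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Approved (host, port) inbound services: anything else accepted inbound is a CSC9 finding.
APPROVED_SERVICES = {("10.0.0.5", 80), ("10.0.0.5", 443)}

SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")
DENY = re.compile(r"106023: Deny (tcp|udp|icmp) src \w+:([\d.]+)(?:/(\d+))? dst \w+:([\d.]+)(?:/(\d+))?")
BUILT = re.compile(r"302013: Built inbound TCP connection \d+ for \w+:([\d.]+)/\d+ \([\d./]+\) to \w+:([\d.]+)/(\d+)")


def parse_line(line: str, year: int = 2017) -> Optional[dict]:
    """Extract time, direction, protocol and endpoints; syslog timestamps lack a year, so assume one."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}", "%Y %b %d %H:%M:%S")
    if d := DENY.search(line):
        proto, src, _sport, dst, dport = d.groups()
        return {"t": ts, "kind": "deny", "proto": proto, "src": src, "dst": dst,
                "dport": int(dport) if dport else None}
    if b := BUILT.search(line):
        src, dst, dport = b.groups()
        return {"t": ts, "kind": "built", "proto": "tcp", "src": src, "dst": dst, "dport": int(dport)}
    return None


def _burst(items: list, threshold: int, window: timedelta) -> Optional[int]:
    """items = [(time, key)]; return the distinct-key count of the first window reaching threshold."""
    items.sort()
    for i, (start, _) in enumerate(items):
        keys = set()
        for t, k in items[i:]:
            if t - start > window:
                break
            keys.add(k)
        if len(keys) >= threshold:
            return len(keys)
    return None


def detect(lines, scan_ports=10, sweep_hosts=5, window=timedelta(seconds=60)) -> list:
    events = [e for e in map(parse_line, lines) if e]
    alerts = []
    scans = defaultdict(list)   # (src, dst) -> [(t, dport)]   distinct ports on one target
    sweeps = defaultdict(list)  # src -> [(t, dst)]            distinct targets pinged
    for e in events:
        if e["kind"] == "deny" and e["proto"] in ("tcp", "udp"):
            scans[(e["src"], e["dst"])].append((e["t"], e["dport"]))
        elif e["kind"] == "deny" and e["proto"] == "icmp":
            sweeps[e["src"]].append((e["t"], e["dst"]))
        elif e["kind"] == "built" and (e["dst"], e["dport"]) not in APPROVED_SERVICES:
            alerts.append({"rule": "unapproved_service", "src": e["src"], "dst": e["dst"], "dport": e["dport"]})
    for (src, dst), items in scans.items():
        if n := _burst(items, scan_ports, window):
            alerts.append({"rule": "port_scan", "src": src, "dst": dst, "ports": n})
    for src, items in sweeps.items():
        if n := _burst(items, sweep_hosts, window):
            alerts.append({"rule": "ping_sweep", "src": src, "hosts": n})
    return alerts


# Constructed sample log: a 12-port scan, an 8-host ping sweep, one benign deny,
# one accepted RDP connection (not approved) and one accepted HTTPS connection (approved).
def _ts(sec: int) -> str:
    return (datetime(2017, 3, 1, 2, 0, 0) + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")

_ACL = 'by access-group "outside_in" [0x0, 0x0]'
SAMPLE_LOG = (
    [f"{_ts(i)} fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/{40000 + i} dst inside:10.0.0.5/{p} {_ACL}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [f"{_ts(20 + i)} fw01 %ASA-4-106023: Deny icmp src outside:198.51.100.4 dst inside:10.0.0.{i + 1} (type 8, code 0) {_ACL}"
       for i in range(8)]
    + [f"{_ts(30)} fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/51000 dst inside:10.0.0.5/23 {_ACL}",
       f"{_ts(35)} fw01 %ASA-6-302013: Built inbound TCP connection 7741 for outside:203.0.113.9/52000 (203.0.113.9/52000) to inside:10.0.0.5/3389 (10.0.0.5/3389)",
       f"{_ts(40)} fw01 %ASA-6-302013: Built inbound TCP connection 7742 for outside:198.51.100.20/52001 (198.51.100.20/52001) to inside:10.0.0.5/443 (10.0.0.5/443)"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The thresholds and window are deliberately parameters: a scanner that probes one port every ten minutes never trips a 60-second window, which is why slow scans are usually caught by longer-horizon flow analysis (the NTA side) rather than by syslog bursts.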
CSC 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Data is one of every organization's most critical assets and needs to be protected accordingly. Data exfiltration is one of the most common objectives of attackers, so controls need to be in place to prevent and detect it. Data is everywhere in organizations, so one of the first steps to protecting sensitive data is identifying what needs to be protected and where it resides.
SolarWinds Risk Intelligence (RI) scans your systems to discover personally identifiable information (PII) and other sensitive data, and points out potential vulnerabilities that could lead to a data breach. The reports from RI can help provide evidence of due diligence when it comes to the storage and security of PII. Data Loss Prevention and SIEM tools can also assist with CSC13. LEM includes File Integrity Monitoring and USB Defender, which can monitor for data exfiltration via file copies to a USB drive; LEM can automatically detach the USB device if file copies are detected, or detach it as soon as it's inserted into the machine. LEM can also audit URL requests to known file hosting/transfer and webmail sites that may be used to exfiltrate sensitive data.
CSC 14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
As per the control description, 'job requirements should be created for each user group to determine what information the group needs access to in order to perform its jobs. Based on the requirements, access should only be given to the segments or servers that are needed for each job function.' Basically, give users the level of access their role requires, and nothing beyond that. Some of the sub-controls in this section involve network segmentation and encrypting data in transit over less-trusted networks and at rest. CIS also recommends detailed logging of access to data. LEM can ingest these logs to monitor authentication events and access to sensitive information. File Integrity Monitoring includes the ability to monitor for inappropriate file access, including modifications to permissions. LEM can also monitor Active Directory® logs for privilege escalation into groups such as Domain Admins.
CSC 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.
Wireless connectivity has become the norm for many organizations, and just like wired networks, access needs to be controlled. Some of the sub-controls in this section involve creating separate VLANs for BYOD/untrusted wireless devices, ensuring that wireless traffic uses WPA2 with AES, and identifying rogue wireless devices and access points.
Network Performance Monitor and User Device Tracker can be used to identify rogue access points and unauthorized wireless devices connected to your WLAN. brad.hale has a great blog post on the topic of monitoring rogue access points here.
CSC 16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
Account management, monitoring and control is vital to making sure that accounts are used for their intended purposes and not for malicious ends. Attackers tend to prefer leveraging existing, legitimate accounts over discovering vulnerabilities to exploit; it saves a lot of time and effort. Beyond having clearly defined account management policies and procedures, having a SIEM such as LEM in place can go a long way toward detecting potentially compromised or abused accounts.
LEM includes a wide range of out-of-the-box content to assist you with Account Monitoring and Control, including filters, rules and reports. You can easily monitor for events such as:
- Account creation
- Account lockout
- Account expiration (especially important when an employee leaves the company)
- Escalated privileges
- Password changes
- Successful and failed authentication
Active Response is also included, which can respond to these events with actions such as automatically disabling an account, removing it from a group, and logging users off.
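The privileged-account monitoring described under CSC5 and the account life-cycle events listed above are the same handful of Windows Security event IDs viewed through different correlation rules. As an added example (written for this post, not LEM's own rule content), the following Python applies a few such rules to a constructed batch of events reduced to the fields the rules need: account creation (4720), additions to privileged groups (4728/4732/4756), lockouts (4740), and a failed-logon burst (4625) followed by a success (4624). The account names, times and addresses are made up, and the response table at the end is a decision table of my own, not LEM's Active Response catalogue.

```python
"""Added example: correlation rules for privileged-account and account
life-cycle monitoring over Windows Security events. Events are constructed
and reduced to the fields the rules need; this is not SolarWinds LEM content."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}      # member added to a global / local / universal group
FAIL_THRESHOLD = 5                       # this many failed logons (4625) ...
FAIL_WINDOW = timedelta(seconds=60)      # ... inside this window is a brute-force burst
SUCCESS_GAP = timedelta(minutes=5)       # a 4624 this soon after the burst means it worked
NEW_ADMIN_GAP = timedelta(minutes=10)    # 4720 then privileged group add this fast is suspicious

# Constructed Windows Security events: ID, ISO time, and only the fields the rules use
EVENTS = [
    {"id": 4720, "time": "2017-03-01T09:00:00", "subject": "jdoe", "target": "svc-backup2"},
    {"id": 4728, "time": "2017-03-01T09:01:10", "subject": "jdoe", "target": "svc-backup2", "group": "Domain Admins"},
    {"id": 4732, "time": "2017-03-01T09:30:00", "subject": "jdoe", "target": "asmith", "group": "Remote Desktop Users"},
    *[{"id": 4625, "time": f"2017-03-01T02:00:{i * 8:02d}", "target": "administrator", "ip": "203.0.113.7"}
      for i in range(6)],
    {"id": 4624, "time": "2017-03-01T02:01:05", "target": "administrator", "ip": "203.0.113.7"},
    {"id": 4740, "time": "2017-03-01T10:15:00", "target": "asmith"},
    {"id": 4624, "time": "2017-03-01T08:05:00", "target": "asmith", "ip": "10.0.0.5"},
]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def analyze(events: list) -> list:
    """Run the rules over a batch of events and return a list of alert dicts."""
    alerts = []
    events = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort chronologically
    created = {}                                        # account -> creation time (from 4720)
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = _t(e["time"])
            alerts.append({"rule": "account_created", "account": e["target"], "by": e["subject"]})
        elif e["id"] in GROUP_ADD_IDS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_add", "account": e["target"],
                           "group": e["group"], "by": e["subject"]})
            # Correlation: a brand-new account promoted straight into an admin group
            if e["target"] in created and _t(e["time"]) - created[e["target"]] <= NEW_ADMIN_GAP:
                alerts.append({"rule": "new_account_made_admin", "account": e["target"], "by": e["subject"]})
        elif e["id"] == 4740:
            alerts.append({"rule": "account_lockout", "account": e["target"]})

    # Brute force: many 4625s for one (account, source) in a short window, then maybe a 4624
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e.get("target"), e.get("ip"))
        if e["id"] == 4625:
            fails[key].append(_t(e["time"]))
        elif e["id"] == 4624:
            successes[key].append(_t(e["time"]))
    for key, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= FAIL_WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                end = burst[-1]
                succeeded = any(timedelta(0) <= s - end <= SUCCESS_GAP for s in successes.get(key, []))
                alerts.append({"rule": "brute_force_success" if succeeded else "brute_force",
                               "account": key[0], "ip": key[1], "failures": len(burst)})
                break   # one alert per (account, source) is enough
    return alerts


# Illustrative response table (my own, not LEM's Active Response actions)
RESPONSES = {
    "new_account_made_admin": "disable account and remove it from the group pending review",
    "privileged_group_add": "check for an approved change ticket; remove from group if none",
    "brute_force_success": "disable account, block source IP, force a password reset",
    "brute_force": "block source IP at the firewall",
    "account_lockout": "confirm with the user; find the source of the failed logons",
    "account_created": "verify against the HR or ticketing record",
}


def recommended_response(alert: dict) -> str:
    return RESPONSES.get(alert["rule"], "review manually")


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a, "->", recommended_response(a))
```

The example deliberately does not alert on the 4732 addition to Remote Desktop Users: an alert on every group change is noise, while an alert on every change to a privileged group is signal.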
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
You can have all the technology, processes, procedures and governance in the world, but your IT security is only as good as its weakest link, and that is people. As Dez always says, "Security is not an IT problem, it's everyone's problem." A security awareness program should be in place in every organization regardless of its size. Users need to be educated on the threats they face every day, such as social engineering, phishing attacks, and malicious attachments. Users who are equipped with this knowledge and aware of the risks are far more likely to identify, prevent, and report attacks. Some of the sub-controls in CSC17 include performing a gap analysis of users' IT security awareness, delivering training (preferably from senior staff), implementing a security awareness program, and validating and improving awareness levels via periodic tests. Unfortunately, SolarWinds doesn't provide any solutions that can train your users for you, but know that we would if we could!
CSC 18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Attackers are constantly on the lookout for vulnerabilities to exploit, so security practices and processes must be in place to identify and remediate vulnerabilities in your environment. There is an endless list of possible attacks that capitalize on software weaknesses, including buffer overflows, SQL injection, cross-site scripting, and many more. For in-house developed applications, security shouldn't be an afterthought that is simply bolted on at the end; it needs to be considered at every stage of the SDLC. Some of the sub-controls within CSC18 address this directly, including explicit error checking on all input for in-house apps, testing for weaknesses, and ensuring that development artifacts are not included in production code.
CSC 19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
An incident has been identified. Now what? CSC19 focuses on people and process rather than technical controls. This critical control involves helping to ensure that written incident response procedures are in place, making sure that IT staff are aware of their duties and responsibilities when an incident is detected. It's all well and good to have technical controls, such as SIEM, IDS/IPS and Netflow in place, but they need to be backed up with an incident response plan once an incident is detected.
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
Now that you've implemented the previous 19 Critical Security Controls, it's time to test them. Testing should only take place once your defensive mechanisms are in place, and it needs to be an ongoing effort, not a one-off, because environments and the threat landscape are constantly changing. Some of the sub-controls within CSC20 include using vulnerability scanning as the starting point to guide and focus penetration testing, conducting both internal and external penetration tests, and documenting the results.
I hope at this point you have an understanding of each Critical Security Control and some of the ways in which SolarWinds tools can assist. While it may seem a daunting exercise to implement all 20 controls, it's worth casting your mind back to the start of this post, where I mentioned that, according to CIS, implementing even the first five critical controls provides effective defense against 85% of cyberattacks.
I hope that you've found this post helpful. I look forward to hearing about your experiences and thoughts on the CIS CSC's in the comments.