Product Blog

2 Posts authored by: jhynds Employee

The Center for Internet Security (CIS) provides a comprehensive security framework called The CIS Critical Security Controls (CSC) for Effective Cyber Defense, which gives organizations of any size a set of clearly defined controls to reduce their risk of cyberattack and improve their IT security posture. The framework consists of 20 controls to implement; however, according to CIS, implementing the first five controls alone provides effective defense against 85% of the most common cyberattacks. CIS provides guidance on how to implement the controls and which tools to use, reducing the burden on security teams, who would otherwise have to spend time deciphering the meaning and objective of each critical security control.

SolarWinds offers several tools that provide the capabilities to implement many of the CIS Controls. In this post, I'm going to break down each Critical Security Control and discuss how SolarWinds® products can assist.

Critical Security Control 1: Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Asset Discovery is an important step in identifying any unauthorized and unprotected hardware being attached to your network. Unauthorized devices undoubtedly pose risks and must be identified and removed as quickly as possible.

SolarWinds User Device Tracker (UDT) enables you to detect unauthorized devices on both your wired and wireless networks. Information such as MAC address, IP address, and host name can be used to create blacklists and watch lists. UDT also provides the ability to disable the switch port used by a device, helping to ensure that access is removed.

Critical Security Control 2: Inventory of Authorized and Unauthorized Software

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

As the saying goes, you don't know what you don't know. Keeping the software on your network up to date is essential to preventing attacks on known vulnerabilities, and it's very difficult to keep software up to date if you don't know what software is running out there.

SolarWinds Patch Manager can create an inventory of all software installed across your Microsoft® Windows® servers and workstations. Inventory scans can be run ad hoc or on a schedule, with software inventory reports scheduled accordingly. Patch Manager can also go a step further and uninstall unauthorized software remotely. CSC2 also calls for preventing the execution of unauthorized software: SolarWinds Log and Event Manager (LEM) can monitor for unauthorized processes and services launching and block them in real time.

Critical Security Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, and correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

Attackers prey on vulnerable configurations. Identifying vulnerabilities and making the necessary adjustments helps prevent attackers from successfully exploiting them. Change management is critical to helping ensure that configuration changes made to devices do not negatively impact their security.

Lacking awareness of access to, and changes to, important system files, folders, and registry keys can threaten device security. SolarWinds LEM includes File Integrity Monitoring, which watches for alterations to critical system files and registry keys that may result in insecure configurations. LEM notifies you immediately of any changes, including permission changes.

CSC 4: Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

To remediate vulnerabilities, we first need to identify those that already exist on your network. SolarWinds Risk Intelligence includes host-based vulnerability scanning capabilities and leverages the CVSS database to uncover the latest threats. If vulnerabilities are identified as a result of outdated software and missing OS updates, SolarWinds Patch Manager can be used to apply those updates and remediate the vulnerabilities. If you have a vulnerability scanner such as Nessus®, Rapid7®, or Qualys®, LEM can parse event logs from these sources to alert on detected vulnerabilities and correlate activity. SolarWinds Network Configuration Manager can help identify risks to network security and reliability by detecting potential vulnerabilities in Cisco ASA® and IOS®-based devices via integration with the National Vulnerability Database. You can even update the firmware on IOS-based devices to remediate known vulnerabilities.

CSC 5: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Administrative privileges are very powerful and can cause grave damage when they fall into the wrong hands. Administrative access is the Holy Grail for any attacker. As the control states, administrative privileges need to be tracked, controlled, and prevented. A SIEM tool such as SolarWinds LEM can and should be used to monitor privileged account usage. This can include monitoring authentication attempts, account lockouts, password changes, file access/changes, and any other actions performed by administrative accounts. SIEM tools can also be used to monitor for new administrative account creation and for existing accounts being granted escalated privileges. LEM includes real-time filters, correlation rules, and reports to assist with the monitoring of administrative privileges.

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

As you've probably guessed by the title, this one has Security Information and Event Management (SIEM) written all over it. Collecting and analyzing your audit logs from all the devices on your network can greatly reduce your MTTD (mean time to detection) when an internal or external attack is taking place. Collecting logs is only one part of the equation. Analyzing and correlating event logs can help to identify any suspicious patterns of behavior and alert/respond accordingly. If an attack takes place, your audit logs are like an evidence room. They allow you to put the pieces of the puzzle together, understand how the attack took place, and remediate appropriately. SolarWinds LEM is a powerful SIEM tool that includes such features as log normalization, correlation, active response, reporting, and more.

CSC 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

According to a recent study from Barracuda®, 76% of ransomware is distributed via e-mail. Web browsers are also an extremely popular attack vector, with threats ranging from scripting languages such as ActiveX® and JavaScript® to unauthorized plug-ins, vulnerable out-of-date browsers, and malicious URL requests. CSC7 focuses on limiting the use of unauthorized browsers, email clients, plug-ins, and scripting languages, and on monitoring URL requests.

SolarWinds Patch Manager can identify and uninstall any unauthorized browsers or e-mail clients installed on servers and workstations. For authorized browsers and e-mail clients such as Google® Chrome®, Mozilla® Firefox®, Internet Explorer®, Microsoft® Outlook®, and Mozilla® Thunderbird®, Patch Manager can help ensure that they are up to date. LEM can take it a step further and block any unauthorized browsers and e-mail clients from launching, thanks to its "kill process" active response. LEM can also collect logs from various proxy and content filtering appliances to monitor URL requests, which also helps validate any blocked URL requests.

CSC 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

LEM can integrate with a wide range of anti-virus and UTM appliances to monitor for malware detections and respond accordingly. LEM also provides threat feed integration to monitor for communication with known bad actors associated with malware and other malicious activity. Control 8.3 involves limiting the use of external devices such as USB thumb drives and hard drives. LEM includes USB Defender® technology, which monitors USB storage device usage and detaches any unauthorized device.

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

Attackers are constantly scanning for open ports, vulnerable services, and protocols in use. The principle of least privilege should be applied to ports, protocols, and services: if there isn't a business need for them, they should be disabled. When people talk about ports they generally think of checking perimeter devices such as firewalls, but internal devices such as servers should also be taken into consideration when tracking open ports, enabled protocols, etc.

SolarWinds provides a free tool that can scan available IP addresses and their corresponding TCP and UDP ports in order to identify any potential vulnerabilities. The tool is aptly named SolarWinds Port Scanner. Network Configuration Manager can be used to report on network device configuration to identify any vulnerable or unused ports, protocols, and services running on your network devices. NetFlow Traffic Analyzer (NTA) can also be used to monitor flow data in order to identify traffic flowing across an individual port or a range of ports. NTA also identifies any unusual protocols and the volume of traffic using those protocols. Finally, LEM can monitor for any unauthorized services launching on your servers/workstations, as well as for traffic flowing on specific ports, based on syslog from your firewalls.

CSC 10: Data Recovery Capability

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

Currently, ransomware attacks take place every 40 seconds, which makes data backup and recovery capabilities incredibly critical. CSC10 involves ensuring that backups take place on at least a weekly basis, and more frequently for sensitive data. Some of the controls in this category also include testing backup media and restoration processes on a regular basis, as well as ensuring backups are protected via physical security or encryption. SolarWinds MSP Backup & Recovery can assist with this control. Server & Application Monitor can validate that backup jobs are successful, thanks to application monitors for solutions such as Veeam® Backup and Symantec® Backup Exec®.

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

This critical control is similar to CSC3, which focuses on secure configurations for servers, workstations, laptops, and applications. CSC11 focuses on the configuration of network devices, such as firewalls, routers, and switches. Network devices typically ship with default configurations, including default usernames, passwords, SNMP community strings, open ports, etc. All of these should be changed to help ensure that attackers cannot take advantage of default accounts and configurations. Device configurations should also be compared against secure baselines for each device type. CSC11 also recommends that an automated network configuration management and change control system be in place: enter NCM.

NCM is packed with features to assist with CSC11 including real-time change detection, configuration change approval system, Cisco IOS® firmware updates, configuration baseline comparisons, bulk configuration changes, DISA STIG reports and more.
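As an added illustration of what a baseline comparison actually does (this is example code written for this post, not NCM's own logic), the Python below checks a constructed, IOS-style running configuration against a hypothetical secure baseline: lines that must be present, patterns that must never appear (default SNMP community strings, plaintext HTTP management, Telnet on vty lines), and a simple drift report between two configuration snapshots. The configuration text, the baseline lines, the hostname and the NTP address are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running configuration (not taken from any real device).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
service password-encryption
ip http server
snmp-server community public RO
snmp-server community s3cureStr1ng RO
ntp server 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""

# Hypothetical secure baseline for this device type: lines that must be present,
# and regex patterns (with a human-readable reason) that must never appear.
REQUIRED_LINES = [
    "service password-encryption",
    "no ip http server",
    "ntp server 192.0.2.10",
]
FORBIDDEN_PATTERNS = [
    (r"^snmp-server community (public|private)\b", "default SNMP community string"),
    (r"^ip http server$", "plaintext HTTP management enabled"),
    (r"^\s*transport input .*\btelnet\b", "Telnet permitted on a vty line"),
]


@dataclass
class BaselineResult:
    missing: list = field(default_factory=list)     # required lines not found
    violations: list = field(default_factory=list)  # (offending line, reason)

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.violations


def normalize(config_text):
    """Split a config into lines, dropping blank lines, '!' comment lines and trailing spaces."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def check_baseline(config_text, required=REQUIRED_LINES, forbidden=FORBIDDEN_PATTERNS):
    """Compare one config against the baseline and return what is missing or forbidden."""
    lines = normalize(config_text)
    present = {line.strip() for line in lines}
    result = BaselineResult()
    for req in required:
        if req not in present:
            result.missing.append(req)
    for line in lines:
        for pattern, reason in forbidden:
            if re.search(pattern, line):
                result.violations.append((line.strip(), reason))
    return result


def config_drift(previous_text, current_text):
    """Return (added, removed) lines between two snapshots: the core of change detection."""
    prev, cur = set(normalize(previous_text)), set(normalize(current_text))
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    res = check_baseline(SAMPLE_RUNNING_CONFIG)
    print("compliant:", res.compliant)
    for req in res.missing:
        print("MISSING  :", req)
    for line, reason in res.violations:
        print("VIOLATION:", line, "->", reason)
```

Running it against the sample flags the default `public` community string, the enabled HTTP server and Telnet on the vty lines, and reports `no ip http server` as missing; the drift function is what you would schedule after each config backup to raise a change alert.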

CSC 12: Boundary Defense

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

There is no silver bullet when it comes to boundary defense to detect and prevent attacks and malicious behavior. Aside from firewalls, technologies such as IDS/IPS, SIEM, Netflow and web content filtering can be used to monitor traffic at the boundary to identify any suspicious behavior. SolarWinds LEM can ingest log data from sources such as IDS/IPS, firewalls, proxies, and routers to identify any unusual patterns, including port scans, ping sweeps, and more. NetFlow Traffic Analyzer can also be used to monitor both ingress and egress traffic to identify anomalous activity.

CSC 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

Data is one of every organization's most critical assets and needs to be protected accordingly. Data exfiltration is one of the most common objectives of attackers, so controls need to be in place to prevent and detect it. Data is everywhere in organizations, so one of the first steps in protecting sensitive data is identifying the data that needs to be protected and where it resides.

SolarWinds Risk Intelligence (RI) performs a scan to discover personally identifiable information (PII) and other sensitive information across your systems and points out potential vulnerabilities that could lead to a data breach. The reports from RI can help provide evidence of due diligence when it comes to the storage and security of PII. Data Loss Prevention and SIEM tools can also assist with CSC13. LEM includes File Integrity Monitoring and USB Defender, which can monitor for data exfiltration via file copies to a USB drive. LEM can automatically detach the USB device if file copies are detected, or even detach it as soon as it is inserted into the machine. LEM can also audit URL requests to known file hosting/transfer and webmail sites, which may be used to exfiltrate sensitive data.

CSC 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

As per the control description, 'job requirements should be created for each user group to determine what information the group needs access to in order to perform its jobs. Based on the requirements, access should only be given to the segments or servers that are needed for each job function.' Basically, provide users with the level of access their role requires, but no more. Some of the controls in this section involve network segmentation and encrypting data in transit over less-trusted networks and at rest. CIS also recommends enforcing detailed logging for access to data. LEM can ingest these logs to monitor for authentication events and access to sensitive information. File Integrity Monitoring includes the ability to monitor for inappropriate file access, including modifications to permissions. LEM can also monitor Active Directory® logs for any privilege escalations to groups such as Domain Admins.

CSC 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.

Wireless connectivity has become the norm for many organizations, and just like wired networks, access needs to be controlled. Some of the sub-controls in this section involve creating VLANs for BYOD/untrusted wireless devices, helping to ensure that wireless traffic uses WPA2 and AES, and identifying rogue wireless devices and access points.

Network Performance Monitor and User Device Tracker can be used to identify rogue access points and unauthorized wireless devices connected to your WLAN. brad.hale has a great blog post on the topic of monitoring rogue access points here.

CSC 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts (their creation, use, dormancy, and deletion) in order to minimize opportunities for attackers to leverage them.

Account management, monitoring, and control are vital to making sure that accounts are being used for their intended purposes and not with malicious intent. Attackers tend to prefer leveraging existing, legitimate accounts rather than trying to discover vulnerabilities to exploit; it saves a lot of time and effort. Beyond having clearly defined account management policies and procedures, having a SIEM in place like LEM can go a long way toward detecting potentially compromised or abused accounts.

LEM includes a wide range of out-of-the-box content to assist you with Account Monitoring and Control, including filters, rules and reports. You can easily monitor for events such as:

  • Account creation
  • Account lockout
  • Account expiration (especially important when an employee leaves the company)
  • Escalated privileges
  • Password changes
  • Successful and failed authentication

Active Response is also included, which can respond to these events via actions, such as automatically disabling an account, removing from a group, and logging users off.
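To make the list above concrete, here is an added example (written for this post, not LEM's own rule content) of the kind of rules a SIEM evaluates over Windows Security events: account creation, lockout, escalation into a privileged group, password changes, and a burst of failed logons for one account within a short window. The event IDs used (4720 account created, 4740 account locked out, 4728 member added to a security-enabled global group, 4625 failed logon, 4723/4724 password change/reset) are real Windows Security IDs; the account names, timestamps, IP address, threshold and window are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security event IDs relevant to account monitoring (real IDs).
ACCOUNT_CREATED = 4720
ACCOUNT_LOCKED_OUT = 4740
MEMBER_ADDED_TO_GLOBAL_GROUP = 4728
LOGON_FAILED = 4625
PASSWORD_CHANGED = 4723
PASSWORD_RESET = 4724

# Assumed policy for the example: which groups count as privileged, and how many
# failed logons within what window should raise a burst alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    detail: str


# Constructed sample events (not real log data). Field names mirror those in the
# Windows Security event XML: SubjectUserName is the actor, TargetUserName the
# object (for 4728 the group; MemberName is the account added to it).
SAMPLE_EVENTS = [
    {"time": "2017-10-02T09:00:00", "id": 4720, "SubjectUserName": "helpdesk1", "TargetUserName": "svc-backup2"},
    {"time": "2017-10-02T09:01:00", "id": 4728, "SubjectUserName": "helpdesk1",
     "MemberName": "svc-backup2", "TargetUserName": "Domain Admins"},
    *[{"time": f"2017-10-02T09:10:{s:02d}", "id": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.7"}
      for s in range(0, 60, 10)],   # six failed logons in one minute
    {"time": "2017-10-02T09:11:00", "id": 4740, "TargetUserName": "jdoe"},
    {"time": "2017-10-02T09:30:00", "id": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "asmith"},
    {"time": "2017-10-02T09:31:00", "id": 4728, "SubjectUserName": "helpdesk1",
     "MemberName": "asmith", "TargetUserName": "Sales"},   # non-privileged group: no alert
]


def detect(events, threshold=FAILED_LOGON_THRESHOLD, window=FAILED_LOGON_WINDOW):
    """Evaluate the account-monitoring rules over events in time order and return alerts."""
    alerts = []
    failed = defaultdict(deque)  # account -> timestamps of recent failed logons
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        target = ev.get("TargetUserName", "?")
        actor = ev.get("SubjectUserName", "?")
        if eid == ACCOUNT_CREATED:
            alerts.append(Alert("account-created", target, f"created by {actor}"))
        elif eid == ACCOUNT_LOCKED_OUT:
            alerts.append(Alert("account-lockout", target, "account locked out"))
        elif eid == MEMBER_ADDED_TO_GLOBAL_GROUP and target in PRIVILEGED_GROUPS:
            alerts.append(Alert("privilege-escalation", ev.get("MemberName", "?"),
                                f"added to {target} by {actor}"))
        elif eid in (PASSWORD_CHANGED, PASSWORD_RESET):
            alerts.append(Alert("password-change", target, f"event {eid} by {actor}"))
        elif eid == LOGON_FAILED:
            # Sliding window: keep only failures inside the window, alert once it fills,
            # then reset so a later burst alerts again.
            q = failed[target]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append(Alert("failed-logon-burst", target,
                                    f"{len(q)} failures within {window} from {ev.get('IpAddress', '?')}"))
                q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

The burst rule is the one to tune: a threshold at or below the domain lockout threshold lets you see the attempt before the 4740 lockout arrives, while clearing the window after each alert keeps a persistent source from generating one alert per attempt.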

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

You can have all the technology, processes, procedures, and governance in the world, but your IT security is only as good as its weakest link, and that is people. As Dez always says, "Security is not an IT problem, it's everyone's problem." A security awareness program should be in place in every organization, regardless of its size. Users need to be educated on the threats they face every day, for example social engineering, phishing attacks, and malicious attachments. If users are equipped with this knowledge and are aware of threats and risks, they are far more likely to identify, prevent, and alert on attacks. Some of the controls included in CSC17 include performing a gap analysis of users' IT security awareness, delivering training (preferably from senior staff), implementing a security awareness program, and validating and improving awareness levels via periodic tests. Unfortunately, SolarWinds doesn't provide any solutions that can train your users for you, but know that we would if we could!

CSC 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Attackers are constantly on the lookout for vulnerabilities to exploit. Security practices and processes must be in place to identify and remediate vulnerabilities in your environment. There is an endless list of possible attacks that capitalize on vulnerabilities, including buffer overflows, SQL injection, cross-site scripting, and many more. For in-house developed applications, security shouldn't be an afterthought that is simply bolted on at the end; it needs to be considered at every stage of the SDLC. Some of the sub-controls within CSC18 address this, including error checking for in-house apps, testing for weaknesses, and ensuring that development artifacts are not included in production code.

CSC 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

An incident has been identified. Now what? CSC19 focuses on people and process rather than technical controls. This critical control involves helping to ensure that written incident response procedures are in place, making sure that IT staff are aware of their duties and responsibilities when an incident is detected. It's all well and good to have technical controls, such as SIEM, IDS/IPS and Netflow in place, but they need to be backed up with an incident response plan once an incident is detected.

CSC 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Now that you've implemented the previous 19 Critical Security Controls, it's time to test them. Testing should only take place once your defensive mechanisms are in place, and it needs to be an ongoing effort, not a one-off: environments and the threat landscape are constantly changing. Some of the controls within CSC20 include vulnerability scanning as the starting point to guide and focus penetration testing, conducting both internal and external penetration tests, and documenting results.

I hope at this point you have an understanding of each Critical Security Control and some of the ways in which SolarWinds tools can assist. While it may seem a daunting exercise to implement all 20 controls, it's worth casting your mind back to the start of this post, where I mentioned that implementing even the first five critical controls provides effective defense against 85% of cyberattacks.

I hope that you've found this post helpful. I look forward to hearing about your experiences and thoughts on the CIS CSC's in the comments.

What is NIST 800-171 and how does it differ from NIST 800-53?

NIST SP 800-171 – "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in non-federal information systems and organizations. The publication is focused on information that is shared by federal agencies with a non-federal entity. If you are a contractor or sub-contractor to governmental agencies and CUI resides on your information systems, NIST 800-171 will impact you.

Cybercriminals regularly target federal data such as healthcare records, Social Security numbers, and more. It is vital that this information is protected when residing on non-federal information systems. NIST 800-171 has an implementation deadline of 12/31/2017, which has contractors scrambling.

Many of the controls contained within NIST 800-171 are based on NIST 800-53, but they are tailored to protect CUI in nonfederal information systems. There are 14 “families” of controls within NIST 800-171, but before we delve into those, we should probably discuss Controlled Unclassified Information (CUI) and what it is.

There are several categories and subcategories of CUI, which you can view here. You may be familiar with Sensitive but Unclassified (SBU) information—there were various categories that fell under SBU—but CUI replaces SBU and all its sub-categories. CUI is information which is not classified but is in the federal government’s best interest to protect.

NIST 800-171 Requirements

As we mentioned above, there are 14 classes of controls within NIST 800-171. These are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

We will now delve further into each of these categories and discuss the basic and derived security requirements where SolarWinds® products can help. Basic security requirements are high-level requirements, whereas derived requirements are the controls you need to put in place to meet the high-level objective of the basic requirements.

3.1 Access Control

3.1.1 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

This category limits access to systems to authorized users only and limits user activity to authorized functions only. There are a few areas within Access Control where our products can help, but many of these controls are implemented at the policy or device levels.

3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.

SolarWinds Log & Event Manager (LEM) can audit deviations from least privilege—e.g., unauthorized file access and unexpected system access. Auditing can be done in real-time or via reports. LEM can also monitor Microsoft® Active Directory® (AD) for unexpected escalated privileges being assigned to a user.

3.1.6 – Use of non-privileged accounts when accessing non-security functions.

SolarWinds LEM can monitor privileged account usage and audit the use of privileged accounts for non-security functions.

3.1.7 – Prevent non-privileged users from executing privileged functions and audit the execution of such functions.

Execution of privileged functions such as creating and modifying registry keys and editing system files can be audited in real-time or via reports in LEM. On the network device side, SolarWinds Network Configuration Manager (NCM) includes a change approval system which helps ensure that non-privileged users cannot execute privileged functions without approval from a privileged user.

3.1.8 – Limit unsuccessful logon attempts.

The number of logon attempts before lockout is generally set at the domain/system policy level, but LEM can confirm whether the lockout policy is being enforced via reports/nDepth. LEM can also be used to report on unsuccessful logon attempts, as well as automatically lock a user account via the Active Response feature.

3.1.12 – Monitor and control remote access sessions.

LEM can monitor and report on remote logons. Correlation rules can be configured to alert and respond to unexpected remote access (e.g., access outside normal business hours). SolarWinds NCM can audit how remote access is configured on your network devices, identify any configuration violations, and remediate accordingly.

3.1.21 – Limit use of organizational portable storage devices on external information systems.

LEM can audit and restrict usage of portable storage devices with its USB Defender feature.

3.2 Awareness and Training

3.2.1 – Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.

3.2.2 – Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

This section relates to user awareness training, especially around information security. Users should be aware of policies, procedures, and attack vectors such as phishing, malicious email attachments, and social engineering. Unfortunately, SolarWinds can’t provide information security training for your users—we would if we could!

3.3 Audit and Accountability

3.3.1 – Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

3.3.2 – Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

This set of controls helps to ensure that audit logs are in place and that they are monitored to identify unauthorized or suspicious activity. These controls relate to the data you want LEM to ingest and how those logs are protected and retained. LEM can help satisfy some of the controls in this section directly.

3.3.3 – Review and update audited events.

LEM helps with the review of audited events, provided the appropriate logs are sent to LEM.

3.3.4 – Alert in the event of an audit process failure.

LEM can generate alerts when agents go offline or the log storage database is running low on space. LEM can also alert on behalf of systems when audit logs are cleared—e.g., if a user clears the Windows® event log.
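As an added example of the two failure signals mentioned here (written for this post, not LEM's implementation), the Python below flags agents whose last heartbeat is older than a configurable gap and surfaces Windows event ID 1102, which is the real event written when the Security log is cleared. The heartbeat table, host names, user names, timestamps and the 15-minute gap are constructed assumptions.

```python
from datetime import datetime, timedelta

# Event ID written to the Security log when that log is cleared (real Windows ID).
SECURITY_LOG_CLEARED = 1102
# Assumed liveness policy: an agent silent for longer than this is an audit failure.
MAX_HEARTBEAT_GAP = timedelta(minutes=15)

# Constructed sample telemetry (not real data): last heartbeat seen per agent,
# and a few events those agents forwarded.
SAMPLE_HEARTBEATS = {
    "web01": "2017-10-02T10:55:00",
    "db01": "2017-10-02T10:20:00",   # silent for 40 minutes at the time of the check
    "fs02": "2017-10-02T10:58:00",
}
SAMPLE_EVENTS = [
    {"host": "web01", "time": "2017-10-02T10:30:00", "id": 4624, "SubjectUserName": "jdoe"},
    {"host": "fs02", "time": "2017-10-02T10:57:00", "id": 1102, "SubjectUserName": "helpdesk1"},
]


def silent_agents(heartbeats, now, max_gap=MAX_HEARTBEAT_GAP):
    """Return {agent: gap} for every agent whose last heartbeat is older than max_gap."""
    now_ts = datetime.fromisoformat(now)
    stale = {}
    for agent, last_seen in heartbeats.items():
        gap = now_ts - datetime.fromisoformat(last_seen)
        if gap > max_gap:
            stale[agent] = gap
    return stale


def log_cleared_events(events):
    """Return (host, actor, time) for each 'audit log cleared' event in the feed."""
    return [(e["host"], e.get("SubjectUserName", "?"), e["time"])
            for e in events if e["id"] == SECURITY_LOG_CLEARED]


def audit_failure_alerts(heartbeats, events, now):
    """Combine both signals into a list of alert strings, silent agents first."""
    alerts = [f"agent {agent} silent for {int(gap.total_seconds() // 60)} min"
              for agent, gap in silent_agents(heartbeats, now).items()]
    alerts += [f"Security log cleared on {host} by {actor} at {when}"
               for host, actor, when in log_cleared_events(events)]
    return alerts


if __name__ == "__main__":
    for line in audit_failure_alerts(SAMPLE_HEARTBEATS, SAMPLE_EVENTS, "2017-10-02T11:00:00"):
        print(line)
```

The heartbeat check is the one that catches a host that has simply stopped logging; the 1102 rule catches the case where logging continues but the evidence was deliberately removed, which is why both belong in the same audit-failure monitor.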

3.3.5 – Correlate audit review, analysis and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.

LEM’s correlation engine and reporting can assist with audit log reviews and help ensure that administrators are alerted to indications of inappropriate, suspicious, or unusual activity.

3.3.6 – Provide audit reduction and report generation to support on-demand analysis and reporting.

Audit logs can generate a huge amount of information. LEM can analyze event logs and generate scheduled or on-demand reports to assist with analysis. However, you will need to ensure that your audit policies and logging levels are appropriately configured.

3.3.7 – Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

LEM satisfies this requirement through Network Time Protocol server synchronization. LEM also includes a predefined correlation rule that monitors for time synchronization failures.

3.3.8 – Protect audit information and audit tools from unauthorized access, modification, and deletion.

LEM helps satisfy this requirement through the various mechanisms outlined in this post: Log & Event Manager Appliance Security and Data Protection.

3.3.9 – Limit management of audit functionality to a subset of privileged users.

As per the response to 3.3.8, LEM provides role-based access control, which limits access and functionality to a subset of privileged users.

 

3.4 Configuration Management

3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

 

3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

 

Minimum acceptable configurations must be maintained and change management controls must be in place. Inventory comes into play here, too. NCM will have the biggest impact here (on the network device side), thanks to its ability to establish baseline configurations and report on violations. LEM and SolarWinds Patch Manager can also play roles within this set of controls.

 

3.4.3 – Track, review, approve/disapprove, and audit changes to information systems.

NCM’s real-time change detection, change approval management and tracking reports can be used to detect, validate, and document changes to network devices. LEM can monitor and audit changes to information systems, provided the appropriate logs are sent to LEM.

 

3.4.8 – Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

LEM can monitor for the use of unauthorized software. Thanks to Active Response, you can configure LEM to automatically kill nonessential programs and services.

 

3.4.9 – Control and monitor user-installed software.

LEM can audit software installations and alert accordingly. Patch Manager can inventory machines on your network and report on the software and patches installed.

 

3.5 Identification and Authentication

3.5.1 Identify information system users, processes acting on behalf of users, or devices.

 

3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

 

This section includes controls such as using multifactor authentication, enforcing password complexity and storing/transmitting passwords in an encrypted format. SolarWinds does not have products to support these requirements.

 

3.6 Incident Response

3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

 

3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

 

There is only one derived security requirement within the Incident Response section, namely:

3.6.3 Test the organizational incident response capability.

 

LEM can play a role in the incident generation and the subsequent investigation. LEM can generate an incident based on a defined correlation trigger and respond to an incident via the Active Responses. Reports can be produced based on detected incidents.

 

3.7 Maintenance  

3.7.1 Perform maintenance on organizational information systems.

 

3.7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

 

SolarWinds isn’t relevant to most of the requirements in this section. Controls contained within the maintenance category include ensuring equipment removed for off-site maintenance is sanitized of CUI, checking media for malicious code, and requiring multifactor authentication for nonlocal maintenance sessions.

 

LEM can assist with the 3.7.6 requirement that states “Supervise the maintenance activities of maintenance personnel without required access authorization.” Provided the appropriate logs are being generated and sent to LEM, reports can be used to audit the activity performed by maintenance personnel. NCM also comes into play, allowing you to compare configurations before and after maintenance windows.

 

3.8 Media Protection

3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.

 

3.8.2 Limit access to CUI on information system media to authorized users.

 

3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.

 

Most of the controls within the Media Protection section are not applicable to SolarWinds products. However, LEM can assist with one control.

 

3.8.7 – Control the use of removable media on information system components. 

LEM’s USB Defender feature can monitor for usage of USB removable media and can automatically detach USB devices when unauthorized usage is detected.

 

3.9 Personnel Security

3.9.1 Screen individuals prior to authorizing access to information systems containing CUI.

 

3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.

 

There are no derived security requirements within this section. LEM can assist with 3.9.2 by auditing usage of credentials of terminated personnel, validating that accounts are disabled in a timely manner, and validating group/permission changes after a personnel transfer.

 

3.10 Physical Protection

3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

 

3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.

 

SolarWinds cannot assist with any of the physical security controls contained within this section.

 

3.11 Risk Assessment

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

 

Vulnerable software poses a great risk to every organization. These vulnerabilities should be identified and remediated—that is exactly what the controls within this section aim to do.

 

Risk Assessment involves lots of policies and procedures; however, Patch Manager can be leveraged to keep systems up to date with the latest security patches.

 

3.11.2 – Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.

Patch Manager cannot perform vulnerability scans, but it can be used to identify missing application patches on your Windows machines. NCM identifies risks to network security based on device configuration. NCM also accesses the NIST National Vulnerability Database to get updates on potential emerging vulnerabilities in Cisco® ASA and IOS® based devices.

 

3.11.3 – Remediate vulnerabilities in accordance with assessments of risk.

Patch Manager can remediate software vulnerabilities on your Windows machines via Microsoft® and third-party updates. Patch Manager can be used to install updates on a scheduled basis or on demand. On the network device side, NCM performs Cisco IOS® firmware upgrades to potentially mitigate identified vulnerabilities.

 

3.12 Security Assessment

3.12.1 – Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

 

3.12.2 – Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.

 

3.12.3 – Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

We can help with one of the Security Assessment controls. LEM can monitor event logs relating to information system security and perform correlation, alerting, reporting, and more. SolarWinds has several other modules that support monitoring the health and performance of your information systems and networks.

 

3.13 System and Communications Protection

3.13.1 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

 

3.13.2 – Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

 

Many of the controls in this section involve protecting confidentiality of CUI at rest, ensuring encryption is used and keys are appropriately managed, and networks are segmented. However, the basic security requirement 3.13.1 is certainly an area where SolarWinds can assist. This requirement involves monitoring (and controlling/protecting) communication at external and internal boundaries. LEM can collect logs from your network devices and alert to any suspicious traffic. SolarWinds NetFlow Traffic Analyzer (NTA) can also be used to monitor traffic flows for specific protocols, applications, domain names, ports, and more.

 

3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

LEM can ingest traffic logs from network devices, providing an audit trail to validate that traffic is being appropriately denied or permitted. NPM and NTA can also be used to monitor traffic. NCM can provide configuration reports to help ensure that your access control lists are compliant with “deny all and permit by exception,” as well as providing the ability to execute scripts to make ACL changes en masse.
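The ACL compliance report described above, as an added example rather than NCM's own logic: a Python pass over a constructed Cisco IOS-style configuration (the ACL names and addresses are made up) that flags any blanket permit and checks that each list ends in an explicit, logged deny.

```python
import re

# Constructed sample (not a real device config): one compliant ACL and one
# that ends in a blanket permit.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit udp any host 192.0.2.53 eq 53
 deny ip any any log
ip access-list extended INSIDE-OUT
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
 permit ip any any
"""

ACL_HEADER = re.compile(r"^ip access-list (?:extended|standard) (\S+)$")
# An entry that matches every source and destination; 'log' is optional.
ANY_ANY = re.compile(r"^(permit|deny) ip any any(?: log)?$")


def parse_acls(config):
    """Group permit/deny entries under the access-list they belong to."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
        elif current and line.split(" ", 1)[0] in ("permit", "deny"):
            acls[current].append(line)
    return acls


def check_deny_by_default(entries):
    """Return findings for one ACL; an empty list means compliant."""
    findings = []
    for entry in entries:
        m = ANY_ANY.match(entry)
        if m and m.group(1) == "permit":
            findings.append(f"blanket permit: {entry}")
    # IOS denies implicitly, but an explicit (ideally logged) deny makes the
    # policy visible in the logs that LEM collects.
    if not entries or not (entries[-1].startswith("deny") and ANY_ANY.match(entries[-1])):
        findings.append("final entry is not an explicit 'deny ip any any'")
    return findings


def audit_config(config):
    """Map each ACL name to its list of findings."""
    return {name: check_deny_by_default(rules) for name, rules in parse_acls(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'compliant' if not findings else '; '.join(findings)}")
```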

 

3.13.14 – Control and monitor the use of VoIP technologies.

NPM/NTA and SolarWinds VoIP & Network Quality Manager can be used to monitor VoIP traffic/ports.

 

3.14 System and Information Integrity

3.14.1 – Identify, report, and correct information and information system flaws in a timely manner.

 

3.14.2 – Provide protection from malicious code at appropriate locations within organizational information systems.

 

3.14.3 – Monitor information system security alerts and advisories and take appropriate actions in response.

 

The controls within this section set out to ensure that neither the information system nor the information within it has been compromised. Patch Manager and LEM can play a role in system/information integrity.

 

3.14.4 Update malicious code protection mechanisms when new releases are available.

Essentially, this control requires you to patch your systems. Patch Manager provides the ability to patch your systems with Microsoft and third-party updates on a scheduled or ad-hoc basis. Custom packages can also be created to update products that are not included in our catalog.

 

3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.

This control ensures that you have an anti-virus tool in place to scan for malicious files. LEM can receive alerts from a wide range of anti-virus/malware solutions to correlate, alert, and respond to identified threats.

 

3.14.6 Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

This security control is very well suited to LEM—the correlation engine can monitor logs for any suspicious or malicious behavior. LEM can be used to monitor inbound/outbound traffic, and NPM/NTA can be used to detect unusual traffic patterns.

 

3.14.7 Identify unauthorized use of the information system.

LEM can monitor for unauthorized activity. User-defined groups come into play here; they can be used to build blacklists and whitelists of authorized users and events.
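Two LEM behaviours this post describes, alerting when the Windows audit log is cleared or an agent falls silent (3.3.4) and flagging logons by accounts outside a user-defined authorized group (3.14.7), shown as one small correlation pass; this is an added example, not LEM's own rule logic, and the key=value feed format, host names and accounts are constructed.

```python
import re
from datetime import datetime, timedelta

# Windows Security event IDs (Microsoft-documented): audit log cleared, logon.
AUDIT_LOG_CLEARED = 1102
LOGON_SUCCESS = 4624

# Constructed sample feed (not real log data), in a simplified key=value form.
SAMPLE_FEED = """\
2019-05-01T09:00:00 host=FS01 id=4624 account=CORP\\alice
2019-05-01T09:02:00 host=DC01 id=4624 account=CORP\\bob
2019-05-01T09:05:00 host=FS01 id=4624 account=CORP\\mallory
2019-05-01T09:40:00 host=DC01 id=1102 account=CORP\\bob
2019-05-01T09:45:00 host=DC01 id=4624 account=CORP\\bob
"""

LINE = re.compile(r"^(\S+) host=(\S+) id=(\d+) account=(\S+)$")

# Stand-in for a LEM user-defined group of authorized accounts.
AUTHORIZED = {"CORP\\alice", "CORP\\bob"}
# A host that has sent nothing for this long is treated as an offline agent.
AGENT_SILENCE = timedelta(minutes=30)


def parse_feed(feed):
    """Yield (timestamp, host, event_id, account) tuples, skipping bad lines."""
    for line in feed.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3)), m.group(4)


def correlate(feed, authorized=AUTHORIZED, silence=AGENT_SILENCE):
    """Return alerts for cleared audit logs, unauthorized logons and silent agents."""
    alerts, last_seen = [], {}
    for ts, host, event_id, account in parse_feed(feed):
        last_seen[host] = ts
        if event_id == AUDIT_LOG_CLEARED:
            alerts.append(f"AUDIT_CLEARED {host} by {account}")
        elif event_id == LOGON_SUCCESS and account not in authorized:
            alerts.append(f"UNAUTHORIZED_LOGON {host} {account}")
    if last_seen:
        # Measure silence against the newest event in the batch, not wall-clock time.
        now = max(last_seen.values())
        for host, ts in sorted(last_seen.items()):
            if now - ts > silence:
                alerts.append(f"AGENT_SILENT {host} last seen {ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FEED):
        print(alert)
```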

 

Still with me? As you can see, there is a substantial number of requirements within the 14 sets of controls, but when implemented correctly, the framework can go a long way to ensure the confidentiality, integrity, and availability of Controlled Unclassified Information and your information system as a whole. The SolarWinds products I’ve mentioned above all include a wide variety of out-of-the-box content such as rules, alerts, and reports that can help with the NIST 800-171 requirements.

 

I hope this blog post has helped you with untangling some of the NIST-800-171 requirements and how you can leverage SolarWinds products to help. If you’ve got any questions or feedback, please feel free to comment below. 
