SolarWinds and CIS Critical Security Controls
The Center for Internet Security Critical Security Controls (CIS Controls) are prioritized Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. CIS Controls Version 8 have been enhanced to keep up with modern systems and software. The update has been spurred on by issues such as the move to cloud-based computing, outsourcing, work from home, and changing attacker tactics.
SolarWinds offers several solutions designed to implement many of the CIS Controls. In this post, I will break down each Critical Security Control and discuss how SolarWinds® products can assist.
The latest CIS Controls Version 8.1 comprises 18 measure packages (down two from the previous version). Three implementation groups (IG) - IG1, IG2, and IG3 - are distinguished with each implementation group building on the previous one.
IG1—Measures for micro-enterprises (56 individual measures): The CIS Controls define this as the cyber hygiene minimum standard and require every company to implement it. These are usually small companies with limited IT security know-how and resources. The measures are designed to work with commercially available hardware and software for small companies.
IG2 - Measures for SMEs (contains IG1, 130 individual measures): The company has employees who are responsible for managing and protecting its IT infrastructure. Such companies often store and process sensitive customer or company data and can withstand short interruptions in service. This Implementation Group helps security teams manage increased operational complexities, sophisticated security technology, and specialized expertise.
IG3 - Measures for large companies with their own IT security team (contains IG1 and IG2, 153 individual measures): An IG3 company has IT security experts who specialize in various aspects of cyber security (e.g., risk management, penetration testing, and application security). In this context, the processed data are often subject to regulatory requirements beyond data protection. The company must guarantee the confidentiality and integrity of sensitive data and ensure the availability of services. The measures selected for Implementation Group 3 should also be effective against targeted attacks by sophisticated adversaries.
CIS Control 1: Inventory and Controls of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Asset Discovery is essential in identifying any unauthorized and unprotected hardware attached to your network. Unauthorized devices pose risks and must be identified and removed quickly.
User device tracking in SolarWinds Hybrid Cloud Observability enables you to detect unauthorized devices on your wired and wireless networks. Information such as MAC address, IP address, and hostname can be used to create blocklists and watch lists. Hybrid Cloud Observability also provides the ability to disable the switch port used by a device, helping to ensure that access is removed.
CIS Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is istalled and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
As the saying goes, you don’t know what you don’t know. Ensuring that your network's software is up to date is essential to preventing attacks on known vulnerabilities. Keeping software up to date is challenging if you don’t know what software is running out there.
SolarWinds Patch Manager can inventory all software installed across your Microsoft Windows servers and workstations. Inventory scans can be run ad hoc or scheduled, with software inventory reports scheduled accordingly. Patch Manager can also uninstall unauthorized software remotely. Patch Manager integrates with Hybrid Cloud Observability to quickly address software vulnerabilities, helping you save time and making it easier to keep your servers and workstations patched and compliant.
CSC2 also mentions preventing the execution of unauthorized software. SolarWinds Security Event Manager (SEM) can be leveraged to monitor any unauthorized processes and services launching and block them in real time. With the Security Event Manager integration into Hybrid Cloud Observability, organizations can strengthen their overall security posture by detecting and addressing potential threats early on a single pane of glass before they disrupt business operations.
CIS Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Data is one of every organization's most critical assets and needs to be protected accordingly. Data exfiltration is one of the attackers' most common objectives, so controls must be in place to prevent and detect data exfiltration. One of the first steps to protecting sensitive data involves identifying the data that needs to be protected and where it resides.
Security Observability offers real-time visibility to enable early prevention, detection, and remediation of security threats. With the security integration into SolarWinds Hybrid Cloud Observability, you can now see security-related events across networks, infrastructures, applications, and databases on a dedicated security dashboard. The security dashboard shows summary widgets from Security Event Manager and Access Rights Manager; essential updates from SolarWinds Patch Manager are also displayed. Security-related information from Network Configuration Manager and Server Configuration Monitor is also populated on this dashboard. The Vulnerability and Risk Dashboard gives customers a new perspective to identify infrastructure-related risks and vulnerabilities that could lead to a data breach. Security Observability and SEM tools can assist with Control 3.
Security Event Manager (SEM) includes File Integrity Monitoring and USBDefender®, which can monitor for data exfiltration via file copies to a USB drive. SEM can even automatically detach the USB device if file copies are detected or detach it as soon as it's inserted into the machine. SEM can also audit URL requests to known file hosting/transfer and webmail sites, which may be used to exfiltrate sensitive data.
CIS Control 4: Secure Configurations of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile, network devices, non-computing/IoT devices, and servers) and software (operating systems and applications).
Systems and application configurations change constantly. Knowing when these changes took place, what changed, and who made the change without a change monitoring tool is nearly impossible. Server configuration monitoring in Hybrid Cloud Observability is designed to alert you to system and application changes so you know first. Agent-based monitoring allows for near real-time awareness and the ability to track changes made offline.
CIS Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Account management, monitoring, and control are vital to ensuring that accounts are used for their intended purposes, not malicious intent. Attackers tend to prefer leveraging existing, legitimate accounts rather than trying to discover vulnerabilities to exploit as it saves a lot of time and effort. Outside of having clearly defined account management policies and procedures, having a SIEM in place, like SEM, can go a long way to detecting potentially compromised accounts.
SEM includes a wide range of out-of-the-box content to assist you with Account Monitoring and Control, including filters, rules, and reports. You can easily monitor for events such as:
- Account creation
- Account lockout
- Account expiration (especially important when an employee leaves the company)
- Escalated privileges
- Password changes
- Successful and failed authentication
Active Response is also included, which can respond to these events by automatically deactivating an account, removing users from a group, and logging off.
CIS Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Administrative access is the Holy Grail for any attacker. As the control states, administrative privileges must be tracked, controlled, and prevented. A SIEM tool such as SolarWinds SEM can and should be used to monitor for privileged account usage. This can include monitoring authentication attempts, account lockouts, password changes, file access/changes, and any other actions performed by administrative accounts. SIEM tools can also be used to monitor new administrative account creation and existing accounts being granted privileged escalation. SEM includes real-time filters, correlation rules, and reports to assist with monitoring administrative privileges.
Access Rights Manager can help with CIS 6, which asks for a process to revoke access rights and accounts. With ARM, you can grant access and automatically schedule the process of withdrawing these access rights. In addition, this will be logged and tracked in access reports for compliance requirements.
CIS Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Attackers prey on vulnerable configurations. Identifying vulnerabilities and making necessary adjustments helps prevent attackers from successfully exploiting them. Change Management is critical to helping ensure that any configuration changes made to devices don't negatively impact security.
Lacking awareness of access and changes to critical system files, folders, and registry keys can threaten device security. SolarWinds SEM includes file integrity monitoring, which monitors for any alterations to critical system files and registry keys that may result in insecure configurations. SEM will notify you immediately of any changes, including permission changes.
To help remediate vulnerabilities, the vulnerability and risk dashboard in Security Observability enables customers to identify environmental risks based on vulnerabilities. This feature gives customers a new view to identify risks and vulnerabilities within their infrastructure. This will assist them in prioritizing and reducing risk in important assets by enabling them to comprehend the severity of the risk. Risk-based prioritization is the benchmark for managing mounting cyber threats and remediating the most significant risks.
If vulnerabilities are identified because of outdated software and missing OS updates, you can use SolarWinds Patch Manager to apply those updates to remediate the Vulnerabilities. For CIS Control 7, companies of all sizes are asked to deploy automated software update tools to ensure the operating systems are running the most recent security updates provided by the software vendor.
If you have a vulnerability scanner such as Nessus, Rapid7, or Qualys - SEM can parse event logs from these sources to alert on detected vulnerabilities and correlate activity. Network configuration management in Hybrid Cloud Observability can help to identify risks to network security and reliability by detecting potential vulnerabilities in Cisco ASA and IOS based devices via integration with the National Vulnerability Database. You can even update the firmware on a range of network devices to remediate known vulnerabilities.
SolarWinds Network Configuration Manager can help protect your network from malware by looking at network vulnerabilities. Take the hassle out of vulnerability detection using Hybrid Cloud Observability's integration with the National Vulnerability Database and access to the most current CVEs to identify vulnerabilities in your network.
CIS Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
As you've probably guessed by the title, this one has Security Information and Event Management (SIEM) written all over it. Collecting and analyzing your audit logs from all the devices on your network can significantly reduce your MTTD (mean time to detection) when an internal or external attack occurs. Collecting logs is only one part of the equation. Analyzing and correlating event logs can help identify suspicious behavior patterns and allow you to respond accordingly. If an attack occurs, your audit logs are like an evidence room. They allow you to assemble the puzzle pieces, understand how the attack occurred, and remediate appropriately. SolarWinds SEM is a powerful SIEM tool with log normalization, correlation, active response, reporting, and more features.
Taking this further, CIS 8 asks companies of all sizes to activate audit logging for all system and network devices. SolarWinds Access Rights Manager (ARM) covers logging on user access rights and changes to these for you.
CIS Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
According to a recent study by Dataprot, 36% of all ransomware attacks in 2022 were distributed via email. Web Browsers are top-rated attack vendors, from scripting languages like ActiveX and JavaScript to unauthorized plug-ins, vulnerable out-of-date browsers, and malicious URL requests. CIS Control 9 limits unauthorized browsers, email clients, plugins, and scripting languages and monitors URL requests.
SolarWinds Patch Manager can identify and uninstall unauthorized browsers or email clients installed on servers and workstations. For authorized browsers and email clients such as Google Chrome, Mozilla Firefox, Internet Explorer, Microsoft Outlook and Mozilla Thunderbird, Patch Manager can help ensure that they are up to date.
SEM can take it a step further and block any unauthorized browsers and email clients from launching, thanks to its "kill process" active response. SEM can also collect logs from various proxy and content-filtering appliances to monitor for URL requests. This also helps validate any blocked URL requests.
CIS Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
SEM can integrate with a wide range of Anti-Virus and UTM Appliances to monitor for malware detection and respond accordingly. SEM also provides threat feed integration to monitor for communication with bad actors known to be associated with malware and other malicious activity. Control 10 involves limiting the use of external devices such as USB thumb drives and hard drives. SEM includes USBDefender technology, which monitors the USB storage device usage and detaches any unauthorized usage.
CIS Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Ransomware attacks occur every 14 seconds, meaning data backup and recovery capabilities are critical. CSC11 involves ensuring backups occur on at least a weekly basis and more frequently for sensitive data. Some controls in this category also include regularly testing backup media and restoration processes and ensuring backups and protection via physical security or encryption.
CIS Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
This critical control is like CSC7, which focuses on secure configurations for servers, workstations, laptops, and applications. CSC12 focuses on configuring network devices, such as firewalls, routers, and switches. Network devices typically ship with default configurations, including usernames, passwords, SNMP strings, open ports, etc. All these configurations should be amended to help ensure that attackers cannot take advantage of default accounts and configurations. Device configuration should also be compared against secure baselines for each device type. CSC12 also recommends that an automated network configuration management and change control system be in place. (Re)Enter Hybrid Cloud Observability’s configuration management, packed with features to assist with CSC12, including real-time change detection, configuration change approval system, Cisco IOS firmware updates, configuration baseline comparisons, bulk configuration changes, DISA STIG reports, and more.
CIS Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
There's no silver bullet when it comes to boundary defense to detect and prevent attacks and malicious behavior. Aside from firewalls, technologies such as IDS/IPS, SIEM, NetFlow, and web content filtering can monitor traffic at the boundary and identify suspicious behavior. SolarWinds SEM can ingest log data from sources such as IDS/IPS, firewalls, proxies, and routers to identify any unusual patterns, including port scans, ping sweeps, and more. Hybrid Cloud Observability can also be used to monitor both ingress and egress traffic to identify anomalous activity.
CIS Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
You can have all the technology, processes, procedures, and governance in the world, but your IT Security is only as good as its weakest link - and that is people. A security awareness program should be in place in every organization, regardless of size. Users need to be educated on the threats they face every day, such as social engineering, phishing attacks, and malicious attachments. If users are equipped with this knowledge and are aware of threats and risks, they are far more likely to identify, prevent, and alert to attacks. Some of the controls in CIS14 include performing a gap analysis of user's IT security awareness, delivering training (preferably from senior staff), implementing a security awareness program, and validating and improving awareness levels via periodic tests.
CIS Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
This new addition considers the increasing importance of cloud computing, software-as-a-service, and supply chain security. Also noticeable but plausible is the shift of the control Data Protection to the front to position three and the increase in Account Management and Access Control Management priorities. In sum, the changes at the control level are not very extensive. In contrast, over 200 changes were made at the Safeguards level. Therefore, organizations already using the CIS controls should look at the changes in detail.
CIS Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they impact the enterprise.
Attackers are constantly on the lookout for vulnerabilities to exploit. Security practices and processes must be in place to identify and remediate vulnerabilities in your environment. An endless list of possible attacks can capitalize on vulnerabilities, including buffer overflows, SQL injection, cross-site scripting, etc. For in-house developed applications, security shouldn't be an afterthought bolted on at the end. It needs to be considered at every stage of the SDLC. Some sub-controls within Control 16 address this with controls, including error checking for in-house apps, testing for weaknesses, and ensuring that development artifacts are not included in production code.
Secure by Design is our guiding principle for approaching security and cyber resiliency at SolarWinds. Consisting of several fundamental principles, we’re working to create a more secure environment and build a system centered around transparency and maximum visibility.
CIS Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
An incident has been identified. Now what? Control 17 focuses on people and processes rather than technical controls. This critical control involves helping to ensure that written incident response procedures are in place and that IT staff are aware of their duties and responsibilities when an incident is detected. It's all good to have technical controls, such as SIEM, IDS/IPS, and NetFlow, but they must be backed up with an incident response plan once an incident is detected.
CIS Control 18: Penetration Testing
Test the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.
Now that you've implemented the previous 17 Critical Security Controls, it's time to test them. Testing should only take place once your defensive mechanisms are in place. Testing must be an ongoing effort, not just a once-off, as environments and the threat landscape constantly change. Some controls within CSC18 include vulnerability scanning as the starting point to guide and focus penetration testing, conducting internal and external penetration tests, and documenting results.
While it may seem daunting to implement all 18 controls, it increases security standards, regulations, guidelines, and tools to help organizations of all sizes assess risks correctly and take effective measures for adequate protection.
I hope that you've found this post helpful. I look forward to hearing your experiences and thoughts on the CIS CSCs in the comments.
Disclaimer: This article is provided for informational purposes only and should not be relied upon as legal advice. SolarWinds makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.