Notes from the Field: CIS Control 13 – Network Monitoring and Defense
“How would you know if your network or systems have been compromised?”
That’s the question I often ask clients when discussing their network monitoring and defense tools. An IT manager of a small company I worked with recently was honest and said he wasn’t sure. He was so busy putting out different fires every day, he didn’t know where to begin. The IT team consisted of four people, and he didn’t have much of a budget to implement expensive tools and create a Security Operations Center (SOC) like large companies have. That was a good opportunity to introduce him to the Center for Internet Security Controls, specifically Control 13 – Network Monitoring and Defense.
The overview for Control 13 – Network Monitoring and Defense is:
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
Control 13 includes 11 safeguards or sub-controls:
- 13.1 Centralize Security Event Alerting
- 13.2 Deploy a Host-Based Intrusion Detection Solution
- 13.3 Deploy a Network Intrusion Detection Solution
- 13.4 Perform Traffic Filtering Between Network Segments
- 13.5 Manage Access Control for Remote Assets
- 13.6 Collect Network Traffic Flow Logs
- 13.7 Deploy a Host-Based Intrusion Prevention Solution
- 13.8 Deploy a Network Intrusion Prevention Solution
- 13.9 Deploy Port-Level Access Control
- 13.10 Perform Application Layer Filtering
- 13.11 Tune Security Event Alerting Thresholds
Why is this control critical?
No network is 100% secure, no matter how well architected. Even with appropriately implemented security controls, misconfigurations or an incomplete understanding of the security goals can leave gaps in both the tooling and the coverage it is supposed to provide.
Many companies I audit have little to no network monitoring tools and processes in place, while others have advanced tools in place but no processes to leverage them. Security alerts go uninvestigated. Companies that are successful in this area have both tools to identify threats and a person or a team of people who review and investigate security alerts.
Skilled security and operations staff must monitor alerting tools and respond before threats can impact the organization. Companies of all sizes must develop incident response capabilities to detect, analyze, and mitigate attacks.
When a company is compromised, it may not discover the breach for months or years. During that time, the attacker may be quietly collecting and exfiltrating company and customer data.
The CIS Controls document recommends weekly log reviews to tune the triggers of alerting tools. It stresses that while tools are necessary for logging and alerting, they cannot replace skilled information security staff and systems administrators who can understand and investigate the alerts.
Let’s take a look at some of these safeguards and how companies I’ve worked with have successfully implemented them.
For safeguard 13.1, Centralize Security Event Alerting, the clients I work with often have a SIEM or centralized log-analysis tool in place, such as Splunk, OSSEC, Wazuh, or the ELK stack. These tools collect logs from all types of systems. Security staff can configure alerts, delivered by email or text, on activity such as changes in account privileges, account password changes, unusual login activity, and access to sensitive systems and data.
The tools also provide reporting that surfaces new errors or potential threats so that organizations can take appropriate action. Some of the tools, such as OSSEC, are open source and do not require license fees; proprietary tools can be quite pricey. In all cases, there is a staffing cost to implement and monitor the tools, and staff must keep fine-tuning the queries and alerting to keep up with changing threats.
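The alert types listed above (brute-force login attempts, a success following them, a privilege change) and the thresholds of safeguard 13.11 can be demonstrated in a few lines. The following is an added example written for this page, not code from any SIEM product or from the original post: it parses constructed sshd and usermod lines in a syslog-like layout (sample data, not a real capture) and raises alerts once a source exceeds a configurable number of failed logins inside a time window. The `threshold` and `window_seconds` parameters, the `PRIVILEGED_GROUPS` set and the alert field names are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not taken from a real system).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T09:00:03 web01 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-01T09:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T09:00:07 web01 sshd[1204]: Failed password for deploy from 203.0.113.7 port 51125 ssh2
2024-03-01T09:00:09 web01 sshd[1205]: Failed password for deploy from 203.0.113.7 port 51126 ssh2
2024-03-01T09:00:12 web01 sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51127 ssh2
2024-03-01T09:05:40 web01 usermod[1300]: add 'deploy' to group 'sudo'
2024-03-01T09:10:00 web01 sshd[1350]: Failed password for alice from 198.51.100.5 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
GROUP_RE = re.compile(r"add '(\S+)' to group '(\S+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}   # assumed for the example


def analyze(log_text, threshold=5, window_seconds=60):
    """Return a list of alert dicts. `threshold` failures from one source inside
    `window_seconds` raise a brute-force alert; these two knobs are what safeguard
    13.11 (tuning alert thresholds) is about."""
    alerts = []
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # source IP -> timestamps of recent failed logins
    flagged = set()                 # sources that have already raised a brute-force alert

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                # unparseable line; a real pipeline would count these too
        ts = datetime.fromisoformat(m.group(1))
        host, msg = m.group(2), m.group(4)

        if (f := FAILED_RE.search(msg)):
            user, src = f.groups()
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # forget failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "host": host, "src": src,
                               "count": len(q), "at": ts.isoformat()})
        elif (a := ACCEPTED_RE.search(msg)):
            user, src = a.groups()
            if src in flagged:      # a success right after a burst of failures is the one to chase
                alerts.append({"type": "success_after_brute_force", "host": host,
                               "src": src, "user": user, "at": ts.isoformat()})
        elif (g := GROUP_RE.search(msg)):
            user, group = g.groups()
            if group in PRIVILEGED_GROUPS:
                alerts.append({"type": "privileged_group_change", "host": host,
                               "user": user, "group": group, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Run with the defaults, the sample produces three alerts in order: the brute-force burst from 203.0.113.7, the successful login from that same source, and the addition of `deploy` to the `sudo` group; the single failure from 198.51.100.5 stays below the threshold. Raising `threshold` to 6, or shrinking the window to 5 seconds, silences the first two while keeping the group change, which is the kind of trade-off the weekly review is meant to settle.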
Safeguards 13.2 and 13.7 Host-Based Intrusion Detection and Prevention
Some of the tools above, such as OSSEC and Wazuh, include an agent that is installed on each system. Among other features, these agents provide host-based intrusion detection and prevention: file integrity monitoring detects changes to sensitive files and binaries, log analysis spots suspicious activity on the host, and active-response rules can react to an alert, for example by adding a firewall rule that drops a source after repeated failed logins. OSSEC is an open-source product that I’ve seen used at many organizations. Endpoint Detection and Response (EDR) tools, such as SentinelOne and CrowdStrike, provide similar functionality and are also widely used among my clients.
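File integrity monitoring is the detection half of these safeguards, and it is simple enough to show end to end. The block below is an added example for this page, not OSSEC, Wazuh or any EDR vendor’s code: it records a SHA-256 hash, the permission bits and the size of every regular file under a directory, then re-scans and reports what was added, removed or modified. The `demo()` function builds a throwaway tree in a temporary directory and tampers with it the way an intruder might; the file names and contents are constructed for the example, and it assumes a POSIX filesystem so that a permission-only change (setting the setuid bit) is observable.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under `root` (path relative to root) to hash, mode bits and size."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue                       # symlinks and directories are not hashed here
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "mode": st.st_mode & 0o7777,   # keep setuid/setgid/sticky bits, not just rwx
            "size": st.st_size,
        }
    return baseline


def compare(baseline, root):
    """Re-scan `root` and report what changed since `baseline` was taken."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(path for path in baseline.keys() & current.keys()
                      if baseline[path] != current[path])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL:ALL) ALL\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder for a real binary")
        baseline = build_baseline(root)

        # Simulated tampering (constructed for the example):
        with open(root / "etc" / "sudoers", "a") as f:            # passwordless sudo for www-data
            f.write("www-data ALL=(ALL) NOPASSWD: ALL\n")
        os.chmod(root / "etc" / "passwd", 0o4755)                 # same bytes, new permission bits
        (root / "bin" / "nc").write_bytes(b"\x7fELF dropped tool")  # a new file appears
        (root / "bin" / "ls").unlink()                            # a trusted binary disappears

        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The diff names every one of the four changes, including the permission-only change to `passwd` that a content hash alone would miss. Two things a production agent adds that this example does not: the baseline must live somewhere the attacker cannot rewrite (an agent that stores it next to the files it guards is protecting nothing), and the scan must be scheduled or event-driven rather than run by hand.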
Safeguards 13.3 and 13.8 Network Intrusion Detection and Prevention
These safeguards address deploying network intrusion detection and prevention tools. Most on-premises firewalls include IDS/IPS engines that can be enabled, often built on Snort or Suricata. The same engines can be deployed in cloud environments, so that security does not rest solely on, for example, AWS security group rules to restrict network traffic. Collecting network traffic flow logs (safeguard 13.6) gives the analysts who receive IDS alerts the context to see what else the source touched and whether the traffic filtering between segments (safeguard 13.4) actually held.
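Flow logs on their own already support two network-side detections worth having before any IDS signature fires: a port scan against a host, and traffic that a segment policy says should never have been accepted. The following is an added example for this page, not Snort, Suricata or AWS code: it parses constructed records laid out in the AWS VPC Flow Log version 2 field order (sample data, not a real capture), flags a source that touches many distinct TCP ports on one host inside a time window, and lists ACCEPTed flows into a server segment on ports outside an assumed policy. The `SERVER_SEGMENT_POLICY` mapping, the `min_ports` and `window` defaults and the result field names are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed records in AWS VPC Flow Log version 2 field order; sample data, not a real capture.
FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44321 21 6 1 60 1709283600 1709283601 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44322 22 6 1 60 1709283601 1709283602 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44323 23 6 1 60 1709283602 1709283603 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44324 25 6 1 60 1709283603 1709283604 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44325 80 6 1 60 1709283604 1709283605 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44326 110 6 1 60 1709283605 1709283606 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44327 143 6 1 60 1709283606 1709283607 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44328 443 6 12 2048 1709283607 1709283612 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44329 445 6 1 60 1709283608 1709283609 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.5 44330 3389 6 1 60 1709283609 1709283610 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.5 50210 443 6 30 9000 1709283620 1709283640 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.8 10.0.1.5 53122 443 6 20 5000 1709283700 1709283720 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.8 10.0.1.5 53123 3389 6 400 120000 1709283800 1709284100 ACCEPT OK
"""

FIELDS = ("version account interface src dst srcport dstport protocol "
          "packets bytes start end action status").split()
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Assumed segment policy for the example: the server subnet only takes SSH and HTTPS.
SERVER_SEGMENT_POLICY = {"10.0.1.0/24": {22, 443}}


def parse_flows(text):
    """Turn whitespace-separated flow records into dicts; skips malformed or NODATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=8, window=60):
    """A source touching at least `min_ports` distinct TCP ports on one host within `window` seconds.
    Rejected flows count too: the scan is visible precisely because the filter is working."""
    by_pair = defaultdict(list)
    for r in records:
        if r["protocol"] == 6:                     # TCP only
            by_pair[(r["src"], r["dst"])].append((r["start"], r["dstport"]))
    hits = []
    for (src, dst), flows in by_pair.items():
        flows.sort()                               # by start time
        for i, (t0, _) in enumerate(flows):
            ports = {port for t, port in flows[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.append({"src": src, "dst": dst, "distinct_ports": len(ports)})
                break                              # one finding per source/destination pair
    return hits


def unexpected_accepts(records, policy):
    """ACCEPTed flows into a policed network on a port the policy does not allow.
    An entry here means traffic filtering between segments (13.4) has a gap."""
    nets = {ipaddress.ip_network(cidr): ports for cidr, ports in policy.items()}
    findings = []
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        dst = ipaddress.ip_address(r["dst"])
        for net, ports in nets.items():
            if dst in net and r["dstport"] not in ports:
                findings.append({"src": r["src"], "dst": r["dst"],
                                 "dstport": r["dstport"], "bytes": r["bytes"]})
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOGS)
    print(detect_port_scans(flows))
    print(unexpected_accepts(flows, SERVER_SEGMENT_POLICY))
```

On the sample, the scan detector reports 203.0.113.9 hitting ten distinct ports on 10.0.1.5 in nine seconds, and the policy check reports the one flow that matters for segmentation: a workstation-subnet host reaching the server subnet on RDP (3389) with 120 KB transferred, which the security group accepted even though the policy says it should not have.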
Safeguard 13.10 Perform Application Layer Filtering
A web application firewall (WAF) is commonly used to protect web applications from SQL injection, cross-site scripting (XSS), and other Layer 7 attacks. Companies I’ve worked with often use Cloudflare or AWS WAF for their cloud-hosted applications. ModSecurity is a popular choice for companies that don’t want to pay for premium services such as Cloudflare or AWS WAF. A WAF is a compensating control: it blocks known attack patterns in front of the application, but it does not replace fixing the application itself, and its rules need the same tuning as any other alert source.
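The single most common mistake in a home-grown Layer 7 filter is matching patterns against the raw request, which an attacker sidesteps with URL encoding. The block below is an added example for this page, not ModSecurity, Cloudflare or AWS WAF code: it carries a deliberately small rule set for SQL injection and XSS, and shows a naive matcher that looks at raw parameter values next to one that percent-decodes to a fixed point, collapses whitespace and lower-cases before matching. The rule names, the `max_rounds` limit and the request inputs are assumptions of the example; the inputs are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signature rules: (rule name, compiled pattern). Deliberately small; a real rule set such
# as ModSecurity's Core Rule Set has hundreds of these plus scoring, not a plain match.
RULES = [
    ("sqli:boolean",      re.compile(r"'\s*(or|and)\s+['\d]", re.I)),
    ("sqli:union",        re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sqli:stacked",      re.compile(r";\s*(drop|alter|truncate)\s+table\b", re.I)),
    ("xss:script-tag",    re.compile(r"<\s*script\b", re.I)),
    ("xss:event-handler", re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I)),
    ("xss:js-uri",        re.compile(r"javascript\s*:", re.I)),
]


def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (attackers double-encode), then
    collapse whitespace and lower-case, so the rules see what the application will see.
    `max_rounds` bounds the work an attacker can force with deeply nested encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return " ".join(value.split()).lower()


def match_rules(value):
    """Names of every rule whose pattern appears in `value`."""
    return [name for name, pattern in RULES if pattern.search(value)]


def naive_inspect(params):
    """Match against raw parameter values. Kept only to show the bypass."""
    findings = {}
    for name, value in params.items():
        hits = match_rules(value)
        if hits:
            findings[name] = hits
    return findings


def inspect_request(params):
    """Match against normalized values: decoding before matching is the whole point."""
    findings = {}
    for name, value in params.items():
        hits = match_rules(normalize(value))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    encoded_sqli = {"id": "1%27%20OR%201%3D1%20--"}
    double_encoded_xss = {"q": "%253Cscript%253Ealert(1)%253C%252Fscript%253E"}
    print("naive:", naive_inspect(encoded_sqli), naive_inspect(double_encoded_xss))
    print("normalized:", inspect_request(encoded_sqli), inspect_request(double_encoded_xss))
```

The naive matcher passes both malicious requests clean; the normalized one flags `1' OR 1=1 --` as boolean SQL injection and the double-encoded `<script>` as XSS. The same rules will also flag a harmless comment that happens to contain the words "union select", which is the false-positive cost every signature-based WAF carries and the reason its alerts, like the SIEM's, need to be reviewed and tuned rather than trusted blindly.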
Protect Your Org with Proper Network Monitoring Controls
No matter the size of your organization or budget, you need to implement strong network monitoring and defense tools and procedures. Attackers look for easy targets. Don’t be one of them. Use the tools and procedures described in the CIS Controls to better protect your company network and customer data.
We understand how challenging it can be to make sure you’ve implemented the right controls. Our experts are here to help! Connect with us today to build a security program that will allow you to face today’s threats confidently.