CIS Control 13: Network Monitoring and Defense
Networks form a critical core for modern-day society and businesses. People, processes, and technologies should be in place for monitoring, detecting, logging, and preventing malicious activity that occurs when an enterprise experiences an attack within or against its networks.
Key Takeaways for Control 13
Enterprises should understand that their systems and networks are never perfectly immune to a cyberattack. Enterprises can leverage the safeguards provided by Control 13 to guide the evolution and maturity of their security posture.
Network monitoring and defense should be viewed as a continuous improvement capability that involves the enterprise’s people, processes, and technologies. Enterprises need a well-trained staff to operate the organization’s network monitoring and defense ecosystem. Monitoring and logging technologies and processes provide both real-time and historical data that can be used to understand what malicious actors are doing and how they behave. This provides valuable knowledge that the organization can use as it continuously improves and matures its security posture.
Detection and prevention technologies are also necessary in today’s environment because many attack techniques move at machine speed, and human reaction can be too slow to defend against an automated attack. Control 13 is designed to help organizations enable and maintain good network monitoring and defense.
Safeguards for Control 13
13.1) Centralize Security Event Alerting
Description: Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
Notes: The security function associated with this safeguard is Detect.
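As an added illustration of the log correlation this Safeguard asks a SIEM or log analytics platform to perform (example code written for this page, not CIS material or any vendor's correlation rule): the script below takes sshd events forwarded from several hosts to one collector and fires when a single source accumulates failed logins across any of those hosts and then obtains an accepted login. The log lines, hostnames and addresses are constructed, and the rule name `brute_force_then_success`, the five-minute window and the failure count of three are assumptions.

```python
"""Cross-host correlation rule of the kind a SIEM applies to centralized logs.
Added example: the log lines, hostnames and IPs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd events as forwarded from three hosts to one central collector.
CENTRAL_LOG = """\
2024-05-01T10:00:01 web01 sshd[101]: Failed password for admin from 203.0.113.7 port 50001
2024-05-01T10:00:05 web02 sshd[202]: Failed password for admin from 203.0.113.7 port 50002
2024-05-01T10:00:09 db01 sshd[303]: Failed password for root from 203.0.113.7 port 50003
2024-05-01T10:00:14 db01 sshd[304]: Failed password for backup from 203.0.113.7 port 50004
2024-05-01T10:00:20 db01 sshd[305]: Accepted password for backup from 203.0.113.7 port 50005
2024-05-01T10:02:00 web01 sshd[106]: Failed password for alice from 198.51.100.9 port 40001
2024-05-01T10:02:30 web01 sshd[107]: Accepted password for alice from 198.51.100.9 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Normalize raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate_brute_force(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates `min_failures` failed logins across
    ANY hosts within `window` and then obtains an accepted login."""
    failures = defaultdict(list)  # src -> [(ts, host), ...] still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent = [(t, h) for t, h in failures[src] if ev["ts"] - t <= window]
        failures[src] = recent
        if ev["result"] == "Failed":
            recent.append((ev["ts"], ev["host"]))
        elif len(recent) >= min_failures:
            alerts.append({
                "rule": "brute_force_then_success",  # assumed rule name
                "src": src,
                "failures": len(recent),
                "failed_hosts": sorted({h for _, h in recent}),
                "success_host": ev["host"],
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
            })
    return alerts


def per_host_max_failures(events, src):
    """What any single host sees on its own: failures from `src` counted per host."""
    counts = defaultdict(int)
    for ev in events:
        if ev["src"] == src and ev["result"] == "Failed":
            counts[ev["host"]] += 1
    return max(counts.values(), default=0)


EVENTS = parse_events(CENTRAL_LOG)
ALERTS = correlate_brute_force(EVENTS)

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
    print("max failures seen by any one host:",
          per_host_max_failures(EVENTS, "203.0.113.7"))
```

Run it directly to print the alert. The `per_host_max_failures` check is the point of centralizing: no single host ever sees more than two failures from the same source, so a per-host rule with a threshold of three stays silent, while the correlated view across all three hosts counts four failures followed by a success and alerts.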
13.2) Deploy a Host-Based Intrusion Detection Solution
Description: Deploy a host-based intrusion detection solution on enterprise assets where appropriate and/or supported.
Notes: The security function associated with this safeguard is Detect.
13.3) Deploy a Network Intrusion Detection Solution
Description: Deploy a network intrusion detection solution on enterprise assets where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Notes: The security function associated with this safeguard is Detect.
13.4) Perform Traffic Filtering Between Network Segments
Description: Perform traffic filtering between network segments where appropriate.
Notes: The security function associated with this safeguard is Protect.
13.5) Manage Access Control for Remote Assets
Description: Manage access control for assets remotely connecting to enterprise resources. Determine the amount of access to enterprise resources based on whether there’s up-to-date anti-malware software installed, whether the requesting device maintains configuration compliance with the enterprise’s secure configuration process, and whether the device’s operating system and applications are up-to-date.
Notes: The security function associated with this safeguard is Protect.
13.6) Collect Network Traffic Flow Logs
Description: Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Notes: The security function associated with this safeguard is Detect.
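The following added example (written for this page, not CIS material or a product's rule set) ties Safeguards 13.4 and 13.6 together: it reviews a constructed flow-log export against a segmentation policy, so that any flow between two segments that the filter should have dropped surfaces as a finding, and applies two alert rules to the same records (one source touching many destination ports, and a large internal-to-external transfer). The segment names and CIDR ranges, the `POLICY` entries, the CSV column layout and the byte and port thresholds are all assumptions.

```python
"""Review of network flow logs against a segmentation policy plus two simple
alert rules. Added example: segment ranges, policy and flow records are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed network segments (names and CIDRs are assumptions, not from CIS).
SEGMENTS = {
    "user_lan": ipaddress.ip_network("10.10.0.0/16"),
    "web_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted inter-segment flows: (src_segment, dst_segment, proto, dst_port).
# A flow between two different segments that is not listed here should have
# been dropped by the segment filter, so seeing it in the flow log is a finding.
POLICY = {
    ("user_lan", "web_dmz", "tcp", 443),
    ("web_dmz", "db", "tcp", 5432),
}

# Constructed flow records in a NetFlow / VPC-flow-log style CSV export.
FLOW_LOG = """\
ts,src,dst,proto,dport,bytes
2024-05-01T09:00:00,10.10.4.21,10.20.0.5,tcp,443,18234
2024-05-01T09:00:02,10.20.0.5,10.30.0.10,tcp,5432,5120
2024-05-01T09:01:10,10.10.4.21,10.30.0.10,tcp,5432,312
2024-05-01T09:01:11,10.10.4.21,10.30.0.10,tcp,22,60
2024-05-01T09:01:12,10.10.4.21,10.30.0.10,tcp,3306,60
2024-05-01T09:01:13,10.10.4.21,10.30.0.10,tcp,445,60
2024-05-01T09:05:00,10.30.0.10,203.0.113.50,tcp,443,734003200
"""


def segment_of(ip):
    """Map an address to its segment name; anything outside SEGMENTS is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flows(text):
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        row["src_seg"] = segment_of(row["src"])
        row["dst_seg"] = segment_of(row["dst"])
        flows.append(row)
    return flows


def policy_violations(flows):
    """Flows crossing a segment boundary that the policy does not permit."""
    return [f for f in flows
            if f["src_seg"] != f["dst_seg"]
            and (f["src_seg"], f["dst_seg"], f["proto"], f["dport"]) not in POLICY]


def port_sweeps(flows, min_ports=3):
    """Source/destination pairs where one source touched many distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def large_outbound(flows, threshold_bytes=100 * 1024 * 1024):
    """Internal-to-external flows moving at least `threshold_bytes`."""
    return [f for f in flows
            if f["src_seg"] != "external" and f["dst_seg"] == "external"
            and f["bytes"] >= threshold_bytes]


FLOWS = parse_flows(FLOW_LOG)

if __name__ == "__main__":
    for f in policy_violations(FLOWS):
        print("policy violation:", f["src"], "->", f["dst"], f["proto"], f["dport"])
    print("port sweeps:", port_sweeps(FLOWS))
    print("large outbound:", [(f["src"], f["dst"], f["bytes"]) for f in large_outbound(FLOWS)])
```

On the constructed data the policy check reports the four user-LAN-to-database flows and the database host's direct connection to an external address, which is exactly the class of traffic a segment filter under 13.4 is meant to stop; the same records also show the port sweep and the large outbound transfer, which is why flow logs are worth collecting even where filtering is already in place.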
13.7) Deploy a Host-Based Intrusion Prevention Solution
Description: Deploy a host-based intrusion prevention solution on enterprise assets where appropriate and/or supported. Example implementations include the use of an Endpoint Detection and Response (EDR) client or a host-based IPS agent.
Notes: The security function associated with this safeguard is Protect.
13.8) Deploy a Network Intrusion Prevention Solution
Description: Deploy a network intrusion prevention solution where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Notes: The security function associated with this safeguard is Protect.
13.9) Deploy Port-Level Access Control
Description: Deploy port-level access control. Port-level access control utilizes 802.1x or similar network access control protocols, for example with certificate-based authentication. It may incorporate user and/or device authentication as well.
Notes: The security function associated with this safeguard is Protect.
13.10) Perform Application Layer Filtering
Description: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
Notes: The security function associated with this safeguard is Protect.
13.11) Tune Security Event Alerting Thresholds
Description: Tune security event alerting thresholds monthly or more frequently.
Notes: The security function associated with this safeguard is Detect.
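As an added example of what a monthly threshold review can look like in practice (written for this page, not a CIS or vendor procedure): the script below derives a per-rule daily alert threshold from the most recent month's hit counts using a median plus scaled median-absolute-deviation baseline, then compares the alert volume that a stale threshold would generate against a freshly tuned one. The daily counts, the multiplier `k=3.0` and the use of a robust baseline instead of mean and standard deviation are assumptions.

```python
"""Baseline-driven alert threshold tuning for one detection rule, recomputed
from the most recent month of data. Added example; the daily hit counts below
are constructed."""
import math
import statistics

# Constructed daily hit counts for one rule: a quiet month with a single spike,
# then a month in which normal volume roughly doubled (e.g. after a migration).
PREVIOUS_MONTH = [40, 42, 38, 41, 45, 39, 40, 43, 41, 44,
                  40, 42, 39, 41, 40, 300, 42, 41, 40, 43]
CURRENT_MONTH = [78, 82, 85, 79, 81, 80, 84, 83, 79, 80,
                 82, 81, 80, 85, 79, 83, 80, 82, 81, 84]


def tune_threshold(daily_counts, k=3.0):
    """Threshold = median + k * scaled MAD. Median and MAD resist the single
    spike day that would drag a mean / standard-deviation baseline upward."""
    med = statistics.median(daily_counts)
    mad = statistics.median([abs(c - med) for c in daily_counts])
    return math.ceil(med + k * 1.4826 * mad)  # 1.4826 scales MAD to a sigma-like unit


def days_firing(daily_counts, threshold):
    """How many days would have raised the alert at this threshold."""
    return sum(1 for c in daily_counts if c > threshold)


def retune_report(previous, current, k=3.0):
    """Compare the alert volume a stale threshold produces on the current
    month's data against the volume a freshly tuned threshold produces."""
    stale = tune_threshold(previous, k)
    fresh = tune_threshold(current, k)
    return {
        "stale_threshold": stale,
        "fresh_threshold": fresh,
        "alerts_with_stale": days_firing(current, stale),
        "alerts_with_fresh": days_firing(current, fresh),
    }


if __name__ == "__main__":
    print(retune_report(PREVIOUS_MONTH, CURRENT_MONTH))
```

With these inputs the previous month yields a threshold of 46, which catches only the 300-hit spike day; left in place through a month where normal volume doubled, that same threshold fires every single day and the rule becomes noise that analysts learn to ignore. Re-deriving it from the current month moves it to 88 and restores a rule that is silent on normal days, which is the outcome a monthly tuning cycle is meant to preserve.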