Transcription
Version 7.1www.netsurion.com/eventtrackerSANS Top 20 CISSANS Top 20 CISCritical Security ControlSolution Brief
About NetsurionNetsurion powers secure and agile networks for highly distributed and small-to-medium enterprises andthe IT providers that serve them. In such environments, the convergence of threat protection and networkmanagement are driving the need for greater interoperability between the NOC (network operations center)and the SOC (security operations center) as well as solutions that fuse technology and service to achieve optimalresults. To this end, Netsurion has converged purpose-built network hardware, innovative security software, andflexible managed services.Netsurion’s SD-Branch solution, BranchSDO, is a comprehensive network management and security solutionconsisting of SD-WAN, next-gen security, cellular, Wi-Fi, and PCI DSS compliance tools and support. At the heart ofthe solution is the CXD, Netsurion’s SD-WAN edge appliance.Netsurion’s Security Operations solution, EventTracker, delivers advanced threat protection and compliancebenefits in a variety of deployment options: a SIEM platform, a co-managed SIEM service with 24/7 SOC, and amanaged SIEM for MSPs.SANS Top 20 CIS Critical Security Control OverviewThe 20 Critical Security Controls were developed in the U.S. by a consortium led by the Center for Strategic andInternational Studies (CSI).The Consensus Audit Guidelines (CAG), also known as the 20 Critical Security Controls, is a publication of bestpractices relating to computer security that essentially encompass twenty (20) core controls. Today’s growingcyber security threats are posing serious challenges for organizations regarding the confidentiality, integrity andavailability (CIA) of their networks, ultimately requiring comprehensive measures to protect critical assets andinfrastructure. What’s interesting to note about the 20 Critical Security Controls is its formation itself, which cameabout due to a collaborative effort amongst a number of well-known entities, including U.S. government agencies,information security forensics experts and others.Protective MonitoringThe policy is not reproduced here and public sector bodies should obtain it from the CESG. However, insummary, the logging requirements regarding user access to your network and systems include recording thefollowing events: Unauthorized application access (where applicable) Unsuccessful login / logout Successful login / logout Privileged system changes (e.g. account management, policy changes, device configuration)Logs should be kept for at least 6 months. This may include the use of backup tapes, but logs should be easilyavailable for use as part of your incident response policy, as well as help with an investigation. In practice this mayneed a system which maintains logs readily recoverable from any archive.2SANS Top 20 CIS File access attempts to protectively marked information (e.g. RESTRICTED data).
EventTracker Provides a Full View of the Entire IT InfrastructureEventTracker SIEM improves security, helps organizations demonstrate compliance and increases operationalefficiencies. EventTracker SIEM enables your organization to be more aware of potential security risks and internal/external threats. It provides you with the ability to respond to a security incident with comprehensive dataand forensic tools for analysis. The time required to investigate and mitigate security incidents can be greatly reduced, minimizing potential exposure and costs.SIEMphonic is our managed services offering that enhances the value of EventTracker implementations.Our expert staff can assume responsibility for some or all EventTracker SIEM-related tasks, including systemmanagement, incident reviews, daily/weekly log reviews, configuration assessments and audit support.We augment your IT Security team, allowing you to focus on your priorities by leveraging our expertise,discipline and efficiency.Scalable, Log Collection and Processing with Notifications based on CriticalityEventTracker SIEM provides automatic consolidation of thousands or even millions of audit events to meet theneeds of any size organization. The inbound log data is identified by EventTracker’s built-in Knowledge Base, whichcontains log definitions for thousands of types of log events, and automatically identifies which events are criticalto security standards.EventTracker SIEM provides real-time and batch aggregation of all system, event and audit logs from your firewalls, IDS/IPS, network devices, Windows, Linux/Unix, VMware ESX, Citrix, databases, MS Exchange web servers,EHRs and more.Ease of Deployment and ScalabilityEventTracker SIEM is available on premises or as a highly scalable cloud-based SIEM and Log Management solution.It offers several deployment options to meet the needs of organizations with a few dozen systems or thosewith thousands of systems spread across multiple locations. EventTracker Cloud is available as an AMI onAmazon EC2, Microsoft Azure or your cloud infrastructure provider of choice. It supports multi-tenantimplementations for MSSP organizations serving the needs of smaller customers.SANS Top 20 CIS3
SANS Top 20 CIS Critical Security Control Version 6 RequirementsRequirementsEventTracker SolutionEventTrackerEventTrackerCSC-1 Inventory of Authorized andUnauthorized DeviceActively manage (inventory, track, and correct)all hardware devices on the network so thatonly authorized devices are given access, andunauthorized and unmanaged devices arefound and prevented from gaining access.EventTracker can import from asset databases, andcorrelate actual devices present on the network againstlists of approved devices. EventTracker can also collectlogs from DHCP servers to help detect unknown orunauthorized systems.YesYesCSC 2: Inventory of Authorized andUnauthorized SoftwareActively manage (inventory, track, and correct)all software on the network so that onlyauthorized software is installed and canexecute, and that unauthorized andunmanaged software is found andprevented from installation or execution.EventTracker monitors for the installation or executionof software. EventTracker can also create and maintaindynamic lists of approved software based on behavioralmonitoring that may be operated in the environment.YesYesCSC 3: Continuous Vulnerability Assessmentand RemediationContinuously acquire, assess, and takeaction on new information in order to identifyvulnerabilities, remediate, and minimize thewindow of opportunity for attackers.EventTracker collects logs from vulnerability scanners. Itis able to correlate event logs with data from vulnerabilityscans. EventTracker can monitor the use of the accountthat was used to perform the vulnerability scan.YesYesCSC 4: Controlled Use of AdministrativePrivilegesEventTracker collects logs from almost any device andcan monitor the use of default, generic, service and otherprivileged accounts.YesYesThe processes and tools used to track/control/prevent/correct the use, assignment,and configuration of administrative privilegeson computers, networks, and applications.EventTracker supports the Control 4 Metric by collectinglogs on administrative activities from across theinfrastructure. EventTracker offers out-of-the-boxPrivileged User Monitoring, which simplifies the task oftracking and monitoring accounts with elevated privilegesand automates a number of tasks that are generally donemanually. EventTracker can be used in combination withmultiple operating systems (various Linux distributions,Windows, Solaris, etc.) in addition to MS Exchangeserver 2007 and 2010. EventTracker’s unique ability tosimultaneously correlate data across multiple applicationsand devices strengthens privileged user monitoring andexposes suspicious activity performed by administrativeaccounts.CSC 5: Secure Configurations for Hardwareand Software on Mobile Devices, Laptops,Workstations, and ServersEstablish, implement, and actively manage(track, report on, correct) the securityconfiguration of laptops, servers, andworkstations using a rigorous configurationmanagement and change control process inorder to prevent attackers from exploitingvulnerable services and settings.EventTracker monitors the use of privileged or genericaccounts, the startup of services, the use of ports, andthe application of patches. EventTracker can also detectchanges to key files through its Change Audit feature.YesYesAlertsEventTracker supports the Control 1 Metric by identifyingnew unauthorized devices being connected to thenetwork in near real time (for example via DHCP logs).EventTracker supports the Control 2 Metric by identifyingattempts to install authorized/unauthorized software(for example via Windows application logs/Applicationmonitoring feature), by identifying attempts to executeunauthorized software (by monitoring process startups).EventTracker supports the Control 3 Metric by collectinglogs and data from vulnerability scans. This enablesEventTracker to correlate both the data from the scanand the logs about the scan, providing the basis to reporton progress of the vulnerability scan, and of any deviceswhere the scan did not take place. EventTracker can alsocollect logs relating to patch installation, and can triggeran alert based on successful completion.EventTracker supports the Control 5 Metric by identifyingchanges to key files, services, ports, configuration files, orsoftware installed on the system.SANS Top 20 CIS4Reports
RequirementsEventTracker SolutionEventTrackerEventTrackerCSC 6: Maintenance, Monitoring, andAnalysis of Audit LogsCollect, manage, and analyze audit logs ofevents that could help detect, understand,or recover from an attack.EventTracker provides a comprehensive platform for themaintenance, monitoring and analysis of audit logs.YesYesCSC 7: Email and Web Browser ProtectionsMinimize the attack surface and theopportunities for attackers to manipulatehuman behavior though their interactionwith web browsers and email systems.EventTracker can collect logs from email and web-contentfiltering tools. EventTracker is tightly integrated withMS Exchange, Office 365 and many more.YesYesCSC 8: Malware DefensesControl the installation, spread, and executionof malicious code at multiple points in theenterprise, while optimizing the use ofautomation to enable rapid updating ofdefense, data gathering, and corrective action.EventTracker collects logs from malware detection toolsand correlate those logs with other data collected inreal time to eliminate false positives and detect blendedthreats. EventTracker can also collect logs from emailand web-content filtering tools. Via its advanced agent,EventTracker can detect and report data copied toremovable storage devices. EventTracker is tightlyintegrated with industry-leading security vendors includingFireEye, Fortinet and Palo Alto, among many others.YesYesYesYesReportsAlertsEventTracker supports the Control 6 Metric by collectingall events from across the network.EventTracker performs extensive processing of everylog that is collected, assigning a common event andestablishing a risk based priority for each log.EventTracker’s patented real-time analytics technologycan baseline behavior of users, hosts and data from acrossthe network. Once a baseline is established, abnormalbehavior can be detected and alerted on.EventTracker supports the Control 8 Metric bycontinually collecting and monitoring logs from a widevariety of malware detection tools, in addition to itsown agent technology.CSC 9: Limitation and Control of NetworkPorts, Protocols, and ServicesManage (track/control/correct) the ongoingoperational use of ports, protocols, andservices on networked devices in order tominimize windows of vulnerability availableto attackers.By collecting logs from port scanners, EventTracker isable to detect open ports on the network. EventTrackercan also collect logs on protocols in use and servicesstarting up on individual devices.CSC 10: Data Recovery CapabilityThe processes and tools used to properlyback up critical information with a provenmethodology for timely recovery of itEventTracker collects logs from Windows and otherbackup systems. EventTracker can detect backupsthat did not successfully complete, or backups that didnot start.YesYesCSC 11: Secure Configurations for NetworkDevices such as Firewalls, Routers, andSwitchesEstablish, implement, and actively manage(track, report on, correct) the securityconfiguration of network infrastructuredevices using a rigorous configurationmanagement and change control process inorder to prevent attackers from exploitingvulnerable services and settings.EventTracker collects logs from any network devicethat generates syslog or SNMP.YesYesEventTracker supports the Control 11 Metric bycollecting logs from network devices and correlatingchanges against a change control system to identifyand alert on any unauthorized changes.SANS Top 20 CIS5EventTracker supports the Control 9 Metric by collectinglogs from across the environment and baselining thebehavior patterns observed over a period of time. Usingthis baseline, deviations from normal or expected behavior can be detected and alerts generated.
RequirementsEventTracker SolutionEventTrackerEventTrackerCSC 12: Boundary DefenseDetect/prevent/correct the flow ofinformation transferring networks ofdifferent trust levels with a focus onsecurity-damaging data.EventTracker collects logs from a wide variety of boundarydefense devices for correlation or compliance purposes.YesYesCSC 13: Data ProtectionThe processes and tools used to preventdata exfiltration, mitigate the effects offiltrated data, and ensure the privacy andintegrity of sensitive information.EventTracker collects logs from both endpoints andnetwork perimeter devices in order to assist in thedetection of data loss incidents.YesYesCSC 14: Controlled Access Based on theNeed to KnowThe processes and tools used to track/control/prevent/correct secure access tocritical assets (e.g., information, resources,systems) according to the formaldetermination of which persons, computers,and applications have a need and right toaccess these critical assets based on anapproved classification.EventTracker collects audit logs from across the network.YesFully integrated Change Auditing capabilities monitor forand alert on a variety of malicious behaviors, includingimproper user access of confidential files to botnet relatedbreaches and transmittal of sensitive data.YesCSC 15: Wireless Access ControlThe processes and tools used to track/control/prevent/correct the security use ofwireless local area networks (LANS), accesspoints, and wireless client systems.EventTracker collects logs from a variety of wirelessdevices and management systems. In conjunction withlogs collected from DHCP servers, wireless clients may bedetected when connecting to the organization’s network.AlertsEventTracker supports the Control 12 Metric by collectinglogs from boundary defense devices. EventTracker canbuild trends of data flows based on observed behaviorand alert on deviations from normal behavior. Byunderstanding the internal network infrastructure,internal and external context can be added to alerts,helping identify unexpected traffic flows such as a websitein the DMZ communicating directly with a SQL database,rather than communicating via the application layer.EventTracker also offers out-of-the-box support for thirdparty threat lists and custom IP address blacklists, andcan alert in real-time when connections are made to anyblacklisted IP address or host.EventTracker supports the Control 13 Metric by collectinglogs from endpoints, authentication systems, boundarydefense devices, proxies and email servers, amongstothers. EventTracker is able to detect abnormal activityin real time. EventTracker’s patented, real-time analyticstechnology, is able to establish baselines of behavior.EventTracker supports the Control 14 Metric by collectinglogs of all attempts by users to access files on localsystems or network accessible file shares without theappropriate privileges. EventTracker’s Change Audit canalso be used to establish a baseline of normal behavioragainst a file or file set, and can alert on deviations fromthat behavioral baseline.EventTracker supports the Control 15 Metric by collectinglogs from wireless devices, wireless managementsystems, and DHCP. Real-time correlation of theselogs enables the identification of unauthorized wirelessdevices or configurations.YesYesSANS Top 20 CIS6Reports
RequirementsEventTracker SolutionEventTrackerEventTrackerCSC 16: Account Monitoring and ControlActively manage the life cycle of systemand application accounts -their creation, use,dormancy, deletion -in order to minimizeopportunities for attackers to leverage them.EventTracker collects audit logs from across the networkfor both local and network accounts.YesYesReportsAlertsEventTracker supports the Control 16 Metric by collectinglogs of all user activity and correlating this with lists ofprivileged, generic and service accounts, and also with listsof accounts for users that are terminated. Using ChangeAudit, lists can be automatically maintained whenchanges take place in the environment. EventTracker canalert when the use of terminated accounts is observed,and offers extensive reporting capabilities in this area.EventTracker can also establish baselines of normalaccount behavior. For example, EventTracker can trackwhich servers a user normally connects to, and alert ona deviation from that norm.CSC 17: Security Skills Assessment andAppropriate Training to Fill GapsFor all functional roles in the organization(prioritizing those mission-critical to thebusiness and its security), identify the specificknowledge, skills, and abilities needed tosupport defense of the enterprise; developand execute an integrated plan to assess,identify gaps, and remediate through policy,organizational planning, training, andawareness programs.SANS Control 17 is policy-based and focuses on skills andtraining. EventTracker is able to monitor user compliancewith policy and send alerts in real time when credentialsare used in an abnormal manner. Since all user activityis logged and collected, correlation and reporting areeffective methods for monitoring the adherence to policy.YesYesCSC 18: Application Software SecurityManage the security life cycle of all in-housedeveloped and acquired software in orderto prevent, detect, and correct securityweaknesses.EventTracker collects logs from web application firewallsand from vulnerability scanners.YesYesYesYesEventTracker supports the Control 18 Metric through itsability to correlate across various applications and devicelogs at once. It is especially well positioned to createmeaningful, relevant alerts around suspicious web logdata. EventTracker provides out-of-the-box alerts fordetecting suspicious URL characters and malicious useragent strings, in addition to automatically populating an“attacking IPs list.” This list enables reporting to be doneon source IPs that is attacking the web applications.EventTracker collects logs from WAFs and IDS/IPSsystems, in addition to vulnerability scanners. All securityevent logs are correlated in real time.7SANS Control 19 is policy-based and focuses on havinga clear Incident Response policy. EventTracker has anintegrated incident management capability, providingreal-time updates on an incident’s status (i.e., working,closed, etc.). Status and commentary can be attachedto each alert and progress reports can be generatedon demand.SANS Top 20 CISCSC 19: Incident Response and ManagementProtect the organization’s information, aswell as its reputation, by developing andimplementing an incident responseinfrastructure (e.g., plans, defined roles,training, communications, managementoversight) for quickly discovering an attackand then effectively containing the damage,eradicating the attacker’s presence, andrestoring the integrity of the networkand systems.
RequirementsEventTracker SolutionEventTrackerEventTrackerCSC 20: Penetration Tests and Red TeamExercisesTest the overall strength of an organization’sdefenses (the technology, the processes, andthe people) by simulating the objectives andactions of an attacker.EventTracker collects logs from across the environment.It is a valuable monitoring tool during any penetrationtest, or red team exercise. EventTracker enables theaccounts used in the penetration test to be automaticallymonitored for legitimate use. EventTracker also enablesthe detection of unusual behavior and may be used todetect the attempts to exploit the enterprise systemsduring penetration ns.org/critical-security-controlsSANS Top 20 CIS8
SANS Top 20 CIS Critical Security Control Overview The 20 Critical Security Controls were developed in the U.S. by a consortium led by the Center for Strategic and International Studies (CSI). The Consensus Audit Guidelines (CAG), also known as the 20 Critical Security Controls, is a publication of best
