CIS Control 13: Network Monitoring and Defense

Networks form a critical core for our modern-day society and businesses. People, processes, and technologies should be in place for monitoring, detecting, logging, and preventing malicious activities that occur when an enterprise experiences an attack within or against their networks.

Key Takeaways for Control 13

Enterprises should understand that their systems and networks are never perfectly immune to a cyberattack. Enterprises can leverage the safeguards provided by Control 13 to guide the evolution and maturity of their security posture. Network monitoring and defense should be viewed as a continuous improvement capability that involves the enterprises’ people, processes, and technologies. Enterprises need a well-trained staff the executes the organizations’ network monitoring and defense ecosystem. Monitoring and logging technologies and processes provide both real-time and historical data that can be used for understanding what malicious actors are doing along with understanding their behaviors. This provides valuable knowledge that can be used by the organization as they continuously improve and mature their security posture. Detection and prevention technologies are also necessary in today’s environment because many attack techniques move at machine speed and human reaction can be too slow to defend against an automated attack. Control 13 is designed to help organizations enable and maintain good network monitoring and defense.

Safeguards for Control 13

1:   Centralize Security Event Alerting

Description: Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

Notes: The security function associated with this safeguard is Detect.

2:   Deploy a Host-Based Intrusion Detection Solution

Description: Deploy a host-based intrusion detection solution on enterprise assets where appropriate and/or supported.

Notes: The security function associated with this safeguard is Detect.

3:   Deploy a Network Intrusion Detection Solution

Description: Deploy a network intrusion detection solution on enterprise assets where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

Notes: The security function associated with this safeguard is Detect.

4:   Perform Traffic Filtering Between Network Segments

Description: Perform traffic filtering between network segments where appropriate.

Notes: The security function associated with this safeguard is Protect.

5:   Manage Access Control for Remote Assets

Description: Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on whether there’s up-to-date anti-malware software installed, whether the requesting device maintains configuration compliance with the enterprise’s secure configuration process, and whether the device’s operating system and applications are up-to-date.

Notes: The security function associated with this safeguard is Protect.

6:   Collect Network Traffic Flow Logs

Description: Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Notes: The security function associated with this safeguard is Detect.

7:   Deploy a Host-Based Intrusion Prevention Solution

Description: Deploy a host-based intrusion prevention solution on enterprise assets where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or a host-based IPS agent.

Notes: The security function associated with this safeguard is Protect.

8:   Deploy a Network Intrusion Prevention Solution

Description: Deploy a network intrusion prevention solution where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Notes: The security function associated with this safeguard is Protect.

9:   Deploy Port-Level Access Control

Description: Deploy port-level access control. Port-level access control utilizes 802.1x or similar network access control protocols such as certificates. They may incorporate user and/or device authentication, as well.

Notes: The security function associated with this safeguard is Protect.

10:   Perform Application Layer Filtering

Description: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

Notes: The security function associated with this safeguard is Protect.

11:   Tune Security Event Alerting Thresholds

Description: Tune security event alerting thresholds monthly or more frequently.

Notes: The security function associated with this safeguard is Detect.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading this guide.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense