SANS Institute Information Security Reading Room
Security Intelligence and the Critical Security Controls v6
G. W. Ray Davidson, PhD
Copyright SANS Institute 2019. Author Retains Full Rights. This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Security Intelligence
and the Critical Security Controls V6
A SANS Spotlight Paper
Written by G. W. Ray Davidson, PhD
September 2016
Sponsored by
LogRhythm
©2016 SANS™ Institute

Security data is everywhere—in our logs, feeds from security devices (IDS/IPS/firewalls, whitelists, etc.), network and endpoint systems, anomaly reports, access records, network traffic data, security incident and event monitoring (SIEM) systems, and even in applications hosted in the cloud. All of this data—and the processes that use it—combine to form an organization’s security intelligence ecosystem.

The major challenge of managing this ecosystem of security data is tying all these bits of data together and automating their correlation and use, with the goal of faster detection, prevention, continued security improvement and, ultimately, reduced risk.[1] The key to success is automation and integration, according to the CIS Critical Security Controls, which is now in version 6.[2]
Security Intelligence Through CIS Controls
Unifying security intelligence processes through automation and integration is key to successfully integrating security-related data into the workflow of detection, prevention and response/remediation.

Unfortunately, in SANS’ most recent survey on security analytics and intelligence, 32 percent of respondents had no automation at all, and only 3 percent said their processes were “fully automated.”[3] The rest fell somewhere in between, reporting only partial automation, while many responders reported their desire to unify their security-related data for better cross-functional visibility and control over events. Often this security intelligence ecosystem is unified under a platform or SIEM, according to respondents.

Automated security intelligence addresses most, if not all, of the CIS Controls. Table 1 calls out some of the key aspects of the security intelligence ecosystem that should be made available through a platform or SIEM to prevent, detect and respond swiftly and accurately to threats.
Table 1. The Role of Security Intelligence in CIS Critical Security Controls
(Each entry lists the Control, the Actions to Automate, and the Security Intelligence Applied.)

CIS Control 1: Inventory of Authorized and Unauthorized Devices
  Actions to Automate: Use an asset inventory system to compare devices accessing the network against the inventory of known and approved devices. Use DHCP logs or other data to detect new/unauthorized systems. Deny access or quarantine unknown devices.
  Security Intelligence Applied: Visibility into the asset and inventory data combined with “normal” network monitoring data provide a baseline of the known and authorized devices on the network (and their attributes). Continuous monitoring (a key component of security intelligence) enables the organization to quickly identify, locate and remediate anomalies as needed.

CIS Control 2: Inventory of Authorized and Unauthorized Software
  Actions to Automate: Detect and prevent attempts to install unauthorized software or uninstall required software. If execution of unauthorized software is detected, terminate the process. Quarantine the device if that is unsuccessful.
  Security Intelligence Applied: Security intelligence systems make use of approved whitelists and blacklists, provide a baseline of the known and authorized applications and processes on the network (and their attributes), support workflow and remediation, and report when unauthorized systems are detected.

CIS Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  Actions to Automate: Maintain an inventory of approved software and hardware configurations, and monitor network and endpoint devices for changes in ports, services, files, registry keys, etc. Remediate unauthorized changes, or quarantine the device automatically using network access control (NAC), mobile device management (MDM) or other endpoint or network device management tools.
  Security Intelligence Applied: Utilize the baseline configuration available in these records, such as a configuration management database (CMDB), along with output from continuous monitoring through the security intelligence platform to detect excursions from “normal” and changes in configuration of devices and applications on the network.

CIS Control 4: Continuous Vulnerability Assessment and Remediation
  Actions to Automate: Regularly scan for vulnerabilities in the environment using a continuously updated tool to identify missed patch installations. Use vulnerability scan data to determine relevance of detected threats and adjust risk profiles accordingly.
  Security Intelligence Applied: Apply real-time security analytics and vulnerability assessment data to create a dynamic risk profile to detect cyber attacks that seek to exploit those vulnerabilities, and adjust existing defensive capability. Supplement real-time vulnerability data with additional change information that may not be included in standard vulnerability assessments. This feedback loop is a key aspect of the security intelligence ecosystem.

CIS Control 5: Controlled Use of Administrative Privileges
  Actions to Automate: Minimize administrative privileges and use them only when required. Change default passwords, and use secure, multifactor authentication for administrative duties. Monitor access and event logs for attempts to access password files, escalate privilege or add accounts.
  Security Intelligence Applied: Monitor for account misuse through the application of behavioral analytic techniques to proactively detect anomalous privileged account behavior. The security intelligence system serves to automate baselining of normal admin activity so that anomalous behavior can be detected early in the threat lifecycle.

CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
  Actions to Automate: Collect and analyze logs from monitoring systems to identify suspicious activity and implement remediation. Do that automatically where possible. Periodically validate that devices are still generating logs and forwarding them to the appropriate location.
  Security Intelligence Applied: Real-time data ingestion through automated collection, normalization and analytics is a characteristic of a mature security intelligence platform. Automated collection, processing, monitoring and analysis of log data helps in developing behavioral heuristics, proactively identifying risk and responding to incidents.

CIS Control 8: Malware Defenses
  Actions to Automate: Use relevant input from external threat feeds combined with indicators of compromise developed from internal logs to detect malicious activity and update defense capabilities. Update the organizational risk profile in response to changes in the external threat environment as well. Do that automatically if possible.
  Security Intelligence Applied: The security intelligence platform should automatically combine security intelligence from external feeds with information from internal malware defense systems to support real-time, accurate and actionable detection. The intelligence system should also work with and tune malware defenses for better future protection.

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
  Actions to Automate: Monitor networking devices and endpoints using port scanners and other tools. Detect open ports and running services and protocols, and compare them against the baseline for deviations. Remediate automatically where possible.
  Security Intelligence Applied: Correlate output from network monitors to detect and facilitate remediation of any deviations from the baseline. In a mature intelligence ecosystem, these activities will be automated and performed in real time to reduce the mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).

CIS Control 10: Data Recovery Capability
  Actions to Automate: Use regular automated scans to ensure backup technology is installed and working correctly. Analyze logs to determine previous backup time, and remediate automatically when backups are missed. Test restore capability as well.
  Security Intelligence Applied: Monitor backup logs to detect modifications to backup files, which may be an indicator of ransomware that can render backups useless. Security intelligence systems should automatically digest information from backup logs to detect failures in backup execution and automatically support remediation.

CIS Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  Actions to Automate: Monitor and compare configurations of these devices against the standard/gold build, and alert on change attempts and unusual network attempts.
  Security Intelligence Applied: Network monitoring output, combined with vulnerability data, provides better visibility into threats attempting to exploit vulnerable network devices that are misconfigured. The platform should make this vulnerability data readily available for use during threats and remediation.

CIS Control 12: Boundary Defense
  Actions to Automate: Collect and utilize network flow data and data (including device logs) from boundary devices to detect anomalies and add context to other activities happening on the network. Combine this edge data with internal data to decrease the information that must be examined within the network for network behavior anomaly detection (NBAD).
  Security Intelligence Applied: Security intelligence processes should correlate data from real-time network monitoring with baseline data to adjust and tune boundary defenses on a real-time basis. The system should also include visibility into automated remediation actions (e.g., issue an access control list (ACL) rule to block an IP address from which an attack is originating).

CIS Control 13: Data Protection
  Actions to Automate: Apply protection at both the endpoints and the network to detect and prevent attempts to access and exfiltrate data, based on the organizational risk management policy. Detect access to sensitive data, and monitor for violations of policy.
  Security Intelligence Applied: Monitor logs and other data from data protection systems (including access control systems, endpoint systems, boundary defenses, network perimeter devices, proxies, email servers, etc.) to provide additional context when investigating potential exfiltration attempts. This additional context is a hallmark of a mature security intelligence ecosystem.

CIS Control 15: Wireless Access Control
  Actions to Automate: Detect when new devices request access to the network and when access points come online. Deny access or quarantine automatically when the device is not present in the approved list or doesn’t conform to specs.
  Security Intelligence Applied: Utilize network monitoring and analytics to detect when rogue or unknown devices connect to the network, as well as when unauthorized or unknown applications are used over wireless access points. The system must also support responders.

CIS Control 16: Account Monitoring and Control
  Actions to Automate: Monitor all accounts and usage. Review and disable system accounts that cannot be associated with business processes, as well as dormant accounts. Alert when previously dormant accounts are used. Maintain audit trails to support changes. Maintain updated account and activity log listings, subject to change control.
  Security Intelligence Applied: Monitor user and system behavior for unauthorized or deviant activity. Employ immediate and, when appropriate, automated responses based on policy through the security intelligence system. Correlate the output of monitoring processes to produce behavioral information for detecting anomalies in real time and responding quickly to indicators of account misuse to reduce the risk of data loss.

CIS Control 19: Incident Response and Management
  Actions to Automate: Ensure written procedures to deal with incidents. Conduct periodic incident scenarios. Utilize lessons learned to identify indicators of compromise, aid investigations and support continuous process improvement.
  Security Intelligence Applied: Utilize security intelligence systems to make data automatically available to incident responders so they can identify, scope and react appropriately. A mature security intelligence system should support full incident response orchestration, including remediation workflow.

Employ a security intelligence platform to achieve end-to-end threat lifecycle management to improve prevention, detection, response and neutralization of cyber threats that pose a risk to your organization.

As this table shows, security intelligence automation helps realize the true threat management potential of the CIS Controls.

[1] Average time to detect and respond is most often due to lack of automation/integration, according to the SANS 2015 Analytics and Intelligence Survey, www.sans.org/reading-room/whitepapers/analyst/2015-analytics-intelligence-survey-36432
[2] CIS Critical Security Controls, Center for Internet Security, www.cisecurity.org/critical-controls.cfm
[3] “SANS 2015 Analytics and Intelligence Survey,” Table 2, page 6, www.sans.org/reading-room/whitepapers/analyst/2015-analytics-intelligence-survey-36432
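The recurring pattern in Table 1 is to compare observed data against an approved baseline and raise every deviation for remediation. The following Python script is an added example written for this edit; it is not code from the SANS paper or from LogRhythm. It parses constructed DHCP lease log lines against an assumed asset inventory (CIS Control 1) and compares a constructed port-scan result against a per-host port baseline (CIS Control 9), returning the findings a security intelligence platform would hand to a remediation workflow. The dhcpd-style log format, inventory structure and all sample values are assumptions.

```python
"""Baseline-versus-observed detection for CIS Controls 1 and 9.

Added example (not from the SANS paper or LogRhythm). Log format, inventory
structure and sample values are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: ISC-dhcpd-style syslog lines (format assumed)
DHCP_LOG = """\
Sep 12 08:01:02 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:55 (ws-acct-07) via eth0
Sep 12 08:03:44 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to de:ad:be:ef:00:01 (android-4f2c) via eth0
Sep 12 08:05:10 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Sep 12 08:05:11 dhcp1 dhcpd: DHCPACK on 10.0.5.80 to aa:bb:cc:dd:ee:ff (ws-acct-12) via eth0
"""

# Constructed asset inventory (CMDB stand-in): approved MAC -> hostname
ASSET_INVENTORY = {
    "00:11:22:33:44:55": "ws-acct-07",
    "aa:bb:cc:dd:ee:ff": "ws-acct-12",
}

# Constructed per-host port baseline and one observed scan result (Control 9)
PORT_BASELINE = {"10.0.5.21": {22, 443}, "10.0.5.80": {22, 443, 3389}}
PORT_SCAN = {"10.0.5.21": {22, 443, 8080}, "10.0.5.80": {22, 443}}

# Only DHCPACK lines matter: they record a device that actually obtained a lease
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via"
)


@dataclass(frozen=True)
class Finding:
    control: str   # which CIS Control the deviation maps to
    subject: str   # MAC address or host the finding is about
    detail: str    # human-readable reason for the remediation queue


def parse_dhcp_acks(log_text):
    """Yield (timestamp, ip, mac, hostname) for each DHCPACK line; other lines are skipped."""
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""


def unknown_devices(log_text, inventory):
    """CIS Control 1: devices that obtained a lease but are absent from the approved inventory."""
    findings, seen = [], set()
    for ts, ip, mac, host in parse_dhcp_acks(log_text):
        if mac in inventory or mac in seen:
            continue  # approved, or already reported in this batch
        seen.add(mac)
        findings.append(Finding("CIS-1", mac,
                                f"lease {ip} ({host or 'no hostname'}) at {ts}; not in inventory"))
    return findings


def port_deviations(scan, baseline):
    """CIS Control 9: per host, ports open but not baselined, and baselined ports no longer seen."""
    findings = []
    for host in sorted(set(scan) | set(baseline)):
        observed = scan.get(host, set())
        expected = baseline.get(host, set())
        for port in sorted(observed - expected):
            findings.append(Finding("CIS-9", host, f"unexpected open port {port}"))
        for port in sorted(expected - observed):
            findings.append(Finding("CIS-9", host, f"baselined port {port} not observed"))
    return findings


def run():
    """Combine both checks into one list, as a platform would before routing to remediation."""
    return unknown_devices(DHCP_LOG, ASSET_INVENTORY) + port_deviations(PORT_SCAN, PORT_BASELINE)


if __name__ == "__main__":
    for f in run():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

On the constructed input the script reports one unknown device (the lease to de:ad:be:ef:00:01) and two port deviations (8080 open on 10.0.5.21 that the baseline does not allow, and 3389 on 10.0.5.80 that the baseline expects but the scan did not see). The second kind of deviation is reported deliberately: a baselined service that disappears can mean a host was tampered with or that the baseline itself is stale, and either way the table's "remediate automatically where possible" step needs a human-reviewed baseline to act against.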
Keys to Effectiveness

Start by surveying what machine data exists in your enterprise, and develop a classification scheme to determine what data is most valuable and important to protect, along with models describing the threats to that data. On an ongoing basis, collect, process, store and analyze machine data from across the enterprise, and monitor the segments most closely tied to the most critical assets.

Create your own customized security intelligence ecosystem. Develop and implement processes specific to your business to create a detection and response framework that does the following:
• Concentrates on high-risk areas
• Discovers attacks quickly
• Contains damage effectively
• Completely eradicates the attacker’s footprints
• Restores the integrity of the network and systems in a timely fashion
• Utilizes any new security data for future prevention, detection and remediation

Reduce Risk and Contain Damage

Utilize security intelligence data to expand risk scoring of other areas of the enterprise. For instance, if regular vulnerability monitoring (CIS Control 4) detects an unpatched device that is included in the scope of monitoring, that device deserves a higher risk score until it is patched and the automated workflow system has alerted the security intelligence platform that the patches are completed and tested.

Standards for consuming and normalizing the information, along with automated workflow for detecting and disseminating new threat information, are critical to making these moving parts work together.

By designing and implementing the appropriate security intelligence architecture and having appropriate communication standards and staffing, security intelligence improves visibility, detection and response, according to the SANS survey on security intelligence and analytics.[4]
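The risk-scoring feedback loop described above, in which a Control 4 scan finding raises an asset's score and only a patch reported as both completed and tested lowers it again, as an added Python example. This is illustration code written for this edit, not code from the paper or from any vendor platform; the event fields, score weights, classification levels and asset names are constructed assumptions.

```python
"""Dynamic risk scoring driven by vulnerability and patch-workflow events.

Added example (not from the SANS paper or any vendor product). A vuln_found
event raises an asset's score; a patch_status event clears it only when the
workflow reports the fix both completed and tested. Alerts are then ranked by
the asset's current score. All weights and sample values are assumptions.
"""
from dataclasses import dataclass, field

# Assumed base score per data-classification level (from the survey/classification step)
BASE_SCORE = {"critical": 50, "high": 30, "standard": 10}
# Assumed weight added per open vulnerability, by scanner-reported severity
SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 10, "low": 3}


@dataclass
class Asset:
    name: str
    classification: str
    open_vulns: dict = field(default_factory=dict)  # vuln id -> severity

    @property
    def risk_score(self) -> int:
        """Base score for the asset's classification plus a weight for each still-open vulnerability."""
        return BASE_SCORE[self.classification] + sum(
            SEVERITY_WEIGHT[s] for s in self.open_vulns.values())


class RiskRegister:
    def __init__(self, assets):
        self.assets = {a.name: a for a in assets}

    def apply(self, event):
        """Consume one normalized event; returns False for unknown assets or event kinds."""
        asset = self.assets.get(event.get("asset"))
        if asset is None:
            return False
        kind = event.get("kind")
        if kind == "vuln_found":
            asset.open_vulns[event["vuln"]] = event["severity"]
        elif kind == "patch_status":
            # A fix closes the vulnerability only when completed AND tested,
            # mirroring the "completed and tested" condition in the text.
            if event.get("completed") and event.get("tested"):
                asset.open_vulns.pop(event["vuln"], None)
        else:
            return False
        return True

    def score(self, name):
        return self.assets[name].risk_score

    def rank_alerts(self, alerts):
        """Order alerts so those touching the highest-risk assets are investigated first."""
        return sorted(alerts, key=lambda a: self.score(a["asset"]), reverse=True)


# Constructed event stream (scanner and patch-workflow output, normalized)
EVENTS = [
    {"kind": "vuln_found", "asset": "db-finance-01", "vuln": "VULN-A", "severity": "critical"},
    {"kind": "vuln_found", "asset": "ws-acct-07", "vuln": "VULN-B", "severity": "medium"},
    # Patch applied to the database host but not yet tested: score stays elevated
    {"kind": "patch_status", "asset": "db-finance-01", "vuln": "VULN-A",
     "completed": True, "tested": False},
    # Patch on the workstation completed and tested: score returns to baseline
    {"kind": "patch_status", "asset": "ws-acct-07", "vuln": "VULN-B",
     "completed": True, "tested": True},
]


def build_register():
    """Replay the constructed events into a register with two assumed assets."""
    reg = RiskRegister([Asset("db-finance-01", "critical"), Asset("ws-acct-07", "standard")])
    for e in EVENTS:
        reg.apply(e)
    return reg


if __name__ == "__main__":
    reg = build_register()
    alerts = [{"asset": "ws-acct-07", "msg": "new outbound connection"},
              {"asset": "db-finance-01", "msg": "new outbound connection"}]
    for a in reg.rank_alerts(alerts):
        print(f"{reg.score(a['asset']):>3}  {a['asset']}: {a['msg']}")
```

After replaying the events, db-finance-01 scores 90 (base 50 plus 40 for the critical finding whose patch is applied but untested) and ws-acct-07 is back at its base of 10, so an otherwise identical alert on the database host is ranked first. Feeding a later patch_status event with tested set to true drops the database host to 50, which is the point of wiring the patch workflow's test result, not just its completion, back into the platform.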
[4] “SANS 2015 Analytics and Intelligence Survey,” www.sans.org/reading-room/whitepapers/analyst/2015-analytics-intelligence-survey-36432
About the Author
G. W. Ray Davidson, PhD, is the former dean of academic affairs for the SANS Technology Institute.
He continues to serve as a mentor, subject matter expert and technical reviewer for the SANS Institute
and holds several GIAC certifications. Ray started his career as a research scientist and subsequently
led global security projects for a major pharmaceutical company. He has taught at the college level
and worked at a security startup. Ray currently works with clients to develop and implement network
security monitoring and threat intelligence capabilities. He is also active in the leadership of the
Michigan Cyber Civilian Corps.
Sponsor
SANS would like to thank this paper’s sponsor: LogRhythm
Last Updated: July 8th, 2019