SANS Institute Information Security Reading Room -

SANS Institute Information Security Reading Room -
SANS Institute
Information Security Reading Room

Security Intelligence and the
Critical Security Controls v6
G. W. Ray Davidson, PhD

Copyright SANS Institute 2019. Author Retains Full Rights.

This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express
written permission.
Security Intelligence
and the Critical Security Controls V6

         A SANS Spotlight Paper
        Written by G. W. Ray Davidson, PhD
                September 2016

                  Sponsored by

                                             ©2016 SANS™ Institute
Security data is everywhere—in our logs, feeds from security devices (IDS/IPS/firewalls,
                         whitelists, etc.), network and endpoint systems, anomaly reports, access records,
                         network traffic data, security incident and event monitoring (SIEM) systems, and even
                         in applications hosted in the cloud. All of this data—and the processes that use them—
                         combine to form an organization’s security intelligence ecosystem.

                         The major challenge of managing this ecosystem of security data is tying all these
                         bits of data together and automating their correlation and use, with the goal of faster
                         detection, prevention, continued security improvement and ultimately, reduced risk.1
                         The key to success is through automation and integration, according to the CIS Critical
                         Security Controls, which is now in version 6.2

                         Security Intelligence Through CIS Controls
  Unifying security      Unfortunately, in SANS’ most recent survey on security analytics and intelligence, 32
intelligence processes   percent of respondents had no automation at all, and only 3 percent said their processes
                         were “fully automated.”3 The rest fell somewhere in between, reporting only partial
 through automation
                         automation, while many responders reported their desire to unify their security-related
  and integration is     data for better cross-functional visibility and control over events. Often this security
  key to successfully    intelligence ecosystem is unified under a platform or SIEM, according to respondents.
 integrating security-   Automated security intelligence addresses most, if not all, of the CIS Controls. Table 1
 related data into the   calls out some of the key aspects of the security intelligence ecosystem that should be
workflow of detection,   made available through a platform or SIEM to prevent, detect and respond swiftly and
                         accurately to threats.
   prevention and
response/remediation.                     Table 1. The Role of Security Intelligence in CIS Critical Security Controls
                             Control                              Actions to Automate                                Security Intelligence Applied

                             CIS Control 1:                       Use an asset inventory system to                   Visibility into the asset and inventory
                             Inventory of Authorized              compare devices accessing the                      data combined with “normal”
                             and Unauthorized Devices             network against the inventory of                   network monitoring data provide
                                                                  known and approved devices. Use                    a baseline of the known and
                                                                  DHCP logs or other data to detect                  authorized devices on the network
                                                                  new/unauthorized systems. Deny                     (and their attributes). Continuous
                                                                  access or quarantine unknown                       monitoring (a key component of
                                                                  devices.                                           security intelligence) enables the
                                                                                                                     organization to quickly identify,
                                                                                                                     locate and remediate anomalies as
                             CIS Control 2:                       Detect and prevent attempts to                     Security intelligence systems make
                             Inventory of Authorized              install unauthorized software                      use of approved whitelists and
                             and Unauthorized                     or uninstall required software. If                 blacklists, provide a baseline of the
                             Software                             execution of unauthorized software                 known and authorized applications
                                                                  is detected, terminate the process.                and processes on the network (and
                                                                  Quarantine the device if that is                   their attributes), support workflow
                                                                  unsuccessful.                                      and remediation, and report when
                                                                                                                     unauthorized systems are detected.

                             A verage time to detect and respond is most often due to lack of automation/integration, according to the SANS 2015 Analytics and
                              Intelligence Survey,
                             CIS Critical Security Controls, Center for Internet Security,
                             “ SANS 2015 Analytics and Intelligence Survey,” Table 2, page 6,
                                                                     1                                           Security Intelligence and the Critical Security Controls V6
Table 1 (continued)
                       Control                      Actions to Automate                           Security Intelligence Applied

                       CIS Control 3:               Maintain an inventory of                      Utilize the baseline configuration
                       Secure Configurations for    approved software and hardware                available in these records, such as a
                       Hardware and Software on     configurations, and monitor network           configuration management database
                       Mobile Devices, Laptops,     and endpoint devices for changes in           (CMDB), along with output from
                       Workstations, and Servers    ports, services, files, registry keys, etc.   continuous monitoring through
                                                    Remediate unauthorized changes, or            the security intelligence platform to
                                                    quarantine the device automatically           detect excursions from “normal” and
                                                    using network access control (NAC),           changes in configuration of devices
                                                    mobile device management (MDM)                and applications on the network.
                                                    or other endpoint or network device
                                                    management tools.
                       CIS Control 4:               Regularly scan for vulnerabilities            Apply real-time security analytics
                       Continuous Vulnerability     in the environment using a                    and vulnerability assessment data
                       Assessment and               continuously updated tool to identify         to create a dynamic risk profile
                       Remediation                  missed patch installations. Use               to detect cyber attacks that seek
                                                    vulnerability scan data to determine          to exploit those vulnerabilities,
                                                    relevance of detected threats and             and adjust existing defensive
                                                    adjust risk profiles accordingly.             capability. Supplement real-time
                                                                                                  vulnerability data with additional
                                                                                                  change information that may not be
                                                                                                  included in standard vulnerability
                                                                                                  assessments. This feedback loop is a
                                                                                                  key aspect of the security intelligence
                       CIS Control 5:               Minimize administrative privileges            Monitor for account misuse through
                       Controlled Use of            and use them only when required.              the application of behavioral analytic
                       Administrative Privileges    Change default passwords, and use             techniques to proactively detect
                                                    secure, multifactor authentication for        anomalous privileged account
                                                    administrative duties. Monitor access         behavior. The security intelligence
                                                    and event logs for attempts to access         system serves to automate baselining
                                                    password files, escalate privilege or         of normal admin activity so that
                                                    add accounts.                                 anomalous behavior can be detected
                                                                                                  early in the threat lifecycle.
                       CIS Control 6:               Collect and analyze logs from                 Real-time data ingestion through
                       Maintenance, Monitoring,     monitoring systems to identify                automated collection, normalization
                       and Analysis of Audit Logs   suspicious activity and implement             and analytics is a characteristic of a
                                                    remediation. Do that automatically            mature security intelligence platform.
                                                    where possible. Periodically validate         Automated collection, processing,
                                                    that devices are still generating             monitoring and analysis of log data
                                                    logs and forwarding them to the               helps in developing behavioral
                                                    appropriate location.                         heuristics, proactively identifying risk
                                                                                                  and responding to incidents.
                       CIS Control 8:               Use relevant input from external              The security intelligence platform
                       Malware Defenses             threat feeds combined with                    should automatically combine
                                                    indicators of compromise developed            security intelligence from external
                                                    from internal logs to detect                  feeds with information from internal
                                                    malicious activity and update                 malware defense systems to support
                                                    defense capabilities. Update                  real-time, accurate and actionable
                                                    the organizational risk profile in            detection. The intelligence system
                                                    response to changes in the external           should also work with and tune
                                                    threat environment as well. Do that           malware defenses for better future
                                                    automatically if possible.                    protection.
                       CIS Control 9:               Monitor networking devices and                Correlate output from network
                       Limitation and Control of    endpoints using port scanners and             monitors to detect and facilitate
                       Network Ports, Protocols,    other tools. Detect open ports and            remediation of any deviations
                       and Services                 running services and protocols,               from the baseline. In a mature
                                                    and compare them against the                  intelliegence ecosystem, these
                                                    baseline for deviations. Remediate            activities will be automated and
                                                    automatically where possible.                 performed in real time to reduce the
                                                                                                  mean-time-to-detect (MTTD) and
                                                                                                  mean-time-to-respond (MTTR).

                                                      2                                      Security Intelligence and the Critical Security Controls V6
Table 1 (continued)
                          Control                      Actions to Automate                      Security Intelligence Applied

                          CIS Control 10:              Use regular automated scans              Monitor backup logs to detect
                          Data Recovery Capability     to ensure backup technology is           modifications to backup files, which
                                                       installed and working correctly.         may be an indicator of ransomware
                                                       Analyze logs to determine previous       that can render backups useless.
                                                       backup time, and remediate               Security intelligence systems should
                                                       automatically when backups are           automatically digest information
                                                       missed. Test restore capability as       from backup logs to detect failures in
                                                       well.                                    backup execution and automatically
                                                                                                support remediation.
                          CIS Control 11:              Monitor and compare                      Network monitoring output, combined
                          Secure Configurations        configurations of these devices          with vulnerability data, provides better
                          for Network Devices such     against standard/gold build, and         visibility into threats attempting to
                          as Firewalls, Routers, and   alert change attempts and unusual        exploit vulnerable network devices
                          Switches                     network attempts.                        that are misconfigured. The platform
                                                                                                should make this vulnerability data
                                                                                                readily available for use during threats
                                                                                                and remediation.
                          CIS Control 12:              Collect and utilize network flow         Security intelligence processes should
                          Boundary Defense             data and data (including device          correlate data from real-time network
                                                       logs) from boundary devices to           monitoring with baseline data to
                                                       detect anomalies and add context         adjust and tune boundary defenses on
  Employ a security                                    to other activities happening on the     a real-time basis. The system should
                                                       network. Combine this edge data          also include visibility into automated
 intelligence platform                                 with internal data to decrease the       remediation actions (e.g., issue an
                                                       information that must be examined        access control list (ACL) rule to block
  to achieve end-to-                                   within the network for network           an IP address from which an attack is
                                                       behavior anomaly detection (NBAD).       originating).
  end threat lifecycle    CIS Control 13:              Apply protection at both the             Monitor logs and other data from data
                          Data Protection              endpoints and the network to             protection systems (including access
   management to                                       detect and prevent access and            control systems, endpoint systems,
                                                       to exfiltrate data based on the          boundary defenses, network perimeter
 improve prevention,                                   organizational risk management           devices, proxies, email servers, etc.)
                                                       policy. Detect access to sensitive       to provide additional context when
 detection, response                                   data, and monitor for violations of      investigating potential exfiltration
                                                       policy.                                  attempts. This additional context
                                                                                                is a hallmark of a mature security
  and neutralization                                                                            intelligence ecosystem.

 of cyber threats that    CIS Control 15:              Detect when new devices request          Utilize network monitoring and
                          Wireless Access Control      access to the network and when           analytics to detect when rogue or
  pose a risk to your                                  access points come online. Deny          unknown devices connect to the
                                                       access or quarantine automatically       network, as well as when unauthorized
                                                       when the device is not present           or unknown applications are used
    organization.                                      in the approved list or doesn’t          over wireless access points. The system
                                                       conform to specs.                        must also support responders.
                          CIS Control 16:              Monitor all accounts and usage.          Monitor user and system behavior for
                          Account Monitoring and       Review and disable system                unauthorized or deviant activity. Employ
                          Control                      accounts that cannot be associated       immediate and, when appropriate,
                                                       with business processes or dormant       automated responses based on policy
                                                       accounts. Alert when previously          through the security intelligence
                                                       dormant accounts are used.               system. Correlate the output of
                                                       Maintain audit trails to support         monitoring processes to produce
                                                       changes. Maintain updated account        behavioral information for detecting
                                                       and activity log listings, subject to    anomalies in real time and responding
                                                       change control.                          quickly to indicators of account misuse
                                                                                                to reduce the risk of data loss.
                          CIS Control 19:              Ensure written procedures to deal        Utilize security intelligence systems
                          Incident Response and        with incidents. Conduct periodic         to make data automatically available
                          Management                   incident scenarios.                      to incident responders so they can
                                                                                                identify, scope and react appropriately.
                                                       Utilize lessons learned to identify      A mature security intelligence system
                                                       indicators of compromise, aid            should support full incident response
                                                       investigations and support               orchestration, including remediation
                                                       continuous process improvement.          workflow.

                         As this table shows, security intelligence automation helps realize the true threat
                         management potential of the CIS Controls.
                                                          3                                    Security Intelligence and the Critical Security Controls V6
Keys to Effectiveness
                                              Start by surveying what machine data exists in your enterprise, and develop a
                                              classification scheme to determine what data is most valuable and important to protect,
                                              along with models describing the threats to that data. On an ongoing basis, collect,
                                                                  process, store and analyze machine data from across the enterprise, and
    Reduce Risk and Contain Damage
                                                                  monitor the segments most closely tied to the most critical assets.
  Create your own customized security intelligence
  ecosystem. Develop and implement processes specific             Utilize security intelligence data to expand risk scoring of other areas of the
  to your business to create a detection and response             enterprise. For instance, if regular vulnerability monitoring (CIS Control 4)
  framework that does the following:                              detects an unpatched device that is included in the scope of monitoring,
    • Concentrates on high-risk areas                             that device deserves a higher risk score until it is patched and the
    • Discovers attacks quickly                                   automated workflow system has alerted the security intelligence platform
    • Contains damage effectively                                 the patches are completed and tested.
    • Completely eradicates the attacker’s footprints            Standards for consuming and normalizing the information, along
    • Restores the integrity of the network and                  with automated workflow for detecting and disseminating new threat
       systems in a timely fashion
                                                                  information, are critical to making these moving parts work together.
    • Utilizes any new security data for future
       prevention, detection and remediation                      By designing and implementing the appropriate security intelligence
                                                                  architecture and having appropriate communication standards and staffing,
                                              security intelligence improves visibility, detection and response, according to the SANS
                                              survey on security intelligence and analytics.4

                                                   “ SANS 2015 Analytics and Intelligence Survey,”
                                                                                      4                                     Security Intelligence and the Critical Security Controls V6
About the Author
        G. W. Ray Davidson, PhD, is the former dean of academic affairs for the SANS Technology Institute.
        He continues to serve as a mentor, subject matter expert and technical reviewer for the SANS Institute
        and holds several GIAC certifications. Ray started his career as a research scientist and subsequently
        led global security projects for a major pharmaceutical company. He has taught at the college level
        and worked at a security startup. Ray currently works with clients to develop and implement network
        security monitoring and threat intelligence capabilities. He is also active in the leadership of the
        Michigan Cyber Civilian Corps.

                              SANS would like to thank this paper’s sponsor:

                                                             5                            Security Intelligence and the Critical Security Controls V6
Last Updated: July 8th, 2019

                     Upcoming SANS Training
                     Click here to view a list of all SANS Courses

SANS Rocky Mountain 2019                                       Denver, COUS           Jul 15, 2019 - Jul 20, 2019   Live Event

SANS Pen Test Hackfest Europe Summit & Training 2019           Berlin, DE             Jul 22, 2019 - Jul 28, 2019   Live Event

SANS San Francisco Summer 2019                                 San Francisco, CAUS    Jul 22, 2019 - Jul 27, 2019   Live Event

DFIR Summit & Training 2019                                    Austin, TXUS           Jul 25, 2019 - Aug 01, 2019   Live Event

SANS Riyadh July 2019                                          Riyadh, SA             Jul 28, 2019 - Aug 01, 2019   Live Event

SANS July Malaysia 2019                                        Kuala Lumpur, MY       Jul 29, 2019 - Aug 03, 2019   Live Event

SANS Boston Summer 2019                                        Boston, MAUS           Jul 29, 2019 - Aug 03, 2019   Live Event

SANS Melbourne 2019                                            Melbourne, AU          Aug 05, 2019 - Aug 10, 2019   Live Event

Security Awareness Summit & Training 2019                      San Diego, CAUS        Aug 05, 2019 - Aug 14, 2019   Live Event

SANS London August 2019                                        London, GB             Aug 05, 2019 - Aug 10, 2019   Live Event

SANS Crystal City 2019                                         Arlington, VAUS        Aug 05, 2019 - Aug 10, 2019   Live Event

SANS San Jose 2019                                             San Jose, CAUS         Aug 12, 2019 - Aug 17, 2019   Live Event

SANS Prague August 2019                                        Prague, CZ             Aug 12, 2019 - Aug 17, 2019   Live Event

SANS Minneapolis 2019                                          Minneapolis, MNUS      Aug 12, 2019 - Aug 17, 2019   Live Event

Supply Chain Cybersecurity Summit & Training 2019              Arlington, VAUS        Aug 12, 2019 - Aug 19, 2019   Live Event

SANS Virginia Beach 2019                                       Virginia Beach, VAUS   Aug 19, 2019 - Aug 30, 2019   Live Event

SANS MGT516 Beta Three 2019                                    Arlington, VAUS        Aug 19, 2019 - Aug 23, 2019   Live Event

SANS Chicago 2019                                              Chicago, ILUS          Aug 19, 2019 - Aug 24, 2019   Live Event

SANS Amsterdam August 2019                                     Amsterdam, NL          Aug 19, 2019 - Aug 24, 2019   Live Event

SANS Tampa-Clearwater 2019                                     Clearwater, FLUS       Aug 25, 2019 - Aug 30, 2019   Live Event

SANS New York City 2019                                        New York, NYUS         Aug 25, 2019 - Aug 30, 2019   Live Event

SANS Copenhagen August 2019                                    Copenhagen, DK         Aug 26, 2019 - Aug 31, 2019   Live Event

SANS Hyderabad 2019                                            Hyderabad, IN          Aug 26, 2019 - Aug 31, 2019   Live Event

SANS Munich September 2019                                     Munich, DE             Sep 02, 2019 - Sep 07, 2019   Live Event

SANS Brussels September 2019                                   Brussels, BE           Sep 02, 2019 - Sep 07, 2019   Live Event

SANS Canberra Spring 2019                                      Canberra, AU           Sep 02, 2019 - Sep 21, 2019   Live Event

SANS Philippines 2019                                          Manila, PH             Sep 02, 2019 - Sep 07, 2019   Live Event

SANS Oslo September 2019                                       Oslo, NO               Sep 09, 2019 - Sep 14, 2019   Live Event

SANS Network Security 2019                                     Las Vegas, NVUS        Sep 09, 2019 - Sep 16, 2019   Live Event

SANS Dubai September 2019                                      Dubai, AE              Sep 14, 2019 - Sep 19, 2019   Live Event

SANS Rome September 2019                                       Rome, IT               Sep 16, 2019 - Sep 21, 2019   Live Event

SANS Raleigh 2019                                              Raleigh, NCUS          Sep 16, 2019 - Sep 21, 2019   Live Event

SANS Columbia 2019                                             OnlineMDUS             Jul 15, 2019 - Jul 20, 2019   Live Event

SANS OnDemand                                                  Books & MP3s OnlyUS             Anytime              Self Paced
You can also read
Next slide ... Cancel