CIS Critical Security Controls:
Technical Control Automation
Automating the Center for Internet Security’s 20 CSCs with Tenable SecurityCenter Continuous View™
June 21, 2016
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous
View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. 2
Table of Contents
Introduction (p. 3)
  What are the CIS Critical Security Controls? (p. 3)
Tenable’s Solution (p. 4)
  Account Monitoring and Control (p. 5)
  Data Protection (p. 6)
  Vulnerability Management (p. 7)
  Secure Configuration (p. 8)
  Hardware and Devices (p. 9)
  Software and Applications (p. 9)
  Logging and Monitoring (p. 9)
  Foundational Cyber Hygiene (p. 10)
About Tenable Network Security (p. 10)
Appendix A: Tenable Solution for the CIS Critical Security Controls (p. 11)
Introduction
This paper provides insight into how Tenable addresses the Center for Internet Security (CIS) Critical Security Controls for
Effective Cyber Defense (CSC) version 6.0. The CSCs are a recommended set of actions that provide specific and actionable
protection against cyberattacks.
Specifically, this paper describes how Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) can be leveraged to
help meet the guidelines and practices outlined in the CSCs through automation of their technical controls. Organizations
can use the CSCs to take a prioritized approach to selecting and deploying security controls. Because the CSCs are not
intended to be a “one size fits all” approach, Tenable’s solution is scalable across all organizational sizes and can be adapted
for specific use across multiple industries.
What are the CIS Critical Security Controls?
The CIS Critical Security Controls are 20 prioritized, vetted, and well-supported security actions to assess and improve cyber
security. They were created, and are regularly reviewed and updated, by a collaboration of security experts from all types of
organizations, roles, and sectors. The practical knowledge and contribution of these stakeholders to the CSCs ensure that
control specifications will provide “the most effective and specific set of technical measures available to detect, prevent,
respond, and mitigate damage from the most common to the most advanced of those attacks.”1 The CIS notes the controls’
five critical tenets for effective cyber defense:2
Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.
Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.
Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
A comprehensive summary of the requirements in all of the CSC controls and sub-controls is detailed in Appendix A with
corresponding automation capabilities for technical controls provided by Tenable.
1 CIS Critical Security Controls, Version 6.0, p. 2.
2 Quoted from CIS Critical Security Controls, Version 6.0, p. 3.
Tenable’s Solution
SecurityCenter CV is a robust solution that addresses about 66% of the CSCs’ technical controls. SecurityCenter CV is also
extremely powerful for communicating CSC conformance results to many different internal and external stakeholders.
SecurityCenter CV is a comprehensive solution that utilizes active scanning, intelligent connectors, agent scanning, passive
listening, and host data to provide continuous visibility and critical context, enabling decisive action. With advanced
analytics, it gives you continuous assurance that your security program is working. Capabilities include:
Information on which assets are connected to the network and how they are communicating
Active monitoring of host activities and events, including who is accessing them and what is changing
Identification of previously unknown resources, changes in behavior, and new application usage
Near real-time metrics for continuous security and compliance
Correlation of real-time activity with the state-based vulnerability data
Security assurance using Tenable exclusive Assurance Report Cards™ (ARCs) that measure effectiveness of security
investments
Highly customizable dashboards, reports, and workflows for rapid response
Communication of consolidated metrics
Trends across systems, services, and geographies
Controls team member permissions by role
Advanced analytics with actionable information and trending to prioritize events/alerts
The key features and functionality of SecurityCenter CV as they relate to automating the CSCs’ technical controls are
described in the following sections.
Account Monitoring and Control
User account management, access control, and enforcement of least privilege are critical to effective information security
practices. Without proper user account management, an organization may not know who has access to their assets, whether
or not the old accounts of former employees are still active, and whether or not user passwords meet policy requirements.
Without proper access control and enforcement of least privilege, users may inadvertently access information they should
not, change files, or install malware on the network. This increases the risk of network intrusion and compromise, insider
activity, and data loss. Monitoring user access and least privilege and taking appropriate actions are very important to
protect the organization.
Account Monitoring and Control is required by CSC 5 – Controlled Use of Administrative Privileges, and CSC 16 – Account
Monitoring and Control. SecurityCenter CV addresses these controls via its Account Monitoring and Control dashboard.
This dashboard provides components to assist an organization in identifying the users, identifying users who have performed
administrative actions, monitoring for account and credential vulnerabilities, and identifying any user access, password
requirement, or least privilege compliance failures. The dashboard also provides components that allow an organization to
monitor user access-related events and changes, such as first time logons to a system, login failures due to expired
passwords or disabled accounts, and privilege and group membership changes. Indicators for suspicious and anomalous user
activity are also presented. Analysts can use this dashboard to easily drill down into the data presented and gain more
detailed information.
SecurityCenter Continuous View Dashboard for Account Monitoring and Control
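The event types listed above (first-time logons, failures due to expired passwords or disabled accounts, and group membership changes) can be pulled out of Windows Security log records with a few lines of detection logic. The script below is an added example, not Tenable code or a SecurityCenter component; the records are constructed samples in a simplified one-JSON-object-per-line form, and the privileged-group list is an assumption.

```python
"""Flag the CSC 5 / CSC 16 account-monitoring indicators from Windows
Security events.  Added example, not Tenable code; sample records are
constructed and the PRIVILEGED_GROUPS set is an assumed policy choice."""
import json
from collections import Counter

# Standard Windows Security event IDs (not Tenable-specific).
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
GROUP_ADD_EVENTS = {4728: "global group", 4732: "local group", 4756: "universal group"}
# NTSTATUS sub-status codes carried in 4625 failures for the two cases the
# dashboard tracks; other failure reasons (e.g. bad password) are ignored here.
FAILURE_REASONS = {"0xC0000071": "password expired", "0xC0000072": "account disabled"}
# Assumption for this example: groups whose membership changes are privileged.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE_LOG = """\
{"EventID": 4624, "TargetUserName": "alice", "Computer": "WS01", "LogonType": 2}
{"EventID": 4624, "TargetUserName": "alice", "Computer": "WS01", "LogonType": 2}
{"EventID": 4624, "TargetUserName": "alice", "Computer": "SRV-FIN01", "LogonType": 10}
{"EventID": 4625, "TargetUserName": "bob", "Computer": "WS02", "SubStatus": "0xC0000071"}
{"EventID": 4625, "TargetUserName": "carol.old", "Computer": "WS03", "SubStatus": "0xC0000072"}
{"EventID": 4625, "TargetUserName": "bob", "Computer": "WS02", "SubStatus": "0xC000006A"}
{"EventID": 4732, "MemberName": "CN=dave,OU=Users,DC=example,DC=com", "TargetUserName": "Administrators", "SubjectUserName": "alice", "Computer": "WS01"}
{"EventID": 4728, "MemberName": "CN=erin,OU=Users,DC=example,DC=com", "TargetUserName": "Domain Admins", "SubjectUserName": "alice", "Computer": "DC01"}
{"EventID": 4728, "MemberName": "CN=frank,OU=Users,DC=example,DC=com", "TargetUserName": "Sales", "SubjectUserName": "alice", "Computer": "DC01"}
"""


def analyze_events(log_text, known_logons=None):
    """Return a list of finding dicts for the three indicator types.

    known_logons is an optional baseline set of (user, host) pairs; a successful
    logon for a pair outside the baseline is reported as a first-time logon and
    the pair is then added, so repeats are not reported again."""
    seen = set(known_logons or ())
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev["EventID"]
        host = ev.get("Computer")
        if eid == LOGON_SUCCESS:
            pair = (ev["TargetUserName"], host)
            if pair not in seen:
                seen.add(pair)
                findings.append({"indicator": "first_time_logon", "subject": pair[0],
                                 "host": host, "detail": f"logon type {ev.get('LogonType')}",
                                 "privileged": False})
        elif eid == LOGON_FAILURE:
            reason = FAILURE_REASONS.get(ev.get("SubStatus"))
            if reason:
                findings.append({"indicator": "logon_failure", "subject": ev["TargetUserName"],
                                 "host": host, "detail": reason, "privileged": False})
        elif eid in GROUP_ADD_EVENTS:
            # For 4728/4732/4756, TargetUserName is the group and MemberName the account added.
            group = ev["TargetUserName"]
            findings.append({"indicator": "group_change", "subject": ev["MemberName"],
                             "host": host,
                             "detail": f"added to {GROUP_ADD_EVENTS[eid]} '{group}' by {ev.get('SubjectUserName')}",
                             "privileged": group in PRIVILEGED_GROUPS})
    return findings


def summarize(findings):
    """Count findings per indicator, as a dashboard component would display them."""
    return dict(Counter(f["indicator"] for f in findings))


def privileged_group_changes(findings):
    """Membership changes to privileged groups: the CSC 5 cases to review first."""
    return [f for f in findings if f["indicator"] == "group_change" and f["privileged"]]


if __name__ == "__main__":
    results = analyze_events(SAMPLE_LOG)
    print(summarize(results))
    for f in privileged_group_changes(results):
        print(f["subject"], f["detail"], "on", f["host"])
```

Feeding a baseline of already-seen (user, host) pairs into known_logons is what turns "logon" into "first-time logon"; without a baseline every user's first appearance in the window is reported.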
Data Protection
Data leakage can happen when organizations lose track of where sensitive data is stored, who has access to that data, and
how sensitive data traverses the network. Financial information, payment card numbers, and personally identifiable
information (PII) can be leaked both unintentionally and intentionally. Security incidents can increase the risk of identity
theft, stolen account information, and exfiltration of sensitive internal data, which can be costly and damaging to an
organization’s reputation and business. The Data Protection dashboard can assist the organization in reducing data leakage,
protecting sensitive data, and monitoring for related suspicious activity.
Data Protection is required by CSC 13 – Data Protection, and CSC 14 – Controlled Access Based on the Need to Know.
SecurityCenter CV addresses these controls via its Data Protection dashboard.
The dashboard automatically collects and correlates input from several Tenable sensors. Passive listening analyzes data in
motion and can detect sensitive data such as unencrypted credit card numbers and Social Security numbers traversing the
network. These events as well as events from Data Loss Prevention (DLP) systems are forwarded to SecurityCenter CV.
Active scans can identify vulnerabilities that could lead to data leakage. The dashboard presents all this information to assist
the organization in detecting data exfiltration and securing sensitive data. Analysts can also use this dashboard to easily drill
down and gain more detailed information.
SecurityCenter Continuous View Dashboard for Data Protection
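The passive detection described above, finding unencrypted card numbers and Social Security numbers in data in motion, is illustrated by the added example below. It is not Tenable code and does not show how the Passive Vulnerability Scanner works internally; the flows are constructed samples, the card numbers are public test numbers, and the list of cleartext protocols is an assumption. The Luhn check and the structural SSN rules are what keep a 16-digit order number or an impossible SSN from producing a false alert.

```python
"""Detect unencrypted PANs and SSNs in cleartext flows (CSC 13 data in motion).
Added example, not Tenable code; flows below are constructed samples."""
import re

# Candidate primary account number: 13-19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")
# U.S. Social Security number in the usual AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Assumption: only these protocols are inspected; encrypted flows (TLS) carry no
# inspectable payload, which is why a passive sensor only ever sees *unencrypted* data.
CLEARTEXT_PROTOS = {"http", "smtp", "ftp", "telnet"}


def luhn_valid(digits):
    """Luhn (mod 10) check used on card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Reject structurally impossible SSNs (never-issued area/group/serial values)."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def scan_payload(text):
    """Return [(kind, masked_value), ...] for sensitive values found in cleartext."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(1))
        if luhn_valid(digits):
            hits.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits


def scan_flows(flows):
    """Apply scan_payload to each cleartext flow; one finding per value, with endpoints."""
    findings = []
    for flow in flows:
        if flow["proto"] not in CLEARTEXT_PROTOS:
            continue  # encrypted or unknown protocol: nothing to inspect
        for kind, masked in scan_payload(flow["payload"]):
            findings.append({"kind": kind, "value": masked, "src": flow["src"],
                             "dst": flow["dst"], "dport": flow["dport"]})
    return findings


# Constructed sample flows (not captured traffic); card numbers are public test numbers.
SAMPLE_FLOWS = [
    {"src": "10.0.1.25", "dst": "203.0.113.10", "dport": 80, "proto": "http",
     "payload": "POST /checkout HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&exp=1227&cvv=123"},
    {"src": "10.0.1.25", "dst": "203.0.113.10", "dport": 443, "proto": "tls",
     "payload": "\x16\x03\x01\x00\xa5"},
    {"src": "10.0.2.7", "dst": "10.0.9.3", "dport": 25, "proto": "smtp",
     "payload": "Subject: new hire\r\n\r\nSSN 123-45-6789, start Monday"},
    {"src": "10.0.3.4", "dst": "10.0.9.8", "dport": 8080, "proto": "http",
     "payload": "GET /order/1234567890123456 HTTP/1.1"},   # 16 digits, fails Luhn
    {"src": "10.0.3.4", "dst": "10.0.9.8", "dport": 8080, "proto": "http",
     "payload": "id=000-12-3456"},   # impossible SSN area
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS):
        print(f"{f['kind'].upper()} {f['value']} {f['src']} -> {f['dst']}:{f['dport']}")
```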
Vulnerability Management
Vulnerable devices and applications on an organization's network pose a great risk. Vulnerabilities such as outdated
software, susceptibility to buffer overflows, risky enabled services, etc. are weaknesses in the network that could be
exploited. Organizations that do not continuously look for vulnerabilities and proactively address discovered flaws are very
likely to have their network compromised and their data stolen or destroyed.
Vulnerability Management is required by CSC 4 – Continuous Vulnerability Assessment and Remediation. SecurityCenter
CV addresses this control via its Vulnerability Management dashboard. This dashboard provides a high-level overview of
an organization's vulnerability management program and can assist the organization in identifying vulnerabilities,
prioritizing remediations, and tracking remediation progress.
Analysts can also use this dashboard to easily drill down into the data presented by the dashboard components. This enables
the analyst to gain more detailed information about the vulnerabilities found on the network, such as which vulnerabilities
are the most dangerous. The analyst can also determine the root cause of vulnerabilities that are not patched within your
corporate standard timeframes. This information might include on which hosts a vulnerability is found and what
remediations would most benefit a particular group of machines. Knowing these details can enable better and more efficient
vulnerability management, patching, and mitigation within the organization. This in turn will help the organization better
protect itself from exploitation of network vulnerabilities, and potential intrusions, attacks, and data loss.
SecurityCenter Continuous View Dashboard for Vulnerability Management
Secure Configuration
Compliance and regulatory changes can be challenging for organizations to manage effectively. Not only do organizations
have to keep systems updated with the latest patches, but systems also need to be hardened to reduce the attack surface.
Default configurations for operating systems, applications, and devices tend to be geared for ease-of-use rather than
security. If these systems are not locked down, attackers will find opportunities to exploit them. Hardening systems will
remove access to unnecessary services, software, and users, which helps to ensure the security of network systems.
Secure Configuration is required by CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops,
Workstations, and Servers, and CSC 11 – Secure Configurations for Network Devices. SecurityCenter CV addresses these
controls via its Secure Configuration dashboard.
This dashboard reports the results of compliance scans across various compliance standards and network systems, in order
to assist in the compliance and device hardening efforts of an organization. It can measure compliance using audit files that
cover a wide range of major regulatory and other auditable standards, such as CIS benchmarks, HIPAA, NIST SP 800-53, PCI,
STIGs, and more. Tenable provides over 450 audit files, available for download from the Tenable Support Portal, in
categories such as operating systems, applications, databases, and network devices. Audit files can be customized if desired
to match an organization’s security policy. For more information on using audit files, see the Nessus Compliance Checks paper.
The components on this dashboard present various views into the compliance scan results, providing an analyst with
targeted information such as compliance results per standard, per device type, and per keyword. Analysts can easily drill
down into the data presented by the dashboard components to gain more detailed information about the compliance checks.
This might include the systems on which compliance failures were found, expected vs. actual policy values, and the specific
sections of the various standards to which a compliance check relates. The organization can then use this information to
apply hardening techniques and reduce the organization’s overall attack surface.
SecurityCenter Continuous View Dashboard for Secure Configuration
Hardware and Devices
As new technologies continue to advance, personal devices are increasingly found connected to enterprise networks. New or
unknown devices on an organization's network can pose a great risk to the organization. Managing control of all network
devices is critical in maintaining a secure environment.
This requirement for Hardware and Devices is in CSC 1 – Inventory of Authorized and Unauthorized Devices, and CSC 9 –
Limitation and Control of Network Ports, Protocols, and Services. SecurityCenter CV addresses these controls via its
Devices and Ports dashboard.
Analysts can use this dashboard to easily drill down into the data presented by the dashboard components. Detailed
information on devices and ports provides a starting point for determining which further steps are the most beneficial. This
information supports more effective and efficient vulnerability management, patching, and remediation within the
organization, which in turn helps the organization protect itself from exploitation of network vulnerabilities, potential
intrusions, attacks, and data loss.
Software and Applications
Identifying when software is installed, changed, out of date, or contains malware is important in maintaining a secure
environment. This information is required to assist in protecting organizations from unwanted or potentially dangerous
applications, enabling better and more efficient vulnerability management, and identifying software and application
vulnerabilities within the organization.
This functionality is required by CSC 2 – Inventory of Authorized and Unauthorized Software, CSC 3 – Secure Configurations
for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, CSC 7 – Email and Web Browser
Protections, CSC 8 – Malware Defenses, and CSC 18 – Application Software Security. SecurityCenter CV addresses these
controls via its Software and Applications dashboard.
This dashboard presents tables and indicators for events that identify when software is installed, changed, or removed.
Unsupported applications, missing patches, browser, and malware checks are also identified. Software and application
vulnerabilities present on a network can pose a risk to the organization. Evaluating and remediating software and
applications vulnerabilities is critical in maintaining a secure environment.
Analysts can use this dashboard to easily drill down into the data presented by the dashboard components. Detailed
information on software and application vulnerabilities provides a starting point for determining which further steps are the
most beneficial. This information supports more effective and efficient vulnerability management, patching, and
remediation within the organization, which in turn helps the organization protect itself from exploitation of network
vulnerabilities, potential intrusions, attacks, and data loss.
Logging and Monitoring
Monitoring of system logs is critical in reducing the potential for data compromise, as logs contain alerts, events, and
historical data. This data provides details and information on logging and monitoring efforts, and can aid in improving
vulnerability management and intrusion detection.
Logging and Monitoring is required by CSC 6 – Maintenance, Monitoring, and Analysis of Audit Logs, CSC 12 – Boundary
Defense, and CSC 15 – Wireless Access Control. SecurityCenter CV addresses these controls via its Logging and Monitoring
dashboard.
This dashboard presents tables and indicators for events that, if present on an organization's network, can pose risk to the
organization. Analysts can also use this dashboard to easily drill down into the data, which provides detailed information on
events including log sources, wireless events, bot-net activity, event spikes, and others. Each of the indicators on this
dashboard provides a starting point to determine any further steps that are required to identify an incident or track
unauthorized activity. Knowing the details of these events can enable better and more efficient vulnerability management
practices within the organization. This information will help the organization prevent or minimize exploitation of network
vulnerabilities, potential intrusions, attacks, and data loss.
Foundational Cyber Hygiene
Establishing a starting point can improve an organization’s security posture to provide the greatest protection against threats
and vulnerabilities, and is beneficial to every security program. New or unknown devices, software, applications, and
vulnerabilities on an organization's network pose a great risk to the organization. Continuous monitoring for vulnerabilities,
including new/unknown devices, and proactively addressing discovered flaws could reduce the risks of network compromise,
data theft, or destruction. These activities are collectively known as “Foundational Cyber Hygiene.”
Foundational Cyber Hygiene is required by CSC 1 – Inventory of Authorized and Unauthorized Devices, CSC 2 – Inventory
of Authorized and Unauthorized Software, CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices,
Laptops, Workstations, and Servers, CSC 4 – Continuous Vulnerability Assessment and Remediation, and CSC 5 – Controlled
Use of Administrative Privileges. SecurityCenter CV addresses these controls via its Foundational Cyber Hygiene
dashboard.
To streamline management of these controls, Tenable aligns its dashboard with the Top 5 Priorities of the National Cyber
Hygiene Campaign: “Count, Configure, Control, Patch, and Repeat.” The National Cyber Hygiene Campaign was developed
as a foundation to assist in implementing the CIS Critical Security Controls. The campaign begins by asking five questions
that align with the first five CSC categories: What is connected to the network? What software is running on the network?
Are you managing your systems? Are you looking for known bad software? Do you track those with administrative
privileges?
Analysts can use this dashboard to easily drill down into the data to determine further steps that can be the most beneficial
in securing the network. Knowing these details can enable better and more efficient vulnerability management strategies
within the organization. Subsequently the organization may be better protected from exploitation of network vulnerabilities,
and potential intrusions, attacks, and data loss.
Appendix A breaks down the CSCs by controls and sub-controls, and describes how SecurityCenter CV can automate the
vast majority of the CSCs’ technical controls.
About Tenable Network Security
Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive
solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization.
Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and
more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's
customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses
in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with
Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.
Appendix A: Tenable Solution for the CIS Critical Security Controls
Note: Tenable SecurityCenter CV can help organizations automate about 66% of the CIS Critical Security Controls’ technical
controls. Specific categories of each Critical Control are listed in the table below, along with how SecurityCenter CV can be
matched to each item. The examples below are not all-inclusive, and in many cases, SecurityCenter CV can be used for more
in-depth coverage of a specific category.
Process | Name | How Tenable Can Help

CSC-1 Inventory of Authorized and Unauthorized Devices: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
1.1 / System | Deploy an automated asset inventory discovery tool and build inventory of networked systems | Tenable presents a list of all assets discovered on the network; list must be reviewed/filtered to denote unauthorized assets.
1.2 / System | Deploy dynamic host configuration protocol server logging to improve asset inventory (if DHCP is used) | Tenable does this for MS DHCP servers only and the MS server needs to have the Log Correlation Engine client installed.
1.3 / System | Automatically update asset inventory with addition of new equipment | Partly an administrative control; n/a.
1.4 / System | Maintain asset inventory of all networked systems and devices | Tenable can partially fulfill 1.4.
1.5 / System | Deploy network level authentication via 802.1x to control network access | n/a
1.6 / System | Use client certificates to validate and authenticate systems for network access | n/a

CSC-2 Inventory of Authorized and Unauthorized Software: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
2.1 / System | Devise list of authorized software and versions; monitor for integrity | Tenable’s Software Enumeration capability can build a list of currently deployed software that can be reviewed to determine what is authorized.
2.2 / System | Deploy whitelisting software to deny execution of unauthorized software | Tenable’s dynamic asset lists can identify systems containing an enumerated list of whitelisted or blacklisted software. Tenable also supports whitelist plugins to search authorized and unauthorized software.
2.3 / System | Deploy software inventory tools to centrally track software & OSes on all networked devices | Tenable presents a list of software; list must be reviewed/filtered to find unauthorized assets. Tenable supports a few plugins that inventory software via SSH, WMI, and for OS X.
2.4 /
System
Run higher risk applications on virtual machines
and/or air-gapped systems
Administrative control; n/a.
CSC-3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
3.1 /
System
Establish standard secure configurations of OSes and
software applications
Tenable supplies a series of audit files based on the
CIS Critical Security Controls OS and configuration
standard.
3.2 /
System
Follow strict configuration management to build a
secure image on all new deployed systems
n/a
3.3 /
System
Securely store master images to prevent
unauthorized changes
Tenable can scan systems cloned from the master
image provided the cloned OS is running during the
scan.
3.4 /
System
Perform all remote administration over secure
channels
Tenable partially fulfills 3.4 with passive
monitoring, which can detect the use of
unencrypted VNC and RDP protocols.
3.5 /
System
Use file integrity checking tools to ensure that critical
system files have not been altered
Tenable partially fulfills 3.5 by monitoring critical
system files and application executables for
change, and can identify suspicious changes by
comparing the changed files to known malware.
3.6 /
System
Implement and test automated configuration
monitoring (preferably SCAP) to detect and alert
unauthorized changes
Tenable can use regularly scheduled agent
assessments to detect, log, and alert on these
events.
3.7 /
System
Deploy system configuration management tools to
automatically enforce and redeploy configuration
settings
Tenable can detect configuration change when
new policies are applied.
CSC-4 Continuous Vulnerability Assessment and Remediation Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
4.1 /
System
Run automated vulnerability scanning tools against
all systems on the network on a weekly or more
frequent basis; inform system administrators of most
critical vulnerabilities
Tenable can run automated vulnerability scans
against all systems on the network on a weekly or
more frequent basis – even continuously for
maximum security vigilance. Tenable dashboards,
reports, and alerts inform system administrators of
the most critical vulnerabilities and their relative
threat to specific assets on your network.
4.2 /
System
Correlate event logs with vulnerability scanning data
Tenable correlates event logs with vulnerability
scanning data and provides reports using the SCAP
framework and CVSS scores.
4.3 /
System
Perform vulnerability scanning on each end system in
authenticated mode with agents or remote scanners
Tenable can provide authenticated vulnerability
scanning on all networked end systems using
software agents or remote scanners.
4.4 /
System
Subscribe to vulnerability intelligence services or
ensure vulnerability scanning tools and data are
regularly updated
SecurityCenter CV incorporates vulnerability
intelligence from leading industry sources. The
newest vulnerability intelligence is automatically
provided to you with the current version of
SecurityCenter CV. Updates occur automatically
with our cloud-based solution and can be
automatically configured in local deployments.
4.5 /
System
Deploy automated patch management tools and
software update tools for OS and software; apply
patches to all systems
Tenable integrates with leading patch management
and software update tools via an API. These
integrations allow Tenable to validate that patches
were applied, assisting remediation, and to detect,
log, and alert on updates as they occur.
4.6 /
System
Monitor logs associated with any scanning activity
and associated administrator accounts to ensure
legitimate scans
Scan permissions in Tenable are governed by role-
based access control, and alerts on scans launched
by specific administrators can be configured as
needed to detect abuse of privilege.
4.7 /
System
Compare results from back-to-back vulnerability
scans to verify remediation or compensating control
Tenable scan reports provide back-to-back
comparisons of scans to verify the application of a
patch, re-configuration, or other remedial action.
4.8 /
System
Establish a process to risk-rate vulnerabilities based
on exploitability and potential impact
Tenable assists in the classification process by
assigning severity levels to vulnerabilities based on
their CVSS scores and the business value of the
affected network and other IT assets.
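Worked example for 4.7 and 4.8, added here and not taken from Tenable's product or its export formats: two constructed scan result sets are diffed by (host, check, port, protocol) to separate remediated, new and persisting findings, and the findings still open are ranked by CVSS impact weighted by an assumed asset business value and by exploit availability. Host names, check names, scores and the ASSET_VALUE table are all constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample scan exports (hypothetical check names, hosts and scores;
# this is not Tenable's export format). Each finding is keyed by host, check,
# port and protocol so that the same weakness on two ports is two findings.
PREVIOUS_SCAN: List[dict] = [
    {"host": "web01", "check": "openssl-outdated", "port": 443, "proto": "tcp",
     "cvss": 7.5, "exploit_available": False},
    {"host": "web01", "check": "ssh-weak-mac", "port": 22, "proto": "tcp",
     "cvss": 5.3, "exploit_available": False},
    {"host": "db01", "check": "sqlserver-rce", "port": 1433, "proto": "tcp",
     "cvss": 9.8, "exploit_available": True},
    {"host": "kiosk07", "check": "smbv1-enabled", "port": 445, "proto": "tcp",
     "cvss": 9.3, "exploit_available": True},
]
CURRENT_SCAN: List[dict] = [
    {"host": "web01", "check": "ssh-weak-mac", "port": 22, "proto": "tcp",
     "cvss": 5.3, "exploit_available": False},
    {"host": "db01", "check": "sqlserver-rce", "port": 1433, "proto": "tcp",
     "cvss": 9.8, "exploit_available": True},
    {"host": "kiosk07", "check": "rdp-weak-encryption", "port": 3389, "proto": "tcp",
     "cvss": 4.3, "exploit_available": False},
]

# Assumed business value of each asset on a 1 (low) to 5 (critical) scale.
ASSET_VALUE: Dict[str, int] = {"db01": 5, "web01": 3, "kiosk07": 1}

Key = Tuple[str, str, int, str]


def finding_key(f: dict) -> Key:
    return (f["host"], f["check"], f["port"], f["proto"])


def diff_scans(previous: List[dict], current: List[dict]) -> Dict[str, List[dict]]:
    """Back-to-back comparison (4.7): what went away, what is new, what remains."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    return {
        "remediated": [prev[k] for k in sorted(prev.keys() - curr.keys())],
        "new": [curr[k] for k in sorted(curr.keys() - prev.keys())],
        "persisting": [curr[k] for k in sorted(prev.keys() & curr.keys())],
    }


def cvss_severity(score: float) -> str:
    """CVSS v3 qualitative rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def risk_score(f: dict, asset_value: Dict[str, int]) -> float:
    """Risk rating (4.8): impact (CVSS) x business value x exploitability weight.

    The 1.5 multiplier for a publicly available exploit is an assumed policy
    choice, not a CVSS rule; tune it to the organization's risk appetite.
    """
    exploit_weight = 1.5 if f.get("exploit_available") else 1.0
    return round(f["cvss"] * asset_value.get(f["host"], 1) * exploit_weight, 1)


def prioritize(findings: List[dict], asset_value: Dict[str, int]) -> List[dict]:
    """Open findings ordered by risk score, highest first."""
    return sorted(findings, key=lambda f: risk_score(f, asset_value), reverse=True)


def remediation_report() -> Dict[str, list]:
    delta = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    ranked = prioritize(delta["new"] + delta["persisting"], ASSET_VALUE)
    return {
        "remediated": [finding_key(f) for f in delta["remediated"]],
        "open_ranked": [(f["host"], f["check"], cvss_severity(f["cvss"]),
                         risk_score(f, ASSET_VALUE)) for f in ranked],
    }


if __name__ == "__main__":
    for section, rows in remediation_report().items():
        print(section, rows)
```

Keying on port and protocol matters: if a vulnerable service is moved to a new port, the old finding disappears and a new one appears, which a host-only key would quietly report as "persisting". An unknown host defaults to business value 1 so that unclassified assets are never ranked above classified ones by accident.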
CSC-5 Controlled Use of Administrative Privileges The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
5.1 /
System
Minimize administrative privileges and only use
administrative accounts when required; audit them
closely
Tenable continuously monitors and logs anomalous
events on administrative accounts; it provides least
privilege compliance checks and alerts when
attempts are made to exceed privileges. Tenable’s
agent-based scans also fulfill this function.
5.2 /
System
Use automated tools to inventory administrative
accounts and privileges, and validate their
authorization
Tenable continuously monitors administrative
accounts and privileges, and logs and alerts
changes to privileges and group memberships on
Microsoft Windows and Apple OS machines. This
includes tracking use of root privilege.
5.3 /
System
Before deployment of any new networked device,
change all default passwords
n/a
5.4 /
System
Configure systems to issue a log entry and alert when
administrative assignments change
Tenable can audit systems to verify that logging of
administrative assignment changes is enabled, and
can collect and log the resulting events.
5.5 /
System
Configure systems to issue a log entry and alert on
any unsuccessful login to an administrative account
Tenable can audit systems to verify that logging of
unsuccessful administrative logins is enabled, and
can collect and log the resulting events.
5.6 /
System
Use multi-factor authentication for all administrative
access
n/a
5.7 /
System
Where multi-factor authentication is not supported,
passwords for user accounts must be longer than 14
characters
Tenable can test for password length as defined by
policy.
5.8 /
System
Administrators should be required to access a system
using a fully logged and non-administrative account –
then use tools for administrative privileges
Tenable partially fulfills 5.8 by tracking sudo
(Unix/Linux) and RunAs (Windows) privilege
elevation events.
5.9 /
System
Administrators shall use a dedicated machine for all
administrative tasks or tasks requiring elevated
access
Administrative control; n/a.
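Added example for 5.5 and 5.8, written for this page and not Tenable's code: it parses sudo and sshd syslog lines to record privilege elevations, sudo refusals, failed logins to administrative accounts and direct interactive logins as root, then raises the alerts the two sub-controls ask for. The log lines in SAMPLE_LOG are constructed (host, users and addresses are fictional) and ADMIN_ACCOUNTS is an assumption about which accounts count as administrative.

```python
import re
from collections import Counter
from typing import Dict, List

# Accounts treated as administrative for alerting purposes (assumption).
ADMIN_ACCOUNTS = {"root", "admin"}

# Standard Linux sudo/sshd syslog formats. A leading "reason" such as
# "command not allowed" appears only when sudo refused the command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SUDO_PAM_FAIL_RE = re.compile(
    r"sudo: pam_unix\(sudo:auth\): authentication failure;.*\buser=(?P<user>\S+)"
)
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log lines (hosts, users and addresses are fictional).
SAMPLE_LOG = """\
Jun 21 10:02:13 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Jun 21 10:03:02 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=mallory uid=1002 euid=0 tty=/dev/pts/1 ruser=mallory rhost=  user=mallory
Jun 21 10:03:40 host1 sudo:  mallory : command not allowed ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Jun 21 10:05:11 host1 sshd[2234]: Failed password for root from 203.0.113.7 port 51522 ssh2
Jun 21 10:05:14 host1 sshd[2236]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jun 21 10:05:18 host1 sshd[2238]: Failed password for root from 203.0.113.7 port 51541 ssh2
Jun 21 10:05:20 host1 sshd[2240]: Accepted publickey for root from 10.0.0.5 port 40000 ssh2
Jun 21 10:09:51 host1 sudo:      bob : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/apt-get update
"""


def analyze(lines, fail_threshold: int = 3) -> Dict[str, list]:
    """Extract privilege-use events and raise alerts for the 5.5 and 5.8 conditions."""
    elevations, denied, failed_admin, direct_admin = [], [], [], []
    for line in lines:
        m = SUDO_RE.search(line)
        if m:
            rec = {"user": m["user"], "target": m["target"], "cmd": m["cmd"]}
            (denied if m["reason"] else elevations).append(rec)
            continue
        m = SUDO_PAM_FAIL_RE.search(line)
        if m:
            denied.append({"user": m["user"], "target": "?", "cmd": "(sudo authentication failure)"})
            continue
        m = SSHD_RE.search(line)
        if m and m["user"] in ADMIN_ACCOUNTS:
            if m["result"] == "Failed":
                failed_admin.append({"user": m["user"], "src": m["src"]})
            else:
                direct_admin.append({"user": m["user"], "src": m["src"], "method": m["method"]})

    alerts: List[str] = []
    # 5.5: unsuccessful logins to an administrative account, grouped by source.
    for (user, src), n in Counter((f["user"], f["src"]) for f in failed_admin).items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed logins to admin account '{user}' from {src}")
    # 5.8: administrators should log in as themselves and elevate with sudo;
    # a direct interactive login to root bypasses that audit trail.
    for d in direct_admin:
        alerts.append(f"direct {d['method']} login to '{d['user']}' from {d['src']}")
    for d in denied:
        alerts.append(f"sudo refused for '{d['user']}': {d['cmd']}")
    return {"elevations": elevations, "denied": denied,
            "failed_admin": failed_admin, "direct_admin": direct_admin, "alerts": alerts}


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines())["alerts"]:
        print("ALERT:", a)
```

On Windows the corresponding inputs are Security log events 4625 (failed logon) and 4648 (logon with explicit credentials, which is what RunAs produces); the same grouping-by-source logic applies. The threshold is a parameter because one or two failed root logins are routine typos, while a burst from a single source is the pattern worth paging on.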
CSC-6 Maintenance, Monitoring, and Analysis of Audit Logs Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
6.1 /
System
Include at least two synchronized time sources to
consistently timestamp logs for all network devices
Tenable can audit configurations for the use of two
time sources, and can also detect NTP servers and
their configurations.
6.2 /
System
Validate audit log settings for each hardware device
and software
Tenable can audit configurations for compliance.
6.3 /
System
Ensure that all systems storing logs have adequate
storage space; archive and sign logs periodically
Administrative control; n/a.
6.4 /
System
Security personnel and/or system administrators
should run biweekly reports on log anomalies, review
and document findings
Tenable partially fulfills 6.4 by automatically
running reports and sending them to security
responders and/or system administrators.
6.5 /
System
Configure network boundary devices to verbosely
log all inbound traffic
Tenable partially fulfills 6.5 by auditing
configurations for compliance.
6.6 /
System
Deploy a SIEM or log analytic tools for log
aggregation and consolidation from multiple
machines, and for log correlation, analysis and more
accurate reporting
Tenable reporting integrates data with APIs from
SIEM and log analytic tools.
CSC-7 Email and Web Browser Protections Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
7.1 /
System
Ensure that only fully supported web browsers and
email clients are allowed to execute, ideally with
most recent update
Tenable can identify unsupported browsers and
clients and create an alert to trigger action by
system administrators.
7.2 /
System
Uninstall or disable any unnecessary or unauthorized
browser or email client plugins or add-on
applications
Tenable can detect browser plugins.
7.3 /
System
Limit use of unnecessary scripting languages in all
web browsers and email clients
n/a
7.4 /
System
Log all URL requests from all local or remote devices
to identify potentially malicious activity or
compromised systems
Tenable can log the URL requests described in 7.4.
7.5 /
System
Deploy two separate browser configurations to each
system, one to disable unnecessary functionality and
the other to add authorized functionality
n/a
7.6 /
System
Use URL filters and controls to limit a system’s ability
to connect to non-approved websites
Tenable partially fulfills 7.6 by normalizing bad
URL events with a content filter and creating
related alerts.
7.7 /
System
Minimize spoofed email by using the Sender Policy
Framework (SPF) and DNS
n/a
7.8 /
System
Scan and block all inbound email and attachments
with malicious code or unnecessary file types
n/a
CSC-8 Malware Defenses Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
8.1 /
System
Use automated tools to continuously monitor all
devices with anti-virus, anti-spyware, and host-based
IPS functionality, and alert when malware events are
detected
Tenable can fulfill 8.1.
8.2 /
System
Use centralized anti-malware software or manually
push updates to all machines
n/a
8.3 /
System
Monitor for and limit use of external devices without
an approved, documented business need
Tenable can monitor attempted use of external
devices and audit configuration to determine if
they comply with policy.
8.4 /
System
Enable anti-exploitation features and apply them
broadly for more protection
n/a
8.5 /
System
Use network-based anti-malware tools with
advanced detection techniques to identify and filter
out malicious content
Tenable partially fulfills 8.5 by identifying malicious
content.
8.6 /
System
Enable DNS query logging to detect hostname
lookup for known malicious C2 domains
Tenable can fulfill 8.6.
CSC-9 Limitation and Control of Network Ports Manage (track/control/correct) the ongoing operational use of port, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
9.1 /
System
Ensure that only ports, protocols, and services with
valid business needs are running on each system
Tenable can audit configurations for compliance
and monitor actual port, protocol, and service
usage.
9.2 /
System
Apply host-based firewalls or port filtering tools on
end systems to deny all unauthorized traffic
Tenable can audit configurations for compliance
and collect Netflow traffic.
9.3 /
System
Perform automated port scans on a regular basis and
alert when baseline configurations are changed
Tenable can fulfill 9.3.
9.4 /
System
Verify the non-business requirement for any server
visible from the internet or untrusted network and
move it to an internal VLAN
Administrative and technical control. Tenable
partially fulfills 9.4 by identifying Internet-visible
servers, and can identify such systems with plugins.
9.5 /
System
Operate critical services on separate physical or
logical hosts
Tenable can partially fulfill 9.5 by identifying
critical services running on machines not matching
a dynamic asset list. With the Tenable List of
Services tool, you can use Netflow and netstat to
identify services.
9.6 /
System
Place applications firewalls in front of critical servers
to block unauthorized traffic
Administrative and technical control; n/a.
CSC-10 Data Recovery Capability The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
10.1 /
System
Back up each system at least weekly, and more often
for systems storing sensitive information, following
policies for compliance
Administrative and technical control; n/a.
10.2 /
System
Test data on backup media by performing regular
data restoration
Administrative control; n/a.
10.3 /
System
Protect backup data in transmission or at rest with
physical security or encryption
n/a
10.4 /
System
Key systems must have at least one backup
destination not continuously addressable via OS calls
Tenable can partially fulfill 10.4 by auditing
configurations for compliance.
CSC-11 Secure Configurations for Network Devices Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
11.1 /
System
Compare configurations of network devices with
standard configurations
Tenable can fulfill 11.1.
11.2 /
System
All new configuration rules for network devices must
conform to business reasons for each change
n/a
11.3 /
System
Use automated tools to verify standard device
configurations, and detect and alert changes
Tenable can fulfill 11.3.
11.4 /
System
Manage network devices using two-factor
authentication and encrypted sessions
Tenable can partially fulfill 11.4 by auditing
configurations for compliance.
11.5 /
System
Install the latest stable version of any security-
related updates on all network devices
Tenable can partially fulfill 11.5 by auditing
configurations for compliance.
11.6 /
System
Network engineers shall use a dedicated machine for
all administrative tasks or tasks requiring elevated
access
Administrative control; n/a.
11.7 /
System
Manage network infrastructure with connections
separate from production links; use VLANs or
separate physical networks
Administrative and technical control; n/a.
CSC-12 Boundary Defense Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
12.1 /
Network
Deny communications with known malicious IPs or
limit access only to trusted sites
Tenable can partially fulfill 12.1 by identifying
these communications, logging, and alerting.
12.2 /
Network
On DMZ networks, configure monitoring systems to
record log data about traffic traversing the network
border
Tenable partially fulfills 12.2 by passively
monitoring and analyzing packet headers and the
first x,000 bytes of payload.
12.3 /
Network
Deploy network-based IDS sensors to detect unusual
attack mechanisms and compromised systems
n/a
12.4 /
Network
Deploy network-based IPS devices to block known
bad signatures or the behavior of potential attacks
n/a
12.5 /
Network
Design and implement network perimeters so all
outbound traffic must pass through at least one
application layer filtering proxy server.
n/a
12.6 /
Network
Require all remote login access to use two-factor
authentication
Tenable can partially help fulfill 12.6 by auditing
configurations for compliance, logging, and
alerting.
12.7 /
Network
An organization must manage remote access of all
enterprise devices, including remote control of
configurations; and scan third party devices before
allowing access
Tenable can partially fulfill 12.7 by providing
intelligence connectors to MDM systems.
12.8 /
Network
Periodically scan for back-channel connections that
bypass the DMZ
Tenable fulfills 12.8.
12.9 /
Network
Deploy Netflow collection and analysis to DMZ
network flows to detect anomalous activity
Tenable fulfills 12.9 by analyzing Netflow data.
12.10 /
Network
Use firewall session tracking to identify and alert
discovery of covert channels exfiltrating data
Tenable fulfills 12.10 by auditing configurations for
compliance, including identifying unusually long
sessions.
CSC-13 Data Protection The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
13.1 /
Network
Assess data to identify sensitive information
requiring encryption / integrity controls.
Administrative control; n/a.
13.2 /
Network
Deploy approved hard drive encryption software to
mobile devices and systems with sensitive data.
Tenable partially fulfills 13.2 by auditing
configurations for compliance (with the exception
of mobile devices).
13.3 /
Network
Deploy automated tool on network perimeters
monitoring sensitive information and unauthorized
exfiltration and alert / block activity.
Tenable partially fulfills 13.3 by scanning for and
identifying unencrypted sensitive data in transit.
Tenable detects but does not block these transfers.
13.4 /
Network
Use automated tools to periodically scan servers for
sensitive data stored in clear text.
Tenable can scan file systems for sensitive data.
There are special audits for Windows and Unix;
these scan the first 60 KB of each file.
13.5 /
Network
Use controls protecting data on USB devices.
n/a
13.6 /
Network
Use network-based DLP solutions to monitor and
control internal data flows.
Tenable can partially fulfill 13.6 by detecting
anomalies; it cannot control the data flows.
13.7 /
Network
Monitor all traffic leaving the organization and
detect any unauthorized use of encryption.
Plugins used with Tenable can detect the use of
encryption on random ports.
13.8 /
Network
Block access to known file transfer and email
exfiltration websites.
n/a
13.9 /
Network
Use host-based DLP to enforce ACLs even when data
is copied off a server.
n/a
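Added example for 13.4, written for this page rather than taken from Tenable's audit files: a clear-text sensitive data scan that reads only the first 60 KB of each file, as the document says the Windows and Unix audits do, and looks for payment card numbers (validated with the Luhn checksum), US Social Security numbers and private key headers. The files that demo() creates, including the deliberately oversize log whose card number sits past the cutoff, are constructed; the patterns are standard but intentionally minimal.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Only the head of each file is inspected, mirroring the 60 KB limit the
# document describes for the Windows/Unix content audits.
DEFAULT_LIMIT = 60 * 1024

# Detectors. The PAN pattern is deliberately loose and is followed by a Luhn
# check so that most random digit runs are discarded.
PATTERNS = {
    "pan": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[str]:
    """Return the labels of sensitive-data types found in the text, in order."""
    found: List[str] = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if label == "pan":
                digits = re.sub(r"[ -]", "", m.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            if label not in found:
                found.append(label)
    return found


def scan_file(path: str, limit: Optional[int] = DEFAULT_LIMIT) -> List[str]:
    with open(path, "rb") as fh:
        data = fh.read() if limit is None else fh.read(limit)
    # latin-1 maps every byte to a code point, so binary files never raise.
    return scan_text(data.decode("latin-1"))


def scan_tree(root: str, limit: Optional[int] = DEFAULT_LIMIT) -> Dict[str, List[str]]:
    """Map relative path -> labels for every file with at least one hit."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            labels = scan_file(full, limit)
            if labels:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = labels
    return hits


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed files: a valid and an invalid card number, an SSN, a key
    header, and a card number placed past the 60 KB cutoff."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "cards.txt": "approved 4111 1111 1111 1111; typo 4111111111111112\n",
            "hr/ssn.txt": "employee 123-45-6789\n",
            "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder, not a key)\n",
            "logs/deep.txt": "x" * 70000 + "\n4111111111111111\n",
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return {"head_only": scan_tree(root), "full": scan_tree(root, limit=None)}


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(mode, hits)
```

The oversize file is the caveat to plan for: a head-only read keeps scans fast but misses anything appended later to a log or database dump, so run an occasional unlimited pass (limit=None) over directories where large files accumulate. The Luhn check is what keeps order numbers and timestamps out of the report; without it, any 13-19 digit run would be flagged.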
CSC-14 Controlled Access Based on the Need to Know The processes and tools used to track, control, prevent and correct secure access to critical assets based on approval of need and right to know.
14.1 /
Application
Segment network based on classification of
information on servers – including VLANs. Ensure
access authorization is based on specific
responsibilities.
n/a
14.2 /
Application
Encrypt all sensitive information sent over less-
trusted networks.
n/a
14.3 /
Application
All network switches will enable VLANs to limit
access by unauthorized parties and limit lateral
movement in a network.
n/a
14.4 /
Application
Use controls to protect sensitive information by
limiting access only to authorized parties with a
need-to-know.
Tenable partially fulfills 14.4 by detecting changes
to file permissions and related rights.
14.5 /
Application
Encrypt sensitive information as it is stored on
systems. For access, use secondary authentication
not integrated into the operating system.
n/a
14.6 /
Application
Enforce detailed audit logging to nonpublic data and
special authentication for sensitive data.
Tenable partially fulfills 14.6 by auditing
configurations for compliance.
14.7 /
Application
Archived data sets or systems not regularly accessed
shall be removed from the organization’s network.
Administrative control; n/a.
CSC-15 Wireless Access Control The processes and tools used to track/control/prevent the secure use of wireless local area networks (LANs), access points, and wireless client systems.
15.1 /
Network
Wireless devices connected to the network must
match an authorized configuration and security
profile
Administrative and technical control; n/a.
15.2 /
Network
Configure network vulnerability scanning tools to
detect and deactivate unauthorized wireless access
points
Administrative and technical control. Tenable
partially fulfills 15.2 by detecting wireless access
points.
15.3 /
Network
Use wireless intrusion detection to detect rogue
wireless devices and attacks
n/a
15.4 /
Network
Configure wireless access on clients to allow access
only to authorized networks; disable access by
unauthorized clients
Tenable can audit configurations for compliance
with custom audit files.
15.5 /
Network
All wireless traffic must use at least AES encryption
with at least WPA2
Tenable partially fulfills 15.5 by auditing
configurations for compliance; it also checks
whether clients are configured to use the weaker
WPA or WEP.
15.6 /
Network
Wireless networks must use authentication
protocols such as EAP/TLS
Tenable partially fulfills 15.6 by auditing
configurations for compliance.
15.7 /
Network
Disable peer-to-peer wireless network capabilities
on clients
Tenable partially fulfills 15.7 by auditing
configurations for compliance.
15.8 /
Network
Disable wireless peripheral access of devices unless
required for business need
Tenable partially fulfills 15.8 by auditing
configurations for compliance.
15.9 /
Network
Create separate VLANs for BYOD systems or other
untrusted devices
n/a
CSC-16 Account Monitoring and Control Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
16.1 /
Application
Review all system accounts and disable those
unassociated with a business process and owner
Administrative control; n/a.
16.2 /
Application
Ensure all accounts have an expiration date that is
monitored and enforced
Tenable partially fulfills 16.2 by auditing
configurations for compliance.
16.3 /
Application
Establish and follow a process to revoke system
access by disabling accounts immediately upon
termination of an employee or contractor
Administrative control; n/a.
16.4 /
Application
Regularly monitor use of all accounts; automatically
log off users after standard period of inactivity
Tenable partially fulfills 16.4 by auditing
configurations for compliance.
16.5 /
Application
Configure screen locks on systems to limit access to
unattended workstations
Tenable partially fulfills 16.5 by auditing
configurations for compliance.
16.6 /
Application
Monitor account usage to determine dormant
accounts, notifying the user or user’s manager
Tenable fulfills 16.6.
16.7 /
Application
Use and configure account lockouts for set number
of failed login attempts
Tenable audits configurations for compliance.
16.8 /
Application
Monitor attempts to access deactivated accounts
Tenable tracks all access attempts by all user
accounts, including deactivated accounts, and
displays suspicious access activity.
16.9 /
Application
Configure access for all accounts through a
centralized point of authentication
Tenable fulfills 16.9 by auditing configurations for
compliance.
16.10 /
Application
Profile each user’s typical account usage and flag for
unusual variances
Tenable continuously monitors system and host
access by all users and alerts administrators when
detecting suspicious activity.
16.11 /
Application
Require multi-factor authentication for all access to
sensitive data or systems
n/a
16.12 /
Application
Where multi-factor authentication is not supported,
passwords must exceed 14 characters
n/a
16.13 /
Application
All account usernames and authentication
credentials must use encrypted network channels
n/a
16.14 /
Application
Verify all authentication files are encrypted or
hashed and cannot be accessed without root or
administrator privileges; audit all access to password
files in the system
Tenable fulfills 16.14.
CSC-17 Security Skills Assessment and Appropriate Training to Fill Gaps For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
17.1 /
Application
Perform gap analysis to spot missing needs for
employee training
Administrative control; n/a.
17.2 /
Application
Deliver training to fill skills gap
Administrative control; n/a.
17.3 /
Application
Implement a security awareness program
Administrative control; n/a.
17.4 /
Application
Validate and improve awareness levels through
periodic employee tests and targeted training
Administrative control; n/a.
17.5 /
Application
Use security skills assessments for each of the
mission critical roles to identify skills gaps
Administrative control; n/a.
CSC-18 Application Software Security Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
18.1 /
Application
Verify software to be current; update and patch if
needed
Administrative control; n/a.
18.2 /
Application
Protect web applications with web application
firewalls
n/a
18.3 /
Application
For in-house developed software, test and document
for explicit error checking for all input
n/a
18.4 /
Application
Test in-house-developed and third-party-procured
web applications with automated remote web
application scanners
n/a
18.5 /
Application
Do not display system error messages to end-users
n/a
18.6 /
Application
Maintain separate environments for production and
non-production systems
n/a
18.7 /
Application
For applications relying on a database, use standard
hardening configuration templates
Tenable fulfills 18.7.
18.8 /
Application
All software developers must be trained in writing
secure code for their specific environments
Administrative control; n/a.
18.9 /
Application
For in-house developed applications, all development
artifacts must be excluded from deployed software
and be inaccessible in the production environment
Administrative control; n/a.
CSC-19 Incident Response and Management Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
19.1 /
Application
Provide written incident response procedures and
define personnel roles for handling incidents
Administrative control; n/a.
19.2 /
Application
Assign job titles and duties for handling computer
and network incidents to specific individuals
Administrative control; n/a.
19.3 /
Application
Define management personnel who will be deciders
in the incident handling process
Administrative control; n/a.
19.4 /
Application
Devise standards for the time required by system
administrators and others to report anomalous
events to the response team
Administrative control; n/a.
19.5 /
Application
Assemble and maintain information for everyone in
the organization about incidents and responses
Administrative control; n/a.
19.6 /
Application
Publish information for everyone in the organization
about incidents and responses
Administrative control; n/a.
19.7 /
Application
Conduct periodic incident scenario training sessions
with team responders
Administrative control; n/a.
CSC-20 Penetration Tests and Red Team Exercises Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
20.1 /
Application
Conduct regular external and internal penetration
tests to assess vulnerabilities and attack vectors
n/a
20.2 /
Application
Users and system accounts used to perform
penetration testing should be controlled and
monitored for legitimate use
Administrative control; n/a.
20.3 /
Application
Perform periodic Red Team exercises to test
organizational readiness for attack response
Administrative control; n/a.
20.4 /
Application
Include tests for the presence of unprotected system
information and artifacts useful to attackers
Administrative control; n/a.
20.5 /
Application
Plan clear goals of the penetration test with blended
attacks in mind on specific target assets
Administrative control; n/a.
20.6 /
Application
Use vulnerability management and penetration
testing tools in concert
Tenable partially fulfills 20.6 with vulnerability
scanning.
20.7 /
Application
When possible, document Red Team results with
open, machine-readable standards and scoring
Administrative and technical control; n/a.
20.8 /
Application
Create a test bed that mimics a production
environment for specific penetration tests and Red
Team attacks on extraordinary assets such as a
SCADA system
Administrative control; n/a.