The current version of these tables is built on the CIS Controls Version 7.1. Mapping to Version 8 of the CIS Controls will be completed in 2022.
Implementation Group 1

| Control ID | Control Wording | Support Detail | AIE Rules | Investigations | Summary Reports | Detailed Report |
|---|---|---|---|---|---|---|
| 1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization’s network or not. | | CCF: New Network Host | | CCF: New Network Host Summary | |
| 1.6 | Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner. | | CCF: New Network Host | | CCF: New Network Host Summary | |
| 2.2 | Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. | | CCF: Vulnerability Detected Alarm | CCF: Vulnerability Detected Inv | CCF: Vulnerability Detected Summary | |
| 2.6 | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. | | CCF: Software Install Rule | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | |
| 3.4 | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Malware Detected Inv | CCF: Patch Activity Summary | |
| 3.5 | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Patch Activity Inv | CCF: Patch Activity Summary | |
| 4.2 | Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. | | CCF: Account Modification | CCF: Account Modification Inv | | CCF: Host Access Granted And Revoked Detail |
| 4.3 | Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities. | | CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv | CCF: Account Modification Summary; CCF: Account Enabled Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary | CCF: Host Access Granted And Revoked Detail |
| 5.1 | Maintain documented security configuration standards for all authorized operating systems and software. | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | |
| 6.2 | Ensure that local logging has been enabled on all systems and networking devices. | | CSC: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 7.1 | Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. | | CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 7.7 | Use Domain Name System (DNS) filtering services to help block access to known malicious domains. | | CCF: Malware Alarm | CCF: Malware Detected Inv | CCF: Malware Detected Summary | |
| 8.2 | Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis. | | CCF: PRD Envir Signature Failure Alarm | CCF: Malware Detected Inv | CCF: Malware Detected Summary; CCF: Signature Activity Summary; CCF: Vulnerability Detected Summary | |
| 8.4 | Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. | | CCF: Malware Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 9.4 | Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | | CCF: Blacklisted Egress Port Observed | | | |
| 10.1 | Ensure that all system data is automatically backed up on a regular basis. | | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
| 10.2 | Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. | | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
| 11.4 | Install the latest stable version of any security-related updates on all network devices. | | | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 12.1 | Maintain an up-to-date inventory of all of the organization’s network boundaries. | Lists provide a mechanism for organizing and saving common search criteria used within filters throughout LogRhythm, such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. The lists included in this module, such as CCF: Network Security Systems List, allow an organization to create structure by which asset identification and management can be performed. | | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | |
| 12.4 | Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries. | | CCF: Blacklisted Egress Port Observed | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 13.1 | Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider. | | CCF: Inactive Systems | CCF: Object Access Inv | CCF: Object Access Summary | |
| 13.2 | Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. | | CCF: Unauthorized Data Transfer | CCF: Object Access Inv | CCF: Access Failure Summary | |
| 13.6 | Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 14.6 | Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | | CCF: FIM Abnormal Activity | CCF: Account Modification Inv | CCF: Access Failure Summary; CCF: Account Modification Summary | |
| 15.7 | Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 15.10 | Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly. | | CCF: Domain Trust Modified | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail |
| 16.8 | Disable any account that cannot be associated with a business process or business owner. | | CCF: Shared Account Access | CCF: Disabled Account Inv | CCF: Account Disabled Summary | CCF: Unknown User Account Detail |
| 16.9 | Automatically disable dormant accounts after a set period of inactivity. | | CCF: Dormant User Account Observed | CCF: Deleted Account Inv | CCF: Account Enabled Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary | |
| 17.3 | Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner. | | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
| 17.5 | Train workforce members on the importance of enabling and utilizing secure authentication. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful data trends and encourage the focus of training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
| 17.6 | Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful data trends and encourage the focus of training efforts where necessary. | | CCF: Physical Access Inv | CCF: Top Suspicious Users | |
| 17.7 | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful data trends and encourage the focus of training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
| 17.8 | Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful data trends and encourage the focus of training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
| 17.9 | Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful data trends and encourage the focus of training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
Implementation Group 2

| Control ID | Control Wording | Support Detail | AIE Rules | Investigations | Summary Reports | Detailed Report |
|---|---|---|---|---|---|---|
| 1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization’s hardware asset inventory. | | CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | | CCF: Malware Alarm | | CCF: New Network Host Summary | |
| 1.7 | Utilize port level access control, following | | CCF: Vulnerability Detected Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 2.3 | Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. | | CCF: Software Install Rule | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | |
| 3.1 | Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 3.2 | Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 3.3 | Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. | | CCF: Multiple Failed Access Attempts | CCF: Host Access Granted And Revoked Inv | CCF: Social Media Summary | CCF: Account Modification Summary |
| 3.6 | Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | | CCF: Malware Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 3.7 | Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities. | Augment through Web Console | Augment through Web Console | Augment through Web Console | Augment through Web Console | Augment through Web Console |
| 4.1 | Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. | | CCF: Account Modification | CCF: Account Modification Inv | CCF: Access Success Summary | CCF: Unknown User Account Detail |
| 4.5 | Use multi-factor authentication and encrypted channels for all administrative account access. | | CCF: Account Modification | CCF: Host Access Granted And Revoked Inv | CCF: Access Success Summary | CCF: Account Enabled Summary |
| 4.7 | Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities. | | CCF: Multiple Failed Access Attempts | CCF: Excessive Authentication Failure Inv | CCF: Access Failure Summary | CCF: Account Modification Summary |
| 4.8 | Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | CCF: Unknown User Account Detail |
| 4.9 | Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. | | CCF: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Access Failure Summary | CCF: Unknown User Account Detail |
| 5.2 | Maintain secure images or templates for | | CCF: Malware Alarm | CCF: Compromises Detected Inv | | |
| 5.3 | Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible. | | CCF: FIM Abnormal Activity | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
| 5.4 | Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | |
| 5.5 | Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | |
| 6.1 | Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. | | CCF: Time Sync Error Alarm | CCF: Time Sync Error Inv | CCF: Time Sync Error Summary | |
| 6.3 | Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. | | CCF: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 6.4 | Ensure that all systems that store logs have adequate storage space for the logs generated. | | CCF: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 6.5 | Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. | | CCF: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 6.6 | Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. | | Supported through SIEM deployment | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 6.7 | On a regular basis, review logs to identify anomalies or abnormal events. | | Augment through Web Console, Investigations, and Reports | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 7.2 | Uninstall or disable any unauthorized browser or email client plugins or add-on applications. | | CCF: Unauthorized Executable Observed | | | |
| 7.4 | Enforce network-based URL filters that limit | | CCF: Malicious IP Communication | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
| 7.6 | Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. | | CCF: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 7.9 | Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business. | | CCF: Multiple Failed Access Attempts | CCF: Host Access Granted And Revoked Inv | CCF: User Object Access Summary | |
| 8.1 | Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization’s workstations and servers. | | CCF: Malware Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 8.6 | Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. | | CCF: Malware Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 8.7 | Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. | | CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 8.8 | Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. | | CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | |
| 9.2 | Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. | | CCF: Blacklisted Egress Port Observed | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
| 9.3 | Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. | | CCF: Blacklisted Egress Port Observed | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 10.3 | Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. | | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
| 11.2 | All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | |
| 11.3 | Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered. | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | |
| 11.5 | Manage all network devices using multi-factor authentication and encrypted sessions. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 11.6 | CCF: Config Change After Attack | | CCF: Multiple Failed Access Attempts | CCF: Object Access Inv | CCF: Social Media Summary | CCF: Host Access Granted And Revoked Detail |
| 12.2 | Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. | | CCF: Blacklist Location Auth | | CCF: Suspected Wireless Attack Summary | |
| 12.3 | Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization’s network boundaries. | | CCF: Blacklist Location Auth | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 12.6 | Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization’s network boundaries. | | CCF: Malware Alarm | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 12.11 | Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication. | | CCF: Non-Encrypted Protocol Alarm | | | |
| 13.4 | Only allow access to authorized cloud storage or email providers. | | CCF: Multiple Failed Access Attempts | CCF: Object Access Inv | CCF: User Object Access Summary | |
| 13.7 | If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained. | | CCF: Data Loss Prevention | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
| 14.3 | Disable all workstation-to-workstation communication to limit an attacker’s ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro segmentation. | | CCF: Admin Password Modified | | | |
| 14.4 | Encrypt all sensitive information in transit. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 15.1 | Maintain an inventory of authorized wireless access points connected to the wired network. | | CCF: New Network Host | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | |
| 15.2 | Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network. | | CCF: New Wireless Host | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | |
| 15.3 | Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network. | | CCF: New Wireless Host | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
| 15.6 | Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients. | | CCF: Admin Password Modified | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
| 15.9 | Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose. | | | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
| 16.7 | Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 16.10 | Ensure that all accounts have an expiration date that is monitored and enforced. | | CCF: Blacklisted Account Alarm | CCF: Deleted Account Inv | CCF: Access Failure Summary | CCF: Unknown User Account Detail |
| 16.12 | Monitor attempts to access deactivated accounts through audit logging. | | CCF: Account Deleted Rule | CCF: Account Modification Inv | CCF: Access Failure Summary | CCF: Host Access Granted And Revoked Detail |
| 17.1 | Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap. | | CCF: Account Deleted Rule | CCF: Account Modification Inv | CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail |
| 18.3 | Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations. | | CCF: Disabled Account Auth Success | CCF: Account Modification Inv | CCF: Access Failure Summary | CCF: Account Modification Summary |
| 18.5 | Use only standardized, currently accepted, and extensively reviewed encryption algorithms. | | | CCF: Object Access Inv | CCF: Top Suspicious Users | |
| 18.8 | Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | |
| 18.9 | Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. | | CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 18.10 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | |
| 18.11 | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. | | | CCF: Host Access Granted And Revoked Inv | CCF: User Object Access Summary | |
| 20.1 | Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. | | CCF: Vulnerability Detected Alarm | CCF: Denial of Service Inv | CCF: Vulnerability Detected Summary | |
| 20.2 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Critical Environment Error Inv | CCF: Critical Environment Error Summary | |
| 20.8 | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. | | CCF: Config Change then Critical Error | CCF: Critical Environment Error Inv | CCF: Critical Environment Error Summary | |
| | | | CCF: Vulnerability Detected Alarm | CCF: User Misuse Inv | CCF: Top Suspicious Users | |
| | | | CCF: Account Modification | CCF: Account Modification Inv | CCF: Access Success Summary | CCF: Account Modification Summary |
Implementation Group 3

| Control ID | Control Wording | Support Detail | AIE Rules | Investigations | Summary Reports | Detailed Report |
|---|---|---|---|---|---|---|
| 1.8 | Use client certificates to authenticate hardware assets connecting to the organization’s trusted network. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 2.7 | Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. | | CCF: Software Install Rule | | | |
| 2.8 | The organization’s application whitelisting software must ensure that only authorized software libraries (such as `*.dll`, `*.ocx`, `*.so`, etc.) are allowed to load into a system process. | | CCF: Unauthorized Executable Observed | | | |
| 2.9 | The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as `*.ps1`, `*.py`, macros, etc.) are allowed to run on a system. | | CCF: Unauthorized Executable Observed | | | |
| 6.8 | On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. | Augmented through SIEM deployment. | Augmented through SIEM deployment. | Augmented through SIEM deployment. | Augmented through SIEM deployment. | Augmented through SIEM deployment. |
| 7.10 | Use sandboxing to analyze and block inbound email attachments with malicious behavior. | | CCF: Suspicious Email Attachment | | | |
| 9.5 | Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged. | | CCF: Significant Outbound Traffic Increase | | | |
| 12.7 | Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization’s network boundaries. | | CCF: Significant Outbound Traffic Increase | | | |
| 12.10 | Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 13.3 | Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. | | CCF: FIM Abnormal Activity | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
| 13.5 | Monitor all traffic leaving the organization and detect any unauthorized use of encryption. | | CCF: FIM Abnormal Activity | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
| 13.9 | If USB storage devices are required, all data stored on such devices must be encrypted while at rest. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 14.5 | Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or | | CCF: FIM Abnormal Activity | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
| 14.8 | Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 14.9 | Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). | | CCF: Config Change After Attack | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | |
| 15.8 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
| 16.13 | Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration. | | CCF: Abnormal Auth Behavior | | CCF: Auth Failure Summary | |
| 19.8 | Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. |