13: Network Monitoring and Defense
Threats Addressed:
Control Statement
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
13.1: Centralize Security Event Alerting
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
13.2: Deploy a Host-Based Intrusion Detection Solution
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
13.3: Deploy a Network Intrusion Detection Solution
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
13.4: Perform Traffic Filtering Between Network Segments
Perform traffic filtering between network segments, where appropriate.
13.5: Manage Access Control for Remote Assets
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.
13.6: Collect Network Traffic Flow Logs
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
13.7: Deploy a Host-Based Intrusion Prevention Solution
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
13.8: Deploy a Network Intrusion Prevention Solution
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
13.9: Deploy Port-Level Access Control
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.
13.10: Perform Application Layer Filtering
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
13.11: Tune Security Event Alerting Thresholds
Tune security event alerting thresholds monthly, or more frequently.