
New Updates to the CIS Critical Security Controls

Data Security

If you haven’t already heard, the Top 20 Critical Security Controls has a new name. Last year, after the Center for Internet Security (CIS) integrated with the Council on CyberSecurity, the controls were renamed the CIS Critical Security Controls.

In addition to the new name, the controls have been reordered to reflect current security threats and the technology now available in the marketplace.


With the new name and order, the controls still aim to protect an organization’s infrastructure and data by strengthening its defenses through continuous, automated protection and monitoring.

Here’s how to best apply the CIS Critical Security Controls to your organization’s unstructured data.

Below, each relevant Critical Security Control is listed alongside the Varonis solutions that address it.

4: Continuous Vulnerability Assessment and Remediation

4.2: Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.

4.6: Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.

User Behavior Analytics (UBA) emphasizes security on the inside: identifying what a user is doing and, in particular, their file activity – logins, applications launched, when a file was accessed, who accessed it, what was done to it (copy, move, delete) and how frequently it was accessed.

Once cybercriminals get inside the network, they look like just another user to an IT admin who is only monitoring system activity.

UBA really excels at handling the unknown. In the background, the UBA engine baselines each user’s normal activity, then spots variances and reports them in real time, in whatever form they reveal themselves. For instance, an IT admin can configure a rule to spot thousands of “file modify” actions in a short time window.

5: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

DatAdvantage helps organizations examine and audit the use of privileged accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint and Directory Services activity, DatAdvantage provides visibility into administrative users’ actions. The log can be viewed interactively or via email reports.

DatAdvantage can also identify when users have administrative rights they do not use or need and provides a way to safely remove excess privileges without impacting the business.

DatAlert can be configured to send real-time alerts on a number of actions, including the granting of administrative rights to a user or group. This allows the organization to detect, in real time, when privileged access has been granted erroneously and act before abuse occurs.

Real-time alerts can also be triggered when administrative users access, modify, or delete business data.

DataPrivilege provides a web-based interface that allows business stakeholders (i.e., stewards) to review, approve, and deny access to their data, putting access control decisions in the hands of the person or people with the right context.

6: Maintenance, Monitoring, and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

DatAdvantage captures, aggregates, normalizes, and analyzes every data access event for every user on Windows, UNIX/Linux, NAS, Exchange and SharePoint servers, without requiring native operating system auditing.

Through its intuitive graphical interface and reports, DatAdvantage clearly presents the answers to questions such as:

  • Who has been accessing this folder?
  • What data has this user been accessing?
  • Who sent emails to whom?
  • Who deleted these files or emails?
  • Where did those files go?

Data for every access event is collected without impacting performance or storage on production systems, using ordinary computing infrastructure.

DatAlert leverages the audit trail collected by DatAdvantage and the Metadata Framework to trigger real-time alerts when anomalous behavior occurs.

8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

DatAdvantage’s audit trail and behavioral alerts can help detect when malware or viruses are accessing files, mailboxes, or SharePoint sites.

A Varonis customer used DatAdvantage to quickly isolate and halt the spread of CryptoLocker ransomware in their environment.

This was how our customer described the situation: “Within DatAdvantage I ran a query on that specific user and realized that there were over 400,000 access events that had been generated from that user’s account. It was at that point that we knew it was a virus… Once we had identified the second user, we went back to DatAdvantage to identify the files they had accessed. There were over 200,000 access events generated from this user’s account.”

To learn about ransomware, read our Complete Ransomware Guide.

13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

DatAdvantage helps organizations ensure their data at rest is secured against unauthorized theft or accidental loss by providing unprecedented visibility into who has access to data, who is accessing data, where sensitive data resides, and who owns it.

By using DatAdvantage’s recommendation engine to eliminate unnecessary permissions and reduce the access footprint of user accounts and security groups, accounts that are breached have a much smaller potential for harm.

Additionally, since DatAdvantage profiles every user’s normal data access behavior, it can detect and alert when an abnormal spike in access occurs, helping to catch data breaches and insider threats while they are still in progress.
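The behavioral detection described here, in the UBA discussion under Control 4, and in the CryptoLocker story above all come down to the same two mechanisms: a fixed rule on a burst of one action type, and a per-account baseline that flags departures from that account’s own history. The following is an added example, not Varonis code, that implements both over constructed audit events; the event fields, the sample data, the thresholds and the baseline method are all assumptions made for the example.

```python
"""
Added example, not Varonis code: a minimal user-behaviour baseline and
spike detector over constructed file-access audit events.

Two checks are shown:
  1. A fixed rule of the kind an admin configures by hand: more than
     `threshold` "modify" events from one account inside a sliding window.
  2. A per-account baseline: each account's hourly event count after a
     cutoff is compared with its own mean hourly count before the cutoff.
Event fields, the sample data and all thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # "read", "modify", "delete", ...
    path: str


def parse_event(line: str) -> Event:
    """Parse a constructed audit line: '<ISO timestamp> <user> <action> <path>'."""
    ts, user, action, path = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), user, action, path)


SAMPLE_START = datetime(2023, 5, 1, 9, 0, 0)   # Monday 09:00 (constructed)
CUTOFF = SAMPLE_START + timedelta(days=5)       # baseline on Mon-Fri, detect from Saturday


def build_sample_events() -> list[Event]:
    """Constructed data: five working days of routine activity for two accounts
    (20 events per hour, every fourth one a modify), then on Saturday the 'bob'
    account rewrites 300 files in 90 seconds, the shape of a ransomware run."""
    events = []
    for day in range(5):
        for hour in range(8):
            for i in range(20):
                t = SAMPLE_START + timedelta(days=day, hours=hour, minutes=3 * i)
                action = "modify" if i % 4 == 0 else "read"
                for user in ("alice", "bob"):
                    events.append(Event(t, user, action, f"//fs01/{user}/doc{i}.xlsx"))
    burst_start = CUTOFF + timedelta(hours=2)
    for i in range(300):
        events.append(Event(burst_start + timedelta(milliseconds=300 * i),
                            "bob", "modify", f"//fs01/shared/file{i}.docx"))
    events.sort(key=lambda e: e.ts)
    return events


def burst_alerts(events, action="modify", threshold=100, window=timedelta(seconds=60)):
    """Rule 1. Walk time-ordered events keeping, per account, a deque of the
    timestamps of its recent `action` events; alert the first time the deque
    holds more than `threshold` events within `window`. One alert per account."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for e in events:
        if e.action != action:
            continue
        q = recent[e.user]
        q.append(e.ts)
        while e.ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and e.user not in alerted:
            alerted.add(e.user)
            alerts.append((e.user, e.ts, len(q)))
    return alerts


def hourly_counts(events):
    """Per-account number of events in each clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e.user][e.ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def baseline_alerts(events, cutoff, multiplier=5.0, min_events=50):
    """Rule 2. Baseline = mean events per active hour before `cutoff`; flag any
    hour at/after `cutoff` whose count exceeds `multiplier` times that mean and
    is at least `min_events` (so a quiet account does not alert on noise).
    A production baseline would also model quiet hours and day-of-week."""
    alerts = []
    for user, hours in hourly_counts(events).items():
        history = [n for h, n in hours.items() if h < cutoff]
        if not history:
            continue
        mean = sum(history) / len(history)
        for h, n in sorted(hours.items()):
            if h >= cutoff and n >= min_events and n > multiplier * mean:
                alerts.append((user, h, n, round(mean, 1)))
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    for a in burst_alerts(evs):
        print("burst rule fired:", a)
    for a in baseline_alerts(evs, CUTOFF):
        print("baseline deviation:", a)
```

Run as-is, the burst rule fires on the 101st modify from the bob account about 30 seconds into the Saturday run, and the baseline check reports the same account at 300 events in an hour against a mean of 20. The two checks are complementary: the fixed rule catches a known bad pattern immediately, while the baseline catches unusual volume that never crosses a hand-picked threshold.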

With DatAlert, administrators can be alerted when sensitive data is discovered outside of a specified area so that they can take immediate action.  DatAlert can also be configured to detect privilege escalations, change management violations, changes to GPOs, folder permissions, etc.

14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

DatAdvantage’s recommendation engine can help eliminate permissions creep by using its bi-directional cluster analysis to determine when a user has access to data they do not need. DatAdvantage produces a recommendation which can be acted upon by IT or a business user. DatAdvantage also provides a simulation sandbox to ensure permission changes do not adversely impact the environment.
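The recommendation-and-simulate loop above (and the unused-admin-rights point under Control 5) can be reproduced in miniature from three inputs: group membership, folder ACLs, and the access audit trail. The following is an added example, not Varonis code and not its cluster analysis: it flags grants that no covered user exercised during the review window, lists group members who used none of the group’s folders, and replays the audit trail against the reduced ACLs so a change can be checked before it is applied. The directory data, ACLs, folder names and access log are constructed.

```python
"""
Added example, not Varonis code: a least-privilege recommendation pass
built from constructed group membership, folder ACLs and an access audit
trail. Recommends unused grants for removal, lists idle group members,
and simulates a change by replaying the audit trail against the reduced
ACLs to show no observed access would break. All data is assumed.
"""
from collections import defaultdict

# Constructed directory: group -> members (flat; nested groups omitted)
GROUPS = {
    "Finance": {"alice", "bob"},
    "Engineering": {"carol", "dave"},
    "AllStaff": {"alice", "bob", "carol", "dave", "erin"},
}

# Constructed ACLs: folder -> principals (users or groups) granted access
ACLS = {
    "//fs01/finance": {"Finance", "erin"},
    "//fs01/eng": {"Engineering"},
    "//fs01/shared": {"AllStaff"},
}

# Constructed audit trail for the review window: (user, folder) actually accessed
ACCESS_LOG = [
    ("alice", "//fs01/finance"), ("bob", "//fs01/finance"),
    ("carol", "//fs01/eng"), ("dave", "//fs01/eng"),
    ("alice", "//fs01/shared"), ("carol", "//fs01/shared"), ("erin", "//fs01/shared"),
]


def expand(principal, groups):
    """Users covered by a principal: a group's members, or the user itself."""
    return set(groups.get(principal, {principal}))


def used_by_folder(access_log):
    """folder -> set of users seen touching it during the window."""
    used = defaultdict(set)
    for user, folder in access_log:
        used[folder].add(user)
    return used


def recommend_removals(acls, groups, access_log):
    """Grants (folder, principal) where no user covered by the principal
    touched the folder during the window: candidates for removal."""
    used = used_by_folder(access_log)
    recs = []
    for folder in sorted(acls):
        for principal in sorted(acls[folder]):
            if not expand(principal, groups) & used[folder]:
                recs.append((folder, principal))
    return recs


def idle_members(groups, acls, access_log):
    """Per group, members who used none of the folders the group grants.
    The grant is still needed by the group, but these members may not
    need the group membership."""
    used = used_by_folder(access_log)
    folders_of = defaultdict(set)
    for folder, principals in acls.items():
        for p in principals:
            folders_of[p].add(folder)
    idle = {}
    for group, members in groups.items():
        active = set()
        for f in folders_of[group]:
            active |= used[f]
        idle[group] = set(members) - active
    return idle


def simulate(acls, groups, removals, access_log):
    """Replay the audit trail against ACLs with `removals` applied and return
    every observed (user, folder) access that would now be denied."""
    reduced = {f: set(p) for f, p in acls.items()}
    for folder, principal in removals:
        reduced[folder].discard(principal)
    broken = []
    for user, folder in access_log:
        if not any(user in expand(p, groups) for p in reduced.get(folder, ())):
            broken.append((user, folder))
    return broken


if __name__ == "__main__":
    recs = recommend_removals(ACLS, GROUPS, ACCESS_LOG)
    print("recommended removals:", recs)
    print("accesses that would break:", simulate(ACLS, GROUPS, recs, ACCESS_LOG))
    print("idle group members:", idle_members(GROUPS, ACLS, ACCESS_LOG))
```

On the constructed data the only grant recommended for removal is erin’s direct entry on the finance folder, the simulation confirms no logged access depends on it, and the AllStaff group carries two members (bob and dave) who never touched the folder it grants. Replaying the trail against a deliberately bad change, such as dropping AllStaff from the shared folder, shows exactly which users would be cut off, which is the check the sandbox exists to make.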

The IDU Classification Framework scans file systems and SharePoint sites and automatically identifies sensitive content such as credit card numbers, healthcare information, or other critical assets.  Once critical information is discovered, DatAdvantage provides additional context as to who has access to the content, who has been accessing the content, and who should not have access anymore.

The IDU Classification Framework can prioritize risk by highlighting folders with high concentrations of sensitive content and extremely loose permissions.
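To make the two previous paragraphs concrete, here is an added example (not the IDU Classification Framework or any Varonis code) of a small content classifier and the folder risk ranking it feeds. Card numbers are matched by pattern and then validated with the Luhn checksum, so ordinary reference numbers of similar length are not counted; a crude keyword rule stands in for healthcare detection. Folders are then scored by sensitive hits, weighted up when the ACL includes a broad principal. The file contents, ACLs, rules and weights are all constructed for the example.

```python
"""
Added example, not Varonis code: a content classifier plus folder risk
ranking. Rules: card numbers (digit pattern validated with the Luhn
checksum) and a health-record keyword rule. Folders are scored by hits,
weighted when their ACL grants a broad principal. All data is assumed.
"""
import re
from collections import defaultdict

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
HEALTH_RE = re.compile(r"\b(?:patient|mrn|diagnosis)\b", re.I)
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
BROAD_WEIGHT = 3   # assumed multiplier for folders open to a broad principal

# Constructed files (path -> text content) and folder ACLs
SAMPLE_FILES = {
    "//fs01/finance/cards.xlsx": "customer 4111 1111 1111 1111 charged; ref 12345678901234",
    "//fs01/finance/budget.xlsx": "Q1 budget totals 1000000",
    "//fs01/public/readme.txt": "Contact card 5555555555554444 for billing",
    "//fs01/public/notes.txt": "Nothing sensitive here, order 4111111111111112",
    "//fs01/hr/records.txt": "Patient John Doe, MRN 00123, diagnosis: hypertension",
}
SAMPLE_ACLS = {
    "//fs01/finance": {"Finance"},
    "//fs01/public": {"Everyone"},
    "//fs01/hr": {"HR", "Domain Users"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {rule: hit count} for the rules that fire on `text`."""
    hits = {}
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    if cards:
        hits["credit_card"] = len(cards)
    health = HEALTH_RE.findall(text)
    if health:
        hits["health"] = len(health)
    return hits


def classify_files(files: dict) -> dict:
    """path -> classification result for every file."""
    return {path: classify(text) for path, text in files.items()}


def rank_folders(files: dict, acls: dict) -> list:
    """Score each folder: total sensitive hits, times BROAD_WEIGHT when any
    broad principal is on its ACL. Returns (folder, hits, broad, score),
    highest risk first."""
    hits_by_folder = defaultdict(int)
    for path, hits in classify_files(files).items():
        hits_by_folder[path.rsplit("/", 1)[0]] += sum(hits.values())
    ranked = []
    for folder, hits in hits_by_folder.items():
        broad = sorted(BROAD_PRINCIPALS & acls.get(folder, set()))
        ranked.append((folder, hits, broad, hits * (BROAD_WEIGHT if broad else 1)))
    ranked.sort(key=lambda r: (-r[3], r[0]))
    return ranked


if __name__ == "__main__":
    for path, hits in classify_files(SAMPLE_FILES).items():
        print(path, hits)
    for folder, hits, broad, score in rank_folders(SAMPLE_FILES, SAMPLE_ACLS):
        print(f"{score:>3}  {folder}  hits={hits} broad={broad}")
```

The 14-digit reference number and the mistyped card in notes.txt fail the Luhn check and are not counted, which is the difference between a classifier that produces a review queue and one that produces noise. The ranking then puts the HR folder first: fewer files than finance, but its content hits multiply with an ACL that includes Domain Users.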

DataPrivilege enables “need-to-know” access by empowering data owners to make informed decisions about who should and should not have access to their business data. A web-based interface with an automated permissions management workflow involves the data owners directly in decisions related to their business unit’s data, without manual effort or assistance from IT.

16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.

DatAdvantage for Directory Services enables you to easily report and alert on changes to critical security groups, users, group policies, OUs, and other AD objects.

Get real-time alerts on privilege escalations, changes made outside your change management window, abnormal login activity and more. DatAdvantage performs User Behavior Analytics to baseline user activity and detect anomalous behavior to stop breaches before they happen.
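The alerts described here, and the real-time alert on granting administrative rights under Control 5, can be built from the Windows Security events that Active Directory emits when group membership changes. The following is an added example, not Varonis code. The event IDs it keys on (4728, 4732 and 4756 for a member added to a global, local or universal security group; 4729, 4733 and 4757 for a member removed) are the real Windows IDs; the event field layout, the privileged-group list, the Saturday change window and the approved-change register are assumptions constructed for the example.

```python
"""
Added example, not Varonis code: alerting on Active Directory group
membership changes from constructed Windows Security event records.
Real event IDs: 4728/4732/4756 = member added to a global/local/universal
security group, 4729/4733/4757 = member removed. Field names, the
privileged-group list, change window and ticket register are assumptions.
"""
from datetime import datetime, time

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
MEMBERSHIP_EVENTS = {4728: "added", 4732: "added", 4756: "added",
                     4729: "removed", 4733: "removed", 4757: "removed"}

# Constructed events. 2023-05-06 is a Saturday, 2023-05-08 a Monday.
SAMPLE_EVENTS = [
    {"time": "2023-05-06T03:10:00", "event_id": 4728, "group": "Domain Admins",
     "member": "svc_backup", "actor": "admin.jane"},
    {"time": "2023-05-08T14:22:00", "event_id": 4728, "group": "Domain Admins",
     "member": "bob", "actor": "bob"},
    {"time": "2023-05-08T15:00:00", "event_id": 4732, "group": "Remote Desktop Users",
     "member": "carol", "actor": "helpdesk.tim"},
    {"time": "2023-05-08T15:05:00", "event_id": 4624, "group": None,
     "member": "carol", "actor": "carol"},          # a logon, not a membership change
    {"time": "2023-05-09T10:00:00", "event_id": 4729, "group": "Domain Admins",
     "member": "bob", "actor": "admin.jane"},
]

# Constructed change register: (group, member, kind) -> ticket approving that change
APPROVED_CHANGES = {
    ("Domain Admins", "svc_backup", "added"): "CHG-1001",
    ("Domain Admins", "bob", "removed"): "CHG-1002",
}


def in_change_window(ts: datetime) -> bool:
    """Assumed policy: routine directory changes happen Saturday 02:00-06:00."""
    return ts.weekday() == 5 and time(2, 0) <= ts.time() < time(6, 0)


def evaluate_events(events, approved):
    """Return one alert record per membership change with the reasons it matters.
    Non-membership events are ignored. Severity: high = two or more reasons,
    medium = one, info = a routine, approved, in-window change."""
    alerts = []
    for ev in events:
        kind = MEMBERSHIP_EVENTS.get(ev["event_id"])
        if kind is None:
            continue
        ts = datetime.fromisoformat(ev["time"])
        reasons = []
        if ev["group"] in PRIVILEGED_GROUPS:
            reasons.append("privileged group")
        ticket = approved.get((ev["group"], ev["member"], kind))
        if not in_change_window(ts) and ticket is None:
            reasons.append("outside change window with no approved ticket")
        if kind == "added" and ev["actor"] == ev["member"]:
            reasons.append("self-grant")
        severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
        alerts.append({
            "time": ev["time"], "severity": severity, "kind": kind,
            "group": ev["group"], "member": ev["member"], "actor": ev["actor"],
            "ticket": ticket, "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in evaluate_events(SAMPLE_EVENTS, APPROVED_CHANGES):
        print(a["time"], a["severity"].upper(), a["kind"], a["member"], "->",
              a["group"], "by", a["actor"], a["reasons"])
```

The second event is the one that should page someone: an account adding itself to Domain Admins on a Monday afternoon with no ticket. The approved Saturday change and the ticketed removal still produce records, because any change to a privileged group is worth an audit entry even when it is expected, but they carry a single reason and a lower severity. Keying the ticket register on the kind of change prevents an approval for the removal from silently covering the earlier unapproved addition.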

17: Security Skills Assessment and Appropriate Training to Fill Gaps

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

Educational and Training Opportunities

Varonis staff are also avid learners and educators. Here are some of the educational opportunities we offer:

Professional Services: helps our customers use our products effectively and fulfill all of their use cases.

Varonis Blog: learn more about security, privacy, IT operations and more on our blog. We post approximately 3-4 blog posts per week.

Office Hours: one free hour of one-on-one live web session with your local engineer to discuss operational and security questions.

TechTalk: customers are invited to our bi-monthly webinars to learn about the latest security threats and vulnerabilities.

Cindy Ng

Cindy is the host of the Inside Out Security podcast.

