The SANS Top 20 Critical Controls are well-respected guidelines that organizations follow to protect their networks and intellectual property from cyberattacks. SANS is a 30-year-old research and educational organization that provides training and resources to cybersecurity experts all over the world.
SANS partners with the Center for Internet Security (CIS), as well as industry professionals from the NSA Red and Blue Teams, US Department of Energy nuclear energy labs, law enforcement, and cybersecurity experts. These teams come together from around the world to develop and maintain the SANS Top 20 Controls so that they remain updated and relevant to the current cybersecurity landscape.
Benefits of Using SANS Top 20
The CIS top 20 controls inform organizations on best practices to protect their networks. SANS built the SANS Top 20 controls around these overriding principles:
- Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
- Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors – and that can be feasibly implemented in your computing environment.
- Measurements and Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous diagnostics and mitigation: Carry out continuous measurements to test and validate the effectiveness of current security measures and to help drive the priority of the next steps.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
And if you want to see how attackers can still work around your carefully constructed defenses, check out this webinar: Attacking the Cloud and Transitioning On-Prem
Those principles drive the critical security controls. All 20 of the controls are linked below, so you can jump to whichever one you need. In this blog, we will cover each one to give you a basic understanding of what each control means.
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Devices, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capability
- Secure Configuration for Network Devices
- Boundary Defense
- Boundary Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Complete List of SANS Top 20 CIS Critical Security Controls
1. Inventory and Control of Hardware Assets
Organizations have all kinds of things attached to the network in the modern era. Routers, iPhones, wireless access points, thermostats, smart TVs, and WIFI coffee makers are all potential cyber attack vectors.
Utilize an active discovery tool to identify devices that connect to the company network. Add those devices to the hardware inventory list to maintain an accurate and up-to-date list of all network devices.
Varonis provides monitoring of network telemetry and user activity to help identity which devices are in use by which users.
2. Inventory and Control of Software Assets
Attackers commonly use known software vulnerabilities to infiltrate networks, or they use email phishing to trick users into downloading malware-infested software as their foothold in the network.
Utilize software inventory tools to track and document software and versions installed throughout the network. Use software whitelists to prevent unauthorized software installations or executions on computers or devices.
Varonis monitors and baselines network and user activity, and alerts on abnormal behavior that could indicate attempts at infiltration by a bad actor.
3. Continuous Vulnerability Management
Defenders have to manage software updates, patches, security advisories, threat bulletins, etc., to stay ahead of the known threats to the network. Attackers only need to find one vulnerability to infiltrate.
This means that defenders need a Security Content Administration Protocol (SCAP)-compliant vulnerability scanning tool that scans all systems for known vulnerabilities. SCAP is an open standard that is maintained by the National Institute of Standards and Technology (NIST) for this exact purpose.
Defenders also need some automated mechanism to update the systems to the appropriate versions as patches are released.
Because Varonis is a behavior-based system, it can detect threats that are not already known. Varonis is an extra layer of defense when attackers find an unpatched vulnerability.
4. Controlled Use of Administrative Privileges
Attackers covet administrative users. Admin users give them everything they need to infiltrate, move laterally, and exfiltrate data from a network. Attackers either infiltrate with lower permissions and try to escalate privileges from there, either by stealing admin credentials or adding the user they have to administrative groups.
Best practice for defenders is to provide two accounts for each privileged user, one for everyday use and one for administrative changes. Log and alert upon each use of a privileged user account, so there are oversight and accountability assigned to these accounts.
Varonis provides monitoring and threat modeling to detect administrator logins and potential privilege escalation attempts by attackers.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Computers and devices don’t come from the factory configured for security. Shocking, I know.
Implement a comprehensive security configuration for all devices allowed on the network, and employ a SCAP-compliant configuration monitoring system to verify that security configurations meet organizational standards.
Varonis monitors directory services for any changes to critical security configurations and alerts on any changes so your IR team can verify they are authorized changes.
6. Maintenance, Monitoring, and Analysis of Audit Logs
Audit logs are a core capability for Incident Response teams, so those logs need to be maintained and monitored for uptime and consistency. Employ an automated system to store and analyze audit logs for cyberthreats.
Varonis aggregates and analyzes logging from multiple inputs and analyzes that data for abnormal behavior that could indicate cyber attacks or insider threats.
7. Email and Web Browser Protections
Email and web browsers are the most common points of entry for cyberattacks, based on the 2019 Verizon DBIR. Enforce browser restrictions and patches.
Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy, and verification, with the Sender Policy Framework (SPF) and the DomainKeys Identified Mail(DKIM) standards to protect against spoofed or modified emails.
Varonis monitors for evidence of malware infection from browsers and email-based attacks.
8. Malware Defenses
Malware defense is a key capability for organizations. Employ centralized anti-malware systems to monitor and defend systems from known malware threats continuously.
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) in the OS or via an application.
Varonis threat detection and analysis augments any centralized anti-malware systems. Attackers have little respect for anti-malware software, which they consider easy to workaround. Varonis monitoring catches the behavior of malware to detect the attacker, and it is harder for them to avoid.
9. Limitation and Control of Network Ports, Protocols and Services
Open network ports and vulnerable or outdated protocols and services are common attack vectors attackers use to infiltrate networks. Close as many network ports as possible, only leaving the ports necessary to operate the business.
Automate port scans to detect any unauthorized open ports.
Varonis monitors perimeter telemetry for abnormal activities that can indicate potential cyberattacks.
10. Data Recovery Capability
In cases of cyberattack or system failure, it might be necessary to recover systems to maintain business continuity. Ensure system and user data gets backed up automatically on a regular schedule. Maintain disk images for critical systems to enable quick recovery of those systems.
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Similarly to hardware devices, network devices are not configured for security out-of-the-box. Attackers specifically look for known vulnerabilities in default configurations in network devices. Manage and compare all network device configurations to secured baselines. Use strong passwords and multi-factor authentication to manage device configurations.
12. Boundary Defense
The outermost layer of a cybersecurity strategy lives on the boundary. Modern security depends on the boundary to control the flow of traffic into the network using firewalls, DMZ, proxies, Intrusion Prevention, and Intrusion Detection systems. Each of these systems is another layer of protection that attackers have to navigate to infiltration and steal data.
Organizations can deny connections from known malicious IP addresses and trust traffic from a limited number of IP addresses. Use IDS and IPS sensors to detect malicious or abnormal activity coming through the boundary.
13. Data Protection
Data is the core asset of any organization. Protect corporate data from ransomware, unauthorized access, and exfiltration.
Data protection is one of Varonis’ key use cases, and we go much further into the intricacies of a broad spectrum data protection strategy than SANS does in their Top 20. One of SANS’ main points is to use tools to detect unauthorized transfer of data, but at that point, the attackers have already accessed an unknown amount of sensitive data. Varonis monitors data and helps you build protections on your data to prevent attackers from moving through the network and stealing data.
14. Controlled Access Based on the Need to Know
This SANS Top 20 Control is basically data encryption. Encrypting data provides a level of assurance that even if the data is compromised, attackers will not be able to read and utilize the data.
Encrypt sensitive data at rest and in motion to protect those assets and limit their access to only authorized users.
Varonis classifies and labels sensitive data so it can be encrypted and protected appropriately. Varonis threat detection detects abnormal access of classified data so the threat can be investigated and negated.
15. Wireless Access Control
WIFI is another common attack vector for attackers. Either they connect to wireless access points inside the network from the parking lot outside the building, or they intercept a low-security wireless connection by a user accessing WIFI outside of the company (coffee shops, airports, etc.).
Only allow wireless connections with AES encryption, and create a separate wireless network for untrusted devices.
16. Account Monitoring and Control
Active Directory (AD) is a treasure trove of unmonitored and over permissive user accounts that attackers target to infiltrate and exfiltrate data. Stale accounts with lower encryption standards and accounts without password requirements are easy targets for compromise.
Require multi-factor authentication and strong passwords for all user accounts. Clean up AD so attackers can’t use these easily compromised accounts to steal data.
Varonis scans and monitors AD for all of these vulnerabilities, and more, so you can remove the risk to your network and track and maintain a stable security posture in AD.
17. Security Skills Assessment and Appropriate Training to Fill Gaps
Humans are a huge component of any cybersecurity strategy, and also the most easily manipulated. Build workflows and processes that promote good security behaviors, and train users on good cybersecurity hygiene, and how to spot a phishing attack or social engineering attempt.
Varonis monitors users for abnormal behaviors to detect evidence of user compromise or insider threats.
18. Application Software Security
Attackers take advantage of any vulnerability they can find to infiltrate the networks, even those created by the application development teams. Developers might use an API that has an unpatched vulnerability or create a software vulnerability of their own.
Promote good development practices with ‘security by design’ principles in place. Think of security during the development process and not as an afterthought. Employ static and dynamic analysis tools to verify that code adheres to best practices and standards.
19. Incident Response and Management
Have an Incident Response (IR) plan in place for any cybersecurity incidents that occur. Check out this blog for details about creating an IR team.
Varonis provides our customers with an IR team to help investigate and understand the alerts they get. It’s a huge value add to an already valuable data security platform.
20. Penetration Tests and Red Team Exercises
Any hacker will tell you, all they need is time and motivation to get into your network. In order to prepare for that eventuality, you need to be running Red Team exercises. The Red Team simulates cyberattacks and probes your defenses to find any weaknesses or deficiencies. It’s best to find them by a Red Team and not after a data breach.
Varonis provides a Purple Team to help facilitate Red Team and Blue Team exercises with your IR and cybersecurity teams.
How To Best Implement CIS Controls
If you were to start over and build a cybersecurity strategy based on the Top 20 SANS Critical Controls, we would start with the Varonis Data Security Platform and the Varonis Operational Journey. Data is the central hub of any cybersecurity environment. If you follow this chart, you can see how Varonis covers a good majority of the Top 20 controls.
Once you have Varonis in place, add other tools and software to fill in the gaps, like perimeter security, encryption, and end-point protection. The end goal is to cover all of the controls, either through processes or software.
|1. Inventory and Control of Hardware Assets||Varonis provides monitoring of network telemetry and user activity to help identify which devices are in use by which users.|
|2. Inventory and Control of Software Assets||Varonis monitors and baselines network and user activity, and alerts on abnormal behavior that could indicate attempts at infiltration by a bad actor.|
|3. Continuous Vulnerability Management||Because Varonis is a behavior-based system, it can detect threats that are not already known. Varonis is an extra layer of defense when attackers find an unpatched vulnerability.|
|4. Controlled Use of Administrative Privileges||Varonis provides monitoring and threat modeling to detect administrator logins and potential privilege escalation attempts by attackers.|
|5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers||Varonis monitors directory services for any changes to critical security configurations and alerts on any changes so your IR team can verify they are authorized changes.|
|6. Maintenance, Monitoring, and Analysis of Audit Logs||Varonis aggregates and analyzes logging from multiple inputs and analyzes that data for abnormal behavior that could indicate cyber attacks or insider threats.|
|7. Email and Web Browser Protections||Varonis monitors for evidence of malware infection from browser and email-based attacks.|
|8. Malware Defenses||Varonis threat detection and analysis augments any centralized anti-malware systems. Attackers have little respect for anti-malware software, which they consider easy to workaround. Varonis monitoring catches the behavior of malware to detect the attacker, and it is harder for them to avoid.|
|9. Limitation and Control of Network Ports, Protocols and Services||Varonis monitors perimeter telemetry for abnormal activities that can indicate potential cyberattacks.|
|13. Data Protection||Varonis monitors data and helps you build protections on your data to prevent attackers from moving through the network and stealing data.|
|14. Controlled Access Based on the Need to Know||Varonis classifies and labels sensitive data so it can be encrypted and protected appropriately. Varonis threat detection detects abnormal access of classified data so the threat can be investigated and negated.|
|16. Account Monitoring and Control||Varonis scans and monitors AD for all of these vulnerabilities, and more, so you can remove the risk to your network and track and maintain a stable security posture in AD.|
|17. Security Skills Assessment and Appropriate Training to Fill Gaps||Varonis monitors users for abnormal behaviors to detect evidence of user compromise or insider threats.|
|19. Incident Response and Management||Varonis provides our customers with an IR team to help investigate and understand the alerts they get. It’s a huge value add to an already valuable data security platform.|
|20. Penetration Tests and Red Team Exercises||Varonis provides a Purple Team to help facilitate Red Team and Blue Team exercises with your IR and cybersecurity teams.|
The SANS Top 20 Critical Controls provide the basics of any modern cybersecurity plan, and Varonis provides the central functionality to satisfying those requirements. Follow the Varonis Operational Journey to level up data security, and fill in the gaps with complementary solutions.
And for the additional context of why you need all of these controls and more, check out this webinar: Attacking the Cloud and Transitioning On-Prem to see how attackers can still work around your carefully constructed defenses and steal data