CIS Control 13: Network Monitoring and Defense

by Lane Thames on December 1, 2021

Networks form a critical core for our modern-day society and businesses. People, processes, and technologies should be in place for monitoring, detecting, logging, and preventing malicious activities that occur when an enterprise experiences an attack within or against their networks.

Key Takeaways for Control 13

Enterprises should understand that their systems and networks are never perfectly immune to a cyberattack. Enterprises can leverage the safeguards provided by Control 13 to guide the evolution and maturity of their security posture. Network monitoring and defense should be viewed as a continuous improvement capability that involves the enterprises’ people, processes, and technologies. Enterprises need a well-trained staff the executes the organizations’ network monitoring and defense ecosystem. Monitoring and logging technologies and processes provide both real-time and historical data that can be used for understanding what malicious actors are doing along with understanding their behaviors. This provides valuable knowledge that can be used by the organization as they continuously improve and mature their security posture. Detection and prevention technologies are also necessary in today’s environment because many attack techniques move at machine speed and human reaction can be too slow to defend against an automated attack. Control 13 is designed to help organizations enable and maintain good network monitoring and defense.

Safeguards for Control 13

1: Centralize Security Event Alerting

Description: Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.