Published by Kathlyn York. Modified over 8 years ago.
Applying the CIS Critical Security Controls to the Cloud
Bart Westerink April 26, 2016
Agenda
Migration to the cloud
Overview of the top 20 security controls
Adapting the controls to the cloud
Leverage the controls to build a highly secure cloud infrastructure
Primary Motivation for Deploying Public Cloud IaaS
Source: Gartner
Shared Responsibility of Security
Traditional Security
Perimeter
Network segmentation
Strict change controls
Slower rate of change
Dedicated security hardware
Securing the Cloud
Shared responsibility
No natural perimeter
No network segmentation
Elastic and on-demand
No dedicated security hardware
What are the Top 20 Critical Controls?
A prioritized, risk-based approach to cybersecurity.
In 2008, the NSA led a consortium of security professionals from government and experts from private industry, who were asked: “In practice, what works and where do you start?”
The Critical Controls have become a blueprint to help CISOs deploy controls that have the greatest impact in improving risk posture.
Organizations should focus on securing the business first, and on documenting the process to show compliance second.
Five Critical Tenets used to develop the Controls
Offense informs defense
Prioritization
Metrics
Continuous monitoring
Automation
Five Critical Tenets #1 - Offense informs Defense
Intelligence agencies have performed thousands of investigations.
Controls are derived from the most common attack patterns.
All Rights Reserved - CloudPassage
Five Critical Tenets #2 - Prioritization
Some controls have greater impact on security risk than others.
Should I focus on configuration monitoring or awareness training?
Five Critical Tenets #3 - Metrics
How many servers are out of compliance with policy?
What percentage of my servers have critical vulnerabilities?
Five Critical Tenets #4 - Continuous Monitoring
Understand the state of systems at any given time.
Critical for rapid response.
A continuous feedback loop to validate your security controls is essential.
Five Critical Tenets #5 - Automation
Security teams need to find ways to do more with less.
Managing workloads in elastic cloud environments requires automation.
The Top 20 Critical Controls...
#1 Inventory of Authorized and Unauthorized Devices
Family: System
CSC1-1: Deploy an automated asset discovery tool. Employ both active and passive tools.
CSC1-4: Record network address, system name, purpose and asset owner.
CSC1-5: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. Must be tied to inventory.
In the public cloud, use host-based firewalls to keep unauthorized or unmanaged systems off your network.
Ephemeral resources are still in scope for auditor inspection.
#2 Inventory of Authorized and Unauthorized Software
Family: System
CSC2-1: Devise a list of authorized software and use file integrity checking to validate that the software has not been modified.
CSC2-2: Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system.
CSC2-3: Deploy a software inventory tool. Track OS, applications, version info, patch levels.
CSC2-4: Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk... location.
Maintaining a real-time inventory of software enables rapid response.
#3 Secure Configurations for Hardware and Software
Family: System
CSC3-4: Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels.
CSC3-5: Utilize file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.
CSC3-6: Implement and test an automated configuration monitoring system. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system.
Developing initial configuration settings is a complex task, and systems must be continually managed to avoid security “decay”.
In the cloud, control costs using lightweight security solutions which provide breadth.
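An added example, not part of the original deck or any CloudPassage product, of the monitoring that CSC2-1, CSC3-5 and CSC3-6 call for: a host's file hashes, listening ports, administrative users and services are snapshotted at build time and later compared against the live state, so that an altered critical file, a new port or a new admin surfaces as a finding. The file contents, ports and user names in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, chunk=65536):
    # Stream the file so large binaries are hashed without loading into memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(files, ports, admins, services):
    # One comparable record of host state: file hashes plus three sets.
    return {"files": {str(p): file_digest(p) for p in files},
            "ports": set(ports), "admins": set(admins), "services": set(services)}

def drift(baseline, current):
    # Findings as (severity, message); an empty list means no drift from baseline.
    findings = []
    for path, digest in current["files"].items():
        expected = baseline["files"].get(path)
        if expected is None:
            findings.append(("medium", f"unbaselined file: {path}"))
        elif expected != digest:
            findings.append(("high", f"critical file altered: {path}"))
    for path in baseline["files"].keys() - current["files"].keys():
        findings.append(("high", f"critical file missing: {path}"))
    for key, label, sev in (("ports", "listening port", "high"),
                            ("admins", "administrative user", "high"),
                            ("services", "service", "medium")):
        for item in sorted(current[key] - baseline[key]):
            findings.append((sev, f"new {label}: {item}"))
        for item in sorted(baseline[key] - current[key]):
            findings.append(("low", f"{label} removed: {item}"))
    return findings

def demo():
    # Constructed scenario: a config file is edited, then a port and an admin appear.
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "sshd_config"
        cfg.write_text("PermitRootLogin no\n")
        base = snapshot([cfg], {22, 443}, {"root", "ops"}, {"sshd", "nginx"})
        cfg.write_text("PermitRootLogin yes\n")
        now = snapshot([cfg], {22, 443, 4444}, {"root", "ops", "tmpadmin"},
                       {"sshd", "nginx"})
        return drift(base, now)
```

demo() returns three "high" findings (altered file, new port 4444, new admin tmpadmin); in practice the baseline would be stored off-host and the comparison run on a schedule or from a deployment hook.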
#4 Continuous Vulnerability Assessments and Remediation
Family: System
CSC4-1: Run automated vulnerability scanning tools against all systems on the network on a weekly (or more frequent) basis.
CSC4-5: Deploy automated patch management tools and software update tools for operating system and software/applications on all systems.
CSC4-6: Monitor logs for unapproved scanning activity.
CSC4-8: Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability.
Continuous monitoring of vulnerabilities enables rapid response.
Host based scanners provide great visibility, efficiency and speed.
#5 Controlled Use of Administrative Privileges
Family: System
CSC5-1: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
CSC5-3: Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
CSC5-4: Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system.
Closely monitor the creation of privileged accounts.
Use multifactor authentication to protect administrative accounts.
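The CSC5-4 alerting above, as an added example that is not from the deck: a small detector run over Linux auth-log lines that raises an alert when a user is added to or removed from an administrative group, or when a new UID-0 account is created. The admin group list and the sample log (hostname, PIDs and user names) are constructed assumptions.

```python
import re

# Groups whose membership grants administrative rights (assumed list; adjust per host).
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Message shapes as written by shadow-utils to auth.log / secure. The companion
# "to shadow group" line is deliberately not matched, so one change yields one alert.
MEMBERSHIP = [
    ("added", re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
    ("added", re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) added by \S+ to group (?P<group>\S+)")),
    ("removed", re.compile(r"gpasswd\[\d+\]: user (?P<user>\S+) removed by \S+ from group (?P<group>\S+)")),
]
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")

def alerts_for_line(line):
    # Return alert strings for one log line; an empty list means nothing to raise.
    out = []
    for action, pat in MEMBERSHIP:
        m = pat.search(line)
        if m and m.group("group") in ADMIN_GROUPS:
            prep = "to" if action == "added" else "from"
            out.append(f"{m.group('user')} {action} {prep} admin group {m.group('group')}")
    m = NEW_USER.search(line)
    if m and m.group("uid") == "0":  # a new UID-0 account is a new local administrator
        out.append(f"new local administrator account created: {m.group('user')} (UID 0)")
    return out

def scan(lines):
    # (line number, alert) pairs, ready to be forwarded to a SIEM or a pager.
    return [(n, a) for n, line in enumerate(lines, 1) for a in alerts_for_line(line)]

# Constructed sample auth log (hostname, PIDs and users are made up).
SAMPLE_LOG = [
    "Apr 26 10:01:02 web1 sshd[911]: Accepted publickey for ops from 10.0.0.5 port 51022",
    "Apr 26 10:02:15 web1 usermod[1201]: add 'alice' to group 'sudo'",
    "Apr 26 10:02:15 web1 usermod[1201]: add 'alice' to shadow group 'sudo'",
    "Apr 26 10:03:40 web1 gpasswd[1310]: user bob added by root to group developers",
    "Apr 26 10:05:09 web1 useradd[1422]: new user: name=svc-deploy, UID=0, GID=0, home=/, shell=/bin/bash",
    "Apr 26 10:07:30 web1 gpasswd[1500]: user carol removed by root from group wheel",
]

if __name__ == "__main__":
    for n, alert in scan(SAMPLE_LOG):
        print(f"line {n}: {alert}")
```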
#6 Monitoring and Analysis of Audit Logs
Family: System
CSC6-4: Have security personnel and/or system administrators run bi-weekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.
CSC6-5: Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.
CSC6-6: Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis.
Automate the collection and reporting of logs.
Human expertise and intuition are required to identify and understand attack patterns.
#7 Email and Web Browser Protections
Family: System
CSC7-3: Limit the use of unnecessary scripting languages in all web browsers and clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.
CSC7-6: Enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available.
CSC7-8: Scan and block all attachments entering the organization's gateway if they contain malicious code or file types that are unnecessary for the organization's business.
Endpoints used to manage production systems should be locked down and monitored closely.
Use secure jump hosts to separate endpoints from production systems.
#8 Malware Defenses
Family: System
CSC8-1: Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
CSC8-5: Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content.
CSC8-6: Enable DNS query logging to detect hostname lookup for known malicious C2 domains.
As malware becomes more evasive, re-assess NIDS vs HIDS.
Monitor logs, file changes, firewall connections and policy violations.
#9 Limitation and Control of Network Ports
#10 Data Recovery Capability
#11 Secure Configurations for Network Devices
#12 Boundary Defense
Family: Network
CSC12-2: On DMZ networks, configure monitoring systems (which may be built into the IDS sensors or deployed as a separate technology) to record at least packet header information.
CSC12-3: Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems.
In the public cloud, use host-based firewalls to keep unauthorized or unmanaged systems off your network.
Standardize across public, private or hybrid cloud deployments.
#12 Boundary Defense
Adopt a Least Privilege strategy.
Eliminate “soft and chewy” networks.
Host based firewalls provide a greater level of micro segmentation.
#13 Data Protection
Family: Network
CSC13-2: Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
CSC13-3: Deploy an automated tool on the network perimeter that monitors for sensitive information (e.g. PII) to discover unauthorized attempts to exfiltrate data.
In the public cloud, use volume based encryption to protect sensitive data on shared storage.
Encrypt all network communications.
Restrict and monitor outbound connectivity and secure remote access.
#14 Controlled Access based on Need to Know
#15 Wireless Access Control
#16 Account Monitoring and Control
Family: Application
CSC16-11: Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.
CSC16-13: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Implement MFA for remote access management.
Encrypt all network connections.
#17 Security Skills Assessment and Appropriate Training
Family: Application
CSC17-2: Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training.
CSC17-3: Implement a security awareness program.
Security professionals must make security processes more embedded, faster and more continuous.
The cloud accelerates DevOps because it offers scalable environments to develop and test code.
#18 Application Software Security
Family: Application
CSC18-1: For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
CSC18-4: Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment.
Continuously monitor application libraries and packages for vulnerabilities.
For applications that rely on a database, use standard hardening configuration templates.
#19 Incident Response and Management
#20 Penetration Tests and Red Team
Moving to the Cloud securely...
Use the Top 20 Critical Security Controls to guide you.
Develop sound processes: continuous monitoring, automation.
Implement the right technology: light-weight / provides breadth; automated / scalable / API / SaaS.
Work across public, hybrid and private clouds.
Benchmark yourself!
Thank You!