by Sharon Everson
February 26, 2016
Ensuring adequate protection against intrusions, attacks, and advanced persistent threats requires continuous real-time monitoring of access control and protection technologies. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. The CSF Network Defense Assurance Report Card (ARC) aligns with the access control (PR.AC) and protective technology (PR.PT) categories of the NIST Cybersecurity Framework, providing clear visibility into the status of an organization's network defense capabilities.
Employing a multi-layered defense-in-depth strategy across all endpoints provides the best protection against intrusions or attacks. Internet-facing assets, including web servers and VPNs, need to be monitored to ensure that unauthorized users do not gain access to network resources. Systems must be adequately protected by firewall policy and antivirus so that critical systems are not left vulnerable to intrusions or attacks. Wireless and mobile device vulnerabilities must be addressed so that additional security risks are not introduced into the network. Organizations that do not continuously monitor and secure network defenses will not be able to respond to threats or defend network assets appropriately.
This ARC assists organizations in improving security and network defense controls. Policy statements included within this ARC report on systems that are sending logs to the Log Correlation Engine (LCE), systems that are covered by firewall and antivirus policies, and systems that have detected intrusion or botnet activity. Additional policy statements report on VPN, wireless, and mobile devices with exploitable vulnerabilities. Having complete visibility of network security allows organizations to proactively respond to threats, mitigate vulnerabilities, and take preventative measures before any serious damage occurs.
The information provided in this ARC gives a baseline for measuring whether an organization's information security policies, as currently enforced, are effective. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:
- Tenable.sc 5.2.0
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Tenable.sc CV can help an organization continuously monitor and measure the effectiveness of security controls. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network defense posture.
ARC Policy Statements:
At least 95% of systems are sending logs: This policy statement compares the number of systems that are sending logs to the Log Correlation Engine to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Logs can provide valuable information on network, application, and security events from multiple devices across a network. To get the clearest picture of network status and security, all systems on the network should be sending logs to LCE.
At least 95% of Internet facing systems are sending logs: This policy statement compares the number of Internet-facing systems that are sending logs to the Log Correlation Engine to total Internet-facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems that face the Internet should especially be sending logs to LCE. Logs can provide valuable information on network, application, and security events from multiple devices, which can help to identify possible intrusions or attacks. To get the clearest picture of network status and security, all systems on the network should be sending logs to LCE.
At least 90% of systems are protected by a firewall policy: This policy statement compares the number of systems that are protected by a firewall policy to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Firewall policies may be applied to workstations, servers, and other devices, which can filter both inbound and outbound traffic. When properly configured, firewalls can help to improve network security and reduce risk to network devices by filtering access to ports and services. Systems that are not covered by a firewall policy should be investigated immediately by the organization, as this could indicate a possible unauthorized or unknown host on the network, or a host vulnerable to attack.
At least 90% of Windows and Mac OS systems have active up-to-date antivirus protection: This policy statement compares the number of systems with active and up-to-date antivirus protection to total systems, for Windows and Mac OS systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. All systems should have active and up-to-date antivirus software installed to protect against malware infections. Organizations can use this information to identify and resolve antivirus software issues on systems.
Less than 15% of systems have detected intrusion activity: This policy statement compares the number of systems that have detected intrusion activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Intrusion events include password guessing, IDS events, and network sweeps, among other things. Intrusion events could indicate ongoing attacks or hosts that have been compromised. Organizations should investigate intrusion events to determine the scope, impact, and actions needed for remediation.
No systems have been detected interacting with known botnets: This policy statement compares the number of systems detected interacting with known botnets to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Tenable.sc receives a daily updated list of IP addresses and domains that are participating in known botnets. Using this information, systems on the network that interact with known botnets can be detected. Any systems interacting with known botnets should be investigated immediately by the organization to minimize security risks.
No unusual VPN activity has been detected: This policy statement compares the number of systems that have detected unusual VPN activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement utilizes the LCE event “VPN_Login_From_Unusual_Source”. This event triggers when a VPN login originates from a source IP address that is not part of the same class B address space as what is normal for the login user ID. Systems that detect unusual VPN activity should be investigated immediately by the organization, as this could indicate possible unauthorized activity.
No systems with VPN access have exploitable vulnerabilities: This policy statement compares the number of systems that have exploitable vulnerabilities to total systems, for systems with VPN access. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. VPN access provides secure access over an insecure connection to an organization’s network. Reducing the number of exploitable vulnerabilities can greatly help to reduce the risk to the network. Systems with VPN access that have exploitable vulnerabilities should be remediated immediately.
No mobile devices have exploitable vulnerabilities: This policy statement compares the number of devices that have exploitable vulnerabilities to total devices, for voice and mobile devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on mobile devices increase the network’s potential exposure to malicious activity and should be remediated if possible.
No systems have wireless vulnerabilities: This policy statement compares the number of systems with wireless vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with detected wireless vulnerabilities should be investigated immediately to minimize potential security risks. This information can also assist the organization in finding authorized and unauthorized wireless access points.
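The policy statements above all reduce to the same green/red test: a ratio of matching systems to a scoped total, compared against an "at least", "less than" or "none" threshold, plus the class B (/16) rule behind the unusual VPN login event. The following is an added example, not Tenable's own code, that evaluates a subset of these statements against a constructed inventory and applies the /16 check to constructed VPN login records; the asset fields and the per-user baseline are assumptions.

```python
import ipaddress

def asset(ip, logs=True, inet=False, fw=True, intrusion=False, botnet=False):
    # Constructed inventory record; field names are assumed, not a Tenable.sc export format.
    return {"ip": ip, "logs": logs, "inet": inet, "fw": fw, "intrusion": intrusion, "botnet": botnet}

ASSETS = [  # constructed sample data
    asset("10.1.0.1", inet=True), asset("10.1.0.2", inet=True), asset("10.1.0.3", inet=True),
    asset("10.1.0.4", inet=True, intrusion=True), asset("10.1.0.5"), asset("10.1.0.6"),
    asset("10.1.0.7", logs=False), asset("10.1.0.8", fw=False),
    asset("10.1.0.9", botnet=True), asset("10.1.0.10"),
]

# (statement, mode, threshold, condition counted, scope filter or None for all systems)
POLICIES = [
    ("At least 95% of systems are sending logs", "at_least", 0.95, lambda a: a["logs"], None),
    ("At least 95% of Internet facing systems are sending logs", "at_least", 0.95,
     lambda a: a["logs"], lambda a: a["inet"]),
    ("At least 90% of systems are protected by a firewall policy", "at_least", 0.90, lambda a: a["fw"], None),
    ("Less than 15% of systems have detected intrusion activity", "less_than", 0.15, lambda a: a["intrusion"], None),
    ("No systems have been detected interacting with known botnets", "none", 0.0, lambda a: a["botnet"], None),
]

def evaluate(assets, policies):
    """Return {statement: (colour, share)} the way an ARC renders each policy statement."""
    results = {}
    for name, mode, threshold, cond, scope in policies:
        pool = [a for a in assets if scope is None or scope(a)]
        matched = sum(1 for a in pool if cond(a))
        share = matched / len(pool) if pool else 0.0
        if mode == "at_least":
            ok = share >= threshold
        elif mode == "less_than":
            ok = share < threshold
        else:  # "none": a single match turns the statement red
            ok = matched == 0
        results[name] = ("green" if ok else "red", round(share, 3))
    return results

def unusual_vpn_logins(logins, baseline):
    """Flag (user, source) logins whose source lies outside the class B (/16) network
    that is normal for that user; users with no baseline are flagged as well."""
    flagged = []
    for user, src in logins:
        if user not in baseline:
            flagged.append((user, src))
            continue
        normal_net = ipaddress.ip_network(f"{baseline[user]}/16", strict=False)
        if ipaddress.ip_address(src) not in normal_net:
            flagged.append((user, src))
    return flagged
```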