Overview

The Consensus Audit Guidelines (CAG), also known as the Twenty Critical Security Controls for Cyber Defense, provide a comprehensive framework for proactive cybersecurity measures. These guidelines, developed by the SANS Institute, focus on essential safeguards and best practices to ensure the confidentiality, integrity, and availability of critical system resources. The SANS CAG is independent of regulatory compliance requirements and advocates an “offense must inform defense” approach to cybersecurity.

For more information, refer to the SANS publication: https://www.sans.org/blog/cis-controls-v8/

Netsurion Managed XDR for SANS CAG Compliance

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to meet the requirements outlined in SANS CAG compliance. With comprehensive monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.

By leveraging Netsurion Managed XDR’s capabilities, organizations can effectively address the control objectives outlined in the SANS CAG, bolstering their cybersecurity defenses and ensuring compliance with industry-leading security standards.

Using Netsurion Managed XDR to meet SANS CAG Requirements

CSC 1: Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Netsurion Open XDR can import from asset databases, and correlate actual devices present on the network against lists of approved devices. Netsurion Open XDR can also collect logs from DHCP servers to help detect unknown or unauthorized systems.

Netsurion Open XDR supports the Control 1 Metric by identifying new unauthorized devices being connected to the network in near real time (for example via DHCP logs).
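The DHCP-based check described above, as an added illustration that is not Netsurion code: constructed DHCP audit-log lines (loosely following the Windows DHCP server CSV layout, where ID 10 is a new lease and ID 11 a renewal) are correlated against a constructed approved-device inventory keyed by MAC address, and any lease for a MAC outside the inventory is reported once.

```python
import csv
from io import StringIO

# Approved hardware inventory (constructed sample, standing in for an export from an
# asset database). Keys are MAC addresses normalised to lowercase without separators.
APPROVED_DEVICES = {
    "00aabbccdd01": "ws-finance-01",
    "00aabbccdd02": "ws-finance-02",
    "00aabbccdd03": "printer-3f",
}

# Constructed DHCP audit-log lines, loosely following the Windows DHCP server CSV layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address  (10 = Assign, 11 = Renew).
SAMPLE_DHCP_LOG = """\
10,06/14/23,08:02:11,Assign,10.20.1.25,ws-finance-01.corp.local,00AABBCCDD01
11,06/14/23,08:05:40,Renew,10.20.1.26,ws-finance-02.corp.local,00-AA-BB-CC-DD-02
10,06/14/23,08:09:03,Assign,10.20.1.77,android-9f3c,3C:5A:B4:10:22:9E
11,06/14/23,08:12:30,Renew,10.20.1.77,android-9f3c,3c:5a:b4:10:22:9e
10,06/14/23,08:10:18,Assign,10.20.1.78,,00AABBCCDD03
"""

def normalise_mac(mac: str) -> str:
    """Strip separators and case so MACs from different sources compare equal."""
    return mac.replace(":", "").replace("-", "").strip().lower()

def find_unauthorized_devices(log_text: str, approved: dict) -> list:
    """Return (ip, hostname, mac) for each distinct MAC that obtained or renewed a
    lease (event ID 10 or 11) but is absent from the approved inventory."""
    findings, seen = [], set()
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue                      # ignore other DHCP audit events
        mac = normalise_mac(row[6])
        if mac in approved or mac in seen:
            continue                      # approved, or already reported this run
        seen.add(mac)
        findings.append((row[4], row[5] or "<no hostname>", mac))
    return findings

if __name__ == "__main__":
    for ip, host, mac in find_unauthorized_devices(SAMPLE_DHCP_LOG, APPROVED_DEVICES):
        print(f"ALERT unauthorized device: ip={ip} host={host} mac={mac}")
```

The same correlation generalises to any lease source (a network access control system, a switch's MAC table) as long as both sides are normalised to the same MAC representation before comparison.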

CSC 2: Inventory of Authorized and Unauthorized Software

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Netsurion Open XDR monitors for the installation or execution of software. Netsurion Open XDR can also create and maintain dynamic lists of approved software based on behavioral monitoring that may be operated in the environment.

Netsurion Open XDR supports the Control 2 Metric by identifying attempts to install authorized/unauthorized software (for example via Windows application logs or the Application Monitoring feature) and by identifying attempts to execute unauthorized software (by monitoring process startups).

CSC 3: Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Netsurion Open XDR collects logs from vulnerability scanners. It is able to correlate event logs with data from vulnerability scans. Netsurion Open XDR can monitor the use of the account that was used to perform the vulnerability scan.

Netsurion Open XDR supports the Control 3 Metric by collecting logs and data from vulnerability scans. This enables Netsurion Open XDR to correlate both the data from the scan and the logs about the scan, providing the basis to report on progress of the vulnerability scan, and of any devices where the scan did not take place. Netsurion Open XDR can also collect logs relating to patch installation, and can trigger an alert based on successful completion.

CSC 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Netsurion Open XDR collects logs from almost any device and can monitor the use of default, generic, service and other privileged accounts.

Netsurion Open XDR supports the Control 4 Metric by collecting logs on administrative activities from across the infrastructure. Netsurion Open XDR offers out-of-the-box Privileged User Monitoring, which simplifies the task of tracking and monitoring accounts with elevated privileges and automates a number of tasks that are generally done manually.

Netsurion Open XDR can be used in combination with multiple operating systems (various Linux distributions, Windows, Solaris, etc.) in addition to MS Exchange server 2007 and 2010. Netsurion Open XDR’s unique ability to simultaneously correlate data across multiple applications and devices strengthens privileged user monitoring and exposes suspicious activity performed by administrative accounts.

CSC 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Netsurion Open XDR monitors the use of privileged or generic accounts, the startup of services, the use of ports, and the application of patches. Netsurion Open XDR can also detect changes to key files through its Change Audit feature.

Netsurion Open XDR supports the Control 5 Metric by identifying changes to key files, services, ports, configuration files, or software installed on the system.

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Netsurion Open XDR provides a comprehensive platform for the maintenance, monitoring and analysis of audit logs. Netsurion Open XDR supports the Control 6 Metric by collecting all events from across the network.

Netsurion Open XDR performs extensive processing of every log that is collected, assigning a common event type and establishing a risk-based priority for each log.

Netsurion Open XDR’s patented real-time analytics technology can baseline behavior of users, hosts and data from across the network. Once a baseline is established, abnormal behavior can be detected and alerted on.

CSC 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Netsurion Open XDR can collect logs from email and web-content filtering tools. Netsurion Open XDR is tightly integrated with MS Exchange, Office 365 and many more.

CSC 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Netsurion Open XDR collects logs from malware detection tools and correlates those logs with other data collected in real time to eliminate false positives and detect blended threats. Netsurion Open XDR can also collect logs from email and web-content filtering tools. Via its advanced agent, Netsurion Open XDR can detect and report data copied to removable storage devices.

Netsurion Open XDR is tightly integrated with industry-leading security vendors including FireEye, Fortinet and Palo Alto, among many others. Netsurion Open XDR supports the Control 8 Metric by continually collecting and monitoring logs from a wide variety of malware detection tools, in addition to its own agent technology.

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

By collecting logs from port scanners, Netsurion Open XDR is able to detect open ports on the network.

Netsurion Open XDR can also collect logs on protocols in use and services starting up on individual devices. Netsurion Open XDR supports the Control 9 Metric by collecting logs from across the environment and baselining the behavior patterns observed over a period of time. Using this baseline, deviations from normal or expected behavior can be detected and alerts generated.

CSC 10: Data Recovery Capability

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

Netsurion Open XDR collects logs from Windows and other backup systems. Netsurion Open XDR can detect backups that did not successfully complete, or backups that did not start.

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Netsurion Open XDR collects logs from any network device that generates syslog or SNMP.

Netsurion Open XDR supports the Control 11 Metric by collecting logs from network devices and correlating changes against a change control system to identify and alert on any unauthorized changes.

CSC 12: Boundary Defense

Detect/prevent/correct the flow of information transferring across networks of different trust levels, with a focus on security-damaging data.

Netsurion Open XDR collects logs from a wide variety of boundary defense devices for correlation or compliance purposes.

Netsurion Open XDR supports the Control 12 Metric by collecting logs from boundary defense devices.

Netsurion Open XDR can build trends of data flows based on observed behavior and alert on deviations from normal behavior. By understanding the internal network infrastructure, internal and external context can be added to alerts, helping identify unexpected traffic flows such as a website in the DMZ communicating directly with a SQL database, rather than communicating via the application layer.

Netsurion Open XDR also offers out-of-the-box support for third-party threat lists and custom IP address blacklists, and can alert in real time when connections are made to any blacklisted IP address or host.

CSC 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

Netsurion Open XDR collects logs from both endpoints and network perimeter devices in order to assist in the detection of data loss incidents.

Netsurion Open XDR supports the Control 13 Metric by collecting logs from endpoints, authentication systems, boundary defense devices, proxies and email servers, amongst others. Netsurion Open XDR is able to detect abnormal activity in real time, because its patented real-time analytics technology is able to establish baselines of behavior.

CSC 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Netsurion Open XDR collects audit logs from across the network. Fully integrated Change Auditing capabilities monitor for and alert on a variety of malicious behaviors, ranging from improper user access to confidential files, to botnet-related breaches and transmittal of sensitive data.

Netsurion Open XDR supports the Control 14 Metric by collecting logs of all attempts by users to access files on local systems or network accessible file shares without the appropriate privileges. Netsurion Open XDR Change Audit can also be used to establish a baseline of normal behavior against a file or file set, and can alert on deviations from that behavioral baseline.

CSC 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.

Netsurion Open XDR collects logs from a variety of wireless devices and management systems. In conjunction with logs collected from DHCP servers, wireless clients may be detected when connecting to the organization’s network.

Netsurion Open XDR supports the Control 15 Metric by collecting logs from wireless devices, wireless management systems, and DHCP. Real-time correlation of these logs enables the identification of unauthorized wireless devices or configurations.

CSC 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts (their creation, use, dormancy, deletion) in order to minimize opportunities for attackers to leverage them.

Netsurion Open XDR collects audit logs from across the network for both local and network accounts. Netsurion Open XDR supports the Control 16 Metric by collecting logs of all user activity and correlating this with lists of privileged, generic and service accounts, and also with lists of accounts for users that are terminated. Using Change Audit, lists can be automatically maintained when changes take place in the environment. Netsurion Open XDR can alert when the use of terminated accounts is observed, and offers extensive reporting capabilities in this area.

Netsurion Open XDR can also establish baselines of normal account behavior. For example, Netsurion Open XDR can track which servers a user normally connects to, and alert on a deviation from that norm.
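The account correlation and per-user baseline described for Control 16, as an added illustration that is not Netsurion code: constructed logon records (in the shape of parsed Windows Security 4624 events) are first used to build a baseline of which hosts each account normally reaches, then new records are checked against a terminated-account list, a privileged/service-account list, and that baseline.

```python
from collections import defaultdict

# Constructed logon records, shaped like parsed Windows Security 4624 (successful logon)
# events: (timestamp, account, target host). Not real log data.
BASELINE_EVENTS = [
    ("2023-06-01T09:01", "alice", "fileserver01"),
    ("2023-06-01T09:30", "alice", "mail01"),
    ("2023-06-02T08:55", "alice", "fileserver01"),
    ("2023-06-02T10:00", "bob", "sql01"),
    ("2023-06-02T23:00", "svc_backup", "backup01"),
]
NEW_EVENTS = [
    ("2023-06-14T09:03", "alice", "fileserver01"),   # normal for alice
    ("2023-06-14T02:17", "alice", "sql01"),          # alice has never reached sql01
    ("2023-06-14T12:40", "carol", "fileserver01"),   # carol is on the terminated list
    ("2023-06-14T13:05", "svc_backup", "backup01"),  # service account, tracked separately
]
# Constructed account lists, standing in for the HR/IAM-fed lists the text mentions.
TERMINATED_ACCOUNTS = {"carol"}
PRIVILEGED_OR_SERVICE_ACCOUNTS = {"svc_backup", "administrator"}

def build_baseline(events):
    """Map each account to the set of hosts it logged on to during the baseline window."""
    baseline = defaultdict(set)
    for _, account, host in events:
        baseline[account].add(host)
    return baseline

def evaluate(events, baseline, terminated, privileged):
    """Return alerts as (severity, account, host, reason). A terminated account in use is
    reported as high severity; a host outside the account's baseline as medium; any
    privileged/service logon is additionally recorded at info level for reporting."""
    alerts = []
    for ts, account, host in events:
        if account in terminated:
            alerts.append(("high", account, host, f"terminated account used at {ts}"))
        elif account not in baseline:
            alerts.append(("medium", account, host, f"account has no baseline; first seen {ts}"))
        elif host not in baseline[account]:
            alerts.append(("medium", account, host, f"first logon to this host at {ts}"))
        if account in privileged:
            alerts.append(("info", account, host, f"privileged/service account logon at {ts}"))
    return alerts

if __name__ == "__main__":
    for sev, account, host, reason in evaluate(NEW_EVENTS, build_baseline(BASELINE_EVENTS),
                                               TERMINATED_ACCOUNTS, PRIVILEGED_OR_SERVICE_ACCOUNTS):
        print(f"[{sev}] {account} -> {host}: {reason}")
```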

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

SANS Control 17 is policy-based and focuses on skills and training. Netsurion Open XDR is able to monitor user compliance with policy and send alerts in real time when credentials are used in an abnormal manner. Since all user activity is logged and collected, correlation and reporting are effective methods for monitoring the adherence to policy.

CSC 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Netsurion Open XDR collects logs from web application firewalls and from vulnerability scanners.

Netsurion Open XDR supports the Control 18 Metric through its ability to correlate across various application and device logs at once. It is especially well positioned to create meaningful, relevant alerts around suspicious web log data. Netsurion Open XDR provides out-of-the-box alerts for detecting suspicious URL characters and malicious user agent strings, in addition to automatically populating an “attacking IPs list.” This list enables reporting on the source IPs that are attacking the web applications.

Netsurion Open XDR collects logs from WAFs and IDS/IPS systems, in addition to vulnerability scanners. All security event logs are correlated in real time.

CSC 19: Incident Response and Management

Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

SANS Control 19 is policy-based and focuses on having a clear Incident Response policy. Netsurion Open XDR has an integrated incident management capability, providing real-time updates on an incident’s status (i.e., working, closed, etc.). Status and commentary can be attached to each alert and progress reports can be generated on demand.

CSC 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Netsurion Open XDR collects logs from across the environment. It is a valuable monitoring tool during any penetration test or red team exercise.

Netsurion Open XDR enables the accounts used in the penetration test to be automatically monitored for legitimate use. Netsurion Open XDR also enables the detection of unusual behavior and may be used to detect attempts to exploit the enterprise systems during penetration testing.