Your senior leadership started stressing out about data breaches. It’s not that they haven’t worried before, but they’ve also started looking at the rising tide of data breach awareness. Specifically, they’re starting to see more new security and privacy laws passed at the state and federal levels. Now, you’ve been tasked with the very unenviable job of choosing a compliance framework, and you’re looking at the Center for Internet Security (CIS) Controls. Understanding CIS Control compliance and centralized log management’s ability to document activities can help decision-making.
WHAT ARE THE CIS CONTROLS?
The CIS Controls consist of twenty basic controls organized across three maturity stages to move from basic cyber hygiene to more advanced cybersecurity based on their needs.
Organizations define their security and compliance based on the capabilities across the three Implementation Groups (IG):
- IG 1: Small to medium-sized companies with limited IT and cybersecurity expertise to dedicate to protecting data
- IG 2: Companies with staff responsible for managing and protecting IT infrastructure and some regulatory compliance requirements
- IG 3: Companies that have dedicated security team with individuals specializing in different areas of cybersecurity, highly regulated, and potential for significant harm to public welfare from successful attack
WHY USE THE CIS CONTROLS?
The CIS Controls take a very “come as you are” approach which means organizations of any size, sophistication, and staffing can use them. Even better, you can grow your CIS Controls compliance program and your business so that you don’t need to start all over as you scale.
CIS includes 18 categories of controls and lists a series of safeguards within each category. As a company moves from one IG to the next, it layers additional safeguards on top of what it already has.
The categories of CIS Controls are:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response
- Penetration Testing
To get a sense of how the layering of controls works, let’s look at Control 01: Inventory and Control of Enterprise Assets. Control 01 has five total safeguards:
- IG 1: implement 2 safeguards
- IG 2: implement the original 2 safeguards and layer 2 more on top
- IG 3: implement all 5 safeguards
As a maturity model, the CIS controls consider your current technology and staffing needs, then give you a path to scale security at the pace you scale your business operations.
WHAT REGULATIONS OR STANDARDS MAP TO THE CIS CONTROLS?
Since CIS controls are so flexible, you’ll find that many different standards and regulations reference them. Although the CIS Controls may not get you fully compliant for each, it can be a good jumping-off point, especially if you’re new to compliance.
Some notable regulations and standards include:
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
- NIST Special Publication 800-171
- NIST SP 800-53
- Federal Information Security Management Act of 2002 (FISMA)
- Federal Financial Institutions Examination Council (FFIEC) Information Security Handbooklet
- North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
- United Kingdom (UK) Cyber Essentials
- UK Information Commissioner’s Office (ICO) Protecting Data
- Payment Card Industry Data Security Standard (PCI DSS)
For companies that need to achieve Cybersecurity Maturity Model Certification (CMMC) compliance requirements, it’s important to note that the ability to map CIS Controls to NIST SP 800-171 and NIST 800-53 can help you. If you’ve put the CIS mitigation controls in place, you can review this mapping document to see what else you need to do.
WHY IS IT HARD TO COMPLY WITH CIS?
CIS Controls seem pretty straightforward. After all, there aren’t that many of them. On the other hand, the deeper you go into them, the more complex they become. Fundamentally, the CIS Controls give you a way to approach compliance by starting with security then documenting what you’re doing.
The more complex your environment is, the more difficult it is to secure. For example, CIS requires you to ensure that you use automated patch management to update operating systems and applications across all three Implementation Groups.
The problem is that while this sounds easy, you need to prove that you actually installed all security updates as required.
The proof here is the hard part. After all, your company may have hundreds of devices, all with multiple applications installed. You need to automate the patch installation and make sure that the patches are actually installed.
One device with one application that isn’t installed correctly can lead to a data breach and a compliance issue.
HOW CENTRALIZED LOG MANAGEMENT HELPS COMPLY WITH CIS CONTROLS
Your audit logs, also referred to as event logs, give you the pieces of data about every action occurring across your environment. Log files give you information about users, devices, networks, and applications so that you know what happened and when it happened.
The Center for Internet Security also recognizes this. In fact, it devotes an entire control – applicable to all three Implementation Groups – to audit log management.
Even just a look at several IG 1 level controls gives insight into how centralized log management’s single location for collecting, aggregating, correlating, and analyzing all event logs can help you secure your environment according to CIS Controls v.8 more effectively.
IG 1 – ESTABLISH AND MAINTAIN AN AUDIT LOG MANAGEMENT PROCESS
This one is pretty obvious since “audit logs” is in the title. However, here’s the challenging part.
According to the CIS Controls, you need to:
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets.Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Not only do you have to collect all the logs, but you need to review and retain them. The whole purpose of collecting the audit logs is to get visibility into your security posture. If you’re not reviewing them, you’re not really going to benefit from just the collection.
Centralized log management gives you the visibility to collect and make sense of all your data. With centralized log management, you can:
- Collect logs: ingest them from across on-premises, multi-cloud, and hybrid locations
- Parse logs: Take out the important information so that you can use the data effectively
- Normalize logs: standardize the formatting to make it easier to engage in review
- Retain logs: store in a compressed format that reduces costs while keeping logs available as required
IG 1: CONTROL 3.3 CONFIGURE DATA ACCESS CONTROL LISTS
Digital transformation and remote work removed the traditional perimeters. Today, managing user access to data is a primary technical control used to mitigate risk. If threat actors gain access to a system or network through a compromised credential, limiting access makes it harder for them to do damage.
According to CIS Controls, you need to:
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
With centralized log management, you can track and monitor user activity to make sure that your controls are working and document your posture.
IG 1: Control 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
You can only report incidents that you’re able to detect. Trying to compare security audit logs manually isn’t practical, efficient, or effective in complex environments.
According to CIS Controls, you need to:
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Centralized log management’s ability to aggregate, correlate, and analyze security event log data helps you manage the reporting timeframes and gives you the information needed to provide reports.
With a centralized log management tool, you can create events that trigger high-fidelity alerts. Even at an IG 1 maturity level, you can focus your staff more efficiently to create a better incident response process.
Graylog for CIS Controls Compliance
Graylog’s centralized log management solution meets you where you are, just like the CIS Controls do. Our solution is flexible and scalable to grow along with your business. We make it easy to visualize and explore data so that you can meet the technical requirements from an IG 1 through IG 3 maturity level. For IG 1 maturity level companies, Graylog helps your team manage daily IT operations and security functions in a single location.