CIS Control 13: Network Monitoring and Defense
DEEP DIVE: Details network monitoring, IDS, and IPS implementations. Updated to link and contextualize within the CIS Critical Security Controls v8 framework.
As an integral component of the CIS Critical Security Controls Version 8 framework, CIS Control 13: Network Monitoring and Defense requires enterprises to operate processes and tooling that establish comprehensive network monitoring. Its primary goal is to actively defend against security threats across both the network infrastructure and the user base.
While foundational controls focus on building secure systems, Control 13 operates on the realistic assumption that preventative network defenses are never perfect. Adversaries continuously evolve, discovering bypasses to static security controls. Consequently, continuous monitoring and active defense mechanisms are necessary to detect malicious activity that slips past initial barriers.
Why Control 13 is Critical
Security tools are only as effective as their configuration and the human analysis behind them. Relying solely on default "out-of-the-box" settings for firewalls or detection engines often results in a false sense of security. Without proper tuning, security tools can generate overwhelming alert fatigue or, conversely, silently drop malicious traffic.
Effective implementation of Control 13 creates a situational awareness program, bridging the gap between passive log collection (covered in CIS Control 8: Audit Log Management) and active incident handling (covered in CIS Control 17: Incident Response Management). Note that implementing Control 13 requires a mature operational capability; therefore, Implementation Group 1 (IG1) is not required to implement these safeguards, while IG2 and IG3 take on progressively more advanced monitoring responsibilities.
Core Safeguards and Implementations
Centralized Security Event Alerting (13.1)
To effectively analyze incidents, organizations must centralize security event alerting. The best practice implementation of this safeguard is the deployment of a Security Information and Event Management (SIEM) system or a log analytics platform.
- Practical Implementation: A SIEM should ingest data from endpoints, network devices, and cloud environments. It must utilize vendor-defined event correlation alerts and custom rules tailored to the organization's specific baseline.
- Edge Cases: In highly segmented networks, ensuring log forwarders can securely reach the centralized SIEM without opening unnecessarily broad firewall rules requires careful architecture.
Intrusion Detection Solutions (13.2 & 13.3)
Control 13 requires the deployment of both Host-Based Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS).
- HIDS (13.2): Installed directly on enterprise assets, HIDS monitors system internals, such as file integrity, registry changes, and local network activity. This is highly effective for identifying laterally moving malware or privilege escalation attempts.
- NIDS (13.3): Placed at strategic network chokepoints, NIDS inspects traffic in transit.
- Cloud Environments: In cloud infrastructure, traditional NIDS appliances are often impractical. Cloud Service Provider (CSP) equivalents, such as AWS GuardDuty or VPC Traffic Mirroring directed to virtual NIDS instances, fulfill this requirement. Furthermore, with the rise of encrypted traffic, NIDS can be "blinded" without TLS decryption, requiring modern deployments to either integrate with load balancers for decrypted inspection or rely more heavily on HIDS and flow logs.
Traffic Filtering Between Network Segments (13.4)
Building upon the architecture established in CIS Control 12: Network Infrastructure Management, this safeguard mandates active traffic filtering between network segments. By compartmentalizing the network (e.g., separating guest Wi-Fi from the core database network, or staging from production), an organization limits the blast radius of a potential breach.
Managing Access Control for Remote Assets (13.5)
Remote work introduces significant risk because assets operate outside the protected corporate perimeter. Control 13 dictates that remote access should not be granted blindly. Access levels must be dynamically determined based on an endpoint's current security posture. Before establishing a VPN or remote connection, the system should verify:
- Active, updated compliance with CIS Control 10: Malware Defenses.
- Alignment with the secure baselines defined in CIS Control 4: Secure Configuration of Enterprise Assets and Software.
- Current patch levels for the OS and critical applications.
If a remote asset fails these posture checks, it should be quarantined or granted highly restricted "remediation-only" access.
Collecting Network Traffic Flow Logs (13.6)
Capturing full packet data is often cost-prohibitive and computationally intensive. Collecting network traffic flow logs (such as NetFlow, sFlow, or IPFIX) provides a metadata-level view of network communications. Flow logs are lightweight and highly effective for identifying anomalous traffic patterns, such as a compromised server continuously communicating with a known-bad external IP address, or massive data exfiltration events characterized by sudden, large outbound data transfers.
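As an added example (not part of the CIS document), the two flow-log detections described above run over a constructed, simplified CSV export of flow records; the blocklist entry, address ranges, byte thresholds and field names are all assumptions made for the illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample records (simplified CSV export); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,bytes
2024-05-01T09:00:00Z,10.0.1.20,203.0.113.9,443,1200
2024-05-01T09:05:00Z,10.0.1.20,203.0.113.9,443,1100
2024-05-01T09:10:00Z,10.0.1.20,203.0.113.9,443,1300
2024-05-01T09:20:00Z,10.0.1.21,198.51.100.4,443,4800
2024-05-01T09:25:00Z,10.0.1.21,198.51.100.4,443,5200
2024-05-01T09:35:00Z,10.0.1.21,198.51.100.7,443,950000000
2024-05-01T09:40:00Z,10.0.1.22,10.0.2.5,5432,60000
"""

KNOWN_BAD = {"203.0.113.9"}   # placeholder blocklist entry, constructed for this example
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BEACON_MIN_FLOWS = 3           # repeated contacts before a (src, dst) pair is reported
EXFIL_RATIO = 10.0             # flow must exceed this multiple of the host's median outbound size
EXFIL_MIN_BYTES = 100_000_000  # and this absolute floor, so tiny baselines do not trip it

def parse_flows(text):
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["bytes"] = int(r["bytes"])
    return rows

def detect_known_bad(flows):
    """(src, dst) pairs where a host repeatedly contacts a blocklisted address."""
    counts = defaultdict(int)
    for f in flows:
        if f["dst_ip"] in KNOWN_BAD:
            counts[(f["src_ip"], f["dst_ip"])] += 1
    return {pair: n for pair, n in counts.items() if n >= BEACON_MIN_FLOWS}

def detect_large_outbound(flows):
    """Outbound flows far larger than the same host's usual outbound flow size."""
    by_host = defaultdict(list)
    for f in flows:  # keep only internal -> external flows
        if (ipaddress.ip_address(f["src_ip"]) in INTERNAL
                and ipaddress.ip_address(f["dst_ip"]) not in INTERNAL):
            by_host[f["src_ip"]].append(f)
    alerts = []
    for host, host_flows in by_host.items():
        median = sorted(x["bytes"] for x in host_flows)[len(host_flows) // 2]
        for f in host_flows:
            if f["bytes"] >= EXFIL_MIN_BYTES and f["bytes"] >= EXFIL_RATIO * median:
                alerts.append((host, f["dst_ip"], f["bytes"]))
    return alerts
```

Because the size check is relative to each host's own median outbound flow, a backup server that routinely moves large volumes is not flagged the way a workstation making a single huge transfer is.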
Advanced Capabilities: Threat Hunting
For highly mature environments (IG3), Control 13 encourages the transition from reactive alerting to proactive Threat Hunting. Even perfectly tuned SIEMs and detection engines will miss novel, "living off the land" attacks. Threat hunting involves highly trained staff manually querying system logs, analyzing data flows, and reviewing behavioral anomalies to uncover hidden adversaries.
Successful threat hunting and network defense ultimately depend on complete visibility. Therefore, Control 13 is highly reliant on accurate asset data provided by CIS Control 1: Inventory and Control of Enterprise Assets—you cannot defend or monitor segments of the network you do not know exist.