Skip to content
    How Blumira Helps With

    CIS Critical Security Controls Version 8 Compliance Framework

    See how Blumira maps to CIS v8 controls, plus how those controls map to other compliance frameworks, including NIST, FFIEC, and PCI DSS. For questions or to learn more on how we can help with compliance, contact us.

    Industry Goverment screenshot
    Introduction

    Data Security and CIS Critical Security Controls Version 8

    Formerly the SANS Critical Security Controls or SANS Top 20, the CIS Top 18 refers to Version 8 of CIS Controls. These are recommended practices for securing systems and devices, informed by an international community that has shared attack insights, identified root causes, and translated it into classes of defensive action. As the importance of physical devices and fixed boundaries lessens, CIS consolidated the controls in Version 8 by activities rather than by who manages the devices. The CIS controls are also mapped to regulatory and compliance frameworks to ensure alignment.

    CIS controls provide a starting point for organizations with no formal strategies or security baselines. Even implementing a few of these controls can significantly improve an organization’s security posture.

    How Blumira Can Help: CIS Controls 1-18

    The Blumira cloud SIEM platform helps your organization easily meet and exceed CIS framework requirements for logging, monitoring, threat detection, and response.

    • 1.0. Inventory and Control of Enterprise Assets: 1.0.

      1.0. Inventory and Control of Enterprise Assets: 1.0.

      1.0. Inventory and Control of Enterprise Assets – Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

      As part of security operations support, Blumira provides an initial network attack surface assessment for all paid users to help identify assets that need to be monitored and protected. We recommend you use an asset inventory solution for ongoing discovery and control of your assets.

    • Inventory and Control of Software Assets: 2.0.

      Inventory and Control of Software 

      2.0. Inventory and Control of Software Assets – Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

      Blumira can identify software running on your network, including previously installed and forgotten programs to help you discover unknown software. The platform can notify you of unauthorized or suspicious software attempting to install or execute that may indicate the presence of malware and help guide you through resolution.

    • Data Protection: 3.0.

      Data Protection: 3.0.

      3.0. Data Protection – Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

      3.14. Log Sensitive Data Access – Log sensitive data access, including modification and disposal.

      Blumira can track user access to applications and services integrated with the Blumira platform for log monitoring, collection, detection, and response. Blumira also keeps historical log records of any file modifications or disposal, notifying you of user activity at the time of detection and providing all relevant information to help with further investigation and response.

    • Secure Configuration of Enterprise Assets and Software: 4.0.

      4.0. Secure Configuration of Enterprise Assets and Software

      Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

      Blumira provides guidance for the systems we monitor to ensure that proper logging policies are enabled, and all logs with security value are being generated. Some systems, including firewalls and Microsoft Windows, have some logging functions disabled by default. Our documentation and setup scripts provide assistance in enabling additional logging to enhance our visibility into systems.

    1.0. Inventory and Control of Enterprise Assets: 1.0.

    1.0. Inventory and Control of Enterprise Assets – Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

    As part of security operations support, Blumira provides an initial network attack surface assessment for all paid users to help identify assets that need to be monitored and protected. We recommend you use an asset inventory solution for ongoing discovery and control of your assets.

    Inventory and Control of Software 

    2.0. Inventory and Control of Software Assets – Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

    Blumira can identify software running on your network, including previously installed and forgotten programs to help you discover unknown software. The platform can notify you of unauthorized or suspicious software attempting to install or execute that may indicate the presence of malware and help guide you through resolution.

    Data Protection: 3.0.

    3.0. Data Protection – Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

    3.14. Log Sensitive Data Access – Log sensitive data access, including modification and disposal.

    Blumira can track user access to applications and services integrated with the Blumira platform for log monitoring, collection, detection, and response. Blumira also keeps historical log records of any file modifications or disposal, notifying you of user activity at the time of detection and providing all relevant information to help with further investigation and response.

    4.0. Secure Configuration of Enterprise Assets and Software

    Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

    Blumira provides guidance for the systems we monitor to ensure that proper logging policies are enabled, and all logs with security value are being generated. Some systems, including firewalls and Microsoft Windows, have some logging functions disabled by default. Our documentation and setup scripts provide assistance in enabling additional logging to enhance our visibility into systems.

    • Account Management: 5.0

      Account Management: 5.0

      5.0. Account Management – Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

      Blumira tracks user account activity and provides reporting  on an on-demand or scheduled basis for user account administration activities. Activities can include new user and administrative account creation, user/admin account deletions, security group modifications, elevation of user account privileges, and more. 

    • Access Control Management: 6.0.

      Access Control Management: 6.0.

      6.0. Access Control Management – Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

      Blumira can help by providing reports  of user account administration activities based on logs that Blumira stores.

    • Continuous Vulnerability Management: 7.0.

      Continuous Vulnerability Management: 7.0.

      7.0. Continuous Vulnerability Management – Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

      Blumira helps with application vulnerabilities on assets by giving your organization insight into attacker behavior, including cases where an attacker leverages an unpatched or undiscovered vulnerability. Blumira notifies all impacted customers via email whenever a high-severity vulnerability is reported by a third-party vendor, such as a firewall provider, that Blumira integrates with.

    Account Management: 5.0

    5.0. Account Management – Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

    Blumira tracks user account activity and provides reporting  on an on-demand or scheduled basis for user account administration activities. Activities can include new user and administrative account creation, user/admin account deletions, security group modifications, elevation of user account privileges, and more. 

    Access Control Management: 6.0.

    6.0. Access Control Management – Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

    Blumira can help by providing reports  of user account administration activities based on logs that Blumira stores.

    Continuous Vulnerability Management: 7.0.

    7.0. Continuous Vulnerability Management – Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

    Blumira helps with application vulnerabilities on assets by giving your organization insight into attacker behavior, including cases where an attacker leverages an unpatched or undiscovered vulnerability. Blumira notifies all impacted customers via email whenever a high-severity vulnerability is reported by a third-party vendor, such as a firewall provider, that Blumira integrates with.

    • Audit Log Management: 8.0.

      Audit Log Management: 8.0.

      8.0. Audit Log Management – Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

      The Blumira platform integrates with an organization’s systems and applications to collect, centralize, and retain audit logs. It automatically reviews events for suspicious or threat activity that could indicate an attack in progress, then alerts you on how to respond quickly to limit impact and damage. 

      See the broad variety of both on-premises and cloud services Blumira integrates with for log monitoring, detection and response.

    • Collect Audit Logs: 8.2.

      Collect Audit Logs: 8.2.

      8.2. Collect Audit Logs – Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

      By offering a wide range of integrations across an enterprise’s on-premises and cloud-based assets, Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.

    • Collect Detailed Audit Logs: 8.5.

      Collect Detailed Audit Logs: 8.5.

      8.5. Collect Detailed Audit Logs – Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

      Blumira provides stacked matched evidence, which means the platform gathers and correlates all related data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source, and destination addresses and more to help with forensic investigations. Reporting functionality in Blumira also provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.

    • Collect DNS Query Audit Logs: 8.6.

      Collect DNS Query Audit Logs: 8.6.

      8.6. Collect DNS Query Audit Logs – Collect DNS query audit logs on enterprise assets, where appropriate and supported.

      By enabling Sysmon (System Monitor) for Windows logging and integration with Blumira, you can track and analyze DNS traffic to help identify malicious remote access tools, security misconfigurations and command and control traffic. It’s easy to install using our Poshim script or manually – read how in How to Enable Sysmon for Windows Logging and Security. 

    • Collect URL Request Audit Logs: 8.7.

      Collect URL Request Audit Logs: 8.7.

      8.7. Collect URL Request Audit Logs – Collect URL request audit logs on enterprise assets, where appropriate and supported.

      Blumira can track URL requests for standard web applications (email servers, web servers, and other internet-facing services), including the number of hits on one specific URL on a web server that could indicate something is being brute-forced or enumerated. Blumira can track other events that provide useful insight into adversaries performing attacks against certain hosts or performing reconnaissance, or discovery of a victim network. Learn more in What to Log in a SIEM.

    Audit Log Management: 8.0.

    8.0. Audit Log Management – Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

    The Blumira platform integrates with an organization’s systems and applications to collect, centralize, and retain audit logs. It automatically reviews events for suspicious or threat activity that could indicate an attack in progress, then alerts you on how to respond quickly to limit impact and damage. 

    See the broad variety of both on-premises and cloud services Blumira integrates with for log monitoring, detection and response.

    Collect Audit Logs: 8.2.

    8.2. Collect Audit Logs – Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

    By offering a wide range of integrations across an enterprise’s on-premises and cloud-based assets, Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.

    Collect Detailed Audit Logs: 8.5.

    8.5. Collect Detailed Audit Logs – Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

    Blumira provides stacked matched evidence, which means the platform gathers and correlates all related data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source, and destination addresses and more to help with forensic investigations. Reporting functionality in Blumira also provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.

    Collect DNS Query Audit Logs: 8.6.

    8.6. Collect DNS Query Audit Logs – Collect DNS query audit logs on enterprise assets, where appropriate and supported.

    By enabling Sysmon (System Monitor) for Windows logging and integration with Blumira, you can track and analyze DNS traffic to help identify malicious remote access tools, security misconfigurations and command and control traffic. It’s easy to install using our Poshim script or manually – read how in How to Enable Sysmon for Windows Logging and Security. 

    Collect URL Request Audit Logs: 8.7.

    8.7. Collect URL Request Audit Logs – Collect URL request audit logs on enterprise assets, where appropriate and supported.

    Blumira can track URL requests for standard web applications (email servers, web servers, and other internet-facing services), including the number of hits on one specific URL on a web server that could indicate something is being brute-forced or enumerated. Blumira can track other events that provide useful insight into adversaries performing attacks against certain hosts or performing reconnaissance, or discovery of a victim network. Learn more in What to Log in a SIEM.

    • Collect Command-Line Audit Logs: 8.8.

      Collect Command-Line Audit Logs: 8.8.

      8.8. Collect Command-Line Audit Logs – Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

      Blumira can collect and analyze command-line audit logs for security, including PowerShell execution policy bypasses and other executions that could indicate an attacker attempting to download or execute malicious code, move laterally within your environment, and escalate an attack. Our platform notifies you and provides playbooks to help guide you through resolution.

    • Centralize Audit Logs: 8.9.

      Centralize Audit Logs: 8.9.

      8.9. Centralize Audit Logs – Centralize, to the extent possible, audit log collection and retention across enterprise assets.

      By integrating broadly with your entire tech stack, the Blumira platform collects and centralizes logs from your enterprise assets into one repository. It correlates events across firewalls, endpoint security, servers, identity management and authentication systems, databases and more to quickly identify, notify, and provide playbooks for response to critical security findings. Blumira offers up to one year of on-demand, hot storage data retention, ideal for cybersecurity insurance, compliance requirements and investigation. 

    • Retain Audit Logs: 8.10.

      Retain Audit Logs: 8.10.

      8.10. Retain Audit Logs – Retain audit logs across enterprise assets for a minimum of 90 days.

      Blumira SIEM retains an audit log history for 30 days to one year, depending on the edition you purchase, to help your organization with investigation and forensics.

    • Conduct Audit Log Reviews: 8.11.

      Conduct Audit Log Reviews: 8.11.

      8.11. Conduct Audit Log Reviews – Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

      After integrating with your third-party services and applications, Blumira’s platform automatically applies detection rules to your account to rapidly review your logs and detect anomalies or suspicious activity that could indicate potential threats in your environment. With Blumira, there’s no need for security analysts or IT teams to manually review logs for threats, bringing you an affordable and scalable solution to replace a costly and inefficient SOC (security operations center). If you need more assistance, Blumira’s security operations team is available to provide guided support for any critical priority issues.

    • Collect Service Provider Logs: 8.12.

      Collect Service Provider Logs: 8.12.

      8.12. Collect Service Provider Logs – Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

      Blumira collects many third-party service provider logs. Our platform notifies you and provides response options for events related to authentication and authorization, data creation and exposal, and user management.

    Collect Command-Line Audit Logs: 8.8.

    8.8. Collect Command-Line Audit Logs – Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

    Blumira can collect and analyze command-line audit logs for security, including PowerShell execution policy bypasses and other executions that could indicate an attacker attempting to download or execute malicious code, move laterally within your environment, and escalate an attack. Our platform notifies you and provides playbooks to help guide you through resolution.

    Centralize Audit Logs: 8.9.

    8.9. Centralize Audit Logs – Centralize, to the extent possible, audit log collection and retention across enterprise assets.

    By integrating broadly with your entire tech stack, the Blumira platform collects and centralizes logs from your enterprise assets into one repository. It correlates events across firewalls, endpoint security, servers, identity management and authentication systems, databases and more to quickly identify, notify, and provide playbooks for response to critical security findings. Blumira offers up to one year of on-demand, hot storage data retention, ideal for cybersecurity insurance, compliance requirements and investigation. 

    Retain Audit Logs: 8.10.

    8.10. Retain Audit Logs – Retain audit logs across enterprise assets for a minimum of 90 days.

    Blumira SIEM retains an audit log history for 30 days to one year, depending on the edition you purchase, to help your organization with investigation and forensics.

    Conduct Audit Log Reviews: 8.11.

    8.11. Conduct Audit Log Reviews – Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

    After integrating with your third-party services and applications, Blumira’s platform automatically applies detection rules to your account to rapidly review your logs and detect anomalies or suspicious activity that could indicate potential threats in your environment. With Blumira, there’s no need for security analysts or IT teams to manually review logs for threats, bringing you an affordable and scalable solution to replace a costly and inefficient SOC (security operations center). If you need more assistance, Blumira’s security operations team is available to provide guided support for any critical priority issues.

    Collect Service Provider Logs: 8.12.

    8.12. Collect Service Provider Logs – Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

    Blumira collects many third-party service provider logs. Our platform notifies you and provides response options for events related to authentication and authorization, data creation and exposal, and user management.

    • Email and Web Browser Protections: 9.0.

      Email and Web Browser Protections: 9.0.

      9.0. Email and Web Browser Protections – Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

      While the CIS sub-controls for 9.1-9.7 mainly refer to protective measures for email and web browsers, Blumira can help detect common attacker behaviors that indicate compromised email accounts through its integration with Microsoft 365 and other third-party web and email applications.

    • Malware Defenses: 10.0.

      Malware Defenses: 10.0.

      10.0. Malware Defenses – Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

      Blumira can help control the spread of malware by detecting a number of common malware behaviors, including malicious applications, scripts, unauthorized programs, compromised processes, PUPs and more. Then, Blumira provides actionable information to IT and IR teams, who can then use this data to isolate infected systems. Blumira can also detect precursors of ransomware, enabling IT teams to stop an attack before ransomware is introduced into a network. 

    • Data Recovery: 11.0.

      Data Recovery: 11.0.

      11.0. Data Recovery – Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

      Blumira collects security event logs and retains them for up to one year, providing an audit trail for investigation and reporting. Blumira also enables you to review original event logs that are encrypted at rest and in transit to ensure data integrity, safe from attackers that may alter logs after an incident to cover their tracks.

    • Network Infrastructure Management: 12.0.

      Network Infrastructure Management: 12.0.

      12.0. Network Infrastructure Management – Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

      Blumira monitors network infrastructure via the logs that are generated by these devices. By monitoring the inbound and outbound traffic from firewalls as well as connection attempts to servers, Blumira can detect early signs of an attacker attempting to leverage an open port, vulnerability, or other method of access. Blumira often detects these behaviors before an endpoint protection product can, enabling organizations to respond faster and limit the impact of an attack in progress.

    Email and Web Browser Protections: 9.0.

    9.0. Email and Web Browser Protections – Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

    While the CIS sub-controls for 9.1-9.7 mainly refer to protective measures for email and web browsers, Blumira can help detect common attacker behaviors that indicate compromised email accounts through its integration with Microsoft 365 and other third-party web and email applications.

    Malware Defenses: 10.0.

    10.0. Malware Defenses – Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

    Blumira can help control the spread of malware by detecting a number of common malware behaviors, including malicious applications, scripts, unauthorized programs, compromised processes, PUPs and more. Then, Blumira provides actionable information to IT and IR teams, who can then use this data to isolate infected systems. Blumira can also detect precursors of ransomware, enabling IT teams to stop an attack before ransomware is introduced into a network. 

    Data Recovery: 11.0.

    11.0. Data Recovery – Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

    Blumira collects security event logs and retains them for up to one year, providing an audit trail for investigation and reporting. Blumira also enables you to review original event logs that are encrypted at rest and in transit to ensure data integrity, safe from attackers that may alter logs after an incident to cover their tracks.

    Network Infrastructure Management: 12.0.

    12.0. Network Infrastructure Management – Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

    Blumira monitors network infrastructure via the logs that are generated by these devices. By monitoring the inbound and outbound traffic from firewalls as well as connection attempts to servers, Blumira can detect early signs of an attacker attempting to leverage an open port, vulnerability, or other method of access. Blumira often detects these behaviors before an endpoint protection product can, enabling organizations to respond faster and limit the impact of an attack in progress.

    • Network Monitoring and Defense: 13.0.

      Network Monitoring and Defense: 13.0.

      13.0. Network Monitoring and Defense – Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

      Blumira helps by ingesting logs from almost any device that is compatible with syslog. Blumira stores these logs for one year, and uses detection rules to find signs of attacker behavior. Blumira often detects an attacker upon their initial entry into the network before any malicious activity has begun, which allows administrators to stop attacker behavior before damage has been done.

    • Centralize Security Event Alerting: 13.1.

      Centralize Security Event Alerting: 13.1.

      13.1. Centralize Security Event Alerting – Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

      Blumira helps by centralizing logs through our cloud SIEM platform, and correlating event logs and data across many different systems for threat analysis. We reduce alert fatigue by sending prioritized, contextual alerts about only the most critical findings. The Blumira team of incident detection engineers constantly rolls out new alerts to keep up with the latest attack methods and vulnerabilities.

    • Intrusion Detection: 13.2. & 13.3.

      Intrusion Detection: 13.2. & 13.3.

      13.2. Deploy a Host-Based Intrusion Detection Solution – Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

      3.3. Deploy a Network Intrusion Detection Solution – Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

      Blumira monitors system log (syslog) records of OS events to identify attacker behavior, including initial entry into a network, to help IT admins identify and stop an intruder before it impacts an organization. Blumira also integrates with many endpoint protection solutions, firewalls and more to pull log data from a variety of sources.

    • Collect Network Traffic Flow Logs: 13.6.

      Collect Network Traffic Flow Logs: 13.6.

      13.6. Collect Network Traffic Flow Logs – Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

      Blumira collects network traffic logs and reviews them for suspicious behavior. Then, we notify you with findings accompanied with context, sending alerts only for activity that matters to prevent alert fatigue. Each finding is accompanied by step-by-step playbooks, enabling you to easily and quickly remediate a threat.

    • Tune Security Event Alerting Thresholds: 13.11.

      Tune Security Event Alerting Thresholds: 13.11.

      13.11. Tune Security Event Alerting Thresholds – Tune security event alerting thresholds monthly, or more frequently.

      The Blumira incident detection engineering team tests and tunes detection rules regularly in a lab, eliminating the need for manual configuration and fine-tuning. We update our platform every two weeks with improvements and new detection rules, adjusting threshold-based detection rules to reduce noise based on customer feedback and ongoing monitoring. Our new detection rule management feature enables you to toggle rules on and off to further reduce noise and suit your organization’s specific needs.

    Network Monitoring and Defense: 13.0.

    13.0. Network Monitoring and Defense – Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

    Blumira helps by ingesting logs from almost any device that is compatible with syslog. Blumira stores these logs for one year, and uses detection rules to find signs of attacker behavior. Blumira often detects an attacker upon their initial entry into the network before any malicious activity has begun, which allows administrators to stop attacker behavior before damage has been done.

    Centralize Security Event Alerting: 13.1.

    13.1. Centralize Security Event Alerting – Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

    Blumira helps by centralizing logs through our cloud SIEM platform, and correlating event logs and data across many different systems for threat analysis. We reduce alert fatigue by sending prioritized, contextual alerts about only the most critical findings. The Blumira team of incident detection engineers constantly rolls out new alerts to keep up with the latest attack methods and vulnerabilities.

    Intrusion Detection: 13.2. & 13.3.

    13.2. Deploy a Host-Based Intrusion Detection Solution – Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

    3.3. Deploy a Network Intrusion Detection Solution – Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

    Blumira monitors system log (syslog) records of OS events to identify attacker behavior, including initial entry into a network, to help IT admins identify and stop an intruder before it impacts an organization. Blumira also integrates with many endpoint protection solutions, firewalls and more to pull log data from a variety of sources.

    Collect Network Traffic Flow Logs: 13.6.

    13.6. Collect Network Traffic Flow Logs – Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

    Blumira collects network traffic logs and reviews them for suspicious behavior. Then, we notify you with findings accompanied with context, sending alerts only for activity that matters to prevent alert fatigue. Each finding is accompanied by step-by-step playbooks, enabling you to easily and quickly remediate a threat.

    Tune Security Event Alerting Thresholds: 13.11.

    13.11. Tune Security Event Alerting Thresholds – Tune security event alerting thresholds monthly, or more frequently.

    The Blumira incident detection engineering team tests and tunes detection rules regularly in a lab, eliminating the need for manual configuration and fine-tuning. We update our platform every two weeks with improvements and new detection rules, adjusting threshold-based detection rules to reduce noise based on customer feedback and ongoing monitoring. Our new detection rule management feature enables you to toggle rules on and off to further reduce noise and suit your organization’s specific needs.

    • Service Provider Management: 15.0.

      Service Provider Management: 15.0.

      15.0. Service Provider Management – Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

      Blumira can help by providing auditing of actions by any user, including dates/times of logon activities. This can help to audit the actions of third-party service providers that have access to the customer’s environment.

    • Incident Response Management: 17.0.

      Incident Response Management: 17.0.

      17.0. Incident Response Management – Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

      Blumira helps by collecting and collating logs from multiple sources, assisting incident responders in targeting compromised systems quickly and remediating, or isolating them to prevent further escalation. Blumira is also a logging source that is “out of band” from a customer’s environment, which puts it out of the reach of attackers that would attempt to clear logs to cover their tracks.

      The Blumira security team has worked closely with incident response companies to provide log data to help them contain and recover after a ransomware incident. The Blumira SecOps team provides 24/7 support for critical priority issues to help customers with security questions, and provide guided response and recommendations.

    • Penetration Test: 18.0., 18.3., and 18.4.

      Penetration Test: 18.0., 18.3., and 18.4.

      18.0. Penetration Test – Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

      18.3. Remediate Penetration Test Findings – Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

      18.4. Validate Security Measures – Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

      While Blumira does not provide penetration testing services, Blumira’s platform helps your organization successfully pass a pentest by alerting you about attempts to exploit weaknesses and simulate an attacker’s actions. Blumira detects many pentest behaviors that other SIEM platforms miss, including AS-REP roasting, wdigest registry change, and kerberoasting. 

      To help prepare for a pentest, you can also test the effectiveness of Blumira detection rules using our instructions on how to conduct a test. Blumira has also helped many organizations after a failed pentest to remediate pentest findings and detect techniques used during the test. 

    Service Provider Management: 15.0.

    15.0. Service Provider Management – Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

    Blumira can help by providing auditing of actions by any user, including dates/times of logon activities. This can help to audit the actions of third-party service providers that have access to the customer’s environment.

    Incident Response Management: 17.0.

    17.0. Incident Response Management – Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

    Blumira helps by collecting and collating logs from multiple sources, assisting incident responders in targeting compromised systems quickly and remediating, or isolating them to prevent further escalation. Blumira is also a logging source that is “out of band” from a customer’s environment, which puts it out of the reach of attackers that would attempt to clear logs to cover their tracks.

    The Blumira security team has worked closely with incident response companies to provide log data to help them contain and recover after a ransomware incident. The Blumira SecOps team provides 24/7 support for critical priority issues to help customers with security questions, and provide guided response and recommendations.

    Penetration Test: 18.0., 18.3., and 18.4.

    18.0. Penetration Test – Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

    18.3. Remediate Penetration Test Findings – Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

    18.4. Validate Security Measures – Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.

    While Blumira does not provide penetration testing services, Blumira’s platform helps your organization successfully pass a pentest by alerting you about attempts to exploit weaknesses and simulate an attacker’s actions. Blumira detects many pentest behaviors that other SIEM platforms miss, including AS-REP roasting, wdigest registry change, and kerberoasting. 

    To help prepare for a pentest, you can also test the effectiveness of Blumira detection rules using our instructions on how to conduct a test. Blumira has also helped many organizations after a failed pentest to remediate pentest findings and detect techniques used during the test. 

    Get Started for Free

    Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.