CIS Critical Security Controls Version 8 Compliance Framework

Inventory and Control of Software 

2.0. Inventory and Control of Software Assets – Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Blumira can identify software running on your network, including previously installed and forgotten programs to help you discover unknown software. The platform can notify you of unauthorized or suspicious software attempting to install or execute that may indicate the presence of malware and help guide you through resolution.

Data Protection: 3.0.

3.0. Data Protection – Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

3.14. Log Sensitive Data Access – Log sensitive data access, including modification and disposal.

Blumira can track user access to applications and services integrated with the Blumira platform for log monitoring, collection, detection, and response. Blumira also keeps historical log records of any file modifications or disposal, notifying you of user activity at the time of detection and providing all relevant information to help with further investigation and response.

4.0. Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Blumira provides guidance for the systems we monitor to ensure that proper logging policies are enabled, and all logs with security value are being generated. Some systems, including firewalls and Microsoft Windows, have some logging functions disabled by default. Our documentation and setup scripts provide assistance in enabling additional logging to enhance our visibility into systems.

Access Control Management: 6.0.

6.0. Access Control Management – Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Blumira can help by providing reports  of user account administration activities based on logs that Blumira stores.

Continuous Vulnerability Management: 7.0.

7.0. Continuous Vulnerability Management – Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

Blumira helps with application vulnerabilities on assets by giving your organization insight into attacker behavior, including cases where an attacker leverages an unpatched or undiscovered vulnerability. Blumira notifies all impacted customers via email whenever a high-severity vulnerability is reported by a third-party vendor, such as a firewall provider, that Blumira integrates with.

Collect Audit Logs: 8.2.

8.2. Collect Audit Logs – Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

By offering a wide range of integrations across an enterprise’s on-premises and cloud-based assets, Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.

Collect Detailed Audit Logs: 8.5.

8.5. Collect Detailed Audit Logs – Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

Blumira provides stacked matched evidence, which means the platform gathers and correlates all related data across your entire environment that is set up for logging and populates it with every finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source, and destination addresses and more to help with forensic investigations. Reporting functionality in Blumira also provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.

Collect DNS Query Audit Logs: 8.6.

8.6. Collect DNS Query Audit Logs – Collect DNS query audit logs on enterprise assets, where appropriate and supported.

By enabling Sysmon (System Monitor) for Windows logging and integration with Blumira, you can track and analyze DNS traffic to help identify malicious remote access tools, security misconfigurations and command and control traffic. It’s easy to install using our Poshim script or manually – read how in How to Enable Sysmon for Windows Logging and Security. 

Collect URL Request Audit Logs: 8.7.

8.7. Collect URL Request Audit Logs – Collect URL request audit logs on enterprise assets, where appropriate and supported.

Blumira can track URL requests for standard web applications (email servers, web servers, and other internet-facing services), including the number of hits on one specific URL on a web server that could indicate something is being brute-forced or enumerated. Blumira can track other events that provide useful insight into adversaries performing attacks against certain hosts or performing reconnaissance, or discovery of a victim network. Learn more in What to Log in a SIEM.

Centralize Audit Logs: 8.9.

8.9. Centralize Audit Logs – Centralize, to the extent possible, audit log collection and retention across enterprise assets.

By integrating broadly with your entire tech stack, the Blumira platform collects and centralizes logs from your enterprise assets into one repository. It correlates events across firewalls, endpoint security, servers, identity management and authentication systems, databases and more to quickly identify, notify, and provide playbooks for response to critical security findings. Blumira offers up to one year of on-demand, hot storage data retention, ideal for cybersecurity insurance, compliance requirements and investigation. 

Retain Audit Logs: 8.10.

8.10. Retain Audit Logs – Retain audit logs across enterprise assets for a minimum of 90 days.

Blumira SIEM retains an audit log history for 30 days to one year, depending on the edition you purchase, to help your organization with investigation and forensics.

Conduct Audit Log Reviews: 8.11.

8.11. Conduct Audit Log Reviews – Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

After integrating with your third-party services and applications, Blumira’s platform automatically applies detection rules to your account to rapidly review your logs and detect anomalies or suspicious activity that could indicate potential threats in your environment. With Blumira, there’s no need for security analysts or IT teams to manually review logs for threats, bringing you an affordable and scalable solution to replace a costly and inefficient SOC (security operations center). If you need more assistance, Blumira’s security operations team is available to provide guided support for any critical priority issues.

Collect Service Provider Logs: 8.12.

8.12. Collect Service Provider Logs – Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

Blumira collects many third-party service provider logs. Our platform notifies you and provides response options for events related to authentication and authorization, data creation and exposal, and user management.

Malware Defenses: 10.0.

10.0. Malware Defenses – Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Blumira can help control the spread of malware by detecting a number of common malware behaviors, including malicious applications, scripts, unauthorized programs, compromised processes, PUPs and more. Then, Blumira provides actionable information to IT and IR teams, who can then use this data to isolate infected systems. Blumira can also detect precursors of ransomware, enabling IT teams to stop an attack before ransomware is introduced into a network. 

Data Recovery: 11.0.

11.0. Data Recovery – Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Blumira collects security event logs and retains them for up to one year, providing an audit trail for investigation and reporting. Blumira also enables you to review original event logs that are encrypted at rest and in transit to ensure data integrity, safe from attackers that may alter logs after an incident to cover their tracks.

Network Infrastructure Management: 12.0.

12.0. Network Infrastructure Management – Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

Blumira monitors network infrastructure via the logs that are generated by these devices. By monitoring the inbound and outbound traffic from firewalls as well as connection attempts to servers, Blumira can detect early signs of an attacker attempting to leverage an open port, vulnerability, or other method of access. Blumira often detects these behaviors before an endpoint protection product can, enabling organizations to respond faster and limit the impact of an attack in progress.

Centralize Security Event Alerting: 13.1.

13.1. Centralize Security Event Alerting – Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.

Blumira helps by centralizing logs through our cloud SIEM platform, and correlating event logs and data across many different systems for threat analysis. We reduce alert fatigue by sending prioritized, contextual alerts about only the most critical findings. The Blumira team of incident detection engineers constantly rolls out new alerts to keep up with the latest attack methods and vulnerabilities.

Intrusion Detection: 13.2. & 13.3.

13.2. Deploy a Host-Based Intrusion Detection Solution – Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

3.3. Deploy a Network Intrusion Detection Solution – Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

Blumira monitors system log (syslog) records of OS events to identify attacker behavior, including initial entry into a network, to help IT admins identify and stop an intruder before it impacts an organization. Blumira also integrates with many endpoint protection solutions, firewalls and more to pull log data from a variety of sources.

Collect Network Traffic Flow Logs: 13.6.

13.6. Collect Network Traffic Flow Logs – Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

Blumira collects network traffic logs and reviews them for suspicious behavior. Then, we notify you with findings accompanied with context, sending alerts only for activity that matters to prevent alert fatigue. Each finding is accompanied by step-by-step playbooks, enabling you to easily and quickly remediate a threat.

Tune Security Event Alerting Thresholds: 13.11.

13.11. Tune Security Event Alerting Thresholds – Tune security event alerting thresholds monthly, or more frequently.

The Blumira incident detection engineering team tests and tunes detection rules regularly in a lab, eliminating the need for manual configuration and fine-tuning. We update our platform every two weeks with improvements and new detection rules, adjusting threshold-based detection rules to reduce noise based on customer feedback and ongoing monitoring. Our new detection rule management feature enables you to toggle rules on and off to further reduce noise and suit your organization’s specific needs.

Incident Response Management: 17.0.

17.0. Incident Response Management – Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Blumira helps by collecting and collating logs from multiple sources, assisting incident responders in targeting compromised systems quickly and remediating, or isolating them to prevent further escalation. Blumira is also a logging source that is “out of band” from a customer’s environment, which puts it out of the reach of attackers that would attempt to clear logs to cover their tracks.

The Blumira security team has worked closely with incident response companies to provide log data to help them contain and recover after a ransomware incident. The Blumira SecOps team provides 24/7 support for critical priority issues to help customers with security questions, and provide guided response and recommendations.