The Center for Internet Security (CIS) is a nonprofit with the mission of protecting organizations against cyber threats. CIS developed a set of high-priority recommendations, or critical security controls, that organizations can use as a framework for achieving greater security maturity.
CIS controls provide a starting point for organizations with no formal strategies or security baselines. Even implementing a few of these controls can significantly improve an organization’s security posture.
What Is CIS Top 18?
Formerly the SANS Critical Security Controls or SANS Top 20, the CIS Top 18 refers to Version 8 of CIS Controls. These are recommended practices for securing systems and devices, informed by an international community that has shared attack insights, identified root causes and translated them into classes of defensive action. As the importance of physical devices and fixed boundaries lessens, CIS consolidated the controls in Version 8 by activity rather than by who manages the devices.
The CIS controls are also mapped to regulatory and compliance frameworks to ensure alignment.
How Blumira Can Help
Blumira’s cloud SIEM platform helps your organization easily meet and exceed CIS framework requirements for logging, monitoring, threat detection and response.
Below is a full detailed list of the different capabilities and controls that align with them, and how Blumira meets the control or can help you meet them.
Blumira’s free edition secures your Microsoft 365 environment; setup takes a matter of minutes. For more coverage and support, you can easily upgrade to a paid version.
For questions or to learn more on how we can help with compliance, contact us.
Blumira can help organizations with the following CIS controls:
1.0. Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
How Blumira Helps: As part of security operations support, Blumira provides an initial network attack surface assessment for all Advanced users to help identify assets that need to be monitored and protected. We recommend you use an asset inventory solution for ongoing discovery and control of your assets.
2.0. Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
How Blumira Helps: Blumira can identify software running on your network, including previously installed and forgotten programs to help you discover unknown software. The platform can notify you of unauthorized or suspicious software attempting to install or execute that may indicate the presence of malware and help guide you through resolution.
3.0. Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
3.14. Log Sensitive Data Access
Log sensitive data access, including modification and disposal.
How Blumira Helps: Blumira can track user access to applications and services integrated with Blumira’s platform for log monitoring, collection, detection and response. Blumira also keeps historical log records of any file modifications or disposal, notifying you of user activity at the time of detection and providing all relevant information to help with further investigation and response.
4.0. Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
How Blumira Helps: Blumira provides guidance for the systems we monitor to ensure that proper logging policies are enabled, and all logs with security value are being generated. Some systems, including firewalls and Microsoft Windows, have some logging functions disabled by default. Our documentation and setup scripts provide assistance in enabling additional logging to enhance our visibility into systems.
5.0. Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
How Blumira Helps: Blumira tracks user account activity and provides reporting on an on-demand or scheduled basis for user account administration activities such as new user and administrative account creation, user/admin account deletions, security group modifications, elevation of user account privileges and more.
6.0. Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
How Blumira Helps: Blumira can help by providing reporting of user account administration activities, based on logs that Blumira stores.
7.0. Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
How Blumira Helps: Blumira can help with application vulnerabilities on assets by providing your organization with insight into attacker behavior, including in cases where an attacker leverages an unpatched or undiscovered vulnerability. Blumira notifies all impacted customers via email whenever a high-severity vulnerability is reported by a third-party vendor (such as a firewall provider) that Blumira integrates with.
8.0. Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
How Blumira Helps: Blumira’s platform integrates with an organization’s systems and applications to collect, centralize, and retain audit logs. It automatically reviews events for suspicious or threat activity that could indicate an attack in progress, then alerts you on how to respond quickly to limit impact and damage.
See the broad variety of both on-premises and cloud services Blumira integrates with for log monitoring, detection and response.
8.2. Collect Audit Logs
Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
How Blumira Helps: By offering a wide range of integrations across an enterprise’s on-premises and cloud-based assets, Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.
8.5. Collect Detailed Audit Logs
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
How Blumira Helps: Blumira provides stacked matched evidence, which means the platform gathers and correlates all related data across every part of your environment that is set up for logging and attaches it to each finding (alert). That includes detailed audit logging information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations. Blumira’s reporting functionality also provides a log retention history of up to a year of hot storage, meaning the logs are readily available for investigation whenever needed.
8.6. Collect DNS Query Audit Logs
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
How Blumira Helps: By enabling Sysmon (System Monitor) for Windows logging and integration with Blumira, you can track and analyze DNS traffic to help identify malicious remote access tools, security misconfigurations and command and control traffic. It’s easy to install using our Poshim script or manually – see how in How to Enable Sysmon for Windows Logging and Security.
8.7. Collect URL Request Audit Logs
Collect URL request audit logs on enterprise assets, where appropriate and supported.
How Blumira Helps: Blumira can track URL requests for standard web applications (email servers, web servers, and other internet-facing services), including the number of hits on one specific URL on a web server that could indicate something is being brute-forced or enumerated. Blumira can track other events that provide useful insight into adversaries performing attacks against certain hosts, or performing reconnaissance or discovery of a victim network. Learn more in What to Log in a SIEM.
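To make the "number of hits on one specific URL" check concrete, here is an added example (written for this page, not Blumira's own detection logic) that parses web-server access-log lines in combined log format, counts requests per client and path inside a sliding time window, and flags any pair that reaches a tunable threshold. The log lines, the documentation IP addresses, the default of 5 hits in 60 seconds and the window length are all assumptions; the same function with a shorter window or higher threshold shows how tuning changes what gets reported.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Combined log format, e.g.
#   203.0.113.5 - - [01/May/2024:09:12:03 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, not real traffic): one client
# hits /login six times in 16 seconds; the rest is ordinary browsing. One line is
# deliberately malformed to show that unparseable input is skipped, not fatal.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2024:09:12:03 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
198.51.100.7 - - [01/May/2024:09:12:04 +0000] "GET /index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2024:09:12:05 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
203.0.113.5 - - [01/May/2024:09:12:08 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
this line is not in combined log format and is skipped
203.0.113.5 - - [01/May/2024:09:12:12 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
203.0.113.5 - - [01/May/2024:09:12:15 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
198.51.100.7 - - [01/May/2024:09:12:17 +0000] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2024:09:12:19 +0000] "POST /login HTTP/1.1" 401 532 "-" "curl/8.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"client": m.group("client"), "path": m.group("path"),
            "status": m.group("status"), "ts": ts}


def max_hits_in_window(times: List[datetime], window_seconds: int) -> int:
    """Largest number of events that fall inside any window of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        # Advance the window start until the oldest event is within the window.
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_repeated_hits(lines: List[str], threshold: int = 5,
                       window_seconds: int = 60) -> List[Dict]:
    """Flag (client, path) pairs that reach `threshold` hits inside one window."""
    by_key: Dict[tuple, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_key[(ev["client"], ev["path"])].append(ev)
    findings = []
    for (client, path), evs in sorted(by_key.items()):
        hits = max_hits_in_window([e["ts"] for e in evs], window_seconds)
        if hits >= threshold:
            findings.append({"client": client, "path": path, "hits": hits,
                             "statuses": dict(Counter(e["status"] for e in evs))})
    return findings


if __name__ == "__main__":
    for f in find_repeated_hits(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['path']}: {f['hits']} hits, statuses {f['statuses']}")
```

The status breakdown is kept on each finding because a burst of 401s against a login path and a burst of 404s across many paths point to different activity (credential guessing versus enumeration), so it is worth surfacing to the analyst rather than collapsing into a count.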
8.8. Collect Command-Line Audit Logs
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
How Blumira Helps: Blumira can collect and analyze command-line audit logs for security, including PowerShell execution policy bypasses and other executions that could indicate an attacker attempting to download or execute malicious code, move laterally within your environment and escalate an attack. Our platform notifies you and provides playbooks to help guide you through resolution.
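The command-line review described above, as an added example that is not part of Blumira's platform or documentation: a small Python rule set that runs over process-creation records carrying the full command line, keeps only PowerShell launches, and flags execution-policy bypasses, encoded commands and hidden windows. Because PowerShell accepts abbreviated parameter names, the patterns cover the common short forms as well as the full spelling. The event shape, hostnames, user names and command lines are constructed for the example; the encoded payload is a truncated string chosen so the decoder has something to reveal.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (shape loosely modelled on Windows
# event 4688 with command-line auditing enabled); these are not real logs.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-05-01T09:12:03Z", "host": "ws01", "user": "jdoe",
     "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\temp\\update.ps1"},
    {"ts": "2024-05-01T09:13:10Z", "host": "ws01", "user": "jdoe",
     "cmd": "powershell.exe -ep bypass -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2024-05-01T09:15:44Z", "host": "srv02", "user": "svc_backup",
     "cmd": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"ts": "2024-05-01T09:16:02Z", "host": "ws03", "user": "asmith",
     "cmd": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

# Only PowerShell hosts are in scope for these rules.
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)

# (rule name, pattern). Short forms such as -ep, -ex, -enc and -w are accepted
# by PowerShell, so a rule that only matched the long spelling would miss them.
RULES = [
    ("execution_policy_bypass",
     re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+bypass", re.I)),
    ("encoded_command",
     re.compile(r"-(?:encodedcommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]{20,})", re.I)),
    ("hidden_window",
     re.compile(r"-(?:windowstyle|w)\s+hidden", re.I)),
]


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text in base64; return it, or None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one finding per PowerShell event that matches at least one rule."""
    findings = []
    for ev in events:
        cmd = ev["cmd"]
        if not POWERSHELL_RE.search(cmd):
            continue
        matched = []
        decoded = None
        for name, rx in RULES:
            m = rx.search(cmd)
            if not m:
                continue
            matched.append(name)
            if name == "encoded_command":
                # Surface the decoded text so the analyst sees what was hidden.
                decoded = decode_encoded_command(m.group("b64"))
        if matched:
            findings.append({**ev, "matched": matched, "decoded_command": decoded})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["user"], ",".join(f["matched"]),
              f["decoded_command"] or "")
```

Decoding the encoded command is the part worth keeping in any real rule: the base64 blob on its own tells the reviewer nothing, while the decoded text is what distinguishes an administrator's wrapped script from something that needs a response.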
8.9. Centralize Audit Logs
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
How Blumira Helps: By integrating broadly with your entire tech stack, Blumira’s platform collects and centralizes logs from your enterprise assets into one repository. It correlates events across firewalls, endpoint security, servers, identity management and authentication systems, databases and more to quickly identify, notify and provide playbooks for response to critical security findings. Blumira offers up to one year of (on-demand, hot storage) data retention, ideal for cybersecurity insurance, compliance requirements and investigation.
8.11. Conduct Audit Log Reviews
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
How Blumira Helps: After integrating with your third-party services and applications, Blumira’s platform automatically applies detection rules to your account to rapidly review your logs and detect anomalies or suspicious activity that could indicate potential threats in your environment. With Blumira, there’s no need for security analysts or IT teams to manually review logs for threats, providing an affordable and scalable alternative to a costly and inefficient SOC (security operations center). If you need more assistance, Blumira’s security operations team is available to provide guided support for any critical priority issues.
8.12. Collect Service Provider Logs
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
How Blumira Helps: Blumira collects many third-party service provider logs – see our list of integrations. Our platform notifies you and provides response options for events related to authentication and authorization, data creation and disposal, and user management.
9.0. Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
How Blumira Helps: While the CIS sub-controls for 9.1-9.7 mainly refer to protective measures for email and web browsers, Blumira can help detect common attacker behaviors that indicate compromised email accounts through its integration with Microsoft 365 and other third-party web and email applications.
10.0. Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
How Blumira Helps: Blumira can help control the spread of malware by detecting a number of common malware behaviors, including malicious applications, scripts, unauthorized programs, compromised processes, PUPs and more. Blumira then provides actionable information to IT and IR teams, who can use this data to isolate infected systems. Blumira can also detect precursors of ransomware, enabling IT teams to stop an attack before ransomware is introduced into a network.
11.0. Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
How Blumira Helps: Blumira collects security event logs and retains them for up to one year, providing an audit trail for investigation and reporting. Blumira also enables you to review original event logs that are encrypted at rest and in transit to ensure data integrity, safe from attackers that may alter logs after an incident to cover their tracks.
12.0. Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
How Blumira Helps: Blumira monitors network infrastructure via the logs that are generated by these devices. By monitoring the inbound and outbound traffic from firewalls as well as connection attempts to servers, Blumira can detect early signs of an attacker attempting to leverage an open port, vulnerability, or other method of access. Blumira often detects these behaviors before an endpoint protection product can, enabling organizations to respond faster and limit the impact of an attack in progress.
13.0. Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
How Blumira Helps: Blumira helps by ingesting logs from almost any device that is compatible with syslog. Blumira stores these logs for one year, and uses detection rules to find signs of attacker behavior. Blumira often detects an attacker upon their initial entry into the network before any malicious activity has begun, which allows administrators to stop attacker behavior before damage has been done.
13.1. Centralize Security Event Alerting
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this safeguard.
How Blumira Helps: Blumira helps by centralizing logs through our cloud SIEM platform, and correlating event logs and data across many different systems for threat analysis. We reduce alert fatigue by sending prioritized, contextual alerts about only the most critical findings. Blumira’s team of incident detection engineers constantly rolls out new alerts to keep up with the latest attack methods and vulnerabilities.
13.2. Deploy a Host-Based Intrusion Detection Solution
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
13.3. Deploy a Network Intrusion Detection Solution
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
How Blumira Helps: Blumira monitors system log (syslog) records of OS events to identify attacker behavior, including initial entry into a network, to help IT admins identify and stop an intruder before they impact an organization. Blumira also integrates with many endpoint protection solutions, firewalls and more to pull log data from a variety of sources.
13.6. Collect Network Traffic Flow Logs
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
How Blumira Helps: Blumira collects network traffic logs and reviews them for suspicious behavior. Then, we notify you with findings accompanied with context, sending alerts only for activity that matters to prevent alert fatigue. Each finding is accompanied by step-by-step playbooks, enabling you to easily and quickly remediate a threat.
13.11. Tune Security Event Alerting Thresholds
Tune security event alerting thresholds monthly, or more frequently.
How Blumira Helps: Blumira’s incident detection engineering team tests and tunes detection rules regularly in a lab, eliminating the need for manual configuration and fine-tuning. We update our platform every two weeks with improvements and new detection rules, adjusting threshold-based detection rules to reduce noise based on customer feedback and ongoing monitoring. Our new detection rule management feature enables you to toggle rules on and off to further reduce noise and suit your organization’s specific needs.
15.0. Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
How Blumira Helps: Blumira can help by providing auditing of actions by any user, including dates/times of logon activities. This can help to audit the actions of third-party service providers that have access to the customer’s environment.
17.0. Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
How Blumira Helps: Blumira can help by collecting and collating logs from multiple sources, assisting incident responders in targeting compromised systems quickly and remediating, or isolating them to prevent further escalation. Blumira is also a logging source that is “out of band” from a customer’s environment, which puts it out of the reach of attackers that would attempt to clear logs to cover their tracks.
Blumira’s security team has worked closely with incident response companies to provide log data to help them contain and recover after a ransomware incident. Blumira’s SecOps team provides 24/7 support for critical priority issues to help customers with security questions, and provide guided response and recommendations.
18.0. Penetration Test
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
18.3. Remediate Penetration Test Findings
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
18.4. Validate Security Measures
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.
How Blumira Helps: While Blumira does not provide penetration testing services, Blumira’s platform helps your organization successfully pass a pentest by alerting you about attempts to exploit weaknesses and simulate an attacker’s actions. Blumira detects many pentest behaviors that other SIEM platforms miss, including AS-REP roasting, wdigest registry change, and kerberoasting.
To help prepare for a pentest, you can also test the effectiveness of Blumira’s detection rules using our instructions on how to conduct a test. Blumira has also helped many organizations after a failed pentest to remediate pentest findings and detect techniques used during the test.
Learn more about Blumira alerts you can expect during a pentest.
Get Started With Blumira’s Free SIEM
Blumira is a cloud SIEM with threat detection and response that alerts your team about critical cyber threats in real-time and provides automated and actionable response capabilities that reduce the overhead associated with traditional SIEM products.
With Blumira’s free edition, secure your Microsoft 365 environment in seconds with coverage for unlimited data and users. With our free edition, you can:
- Detect unusual activity, attacker behavior and threats in Microsoft 365
- Use guided security playbooks to easily respond to threats
- View summary dashboard and reports
- Set up in seconds using Cloud Connectors
For more coverage and support, you can easily upgrade to a paid version that fits your needs.