Question

As a portion of security compliance, one of the board members used SANS security controls at a former business and was very pleased with its outcomes. Based on this knowledge and to meet the needs of the board members, you have decided on implementing a few monitoring rules to help meet the requirements of five of the SANS Top 20 Controls.

For this part of your project, you will be addressing the following SANS Security Controls:

Asset Inventory of Authorized and Unauthorized Devices

Software Inventory of Authorized and Unauthorized Devices

Malware Defenses

Boundary Defense

Controlled use of Administrative Privileges

For each of these controls below, create a document that details the following information for each monitoring rule:

Brief description of the monitoring used and the alerting processes

Devices to pull log data from in order to satisfy the monitoring rule.

Frequency of the log data collection: (Real-Time, Hourly, Weekly, Monthly, Annually)

At least two ways this monitor could be tested to validate any false positives or negatives

Answer #1

Please find below the information required for each of the five SANS controls as asked.

(Put the following in document 1)

Asset Inventory of Authorized and Unauthorized Devices

Brief description of the monitoring used and the alerting processes:

This control is used to actively manage all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. This includes keeping an inventory of devices on the network, tracking their access timings, and taking corrective action if any unauthorised device is found.

To make use of this control, an automated asset inventory discovery tool is deployed in the network (can be an organization's public or private). It is used to build a preliminary inventory of systems connected to the network. Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

One can make use of tools such as SCCM, KACE, Munki, and SolarWinds effectively for this control.

Devices to pull log data from in order to satisfy the monitoring rule:

Logs from the server on which the automated asset inventory tool is deployed can be used to control and satisfy the authorized and unauthorized devices.

Frequency of the log data collection: (Real-Time, Hourly, Weekly, Monthly, Annually):

The frequency of log data collection depends on the sensitivity of network. Generally, real-time or hourly log data can be collected depending on the security needs of network.

At least two ways this monitor could be tested to validate any false positives or negatives:

To validate any false negatives, one should regularly, say weekly, take a heads up from the users on the network just to ensure there is no false negative.

(Put the following in document 2)

Software Inventory of Authorized and Unauthorized Devices

Brief description of the monitoring used and the alerting processes:

This control is used to actively manage all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. But this focuses on the software side of maintaining the access. This includes keeping an inventory of devices on the network, tracking their access timings, and taking corrective action if any unauthorised device is found.

To make use of this control, the organization can dynamically assign addresses using DHCP, and then dynamic host configuration protocol (DHCP) server logging can be deployed, and this logging information can be used to improve the asset inventory and help detect unknown systems.

One can make use of DHCP server and tools such as SCCM effectively for this control.

Devices to pull log data from in order to satisfy the monitoring rule:

Logs from the DHCP server deployed can be used to control and satisfy the authorized and unauthorized devices.

Frequency of the log data collection: (Real-Time, Hourly, Weekly, Monthly, Annually):

The frequency of log data collection depends on the sensitivity of network. Generally, real-time or hourly log data can be collected depending on the security needs of network.

At least two ways this monitor could be tested to validate any false positives or negatives:

To validate any false negatives, one should regularly, say weekly, take a heads up from the users on the network just to ensure there is no false negative.

(Put the following in document 3)

Malware Defense

Brief description of the monitoring used and the alerting processes:

This control is used to check the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

To make use of this control, automated tools can be employed to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. Also, anti-malware software can be employed that offer a centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update.

One can make use of intrusion and detection systems and advanced malware detection systems from vendors such as Kaspersky and Avast to implement this control effectively.

Devices to pull log data from in order to satisfy the monitoring rule:

Logs from the server on which the automated intrusion and detection systems tool is deployed can be used to control malware. Detailed reports from the tools in use can also be used to pull the necessary data required to satisfy the monitoring tool.

Frequency of the log data collection: (Real-Time, Hourly, Weekly, Monthly, Annually):

Generally, hourly or weekly log data can be collected depending on the security needs of network.

At least two ways this monitor could be tested to validate any false positives or negatives:

To validate any false positives or negatives, one can sanity check the software affected. One can also reproduce the error and test for malware on separate systems.

(Put the following in document 4)

Boundary Defense

Brief description of the monitoring used and the alerting processes:

This control is used to detect, prevent and correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

To make use of this control, deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists). Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

On DMZ networks, one can configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

One can make use of next-generation firewalls to implement this control effectively.

Devices to pull log data from in order to satisfy the monitoring rule:

Logs from the firewall and other security tools deployed such as advanced honeypots can be used to pull the necessary data required to satisfy the monitoring tool.

Frequency of the log data collection: (Real-Time, Hourly, Weekly, Monthly, Annually):

Generally, real-time or hourly log data can be collected depending on the security needs of network.

At least two ways this monitor could be tested to validate any false positives or negatives:

To validate any false positives or negatives, one can perform tests periodically by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters.

(Put the following in document 5)

Controlled use of Administrative Privileges

Brief description of the monitoring used and the alerting processes:

This control is about the processes and tools used to track, control, prevent and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

To implement this control effectively, one should minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. One should use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

Devices to pull log data from in order to satisfy the monitoring rule:

Logs from the servers deploying the automated tools can be used to pull the necessary data required to satisfy the monitoring tool.

Frequency of the log data collection: (Real-Time, Hourly, Weekly, Monthly, Annually):

Generally, real-time log data can be collected to check the misuse of administrative privileges in the network.

At least two ways this monitor could be tested to validate any false positives or negatives:

To validate any false positives or negatives, one can perform tests periodically by enquiring users on any suspicious use of administrative privileges in the network.
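The monitoring rule behind documents 1 and 2 (asset and software inventory fed from DHCP server logs) can be turned into working detection logic. The following Python is an added example, not part of the answer above: it parses ISC-dhcpd-style DHCPACK syslog lines (the log lines and the authorized inventory are constructed samples, the inventory export format from SCCM/KACE is assumed) and raises one alert per device that takes a lease without being in the inventory, or whose hostname disagrees with the inventory record. The validate_rule function implements the "two ways to test" item: an injected unknown device must be caught (false-negative check) and an authorized device must stay quiet (false-positive check).

```python
import re
from dataclasses import dataclass

# Constructed ISC-dhcpd style syslog lines; not real captures.
DHCP_LOG = """\
Mar  3 08:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.21 to 3c:52:82:11:aa:01 (hr-laptop-07) via eth0
Mar  3 08:12:05 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.22 to 3c:52:82:11:aa:02 (fin-desktop-03) via eth0
Mar  3 08:13:40 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 08:13:41 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (android-9f2) via eth0
Mar  3 08:15:00 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.21 to 3c:52:82:11:aa:01 (hr-laptop-07) via eth0
"""

# Authorized asset inventory keyed by MAC (constructed sample; in practice this
# would be exported from the inventory tool, e.g. SCCM or KACE).
AUTHORIZED = {
    "3c:52:82:11:aa:01": "hr-laptop-07",
    "3c:52:82:11:aa:02": "fin-desktop-03",
}

# Only DHCPACK lines mean a device actually obtained an address.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]*)\)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    ip: str
    mac: str
    hostname: str
    reason: str


def parse_leases(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"]


def unauthorized_devices(log_text, inventory):
    """Monitoring rule: one alert per MAC that took a lease but is not in the
    inventory, or whose hostname differs from the inventory record (a possible
    re-image or MAC spoof). Repeated leases by the same MAC do not re-alert."""
    alerts = {}
    for ip, mac, host in parse_leases(log_text):
        if mac not in inventory:
            alerts.setdefault(mac, Alert(ip, mac, host, "mac not in inventory"))
        elif inventory[mac] != host:
            alerts.setdefault(
                mac, Alert(ip, mac, host, f"hostname mismatch (expected {inventory[mac]})")
            )
    return list(alerts.values())


def validate_rule(inventory):
    """Two validation checks for the rule: a synthetic unknown device must be
    flagged (false-negative check) and a known device must not be (false-positive check).
    Both probe lines are constructed."""
    fn_probe = ("Mar  3 09:00:00 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.99 "
                "to de:ad:be:ef:00:01 (probe-unknown) via eth0")
    fp_probe = ("Mar  3 09:00:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.21 "
                "to 3c:52:82:11:aa:01 (hr-laptop-07) via eth0")
    catches_unknown = any(
        a.mac == "de:ad:be:ef:00:01" for a in unauthorized_devices(fn_probe, inventory)
    )
    ignores_known = unauthorized_devices(fp_probe, inventory) == []
    return {"catches_unknown_device": catches_unknown, "ignores_authorized_device": ignores_known}


if __name__ == "__main__":
    for a in unauthorized_devices(DHCP_LOG, AUTHORIZED):
        print(f"ALERT {a.reason}: {a.mac} -> {a.ip} ({a.hostname})")
    print(validate_rule(AUTHORIZED))
```

Run against a real dhcpd log the rule would be scheduled at the real-time or hourly cadence the answer suggests; the hostname-mismatch branch is what catches an authorized MAC reappearing on an unexpected machine, which a MAC-only check would miss.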
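Documents 4 and 5 describe two more log-driven rules: bogon-sourced traffic at the perimeter, and administrative privilege use by accounts no senior executive approved. The Python below is an added example (not from the answer above) that implements both over constructed log lines: a generic ACCEPT/DROP firewall log format and a simplified Windows Security log extract using the real event IDs 4672 (special privileges assigned to new logon) and 4728 (member added to a security-enabled global group). The bogon list is a subset of commonly published ranges, and the perimeter_probe_passed function implements the answer's validation step of sending packets from a bogon source and confirming they were all dropped.

```python
import ipaddress
import re

# Subset of commonly published bogon ranges (private, loopback, link-local,
# CGNAT, multicast, reserved). The RFC 5737 documentation ranges
# 198.51.100.0/24 and 203.0.113.0/24 are deliberately left out so they can
# stand in for public addresses in the constructed sample below.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed perimeter firewall log; format is illustrative, not a vendor's.
FW_LOG = """\
Mar  3 10:01:02 fw-edge kernel: ACCEPT IN=wan OUT=dmz SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443
Mar  3 10:01:05 fw-edge kernel: ACCEPT IN=wan OUT=dmz SRC=10.1.2.3 DST=203.0.113.10 PROTO=TCP DPT=22
Mar  3 10:01:09 fw-edge kernel: DROP IN=wan OUT=dmz SRC=192.168.0.9 DST=203.0.113.10 PROTO=UDP DPT=53
Mar  3 10:02:00 fw-edge kernel: ACCEPT IN=dmz OUT=wan SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=443
"""
FW_RE = re.compile(r"(?P<action>ACCEPT|DROP) IN=(?P<in>\w+) OUT=(?P<out>\w+) SRC=(?P<src>[\d.]+)")


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def bogon_ingress_alerts(log_text, external_if="wan"):
    """Boundary rule: packets entering on the external interface from a bogon
    source. An ACCEPT is a perimeter failure (high); a DROP shows the filter
    working and is kept at info level for trend reporting."""
    alerts = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["in"] == external_if and is_bogon(m["src"]):
            severity = "high" if m["action"] == "ACCEPT" else "info"
            alerts.append((severity, m["src"], m["action"]))
    return alerts


def perimeter_probe_passed(log_text, probe_src):
    """Validation: after test packets with bogon source probe_src were sent,
    every logged packet from that source must have been dropped. No evidence at
    all also fails, since that means the monitor never saw the probe."""
    seen = [m for m in map(FW_RE.search, log_text.splitlines()) if m and m["src"] == probe_src]
    return bool(seen) and all(m["action"] == "DROP" for m in seen)


# Constructed Windows Security log extract (simplified to one line per event).
ADMIN_LOG = """\
2024-03-03T10:05:00 srv-db01 EventID=4672 Account=CORP\\alice
2024-03-03T10:06:10 srv-db01 EventID=4672 Account=CORP\\bob
2024-03-03T10:07:30 dc01 EventID=4728 Account=CORP\\bob Group=Domain Admins Target=CORP\\mallory
"""
# Accounts approved for administrative use by a senior executive (constructed).
AUTHORIZED_ADMINS = {"CORP\\alice"}
ADMIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+)"
    r"(?: Group=(?P<group>.+?) Target=(?P<target>\S+))?$"
)


def admin_privilege_alerts(log_text, authorized):
    """Admin-privilege rule: a privileged logon (4672) by an unapproved account,
    or any change to an admin group (4728), raises an alert."""
    alerts = []
    for line in log_text.splitlines():
        m = ADMIN_RE.match(line)
        if not m:
            continue
        if m["id"] == "4672" and m["acct"] not in authorized:
            alerts.append(("unapproved privileged logon", m["host"], m["acct"]))
        elif m["id"] == "4728":
            detail = f"{m['acct']} added {m['target']} to {m['group']}"
            alerts.append(("admin group membership change", m["host"], detail))
    return alerts


if __name__ == "__main__":
    print(bogon_ingress_alerts(FW_LOG))
    print("probe 192.168.0.9 blocked:", perimeter_probe_passed(FW_LOG, "192.168.0.9"))
    print(admin_privilege_alerts(ADMIN_LOG, AUTHORIZED_ADMINS))
```

The group-membership branch is the false-negative safeguard for the admin rule: an account that is added to an admin group but has not yet logged on privileged would otherwise produce no 4672 event and go unnoticed until it is used.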
