Critical Controls and SIEM

 Critical Control 1: Inventory of Authorized and Unauthorized Devices

SIEM can correlate user activity with user rights and roles to detect violations of least
privilege enforcement, which is required by this control.

Critical Control 2: Inventory of Authorized and Unauthorized Software

SIEM should be used as the inventory database of authorized software
products for correlation with network and application activity.

Critical Control 3: Secure Conjurations for Hardware and Software on Laptops, Workstations, and Servers

Known vulnerabilities are still a leading avenue for successful exploits. If an automated
device scanning tool discovers a mis configured network system during a Common
Configuration Enumeration (CCE) scan, that misconfiguration should be reported to the
SIEM as a central source for these alerts. This helps with troubleshooting incidents as
well as improving overall security posture.

Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers,and Switches

Any misconfiguration on network devices should also be reported to the SIEM for consolidated analysis

Critical Control 5: Boundary Defense

Network rule violations, like CCE discoveries, should also be reported to one central
source (a SIEM) for correlation with authorized inventory data stored in the SIEM
solution

Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Control 6 is basically a control about SIEMs, which are a leading means for collecting
and centralizing critical log data; in fact, there is even a subcontrol for analysis that
studies SIEM specifically. SIEMs are the core analysis engine that can analyze log events
as they occur.

Critical Control 7: Application Software Security

Like CCE scan results, vulnerabilities that are discovered in software applications should
also be reported to a central source where these vulnerabilities can be correlated with
other events concerning a particular system. SIEMs are a good place to store these scan
results and correlate the information with network data, captured through logs, to
determine whether vulnerabilities are being exploited in real time.

Critical Control 8: Controlled Use of Administrative Privileges

When the principles of this control are not met (such as an administrator running a
web browser or unnecessary use of administrator accounts), SIEM can correlate access
logs to detect the violation and generate an alert.

Critical Control 9: Controlled Access Based on Need to Know

SIEM can correlate user activity with user rights and roles to detect violations of least
privilege enforcement, which is required by this control.

Critical Control 10: Continuous Critical Control

SIEM can correlate vulnerability context with actual system activity to determine
whether vulnerabilities are being exploited.

Critical Control 11: Account Monitoring and Control

Abnormal account activity can only be detected when compared to a baseline of
known good activity. The baseline to meet this control should be recorded by the
SIEM; and, as future snapshots or baselines are recorded, they can be compared to the
approved baseline in the SIEM.

Critical Control 12: Malware Defenses

Malware that is discovered should be recorded according to this control. Centralized
anti-malware tools should report their findings to a SIEM, which correlates against
system and vulnerability data to determine which systems pose a greater risk due to the
malware discovered on that system

Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services

if a system has a running port, protocol, or service that has not been authorized, it should also be reported to a central source where these vulnerabilities can be correlated with other events concerning a particular system. SIEMs can monitor log data to detect traffic over restricted ports, protocols, and services. Organizations can use these controls to decide which ports and services are useful for business, which are not, and which types of traffic and ports to limit

Critical Control 14: Wireless Device Control

Device misconfigurations and wireless intrusions should be reported to a central
database for incident handling purposes. A SIEM is a perfect candidate to consolidate
this information and use it for correlation or detection of threats to wireless
infrastructure

Critical Control 15: Data Loss Prevention

data loss rule violations, like CCE discoveries, should also be reported to one central source such as a SIEM, which can correlate data loss events with inventory or asset information as well as other system and user activity to detect complex breaches of sensitive data.

Critical Control 15: Data Loss Prevention

 

data loss rule violations, like CCE discoveries, should also be reported to one central source such as a SIEM, which can correlate data loss events with inventory or asset information as well as other system and user activity to detect complex breaches of sensitive data.