
CSF Network Defense (PR.AC and PR.PT)

by Sharon Everson
February 26, 2016

Ensuring adequate protection against intrusions, attacks, and advanced persistent threats requires continuous real-time monitoring of access control and protection technologies. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of objectives that allow an organization to build a comprehensive security plan to protect against security threats. The CSF Network Defense Assurance Report Card (ARC) aligns with the access control (PR.AC) and protective technology (PR.PT) categories of the NIST Cybersecurity Framework, and provides clear visibility into the status of an organization’s network defense capabilities.

Employing a multi-layered defense-in-depth strategy across all endpoints provides the best protection against intrusions or attacks. Internet-facing assets, including web servers and VPNs, need to be monitored to ensure that unauthorized users do not gain access to network resources. Systems must be adequately protected by firewall policy and antivirus so that critical systems are not left vulnerable to intrusions or attacks. Wireless and mobile device vulnerabilities must be addressed so that additional security risks are not introduced into the network. Organizations that do not continuously monitor and secure network defenses will not be able to respond or defend network assets appropriately.

This ARC assists organizations in improving security and network defense controls. Policy statements included within this ARC report on systems that are sending logs to the Log Correlation Engine (LCE), systems that are covered by firewall and antivirus policies, and systems that have detected intrusion or botnet activity. Additional policy statements report on VPN, wireless, and mobile devices with exploitable vulnerabilities. Having complete visibility of network security allows organizations to proactively respond to threats, mitigate vulnerabilities, and take preventative measures before any serious damage occurs.

The information provided in this ARC establishes a baseline for measuring whether an organization's information security policies, as currently enforced, are effective. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Feed under the category Compliance. The ARC requirements are:

  • Tenable.sc 5.2.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Nessus Network Monitor (NNM), as well as log correlation with Tenable's Log Correlation Engine (LCE). Tenable.sc CV can help an organization continuously monitor and measure the effectiveness of security controls. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network defense posture.

ARC Policy Statements:

At least 95% of systems are sending logs: This policy statement compares the number of systems that are sending logs to the Log Correlation Engine to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Logs can provide valuable information on network, application, and security events from multiple devices across a network. To get the clearest picture of network status and security, all systems on the network should be sending logs to LCE.

At least 95% of Internet facing systems are sending logs: This policy statement compares the number of Internet facing systems that are sending logs to the Log Correlation Engine to total Internet facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems that face the Internet should especially be sending logs to LCE. Logs can provide valuable information on network, application, and security events from multiple devices, which can help to identify possible intrusions or attacks. To get the clearest picture of network status and security, all systems on the network should be sending logs to LCE.

At least 90% of systems are protected by a firewall policy: This policy statement compares the number of systems that are protected by a firewall policy to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Firewall policies may be applied to workstations, servers, and other devices, which can filter both inbound and outbound traffic. When properly configured, firewalls can help to improve network security and reduce risk to network devices by filtering access to ports and services. Systems that are not covered by a firewall policy should be investigated immediately by the organization, as this could indicate a possible unauthorized or unknown host on the network, or a host vulnerable to attack.

At least 90% of Windows and Mac OS systems have active up-to-date antivirus protection: This policy statement compares the number of systems with active and up-to-date antivirus protection to total systems, for Windows and Mac OS systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. All systems should have active and up-to-date antivirus software installed to protect against malware infections. Organizations can use this information to identify and resolve antivirus software issues on systems.

Less than 15% of systems have detected intrusion activity: This policy statement compares the number of systems that have detected intrusion activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Intrusion events include password guessing, IDS events, and network sweeps, among other things. Intrusion events could indicate ongoing attacks or hosts that have been compromised. Organizations should investigate intrusion events to determine the scope, impact, and actions needed for remediation.

No systems have been detected interacting with known botnets: This policy statement compares the number of systems detected interacting with known botnets to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Tenable.sc receives a daily updated list of IP addresses and domains that are participating in known botnets. Using this information, systems on the network that interact with known botnets can be detected. Any systems interacting with known botnets should be investigated immediately by the organization to minimize security risks.

No unusual VPN activity has been detected: This policy statement compares the number of systems that have detected unusual VPN activity to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. This policy statement utilizes the LCE event “VPN_Login_From_Unusual_Source”. This event triggers when a VPN login originates from a source IP address that is not part of the same class B address space (the same /16 block) as what is normal for the login user ID. Systems that detect unusual VPN activity should be investigated immediately by the organization, as this could indicate possible unauthorized activity.
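To make the detection logic behind that event concrete, here is an added example (not LCE's own code) that applies the same rule to constructed VPN login records: each user's baseline is the set of /16 networks seen in their first few logins (the length of that learning period is an assumption; the page does not state LCE's), and any later login from a different /16 is flagged.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPN login events (user ID, source IP); not real LCE output.
SAMPLE_LOGINS = [
    ("alice", "203.0.113.10"),
    ("alice", "203.0.113.77"),
    ("alice", "198.51.100.5"),   # different /16 from alice's usual network
    ("bob",   "192.0.2.25"),
    ("bob",   "192.0.2.200"),
    ("alice", "203.0.113.99"),   # back on the known /16
]

def class_b(ip: str) -> str:
    """Return the class B sized (/16) network that contains an IPv4 address."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))

def unusual_vpn_logins(logins, learning_logins=2):
    """Flag logins whose source /16 differs from the user's learned baseline.

    learning_logins: how many initial logins per user build the baseline
    (assumed value; the page does not define LCE's learning period).
    Returns a list of (user, source_ip, baseline_networks) for flagged logins.
    """
    seen = defaultdict(list)   # user -> /16 networks observed during learning
    flagged = []
    for user, ip in logins:
        net = class_b(ip)
        baseline = seen[user]
        if len(baseline) >= learning_logins and net not in baseline:
            # Equivalent of VPN_Login_From_Unusual_Source for this user
            flagged.append((user, ip, sorted(set(baseline))))
        else:
            baseline.append(net)   # still learning, or a known network
    return flagged

if __name__ == "__main__":
    for user, ip, known in unusual_vpn_logins(SAMPLE_LOGINS):
        print(f"unusual VPN source for {user}: {ip} (usual: {', '.join(known)})")
```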

No systems with VPN access have exploitable vulnerabilities: This policy statement compares the number of systems that have exploitable vulnerabilities to total systems, for systems with VPN access. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. VPN access provides secure access over an insecure connection to an organization’s network. Reducing the number of exploitable vulnerabilities can greatly help to reduce the risk to the network. Systems with VPN access that have exploitable vulnerabilities should be remediated immediately.

No mobile devices have exploitable vulnerabilities: This policy statement compares the number of devices that have exploitable vulnerabilities to total devices, for voice and mobile devices. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Exploitable vulnerabilities on mobile devices increase the network’s potential exposure to malicious activity and should be remediated if possible.

No systems have wireless vulnerabilities: This policy statement compares the number of systems with wireless vulnerabilities to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Systems with detected wireless vulnerabilities should be investigated immediately to minimize potential security risks. This information can also assist the organization in finding authorized and unauthorized wireless access points.
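The policy statements above all follow one pattern: a scoped population, a counted condition, and a threshold that decides green or red. The following added example (not Tenable's code) evaluates all ten statements over a constructed asset inventory; the asset attribute names and the handling of an empty scope are assumptions.

```python
# Assumed asset attribute model and a constructed inventory (not Tenable.sc data).
DEFAULT = dict(internet_facing=False, sends_logs=True, firewall=True, win_mac=True,
               av_ok=True, intrusion=False, botnet=False, unusual_vpn=False,
               vpn=False, exploitable=False, mobile=False, wireless_vuln=False)

def asset(**overrides):
    return {**DEFAULT, **overrides}

ASSETS = [asset(internet_facing=True), asset(internet_facing=True, sends_logs=False),
          asset(firewall=False), asset(win_mac=False), asset(intrusion=True),
          asset(vpn=True, exploitable=True), asset(mobile=True, win_mac=False),
          asset(), asset(), asset()]

EVERY = lambda a: True
# (statement, scope = denominator filter, condition = numerator filter, rule, threshold)
# rule "at_least": ratio >= t; "less_than": ratio < t; "none": matching count == 0
POLICY = [
    ("At least 95% of systems are sending logs", EVERY, lambda a: a["sends_logs"], "at_least", 0.95),
    ("At least 95% of Internet facing systems are sending logs", lambda a: a["internet_facing"], lambda a: a["sends_logs"], "at_least", 0.95),
    ("At least 90% of systems are protected by a firewall policy", EVERY, lambda a: a["firewall"], "at_least", 0.90),
    ("At least 90% of Windows and Mac OS systems have active up-to-date antivirus", lambda a: a["win_mac"], lambda a: a["av_ok"], "at_least", 0.90),
    ("Less than 15% of systems have detected intrusion activity", EVERY, lambda a: a["intrusion"], "less_than", 0.15),
    ("No systems have been detected interacting with known botnets", EVERY, lambda a: a["botnet"], "none", None),
    ("No unusual VPN activity has been detected", EVERY, lambda a: a["unusual_vpn"], "none", None),
    ("No systems with VPN access have exploitable vulnerabilities", lambda a: a["vpn"], lambda a: a["exploitable"], "none", None),
    ("No mobile devices have exploitable vulnerabilities", lambda a: a["mobile"], lambda a: a["exploitable"], "none", None),
    ("No systems have wireless vulnerabilities", EVERY, lambda a: a["wireless_vuln"], "none", None),
]

def evaluate(assets, scope, cond, rule, threshold):
    """Return (met, ratio) for one policy statement over the asset list."""
    population = [a for a in assets if scope(a)]
    matching = sum(1 for a in population if cond(a))
    # Empty scope (e.g. no VPN systems at all): nothing can be non-compliant, so
    # the statement counts as met (assumption; the page does not define this case).
    ratio = matching / len(population) if population else 0.0
    if rule == "at_least":
        met = not population or ratio >= threshold
    elif rule == "less_than":
        met = ratio < threshold
    else:  # "none"
        met = matching == 0
    return met, ratio

def report_card(assets):
    """Map each policy statement to 'green' or 'red', as the ARC displays it."""
    return {name: "green" if evaluate(assets, s, c, r, t)[0] else "red"
            for name, s, c, r, t in POLICY}
```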
