For a link to the Discussion Forum topic on the SANS Top 20, click here.
Updated May 1, 2013
This dashboard displays many of the SANS Top 20 Critical Controls.
• Security Center 4.6 or higher is required
• Required Tools – LCE, PVS, Nessus Scanner
As published by SANS, the goal of the Top 20 Critical Controls is to protect assets, infrastructure, and information by strengthening your organization's defensive posture through continuous automated protection and monitoring. This Security Center dashboard consists of a single dashboard tab with 15 individual components that provide insight into nearly 50 items that correlate directly to the SANS Top 20 Critical Controls.
The dashboard is laid out as an easy-to-read, color-coded series of 15 tables and indicators displayed in two columns on one dashboard tab. A quick scan from the top level gives a rapid overview, while clicking an individual indicator takes you into a deep-dive analysis of the triggered events or vulnerabilities.
Nessus, PVS, and LCE are all required to enable certain compliance indicators, such as the CIS, HIPAA, PCI, or DISA checks. Which of these are displayed can be left to the organization's preference and the regulatory requirements it must fulfill; they are fully customizable within the component itself.
Depending on organizational requirements and needs, all component sections are highly configurable and can be used in any environment with basic knowledge of Security Center. The following is a brief description of each component and its associated control.
Critical Control 1 – New Device Detection
This component utilizes Nessus and PVS plugins (active and passive) to report new hosts found in the configured network range over the last 48 hours, recording the network address and machine name of each.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
Critical Control 3 – Secure Configurations
The results for this component are defined by keywords in the vulnerability text that match text contained in several plugins. Indicators alert on compliance data from PCI, DISA, CIS, and HIPAA checks.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6
Critical Control 4 – Continuous Vulnerability Scanning
This component displays the total number of known systems within the specified range, the number that have been observed over the last 30 days, and the percentage of systems that have had a credentialed scan completed over the last 30 days. It allows you to determine whether vulnerability scanning is occurring against all the systems in the specified range.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)
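As an added illustration (not part of this page or of Security Center), the following Python computes the three Control 4 figures from a constructed asset export and also lists the live hosts that lack a recent credentialed scan, which is the list a practitioner actually acts on. The hosts, dates, the 30-day window and the choice of known systems as the denominator for the percentage are assumptions. In Nessus, plugin 19506 (Nessus Scan Information) records whether credentialed checks ran against a host, so a real export would take the last_credentialed value from that plugin's output rather than from hand-entered data.

```python
from datetime import datetime, timedelta

# Fixed reference time for the constructed sample below (hypothetical).
NOW = datetime(2013, 5, 1)
WINDOW = timedelta(days=30)

# Constructed asset export (hypothetical data, not a SecurityCenter export).
# last_seen: most recent active or passive detection of the host.
# last_credentialed: most recent scan that completed with credentials
# (None if the host has never been scanned with credentials).
INVENTORY = [
    {"host": "10.0.0.5",  "last_seen": datetime(2013, 4, 30), "last_credentialed": datetime(2013, 4, 28)},
    {"host": "10.0.0.9",  "last_seen": datetime(2013, 4, 29), "last_credentialed": datetime(2013, 3, 15)},
    {"host": "10.0.0.12", "last_seen": datetime(2013, 4, 30), "last_credentialed": None},
    {"host": "10.0.0.20", "last_seen": datetime(2013, 3, 1),  "last_credentialed": datetime(2013, 2, 20)},
]


def within(ts, now=NOW, window=WINDOW):
    """True if ts is set and falls inside the trailing window ending at now."""
    return ts is not None and now - ts <= window


def scan_coverage(inventory, now=NOW, window=WINDOW):
    """Return the three Control 4 figures plus the hosts that need attention.

    known:            every host in the inventory
    observed:         hosts seen (actively or passively) inside the window
    credentialed_pct: share of known hosts with a credentialed scan inside the window
    gaps:             hosts that are live but lack a recent credentialed scan;
                      a scan schedule or credential fix can reach these, whereas
                      a host not seen in the window cannot be scanned at all
    """
    known = len(inventory)
    observed = [h for h in inventory if within(h["last_seen"], now, window)]
    credentialed = [h for h in inventory if within(h["last_credentialed"], now, window)]
    pct = 100.0 * len(credentialed) / known if known else 0.0
    gaps = sorted(h["host"] for h in observed
                  if not within(h["last_credentialed"], now, window))
    return {"known": known, "observed": len(observed),
            "credentialed_pct": pct, "gaps": gaps}


if __name__ == "__main__":
    report = scan_coverage(INVENTORY)
    print("known=%d observed=%d credentialed=%.1f%%" % (
        report["known"], report["observed"], report["credentialed_pct"]))
    for host in report["gaps"]:
        print("no recent credentialed scan:", host)
```

On the sample, one host of four has a credentialed scan inside the window (25%), three are live, and two of those (one with a stale credentialed scan, one never scanned with credentials) are the gaps. The host last seen two months ago lowers the percentage without appearing in the gap list, which is exactly why the component shows known and observed counts side by side: a large spread between them points at a stale asset list rather than at a scanning problem.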
Critical Control 5 – Malware Controls
This component displays indicator-type results from the Tenable Malicious Process Detection plugin, as well as details on large virus anomalies and active virus detections on the specified network range.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)
Critical Control 6 – Web Application Security
This component utilizes PVS and a wide variety of plugins to passively identify vulnerabilities within web applications, including unsupported or vulnerable software versions. Included tests are: SQL injection, CGI abuses, backdoors, XSS, DNS and FTP checks, IMAP, SMTP, and POP checks, Internet service checks, and web server checks, sorted by severity.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10
Critical Control 7 – Wireless Device Control
This component utilizes active and passive checks for wireless access point detection to report the total number of WAP devices found, the number that have appeared over the last 7 days, and whether they have any known vulnerabilities. This component also reports on Advanced Web Scanning.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)
Critical Control 10 – Secure Configurations for Network Devices
The results for this component are defined by keywords in the vulnerability text that match text contained in several plugins. Indicators alert on compliance data for Cisco IOS and Juniper devices.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9
Critical Control 11 – Control of Ports/Protocols/Services
This component utilizes Nessus to identify open ports found over the last 24 hours, shown as indicators. The total number of hosts on the defined network and the total number of active services found are also displayed.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)
Critical Control 12 – Controlled Use of Administrator Privileges
This component provides an indication of changes to user accounts by utilizing LCE's ability to trend user creation, modification, and removal events over the last 72 hours. Software deployments often include the creation, and frequently the subsequent removal, of temporary accounts, all of which will also be detected. Other items under SANS Critical Control 12, such as password requirements, are bundled into Control 16, which covers Account Monitoring.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)
Critical Control 13 – Boundary Defense
This component focuses on common anomalies that may indicate unwanted activity against internal systems. The indicators display devices identified as remote hosts listed in public botnet databases, websites that contain links listed in public malware databases, threat-list intrusion events, and threat-list statistics. Also indicated are spikes in firewall statistics, connections, denied-access events, and authentication failures.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7
Critical Control 14 – Monitoring and Analysis of Logs
This component displays indications in several areas. First, it displays the number of normalized events that were triggered over the last 24 hours; a null value here indicates a problem with logging. Four indicators trigger on stored LCE events that may indicate malicious activity: Long Term Intrusion Activity, System Errors, Host Scanning, and Net Sweeps.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-17 (1), AC-19, AU-2 (4), AU-3 (1,2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)
Critical Control 15 – Controlled Access/Sensitive Information
This component focuses on Nessus vulnerability data, sorted by severity, that may lead to the exfiltration of sensitive data, and also utilizes PVS's ability to capture sensitive data in transit. A handful of the triggers are: peer-to-peer file sharing, IM, FTP, and PVS's Data Leakage plugins.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)
Critical Control 16 – Account Monitoring and Control
This is an indicator-style component that displays four different account event anomalies that have appeared on the defined network over the last 48 hours: login failures, account lockout events, password guessing, and successful password guessing. Also displayed are indicators showing account-related settings found by active scanning, such as passwords that are set to never expire, have never been changed, are blank, or are set to defaults.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3
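The account trending in Control 12 and the password-guessing indicators in Control 16 work from the same raw material, so one added example serves both. The Python below is an illustration written for this page, not LCE or Security Center code: it parses a constructed set of Windows-style security events (the key=value layout, host names, user names and addresses are made up; the event IDs are the standard Windows ones), trends account creation, modification and removal over a 72-hour window and flags accounts created and removed within it, then detects password guessing per source address and user, distinguishing a run of failures that ends in a success from a single mistyped password. The thresholds (5 failures within 10 minutes) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed reference time for the constructed sample (hypothetical).
NOW = datetime(2013, 5, 1)

# Windows security event IDs used below: 4720 account created, 4738 account
# changed, 4726 account deleted, 4625 logon failure, 4624 logon success.
CREATED, CHANGED, DELETED, FAIL, SUCCESS = 4720, 4738, 4726, 4625, 4624

# Constructed sample events in a simple key=value form. This is not LCE's
# normalized event format; the hosts, users and addresses are made up.
SAMPLE_LOG = """\
2013-04-30T08:00:00 host=dc1 event=4720 user=svc_deploy src=-
2013-04-30T08:05:00 host=dc1 event=4738 user=svc_deploy src=-
2013-04-30T09:30:00 host=dc1 event=4726 user=svc_deploy src=-
2013-04-29T10:00:00 host=dc1 event=4720 user=jsmith src=-
2013-04-30T12:00:00 host=web1 event=4625 user=bob src=10.0.0.44
2013-04-30T12:00:30 host=web1 event=4624 user=bob src=10.0.0.44
2013-04-30T22:01:00 host=web1 event=4625 user=admin src=203.0.113.7
2013-04-30T22:01:10 host=web1 event=4625 user=admin src=203.0.113.7
2013-04-30T22:01:20 host=web1 event=4625 user=admin src=203.0.113.7
2013-04-30T22:01:30 host=web1 event=4625 user=admin src=203.0.113.7
2013-04-30T22:01:40 host=web1 event=4625 user=admin src=203.0.113.7
2013-04-30T22:06:00 host=web1 event=4624 user=admin src=203.0.113.7
"""


def parse(text):
    """Parse the key=value lines into dicts and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        rec["event"] = int(rec["event"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def account_changes(events, now=NOW, window=timedelta(hours=72)):
    """Control 12: count creations, modifications and removals inside the
    window and flag accounts created *and* removed inside it (temporary
    accounts, e.g. left behind by a software deployment)."""
    counts = {"created": 0, "modified": 0, "removed": 0}
    created, removed = set(), set()
    for e in events:
        if now - e["ts"] > window:
            continue
        if e["event"] == CREATED:
            counts["created"] += 1
            created.add(e["user"])
        elif e["event"] == CHANGED:
            counts["modified"] += 1
        elif e["event"] == DELETED:
            counts["removed"] += 1
            removed.add(e["user"])
    counts["temporary"] = sorted(created & removed)
    return counts


def password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Control 16: per (source, user), `threshold` failures inside `window` is
    password guessing; a success within `window` of the last failure makes it
    successful password guessing. One typo followed by a success is ignored."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] in (FAIL, SUCCESS):
            by_key[(e["src"], e["user"])].append(e)
    findings = {}
    for (src, user), seq in by_key.items():
        fails = []  # timestamps of the current run of failures
        for e in seq:
            if e["event"] == FAIL:
                fails.append(e["ts"])
                fails = [t for t in fails if e["ts"] - t <= window]
                if len(fails) >= threshold:
                    findings.setdefault((src, user),
                                        {"src": src, "user": user, "success": False})
            else:
                if len(fails) >= threshold and e["ts"] - fails[-1] <= window:
                    findings[(src, user)]["success"] = True
                fails = []  # a success ends the run
    return sorted(findings.values(), key=lambda f: (f["src"], f["user"]))


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(account_changes(events))
    for f in password_guessing(events):
        print(f["src"], "->", f["user"], "successful" if f["success"] else "attempted")
```

On the sample, svc_deploy is created, modified and deleted within 72 hours and is reported as a temporary account, bob's single failure followed by a success is ignored, and the five failures from 203.0.113.7 against admin followed by a success four minutes later are reported as successful password guessing. Keying on source address as well as user matters in practice: a distributed attempt that spreads the failures over many sources stays under a per-source threshold, which is why the dashboard's separate login-failure and lockout counts are still worth watching alongside the guessing indicators.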
Critical Control 17 – Data Loss Prevention
From PVS's Data Leakage family of plugins to Nessus active scanning plugins that report USB device usage, this indicator-style component triggers on events that could potentially be data leakage. Dropbox usage and BitTorrent activity are also reported.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7
Critical Control 20 – Penetration Testing
Just as penetration testing seeks out vulnerabilities and attempts exploits, this component focuses on exploitable vulnerabilities found by active and passive scanning. Active scan results based on patch levels are analyzed, and if any exploits exist for the vulnerabilities, this indicator is triggered. Mobile devices and web clients are passively monitored by PVS, and a wide variety of active and passive plugins are used to trigger a general indicator. Ports found to be exploitable are broken down into four ranges (1-1024, 1025-5000, 5000-10000, and 10000+) and displayed as indicators below the services, allowing you to rapidly locate and identify newly opened or vulnerable ports.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)