Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

CIS CSC: Data Protection (CSC 13,14)

by David Schwalenberg
June 20, 2016

Data leakage can happen when organizations lose track of where sensitive data is stored, who has access to that data, and how sensitive data traverses the network. Financial information, credit card numbers, and personally identifiable information (PII) can be leaked both unintentionally and intentionally. Security incidents can increase the risk of identity theft, stolen account information, and exfiltration of sensitive internal data, which can be costly and damaging to an organization’s reputation and business. This dashboard can assist the organization in reducing data leakage, protecting sensitive data, and monitoring for related suspicious activity. 

As defined by the Center for Internet Security (CIS), the Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. Developed based on specific knowledge of the threat environment and currently available technologies, the Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of many experts. This dashboard aligns with CIS Critical Security Controls 13, Data Protection, and 14, Controlled Access Based on the Need to Know, which address securing sensitive data, monitoring the network for data exfiltration, and detecting activity on the network that could lead to data leakage.

The Passive Vulnerability Scanner (PVS) analyzes data in motion and can detect sensitive data such as credit card numbers and Social Security numbers traversing the network. These PVS events as well as events from Data Loss Prevention (DLP) systems are forwarded to the Log Correlation Engine (LCE). Nessus scans can identify vulnerabilities that could lead to data leakage. The dashboard presents all this information to assist the organization in detecting data exfiltration and securing sensitive data. Analysts can also use this dashboard to easily drill down and gain more detailed information.

This dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends. The dashboard requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.4
  • PVS 5.0.0
  • LCE 4.8.0

Tenable SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with the Tenable Passive Vulnerability Scanner (PVS), as well as log correlation with the Tenable Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.

The following components are included in this dashboard:

  • Data Leakage Monitoring - Indicators: This component presents warning indicators to draw attention to types of data that may have been leaked and methods whereby data may be leaking. These indicators make use of both passive detections and events logged within the last 72 hours. A purple indicator highlights a vulnerability/event detection. In two cases (Credit Card Number and Social Security Number), there are two indicators: one to highlight data leakage detected passively and one to highlight data leakage detected through logged events. Clicking on a highlighted indicator will bring up the analysis screen to display details on the vulnerabilities/events. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities/events are present. This component can be used to further investigate any data leakage.
  • Data Leakage Monitoring - Top 10 Subnets with the Most Passive Detections: This table presents the top 10 Class C subnets with the most passive detections of data leakage. These passive detections are vulnerabilities reported by PVS in the 'Data Leakage' plugin family. The list is ordered so that the subnet with the worst data leakage is at the top. A count of detections and a bar graph indicating the severity of the detections are given for each subnet.
  • Data Leakage Monitoring - Top 10 Most Prevalent Passive Detections: This table presents the top 10 most prevalent passive detections of data leakage. These passive detections are vulnerabilities reported by PVS in the 'Data Leakage' plugin family. A count of detections is given for each vulnerability; the list is ordered so that the vulnerability with the greatest number of detections is at the top. The severity of the vulnerability and a count of hosts on which the vulnerability was observed are also given for each vulnerability.
  • Data Leakage Monitoring - Top 10 Most Prevalent Events (Last 72 Hours): This table presents the most prevalent logged data leakage events in the last 72 hours. The logged events are reported by LCE under the 'data-leak' event type, and include events forwarded via syslog from PVS. A count of occurrences is given for each logged event; the list is ordered so that the event that occurred most often is at the top. A trend graph is also given for each event.
  • Data Leakage Monitoring - Vulnerabilities that Could Lead to Data Leakage: This component presents indicators by keyword for actively and passively detected vulnerabilities that could lead to data leakage. Vulnerabilities at all severity levels except Informational are included. The keywords cover disclosures, cryptographic issues, man-in-the-middle vulnerabilities, and weak authentication concerns. A purple indicator means that one or more vulnerabilities contain the keyword. Clicking on the indicator will bring up the analysis screen to display details on the vulnerabilities. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities are present. This component can be used to investigate vulnerabilities that could lead to data leakage.
  • Data Leakage Monitoring - Activity with Potential for Data Leakage: This component presents indicators for activity detected on the network that has the potential for data leakage. The indicators are based on events logged in the last 72 hours and on actively and passively detected vulnerabilities. Indicators are included for such things as cloud interaction, outbound traffic to external IP addresses, peer-to-peer file sharing vulnerabilities, and USB usage. A purple indicator highlights a vulnerability/event detection. Clicking on a highlighted indicator will bring up the analysis screen to display details on the vulnerabilities/events. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities/events are present. This component can be used to investigate the potential for data leakage.