CIS Control 13 Explained: Network Monitoring and Defense

CIS Control 13 involves network monitoring and defense – meaning to use processes and tools to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

The Importance of Control 13

Enterprises often remain compromised for weeks, months or even years before detection. Comprehensive situational awareness allows for quicker detection and response, which is vital for minimizing the impact of malware, credential theft or data breaches.

Effective situational awareness, supported by robust security operations, helps enterprises identify and catalog attackers’ Tactics, Techniques and Procedures (TTPs) and their Indicators of Compromise (IOCs). This proactive approach enables better anticipation of future threats. Moreover, having complete information about the environment and enterprise structure accelerates recovery and allows for the development of efficient response strategies.

Implementation Groups (IGs)

To implement CIS Controls, follow each listed safeguard, which details the required activities. Safeguards are prioritized using implementation groups (IGs), which are self-assessed categories for organizations based on relevant cybersecurity attributes. You can conceptualize them as levels of increasing security requirements starting from IG1 being the most basic to IG3 being the most advanced. The higher level groups are included in the lower ones.

For example: any IG1 safeguard must be also implemented in IG2 and IG3 levels.

The Safeguards of Control 13

There are eleven safeguards in CIS Control 13. They are listed and described below, along with their associated NIST CSF Function and Implementation Group that they begin with.

Safeguard NumberSafeguard TitleNIST Security FunctionStartingImplementation Group
Safeguard 13.1Ensure Network Infrastructure is Up-to-DateDetectIG2
Safeguard 13.2Deploy a Host-Based Intrusion Detection SolutionDetectIG2
Safeguard 13.3Deploy a Network Intrusion Detection SolutionDetectIG2
Safeguard 13.4Perform Traffic Filtering Between Network SegmentsProtectIG2
Safeguard 13.5Manage Access Control for Remote AssetsProtectIG2
Safeguard 13.6Collect Network Traffic Flow LogsDetectIG2
Safeguard 13.7Deploy a Host-Based Intrusion Prevention SolutionProtectIG3
Safeguard 13.8Deploy a Network Intrusion Prevention SolutionProtectIG3
Safeguard 13.9Deploy Port-Level Access ControlProtectIG3
Safeguard 13.10Perform Application Layer FilteringProtectIG3
Safeguard 13.11Tune Security Event Alerting ThresholdsDetectIG3