CIS Controls and Azure Benchmark Echo Our Security Drum-Beat

Yesterday we watched an interview with white-hat hackers about how and why your organization finds itself in the cross-hairs (it’s not you, it’s them, and by “them” we mean mostly unattended bots scanning the Internet). There’s some good material in the video, but their key takeaways for keeping your assets safe are to:
  1. Ensure strong passwords are in place

  2. Enable multi-factor authentication

  3. Patch your systems

As a corollary to that last one, one of the panelists stressed the importance of properly inventorying your systems: you can’t patch what you don’t know you have.

We’ve been beating a security drum for the past few months that sounds fairly similar to those points: enable multi-factor authentication! Protect mailbox users with anti-phishing and credential-theft controls! Patch, patch, patch!

It may also sound fairly similar to the Center for Internet Security’s first five CIS Controls, the ones it ranks as most important (paraphrased):

  1. Inventory your devices

  2. Inventory your software

  3. Secure your configurations

  4. Perform continuous vulnerability assessments

  5. Control use of admin rights

It is critical for modern connected organizations to understand the current threat landscape. As we pointed out to attendees at the Microsoft Tech Summit in Atlanta, it’s a heck of a lot easier for an attacker to get your users to compromise your security than it is to brute-force through your perimeter defenses. Recent campaigns like the Winter Olympics “counter-terrorism” phishing lure and financially motivated attacks that pivot into payroll systems show that attackers are still constantly evolving their methods.

If you haven’t looked at the 20 CIS Controls recently, or need a refresher, here are the other 15 (again, paraphrased, and numbered as CIS numbers them):

  6. Maintenance, monitoring & analysis of audit logs

  7. Email & browser protections

  8. Malware defenses

  9. Limitation & control of network ports

  10. Data recovery capability

  11. Secure configurations for network devices

  12. Perimeter (boundary) defense

  13. Data protection

  14. Just enough & just-in-time access

  15. Wireless access control

  16. Account monitoring & control

  17. Security skills assessment & training

  18. Application security

  19. Incident response & management

  20. Penetration testing

What is interesting here is that, with the exception of the controls that concern configuring the actual network devices, Microsoft 365 has a solution for every control on the list. It is remarkable to think that you can address 18 of the 20 critical controls with one platform. (Having the tooling is not the same as having the control implemented and measured, of course, but the coverage is there.)

And that would be pretty cool even if that were the extent of it, but honestly, it’s not. Take malware defenses and analysis of audit logs: with the integrations between Windows Defender ATP (endpoints), Azure ATP (identities) and Office 365 ATP (mail and files), we can see an attack across multiple vectors and drill down from one control surface to the next with 1:1 incident correlation. Tack on the recently announced Office 365 Attack Simulator, and you’re armed with tools not just to respond, but to assess and fill gaps in your security training and configurations.

And if we’re feeling particularly frisky, we can activate Azure Log Analytics and Azure Security Center (both have free tiers) to monitor update compliance, best-practice configuration, application compatibility and threat management across our deployments. If you haven’t looked at using Log Analytics to get insights into your Windows 10 deployments, you should consider it. The free tier costs nothing, and it can now be deployed without a big, cumbersome script.

Before we veer too far from the subject of CIS: on Tuesday they released the CIS Microsoft Azure Foundations Benchmark. It’s free, and if you are using or considering Azure, we strongly recommend downloading a copy (free registration required). At 200+ pages it’s not a quick read, but it gives standardized best-practice guidance for securing your Azure environment, from identity to SQL instances to VMs, to tying it all together with Azure Security Center.

For every recommendation it provides a description, rationale, audit and remediation steps, impact, default value, reference(s), and a mapping of that setting to the same 20 CIS Controls.
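To make that recommendation format concrete, here is an added example (not from the original post, and not CIS’s or Microsoft’s own code) of what auditing and remediating two of the benchmark’s recommendations looks like with the Az PowerShell module: the storage-account “Secure transfer required” setting, and the rule that inbound RDP and SSH must not be open to the Internet. It assumes the Az.Storage and Az.Network modules are installed and that you have already run Connect-AzAccount against the subscription you want to audit; the cmdlet and property names are those of the Az module as the editor knows them, and the function names are our own.

```powershell
# Added example, not from the original post. Assumes Az.Storage and Az.Network
# are installed and Connect-AzAccount has been run for the target subscription.

# Helper: does an NSG port-range string ("*", "22", "3000-4000") cover a given port?
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

# Audit: storage accounts that still accept plaintext HTTP.
# Benchmark rationale: without "Secure transfer required", keys and data can
# be read in transit.
function Get-InsecureStorageAccount {
    Get-AzStorageAccount |
        Where-Object { -not $_.EnableHttpsTrafficOnly } |
        Select-Object StorageAccountName, ResourceGroupName
}

# Remediation: flip the setting on each finding (pipe Get-InsecureStorageAccount in).
function Repair-InsecureStorageAccount {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        Set-AzStorageAccount -ResourceGroupName $Account.ResourceGroupName `
            -Name $Account.StorageAccountName -EnableHttpsTrafficOnly $true
    }
}

# Audit: custom NSG rules that allow inbound RDP (3389) or SSH (22) from anywhere.
# A rule is reported if it is an inbound Allow whose source is "any"/Internet and
# whose destination port range covers 3389 or 22. Findings are reported, not
# auto-fixed, because the right fix depends on the environment.
function Get-InternetExposedAdminPort {
    $anySource = @('*', 'Internet', '0.0.0.0/0', '0.0.0.0')
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            # SourceAddressPrefix / DestinationPortRange are lists in the Az object model;
            # @() also copes with a single string.
            $sources = @($rule.SourceAddressPrefix)
            if (-not ($sources | Where-Object { $anySource -contains $_ })) { continue }
            foreach ($p in @($rule.DestinationPortRange)) {
                if ((Test-PortInRange -Range $p -Port 3389) -or (Test-PortInRange -Range $p -Port 22)) {
                    [pscustomobject]@{
                        NSG    = $nsg.Name
                        Rule   = $rule.Name
                        Ports  = $p
                        Source = ($sources -join ',')
                    }
                }
            }
        }
    }
}

# Usage: review findings first, then remediate the storage accounts.
Get-InsecureStorageAccount
Get-InternetExposedAdminPort
# Get-InsecureStorageAccount | Repair-InsecureStorageAccount
```

Run the two audit functions first and read the findings before piping anything into the remediation; that mirrors the benchmark’s own structure, where each recommendation’s audit step tells you what to look for and its remediation step tells you how to fix it. The exposed-port check only reports, because the right remediation (restricting the source to a management subnet, a bastion host, or just-in-time VM access) varies by environment, which is exactly what the benchmark’s “Impact” field is there to make you think about.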

Just like with the Office 365 Secure Score, some of the recommendations won’t fit your particular environment. That’s OK. The goal is to align your security practices with the 20 CIS Controls where practical, and to meet at least the first five wherever possible.