“Cybersecurity today seems like an arms race”, says Dirk Schrader, a Resident CISO (EMEA) and VP of Security Research at Netwrix. “Enterprises implement more and more security tools to try to defend their networks against increasingly frequent and sophisticated attacks. But simply increasing the number of tools in your arsenal is not an effective cybersecurity strategy.”

A 25-year veteran in IT security, Mr. Schrader emphasizes the importance of a framework that provides organizations with proven guidelines for secure management of their digital resources so they can implement tools and processes that actually protect their business, customers and partners.

The Center for Internet Security (CIS) provides a framework of proven guidelines for the secure management of digital resources allowing companies to implement tools and processes that actually protect their business, customers, and partners.

The Center for Internet Security (CIS) provides just such a framework — the CIS Critical Security Controls. Implementing these controls can help you protect your infrastructure, software applications, services and data, effectively and efficiently.

The CIS Controls framework is periodically updated to meet evolving threats. In particular, the world has changed dramatically since version 7 was released in 2019, thanks to the widespread adoption of remote and hybrid work during the pandemic. Accordingly, CIS released version 8 in 2021. It includes an important new control, Network Monitoring and Defense, and drops three others, including Boundary Defense. Let’s look into this change and what it means for your cybersecurity strategy.

CIS Control 13: Network Monitoring and Defense

There was a time in which a strong boundary defense was the main priority in a cybersecurity strategy. Today, however, traffic flows to and from a multitude of sites outside the traditional network perimeter. Therefore, it’s essential to know what devices are connected to your network at any given time and to continually monitor attempts to access sensitive data and other high-value resources. The goal is to quickly identify suspicious traffic patterns or events so you can detect threats before they result in a data breach or disrupt operations.

Control 13 in version 8 of the CIS Control shifts the strategic approach away from ‘fencing’ the organization towards a ‘meshed’ approach to monitoring and defense that adopts to modern processes used in supply chain connections, for example the data exchange established with them.

To help organizations achieve this goal, CIS Control 13 recommends the following 11 safeguards:

1. Centralize security event alerting

Manual threat monitoring is insufficient in the face of modern attack methodologies. For example, ransomware can encrypt data at machine speed, and spotting sophisticated cyberattacks involves correlating data across multiple systems. Fortunately, there are advanced tools that use automation and artificial intelligence to quickly analyze data across complex hybrid networks. CIS Control 13 recommends using a SIEM solution to aggregate, correlate and analyze event log data from multiple systems and alert the right personnel about threats in real time.

2. Deploy a host-based intrusion detection solution

Software application that is installed locally on the computer infrastructure that it will analyze. Its job is to detect, log and alert on suspicious behavior, malicious traffic and policy violations.

3. Deploy a network intrusion detection solution.

A network intrusion detection (NID) solution is a security appliance that analyzes inbound and outbound network traffic to identify anomalies, suspicious traffic patterns and potential packet threats. A NID can be a licensed component within a next-generation firewall (NGFW) appliance, or it can utilize sensors or application agents placed strategically across the network.

4. Perform traffic filtering between network segments

Traffic filtering restricts the flow of traffic between network segments according to source, destination or traffic type. For instance, all HR machines can be segmented from the rest of organization to ensure that only traffic originating from prescribed users can go to HR machines. You can use routers or firewalls to segment areas; a router will filter using access control lists (ACLs) while a firewall will use policies to filter.

5. Manage access control for remote assets

Remote access should be granted only to user accounts that absolutely need it, in accordance with the principle of least privilege. Remote access policies should also align with any required industry or government regulations.

6. Collect network traffic flow logs

Network traffic flow logs can be used to troubleshoot connectivity issues and determine whether traffic flows work as anticipated. They are also used to investigate suspicious traffic and resource access in the event of a cybersecurity incident.

7. Deploy a host-based intrusion prevention solution

An intrusion prevention solution (IPS) is like an intrusion detection system (IDS) in that they both look for suspicious traffic and malicious code. However, while an IDS strictly analyzes the traffic and issues an alert, a local IPS can proactively prevent the identified packets from accessing the local device by dropping them.

8. Deploy a network intrusion prevention solution

A network IPS resides on a network appliance and will drop traffic it deems a threat before it can enter or exit a particular network segment. 

9. Deploy port-level access control

Port-level access control utilizes 802.1x or similar protocols to ensure that only authorized devices can connect to the network. For instance, it can prevent a visitor from connecting a portable computer to a network using an ethernet cable, thus forcing them to use the provided wireless network.  Access can be granted by using certificates, MAC addresses or user authentication.

10. Perform application layer filtering

Application layer filtering ensures that users cannot communicate using applications that don’t comply with corporate policies. For instance, some organizations may prevent users from using certain social media, streaming media or proxy applications.

11. Tune security event alerting thresholds

If IT or security personnel are inundated with alerts, they will begin to ignore them. One way to prevent this is to assign thresholds to various event types so that an alert is triggered only when a threshold has been exceeded. Events can be automatically cleared using thresholds as well.

How Netwrix Can Help

Netwrix provides solutions that can help you implement many of the safeguards in CIS Control 13, quickly and effectively. Netwrix security solutions empower you to identify and correct gaps in your security posture, and well as spot threats in their early stages and respond promptly. In particular, our insider threat detection capabilities alerts you to anomalous behavior across your environment so you can defend your network against both malicious insiders and attackers who take over their accounts.


If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query. 

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.

Follow us to learn more


Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

2 + 12 =