ESP SANS 20 Controls
ESP support for SANS/CIS 20 controls
Basic Controls - CBC
CBC-01: Inventory and Control of Hardware Assets
ESP provides with detailed asset inventory by being able to recognize managed (running an ESP Agent) and non-managed hosts on the network.
Every host running an ESP agent can be tracked with configuration attributes and compliance details.
CBC-02: Inventory and Control of Software Assets
ESP produces a list of installed applications and running services of any managed host.
ESP has the ability to block services from running and also to quarantine hosts with unauthorized applications.
CBC-03: Continuous Vulnerability Management
ESP detects system vulnerabilities highlighted by security configuration policy violations.
ESP is able to check for specific updates and block access to unpatched systems.
CBC-04: Controlled Use of Administrative Privileges
ESP has the ability to check for user access rights and privileges.
ESP checks and ensures that logging systems are in place and working. Different user roles and privileges are also monitored.
CBC-05: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
ESP continuously monitors security configuration and reports on detailed compliance metrics about required security configuration standards.
ESP has the ability to maintain security configurations, alert when changes have been made and go a step further by isolating out of compliant hosts.
CBC-06: Maintenance, Monitoring and Analysis of Audit Logs
ESP ensures that logging systems are turned on and running on managed hosts.
Foundational Controls - CFC
CFC-07: Email and Web Browser Protections
ESP gathers specific application metadata relative to email and web browser protection parameters and deploys policies to block non-compliant clients from accessing specific resources.
CFC-08: Malware Defenses
ESP is not an anti-malware system. But ESP can ensure that the correct version of security application is running and it can also check for a predefined list of known malware that might run on any managed host.
ESP can check that any of the available OS security systems are activated and can prevent access if not.
Elemental recommends that you ensure automatic anti-malware scans of removable media, disable auto run content from removable media, enable Data Execution Prevention and Address Space Layout Randomization on Windows systems among others.
CFC-09: Limitation and Control of Network Ports, Protocols and Services
CFC-10: Data Recovery Capabilities
ESP is not a backup management system.
Elemental recommends regular complete system backups. Ensure that you are imaging key systems for a speedy network recovery from ransomware and using a diverse backup policy with at least one full backup per week. Test backups regularly to ensure the process runs smoothly in the event of a hack. Ensure that backups are properly protected physically and from encryption. Ensure you have backups stored remotely to prevent hackers from targeting backup files. Store backups offline and disconnected from the online network.
CFC-11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
ESP only manages endpoint systems, not network connectivity systems like firewalls, routers, switches, etc.
CFC-12: Boundary Defense
ESP can deny communication with certain IP address groups based on specific network parameters and other host attributes.
ESP capable adaptive micro-segmentation enables you to create logical trust or security zones completely independent of the underlying network infrastructure.
CFC-13: Data Protection
ESP can limit endpoint traffic inside and outside the network for all managed hosts.
ESP can block access to USB port function and can also do it based on a certain type of USB device.
CFC-14: Controlled Access Based on the Need to Know
ESP provides adaptive micro-segmentation enabling a highly granular and flexible way to segment a network.
ESP can check that specific encryption mechanisms are activated and running on hosts running ESP agents.
CFC-15: Wireless Access Control
ESP supports access control to and from wireless networks and systems through micro-segmentation.
CFC-16: Account Monitoring and Control
ESP provides security policies for account monitoring and control.
ESP can help discovering illegitimate accounts.
Organizational Controls - COC
COC-17: Implement a Security Awareness and Training Program
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
COC-18: Application Software Security
Establish secure coding practices appropriate to the programming language and development environment being used.
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.
COC-19: Incident Response and Management
Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling and management.
Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.
COC-20: Penetration Tests and Red Team Exercises
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.