Implement CIS Controls in Microsoft Cloud Products

Secure your cloud environment with all 20 CIS controls.

The Center for Internet Security (CIS) is a major player in information security controls. Cybersecurity Administrators at CyberMSI went over CIS controls version 7.1 to ensure that the organization had all aspects of their cloud environment secured. By the end of the project, we were able to implement all 20 controls and each of their sub-controls.

In this blog, we discuss how our organization went through the CIS controls and implemented security controls based on their recommendations. We will also discuss the specific tools cloud security administrators can use to secure their Microsoft cloud environment.

Basic

1. Inventory and Control of Hardware Assets: The physical assets that connect to the cloud are monitored and controlled using Endpoint Manager. Conditional access policies are used to enforce security controls on hardware before it will be allowed to access cloud resources.
2. Inventory and Control of Software Assets: Software assets within Azure are monitored and audited using resource groups. Software assets outside Azure are monitored and controlled using MCAS.
3. Continuous Vulnerability Management: Continuous vulnerability management is achieved using TVM to discover vulnerabilities and Endpoint Manager to automatically update connected endpoints.
4. Controlled Use of Administrative Privileges: Administrative account access is controlled by multi-factor authentication and privileged roles in Azure are controlled using PIM.
5. Secure Configurations for All Endpoint Types: Endpoint Manager implements secure configurations for endpoints connected to the cloud and cloud resources are deployed using ARM templates that have secure configurations.
6. Maintenance, Monitoring, and Analysis of Logs: MDE monitors logs for endpoints and Microsoft Defender for Cloud monitors logs for Azure resources. Both tools import log data into Microsoft Sentinel so that the logs can be analyzed further.

Foundational

7. Email and Web Browser Protections: Defender for Office 365 protects email and all other communications done through O365 apps. Browser protection is implemented using MDE to monitor activity on the endpoint.
8. Malware Defenses: Defender Anti-Malware and MDE are both used on endpoints to monitor for and respond to malware.
9. Control Network Ports, Protocols, and Services: Network Security Groups are used to control access and communications between resources in the cloud. Firewalls are also implemented at both the resource and Network Security Group level to control what type of traffic can come through.
10. Data Recovery Capabilities: Data stored in the cloud can be restored easily because of geo-redundant storage. Data stored on endpoints is either be backed up conventionally or by using shared storage like OneDrive and SharePoint.
11. Secure Configuration for Network Devices: Network activity between resources in the cloud is recorded by the Azure Activity Log and is monitored by sending the log data to Microsoft Sentinel.
12. Boundary Defense: Azure Firewall is filters traffic at the border of the organization’s cloud resources. Azure Firewall is also connected to Microsoft Sentinel for boundary traffic monitoring.
13. Data Protection: Cloud resources that process data have restrictions placed on them using DLP policies and data labeling.
14. Controlled Access Based on Need to Know: Access to resources is controlled using Azure Active Directory RBAC roles. The RBAC roles can be assigned at the resource group or individual resource level depending on what the user needs access to so that they can do their job.
15. Wireless Access Control: Secure configurations like AES are required for any wireless connection used to connect to the organization’s cloud resources.
16. Account Monitoring and Control: Account activity is monitored by connecting Azure Active Directory logs to Microsoft Sentinel. Account access is controlled using routine access reviews.

Organizational

17. Implement a Security Awareness and Training Program: Security awareness training is updated and implemented routinely within the organization.
18. Application Software Security: Software developers follow a secure development lifecycle. Applications in Azure are secured using Microsoft Defender for Cloud and applications outside of Azure are secured using MCAS.
19. Incident Response and Management: Incident response for endpoints is done with MDE Live Response and incident response for cloud resources is done manually by analysts or with Microsoft Sentinel Playbooks.
20. Penetration Tests and Red Team Exercises: Penetration testing is done on at least a weekly basis to test security controls in Microsoft Sentinel. Formal red team exercises are performed throughout the organization routinely to test the organization’s security controls holistically.

We will continue to share best practices and lessons learned in future posts on implementing security controls in our environment and customer environments. The CIS controls are an effective way of organizing security controls and we plan to continue using their controls to secure our cloud environment.

In closing, consider these three questions when using CIS controls in your organization:

1. How can we assess the CIS controls and implement them in our environment?
2. Are there any cloud security products that we need to make room for in the budget to implement these controls?
3. How best do we demonstrate the benefits of implementing the CIS cybersecurity controls to management?