With the evolving threat landscape, security and compliance are becoming more important for businesses of all sizes. While security has always been a priority for large enterprise customers, such as banks, ISPs, healthcare and critical infrastructure, today we see adoption at every business size: everything is connected, so everything has to be protected. While most technicians see security as tied to security products (NDR, XDR, EDR, SIEM, firewalls etc.), this is only a part of what most organizations require. Security must be closely aligned with the business needs and the risks the business is facing. An organization has to define a security strategy before implementing any security measures.
How do we solve this complex task?
Well, it's not as hard as it seems. There are many security standards out there; some are more technical than others, but all of them describe very well what needs to be done, from the internal procedures and policies to the individual technical solutions that need to be implemented. Some of the standards I've been focusing on over the years are CISv8, NIST, ISO27001 and, recently, NIS2. The rest of this post will focus on the technical aspect of these standards, describing a strategy to implement some of their controls on one of the best MSP network solutions on the market: Cisco Meraki.
Fig. 1 Cisco Meraki CIS Audit
Can a NaaS solution like Cisco Meraki be used?
While Cisco Meraki is mainly tied to networking rather than security, there are a lot of integrations with other, more security-focused products, like Umbrella, XDR, Duo, Cisco+ Secure Connect etc. This post will not focus on those integrations, but rather try to find out which components of Meraki equipment and the Dashboard cover security controls from different standards. The beauty of the standards is that many mappings between them are available, so covering one control in one standard automatically covers the corresponding controls in the others.
Where do we start from?
As part of my CMSS journey, I've reviewed many documents in the Meraki self-learning guide, but there is very little focus on compliance. Even though most technical solutions can be mapped to compliance controls, the only document that is purely compliance oriented is the one related to the PCI DSS (Payment Card Industry Data Security Standard). You can find a link to the document in the references. There is also a tool built into the Dashboard to generate a PCI DSS 3.0 Compliance Report, which you can find under Wireless -> PCI Report.
Fig. 2 PCI DSS 3.0 Wireless Compliance Report
As mentioned before, the very first step is to pick a security standard. While PCI DSS is a great standard, its focus on the payment card industry makes it less appropriate for other industries. If we were to select PCI DSS, we would want to go with PCI DSS 4.0 (2022) instead of the 3.0 that is built into the platform: PCI DSS 3.0 is from 2013, and many things have changed since then. The American NIST is another great standard, with numerous publications focused on different areas, which makes it too complex for our purpose. ISO27001 is great for compliance and risk, but not as detailed on the technical aspect, making it a bit more difficult to translate to a specific line of products, like the ones from Meraki.
And the winner is...
What's left is CIS Controls. CIS is very detailed on the technical aspect, making it a great fit for our scope. There are several benchmarks available for other Cisco products, but unfortunately nothing specific to Cisco Meraki yet. The full list of CIS Cisco benchmarks includes the following:
Fig. 3 CIS Benchmarks for Cisco
Ideally, we would want to build another CIS Benchmark focused on Meraki. While this will probably happen at some point in the future, we need to have a solution handy today. So, how do we solve our compliance issue? CIS is grouped into 18 controls, each with several safeguards. Let's look at the first ones and try to address them with Cisco Meraki products and solutions.
CIS Control 1 - Inventory and Control of Enterprise Assets
We need to establish a detailed, up-to-date inventory of all our assets. This is one of the very first steps in every compliance standard. Without a clear list of our assets, it's impossible to protect our company. Any asset can pose a risk in today's threat landscape, so we have to make sure that only the ones we know about are connecting to our environment.
How would Meraki solve this issue?
While the Meraki Dashboard is not a dedicated asset management tool, it does collect information from all the network assets present in our network. The inventory, located under the Organization tab, contains the most relevant information, like asset name, serial number, claim date, order number etc. This can be supplemented with tags on the individual assets, for all the other required fields.
Furthermore, the discovery that happens via LLDP, ARP, DHCP etc. provides visibility into other assets not included in the inventory. The client list includes more fields than the inventory, and can also be supplemented with tags.
Mapping to other standards: ISO 27001:2022 5.9, 8.8. NIST SP 800-171 3.1.1.8, 3.1.20, 3.12.4 etc.
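The tag-based supplementing of the inventory described above only helps if every asset actually carries the fields the standard asks for. The script below is an added example, not part of the original post or of Meraki's own tooling: it audits a list of inventory records for missing required tags, unnamed devices, and devices that were claimed but never assigned to a network. The record shape mimics what the Dashboard API inventory endpoint returns (an assumption); the sample records and the required tag keys are constructed for the example.

```python
"""CIS Control 1 gap check over a Meraki-style inventory export (added example)."""
from collections import Counter

# Tag keys that safeguard 1.1 asks for beyond what the Dashboard stores natively.
# These key names are an assumption; use whatever your tagging convention defines.
REQUIRED_TAGS = ("owner", "dept", "location")

# Constructed sample records shaped like Dashboard API v1 inventory devices
# (serial, model, name, tags, networkId, claimedAt). Not real data.
SAMPLE_INVENTORY = [
    {"serial": "Q2XX-AAAA-0001", "model": "MX68", "name": "hq-fw",
     "networkId": "N_1", "claimedAt": "2023-01-10T09:00:00Z",
     "tags": ["owner:netops", "dept:it", "location:hq"]},
    {"serial": "Q2XX-AAAA-0002", "model": "MS120-8", "name": "hq-sw1",
     "networkId": "N_1", "claimedAt": "2023-01-10T09:05:00Z",
     "tags": ["owner:netops"]},
    {"serial": "Q2XX-AAAA-0003", "model": "MR36", "name": None,
     "networkId": None, "claimedAt": "2024-05-02T12:00:00Z", "tags": []},
]


def tag_dict(tags):
    """Split 'key:value' tags into a dict; tags without a colon are ignored."""
    return dict(t.split(":", 1) for t in tags if ":" in t)


def audit_inventory(devices, required=REQUIRED_TAGS):
    """Return (serial, issue) pairs for every inventory gap found."""
    findings = []
    for dev in devices:
        present = tag_dict(dev.get("tags") or [])
        missing = [key for key in required if key not in present]
        if missing:
            findings.append((dev["serial"], "missing tags: " + ", ".join(missing)))
        if not dev.get("networkId"):
            # Claimed into the org but sitting unassigned: nobody is managing it.
            findings.append((dev["serial"], "claimed but not assigned to a network"))
        if not dev.get("name"):
            findings.append((dev["serial"], "no device name"))
    return findings


def findings_per_device(findings):
    """Count how many issues each serial has, for a quick prioritised summary."""
    return Counter(serial for serial, _ in findings)


if __name__ == "__main__":
    for serial, issue in audit_inventory(SAMPLE_INVENTORY):
        print(f"{serial}: {issue}")
```

On a real organization, replace SAMPLE_INVENTORY with the parsed JSON of the inventory export and schedule the script so the report stays current.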
CIS Control 2 - Inventory and Control of Software Assets
Once we have a full list of all our assets, we need to examine the software installed on them. If we limit our scope to the network built on Cisco Meraki, we would want to document the software version running on every device. Easy, right? The firmware upgrade tool in the Dashboard shows the current version on each network and also lets us schedule and perform upgrades. Safeguard 2.2 under this control requires that authorized software is still supported, and that is exactly what the tool does.
Fig. 4 Firmware Upgrade Tool
Mapping to other standards: ISO 27001:2022 5.9, NIST SP 800-53 CM-8, PCI v4.0 1.2.5, 6.3.2 etc.
CIS Control 3 - Data Protection
This control is specifically related to data protection and management. While Meraki doesn't directly address the specific safeguards of this control, it does help with some of them. As an example, let's look at the encryption of sensitive data in transit. We need to protect data from out-of-band attacks, things like packet capture, and the best way to protect it is by using encryption. Now, when we think about encryption, one of the first things that comes to mind is Auto-VPN. Whether we are transmitting data between our locations or towards the public cloud, we have the option to build encrypted tunnels to avoid man-in-the-middle attacks.
Fig. 5 VPN Status Page
More goodies?
The purpose of this post is to give an idea of how to handle compliance with Meraki equipment. There are 18 controls and 153 safeguards in CISv8.1, and we could go through all of them, but to keep the post to a reasonable length, let's just point out two more.
CIS Control 6 - Safeguard 6.5 Require MFA for Administrative Access
According to Microsoft statistics, about 99.9% of compromised accounts don't have MFA. Considering how critical this control is, in relation to the risk posed to the organization, it would be unwise to use a product that doesn't natively support MFA. The Meraki Dashboard can enable 2FA with the Duo Mobile app. It's also possible to use external authentication via SAML, in case the organization uses a third-party identity provider with MFA.
CIS Control 12 / CIS Control 13
CIS Controls 12 and 13 focus exclusively on network infrastructure management, monitoring and defense. There are plenty of Meraki features to comply with these controls: IPS, centralized authentication, authorization and auditing, segmentation with VLANs, ACLs and SGTs, port-level access control like 802.1X etc. While we will not go through them here, you can read about the individual elements in the Meraki documentation.
Conclusion
With the increasing threat landscape, it's important to implement security measures across organizations of all sizes. The right way to implement security is by starting with compliance, and the first step is to pick a security standard. While performing the internal audit, we will be able to check our current policies and procedures, as well as all the technical aspects. If the organization has already invested in a NaaS solution like Cisco Meraki, many of the controls will already be covered. However, it's important to make sure that what's available in the platform has actually been implemented, as a vast number of controls are not specifically related to security products.