


Contributing Writer

Some Thoughts on The SANS 20 Critical Security Controls

Dec 12, 2011

My input on a few of these focused and highly intelligent security recommendations

As I transitioned from the weekend to the work week last night, I settled down to review the 20 Critical Security Controls (v3) published by the SANS Institute. If you haven’t seen this list, you really should take a look, as it is an extremely focused, well-written, metrics-based strategy for protecting your organization against the most likely security risks. The first two controls are:

1. Inventory of authorized and unauthorized devices.
2. Inventory of authorized and unauthorized software.

These two controls state that you should know everything about all the devices connected to your network (what they are, where they are, etc.) and the entire catalogue of software resident on those devices (operating systems, revision levels, patches, applications, etc.). Since these things are in a constant state of change, you need some type of automated tooling to detect and react to new or changed assets as soon as possible. File this requirement under the old axiom, “you can’t manage what you can’t measure.”

That said, think about how difficult it is to enforce these two controls. Employees are bringing mobile devices to work and demanding network access. Virtual desktops and servers are easy to provision, deploy, and change, and physical device changes are now automated to keep up with all this other activity. What about software? Employees are constantly accessing social networks or downloading the latest viral application. While these issues are extremely challenging, the SANS 20 Critical Security Controls document contains great advice on implementing and automating each control. Here are a few of my thoughts based upon the SANS recommendations and my personal experience:

• Security processes and tools need to be integrated with other activities around asset, change, and configuration management. For example, lots of organizations use CMDBs to capture this information, but many security tools don’t integrate with CMDBs, and lots of security professionals have no exposure to CMDBs or IT frameworks like ITIL and COBIT. These systemic and technology issues need to be addressed up front to avoid visibility gaps or redundant processes.

• To ensure that only approved devices gain access to the network, SANS recommends the use of 802.1X. This brought me back to 2007, when I worked with several organizations (Identity Engines, Aruba Networks, Symantec, etc.) to establish an open source 802.1X supplicant, but few networking or endpoint vendors highlight 802.1X in their products. This has to change: 802.1X (or some other type of device authentication) should be part of the default configuration of physical and virtual devices.

• If 802.1X does happen, large organizations will need a new type of network identity server beyond basic RADIUS. My friends at Identity Engines nailed this concept until some ill-informed VC fat cat pulled the plug on the company (note: the technology was acquired by Nortel and now thrives at Avaya). Cisco’s Identity Services Engine is perfect for this growing requirement.

• Browser virtualization/sandboxing is also a growing requirement. I know there are lots of technologies, but Check Point offers a great solution here.

• I know whitelisting/blacklisting is a pain, but it has to be part of a full-featured solution. Greylisting is also important for those fringe use cases: when an unknown application shows up, it has to automatically trigger some kind of approval cycle, sandboxing, or other policies and controls.

• Why isn’t the private sector embracing the U.S. Federal government’s Security Content Automation Protocol (SCAP) or something similar? Device security vendors like McAfee, Symantec, and Trend Micro should come together, line up behind SCAP, and push it to their customers.

• Look for virtualization to be used more extensively for security purposes, such as virtualized desktops with specific applications/workloads that run in a container.
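To make the first two controls and the whitelist/greylist point concrete, here is an added illustration (my own example, not SANS material or any vendor's code) of the reconciliation step an automated inventory tool has to perform: one sweep of observed devices and installed software is compared against an authorized baseline of the kind a CMDB would hold, and every deviation is classified as authorized, blocked, or grey. All of the MAC addresses, hostnames, and software versions are constructed for the example; the baseline and the scan are plain Python dicts standing in for a real CMDB feed and a real NAC or agent report.

```python
"""Reconcile one observed asset/software sweep against an authorized baseline.

Constructed example: the CMDB-style baseline and the scanner output below are
made up, not taken from any real environment or product.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    AUTHORIZED = "authorized"   # matches the allow list; no action needed
    BLOCKED = "blocked"         # on the deny list; remove or quarantine
    GREY = "grey"               # unknown; route to an approval cycle or sandbox


@dataclass(frozen=True)
class Finding:
    device: str       # MAC address as reported by the sweep
    subject: str      # "device" or "software:<name> <version>"
    verdict: Verdict
    action: str


# Constructed baseline standing in for a CMDB: authorized devices keyed by MAC,
# plus allow and deny lists for software as (name, version); "*" matches any version.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": {"host": "fin-ws-01", "site": "HQ-3F"},
    "aa:bb:cc:00:00:02": {"host": "eng-srv-07", "site": "DC-East"},
}
ALLOWED_SOFTWARE = {("openssh", "5.9p1"), ("firefox", "8.0"), ("7zip", "9.20")}
DENIED_SOFTWARE = {("limewire", "*")}

# Constructed output of one sweep (what a NAC or endpoint agent would report).
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "host": "fin-ws-01",
     "software": [("openssh", "5.9p1"), ("firefox", "8.0")]},
    {"mac": "aa:bb:cc:00:00:02", "host": "eng-srv-07",
     "software": [("openssh", "5.8p1"), ("7zip", "9.20")]},    # openssh version drifted
    {"mac": "de:ad:be:ef:00:99", "host": "jons-iphone",
     "software": [("limewire", "4.18")]},                      # unknown device, denied app
]

ACTIONS = {
    Verdict.AUTHORIZED: "none",
    Verdict.BLOCKED: "remove software / quarantine host",
    Verdict.GREY: "open approval ticket; sandbox until approved",
}


def classify_software(name, version, allowed=ALLOWED_SOFTWARE, denied=DENIED_SOFTWARE):
    """Deny list wins over allow list; anything on neither list is grey.

    Matching is on the exact (name, version) pair, so a version that drifts away
    from the approved one is treated as unknown rather than silently accepted.
    """
    if (name, "*") in denied or (name, version) in denied:
        return Verdict.BLOCKED
    if (name, version) in allowed:
        return Verdict.AUTHORIZED
    return Verdict.GREY


def reconcile(observed=OBSERVED, cmdb=AUTHORIZED_DEVICES):
    """Compare one sweep against the baseline and return every finding needing a response."""
    findings = []
    seen = set()
    for dev in observed:
        mac = dev["mac"]
        seen.add(mac)
        record = cmdb.get(mac)
        if record is None:
            findings.append(Finding(mac, "device", Verdict.GREY,
                                    "unknown device: hold in guest VLAN pending enrollment"))
        elif record["host"] != dev["host"]:
            findings.append(Finding(mac, "device", Verdict.GREY,
                                    f"hostname changed from {record['host']} to {dev['host']}; "
                                    "update CMDB or investigate"))
        for name, version in dev["software"]:
            verdict = classify_software(name, version)
            if verdict is not Verdict.AUTHORIZED:
                findings.append(Finding(mac, f"software:{name} {version}", verdict, ACTIONS[verdict]))
    # A device the CMDB expects but the sweep did not see is also a change worth a ticket.
    for mac in cmdb.keys() - seen:
        findings.append(Finding(mac, "device", Verdict.GREY,
                                "authorized device missing from sweep; confirm decommission or outage"))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.device}  {f.subject:28} {f.verdict.value:10} {f.action}")
```

Run against the constructed sweep, this produces three findings: the drifted OpenSSH build on eng-srv-07 lands in the grey bucket for an approval cycle rather than being waved through, the unrecognized MAC is held pending enrollment, and the denied application on it is flagged for removal. The point of keeping a third, grey verdict is exactly the one made above: an unknown item should trigger a process automatically instead of forcing a binary allow/deny decision at scan time.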


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
