How to use critical security controls to prioritize action

Security is important. Companies and organizations of all sizes know that. It consumes boardroom discussions and captures headlines. There is no dispute.

The challenge (and friction) centers on what to do about it. Where do we start? And why?

Have you considered or adopted the CIS Critical Security Controls?

The controls aren’t new. Often cited, I wanted to explore their value in helping us bring people together and guide action. To learn more, I spoke with Tony Sager, Senior Vice President & Chief Evangelist Center for Internet Security (Company LinkedIn, @cisecurity).

Tony leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Tony’s experience includes 34 years in Information Assurance at the (U.S.) National Security Agency. In 2001, Tony championed the release of NSA’s security guidance to the public. He also expanded NSA’s role in the development of open standards for security.

I met Tony a few years ago on a broad-ranging security panel. Immediately impressed with his knowledge and approach then, our recent conversation was a delight. If you get the chance to learn from or speak with him, take it. You’ll be better as a result. In the meantime, check out the insights he shared in our five questions together.

You point out that companies care, but they have a few struggles we need to collectively address. What’s going on?

As a career-long defender, today’s situation seems very odd to me. We have more security tools and technology, training and certifications, vulnerability and threat intelligence feeds, security frameworks, etc. than ever in our history. Yet we seem to be getting worse, or at least improving more slowly than the Bad Guys are improving.  And the problem is getting more complex. New technology means that our data and applications are not under our direct control, and complicated (and changeable) business relationships mean that our risk is shared across many parties.    

I think most of us are overwhelmed by what I’ve called the security “Fog of More”: more guidance, warnings, advice, products, marketing, training, certifications, and so forth than we can usefully absorb – often conflicting and all delivered in specialized techno-speak.  And coming up fast are regulators, lawmakers, insurers, auditors, lawyers – all the social forces trying to bring order to chaos.  

In such a world, every enterprise has more in common than is different, and we should use that approach to identify and drive collective action. We all face a common “soup” of vulnerabilities, threats, and attacks, whether we know it or not, either directly, or thru one of our supply chain partners. Therefore we’re better off sharing insight, labor and action on solutions to these problems. That’s the philosophy behind the CIS Critical Security Controls, and all of the programs at the Center for Internet Security.

Where did the Top 20 Controls get started?

I spent the first 35 years of my career at NSA in the business of security testing for defense, from cryptography, through design, product, and operational testing (e.g., Red and Blue Teams). This gave me the chance to see a LOT of failures – to observe how things break, or can be made to break. In the very late 1990’s, our teams started to translate this knowledge into documented security guidance for our DoD and Intelligence Community customer base, in the form of the NSA Security Guides.

But it was becoming very clear that the DoD was moving to a more powerful but complex model of “coalition” warfighting as well as dependency on many commercial suppliers, shippers, and other partners. In other words, there was no simple “network perimeter” to be defended, only a complex set of fast-changing mission and business partnerships. In other words, DoD security could not improve without improvement by many others. So in 2001, we got permission to release the NSA Security Guides to the public through www.nsa.gov. My basic pitch to management? We will create more positive change by “giving stuff away” than by trying to be in charge.

What became the Top 20 Critical Security Controls flowed from that same approach – how can we prioritize and help enterprises focus on the most important and effective steps to stop attacks? In about 2008, a handful of us created a simple 2 page list for some key friends in the DoD  – “if you don’t know what to do, here’s where to start”. Security professionals love to brainstorm all the bad things that MIGHT happen, we chose to focus on what we KNEW was happening and how to prevent it. The list was picked up by the SANS Institute and turned a world-wide community volunteer project.  After I retired from NSA in 2012, I wound up taking over the project, and with the support of SANS and several other companies moved it into an independent, non-profit home, now the Center for Internet Security.

Most recognize the controls as solid guidance, but then struggle with getting started. Where do we start?

“Where do we start?” is one of the most frequent questions I heard when I began speaking in public in 2001. For me, the answer was always about “visibility”- what devices are in your enterprise, what software is running, how is it being operated (patched and configured)?  If you don’t know what you have, it is hard to defend it. These kinds of things provide the basic operational foundation for understanding your environment and where it is vulnerable, spotting the Bad Guys, deploying defenses, and even recovering from the inevitable problems. There’s a lot more to do for effective defense, but these are the best starting points. More recently, we have emphasized management of the people who can change or bypass your security controls (“administrative privilege”).  We have codified these ideas in the Top 5 of the CIS Controls.  Also note that these ideas are not unique to security, but are just good operational IT management practices.

In a recent survey of adopters of the CIS Controls, we found that enterprises overwhelmingly endorsed the first few Controls as the most valuable for defense. But they also highlighted them as very challenging to implement, and so we’re working to provide more specific help on implementing and prioritizing action. We’re also reaching out to solution vendors so that their products and services are “tuned” to the CIS Controls and the most important problems to be solved.

The controls aren’t new. People like them, but then struggle to get them implemented. Do we have evidence they work?

There aren’t any straightforward algorithmic answers in cyber defense, but there’s lots of evidence. For example, any large scale data-driven study of Internet attacks reaches a similar conclusion:  the vast majority of attacks (in the 80-90% range) are enabled by the failure or lack of basic defenses. This is why we work with numerous companies in the threat intelligence marketplace to map summaries of what they are tracking (like the Symantec Internet Security Threat Report, the Verizon Data Breach Investigations Report) directly into the CIS Controls.  Similarly, the US-CERT attributes 85% of the security incidents they manage to the absence or failure of the same 5 defensive actions. You’ll find similar data and thinking behind projects like the DHS Continuous Diagnostics and Mitigation (CDM) Program, the Australian government’s “Top 35” list, and the NSA “Top 10 Information Assurance Mitigations”.   

What can a security leader do to get started down the path of encouraging their organization to move in this direction?

“It’s not about the list.”  

I often say this about the CIS Controls. You can find great lists of things to do on every virtual cybersecurity street corner, from abstract to specific, from simple to overwhelmingly large and complex, and from every possible source. Most of them are just repeating the same ideas over and over.  In fact, we provide cross-mappings from the CIS Controls to every framework we can find, like ISO, COBIT, PCI, NIST, etc. We’re not trying to create another competing regulatory or compliance framework. We’re trying to help you succeed in a very complex problem.

In my experience, it’s hard to have an original thought or a unique problem in security. So a foundational part of the CIS model is to create and sustain communities that allow security leaders to help each other identify problems, barriers, and solutions together. There’s a rapidly growing ecosystem of references, resources, tools, and consultants building up around the CIS Controls. For example, you’ll find them referenced in the NIST Cybersecurity Framework, and recommended by the California Attorney General’s 2015 Data Breach Report, the National Governor’s Association, and numerous other places. Over the next few months, we’ll also be providing you with more help to prioritize and measure your implementation of the CIS Controls, new complementary content to help you implement them, a collaborative workspace for sharing ideas, and better pointers to resources and working aids (like mappings, tools, use cases, etc.).

So the CIS Controls are more of a “movement” than a list – one that you can join, contribute to and learn from. And to be successful, a security leader must also be a corporate leader – executive leadership, HR, legal, IT Operations, etc. all have vital roles and the CIS Controls provide you with an opportunity to bring all of their actions into alignment.