In this episode, Curtis Dukes, executive vice president and general manager of the Center for Internet Security (CIS), explains the need for their Community Defense Model. He also details their process for designing their models as a non-profit organization.
Every cybersecurity practitioner knows that there are some guidelines that are “required reading” in the profession. Advice that is freely offered by organizations such as the National Institute of Standards and Technology (NIST), the Open Web Application Security Project (OWASP), and the Center for Internet Security (CIS) is part of every information security library. When we think of CIS, our minds are often drawn to the most popular publications, The Critical Security Controls and the CIS Benchmarks. However, CIS has also recently released version 2.0 of the Community Defense Model (CDM).
I recently had the opportunity to speak with Curtis Dukes about the CDM. Curt is the Executive Vice President and General Manager of the Center of Internet Security. He offered some interesting insights into the origins of the Critical Controls, the application of the Controls and Benchmarks, and how the CDM expands on all the good work of the CIS.
Tim Erlin: Curtis, thank you for taking the time to be here today.
Curtis Dukes: Thank you for inviting me.
TE: I wasn't familiar with the Community Defense Model prior to our initial conversations, but I think it's pretty interesting. Could you explain a little bit about the CDM?
CD: Yeah, I'd love to. The Community Defense Model has been in existence for a little over a year. The general theory behind the CDM is that we'd like to be able to use one or more publicly available authoritative summaries of attacks that would help us to identify the most important types of attacks that organizations have to deal with on a regular basis. The second part of this really is around describing the atomic elements of those attacks using a framework. In this case, we actually use the MITRE ATT&CK framework, and then we create an attack pattern that consists of using that terminology, tactics, and techniques.
We analyze the elements of those patterns against individual CIS controls and the underlying safeguards in order to establish a specific security value of each of those safeguards within that attack pattern. You can also more clearly state the impact of not applying any individual safeguard. In essence, does it have any value against the step in an important attack? The model is driven by real-life data and is much more clearly defined by the use of data as well as bounds the judgement and opinions of individuals. It also helps us move from a model where every company needs to read these reports separately to a central shared labor of translation, from attacks to action. The Center for Internet Security does that on behalf of the community.
TE: One of the things I always liked about the Critical Security Controls and borderline safeguards is that I always felt like they were based in real-world data from their initial introduction. That is a major advantage. How does the Community Defense Model differ from how the security controls are generated, defined, and prioritized?
CD: Historically, the Critical Security Controls were formed through community involvement. We would get together within a community, and each person brought their stories of cyber threats based on the data they had available to them. That helped us form the Critical Security Controls. As we noticed many organizations creating annual threat summaries, what we wanted to do was to take that data and synthesize it into what we would call the top five attack types. From there, we would be able to measure the effectiveness of the Controls.
TE: It must be pretty satisfying to see that the data really proves out and the conclusions about which controls were most important connect to the work that CIS has doing all along.
CD: Yeah, that's exactly right. We are actually backing up our choices for actions that we want organizations to take to protect themselves from cyberattacks with actual data. It was the community that was bringing that forth, but now we can cite data sources, and that's what we've done within the Community Defense Model. We make that very open and transparent. Everyone can see what data sources we're using and what recommendations we're making based off of the attack techniques that we've identified through the MITRE framework.
TE: Yeah. So that's interesting. It makes me think about how you you expect organizations to use the CDM. I understand how they look at the Controls themselves, but you've created this artifact that provides evidence.
CD: Yeah. The way I would describe it is that the Community Defense Model exists to provide the data behind the prioritization of the Controls, and in particular, in the set of safeguards that that can be described as essential cyber hygiene. What we've done is taken those data sources, and from those, we measure back what the effective preventative measures are for good cybersecurity. Just to be clear, these are preventative measures, and what we've done is not perfect, but it really supports the choices and actions an organization needs to take to protect itself.
TE: That's actually an important point to make, that what we're talking about with CIS, with the Controls, and with CDM is a way to prioritize the implementation of preventive controls. There is a lot of conversation in the industry today about detective controls. Folks who have been in the industry for a long time and seen this pendulum swing back and forth a couple of times from detection to prevention may think that prevention is a hopeless cause and that organizations' effort should all be about detection and response. It seems like the CDM and its associated evidence provides really strong data to reject the premise that prevention is a hopeless call.
CD: I absolutely agree. Every time I've seen a large cyber-breach, I always try to go back to what the root cause was, and it always comes back to how just a little bit of prevention would have protected that organization from that attack. It goes back to what we call "essential cyber hygiene," which is a set of Controls and underlying Safeguards that we can now prove are effective in either mitigating or breaking up an attack pattern. It's an important step for us and within the community. It demonstrates the importance of how a few set of actions will save a company a lot of pain if they experience a cyber breach
TE: The CDM maps the most effective underlying Safeguards of the CIS Controls to the MITRE framework, essentially addressing those attack techniques. What were some of the conclusions that are most interesting or most valuable for organizations out of that work?
CD: The overarching conclusion from our analysis was that we verified that the CIS Controls are highly effective at defending against approximately 80% of the attack techniques found within the MITRE ATT&CK framework. More importantly, the Controls are really effective against the top five attack types measured against the 35 different industry threat data sources that we use for this analysis.
Specifically, what we call "Implementation Group 1," which is a set of 56 Safeguards, is a really a robust foundation for a cybersecurity program. We urge every organization to start with Implementation Group 1 and then implement the cybersecurity program around that set of Safeguards. The other key point was that our analysis obviously proved the importance of establishing and maintaining a secure configuration process as a safeguard for all five attack types. Configuration management truly does matter when it comes to protecting against various attack types.
TE: Yeah, that first Safeguard in CIS Control 4, which is "Secure Configuration of Enterprise Assets and Software." The analysis is that establishing and maintaining a secure configuration process moves that Safeguard up to the top as having the biggest impact of a single Safeguard on the number of tactics that it would protect against. I find that really interesting because we work in an industry where we talk about tools that are being developed in the market on a daily basis, but the reality is that just making sure that the environment is configured securely and that it stays that way is probably the most effective action a company can take in order to prevent successful attacks.
CD: That's exactly right. The Community Defense Model found that having a secure configuration is “job number one” – the most effective, primitive measure that can be used to mitigate against at least the five top attack tactics that we identified. A question folks will ask is, “Why is that?” Well, this is because many attacks occur due to misconfigurations. For example, many insider, and privileged misuse attacks occur because users have unnecessary access to data or applications. Additionally, many attacks occurred due to unnecessary open ports and protocols.
A secure configuration satisfies many security controls, not only within the CIS Critical Security Controls but also with the other frameworks such as the NIST Cybersecurity Framework and ISO 27001. That's really why we've been working on tighter mappings between our CIS Benchmarks and our CIS Critical Security Controls, just to show how implementing a Benchmark can satisfy not just a Control in our own framework but eventually controls and other frameworks.
TE: Yeah, I think this is a point that maybe people don't always intuitively understand, that the CIS Controls are relatively high-level technology-agnostic explanations that are important to put in place and prioritize. The CIS Benchmarks, on the other hand, are specific sets of configurations for specific platforms and technology. How do you think about the relationship between those two things?
CD: My easy way of thinking about it is, I say “Start secure.” How do you start secure? That is done with individual products or platforms. For example, if your environment is tied to Microsoft and Windows, then you want to secure those. In order to configure them, you need some type of secure configuration recommendations, and that is exactly what the CIS Benchmarks are. So, those are individual products within an environment.
Then, in order to stay secure, think about the larger environment. It's bigger than just individual products. That's where the set of Critical Security Controls and the underlying Safeguards come into action. That is where you would measure your cybersecurity program within your environment using the CIS Controls.
More succinctly stated: Product equals Benchmark, and environment equals Critical Security Controls.
TE: When we talk about the Critical Security Controls, the changes over time in the Controls have been relatively minimal. There are of a core set of Controls that have persisted. Why do you think this is a conversation we're still struggling to have? Given the evidence of implementation and the proven effectiveness of the Controls’ preventive success, why are organizations still failing to recognize this? What is the challenge that you see in the market?
CD: I think there are two reasons behind it. Number one is that there are varying or different frameworks, each one with a different set of controls and safeguards. Yes, there is a fair amount of overlap, but each one is slightly different, and the prioritization is different for each. What we at CIS tried to do was to not try to offer yet another framework. What we are offering is a prioritized set of actions that we want an organization to take. So, for example, if you happen to be implementing the NIST Cybersecurity Framework, you can implement it by using the CIS Critical Security Controls.
Over the history of the Critical Security Controls, we have re=prioritized to reflect changes in the attack frequencies. We moved Data Protection up to CIS Control 3 because it just made sense to us. Inventory of assets, inventory of software, and data protection. Fundamentally, that is the foundation for everything that we do in security. If you don't know your environment, how can you protect that environment?
A number of organization will tell us that creating and maintaining an inventory for hardware, software, and data is difficult for them. That's where organizations struggle. What I would tell you is that there have to be processes in place for any enterprise regarding how assets are acquired and how data is maintained.
In the latest version of the Controls, our 171 safeguards have been broken up into three Implementation Groups. We strongly believe that Implementation Group 1 should be the basis for essential cyber hygiene. Every organization should be implementing those actions first and then measuring themselves against those actions. One reason that it is difficult for organizations to implement these is because they just need to understand where to start. They need to just choose a framework, and then from that, be very diligent about some of the processes for knowing their environment, which involves knowing where the hardware, software, and data exists.
TE: With the Community Defense Model as well as the data and evidence included therein, they've got real information that justifies the prioritization of those Controls and Implementation Groups. These are controls for essential cyber hygiene that is based on actual data. CIS has the expertise of people in the industry. I think that makes a difference, because in the cybersecurity industry, there are lots of vendors who are pushing their solutions, and they present data and evidence that their solution is the best thing to implement. Having an independent group like CIS produce that kind of result is valuable for organizations to have something to look at it that isn't driven by vendor motivation to ultimately sell a product.
CD: That's exactly right, and that was one of the chief motivations why I came to the Center for Internet Security. I had spent my first career at the National Security Agency, but what really motivated me was being able to actually make a difference from the perch of a small nonprofit. The CIS is a global community of cybersecurity practitioners that come together with the belief that these are the set of actions that every organization should take. We promote a transparent process for how we come to our conclusions. It provides an opportunity for the public and private sector to rally around and give themselves the ability to actually protect themselves against today's real-world cyberattacks.
TE: The CDM is a detailed document that gives a clear picture of the great work of the CIS and that provides a government-independent and vendor-independent perspective, a viewpoint which occupies a unique space in this industry. Thank you for the time today. It was a really interesting conversation. I really appreciate what CIS is doing in this latest development. CIS adds even more value for the folks who are out there practicing cybersecurity these days.
CD: Thank you for speaking with me. After spending a lot of my career at the National Security Agency, where we didn't talk publicly about anything we did, I enjoyed talking about the Community Defense Model. It is an important contribution to the global cybersecurity community. I would also be remiss if I didn't point out that Tripwire, which sponsors these interviews, is also a mighty contributor to our community, and we support and appreciate what they do for a small nonprofit such as CIS.