In a time of limited resources, security programs are experiencing pressure to do more with less. The 20 Critical Security Controls (20 CSC) provide a baseline for implementing the necessary technical controls that are required to ensure a robust network security posture.
The controls were previously governed by SANS, but the ongoing development and advocacy for the standard are now the responsibility of the Council on CyberSecurity (@CouncilonCyber), an independent not-for-profit organization with a global scope which was formed to catalyze change and to accelerate the availability and adoption of effective security measures, best practices and policies.
We recently spoke with Tony Sager, Chief Technologist for the Council on CyberSecurity, who is responsible for leading the community in identifying promising best practices and leading projects that help validate, measure, scale and promote such practices for wider adoption. Sager was instrumental in developing the 20 CSC as part of a large-scale, grass-roots project that included participants and adopters from all sectors of the cyber ecosystem.
“The Council is essentially a means to mobilize and organize the talent and goodwill found in abundance in this industry,” Sager said. “Our operational model is to identify the kinds of problems that every enterprise faces in cyberdefense, and then gather and organize volunteers to identify issues in the workforce, technology, and policy that are working, then validate, share and support them for the community good.”
In an upcoming webinar (June 11, 2014 at 11:00 AM Pacific – 2:00 PM Eastern), Sager will discuss how organizations can implement a third-party-validated, authoritative framework called the 20 CSC to prioritize their efforts and make security practical, effective and aligned to the business.
“This notion really started with the 20 CSC, focused on a specific problem: Based on the information we have today about attacks and threats, what are the most important steps that enterprises should take now to secure systems and data?” Sager explained.
“This idea was not intended to replace comprehensive formal risk management frameworks like those found FISMA and others, but to complement them with a way to focus and prioritize actions, to take on the problem of translating vast amounts of information about threats and attacks into real action – a translation that most enterprises struggle to do on their own.”
The Council hosts an “Editorial Panel” of volunteer experts selected from across the industry to take public comment, revise the 20 CSC as appropriate, and advise the Council on how to evolve them. One example is the Verizon Data Breach Investigations Reports (DBIR) for both 2013 and 2014, where the Council organized a group of volunteers to work with the Verizon team and their draft report.
“We developed a simple mapping from the classes of problems identified by the Verizon data and analysis into the 20 CSC, which became part of the Verizon summary and conclusion section,” Sager said. “At the end of the day, we think this answers a fundamental question that every Enterprise struggles with: What action should I take to stop the attacks that are plaguing the community?”
Sager says the DBIR is an excellent and well-respected resource, but it only represents one set of data, so the Council is now working with numerous other vendors of threat intelligence to build a broad “community threat model” that any enterprise can use as a starting point for choosing defensive action.
“In today’s world, we are all on the same network, using the same technology, and locked into complex business partnerships that change constantly, therefore in order to have trust in our systems, information, partners, and transactions we must have an open and public way to express and negotiate confidence,” Sager said. “We believe that this implies a common set of expectations or actions in cyberdefense for various purposes and populations.”
Sager and the Council believe this is a universally applicable idea in that we are all “network neighbors” and we all need to be able to understand, talk about, negotiate, and take actions based on the confidence that we have in our partners, suppliers, and information. While different communities may face similar constraints, regulatory issues and threats, they may choose a different set of actions accordingly, but the basic idea of commonality applies.
“Of course, each of us are part of multiple communities, so we must be able to flexibly and dynamically manage and express our confidence or trust. The vast majority of problems we collectively face are in fact problems that no one of us should have to solve individually, like establishing common language and actions for defense, translating the current threat landscape into specific defensive choices, and establishing baselines for security behavior,” Sager continued.
“And we are better off banding together at a community, grass-roots level to solve such problems rather than wait for things to get better, or for the government to save us.”
All enterprises today operate in what Sager calls “The Fog of More” – too many choices, products, opinions, regulatory and compliance schemes, etc. – preventing us from taking the basic actions needed to both manage a vast majority of problems as well as establish the foundational infrastructure to manage more complex, advanced threats.
“In addition to establishing a strong, community-driven threat basis for the 20 CSC, we must also work to ensure alignment of the rest of the ecosystem – the view of senior corporate executives, the enforcers like auditors and regulators, the market forces like the insurance and liability frameworks, the policies that govern behavior and executive decisions, and the suppliers of solutions,” Sager said.
But that is an uphill battle, as Sager points out that the 20 CSC is only a grass roots initiative with no real authority other than that of the weight of the participants and the authority of those who choose to adopt. Nonetheless, the Controls have been adopted by a very large number of enterprises across all sectors and can be found in regular use around the world.
“Many consultants and integrators use them as a discussion framework with clients, as a well-vetted and supported community baseline or yardstick, and as a way to streamline and standardize their services,” Sager pointed out.
“They have received great support from solutions providers, with numerous products and services available specifically aimed at measuring or implementing the 20 CSCs, and they have fans and supporters in numerous government agencies, industry groups, and even among auditors.”
That is why the community-driven conversations are changing as lawyers, auditors, the insurance industry, regulatory agencies, and industry groups are seeking some notion of baseline expectations for due care, hygiene, and best practices.
“Whether it is the Critical Security Controls or not, this seems like an idea whose time has come,” Sager said. “But if we – the technical practitioners – don’t define sensible, meaningful actions then we will be left to the rest of the ‘system’ to sort this out.”
To that end, Sager will be delivering a talk at BlackHat 2014 titled From Attacks To Action – Building a Usable Threat Model To Drive Defensive Choices, and any day now the Council will be releasing extensive mapping spreadsheets correlating the Controls and essentially every similar list like the ASD 35 and NSA Top 10, every formal risk management framework like FISMA/800-53and ISO 27000, and other relevant programs or frameworks like the NIST EO CSF and the DHS CDM Program.
Register today for the upcoming webcast June 11, 2014 at 11:00 AM Pacific – 2:00 PM Eastern to hear more from Sager on how to translate security information into specific and scalable action, the remediation plan for the controls starting with the Top 5, how the Council on CyberSecurity uses a community approach to this translation problem to create and sustain the Critical Security Controls, and how the community can help advise and support your organization’s risk management efforts with a formalized framework.
- The Role of Security in Creating a Standard of Due Care
- Who Should Insure the Nation’s Critical Infrastructure?
- Attention General Counsel: Do You Know Your DDoS from Your APT?
- Target and the Security Liability Blame Game
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].