Defensible Tech Team, February 8

Critical Security Controls: How to Implement the 18 Controls & Achieve Fundamental Security Hygiene


At Defensible, we believe in the importance of doing the security fundamentals well. Many companies still struggle to implement the foundation of a security program properly. But knowing the critical security controls that a business needs to have in place, and being able to prioritize implementing those controls, will help you both resist attacks and justify the value of your security program to stakeholders throughout the business. The CIS Controls lie at the heart of being able to do this.

What Are the CIS Critical Security Controls?

The CIS Controls are a respected, industry-standard framework consisting of eighteen critical security controls that lay out strong, industry-agnostic cybersecurity foundations. These controls are designed to help organizations understand their cybersecurity needs and make educated decisions. The CIS controls also connect well with regulatory frameworks that your business may need to comply with, depending on your activities.

CIS controls are organized in logical groups that help decision-makers understand the controls they need and prioritize their decision making. Under each group of CIS controls is a detailed list of steps, called safeguards, to strengthen them, organized into three implementation groups. Those groups can help you both understand your current level of maturity and set priorities to build it:

  • IG1 includes basic steps that every organization needs at a minimum
  • IG2 builds another layer that will help protect a business against most threats
  • IG3 includes safeguards for organizations with more advanced maturity that can be selected based on which are most relevant for lowering risk in that environment or industry

To begin building or strengthening your security program and lowering your risk, learning the elements of the CIS controls is an excellent place to start. Read on to learn how each of the CIS controls relates to your organization and its security program, and to gain some insight into how to build or strengthen aspects of your security program to address the CIS controls.

1. Inventory and Control of Enterprise Assets

To keep IT infrastructure secure, a company must know what it has. Accomplishing this goal requires active management and tracking of all enterprise assets including servers, endpoints, mobile devices, IoT devices, and cloud instances. It is critical because there is no way to have an accurate idea of your business’s attack surface, or to know what your security department needs to monitor, without an accurate inventory of assets. Implementing this control also prepares your business to identify and either remove or remediate shadow IT.

Asset inventory and control are complex. Many organizations use multiple asset inventory data sources including Active Directory, patch management systems, endpoint security and antivirus systems, virtualization platforms like vCenter, vulnerability scanners, and others. Since IT environments are dynamic, each of those sources gives a different view of the environment, and each source provides critical information. Defensible, with the help of asset intelligence and reconciliation tools from our partner Sevco Security, captures data from all of these sources and creates a unified, accurate asset inventory picture.
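The reconciliation idea described above, as an added Python example that is not Defensible's or Sevco Security's code: it merges records from three inventory sources and reports which sources each asset is missing from. The source names, field names, and sample records are constructed, and matching on MAC address or short hostname is an assumption that a real environment would need to tune.

```python
"""Reconcile asset records from several inventory sources (constructed data)."""

# Constructed sample exports; source and field names are assumptions.
SOURCES = {
    "active_directory": [
        {"hostname": "WS-014.corp.example", "mac": "00-1A-2B-3C-4D-5E"},
        {"hostname": "srv-db01", "mac": "00:1a:2b:aa:bb:01"},
    ],
    "edr": [
        {"hostname": "ws-014", "mac": "00:1a:2b:3c:4d:5e"},
    ],
    "vuln_scanner": [
        {"hostname": "srv-db01.corp.example", "mac": "00:1A:2B:AA:BB:01"},
        {"hostname": "", "mac": "00:1a:2b:ff:ee:99"},  # seen only on the wire
    ],
}


def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits, or '' if invalid."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return digits if len(digits) == 12 else ""


def norm_host(name):
    """Lowercase short hostname, so 'WS-014.corp.example' matches 'ws-014'."""
    return name.strip().lower().split(".")[0]


def reconcile(sources):
    """Merge records that share a MAC or short hostname into one asset."""
    index = {}  # identifier -> asset dict shared by all of its identifiers
    for source, records in sources.items():
        for rec in records:
            ids = {i for i in (("mac", norm_mac(rec.get("mac", ""))),
                               ("host", norm_host(rec.get("hostname", ""))))
                   if i[1]}
            if not ids:
                continue  # nothing to correlate on
            asset = {"ids": set(ids), "seen_in": {source}}
            # Absorb every existing asset that shares an identifier, so a
            # record carrying both keys can bridge two earlier partial ones.
            for ident in ids:
                other = index.get(ident)
                if other is not None:
                    asset["ids"] |= other["ids"]
                    asset["seen_in"] |= other["seen_in"]
            for ident in asset["ids"]:
                index[ident] = asset
    return list({id(a): a for a in index.values()}.values())


def label(asset):
    """Prefer a hostname for display and fall back to the MAC."""
    hosts = sorted(v for k, v in asset["ids"] if k == "host")
    macs = sorted(v for k, v in asset["ids"] if k == "mac")
    return hosts[0] if hosts else macs[0]


def coverage_gaps(assets, required=("active_directory", "edr", "vuln_scanner")):
    """Map each asset to the required sources that have no record of it."""
    gaps = {}
    for asset in assets:
        missing = sorted(set(required) - asset["seen_in"])
        if missing:
            gaps[label(asset)] = missing
    return gaps


if __name__ == "__main__":
    for name, missing in sorted(coverage_gaps(reconcile(SOURCES)).items()):
        print(f"{name}: missing from {', '.join(missing)}")
```

An asset that appears only in scanner output, like the last sample record, is the shadow IT candidate; one missing only from the EDR source is a coverage gap on a known machine.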

2. Inventory and Control of Software Assets

The need to track assets extends to software as well. Security requires careful management and tracking of software on the network, including operating systems and applications. It is integral for knowing the attack surface and level of risk for software attacks, as well as knowing what software the business needs to protect and patch.

Just as control of enterprise assets has gotten more complex, so has control of software assets. In the past, IT departments would control software by removing local administration rights from users, preventing them from installing programs. However, many businesses do not have enumerated lists of approved software. As part of addressing this control, Defensible helps clients define this list.

Furthermore, much software today requires no installation. With Software as a Service (SaaS) options, employees no longer have to install programs on their computers in order to put data at risk. With so many free or freemium solutions like Box, Dropbox, Asana, and Slack available, shadow IT is easy to stand up and more difficult than ever to root out. When we work with businesses to enumerate approved software, we work with them to include SaaS solutions alongside traditional software.

3. Data Protection

Data are your organization’s crown jewels: your financial assets, your trade secrets, the things your clients trust you to hold onto as part of doing business. Client trust is at stake, and often legal liability, if data are not properly protected. The European Union has unified and strengthened its data privacy regulations through the GDPR, and though the United States does not have a unified data protection law, California is leading the charge to stronger regulations. Furthermore, specific industries such as healthcare and finance are subject to specific regulations as well.

Taking care of the data with which your business is entrusted requires identification, classification, handling, retention, and disposal of data. This is a difficult control category for many businesses. With applications and databases integrated with others, and data reports emailed or exported in so many formats, determining and tracking the real risk to data becomes complex. CIS and its three implementation groups help prioritize measures to address this category by starting with a data inventory and then gradually adding layers such as data flow mapping, classification, encryption, and data loss prevention.

4. Secure Configuration of Enterprise Assets and Software

Businesses use a broad range of assets, and creation and maintenance of secure configurations for endpoints, mobile devices, servers, network devices, software, and cloud services are necessary. Though securely configuring systems and software can be difficult, configuration defaults or errors can lead to the compromise of accounts and data, as well as a way in for attackers. As new attacks are discovered, or software updates are applied, these configurations must be maintained.

Fortunately, there are often zero-cost, quick wins in this category. Many safeguards can be implemented with simple configuration changes to existing tools like Active Directory group policy, Windows and macOS, and system build tools.

5. Account Management

Every business must take measures to make sure only authorized users can gain access to an environment, including regular user, administrative, and service accounts. Account management is critical since poorly managed accounts are still the easiest way for many attackers to enter networks. Accounts with weak or reused passwords, hard-coded service accounts in publicly accessible scripts, and overused administrator accounts can lead to attacker access and data compromise.

Though many businesses still struggle with account management, we often find quick, impactful wins under this control. For example, many businesses give IT administrators privileges under their daily-use account. By splitting these into separate accounts (for example, steve@defensible.tech for daily use and admin-steve@defensible.tech for administrative use), they can help prevent extended access if the user makes an error under their daily-use account.

6. Access Control Management

Access credentials must be managed properly: accounts should require strong authentication, have access only to the resources and data they need, and be deprovisioned when no longer needed. Each account with access to unnecessary data or systems means one more way an attacker can find a weakness, compromise an account, and get access. Thus, you need a well-developed process for managing access.

Though many organizations we work with have a good sense of how they want to grant access, not all have documented it and not all have put that vision into action. A key element of this control is multi-factor authentication (MFA). Though end users still push back against using MFA, businesses cannot expect to keep sensitive information secure without requiring MFA for accounts that access it. Defensible works with our partner Okta to help clients embrace MFA and strengthen this control.

7. Continuous Vulnerability Management

It is critical for every business to build a comprehensive vulnerability management program including vulnerability assessment and tracking, remediation, and ongoing tracking of new threats and vulnerabilities. Attackers are tracking vulnerabilities, and using them to identify targets and gain access to sensitive information. The only way to know whether the vulnerabilities that attackers are focusing on exist in your environment is to look for them; then, those findings must be remediated in a prompt, methodical, and prioritized manner based on the risk they pose to your organization.

This is a table-stakes category. Every business must, at minimum, scan externally facing assets continuously and see their attack surface. Fortunately, vulnerability management offers a strong return on investment. It allows companies to identify and fix known vulnerabilities before attackers find them; many major breaches happen as a result of known vulnerabilities, so this work is impactful. Furthermore, it also puts them in a close relationship with a partner who can rapidly address critical zero-day vulnerabilities like the recent log4j issue.

8. Audit Log Management

Though CIS calls this “audit log management”, this control fundamentally comes down to visibility. In healthcare, tools like CT scans, MRIs, and x-rays give doctors visibility under the skin to see how all components of someone’s body are working. This is the network equivalent. It encompasses the collection and retention of event logs, as well as the ability to alert on and review the contents of event logs.

Comprehensive logging and strong log management are crucial to being able to detect, triage, research, and respond to attacks. System logs, audit logs, and access control logs provide the data you need to know what is happening on the network, identify anomalies, and make sense of attacks. All of these are crucial to building the two necessary kinds of visibility: backward-looking and forward-looking. This means storing the logs necessary to investigate a significant security issue, as well as proactively detect issues in centralized log data. These are capabilities your business needs to have in place before a data breach, and Defensible works with CyFlare to offer comprehensive log collection and monitoring. CyFlare provides 24x7 SOC, XDR, and MDR services that build a solid foundation for knowing and defending your network.

9. Email and Web Browser Protections

Two of the major points for human contact with the network are web browsers and email clients. Email and web browsing are most people’s major ways of interacting with networks, meaning that vulnerabilities in such software, or malicious content accessed via such software, are effective avenues for compromise. This software should be approved, configured, updated, and hardened in order to make it as difficult as possible for malware or attackers to enter.

Fortunately, there are low-cost and impactful ways to improve controls in this category. Key safeguards include DNS filtering of known bad domains, implementing Defender ATP with Office 365, standardizing on a single web browser enterprise-wide, and implementing the Sender Policy Framework. We frequently recommend these to clients, assist them with implementation, and see meaningful security improvement.

10. Malware Defenses

Malware remains a large part of the threat landscape, and every business needs a plan for prevention and minimization of malware and its effects on a network. Businesses have long known the need for an antivirus solution. But malware continues to evolve, and legacy antivirus has become less and less effective against current malware and ransomware campaigns. These current strains require Endpoint Detection and Response (EDR) software to detect and handle them more effectively.

EDR is one of the necessary security basics. However, many businesses have not shifted yet, and still find the market for EDR solutions cluttered and confusing. Defensible has experience with most of the vendors in the space, and can help clients define their requirements, evaluate the available solutions, and select the one that fits their needs best.

11. Data Recovery

No matter how strong a business’s security precautions are, it matters to be ready to recover from an attack. This includes establishing and maintaining processes to restore trusted assets such as data and configurations after an incident. Between ransomware, backdoors, and other threats, attackers compromise data, configurations, and accounts while on a network. Once an attack is identified, part of efficient incident response involves being able to not only access data, but return systems to a known and trusted point.

A sound foundational approach to this is the 3-2-1 strategy: keep three copies (production and two backups), on two different media sources (often physical disk and cloud), and make sure one copy resides offsite. You should also perform regular tests during which you restore from backup, to make sure that your backup and restore policies work in practice. With ransomware at the forefront of the threat landscape, these backups and tests are more critical than ever.
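One way to turn the 3-2-1 rule and the restore-test advice above into a repeatable check, as an added Python example that is not Defensible's code: the catalogue layout, field names, and sample entries are constructed, and the 90-day restore-test window is an assumption standing in for "regular".

```python
"""Check a backup catalogue against the 3-2-1 rule (constructed data)."""
from datetime import date

# Constructed catalogue: one production copy and two backups.
COPIES = [
    {"name": "prod-fileserver", "role": "production", "media": "disk",
     "offsite": False},
    {"name": "nas-nightly", "role": "backup", "media": "disk",
     "offsite": False, "last_restore_test": date(2024, 1, 10)},
    {"name": "cloud-weekly", "role": "backup", "media": "cloud",
     "offsite": True, "last_restore_test": None},
]


def check_321(copies, today, max_test_age_days=90):
    """Return a list of findings; an empty list means the rule is met."""
    findings = []
    production = [c for c in copies if c["role"] == "production"]
    backups = [c for c in copies if c["role"] == "backup"]

    # 3: production plus two backups.
    if not production or len(backups) < 2:
        findings.append("fewer than three copies (production plus two backups)")
    # 2: at least two different media types across all copies.
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies are on the same media type")
    # 1: at least one copy held offsite.
    if not any(c["offsite"] for c in copies):
        findings.append("no copy is held offsite")

    # A backup that has never been restored, or not recently, is unproven.
    for b in backups:
        tested = b.get("last_restore_test")
        if tested is None:
            findings.append(f"{b['name']}: never restore-tested")
        else:
            age = (today - tested).days
            if age > max_test_age_days:
                findings.append(f"{b['name']}: last restore test {age} days ago")
    return findings


if __name__ == "__main__":
    for finding in check_321(COPIES, today=date(2024, 6, 1)):
        print("FINDING:", finding)
```

The sample catalogue satisfies the copy, media, and offsite counts yet still produces two findings, because neither backup has a current restore test.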

12. Network Infrastructure Management

The network is the backbone of IT infrastructure, and every business needs to plan for the design, implementation, and management of a secure enterprise network. Sensitive data exists on and travels over corporate networks, so corporate networks must be designed and configured securely. This requires ongoing review and improvement, as well, given the discovery of new threats and the likelihood that your configurations and technologies will change over time.

Though many network engineers understand the domain well and have some knowledge of security best practices, they often struggle with documentation. In practice, as devices are added, moved, or changed, documentation falls behind the technical alterations. However, when there is a security incident, one of the first documents an incident responder needs is an up-to-date network diagram. It is crucial for understanding the ramifications of an attack, and having that information makes the crucial first 24-72 hours of incident response easier and more fruitful.

13. Network Monitoring and Defense

In addition to a secure network design, every business needs to create and maintain robust network infrastructure monitoring and defense. In today’s threat landscape, network monitoring is a complex undertaking, requiring both technical tools and human expertise. However, well-developed processes, well-tuned technologies, and well-trained experts can minimize your time to detection — thus minimizing even a sophisticated attacker’s time in the network.

This category is closely related to Audit Log Management: server log data, application log data, and network context work well together to help build a useful picture of the environment. Though many network protection safeguards are complex and only practical at higher levels of security maturity, there are still some necessary fundamentals. Those include proper network segmentation and restricting outbound network traffic to necessary protocols like HTTP and HTTPS. They also include integration and automation of network-based threat intelligence, which we help implement for clients of all sizes alongside our partner Dark Cubed.

14. Security Awareness and Skills Training

Security is not only a technical problem, but also a human problem. A strong security program must include a security awareness program that prepares personnel to reduce security risk. Often the weak link is people: employees click on malicious links, download suspicious files, reuse passwords, or disclose data to unauthorized people. You need security awareness training to help reduce this risk.

Helping businesses perform security basics well is core to our approach, and this outlook shines when applied to security awareness. Many businesses have 20, 40, even 60+ page security policies with highly technical language. This does little to help employees understand either security threats or what they can practically do (or refrain from doing) to comply. To help our vCISO clients with awareness and training, Defensible maintains policies that are practical and actionable by employees at all levels, such as a one-page Acceptable Use Policy document that outlines responsibilities, acceptable behaviors, and prohibited behaviors.

15. Service Provider Management

Most businesses work with third parties to provide services; from cloud services to monitoring, not everything happens on-premises anymore. A security program needs processes for evaluating service providers who gain access to sensitive data or platforms. Third-party vendors often need access to your sensitive systems or data, but having a relationship with a third party does not lessen or remove your regulatory or contractual obligations to keep those secure. Before a third party gains access to data, and while the relationship is ongoing, you must do your due diligence to ensure that third (and even fourth) parties satisfy security requirements.

From this point of view, we help companies assess and monitor their own security postures in light of their suppliers. From cloud platforms like AWS to SaaS offerings like Office 365, Google Apps, and Salesforce, to managed service providers, monitoring their security is part of keeping track of your own security. Defensible partners with SecurityScorecard to help clients incorporate service provider management.

Defensible also helps companies from the provider perspective. Many of our clients provide services to their own clients, and must comply with best practices and contractual requirements to deliver those services. For mid-sized SaaS providers, a Defensible vCISO can help you understand those requirements and keep customers who actively monitor their service providers informed.

16. Application Software Security

Anything that an enterprise develops, hosts, purchases, or implements within the environment needs to be subject to security review and testing. Virtually every business nowadays needs application software, but insecure, unpatched, or poorly configured applications open the door to attack. Software security is broad and complex, including elements of code review, configuration review, and dynamic testing, but it is crucial for today’s software-dependent enterprise.

Defensible has extensive experience securing companies that build software, including SaaS providers and on-premises software manufacturers, and we have worked with them to implement both static and dynamic testing. This testing includes composition analysis: security testing not only the software developed by the company, but also third-party and open-source code components. Businesses that were already composition testing put themselves in a stronger position to quickly address issues such as the recent critical log4j vulnerability, as they know the code they are using and will not have to rush to find that out.

17. Incident Response Management

Even the most careful business should be ready to respond to compromise. This readiness requires establishing and maintaining a program for preparing, detecting, and responding to attacks. Even though proactive security controls are designed to minimize the chance of attack, sometimes attackers succeed despite strong controls. You need a developed, documented, and practiced plan for incident response in order to minimize the effect of security incidents on your business and your customers.

Defensible brings a battle-tested backbone for an incident response plan, based on many years of experience in IR and investigation. We then customize the plan for each client, based on their infrastructure and priorities. The result is a practical plan that addresses technical, legal, and regulatory concerns.

18. Penetration Testing

Security controls are important, but there is no way to know for sure that controls are working unless they are actually tested. Penetration testing lets you know how well your controls are actually working, and the results can provide guidance for how to improve them. This includes testing how effective and resilient the security controls throughout the enterprise are, by identifying and exploiting weaknesses the way an attacker would.

Traditional penetration testing assesses this posture at a point in time. However, environments are not static. Defensible partners with FireCompass to offer continuous attack surface discovery and red team as a service. This way, businesses can see their attack surface in real time and test high-risk issues as they arise, instead of a few discrete times a year.

From Controls to Risk Information

Knowing the critical security controls is important, but they need to be used to paint a picture of real business risk. Therefore, a core part of a risk assessment is a controls gap analysis. After performing root cause analysis, policy and governance review, as well as technical and functional interviews, that information needs to be organized and analyzed based on a framework that helps you understand your security needs.

The CIS controls provide a sound foundation for making the results of a risk assessment and gap analysis actionable. As part of our controls gap analysis, we score the implementation of each safeguard as not implemented, slightly implemented, partially implemented, mostly implemented, or completely implemented. The comprehensive nature of the eighteen controls, as well as the safeguards and levels of implementation within each one, make them a logical and actionable framework for understanding weaknesses and prioritizing remediation. From this, you can make confident and informed choices about which security projects and changes will have the most impact on improving your security posture.

To learn more about critical security controls and how Defensible can put the CIS framework to work to help you address your cybersecurity risks in a practical, risk-informed way, get started with us today.