I recall seeing a TV ad a number of years back in which a lost tourist in a rental car is driving in a very rural area. He sees a farmer walking along the road and stops to ask for directions to the nearest town. The farmer stops walking and pauses to think for a minute, looks around at the surrounding wilderness and turns back to the tourist and says, “Well, if I were you, I wouldn’t start from here.”

I can’t recall what the ad was for, but I do remember the bemused expression on the tourist’s face. Implementing cybersecurity can be a bit like that. It is very rare that you get the chance to start over with a clean slate and design your ideal cybersecurity defense.

Defense-in-Depth or Expense-in-Breadth?

Invariably you will have a collection of different security technologies that will have been implemented over the years to address specific security needs or in response to specific security compliance issues or security breaches. Every time a new issue arises, you look to your existing security solutions to determine whether they can provide a solution or try to find something else to cover that gap. As you add each of these components, you start to ask yourself whether you’re really achieving defense-in-depth or just expense-in-breadth.

This is why I like the CIS Controls from the Center for Internet Security.

As outlined in the introduction to the latest 7.1 version, “The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.” Developed by a community of security experts, the CIS framework acknowledges the wealth of security tools and technology that are available to security practitioners and identifies the resulting “fog of more” that can be overwhelming and can distract organisations from taking the necessary decisions to achieve basic security fundamentals.

In total, there are 20 controls which are set out in a prioritized manner with the first six controls, known as the basic controls, providing cyber hygiene. The message from the CIS is that if you start at the top and work your way down, with each step along the way you are maximising your impact on improving your security posture. There is a very logical flow to the list and the top six in particular.

  1. The first control is the inventory and control of hardware assets. If you don’t know it exists, you can’t secure it. So, step 1, discover what’s in your environment. 
  2. The second control is the inventory and control of software assets. Once you know what hardware you’ve got, understand what software is running on this hardware. Is this software that you want to have running in your network? Technologies like application control or application whitelisting have a big part to play here.
  3. The third control is continuous vulnerability management. Once you have identified the software applications that exist, you know that these applications will have ongoing vulnerabilities, so you need to continuously scan and remediate these vulnerabilities.
  4. The fourth control is the controlled use of administrative privileges. Admin privileges provide attackers with a way to spread inside an enterprise. When an attacker gains access to a system, typically by exploiting an unpatched vulnerability, they can do a lot more damage and navigate more easily throughout the network if they have admin privileges. 
  5. The fifth control is to implement a Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Default configurations for applications and operating systems are designed for ease-of-deployment and ease-of-use rather than for security. However, these configurations often make systems easier to exploit so the settings need to be adjusted to make them secure and systems need to be scanned regularly to ensure that they haven’t deviated from these secure configurations as new software is added and patches applied.

Originally, only the top five controls were required for cyber hygiene, but the sixth control, Maintenance, Monitoring, and Analysis of Audit Logs, is now also included in the set of basic controls in recognition of the need to capture information to help detect, understand, or recover from an attack.

Like the tourist in the TV ad, while it mightn’t be ideal to “start from here”, the CIS framework enables enterprises to evaluate their existing security infrastructure against this carefully thought out, prioritized set of controls to identify where they have coverage or where there are gaps that need to be filled. Armed with this knowledge, enterprises stand a much better chance of navigating the “fog of more” and getting to the destination of a solid security foundation.

David Murray is Principal Product Manager at Ivanti for Ivanti® Security Controls, a solution designed to deliver the basic controls outlined by the Center for Internet Security. Visit the Security Controls web page to learn more, request a demo, or to start your free trial.