An Educational Paper Contribution:
There are strategic benefits to complementing an organization’s existing security management model with the 20 Critical Security Controls, a threat-focused approach to improving the security environment. Today’s cyber attacks are increasing in sophistication and exposing gaps in current security models, which do not give organizations an effective blueprint for prioritizing the security controls that actually stop and detect cyber attacks. The 20 Critical Security Controls were developed by a consortium of experts from various government, industry, and academic organizations to provide a blueprint for how to prevent, detect, and mitigate the actual attacks impacting organizations worldwide.
The complexity and velocity of the threats organizations face are only escalating, and there is a definite need for careful analysis of attack trends to determine effective mitigations. According to a recent study by Verizon, 92% of data breaches in 2012 were perpetrated by outsiders and one-fifth of all data breaches were connected with state-affiliated actors, which highlights that the sophistication and resources available to conduct attacks are growing. Furthermore, 69% of breaches were discovered by an external party and often went months before they were detected, offering a glimpse into how little visibility organizations have into active attacks (Verizon, 2013, pp. 5-6). Of the top threat actions identified in 2012, which were tampering, spyware, backdoor, export data, use of stolen credentials, capture stored data, phishing, command and control, downloader, and brute force, seven were related to malware. Verizon’s analysis concluded that the Critical Security Controls, if implemented, could have directly limited the success of the top threat actions, leading to its recommendation that most organizations could benefit from implementing all of the Critical Security Controls to some level (Verizon, 2013, p. 58).
The organizations affected by data breaches in 2012 were a cross section of small to large organizations, geographically spanning 27 countries and representing a diverse assortment of industries (Verizon, 2013, pp. 4-5). These organizations probably had reasonable security controls in place, such as firewalls, antivirus, and security policies, and given the widespread reference to and adoption of various security management models, such as ISO 27000, COBIT, and NIST, and compliance frameworks such as PCI DSS, these organizations undoubtedly had access to industry best practices and recommendations. However, even with all these good resources, organizations are increasingly finding themselves reacting to security breaches, often as a result of notification by outside parties, which have damaged the organizations’ reputations and caused actual economic losses of information and intellectual property.
John Pescatore, a seasoned security analyst formerly with Gartner and now with the SANS Institute, noted, “Most of the Compliance regimes are invariably rigid, top-down structures, whereas the CSC effort is purposely bottom-up” (Pescatore, 2013, p. 20). This characterization could point to the reason for the apparent disconnect between many organizations’ attempts to maintain compliance with various security management models and the fact that they are not effectively stopping attacks. A recent report by the Center for Strategic and International Studies makes an interesting point about compliance frameworks:
“The older compliance and audit-based approach found in legislative mandates like the Health Information Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Financial Services Modernization Act (also known as Gramm-Leach-Bliley, GLB) is both resource intensive and ineffective. Compliance is usually a good thing, but in cybersecurity it came to stand for a static, paper-driven method that was expensive without providing equivalent benefits” (Lewis, 2013, p. 7).
The new approach to cyber security is based on evaluation of attack data and of which measures have effectively prevented attacks. The resulting analysis and recommendations offer organizations a chance to assess their security environment with a clear goal in mind.
The stated goal of the Critical Security Controls is to, “…protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.” The controls were developed by experts from various government agencies including the NSA, FBI, US Department of Defense, US Department of Homeland Security, the UK government’s Centre for the Protection of Critical Infrastructure, and the Australian Defence Signals Directorate, with the assistance of various other industry recognized professionals. Five principles of an effective cyber security defense are reflected in the Critical Security Controls:
- “Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
- Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
- Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics” (Council on CyberSecurity, 2013, pp. 2-3).
The Critical Security Controls represent controls that are already found in many of the security management models in use today. They are not meant to replace these models, but to focus and prioritize the controls that are implemented so as to achieve significant reductions in attack success. Simply put, the Critical Security Controls represent the controls most likely to enhance an organization’s security posture, and they provide management with a guide to where to focus attention and resources first. One reason the Critical Security Controls are so valuable to smaller organizations is that they allow an organization to leverage the expertise of government, industry, and academia in determining which threats and vulnerabilities it is likely to face and should therefore allocate its resources to defend against (Sager, 2013, p. 1).
The consensus-based risk assessment approach essentially allows for a risk assessment based on what the community of experts is seeing, rather than relying only on the expertise internal to one organization to determine the right responses. Tony Sager, the former chief of the information assurance directorate at the NSA, asserts that the Critical Security Controls are a “foundational risk assessment” that an organization can use to determine where to start taking action. The case for why the Critical Security Controls are relevant is simply that organizations today use common technologies and face common threats in an increasingly interconnected environment where organizations are linked to each other, so a common baseline of Critical Security Controls is applicable to many organizations. Additionally, organizations may not have access to the resources and expertise needed to produce the results embodied in the Critical Security Controls, so by leveraging the power of the community they are in a better position to quickly assess and implement a baseline of defenses that thwarts most attacks, and can then concentrate on the specific threats to their business to further enhance their security posture (Sager, 2013, pp. 1-2).
Expanding on the concept of using the Critical Security Controls as a foundational risk assessment is the goal of implementing continuous monitoring. Given the dynamic nature of risks organizations face, there is an incentive to consider the move to continuous monitoring as a way to ensure risks are being managed effectively. Risk assessment should not be a periodic activity, but should be integrated with the continuous monitoring approach used to manage risks based on the constant stream of new information available. The Critical Security Controls offer another key advantage in this space as they provide an organization with a prioritized list of the most important elements to target for continuous monitoring (Sager, 2013, p. 3).
Automation of the continuous monitoring process is also key to leveraging the ability of the controls to quickly provide value to an organization. A central philosophy in the design of the Critical Security Controls is that, “…any defenses that can be automated, should be automated,” enabling rapid detection and mitigation of attacks on an organization’s network, with the goal of minimizing the damage (Tarala, 2012, p. 1). Today’s organizations are up against some very sophisticated attacks, including malware that has the potential to avoid signature-based detection and the ability to disable antivirus and other security tools. This stresses the importance of having automated controls such as application whitelisting, intrusion detection systems, and asset tracking systems that run and report automatically (Tarala, 2012, p. 5). The principal way to accomplish automation and continuous monitoring is by deploying sensors to collect threat data from inbound and outbound network traffic and report it for correlation and further analysis. The Critical Security Controls outline 45 different sensors that organizations can put into use, including asset tracking, vulnerability management systems, patch management systems, intrusion detection systems, authentication systems, and file integrity systems (Tarala, 2012, pp. 6-7). Automation does not eliminate the need for intelligent people to analyze the information and determine how to respond, but it does maximize their efficiency and effectiveness: by knowing when and where attacks are happening, they can focus their time on remediating the issues that arise.
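The sensor correlation described above, shown as an added illustration that is not taken from the paper or from the Critical Security Controls documents: a small Python script merges records from three hypothetical sensors (asset tracking, patch management, and authentication) into a single prioritized list of per-host findings, which is the kind of automated, continuously refreshed output an analyst would triage. The host names, feed contents, scoring weights, and failed-login threshold are all constructed assumptions chosen for illustration.

```python
"""Correlate constructed sensor feeds into a prioritized per-host finding list.

Added example, not the paper's or the Council's code. Every feed below is
constructed sample data; weights and thresholds are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Authorized asset inventory (the organization's own list of approved hosts).
AUTHORIZED_ASSETS: Set[str] = {"ws-01", "ws-02", "srv-db-01"}

# Asset tracking sensor: hosts observed on the network in the last interval.
OBSERVED_HOSTS: Set[str] = {"ws-01", "ws-02", "srv-db-01", "rogue-7f"}

# Patch management sensor: number of missing critical patches per host.
MISSING_PATCHES: Dict[str, int] = {"ws-01": 0, "ws-02": 3, "srv-db-01": 1}

# Authentication sensor: (host, username, outcome) events from the interval.
AUTH_EVENTS: List[Tuple[str, str, str]] = [
    ("ws-02", "alice", "success"),
    ("srv-db-01", "svc-backup", "failure"),
    ("srv-db-01", "svc-backup", "failure"),
    ("srv-db-01", "svc-backup", "failure"),
    ("srv-db-01", "svc-backup", "failure"),
    ("srv-db-01", "svc-backup", "failure"),
    ("srv-db-01", "svc-backup", "failure"),
    ("ws-01", "bob", "failure"),
]

# Scoring weights: assumptions that reflect the "prioritization" principle,
# ranking an unknown device above an unpatched one above a single login burst.
WEIGHT_UNAUTHORIZED = 50
WEIGHT_PER_MISSING_PATCH = 10
WEIGHT_BRUTE_FORCE = 30
BRUTE_FORCE_THRESHOLD = 5  # failures for one account on one host per interval


@dataclass
class Finding:
    """Accumulated issues and priority score for a single host."""
    host: str
    score: int = 0
    issues: List[str] = field(default_factory=list)

    def add(self, points: int, text: str) -> None:
        self.score += points
        self.issues.append(text)


def correlate(
    authorized: Set[str],
    observed: Set[str],
    missing_patches: Dict[str, int],
    auth_events: Iterable[Tuple[str, str, str]],
) -> List[Finding]:
    """Merge the three feeds by host and return findings, highest score first."""
    findings: Dict[str, Finding] = {}

    def finding(host: str) -> Finding:
        return findings.setdefault(host, Finding(host))

    # Asset tracking vs. inventory: anything seen but not authorized is flagged.
    for host in sorted(observed - authorized):
        finding(host).add(WEIGHT_UNAUTHORIZED, "host not in authorized asset inventory")

    # Patch management: each missing critical patch adds to the host's score.
    for host, count in missing_patches.items():
        if count > 0:
            finding(host).add(WEIGHT_PER_MISSING_PATCH * count,
                              f"{count} missing critical patch(es)")

    # Authentication: repeated failures for one account on one host.
    failures = Counter((h, u) for h, u, outcome in auth_events if outcome == "failure")
    for (host, user), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            finding(host).add(WEIGHT_BRUTE_FORCE,
                              f"{n} failed logins for '{user}' (possible brute force)")

    # Deterministic order: highest score first, host name as tie-breaker.
    return sorted(findings.values(), key=lambda f: (-f.score, f.host))


def report(findings: List[Finding]) -> str:
    """Render findings as the text an analyst would see each interval."""
    lines = [f"{f.host}: score {f.score}; " + "; ".join(f.issues) for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(correlate(AUTHORIZED_ASSETS, OBSERVED_HOSTS, MISSING_PATCHES, AUTH_EVENTS)))
```

With the constructed feeds, the unknown device rogue-7f ranks first, the database server (one missing patch plus a burst of failed logins) second, and the unpatched workstation third; ws-01 produces no finding because a single failed login is below the threshold. In a real deployment each feed would be refreshed on the sensor's own schedule and the correlation re-run, so the ranking changes as soon as a host is patched or a new device appears.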
The Critical Security Controls offer a compelling incentive to organizations to align their security environment with these effective mitigations and reduce their potential for successful attacks. As organizations implement these controls, it is likely they will realize cost savings through automation, increased visibility into the actual threats they face through continuous monitoring, and an overall lower risk of cyber attack, espionage, and theft, which can be a competitive advantage for any organization in today’s increasingly connected world.