How to Measure Controls Effectively
The Center for Internet Security (CIS) Critical Security Controls present 20 prioritized actions an organization can take to protect its data, employees and customers from the majority of today’s threats, not just one single threat. A security control is a safeguard or countermeasure that avoids, detects, counteracts or minimizes security risks to a company’s assets. Examples of security controls include separation of duties in accounting, role-based access control and least privilege, or requiring a badge to enter a building.
There are three types of security controls:
- Preventative controls attempt to prevent a security incident before it occurs
- Detective controls identify a security incident while it’s occurring or shortly after
- Corrective controls limit the damage after a security incident and help an organization restore normal operation
Implementing Security Controls – The Struggle is Real
Implementing security controls generally requires a comprehensive strategy and an investment of time, resources and money. Despite clear controls and descriptions, many organizations still struggle to achieve basic security. Today’s security professionals need to be able to analyze their investments and show that the controls they have in place are in fact reducing risk to a level the organization finds acceptable. When it comes to implementing and evaluating the CIS Controls for effective cyber defense, many organizations are at a loss as to where to start, because security is still not treated as a business decision.
In our jointly hosted webinar with the SANS Institute, “Are You in Control? Managing the CIS Critical Security Controls within your Enterprise”, Matt Bromiley explained which controls matter most, how to evaluate their effectiveness and which tools can help assess an organization’s security posture easily and at a glance. The main takeaways from the Q&A portion of the webinar are gathered below.
Why are the 20 Critical Security Controls important?
The 20 Critical Security Controls are important because they help organizations improve their current security posture by protecting them from a variety of today’s most harmful threats. Contrary to popular belief, these controls are much more than simple check boxes: they are guidelines for long-term improvement of your security posture, and they cut off many of the techniques that today’s most advanced attackers rely on.
At the same time, a failing control is also an opportunity for growth. If you fix a control that is not working properly, you improve your chances of withstanding a future cyber attack.
Important Critical Controls Highlighted by Matt
Generally speaking, all 20 Critical Security Controls are important to safeguard an organization against data breaches and cyber threats, and the first five are the ones most often cited as the foundation. However, there are several specific controls that we would like to highlight in this article. The control numbers and names below follow the CIS Controls version 6 numbering used in the webinar; later versions renumber some of these controls, and version 8 consolidates the list to 18 controls.
- Control #4
Control #4 is about conducting “continuous vulnerability assessment and remediation”, an activity that is crucial for evaluating your security posture and monitoring the health of your environment. Vulnerability assessments are a first step towards finding out where your environment may be weak. Of course, they are only useful if the findings are actually remediated, prioritized by severity and exposure, and the fixes confirmed by a follow-up scan.
- Control #5
One of the most important controls is control #5, “controlled use of administrative privileges”. Attackers routinely take over accounts with administrative privileges to move deeper into a corporate network and carry out malicious activity. By restricting who holds administrative privileges, when they may be used and how their use is recorded, organizations can substantially strengthen their defenses against cyber attacks.
- Control #6
This equally important control covers “the maintenance, monitoring and analysis of audit logs”. It is not enough to generate logs; they must also be analyzed in order to capture what is actually happening in the network and whether and where potential security incidents occur. Even today, audit logs remain one of the best sources of evidence for detecting and tracing an attacker’s activity. Although many organizations collect logs with a log management solution or by other means, most of them do not actively use the intelligence those logs contain and miss out on opportunities to protect themselves better. A Managed Security Service Provider (MSSP) can help address this specific control.
- Control #19
Another critical control is control #19, “incident response and management”. With cyber attacks on the rise, organizations need defined processes and procedures in place to detect incidents, respond effectively and contain them before they cause considerable damage to data, financial standing or reputation. Ideally, organizations should have a dedicated team monitoring logs on a 24/7 basis, or outsource incident response management to a trusted security provider.
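To make concrete what “actively using” audit logs means for controls #5 and #6, here is a small Python triage script added for this article. It is not code from the webinar, from SANS, from CIS or from the ArkAngel platform. The auth-log lines, the approved-administrator list and the brute-force threshold are all constructed assumptions for the example: the script flags sudo use by accounts that are not on the approved list (control #5) and repeated failed logins from a single source (control #6).

```python
"""Audit-log triage example for CIS Controls #5 and #6 (added example, not
code from the webinar, SANS, CIS or ArkAngel).  All inputs are constructed."""
import re
from collections import Counter

# Constructed sample lines in Linux auth.log style (not real data).
SAMPLE_LOG = """\
Mar  3 08:01:12 web01 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Mar  3 08:02:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 08:10:03 web01 sshd[2150]: Failed password for root from 203.0.113.7 port 40211 ssh2
Mar  3 08:10:05 web01 sshd[2150]: Failed password for root from 203.0.113.7 port 40212 ssh2
Mar  3 08:10:07 web01 sshd[2150]: Failed password for root from 203.0.113.7 port 40213 ssh2
Mar  3 08:10:09 web01 sshd[2150]: Failed password for root from 203.0.113.7 port 40214 ssh2
Mar  3 08:10:11 web01 sshd[2150]: Failed password for root from 203.0.113.7 port 40215 ssh2
Mar  3 09:15:44 web01 sshd[2310]: Accepted password for svc_backup from 10.0.0.9 port 50001 ssh2
Mar  3 09:16:02 web01 sudo: svc_backup : TTY=pts/1 ; PWD=/var/backups ; USER=root ; COMMAND=/bin/bash
Mar  3 09:30:00 web01 sshd[2400]: Accepted publickey for bob from 10.0.0.6 port 51200 ssh2
"""

# Assumed policy (control #5): only these accounts may escalate with sudo.
APPROVED_ADMINS = {"alice"}
# Assumed detection threshold (control #6): this many failed passwords from
# one source address is treated as a brute-force signal.
BRUTE_FORCE_THRESHOLD = 5

# sudo's syslog format: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# sshd's failed-password line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def find_unapproved_sudo(lines, approved=APPROVED_ADMINS):
    """Return (user, target_user, command) for every sudo escalation by an
    account that is not on the approved administrator list."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and m.group("user") not in approved:
            findings.append((m.group("user"), m.group("target"), m.group("cmd")))
    return findings


def find_brute_force(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return {source_ip: failed_attempts} for sources at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def triage(log_text):
    """Run both detections over raw log text and return the findings by type."""
    lines = log_text.splitlines()
    return {
        "unapproved_sudo": find_unapproved_sudo(lines),
        "brute_force": find_brute_force(lines),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the constructed sample the script reports the service account svc_backup obtaining a root shell through sudo, and five failed root logins from 203.0.113.7. Neither finding requires anything beyond logs the hosts already produce; what the control demands is that someone, or something, actually reads them.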
How can the 20 Critical Security Controls help deal with ransomware?
Ransomware is one of today’s most widely discussed malware families and has turned out to be a problem nearly every organization faces. Ransomware attacks usually involve encrypting or even destroying an organization’s data. Implementing control #10, “data recovery capability”, and adopting sound data recovery strategies can let an organization get its data back even after a ransomware attack. Those backups only help if at least one copy is kept offline or otherwise isolated from the network the ransomware can reach, and if restores are tested regularly rather than assumed to work.
How are the CIS Critical Controls usually tracked within organizations? What are the limitations of such tools?
Unfortunately, most organizations still use good old Excel spreadsheets when implementing the 20 Critical Security Controls. While spreadsheets are an easy way to list the controls along with action items, targets and other details, keeping them up to date is manual work, and they quickly become a source of confusion when more than one employee edits the same sheet to perform a gap analysis.
A more effective way to map your environment to the CIS Critical Security Controls is a cybersecurity analytics tool that offers visibility into an organization’s security posture in terms of the 20 Critical Security Controls, such as our Governance Module. Accessible at all times through the ArkAngel platform, the Governance Module dashboard focuses on the properties of your organization’s assets and the vulnerabilities discovered in them on a continuous basis. It helps you understand what your current security posture is, how it evolves over time and how you can lower your cybersecurity risk in line with your business objectives.
Interested in learning more about how your organization can strengthen its security posture with the 20 CIS Critical Security Controls? Watch our webinar recording here or contact us directly to request more information about our Governance Module.