Critical Security Controls: From Adoption to Implementation

A SANS Analyst Survey
Written by James Tarala
Advisor: Tony Sager
September 2014
Sponsored by Qualys
©2014 SANS™ Institute


Executive Summary

“This country may be turning the corner on cybersecurity! The National Governors Association, the Atlantic Council, Zurich Insurance, the Center for Internet Security, the MS-ISAC, and other major nationwide institutions are all calling for basic cybersecurity hygiene, specifically using the Critical Security Controls. And 14 of the 20 leading security vendors have aligned part or all of their product offerings with the Critical Security Controls. Clearly we are witnessing the beginning of a movement.”

The Honorable Jane Holl Lute, recently Deputy Secretary of the U.S. Department of Homeland Security and Chair of the Council on CyberSecurity.1

SANS has worked with the security community on the Critical Security Controls (CSCs) for several years and has published several papers on the subject, including a 2013 survey.2 Over the past year we have seen three major reasons why the CSCs are being adopted:

• Implementing the CSCs is the fastest and most cost-effective way to focus security staffs and budgets on the high-payback areas that achieve meaningful and measurable cyber risk reduction.

• They facilitate cooperation between IT security and audit staffs because the controls reflect a broad consensus on the security processes and tools that are absolutely necessary to prevent or mitigate actual cyberthreats.

• The controls approach has proven to boost security managers’ careers and budgets because they provide the focus and clarity needed to gain top management support and budget approval.

As part of the SANS commitment to support this growing effort, in 2014 we conducted a second Critical Controls survey. More than 300 cybersecurity professionals answered a series of questions about the adoption and value of the Critical Security Controls. Nearly 40% were from government and financial enterprises, with the remaining participants representing a wide variety of industries and not-for-profits. This paper provides the results of that survey and documents previously conducted case studies around adoption and implementation of the CSCs.


1 Personal communication with Alan Paller, September 14, 2014.
2 Go to www.sans.org/reading-room/whitepapers/analyst/2013-critical-security-controls-survey-moving-awareness-action-35065 to download a copy of “SANS 2013 Critical Security Controls Survey: Moving from Awareness to Action.”

Highlights of the 2014 Survey

1. High levels of support for adoption
• 26% of organizations adopting the CSCs say their top executives outside of IT are actively supporting adoption
• 61% of those organizations say IT management above the CISO is providing support for adoption of the controls
• 66% say the CISO, CSO or InfoSec manager is the key source of support

2. Barriers to adoption remain
• 54% cite budget issues, and 63% cite staffing shortages
• 36% note operational silos, while 32% point to incompatible legacy systems

3. Most and least widely adopted controls
• Most widely adopted (fully or partially implemented): malware defenses (96%) and boundary defense (94%)
• Least widely adopted: application software security (73%), effective security skills assessment and training (73%) and penetration testing (64%)

4. Need to quantify improvements enabled by the CSCs
• 25% report they are able to quantify results and report those to management
• 52% have noted improvements, but have not quantified them

5. Sharing of information needed to accelerate implementing the CSCs
• 68% requested usable case studies of successful implementations
• 58% would like better operational best practices and support
• 54% would like to see a directory of applicable tools
• 53% would like sector-specific guidelines


Why the Critical Security Controls?

Over the years, the information assurance industry has developed best practices and frameworks, but many times implementing these frameworks became cumbersome and served only to provide information for compliance reports, instead of being used to block attacks against information systems.

The Critical Security Controls (CSCs) took a different route. A team of experts on offensive and defensive techniques from the NSA Red and Blue Teams, US-CERT, the DoD Cyber Crime Center, DOE nuclear labs and commercial forensics and incident response organizations came together to identify all known attacks and to specify what organizations needed to do to block or mitigate damage from those attacks. An expanded team of professionals from key government agencies and various industries around the world has periodically updated both the threats and the corresponding mitigations (controls) to reflect changing technology and changing attack patterns. Version 5.0 of the CSCs was released in February 2014.

The thinking behind the controls is that nearly every organization faces a set of common threats, as well as some unique threats. By pooling resources to determine the best ways to mitigate the most common and damaging threats, enterprises could have a cost-effective and consistent set of prioritized controls to defend against the common attacks that are doing great damage.

The CSCs are prioritized, with the first four controls being the most widespread and effective actions to block malicious attacks from the Internet. Interestingly, this is not the order in which these controls are being adopted, which we will discuss later in the paper. Figure 1 provides a list of the CSCs in priority order, with the first four providing adopters with quick security wins.

More information on the history, background and values that have gone into the Critical Security Controls can be found on the Council on CyberSecurity’s website at www.counciloncybersecurity.org/critical-controls.

Figure 1. The Critical Security Controls (20 Critical Security Controls for Effective Cyber Defense, in priority order)

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises

Who Took the Survey

In this year’s survey, 328 people from a variety of businesses and government entities completed the survey. The largest group represented was the financial services industry (22%), with the government sector contributing an additional 18%. Other industry verticals were also well represented, with high-tech (8%), energy/utilities (7%), education (7%), health care/pharmaceuticals (6%), telecommunications carriers and service providers (6%), and manufacturing (6%) also making strong showings. Figure 2 illustrates the makeup of the survey sample.

In 2013, 17% of those who took the survey were from financial agencies, with 20% hailing from the government sector. We would expect government agencies to be primary adopters of the controls, given their struggles with Federal Information Security Management Act (FISMA) compliance and the heavy federal influence on the CSCs. In both the 2013 and 2014 surveys, the financial services and government sectors were most highly represented in their respective samples. Based on these results and follow-up interviews with IT professionals in each of the sectors, private sector interest in the controls is growing. It also appears that US government interest in the CSCs is holding steady. This may be due, in part, to the new guidance published by the Department of Homeland Security (DHS) on Continuous Diagnostics and Mitigation (CDM), which has been highly influenced by and aligned with the CSC project,3 and to the inclusion of the CSCs as “reference” in the February 2014 Cybersecurity Framework announced by the White House.4

3 Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM), www.dhs.gov/cdm
4 www.nist.gov/cyberframework

What is your organization’s primary industry?

Figure 2. Industries Represented

[Chart of respondents by industry. Categories shown: Financial; Other; Energy/Utilities; Health care/Pharmaceutical; Manufacturing; Retail; Government; High tech; Education; Telecommunications carriers/Service provider; Hosting/Service provider; Engineering/Construction.]

Percentage of respondents from the financial services and government sectors: 40%

For more information on CDM implementation, download the SANS survey “Continuous Diagnostics and Mitigation” at www.sans.org/reading-room/whitepapers/analyst/continuous-diagnostics-mitigation-making-work-35317.

Organization Size

Based on survey respondents, CSC adoption and awareness also spreads across organizations of various sizes: 21% represented organizations with workforces larger than 15,000; 24% represented organizations between 1,001 and 5,000; and 22% said their workforces were between 100 and 1,000. Even very small organizations, those with fewer than 100 employees, participated (15%). Representation from all sizes of organizations points to a common interest in using the CSCs to ensure security (see Figure 3).

These results are similar to the 2013 survey results, in which respondents were predominantly (40%) from organizations larger than 2,000 employees, with 13% coming from companies with fewer than 100 employees.

What is the size of your organization’s workforce, including both employees and full-time contractors?

Figure 3. Organization Size

[Chart of respondents by workforce size. Bands shown: More than 15,000; 10,001–15,000; 5,001–10,000; 1,001–5,000; 100–1,000; Fewer than 100.]

Respondent Roles

It also appears that a wide range of job roles within organizations has expressed interest in utilizing the CSCs. The largest single group of respondents were security analysts (25%), followed by those in an information assurance management role, such as chief information security officer (CISO), chief security officer (CSO) and security manager or director (23%). Given that compliance is generally cited as a reason for security efforts in general, it is interesting that only 5% of respondents reported filling a compliance role in their organization. Figure 4 shows the range of roles represented.

Taking all the demographic results together, the survey sample provides a good cross-section of industries, job roles and organizational sizes from which we can extrapolate trends within the SANS audience with regard to the adoption and implementation of the CSCs.

Percentage of respondents in the role of security analyst, security manager or director, CSO or CISO: 48%

What is your primary role in the organization, whether as staff or consultant? Select the most appropriate.

Figure 4. Respondent Roles

[Chart of respondents by role. Roles shown: Security analyst; Security administrator; Network/System administration or operations; Forensics analyst; Software engineer/Architect; Compliance officer/Auditor; Fraud investigator; CISO/CSO/Security manager/Director; CIO/IT manager/Director; Other; Software developer; Risk manager; Functional business-unit manager.]

Awareness and Adoption

Reports of cyber attacks appear almost every day. However, there have also been many reports about how the CSCs can help prioritize risk reduction functions and improve resiliency.5 In this section, we examine who is aware of, who is supporting and who is adopting which controls.

Awareness of the CSCs Within Organizations

Cybersecurity awareness has skyrocketed in the last few years due to some very public data breaches across multiple vectors and pervasive vulnerabilities, such as the Heartbleed bug. Press coverage has taken the problem from the primary purview of technologists and engineers to involve those with general management responsibilities. Once these executives take notice, they search out practical, prioritized, authoritative guidance to tell them what needs to be done and how to measure their internal IT security teams.

This SANS survey reinforces the strength of the CSCs among management. Of those organizations aware of and adopting the controls, 26% report support from leaders outside IT, including chief operating officers and CEOs. This level of top management awareness and support for a specific security initiative is very rare. Business unit managers and directors were not far behind, also providing support to 26% of responding organizations. In addition, more than 60% of adopters report support from IT management above the CISO, while CISO support was cited in 66% of the adopting organizations, as shown in Figure 5.

5 www.counciloncybersecurity.org/critical-controls/case-studies

Percentage of respondents indicating support for the CSCs at the highest level of decision making: 26%

Who in your organization is aware of and supportive of adopting the Critical Security Controls? Check all that apply.

Figure 5. Leaders with Awareness and Support of the CSC Effort

[Chart of supporting roles. Roles shown: CIO/CTO/IT manager; Security administrator; IT administrator; Highest-level decision makers, such as CEO, COO; Business-unit directors or managers; Compliance officer; Privacy officer; Other; CSO/CISO/Infosec manager.]

Case Study: Reality Check

A new security manager at a mid-sized utility learned about the CSCs and saw their implementation as a way of getting his arms around the challenges and opportunities he would face in his new position. He first measured and mapped the utility’s current posture in each of the 20 controls, produced an implementation score for each and charted the scores on a red/yellow/green satellite chart. He then worked out a 3-year plan to improve those scores substantially. His CIO asked him to brief the Chairman of the Board and the Executive Committee on the current status chart and the 3-year plan. The Chairman’s reaction was remarkable; he said, “This is the first time a security person has made sense to me.”

Adoption Rates

Acknowledging that we are studying a group predisposed to adopt and implement the CSCs, the results indicate 72% of respondents have implemented at least some of the controls in their organization. Another 10% plan to adopt more controls within the next 12 months, with an additional 8% planning implementations in the next 12 to 24 months. Only 4% have no plans to adopt the controls, and just 6% are not aware of the CSCs and were directed to exit the survey without answering any more questions (see Figure 6).

Have you or are you planning on adopting any of the Critical Security Controls?

Figure 6. State of CSC Adoption

Yes, we have implemented all of the controls in our organization.

Yes, we have implemented some of the controls in our organization.

Yes, although we have not adopted any controls at this time, we plan to within 12 months.

Yes, we plan to adopt controls within 12-24 months.

No, we have no plans to adopt the controls.

No, we are not aware of the CSCs.

CSCs as a Benchmark

In addition to implementing the CSCs, many organizations represented in this survey are choosing to use the CSCs as a benchmark against which to assess their organization’s defensive posture. Of the respondents, 81% indicated that they had either completely or partially assessed their organization’s cybersecurity capabilities through the lens of the CSCs, and another 17% noted they were planning to do so in the upcoming 12 to 24 months. Only 3% reported their organization had no plans to use the CSCs as a benchmark in the near future, as shown in Figure 7.

Have you assessed your security architecture against the Critical Security Controls?

Figure 7. Use of the CSCs as a Benchmark of Security

Yes, we’ve fully assessed our architecture against the controls.

Partially, we’ve assessed some of our architecture against the controls.

Not yet, but we plan to within the next 12-24 months.

No, we have no plans to do so.

Implementation Progress, Barriers and Drivers

CSCs 1–4 are thought to be the quick hits to garner security improvements. Interestingly, though, they were not even among the top five controls already being implemented by respondents. Their most implemented controls include:

• 5: Malware Defenses (47% partially implemented, 50% fully implemented)
• 13: Boundary Defense (45% partially implemented, 49% fully implemented)
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (51% partially implemented, 41% fully implemented)
• 12: Controlled Use of Administrative Privileges (57% partially implemented, 34% fully implemented)
• 8: Data Recovery Capability (52% partially implemented, 39% fully implemented)

See Table 1 for the level of respondent implementations across all controls.

Table 1. CSC Implementation6 (percentage of respondents reporting partial, full or no implementation of each control)

CSC 1, Inventory of Authorized and Unauthorized Devices: Partial 60%, Full 27%, None 12%
CSC 2, Inventory of Authorized and Unauthorized Software: Partial 64%, Full 22%, None 13%
CSC 3, Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers: Partial 62%, Full 27%, None 10%
CSC 4, Continuous Vulnerability Assessment and Remediation: Partial 58%, Full 28%, None 14%
CSC 5, Malware Defenses: Partial 47%, Full 50%, None 4%
CSC 6, Application Software Security: Partial 55%, Full 18%, None 26%
CSC 7, Wireless Access Control: Partial 45%, Full 43%, None 12%
CSC 8, Data Recovery Capability: Partial 52%, Full 39%, None 7%
CSC 9, Security Skills Assessment and Appropriate Training to Fill Gaps: Partial 54%, Full 18%, None 26%
CSC 10, Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Partial 51%, Full 41%, None 8%
CSC 11, Limitation and Control of Network Ports, Protocols, and Services: Partial 53%, Full 36%, None 9%
CSC 12, Controlled Use of Administrative Privileges: Partial 57%, Full 34%, None 8%
CSC 13, Boundary Defense: Partial 45%, Full 49%, None 4%
CSC 14, Maintenance, Monitoring, and Analysis of Audit Logs: Partial 63%, Full 19%, None 16%
CSC 15, Controlled Access Based on the Need to Know: Partial 57%, Full 29%, None 13%
CSC 16, Account Monitoring and Control: Partial 58%, Full 26%, None 15%
CSC 17, Data Protection: Partial 58%, Full 24%, None 16%
CSC 18, Incident Response and Management: Partial 62%, Full 23%, None 15%
CSC 19, Secure Network Engineering: Partial 59%, Full 25%, None 15%
CSC 20, Penetration Tests and Red Team Exercises: Partial 43%, Full 21%, None 35%

6 Totals do not add up to 100% due to rounding error.

It makes sense that malware and perimeter defenses top the list, given that antivirus, firewalls and IDS/IPS have historically been the first line of defense for organizations. The top five controls being implemented within responding organizations today are the same as in the 2013 survey, indicating little movement in the first four controls that are recommended by the CSCs as the quick hits for better protection.

This is likely due to barriers in skills and staffing. The first indication of these barriers is revealed when looking at the controls respondents most often reported as not implemented at all (the None column in Table 1):

• 9: Security Skills Assessment and Appropriate Training to Fill Gaps (26%)
• 6: Application Software Security (26%)
• 20: Penetration Tests and Red Team Exercises (35%)

Barriers to Implementing the Controls

Lack of staff/skills and resources are directly implicated as the main reasons organizations are having trouble implementing some of the controls, according to 63% of survey respondents who highlighted insufficient staffing or personnel resources and 54% who cited lack of budget as the major barriers to adoption. The next group (36%) points to ongoing disconnect among operational and security silos, as shown in Figure 8.

What barriers inhibit your adoption of the Critical Security Controls? Check all that apply.

Insufficient staffing or personnel resources

Lack of strategic or tactical planning

Unsure of how to prioritize CSC implementation

Disconnect between IT/Operational silos

Lack of management support

Other

Lack of budget

Lack of means to integrate and comprehensively manage the controls

Mergers/Acquisitions/Changing operations

Incompatible legacy systems

Inability to align with business goals

Unclear, confusing or conflicting security requirements within the CSC framework

Figure 8. Barriers to CSC Adoption


These are the same barriers cited in the 2013 survey, which selected operational silos (43%), followed by personnel skills gap (41%) and confusion over which controls to implement first (36%) as the top barriers.

Personnel and their skills, often affected by budgets, and concern over operational silos definitely are key barriers to effective implementation. The lack of communication among silos may, in fact, contribute to the difficulties in prioritizing which controls to implement first.

These two-year results lend credence to the common belief that analysts know what needs to be done to protect their information systems and reduce attack surfaces, and they want to do it. However, a lack of resources is keeping them from achieving their goals.

The need to prioritize limited resources is one of the reasons the CSCs have become so popular at the senior IT levels and even the executive and business operations levels within organizations. If communication can be improved among the various organizational silos, the CSCs can help organizations prioritize their limited resources and focus on how to most efficiently augment what they lack, including skills.

Drivers for Adopting the Controls

In 2002 a number of regulatory groups published standards required by law or contract. Regulations such as the Sarbanes-Oxley Act of 2002 and the Federal Information Security Management Act of 2002 are just two examples of such regulatory standards that were released. Compliance became a driver for security spending, but only in limited terms and only enough to satisfy the requirements of auditors or regulators.

Supporting compliance initiatives, then, might seem as if it would be a key driver for adoption of the CSCs. However, based on both the 2013 and 2014 survey results for this audience, supporting compliance and regulations, represented by the “Need to reconcile/complement other security frameworks or compliance schemes” option, are much lower drivers (38% in 2013 and 42% in 2014) for implementing the CSCs than we might expect.

Leading drivers for 2014 respondents include the need for a clearer way to present, manage and report on security progress or risk posture (66%) and the need to prioritize defensive actions (57%). Figure 9 presents the drivers respondents felt were most important.

In 2013, 64% of respondents needed a clearer picture of their risk posture. In 2014, 66% (a slight increase) need a clearer way to present their security progress or risk posture to stakeholders, demonstrating the need to bridge the gap between silos and draw business operations into the risk management framework.

What are the drivers for your adoption of the Critical Security Controls? Check all that apply.

Need for a clearer way to present, manage and report on security progress or risk posture

Belief that the broad community approach of the CSCs is a powerful model to drive defensive action

Need to prioritize our defensive actions

Need for a better means to detect advanced attacks/improve response

An increasing number of attacks attempted against our systems

The rising number of intrusions discovered within our environment

Need to reconcile/complement other security frameworks or compliance schemes (e.g., FISMA, PCI, ISO)

Response to internal group or agency directives (such as from DHS, OMB, headquarters)

Other

Figure 9. Drivers for CSC Adoption

Where Are We Today?

Because the majority of organizations represented in this survey have implemented security perimeters to stop malware and intrusions, SANS recommends these organizations and others like them turn their attention to Controls 1–4 for better prevention and visibility. To do this, they need to focus on several core tenets of the controls:

• Assessing and identifying gaps in security
• Tools and practices
• Auditing environments for adherence to control groups
• Reporting implementation progress

Assessing and Identifying the Security Gaps

The philosophy of the CSCs is that organizations should assess their environment utilizing automated means to do so whenever possible. Unfortunately, especially when organizations first begin this process, automated tools are not available to assist organizations in performing gap analysis.

Most respondents are conducting gap assessments in accordance with some or all of the controls. Of those implementing the controls, 83% performed some type of automated or manual gap assessment: 40% use a combination of automated and manual processes in their analysis, only 3% use fully automated processes and 36% complete their assessments manually (see Figure 10).
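The gap-assessment discussion above recommends automating the assessment against Controls 1–4 wherever possible, and the case study earlier in the paper scores each control and plots it red/yellow/green. The Python script below is an added example written for this page; it is not code from SANS, Qualys or the Council on CyberSecurity. It reconciles an authorized device inventory (CSC 1) and a software allow list (CSC 2) against what discovery actually observed, reports the findings an auditor would want to see, and bands the coverage for a status chart. The MAC addresses, hostnames, package names and band thresholds are all constructed for the example and are not values the paper prescribes.

```python
"""Automated gap check for CSC 1 (device inventory) and CSC 2 (software
inventory). Added example for this page, not code from the SANS paper.
All inventory data below is constructed; the red/yellow/green thresholds
are an assumption, not values the paper prescribes.
"""
from dataclasses import dataclass, field

# Constructed sample: authorized device inventory (CSC 1), MAC -> hostname,
# as an asset-management system might export it.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "fs01",
    "00:11:22:33:44:02": "ws-alice",
    "00:11:22:33:44:03": "ws-bob",
    "00:11:22:33:44:04": "printer-2f",
}

# Constructed sample: devices actually seen by discovery (ARP sweep, DHCP
# leases or an active scan), MAC -> IP observed.
DISCOVERED_DEVICES = {
    "00:11:22:33:44:01": "10.0.1.10",
    "00:11:22:33:44:02": "10.0.1.21",
    "00:11:22:33:44:03": "10.0.1.22",
    "aa:bb:cc:dd:ee:ff": "10.0.1.99",  # rogue: on the wire, not in inventory
}

# Constructed sample: software allow list (CSC 2) and per-host package
# lists as an endpoint agent would report them.
AUTHORIZED_SOFTWARE = {"openssh-server", "chrome", "libreoffice", "cups"}
INSTALLED_SOFTWARE = {
    "fs01": {"openssh-server", "cups"},
    "ws-alice": {"chrome", "libreoffice", "teamviewer"},  # teamviewer not allowed
    "ws-bob": {"chrome", "openssh-server"},
}


@dataclass
class GapReport:
    """Findings for CSC 1 and CSC 2 plus a coverage ratio (0.0 to 1.0) for each."""
    unauthorized_devices: dict = field(default_factory=dict)   # MAC -> IP
    missing_devices: dict = field(default_factory=dict)        # MAC -> hostname
    unauthorized_software: dict = field(default_factory=dict)  # host -> [packages]
    device_coverage: float = 0.0
    software_coverage: float = 0.0


def band(coverage: float) -> str:
    """Map a coverage ratio to the red/yellow/green bands the case study
    charts. Thresholds are assumed for this example."""
    if coverage >= 0.95:
        return "green"
    if coverage >= 0.80:
        return "yellow"
    return "red"


def assess(authorized_devices, discovered_devices,
           authorized_software, installed_software) -> GapReport:
    """Reconcile inventory against observation and compute coverage."""
    report = GapReport()

    # CSC 1: anything observed but not inventoried is an unauthorized device;
    # anything inventoried but never observed is a stale record (or an
    # offline asset) that also needs follow-up. Coverage is the share of
    # observed devices that the inventory already knew about.
    seen, known = set(discovered_devices), set(authorized_devices)
    report.unauthorized_devices = {m: discovered_devices[m] for m in seen - known}
    report.missing_devices = {m: authorized_devices[m] for m in known - seen}
    report.device_coverage = len(seen & known) / len(seen) if seen else 1.0

    # CSC 2: per host, every installed package outside the allow list.
    # Coverage is the share of hosts with nothing unauthorized installed.
    clean_hosts = 0
    for host, packages in installed_software.items():
        extra = sorted(packages - authorized_software)
        if extra:
            report.unauthorized_software[host] = extra
        else:
            clean_hosts += 1
    report.software_coverage = (clean_hosts / len(installed_software)
                                if installed_software else 1.0)
    return report


def scorecard(report: GapReport) -> dict:
    """Per-control band, the one-line summary a status chart would plot."""
    return {"CSC 1": band(report.device_coverage),
            "CSC 2": band(report.software_coverage)}


if __name__ == "__main__":
    r = assess(AUTHORIZED_DEVICES, DISCOVERED_DEVICES,
               AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE)
    print("unauthorized devices:", r.unauthorized_devices)
    print("inventoried but not seen:", r.missing_devices)
    print("unauthorized software:", r.unauthorized_software)
    print("scorecard:", scorecard(r))
```

The two inputs on each side come from different sources on purpose: the inventory is what the organization believes it owns, and the discovery data is what is actually on the network, so the diff in either direction is the gap. In practice the discovery dictionaries would be fed from a scanner export or DHCP logs, and the thresholds tuned to the organization's own 3-year targets.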


How did you undertake your initial gap assessment of where to implement the Critical Security Controls in your enterprise?

Figure 10. Initial Gap Analysis Methodologies

A combination of automated discovery and many manual processes

Manually

No initial gap assessment was conducted

An external consulting firm did it all for us

Fully automated using multiple discovery tools

Other

Fully automated using a single discovery tool



In the 2014 survey, fewer respondents reported their organizations were utilizing automated mechanisms either alone or in concert with manual efforts to perform this initial gap analysis of their organization’s alignment with the controls (43% used automated gap assessment in 2014 versus 47% in 2013). Similarly, more are using manual methods today (36% in 2014 versus 27% in 2013). A likely explanation for this perceived drop in automated assessment practices is that responding organizations have had additional time to dig into the details of the controls since 2013 and now have a more realistic view of their enterprise assessment capabilities. As a result, they are using manual assessments to supplement their automated tools.

Tools and Practices

The most commonly used technologies identified in the CSC implementations studied include endpoint malware protection (95%), network malware protection in the form of firewalls and IDS (94%), database or system access controls (82%), vulnerability assessment (82%), vulnerability management (77%) and SIEM or log management (76%). The least used technologies for respondents’ organizations include wireless intrusion detection systems (36%), software and application code analysis (38%), unified threat management devices (39%) and application whitelisting software (43%). See Table 2.

Table 2. Tools and Methodologies Used to Implement the CSCs⁷

Answer Options                                 Legacy  Updated  Added  Total  Not Attempted
Endpoint malware protection                       50%      33%    12%    95%             5%
Network malware protection (firewalls, IDS)       39%      43%    12%    94%             5%
Database or system access controls                45%      27%    10%    82%            16%
Vulnerability assessment                          30%      35%    17%    82%            16%
Vulnerability management                          26%      32%    19%    77%            21%
SIEM/Log management                               23%      32%    21%    76%            22%
Application or database firewall                  27%      25%     9%    61%            37%
Data protections (DLP/Encryption/Masking)         23%      21%    17%    61%            37%
Virtualization/Sandboxing                         19%      23%    15%    57%            40%
Network access control (NAC)                      24%      23%     9%    56%            42%
Public key infrastructure (PKI)                   29%      19%     7%    55%            43%
Threat intelligence                               15%      22%    18%    55%            42%
Other application protections                     20%      19%    10%    49%            48%
Network behavior analysis                         13%      18%    17%    48%            51%
Other endpoint protections                        19%      28%    11%    48%            40%
Security data analysis                            14%      23%    11%    48%            49%
Network forensics                                 14%      14%    16%    44%            53%
Application whitelisting software                 12%      19%    12%    43%            56%
Unified threat management                         10%      18%    11%    39%            57%
Software/application code analysis                17%      15%     6%    38%            59%
Wireless intrusion detection system (WIDS)        13%      14%     9%    36%            61%

7 Totals do not add up to 100% due to rounding error.


These results reflect that organizations are updating what they already have in place and are beginning to augment with entirely new technologies and services. Tools that were the most likely to be added by responding organizations include SIEM/log management (21%), vulnerability management (19%) and threat intelligence (18%), followed by vulnerability assessment, data protections and network behavior analysis, each at 17%. With better ability to assess and manage vulnerabilities, we are likely to see more emphasis on Controls 1–4 in the coming year.

Auditing the Environment

Many internal audit groups represented in this survey have come to realize the value of the CSCs as a roadmap for which controls should most influence their audit planning cycles. When asked how often they assessed their environments against the controls, 38% are auditing their own organizations on an annual basis, while 20% audit quarterly. It is encouraging that 13% report continual monitoring and an additional 9% are performing audits monthly or more frequently. This may be a sign that the idea of automation is beginning to sink in to the audit process as well (see Figure 11).

Another 15% of respondents noted that at this point they are not performing any audits using the CSCs as a baseline for meeting the controls. This is not a high number, considering the relative newness of the controls. Still, it would be ideal for all organizations to use the CSCs for audits.

How often do you audit your IT environment to ensure your organization is meeting the goals of the control?

Figure 11. Audit Frequency (answer options: We don’t audit; Yearly; Quarterly; Monthly; Weekly; Daily; Continually; Other)

Percentage of respondents who report continuous monitoring: 13%


Reporting Implementation Progress

When it comes to assessing how their implementations of the CSCs made security improvements, closed gaps or improved risk posture, the vast majority (77%) were able to see improvements, but only 25% were able to quantify those improvements (see Figure 12).

Perhaps with more emphasis on automating their controls, responding organizations will begin to be able to quantify some of their advances. It is particularly essential that the 23% who can’t assess and quantify improvements (or don’t know) gain this capability. Such information is invaluable in securing upper management support and financial buy-in for needed staff, training and equipment.

CASE STUDY: Reality Check

The U.S. Department of State implemented a measurement and monitoring system to gather data every 72 hours on elements of the highest priority CSCs and ranked each embassy and office on their progress in mitigating risks. They shared the ratings with the top management at the State Department. Over 12 months, the measured risk levels across all 80,000 systems declined by 89%, and these reductions were extended and improved in the second year. The CISO was asked to implement a broader version of his solution across the entire government and was given a large budget to make that happen.

Can you assess how the implemented controls have made improvements, helped close gaps or improved your risk posture?

Figure 12. Respondents’ Ability to Quantify Improvements (answer options: Yes, we have quantified improvements that are reported to management; Yes, we have seen some improvements but have not quantified them; No; Unknown/Unsure)

The ability to quantify improvements is invaluable in securing upper management support and financial buy-in for needed staff, training and equipment.


Fortunately, 66% of respondents are able to provide reports on CSC implementation progress to executive hallways and boardrooms, thus engaging leadership in the risk responsibilities of managing information assets. They use a variety of methods to communicate this progress, including detailed reports (23%), maturity scales (19%), stoplight charts (13%) and trend lines (11%), as illustrated in Figure 13.

What is the primary method you used/use to present implementation progress to individuals in executive management/organizational governance?

Figure 13. Methods of Sharing Information (answer options: We don’t present this evidence; Detailed reports showing progress against a project or implementation plan; Current status against a maturity scale; Stoplight chart that allows visualization of progress; Risk reduction trend line; Other)


Unfortunately, the reports generated by sampled organizations are mostly manual: 47% still rely on the trusted spreadsheet, and 11% expect to continue to do so over the next 12 months. An additional 28% use multiple reporting tools to cover each of the CSC reporting sources, as shown in Figure 14.

Many respondents (54%) noted that they would like to move to a common, single dashboard for reporting CSC-based information in the next 12 months, something only 29% currently do.

Are tools and technology integration vendors ready to meet this need? Additional investments in business intelligence systems are necessary in order for organizations to achieve greater automation in their reporting. The integration tools should cross operational and security silos to meet the needs of all those consuming this information.

How do you currently aggregate, analyze and present evidence of Control effectiveness or compliance? What are your plans for the next 12 months? Check all that apply.

Figure 14. Reporting Tools Used (series: Current; Next 12 months. Answer options: Through manual and retrospective processes using spreadsheets; Multiple reporting tools for each of our CSC reporting sources; Single dashboard, custom-developed, that shows real-time effectiveness across all controls; Unknown/Not sure; Single dashboard, commercially developed; Other)

Percentage of respondents who want a single dashboard reporting CSC-based information: 54%


Integration Is Key

In both 2013 and 2014, our surveys show that responding organizations need to overcome the silo mentality and integrate the controls with automated processes for “full-picture” visibility. Survey results show respondents haven’t yet attained that, but do show, again, that they are attempting to fill the gaps with new technologies such as SIEM. When asked about their approach to integrating management of the controls into their operations, 66% of respondents to this year’s survey selected “Adding new technologies as gaps are identified” as their top means for integrating the controls, as illustrated in Figure 15.

In 2013, “Adding new technologies” was the fourth most selected answer, while “Focusing on the security controls that are most needed and make most sense” was the most selected answer. The answer options were updated for the 2014 survey, which explains this difference. Even with the different answer sets, some trends within this audience emerge:

• Organizations are moving beyond assessing controls to add new technologies based on gap assessments.

• IT security groups are reaching out to business units and breaking down silos. In the current survey, outreach to business units fell into third place, with 45% reaching out to business units; in 2013, this option placed second with 51%.

• Cloud-based CSC implementation/management is low but growing. In the 2014 survey, 13% selected cloud management of their CSCs, whereas only 8% chose this option in 2013.

• SIEM is catching on as a means to integrate and manage the control groups, with 37% selecting this option in the 2014 survey. (This answer option was not provided in the 2013 survey.)

Percentage of respondents who say adding new technologies as gaps are identified is their top means for integrating controls: 66%

What is your approach to integrating the management of the controls into your IT/security operations? Check all that apply.

Figure 15. Integration Approaches (answer options: Adding new technologies as gaps are identified; Reaching out to business units, IT groups and higher-ups; Using a SIEM to centralize management, workflow and reporting; Pushing these controls into the cloud under managed services; Setting priorities based on need or requirements; Setting priorities based on ease or difficulty of integration; Developing or acquiring technologies such as middleware and agents; Other)


On Their Wish Lists

To justify funding for the tools, skills and processes needed to improve risk posture, organizations must be able to show improvement, reduce cost and complexity, and seamlessly support new features or functions. This is why automation, integration and the ability to report on improvements are key. It is our hope that, in the future, more of those who are responsible for security and risk management of their business systems can measure improvements through reduced attack surface, better prevention and more automated, integrated processes that reduce overhead and complexity.

When asked to fill in their wish lists for 2015, respondents asked for a variety of changes that could be enhanced with automation and integration across control groups. Some of the common items repeated on their write-in wish lists include:

• Better communication with management and improved executive awareness

• More collaboration between educational and awareness organizations

• Ensuring control rankings and prioritization exactly match organizational needs

• Better means of managing controls across decentralized organizations

• Gap analysis templates

• Audit programs for the controls specific to various verticals such as financial institutions or manufacturers

• Better categorization of controls

Automation, integration and the ability to report on improvements are key.


Are They Working?

The controls are a working framework that continues to be improved and updated, thanks to the input of many top minds working together across government and private sector agencies. Adopters of the controls represented in this survey already say they are experiencing improvements in visibility, risk reduction and improved risk posture, complying with mandates and regulations, and detecting attacks (see Figure 16).

Many of the write-in options were positive, with one respondent saying, “The security controls have greatly helped our organization in managing risk, identifying gaps and, overall, pointing our organization in the right direction for the future.”

Another respondent added, “Our company has just started using the CSCs to manage various requirements from internal auditors. The controls have been extremely helpful in assessing gaps, prioritizing actions and guiding our implementation.”

Where have the controls you implemented made the most improvement? Choose your top three improvements.

Figure 16. Reported Improvements by CSC Implementers (series: First; Second; Third. Answer options: Risk reduction/Vulnerability mitigation; Clearer visibility/Situational awareness/Gap analysis; Improved incident response; Benchmarking systemic improvements; Improvements to overall risk posture; Compliance to mandates and regulations; Detecting advanced attacks; Faster, more thorough mitigation; Other)


Conclusion

Within the SANS audience, more organizations of various types consider the CSCs a reliable mechanism to reduce attack surfaces, increase visibility and improve protection and response.

Results show that more such organizations are making progress implementing technical systems for defense, and those that are progressing are experiencing reduced risk, clearer visibility and compliance support. However, they are still struggling with automation and integration across the controls. Product teams, integrators, IT and operational staff members, along with the business units they support, will need to work together to bring this level of automation to fruition.

As more organizations invest in CSC implementation, the industry is likely to see more quantifiable, clear results of organizations being better able to defend themselves and prove compliance and overall improvements through risk reduction.


About the Author

James Tarala is a principal consultant with Enclave Hosting, LLC and is based out of Venice, Florida. He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author and editor for many of its auditing and security courses. As a consultant he has spent the past few years architecting large enterprise IT security and infrastructure architectures, specifically working with many Microsoft-based directory services, email, terminal services and wireless technologies. James has also spent a large amount of time consulting with organizations to assist them in their security management, operational practices and regulatory compliance issues, and he often performs independent security audits and assists internal audit groups to develop their internal audit programs. James completed his undergraduate studies at Philadelphia Biblical University and his graduate work at the University of Maryland. He holds numerous professional certifications.

Sponsors

SANS would like to thank this survey’s sponsors: