Tony Sager, the Center for Internet Security

Making Best Practice Common Practice: the CIS Controls

TheLongandWindingRoad….

SeismicShi:s

•  Communica=onsSecurityà“Cyber”•  Mathema=csàCS,Networking,OpsAnaly=cs•  TechnologyàInforma=on,Opera=ons•  Governmentmonopolyàuser/marketdriven•  Na=onalSecurityàeconomic/socialRisk

Afewcybersecuritylessons

•  Cybersecurityislike“GroundhogDay”,not“IndependenceDay”

•  Knowingaboutflawsdoesn’tgetthemfixed•  CyberDefense==Informa=onManagement

–  notInforma=onSharing,nottechnology–  themostimportantverbistranslate

•  TheBadGuydoesn’tperformmagic•  There’salargebutlimitednumberofdefensivechoices

–  priori=za=onisALWAYSrequired–  andthe80/20ruleapplies(TheParetoPrinciple)

“The ”

standards SDL

supply-chain security

securitybulletinsuser awareness training

browser isolationtwo-factor authentication

encryption

incident response

security controls

threat intelligence

whitelistingneed-to-know

SIEMvirtualizationsandbox

compliance

maturity model

anti-malware

penetration testing

audit logs

baseline configuration

risk management framework

continuous monitoring

DLP

threat feed

certification

assessmentbest practice

governance

TheDefender’sDilemma

1.  What’stherightthingtodo,andhowmuchdoIneedtodo?2.  HowdoIactuallydoit?3.  AndhowcanIdemonstratetoothersthatIhavedonethe

rightthing?

fromBestPrac=ceàCommonPrac=ce

•  Howdoweknowwhatis“best”?–  BasedonData?Solu=ontotheworstproblem?Trustedsource?

•  Whatisa“prac=ce”?–  Howspecific?HowdoIactuallydoit?WhatdoIneedtodothis?

•  Whatarethebarriers?–  Knowledge?Cost?Tools?Training?Enforcement?Misalignment?

Repeatability?

•  Ittakesmorethanalistofprac=ces–  Marketplaceoftools,training;community-building;sharingofideas;

alignmentofprac=ceswithoversight,audi=ng,compliance.

Howdidwegethere?

NSA/DoDProject(2008)

TheSANSIns=tute(2009)“TheSANSTop20Cri=calControls”

CouncilonCyberSecurity(2013;non-profit)“TheCri=calSecurityControls”

CenterforInternetSecurity(2015)“TheCISControls”

CenterforStrategicandInterna=onalStudies(2008)“TheConsensusAuditGuidelines”

CISCri=calSecurityControls(Version6)

RecentReferencestotheCISControls•  CaliforniaAiorneyGeneral’s2016DataBreachReport•  TheNISTCybersecurityFramework•  Symantec2016InternetSecurityThreatReport

–  andVerizonDBIR,HP,PaloAlto,Solu=onary…)•  Na=onalGovernor’sAssocia=on•  Na=onalConsor=umforAdvancedPolicing•  ConferenceofStateBankSupervisors•  ZurichInsurance•  UKCri=calProtec=onforNa=onalInfrastructure•  ENISA,ETSI

MakingBestPrac>ceCommonPrac>ce

TheCenterforInternetSecurity

Contact•  Website:www.cisecurity.org•  Email: contact@cisecurity.org•  Twiier: @CISecurity•  Facebook: CenterforInternetSecurity•  LinkedInGroups:

•  TheCenterforInternetSecurity•  20Cri=calSecurityControls