Tony Sager, the Center for Internet Security
Making Best Practice Common Practice: the CIS Controls
The Long and Winding Road…
Seismic Shifts
• Communications Security → “Cyber”
• Mathematics → CS, Networking, Ops Analytics
• Technology → Information, Operations
• Government monopoly → user/market driven
• National Security → economic/social Risk
A few cybersecurity lessons
• Cybersecurity is like “Groundhog Day”, not “Independence Day”
• Knowing about flaws doesn’t get them fixed
• Cyber Defense == Information Management
– not Information Sharing, not technology
– the most important verb is translate
• The Bad Guy doesn’t perform magic
• There’s a large but limited number of defensive choices
– prioritization is ALWAYS required
– and the 80/20 rule applies (The Pareto Principle)
“The ” (word-cloud slide)
standards, SDL, supply-chain security, security bulletins, user awareness training, browser isolation, two-factor authentication, encryption, incident response, security controls, threat intelligence, whitelisting, need-to-know, SIEM, virtualization, sandbox, compliance, maturity model, anti-malware, penetration testing, audit logs, baseline configuration, risk management framework, continuous monitoring, DLP, threat feed, certification, assessment, best practice, governance
The Defender’s Dilemma
1. What’s the right thing to do, and how much do I need to do?
2. How do I actually do it?
3. And how can I demonstrate to others that I have done the right thing?
from Best Practice → Common Practice
• How do we know what is “best”?
– Based on Data? Solution to the worst problem? Trusted source?
• What is a “practice”?
– How specific? How do I actually do it? What do I need to do this?
• What are the barriers?
– Knowledge? Cost? Tools? Training? Enforcement? Misalignment? Repeatability?
• It takes more than a list of practices
– Marketplace of tools, training; community-building; sharing of ideas; alignment of practices with oversight, auditing, compliance.
How did we get here?
NSA/DoD Project (2008)
Center for Strategic and International Studies (2008) “The Consensus Audit Guidelines”
The SANS Institute (2009) “The SANS Top 20 Critical Controls”
Council on CyberSecurity (2013; non-profit) “The Critical Security Controls”
Center for Internet Security (2015) “The CIS Controls”
CIS Critical Security Controls (Version 6)
Recent References to the CIS Controls
• California Attorney General’s 2016 Data Breach Report
• The NIST Cybersecurity Framework
• Symantec 2016 Internet Security Threat Report
– (and Verizon DBIR, HP, Palo Alto, Solutionary…)
• National Governors Association
• National Consortium for Advanced Policing
• Conference of State Bank Supervisors
• Zurich Insurance
• UK Critical Protection for National Infrastructure
• ENISA, ETSI
Making Best Practice Common Practice
The Center for Internet Security
Contact
• Website: www.cisecurity.org
• Email: [email protected]
• Twitter: @CISecurity
• Facebook: Center for Internet Security
• LinkedIn Groups:
– The Center for Internet Security
– 20 Critical Security Controls