A SANS Analyst Survey
Written by James Tarala
Advisor: Tony Sager
September 2014
Sponsored by Qualys
Critical Security Controls: From Adoption to Implementation
©2014 SANS™ Institute

Executive Summary

This Country may be turning the corner on cybersecurity! The National Governors Association, the Atlantic Council, Zurich Insurance, the Center for Internet Security, the MS-ISAC, and other major nationwide institutions are all calling for basic cybersecurity hygiene, specifically using the Critical Security Controls. And 14 of the 20 leading security vendors have aligned part or all of their product offerings with the Critical Security Controls. Clearly we are witnessing the beginning of a movement.
The Honorable Jane Holl Lute, recently Deputy Secretary of the U.S. Department of Homeland Security and Chair of the Council on CyberSecurity.1

SANS has worked with the security community on the Critical Security Controls (CSCs) for several years and has published several papers on the subject, including a 2013 survey.2 Over the past year we have seen three major reasons why the CSCs are being adopted:
• Implementing the CSCs is the fastest and most cost-effective way to focus security staffs and budgets on the high payback areas that achieve meaningful and measurable cyber risk reduction.
• They facilitate cooperation between IT security and audit staffs because the controls reflect a broad consensus on the security processes and tools that are absolutely necessary to prevent or mitigate actual cyberthreats.
• The controls approach has proven to boost security managers’ careers and budgets because they provide the focus and clarity needed to gain top management support and budget approval.
As part of the SANS commitment to support this growing effort, in 2014 we conducted a second Critical Controls survey. More than 300 cybersecurity professionals answered a series of questions about the adoption and value of the Critical Security Controls. Nearly 40% were from government and financial enterprises, with the remaining participants representing a wide variety of industries and not-for-profits. This paper provides the results of that survey and documents previously conducted case studies around adoption and implementation of the CSCs.

SANS ANALYST PROGRAM | Critical Security Controls: From Adoption to Implementation | 1

1 Personal communication with Alan Paller, September 14, 2014
2 Go to www.sans.org/reading-room/whitepapers/analyst/2013-critical-security-controls-survey-moving-awareness-action-35065 to download a copy of “SANS 2013 Critical Security Controls Survey: Moving from Awareness to Action.”
Highlights of the 2014 Survey

1. High levels of support for adoption
• 26% of organizations adopting the CSCs say their top executives outside of IT are actively supporting adoption
• 61% of those organizations say IT management above the CISO is providing support for adoption of the controls
• 66% say the CISO, CSO or InfoSec manager is the key source of support

2. Barriers to adoption remain
• 54% cite budget issues, and 63% cite staffing shortages
• 36% note operational silos, while 32% point to incompatible legacy systems

3. Most and least widely adopted controls
• Most fully adopted: malware defenses (96%) and boundary defense (94%)
• Least fully adopted: application software security (73%), effective security skills assessment and training (73%) and penetration testing (64%)

4. Need to quantify improvements enabled by the CSCs
• 25% report they are able to quantify results and report those to management
• 52% have noted improvements, but have not quantified them

5. Sharing of information needed to accelerate implementing the CSCs
• 68% requested usable case studies of successful implementations
• 58% would like better operational best practices and support
• 54% would like to see a directory of applicable tools
• 53% would like sector-specific guidelines

Why the Critical Security Controls?
Over the years, the information assurance industry has developed best practices and
frameworks, but many times implementing these frameworks became cumbersome and
served only to provide information for compliance reports—instead of being used to
block attacks against information systems.
The Critical Security Controls (CSCs) took a different route. A team of experts on offensive
and defensive techniques from the NSA Red and Blue Teams, US CERT, DOD Cyber Crime
Center, DoE Nuclear Labs and commercial forensics and incident response organizations
came together to identify all known attacks and to specify what organizations needed to
do to block or mitigate damage from those attacks. An expanded team of professionals
from key government agencies and various industries around the world has periodically
updated both the threats and the corresponding mitigations (controls) to reflect
changing technology and changing attack patterns. Version 5.0 of the CSCs was released
in February 2014.
The thinking behind the controls is that nearly every organization faces a set of common
threats, as well as some unique threats. By pooling resources to determine the best ways
to mitigate the most common and damaging threats, enterprises could have a cost-
effective and consistent set of prioritized controls to defend against the common attacks
that are doing great damage.
The CSCs are prioritized, with the first four controls being the most widespread and
effective actions to block malicious attacks from the Internet. Interestingly, this is not the
order in which these controls are being adopted, which we will discuss later in the paper.
Figure 1 provides a list of the CSCs in priority order, with the first four providing adopters
with quick security wins.
More information on the history, background and values that have gone into the Critical Security Controls can be found on the Council on CyberSecurity’s website at www.counciloncybersecurity.org/critical-controls.
20 Critical Security Controls for Effective Cyber Defense

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

Figure 1. The Critical Security Controls

Who Took the Survey

In this year’s survey, 328 people from a variety of businesses and government entities completed the survey. The largest group represented was the financial services industry (22%), with the government sector contributing an additional 18%. Other industry verticals were also well represented, with high-tech (8%), energy/utilities (7%), education (7%), health care/pharmaceuticals (6%), telecommunications carriers and service providers (6%), and manufacturing (6%) also making strong showings. Figure 2 illustrates the makeup of the survey sample.

In 2013, 17% of those who took the survey were from financial agencies, with 20% hailing from the government sector. We would expect government agencies to be primary adopters of the controls, given their struggles with Federal Information Security Management Act (FISMA) compliance and the heavy federal influence on the CSCs. In both the 2013 and 2014 surveys, the financial services and government sectors were most highly represented in their respective samples. Based on these results and follow-up interviews with IT professionals in each of the sectors, private sector interest in the controls is growing. It also appears that US government interest in the CSCs is holding steady. This may be due, in part, to the new guidance published by the Department of Homeland Security (DHS) on Continuous Diagnostics and Mitigation (CDM), which has been highly influenced by and aligned with the CSC project,3 and to the inclusion of the CSCs as “reference” in the February 2014 Cybersecurity Framework announced by the White House.4

3 Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM), www.dhs.gov/cdm
4 www.nist.gov/cyberframework
What is your organization’s primary industry?
Figure 2. Industries Represented
[Figure 2 is a bar chart; industries shown: Financial; Other; Energy/Utilities; Health care/Pharmaceutical; Manufacturing; Retail; Government; High tech; Education; Telecommunications carriers/Service provider; Hosting/Service provider; Engineering/Construction]

Percentage of respondents from the financial services and government sectors: 40%

For more information on CDM implementation, download the SANS survey “Continuous Diagnostics and Mitigation” at www.sans.org/reading-room/whitepapers/analyst/continuous-diagnostics-mitigation-making-work-35317.
Organization Size
Based on survey respondents, CSC adoption and awareness also spreads across
organizations of various sizes: 21% represented organizations with workforces larger
than 15,000; 24% represented organizations between 1,001–5,000; and 22% said their
workforces were between 100–1,000. Even very small organizations, those with fewer
than 100 employees, participated (15%). Representation from all sizes of organizations
points to a common interest in using the CSCs to ensure security (see Figure 3).
These results are similar to the 2013 survey results, in which respondents were
predominantly (40%) from organizations larger than 2,000 employees, with 13% coming
from companies with fewer than 100 employees.
What is the size of your organization’s workforce, including both employees and full-time contractors?
Figure 3. Organization Size
[Figure 3 is a chart; workforce size bands shown: More than 15,000; 10,001–15,000; 5,001–10,000; 1,001–5,000; 100–1,000; Fewer than 100]
Respondent Roles
It also appears that a wide range of job roles within organizations has expressed interest
in utilizing the CSCs. The majority of respondents were in the role of security analyst
(25%), followed by those in an information assurance management role, such as chief
information security officer (CISO), chief security officer (CSO) and security manager or
director (23%). Given that compliance is generally cited as a reason for security efforts in
general, it is interesting that only 5% of respondents reported filling a compliance role in
their organization. Figure 4 shows the range of roles represented.
Taking all the demographic results together, the survey sample provides a good cross-
section of industries, job roles and organizational sizes from which we can extrapolate
trends within the SANS audience with regard to the adoption and implementation of
the CSCs.
Percentage of respondents in the role of security analyst, security manager or director, CSO or CISO: 48%

What is your primary role in the organization, whether as staff or consultant? Select the most appropriate.
Figure 4. Respondent Roles
[Figure 4 is a bar chart; roles shown: Security analyst; Security administrator; Network/System administration or operations; Forensics analyst; Software engineer/Architect; Compliance officer/Auditor; Fraud investigator; CISO/CSO/Security manager/Director; CIO/IT manager/Director; Other; Software developer; Risk manager; Functional business-unit manager]

Awareness and Adoption

Reports of cyber attacks appear almost every day. However, there have also been many reports about how the CSCs can help prioritize risk reduction functions and improve resiliency.5 In this section, we examine who is aware of, who is supporting and who is adopting which controls.

Awareness of the CSCs Within Organizations

Cybersecurity awareness has skyrocketed in the last few years due to some very public data breaches across multiple vectors and pervasive vulnerabilities, such as the Heartbleed bug. Press coverage has taken the problem from the primary purview of technologists and engineers to involve those with general management responsibilities. Once these executives take notice, they search out practical, prioritized, authoritative guidance to tell them what needs to be done and how to measure their internal IT security teams.

This SANS survey reinforces the strength of the CSCs among management. Of those organizations aware of and adopting the controls, 26% report support from leaders outside IT, including chief operating officers and CEOs. This level of top management awareness and support for a specific security initiative is very rare. Business unit managers and directors were not far behind, also providing support to 26% of responding organizations. In addition, more than 60% of adopters report support from IT management above the CISO, while CISO support was cited in 66% of the adopting organizations, as shown in Figure 5.

5 www.counciloncybersecurity.org/critical-controls/case-studies

Percentage of respondents indicating support for the CSCs at the highest level of decision making: 26%

Who in your organization is aware of and supportive of adopting the Critical Security Controls? Check all that apply.
Figure 5. Leaders with Awareness and Support of the CSC Effort
[Figure 5 is a bar chart; roles shown: CIO/CTO/IT manager; Security administrator; IT administrator; Highest-level decision makers, such as CEO, COO; Business-unit directors or managers; Compliance officer; Privacy officer; Other; CSO/CISO/Infosec manager]
CASE STUDY: Reality Check
A new security manager at a mid-sized utility learned about the CSCs and saw their implementation as a way of getting his arms around the challenges and opportunities he would face in his new position. He first measured and mapped the utility’s current posture in each of the 20 controls, produced an implementation score for each and charted the scores on a red/yellow/green satellite chart. He then worked out a 3-year plan to improve those scores substantially. His CIO asked him to brief the Chairman of the Board and the Executive Committee on the current status chart and the 3-year plan. The Chairman’s reaction was remarkable; he said, “This is the first time a security person has made sense to me.”
Adoption Rates
Acknowledging that we are studying a group predisposed to adopt and implement
the CSCs, the results indicate 72% of respondents have implemented at least some of
the controls in their organization. Another 10% plan to adopt more controls within the
next 12 months, with an additional 8% planning implementations in the next 12 to 24
months. Only 4% have no plans to adopt the controls, and just 6% are not aware of the
CSCs and were directed to exit the survey without answering any more questions (see
Figure 6).
Have you or are you planning on adopting any of the Critical Security Controls?
Figure 6. State of CSC Adoption
Yes, we have implemented all of the controls in our organization.
Yes, we have implemented some of the controls in our organization.
Yes, although we have not adopted any controls at this time, we plan to within 12 months.
Yes, we plan to adopt controls within 12-24 months.
No, we have no plans to adopt the controls.
No, we are not aware of the CSCs.
CSCs as a Benchmark
In addition to implementing the CSCs, many organizations represented in this survey are
choosing to use the CSCs as a benchmark against which to assess their organization’s
defensive posture. Of the respondents, 81% indicated that they had either completely
or partially assessed their organization’s cybersecurity capabilities through the lens
of the CSCs, and another 17% noted they were planning to do so in the upcoming 12
to 24 months. Only 3% reported their organization had no plans to use the CSCs as a
benchmark in the near future, as shown in Figure 7.
Have you assessed your security architecture against the Critical Security Controls?
Figure 7. Use of the CSCs as a Benchmark of Security
Yes, we’ve fully assessed our architecture against the controls.
Partially, we’ve assessed some of our architecture against the controls.
Not yet, but we plan to within the next 12-24 months.
No, we have no plans to do so.
Implementation Progress, Barriers and Drivers

CSCs 1–4 are thought to be the quick hits to garner security improvements. Interestingly, though, they were not even among the top five controls already being implemented by respondents. Their most implemented controls include:
• 5: Malware Defenses (47% partially implemented, 50% fully implemented)
• 13: Boundary Defense (45% partially implemented, 49% fully implemented)
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (51% partially implemented, 41% fully implemented)
• 12: Controlled Use of Administrative Privileges (57% partially implemented, 34% fully implemented)
• 8: Data Recovery Capability (52% partially implemented, 39% fully implemented)
See Table 1 for the level of respondent implementations across all controls.

Table 1. CSC Implementation6

CSC | Partial | Full | None
1: Inventory of Authorized and Unauthorized Devices | 60% | 27% | 12%
2: Inventory of Authorized and Unauthorized Software | 64% | 22% | 13%
3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers | 62% | 27% | 10%
4: Continuous Vulnerability Assessment and Remediation | 58% | 28% | 14%
5: Malware Defenses | 47% | 50% | 4%
6: Application Software Security | 55% | 18% | 26%
7: Wireless Access Control | 45% | 43% | 12%
8: Data Recovery Capability | 52% | 39% | 7%
9: Security Skills Assessment and Appropriate Training to Fill Gaps | 54% | 18% | 26%
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | 51% | 41% | 8%
11: Limitation and Control of Network Ports, Protocols, and Services | 53% | 36% | 9%
12: Controlled Use of Administrative Privileges | 57% | 34% | 8%
13: Boundary Defense | 45% | 49% | 4%
14: Maintenance, Monitoring, and Analysis of Audit Logs | 63% | 19% | 16%
15: Controlled Access Based on the Need to Know | 57% | 29% | 13%
16: Account Monitoring and Control | 58% | 26% | 15%
17: Data Protection | 58% | 24% | 16%
18: Incident Response and Management | 62% | 23% | 15%
19: Secure Network Engineering | 59% | 25% | 15%
20: Penetration Tests and Red Team Exercises | 43% | 21% | 35%

6 Totals do not add up to 100% due to rounding error.
It makes sense that malware and perimeter defenses top the list, given that antivirus,
firewalls and IDS/IPS have historically been the first line of defense for organizations.
The top five controls being implemented within responding organizations today are the
same as in the 2013 survey, indicating little movement in the first four controls that are
recommended by the CSCs as the quick hits for better protection.
This is likely due to barriers in skills and staffing. The first indication of these barriers is
revealed when looking at what the respondents were least interested in implementing:
• 9: Security Skills Assessment and Appropriate Training to Fill Gaps (26%)
• 6: Application Software Security (26%)
• 20: Penetration Tests and Red Team Exercises (35%)
Barriers to Implementing the Controls
Lack of staff/skills and resources are directly implicated as the main reasons organizations
are having trouble implementing some of the controls, according to 63% of survey
respondents who highlighted insufficient staffing or personnel resources and 54% who
cited lack of budget as the major barriers to adoption. The next group (36%) points to
ongoing disconnect among operational and security silos, as shown in Figure 8.
What barriers inhibit your adoption of the Critical Security Controls? Check all that apply.
Insufficient staffing or personnel resources
Lack of strategic or tactical planning
Unsure of how to prioritize CSC implementation
Disconnect between IT/Operational silos
Lack of management support
Other
Lack of budget
Lack of means to integrate and comprehensively manage the controls
Mergers/Acquisitions/Changing operations
Incompatible legacy systems
Inability to align with business goals
Unclear, confusing or conflicting security requirements within the CSC framework
Figure 8. Barriers to CSC Adoption

Lack of staff/skills and resources are directly implicated as the main reasons organizations are having trouble implementing some of the controls.
These are the same barriers cited in the 2013 survey, which selected operational silos
(43%), followed by personnel skills gap (41%) and confusion over which controls to
implement first (36%) as the top barriers.
Personnel and their skills, often affected by budgets, and concern over operational
silos definitely are key barriers to effective implementation. The lack of communication
among silos may, in fact, contribute to the difficulties in prioritizing which controls to
implement first.
These two-year results lend credence to the common belief that analysts know what
needs to be done to protect their information systems and reduce attack surfaces—and
they want to do it. However, a lack of resources is keeping them from achieving their goals.
The need to prioritize limited resources is one of the reasons the CSCs have become
so popular at the senior IT levels and even the executive and business operations
levels within organizations. If communication can be improved among the various
organizational silos, the CSCs can help organizations prioritize their limited resources
and focus on how to most efficiently augment what they lack—including skills.
Drivers for Adopting the Controls
In 2002 a number of regulatory groups published standards required by law or contract. Regulations such as the Sarbanes-Oxley Act of 2002 and the Federal Information Security Management Act of 2002 are just two examples of such regulatory standards that were released. Compliance became a driver for security spending, but only in limited terms and only enough to satisfy the requirements of auditors or regulators.

Supporting compliance initiatives, then, might seem as if it would be a key driver for adoption of the CSCs. However, based on both the 2013 and 2014 survey results for this audience, supporting compliance and regulations, represented by the “Need to reconcile/complement other security frameworks or compliance schemes” option, is a much lower driver (38% in 2013 and 42% in 2014) for implementing the CSCs than we might expect.
Leading drivers for 2014 respondents include the need for a clearer way to present,
manage and report on security progress or risk posture (66%) and the need to prioritize
defensive actions (57%). Figure 9 presents the drivers respondents felt were most
important.
In 2013, 64% of respondents needed a clearer picture of their risk posture. In 2014,
66% (a slight improvement) need a clearer way to present their security progress or risk
posture to stakeholders, demonstrating the need to bridge the gap between silos and
draw business operations into the risk management framework.
What are the drivers for your adoption of the Critical Security Controls? Check all that apply.
Need for a clearer way to present, manage and report on security progress or risk posture
Belief that the broad community approach of the CSCs is a powerful model to drive defensive action
Need to prioritize our defensive actions
Need for a better means to detect advanced attacks/improve response
An increasing number of attacks attempted against our systems
The rising number of intrusions discovered within our environment
Need to reconcile/complement other security frameworks or compliance schemes (e.g., FISMA, PCI, ISO)
Response to internal group or agency directives (such as from DHS, OMB, headquarters)
Other
Figure 9. Drivers for CSC Adoption
Where Are We Today?

Because the majority of organizations represented in this survey have implemented security perimeters to stop malware and intrusions, SANS recommends these organizations and others like them turn their attention to Controls 1–4 for better prevention and visibility. To do this, they need to focus on several core tenets of the controls:
• Assessing and identifying gaps in security
• Tools and practices
• Auditing environments for adherence to control groups
• Reporting implementation progress

Assessing and Identifying the Security Gaps

The philosophy of the CSCs is that organizations should assess their environment utilizing automated means to do so whenever possible. Unfortunately, especially when organizations first begin this process, automated tools are not available to assist organizations in performing gap analysis.

Most respondents are conducting gap assessments in accordance with some or all of the controls. Of those implementing the controls, 83% performed some type of automated or manual gap assessment—40% use a combination of automated and manual processes in their analysis, only 3% use fully automated processes and 36% complete their assessments manually (see Figure 10).

How did you undertake your initial gap assessment of where to implement the Critical Security Controls in your enterprise?
Figure 10. Initial Gap Analysis Methodologies
[Figure 10 is a chart; options shown: A combination of automated discovery and many manual processes; Manually; No initial gap assessment was conducted; An external consulting firm did it all for us; Fully automated using multiple discovery tools; Other; Fully automated using a single discovery tool]

The philosophy of the CSCs is that organizations should assess their environment utilizing automated means to do so whenever possible.
In the 2014 survey, fewer respondents reported their organizations were utilizing automated mechanisms either alone or in concert with manual efforts to perform this initial gap analysis of their organization’s alignment with the controls (43% used automated gap assessment in 2014 versus 47% in 2013). Similarly, more are using manual methods today (36% in 2014 versus 27% in 2013). A likely explanation for this perceived drop in automated assessment practices is that responding organizations have had additional time to dig into the details of the controls since 2013 and now have a more realistic view of their enterprise assessment capabilities. As a result, they are using manual assessments to supplement their automated tools.
Tools and Practices
The most commonly used technologies identified in the CSC implementations studied include endpoint malware protection (95%), network malware protection in the form of firewalls and IDS (94%), database or system access controls (82%), vulnerability assessment (82%), vulnerability management (77%) and SIEM or log management (76%). The least used technologies for respondents’ organizations include wireless intrusion detection systems (36%), software and application code analysis (38%), unified threat management devices (39%) and application whitelisting software (43%). See Table 2.
Table 2. Tools and Methodologies Used to Implement the CSCs7

Answer Options | Legacy | Updated | Added | Total | Not Attempted
Endpoint malware protection | 50% | 33% | 12% | 95% | 5%
Network malware protection (firewalls, IDS) | 39% | 43% | 12% | 94% | 5%
Database or system access controls | 45% | 27% | 10% | 82% | 16%
Vulnerability assessment | 30% | 35% | 17% | 82% | 16%
Vulnerability management | 26% | 32% | 19% | 77% | 21%
SIEM/Log management | 23% | 32% | 21% | 76% | 22%
Application or database firewall | 27% | 25% | 9% | 61% | 37%
Data protections (DLP/Encryption/Masking) | 23% | 21% | 17% | 61% | 37%
Virtualization/Sandboxing | 19% | 23% | 15% | 57% | 40%
Network access control (NAC) | 24% | 23% | 9% | 56% | 42%
Public key infrastructure (PKI) | 29% | 19% | 7% | 55% | 43%
Threat intelligence | 15% | 22% | 18% | 55% | 42%
Other application protections | 20% | 19% | 10% | 49% | 48%
Network behavior analysis | 13% | 18% | 17% | 48% | 51%
Other endpoint protections | 19% | 28% | 11% | 48% | 40%
Security data analysis | 14% | 23% | 11% | 48% | 49%
Network forensics | 14% | 14% | 16% | 44% | 53%
Application whitelisting software | 12% | 19% | 12% | 43% | 56%
Unified threat management | 10% | 18% | 11% | 39% | 57%
Software/application code analysis | 17% | 15% | 6% | 38% | 59%
Wireless intrusion detection system (WIDS) | 13% | 14% | 9% | 36% | 61%

7 Totals do not add up to 100% due to rounding error.
These results reflect that organizations are updating what they already have in place and
are beginning to augment with entirely new technologies and services. Tools that were
the most likely to be added by responding organizations include SIEM/log management
(21%), vulnerability management (19%) and threat intelligence (18%), followed by
vulnerability assessment, data protections and network behavior analysis, each at 17%.
With better ability to assess and manage vulnerabilities, we are likely to see more
emphasis on Controls 1–4 in the coming year.
Auditing the Environment
Many internal audit groups represented in this survey have come to realize the value of
the CSCs as a roadmap for which controls should most influence their audit planning
cycles. When asked how often they assessed their environments against the controls,
38% are auditing their own organizations on an annual basis, while 20% audit quarterly.
It is encouraging that 13% report continual monitoring and an additional 9% are
performing audits monthly or more frequently. This may be a sign that the idea of
automation is beginning to sink into the audit process as well (see Figure 11).
Another 15% of respondents noted that at this point they are not performing any
audits using the CSCs as a baseline for meeting the controls. This is not a high
number, considering the relative newness of the controls. Still, it would be ideal for all
organizations to use the CSCs for audits.
How often do you audit your IT environment to ensure your organization is meeting the goals of the control?
Figure 11. Audit Frequency
We don’t audit
Yearly
Quarterly
Monthly
Weekly
Daily
Continually
Other
Percentage of respondents who report continuous monitoring: 13%
Reporting Implementation Progress
When it comes to assessing how their implementations of the CSCs made security
improvements, closed gaps or improved risk posture, the vast majority (77%) were able
to see improvements, but only 25% were able to quantify those improvements (see
Figure 12).
Perhaps with more emphasis on automating their controls, responding organizations
will begin to be able to quantify some of their advances. It is particularly essential
that the 23% who can’t assess and quantify improvements (or don’t know) gain this
capability. Such information is invaluable in securing upper management support and
financial buy-in for needed staff, training and equipment.
CASE STUDY: Reality Check
The U.S. Department of State implemented a measurement and monitoring system to gather data every 72 hours on elements of the highest priority CSCs and ranked each embassy and office on their progress in mitigating risks. They shared the ratings with the top management at the State Department. Over 12 months, the measured risk levels across all 80,000 systems declined by 89%, and these reductions were extended and improved in the second year. The CISO was asked to implement a broader version of his solution across the entire government and was given a large budget to make that happen.
Figure 12. Respondents' Ability to Quantify Improvements
Survey question: Can you assess how the implemented controls have made improvements, helped close gaps or improved your risk posture?
Answer options (chart not reproduced): Yes, we have quantified improvements that are reported to management; Yes, we have seen some improvements but have not quantified them; No; Unknown/Unsure
Fortunately, 66% of respondents are able to provide reports on CSC implementation
progress to executive hallways and boardrooms, thus engaging leadership in the risk
responsibilities of managing information assets. They use a variety of methods to
communicate this progress, including detailed reports (23%), maturity scales (19%),
stoplight charts (13%) and trend lines (11%), as illustrated in Figure 13.
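The State Department case study above gives the mechanics of quantified reporting in outline: collect findings against the highest-priority controls every few days, score and rank each site, and show management the trend. The Python script below is an added illustration of that pattern; it is not code from the survey, from SANS or from the State Department system. The control identifiers, the per-finding weights, the stoplight thresholds and the findings records are all constructed assumptions chosen for the example.

```python
"""Score sites against a few high-priority controls across two
measurement cycles and report the change as a trend line value and a
stoplight status.

Added example, not part of the SANS survey or any system it describes.
Weights, thresholds and sample findings are assumptions.
"""
from collections import defaultdict

# Assumed weights: how much one open finding against each control adds
# to a site's score. Higher-priority controls weigh more.
CONTROL_WEIGHTS = {
    "CSC1": 5,  # unauthorized device seen on the network
    "CSC2": 5,  # unauthorized software installed on a host
    "CSC3": 3,  # host deviates from its secure configuration baseline
    "CSC4": 2,  # known vulnerability unpatched past its deadline
}

# Assumed stoplight thresholds on the percentage decline in score.
GREEN_MIN_DECLINE = 50.0
AMBER_MIN_DECLINE = 10.0

# Constructed findings: one (snapshot_date, site, host, control) row per
# open finding observed in that measurement cycle.
SAMPLE_FINDINGS = [
    ("2014-01-01", "embassy-a", "h1", "CSC1"),
    ("2014-01-01", "embassy-a", "h2", "CSC4"),
    ("2014-01-01", "embassy-a", "h2", "CSC4"),
    ("2014-01-01", "embassy-a", "h3", "CSC3"),
    ("2014-01-01", "embassy-b", "h9", "CSC2"),
    ("2014-01-01", "embassy-b", "h9", "CSC3"),
    ("2014-01-04", "embassy-a", "h2", "CSC4"),
    ("2014-01-04", "embassy-b", "h9", "CSC2"),
    ("2014-01-04", "embassy-b", "h9", "CSC3"),
    ("2014-01-04", "embassy-b", "h8", "CSC1"),
]


def score_sites(findings, snapshot):
    """Return {site: weighted risk score} for one snapshot date."""
    scores = defaultdict(int)
    for date, site, _host, control in findings:
        if date == snapshot:
            scores[site] += CONTROL_WEIGHTS[control]
    return dict(scores)


def rank_sites(scores):
    """Sites ordered worst-first; ties broken by name so ranks are stable."""
    return sorted(scores, key=lambda s: (-scores[s], s))


def percent_decline(before, after):
    """Percentage reduction from before to after (negative if risk rose).
    A site with no prior findings is reported as 0.0 rather than dividing
    by zero; that convention is an assumption of this example."""
    if before == 0:
        return 0.0
    return (before - after) * 100.0 / before


def stoplight(decline):
    """Map a percentage decline to a stoplight colour."""
    if decline >= GREEN_MIN_DECLINE:
        return "green"
    if decline >= AMBER_MIN_DECLINE:
        return "amber"
    return "red"


def trend_report(findings, earlier, later):
    """Per-site and overall decline between two measurement cycles."""
    before = score_sites(findings, earlier)
    after = score_sites(findings, later)
    report = {}
    for site in sorted(set(before) | set(after)):
        b, a = before.get(site, 0), after.get(site, 0)
        d = percent_decline(b, a)
        report[site] = {"before": b, "after": a,
                        "decline_pct": d, "status": stoplight(d)}
    tb, ta = sum(before.values()), sum(after.values())
    td = percent_decline(tb, ta)
    report["__overall__"] = {"before": tb, "after": ta,
                             "decline_pct": td, "status": stoplight(td)}
    return report


if __name__ == "__main__":
    report = trend_report(SAMPLE_FINDINGS, "2014-01-01", "2014-01-04")
    for site in rank_sites({s: r["after"] for s, r in report.items()
                            if s != "__overall__"}) + ["__overall__"]:
        row = report[site]
        print(f"{site:12} {row['before']:>4} -> {row['after']:>4} "
              f"{row['decline_pct']:7.1f}%  {row['status']}")
```

Running the script prints each site worst-first with its before and after score, the percentage decline and a stoplight colour, followed by the overall row, which is the value a risk-reduction trend line would plot for each cycle. A site whose score rose shows a negative decline and lands in red; surfacing that site to management is exactly what a ranking shared every cycle is for.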
Figure 13. Methods of Sharing Information
Survey question: What is the primary method you used/use to present implementation progress to individuals in executive management/organizational governance?
Answer options (chart not reproduced): We don't present this evidence; Detailed reports showing progress against a project or implementation plan; Current status against a maturity scale; Stoplight chart that allows visualization of progress; Risk reduction trend line; Other
Unfortunately, the reports generated by sampled organizations are mostly manual:
47% still rely on the trusted spreadsheet, and 11% expect to continue to do so over the
next 12 months. An additional 28% use multiple reporting tools, one for each of their CSC
reporting sources, as shown in Figure 14.
Many respondents (54%) noted that they would like to move to a common, single
dashboard for reporting CSC-based information in the next 12 months, something only
29% currently do.
Are tools and technology integration vendors ready to meet this need? Additional
investments in business intelligence systems are necessary in order for organizations
to achieve greater automation in their reporting. The integration tools should cross
operational and security silos to meet the needs of all those consuming this information.
Figure 14. Reporting Tools Used
Survey question: How do you currently aggregate, analyze and present evidence of Control effectiveness or compliance? What are your plans for the next 12 months? Check all that apply.
Answer options (chart not reproduced; results shown for Current and Next 12 months): Through manual and retrospective processes using spreadsheets; Multiple reporting tools for each of our CSC reporting sources; Single dashboard, custom-developed, that shows real-time effectiveness across all controls; Unknown/Not sure; Single dashboard, commercially developed; Other
Callout: 54% of respondents want a single dashboard reporting CSC-based information.
Integration Is Key
In both 2013 and 2014, our surveys show that responding organizations need to overcome the silo mentality and integrate the controls with automated processes for “full-picture” visibility. Survey results show respondents haven’t yet attained that, but do show, again, that they are attempting to fill the gaps with new technologies such as SIEM. When asked about their approach to integrating management of the controls into their operations, 66% of respondents to this year’s survey selected “Adding new technologies as gaps are identified” as their top means for integrating the controls, as illustrated in Figure 15.
In 2013, “Adding new technologies” was the fourth most selected answer, while “Focusing on the security controls that are most needed and make most sense” was the most selected answer. The answer options were updated for the 2014 survey, which explains this difference. Even with the different answer sets, some trends within this audience emerge:
• Organizations are moving beyond assessing controls to add new technologies based on gap assessments.
• IT security groups are reaching out to business units and breaking down silos. In the current survey, outreach to business units fell into third place, with 45% reaching out to business units; in 2013, this option placed second with 51%.
• Cloud-based CSC implementation/management is low but growing. In the 2014 survey, 13% selected cloud management of their CSCs, whereas only 8% chose this option in 2013.
• SIEM is catching on as a means to integrate and manage the control groups, with 37% selecting this option in the 2014 survey. (This answer option was not provided in the 2013 survey.)
Callout: 66% of respondents say adding new technologies as gaps are identified is their top means for integrating controls.
Figure 15. Integration Approaches
Survey question: What is your approach to integrating the management of the controls into your IT/security operations? Check all that apply.
Answer options (chart not reproduced): Adding new technologies as gaps are identified; Reaching out to business units, IT groups and higher-ups; Using a SIEM to centralize management, workflow and reporting; Pushing these controls into the cloud under managed services; Setting priorities based on need or requirements; Setting priorities based on ease or difficulty of integration; Developing or acquiring technologies such as middleware and agents; Other
On Their Wish Lists
To justify funding for the tools, skills and processes needed to improve risk posture,
organizations must be able to show improvement, reduce cost and complexity, and
seamlessly support new features or functions. This is why automation, integration and
the ability to report on improvements are key. It is our hope that, in the future, more of
those who are responsible for security and risk management of their business systems
can measure improvements through reduced attack surface, better prevention and more
automated, integrated processes that reduce overhead and complexity.
When asked to fill in their wish lists for 2015, respondents asked for a variety of changes
that could be enhanced with automation and integration across control groups. Some of
the common items repeated on their write-in wish lists include:
• Better communication with management and improved executive awareness
• More collaboration between educational and awareness organizations
• Ensuring control rankings and prioritization exactly match organizational needs
• Better means of managing controls across decentralized organizations
• Gap analysis templates
• Audit programs for the controls specific to various verticals such as financial
institutions or manufacturers
• Better categorization of controls
Are They Working?
The controls are a working framework that continues to be improved and updated,
thanks to the input of many top minds working together across government and private
sector agencies. Adopters of the controls represented in this survey already say they
are experiencing improvements in visibility, risk reduction and improved risk posture,
complying with mandates and regulations, and detecting attacks (see Figure 16).
Many of the write-in options were positive, with one respondent saying, “The security
controls have greatly helped our organization in managing risk, identifying gaps and,
overall, pointing our organization in the right direction for the future.”
Another respondent added, “Our company has just started using the CSCs to manage
various requirements from internal auditors. The controls have been extremely helpful in
assessing gaps, prioritizing actions and guiding our implementation.”
Figure 16. Reported Improvements by CSC Implementers
Survey question: Where have the controls you implemented made the most improvement? Choose your top three improvements.
Answer options (chart not reproduced; results shown for First, Second and Third choice): Risk reduction/Vulnerability mitigation; Clearer visibility/Situational awareness/Gap analysis; Improved incident response; Benchmarking systemic improvements; Improvements to overall risk posture; Compliance to mandates and regulations; Detecting advanced attacks; Faster, more thorough mitigation; Other
Conclusion
Within the SANS audience, more organizations of various types consider the CSCs a
reliable mechanism to reduce attack surfaces, increase visibility and improve protection
and response.
Results show that more such organizations are making progress implementing
technical systems for defense, and those that are progressing are experiencing reduced
risk, clearer visibility and compliance support. However, they are still struggling with
automation and integration across the controls. Product teams, integrators, IT and
operational staff members, along with the business units they support, will need to work
together to bring this level of automation to fruition.
As more organizations invest in CSC implementation, the industry is likely to see more
quantifiable, clear results of organizations being better able to defend themselves and
prove compliance and overall improvements through risk reduction.
About the Author
James Tarala is a principal consultant with Enclave Hosting, LLC and is based out of Venice, Florida.
He is a regular speaker and senior instructor with the SANS Institute as well as a courseware author
and editor for many of its auditing and security courses. As a consultant he has spent the past few
years architecting large enterprise IT security and infrastructure architectures, specifically working
with many Microsoft-based directory services, email, terminal services and wireless technologies.
James has also spent a large amount of time consulting with organizations to assist them in their
security management, operational practices and regulatory compliance issues, and he often performs
independent security audits and assists internal audit groups to develop their internal audit programs.
James completed his undergraduate studies at Philadelphia Biblical University and his graduate work
at the University of Maryland. He holds numerous professional certifications.
Sponsors
SANS would like to thank this survey’s sponsors: