Implementing CIS Controls and Benchmarks
Jan Fri, 2019
Applying the First 5 CIS Controls and Benchmarks
The CIS controls and benchmarks are best described as consensus best practices: the CIS controls are a prioritized set of defensive actions against the most common attacks, and the CIS benchmarks are secure configuration baselines for specific platforms (operating systems, databases, cloud services, network devices). Both are developed and agreed upon by IT and cybersecurity practitioners and are used across many technology areas and business sectors.
The first five CIS controls are classified as basic controls, but they are important, and they are a great place to start:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
The benchmark configuration recommendations come in two profile levels. Level 1 is the base configuration or minimum requirement; once implemented, it should not have a significant impact on the environment, and its purpose is to reduce the attack surface available to a bad actor. Level 2 extends Level 1 with ‘defense in depth’ settings for organizations that must maintain an increased security posture, such as government or regulated sectors. Level 2 settings can reduce functionality or break applications, so they should be applied carefully and tested in a lab or test environment before rolling out to production. Each benchmark recommendation is mapped to at least one of the two profiles, and many benchmarks also publish separate server and workstation variants of each level.
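To make the profile-level distinction concrete, here is an added example (not code from the original post and not a CIS-published check) that scores a constructed sshd_config against a handful of benchmark-style recommendations, each tagged Level 1 or Level 2. The recommendation titles, the allowed values and the OpenSSH defaults used for absent directives are assumptions chosen for illustration, not the wording or numbering of any published CIS Benchmark. It also shows a practitioner's pitfall: sshd keeps the first value it sees for a directive, so hardening lines appended to the end of the file do nothing if an earlier line already set the directive.

```python
"""Added example: evaluate a constructed sshd_config against Level 1 / Level 2
benchmark-style recommendations. Recommendations, allowed values and defaults
are illustrative assumptions, not the text of any published CIS Benchmark."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Recommendation:
    title: str
    level: int            # 1 = baseline profile, 2 = defense-in-depth profile
    directive: str        # sshd_config keyword, lower-cased
    allowed: frozenset    # acceptable values, lower-cased


# Hypothetical recommendations chosen to show how the two levels nest.
RECOMMENDATIONS = (
    Recommendation("Root login over SSH is disabled", 1, "permitrootlogin", frozenset({"no"})),
    Recommendation("Empty passwords are rejected", 1, "permitemptypasswords", frozenset({"no"})),
    Recommendation("MaxAuthTries is 4 or less", 1, "maxauthtries", frozenset({"1", "2", "3", "4"})),
    Recommendation("Password authentication is disabled (keys only)", 2, "passwordauthentication", frozenset({"no"})),
    Recommendation("X11 forwarding is disabled", 2, "x11forwarding", frozenset({"no"})),
)

# Values sshd uses when a directive is absent (assumed modern-OpenSSH defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    As in sshd itself, the first occurrence of a keyword wins, keywords are
    case-insensitive, and everything after a Match block is conditional, so
    parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit(text, profile_level):
    """Evaluate every recommendation at or below profile_level.
    Returns a list of (title, level, passed, observed_value)."""
    settings = parse_sshd_config(text)
    results = []
    for rec in RECOMMENDATIONS:
        if rec.level > profile_level:
            continue
        observed = settings.get(rec.directive, DEFAULTS[rec.directive]).lower()
        results.append((rec.title, rec.level, observed in rec.allowed, observed))
    return results


def passes_profile(text, profile_level):
    """True only if every recommendation in the profile passes."""
    return all(passed for _, _, passed, _ in audit(text, profile_level))


# Constructed sample configs (not captured from a real host).
WEAK_CONFIG = """
# Out-of-the-box style: root allowed, MaxAuthTries left at default 6
PermitRootLogin yes
PasswordAuthentication yes
"""

LEVEL1_CONFIG = """
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
PasswordAuthentication yes
"""

# Appending a hardening line to the bottom of the file is a common mistake:
# the earlier PasswordAuthentication yes still wins, so Level 2 fails.
APPENDED_CONFIG = LEVEL1_CONFIG + "PasswordAuthentication no\n"

LEVEL2_CONFIG = """
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
PasswordAuthentication no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("level1", LEVEL1_CONFIG),
                      ("appended", APPENDED_CONFIG), ("level2", LEVEL2_CONFIG)]:
        for level in (1, 2):
            print(f"{name:9s} profile L{level}: {'PASS' if passes_profile(cfg, level) else 'FAIL'}")
            for title, lvl, ok, seen in audit(cfg, level):
                print(f"    [L{lvl}] {'ok  ' if ok else 'FAIL'} {title} (observed: {seen})")
```

Run it as a script and the report shows the Level 1 config passing Level 1 but failing Level 2, and the appended config still failing Level 2 even though the right line is present. That is exactly the testing the text calls for: confirm the observed value, not the presence of a line.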
Adopting the CIS benchmarks and controls successfully requires an organizational mind shift – are you ready? Your current, possibly traditional, approach to IT and cybersecurity will become CIS-driven, galvanizing a cultural change through a more secure, hardened infrastructure. Once the fog has cleared and the change has been culturally accepted, discussions must center on implementation strategies and defining success criteria:
- Which controls can be mapped to compliance or coverage gaps identified during your audits or gap and risk assessments?
- Has senior or executive management signed off on the plan and budget, and are they willing to support and evangelize the need for adoption?
Your organization’s cyber defense, and its effectiveness at preventing incidents, breaches, and the resulting harm to your brand, should drive the adoption of security frameworks such as CIS. Which controls have you classified as foundational for improving your cyber defense and posture for 2019? Controls that are advisable but lower priority (roughly the bottom fifth of the list) can be put on the back burner and rolled out later.
Successful adopters of the CIS controls continuously review their cyber posture and work tirelessly to meet their objectives. These companies continually monitor, perform vulnerability scans and penetration tests, and remediate audit findings. They remain current on the latest attacks, subscribe to threat feeds, and contribute attack vectors, IOCs, and intelligence to sharing communities.
How long does it take? Implementing the first five control areas often takes 1-3 years and comes with a financial cost. But what is the cost of a breach? What RPO and RTO are acceptable to your company, stakeholders, and customers? Changing business practices and improving your cyber hygiene must have a place in your 2019 cybersecurity plan. If not CIS, what? Adopting CIS in parallel with a control framework such as NIST SP 800-53, and mapping SIEM alerts and use cases to MITRE ATT&CK, can not only improve your cybersecurity but also future-proof your threat detection and response, IT practices, change management, and flexibility in adopting security tools or solutions.
Questions for Implementing CIS Controls & Benchmarks
Here is an additional list of questions to discuss with your executive and IT teams. Working through them will sharpen your cybersecurity posture and help determine whether implementing the CIS controls and benchmarks is a must in 2019.
- What tactics for cyber improvement has your organization discussed? CIS success for some has included devoting a project or SWAT team or creating a special organizational entity for spearheading the effort. Other successful adopters have rolled out full GRC (Governance, Risk, & Compliance) programs.
- How do the CIS controls and benchmarks map to your existing security framework? CIS mappings already exist for industry standard security frameworks such as NIST and ISO.
- Has your organization defined where the defensive controls can be best applied and adopted?
- Which CIS controls, and the technical work of applying them, intimidate you or your security team? Implementing the benchmarks can be an enormous work effort.
- Do you have the resources to adopt any of the CIS benchmarks right now? If not, when will you? A bad actor is just around the corner and may already be probing and scanning your environment looking for unhardened web servers and endpoints.
- Do you have time to waste doing piecemeal patching and hardening?
- Where can you make financial changes to allow for a CIS budget?
- Does the perceived ‘lift’ or scope of an asset inventory (Control 1) make a CIS launch a non-starter? An up-to-date, organized system of inventory and asset management can only improve the IT and cyber financial outlook for most businesses.
- Is your business bound by audits such as PCI-DSS, HIPAA, or SOC 2? The CIS benchmarks can assist your organization by reducing attack surfaces, hardening servers, and increasing the likelihood of a smooth, near-effortless audit. Whether your phased approach to CIS adoption is driven by gaps in your security posture or by a dedicated project team, the benchmarks will markedly improve your cyber hygiene.
- Is improved cyber hygiene a company goal for 2019? Better defenses through CIS adoption decrease the attack surface and reduce the likelihood of negative audit findings. Applying Level 1 profiles first is more than worth the effort and cost in several ways.
- What (really) would it take (breach, failed audit, etc.) to begin a CIS implementation discussion or implementation of a security framework?
- Has your company tried and failed due to a lack of executive sponsorship?
- In reviewing the first five control categories, has your ambition been sapped by the work effort required? Most businesses face these challenges, yet they are driven to further harden their environment against hackers and bad actors, and the CIS controls and benchmarks provide the foundation.
Protecting your organization from a cyber-attack has become a necessary cost and a business risk, thanks to the accessibility and utilization of the internet. The CIS controls will continue to develop and morph as cyber-attacks do, and they will continue to be effective for system hardening and for applying agreed-upon best practices. So, ask this question within your organization: “long-term, who will ultimately be responsible for maintaining our cyber defense posture?” If the answer is you or your team, download the CIS controls and benchmarks and see where you can adapt and improve.
For more information on applying security frameworks like the CIS Controls or hardening your environment, contact our security professionals at firstname.lastname@example.org or 855-732-8826.