Reducing Threat Impact With CIS Controls

An Arctic Wolf Session From Our May 2020 Cyber Security Digital Summit


Seth Adler

Lane Roush, vice-president of Presales Systems Engineering at Arctic Wolf Networks, discusses CIS roles, controls, and tools in this digital summit session. He opens with a startling statistic: the average total lifecycle of a data breach is 279 days. It takes an average of 206 days to detect a breach, and 73 days to contain it. Lane believes that average can be brought down to hours.

The Center for Internet Security (CIS), founded in 2000, was established to identify, develop, validate, promote, and sustain best practice solutions for cyber defense. The different areas of focus and programs within the CIS work to crowdsource information for the sake of developing new capabilities for security. The CIS has identified key security controls, which Lane buckets into basic, foundational, and organizational.

Within Lane’s client base, he observes that most of his customers are utilizing perimeter and prevention tools; endpoint prevention and firewalls; email security; and recovery plans. While that’s a great start, the goal of an organization should be to continuously allocate resources and capabilities to increase security controls.

Before covering the top six controls, Lane suggests getting a pentest done in order to prioritize which controls get put in and in what order. That said, Lane contends that all a pentest will really tell you is to implement at least the first 6 controls of CIS, and that it may need to be done to validate budget. He actually discourages customers from doing pentests UNTIL they have implemented basic controls. The order in which controls are implemented should actually be calculated based on a risk analysis and assessment (CIS has a CIS RAM to help companies walk through that). Next, Lane covers six of the 20 top CIS controls.

CIS Control 1 & 2

The first control is inventory and control of hardware assets. The second is inventory and control of software assets. These controls involve actively managing all hardware and software on the network so that only authorized software and hardware are installed and can execute, and that all unauthorized and unmanaged software and hardware are found and prevented from installation or execution.

Lane gives an example of a time that an organization was able to track a TrickBot detection down to an unowned asset and breaks down the discovery and mitigation process. He also discusses what tools could have been implemented to prevent such a breach.

CIS Control 3

Control three is continuous vulnerability management. An organization must continuously acquire, assess, prioritize, and act on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Lane sympathizes with the difficulty of control three, given the massive number of touchpoints, before emphasizing the importance of a holistic vulnerability management program to help mitigate and reduce the attack surface.

CIS Control 4

Control four is the controlled use of administrative privileges. This entails using processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

This includes changing default passwords on deployed devices, using multi-factor authentication for administrative access, setting up alerts, and more.

CIS Control 5

Control five is secure configuration for hardware and software. This control involves establishing, implementing, and actively managing the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

Lane explains Arctic Wolf’s secure config baselining that they map into the CIS hardening standards. He describes the baselining as a set of “golden images.”

CIS Control 6

Control six is the maintenance, monitoring, and analysis of audit logs. Collecting, managing, and analyzing audit logs of events helps with future detection of and recovery from attacks.

They can uncover gaps in security logging and analysis that open up opportunities for bad actors. The basic control covers a variety of areas, such as best practices for leveraging a SIEM for a consolidated view and action points, as well as advising how often to review reports for anomalies.

Final Notes

Lane wraps up by walking through Arctic Wolf’s services and how they enhance the CIS protocol. Arctic Wolf goes below the surface, making sure people and process work together seamlessly to keep organizations safe.

Before answering audience questions, Lane reminds listeners, “It's not about being perfect. It's about making sure that you're closing that gap and getting better over time.”


To hear a detailed description and examples of the six controls and to learn more about what Arctic Wolf can do for you, please go to the Cyber Security Digital Summit page, register, and then follow the link sent to your inbox.