Cybersecurity is a rapidly evolving field in many ways. In others, practitioners must deal with age-old problems day after day. It’s often the mundane, repetitive tasks that are the most valuable to securing enterprise’s digital assets, even though they don’t hold the allure of using new tooling, engaging in active defense or threat hunting, or reading up on the most recent malware or zero-day threat to hit the headlines. The latter may be what Hollywood films are made of, but there are few spectacular special effects and no magic to speak of in the average enterprise security team.
At a recent MISTI conference, Tony Sager, Senior Vice President and Chief Evangelist for the Center for Internet Security, shared with Infosec Insider his thoughts on the current state of the security market and explained how and why the CIS Controls were created.
The CIS Controls, which are an invaluable refence for security practitioners, were created, he said, because he wanted to provide some basic and easy-to-use guidance for his friends in security who were struggling under the weight of their job responsibilities. Over the years the controls have been updated and have shifted based on trends, but the intent, he says, has remained the same: sharing resources and helping people.
Because the controls come in the form of a list, though, Sager said it’s not uncommon for people to misconstrue them as “just another checklist,” another set of recommendations that, if followed to the letter, will keep organizations secure.
Tackling big problems methodically
Nothing can promise absolute security, though.
“It takes a long time to codify knowledge,” Sager said, and organizations need to know where and how to prioritize: Where do I get started? What’s the smallest number of important things I need to do first so I can start to manage these problems?
Because businesses have many goals—and security is a supporting factor—security teams need to make good decisions that help incrementally improve the protection of the organization’s assets. This is why the controls were invented and continue to evolve—so that people in the field can collaborate with one another and learn from one another what has worked in the past and what might be a contributing factor in the future.
Sager is quick to point out that the controls are not some Holy Grail that should be sought at the expense of all else: “[Historically] Security has been the business of wizards,” he said, but we need to emerge from “technical wizardry to business machinery that helps people make decisions,” referring to the security industry’s propensity to put deep technical skills on a high pedestal.
Business decision-makers, in contrast, are often pragmatic in their approach to problem solving; they have shown that they’re willing to listen to auditors, regulators, and insurers, all disciplines that operate on a risk-based scale. Whereas security practitioners tend to want to eradicate any and all potential of intrusion, a steadier and more reliable approach is to examine the most likely points of exploitation, systematically place controls in front of them, and learn from them—hence, the CIS Controls.
Continuous processes are key
Community building and continuous learning are the true purposes of the controls, says Sager, adding that he hopes security practitioners have moved beyond the idea that if we—the good guys—openly exchange ideas and techniques we’re tipping our hands to adversaries. Adversaries, themselves, are very good at sharing, being patient, and continuously gathering new information. If this sounds a lot like the CIS Controls, it should, and that’s what Sager hopes people take from it, not, “If I don’t do this, I will fail,” or “If I do do that, I will win.”
It’s not about winning or losing, but about making incremental gains by “putting in place machinery for automation, for measurement, for reporting, and for synchronizing the view of managers with technicians,” he said. Referencing the Hollywood box office, Sager joked that cybersecurity practice should be more like the movie “Groundhog Day” than “Independence Day.”
The industry should be significantly less focused on inventing some all-in-one (a.k.a. “magical”) technology that eliminates the possibility of cyber attacks (i.e., “Our defenses are so hardened that no one will ever penetrate them!”) Rather, security teams need to systematically implement better machinery that allows them to continuously learn what is happening in the environment, then apply that knowledge to better decision making.
The CIS Controls are a starting point—a recording of collective wisdom—instead of an exhaustive list that dictates what tools and processes to use in any given environment. Sager hopes the controls instigate more knowledge sharing among practitioners: “We have to figure out how to take the important content of attacks and defense and codify it in a way that makes it usable.” The controls are one piece of this, but hopefully one that allows security practitioners to keep learning, keep growing, and keep adapting to the complex ecosystems that require security’s protection.