Making the Most of Technical ControlsTips on Putting SANS 20 Critical Security Controls Into Practice
A growing number of organizations are looking for ways to help make sure they're using the right security controls to prevent a data breach or speed up detection of a compromise. Many, including the University of Massachusetts, are relying on the SANS 20 Critical Security Controls guidance to improve how technology is configured within their networks and enhance their overall security.
Implementing the controls requires far more than just deploying systems, platforms or services, experts warn. A successful rollout requires winning management support, designing processes to support the technology and regularly assessing whether the controls are effective.
"It's not enough simply to throw a tool at it to identify the issue; that's only half the battle," says J.J. Thompson, CEO of Rook Consulting, which works with financial services and healthcare organizations.
Focus on Technology
The SANS Institute coordinated the development of the widely respected 20 CSC guidance, created in an effort that involved the U.S. National Security Agency, international agencies and private industry.
The 20 CSC guidance offers technical controls, rather than processes. It identifies 20 security areas, including wireless security, asset management, data leak prevention, automated patching and vulnerability assessment, and addresses how to apply appropriate controls to mitigate risks.
That focus on technology was the driving force for why the University of Massachusetts decided to implement the 20 CSC guidance to help secure its networks spread out over five campuses, says Larry Wilson, chief information security officer. UMass had already adopted controls based on ISO [International Standards Organization] frameworks, but was "never quite comfortable with using ISO for technology," he says. When Wilson stumbled upon the 20 CSC, "it was exactly what we were looking for," he says.
The university now uses a combination of ISO-27002 to define controls for management and processes, and 20 CSC for its technical controls, such as wireless security, an anti-malware strategy and data loss prevention, Wilson says. The IT team looked at the technology it already had in place, identified what the SANS controls required, and identified some "quick wins" to get started - and to win the support of upper management, he says.
For example, UMass identified that its existing wireless security implementation was "almost there" in terms of what 20 CSC recommended, and it just needed a few extra configurations settings, he says. Wilson was able to show senior executives how the university could reduce the risks of a network breach just by taking a few steps to complete the control.
Avoiding Breach Costs
Many organizations look at 20 CSC only after they've suffered a data breach.
"While it is generally easy to get management's attention at that point, we don't recommend you wait for [a breach]," says John Pescatore, a director at the SANS Institute.
A better way to get senior management support, he says, is to point out costly breaches that have affected similar organizations in the same business sector.
He points to, for example, a federal investigation of Idaho State University, which resulted in a $400,000 settlement tied to violations of HIPAA. Administrators determined that thousands of patient records were exposed after the network firewall at one of the university's clinics had been disabled.
This case points to the importance of configuration management, continuous vulnerability scanning and regular monitoring of audit logs, as called for under 20 CSC, which might have helped prevent this incident, Pescatore says.
Senior managers need to be made aware that the cost of acquiring and deploying security technologies can be far less than the costs associated with even a relatively small data breach, he contends.
Executive Support is Critical
Indeed, getting support from top management is critical when implementing technical controls. And the first step toward getting that support is to build a business case for how the controls would help mitigate the organization's risks.
Before an organization can determine what controls to implement, the security team has to perform an assessment of the network infrastructure. It's much easier to argue for a technology investment if a security professional can point to concrete examples of vulnerabilities, Pescatore says.
After an assessment, Pescatore says, "If you can say '30 percent of our servers are vulnerable to the attack that just hit the news,' then the business response invariably becomes, 'Let's change what we do so that we won't be vulnerable.'"
Wilson notes that getting management support for implementing 20 CSC guidance can be challenging in industries with heavy compliance requirements, such as financial services and healthcare.
For these sectors, the driving force for selecting controls comes from compliance regulations, not information security. For the most part, regulatory controls tend to emphasize process and management and focus less on technology, he contends. As a result, internal auditors have to be shown how improving the organization's overall security with technical controls can make the compliance process easier and more manageable, Wilson says.
A comprehensive network assessment, for example, usually results in the discovery of servers and endpoints on the network that the IT department didn't know about, Pescatore says. This, in turn, helps auditors recognize the risk of information on those devices not being adequately protected in compliance with regulations. And that makes it more likely auditors will support deploying an automated asset management system to maintain an up-to-date inventory, he says.
Not Just a Technical Question
A common mistake when utilizing 20 CSC is thinking that it's enough to just deploy the technology to implement a specific control without defining supported processes and fixing associated vulnerabilities, Thompson says.
For example, Control 4 recommends regularly scanning for vulnerabilities. In this case, just deploying a scanner is not enough; there needs to be a process in place to fix the vulnerabilities as they are found as well as other processes designed to reduce the risk of introducing new ones, Thompson says. Metrics need to be in place to ensure the control is effectively doing what it was designed to do.
The first four controls are considered the most important because they address basic security hygiene, Pescatore says. These controls provide IT staff with the tools to have a clear view of the organization's infrastructure and suggest areas for improvement. By deploying the top four, the IT department gains an up-to-date list of all the servers, endpoints and all the installed software, identifies what configurations and profiles are in use and pinpoints what vulnerabilities exist.
Some controls provide visibility, such as deploying an intrusion detection system as part of boundary defenses specified in Control 13, or improved log monitoring in Control 14. But even if the logs are being collected correctly, if there is no process in place to regularly monitor anomalies, then a breach won't be discovered until it is too late.
Pescatore also recommends collecting metrics to verify the controls are working. Some examples include tracking the number of incidents, calls to the help desk, or the number of resources that were compromised. He also recommends tracking whether breaches are being detected and mitigated sooner.
The SANS 20 CSC, while popular, is not the only source for insights on controls and strategies, says Tom August, director of information security at Sharp Healthcare. For example, the National Institute of Standards and Technology, HITRUST and ISO all offer guidance. Sharp Healthcare uses a combination of controls drawn from various standards that fit its needs, August says.
Other well-known cybersecurity frameworks and guidelines include COBIT, ITIL, FIPS and CIP.
The 20 CSC is not intended to be a one-size-fits-all checklist for everyone to follow in the exact same way, Pescatore points out. Whether an organization decides to go with 20 CSC or another framework, it's important to evaluate which elements are applicable and focus on those areas, he stresses.
The security tasks outlined in the 20 CSC may seem basic, but they can still be challenging. "Just like there is no easy way to lose weight, focusing on the controls is desirable, but hard to do," Pescatore says.