Cybersecurity in the era of controls

A new movement in security is taking hold based on continuous monitoring of critical security controls.

In an era of increasing threats to the IT infrastructure and reductions in resources to combat those threats, it’s time to look beyond traditional approaches to protecting government networks.

Traditional approaches focus on deploying network and endpoint security solutions in conjunction with the Defense Information Systems Agency’s configuration auditing methodology known as the Security Technical Implementation Guide, or STIG. While these solutions provide a measure of defense, they don’t provide a holistic view of an agency’s overall security posture. A new movement in security is taking hold based on continuous monitoring of critical security controls. The SANS 20 Critical Security Controls were developed based on a pragmatic analysis of real-world attacks.

The first control is called “Inventory of Authorized and Unauthorized Devices.” While having an accurate view of the technology assets attached to your network is an obvious place to start an IT security program, automated asset discovery and tracking software is not universally implemented. Continuously monitoring assets and validating the inventory is required to ensure rogue assets are not added to the network. Asset tracking can be continuously enhanced by adding sources of asset information. Vulnerability scanners, Security Information and Event Management (SIEM) solutions and DHCP servers are all sources of information about the devices attached to your network.

Two controls are related to vulnerability scanning and malware. Most organizations will have these defenses in place (at least for endpoints they know about) as part of a traditional security program. The key addition is continuous and automated tracking and remediation. This step lets you report, for example, the percentage of your assets that have current defenses, or the percentage that have open malware issues.
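One way to put the inventory control and the coverage metric into practice, as an added example that is not code from the article: the function below fuses an authorized inventory with DHCP, vulnerability-scanner and SIEM observations, flags rogue and stale devices, and computes the percentage of assets with current defenses. All hostnames, MAC addresses and observation data are constructed samples.

```python
"""Reconcile an asset inventory against observation sources (added example)."""

# Authorized inventory: MAC address -> hostname (constructed sample).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "ws-001",
    "aa:bb:cc:00:00:02": "ws-002",
    "aa:bb:cc:00:00:03": "srv-db-01",
    "aa:bb:cc:00:00:04": "printer-02",
}

# Observations from each source (constructed samples).
DHCP_LEASES = {  # MAC -> leased IP, taken from the DHCP server's lease log
    "aa:bb:cc:00:00:01": "10.0.1.11",
    "aa:bb:cc:00:00:02": "10.0.1.12",
    "aa:bb:cc:00:00:03": "10.0.2.5",
    "de:ad:be:ef:00:99": "10.0.1.77",  # never entered in the inventory
}
SCANNER = {  # MAC -> days since the last successful vulnerability scan
    "aa:bb:cc:00:00:01": 2,
    "aa:bb:cc:00:00:02": 30,
    "aa:bb:cc:00:00:03": 1,
    "de:ad:be:ef:00:99": 3,
}
SIEM_AGENTS = {  # MACs whose anti-malware agent checked in to the SIEM today
    "aa:bb:cc:00:00:01",
    "aa:bb:cc:00:00:03",
}


def reconcile(authorized, dhcp, scanner, agents, max_scan_age=7):
    """Return rogue, stale and unprotected assets plus defense coverage."""
    observed = set(dhcp) | set(scanner) | set(agents)
    rogue = sorted(observed - set(authorized))   # on the network, not in inventory
    stale = sorted(set(authorized) - observed)   # in inventory, seen by no source
    # "Current defenses" here means a recent scan AND a reporting agent.
    defended = {
        mac for mac in authorized
        if scanner.get(mac, max_scan_age + 1) <= max_scan_age and mac in agents
    }
    unprotected = sorted(set(authorized) - defended)
    coverage = round(100 * len(defended) / len(authorized), 1) if authorized else 0.0
    return {"rogue": rogue, "stale": stale,
            "unprotected": unprotected, "coverage_pct": coverage}


if __name__ == "__main__":
    for key, value in reconcile(AUTHORIZED, DHCP_LEASES, SCANNER, SIEM_AGENTS).items():
        print(f"{key}: {value}")
```

Feeding the same function fresh exports from each source on a schedule turns the one-off inventory into the continuous check the control calls for.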

Two controls are related to secure configuration of network devices, desktops and servers. Implementation of DISA STIG auditing has long been a cornerstone of federal IT security programs. Based on analysis of numerous breaches, SANS recommends continuous tracking of the configuration to ensure it does not drift from the baseline after deployment.

Among the benefits are:

  • Proactive, not reactive, security. The cost of proactive defense is considerably less than post-breach remediation.
  • Visibility. Continuous monitoring of SANS security controls provides “big picture” visibility into overall security posture rather than point views.
  • Prioritized investments. The controls provide a context in which to prioritize investments based on analysis of real-world attacks.

Implementation of the SANS Controls includes assessing the current state, implementing a framework for continuous monitoring and metrics, and establishing a plan for continuous improvement.

The simplest current-state assessment can be based on “Quick Wins” in the SANS controls. A spreadsheet where the rows are the controls and the columns are the systems or processes that implement the controls along with a grade will suffice as a starting point.

The next step is using the assessment. This could be as simple as periodic updating of the spreadsheet. Given the requirement for continuous monitoring of the controls, tools are needed for automatically reporting on the state of each control. As part of this step, your organization should align on metrics to track adherence and implementation progress.

Now that you have an operational structure around measuring and improving SANS controls, you can plan continuous improvement by adding new controls or automating existing controls.