8 Steps to Successfully Implement the CIS Top 20 Controls in Your Organization
If you saw the recent Top 10 Malware January 2020 post by the Center for Internet Security (CIS), you may be wondering how to better protect your organization. CIS’s Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) can help you map your current security protocols against a defined framework. We’ve assembled eight practical steps to help you implement key controls into both your tactical day-to-day practices, as well as your high-level strategic plans and decisions.
Step 1: Take inventory of your assets
This step provides an essential foundation—after all, you can’t implement any controls meant to protect devices and users if you don’t know what you’re protecting. This step maps to Critical Security Controls 1 and 2:
CSC 1: Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
CSC 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
While you’re putting together the inventories, think about these key considerations:
- Identify target systems. Examples might include your domain controllers, DNS servers, or backup system.
- Catalog all systems in your organization. From InsightIDR, Rapid7’s SIEM, you can download a comma-separated file containing a list of assets with the agent installed. This is a great place to start! Remember to add any devices that are not included, such as Internet of Things (IoT), network and mobile devices. Periodically check your asset list against your master list and make any changes. Document processes for setting up new systems, network additions and deletions and change control, patching cycles and approvals, decommissioning and disposing of systems, and quarantining systems.
- Catalog installed software. Are any systems running unauthorized software? Should it be authorized and managed or removed? Do you have a documented process to add or deny software requests?
Step 2: Measure asset controls
Next, determine your baseline for what controls are already in place and where you have invested funds and effort. Make sure you understand how well you are (or aren’t) currently protected so you can make it clear to IT and upper management. This step maps to Critical Security Controls 3, 4, 5, 7, 8, 10, 13, and 18.
CSC 3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
CSC 4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CSC 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior though their interaction with web browsers and email systems.
CSC 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
CSC 10: Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
CSC 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
CSC 18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
While you’re putting together these baseline controls, think about these key considerations:
- Which data assets are critical to your organization, and how do you secure them? Is your critical data mapped back to the hardware assets where it resides? Does your organization have those assets prioritized to get remediated first?
- Set up secure configurations for software and hardware, including mobile devices, desktops, and servers.
- Install and configure security products, such as data recovery, malware prevention, and whitelisting, to control the spread of malware.
- Use internal processes, like patching, and change and configuration management, to regulate your environment.
Step 3: Perimeter defenses
Now, determine what protections are implemented for network ingress and egress. An inventory of network boundaries will be helpful here. Then, minimize network ingress and egress and lock down access to your wireless local area networks to authorized users. This step maps to Critical Security Controls 9, 11, 12, and 15.
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
CSC 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
CSC 12: Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
CSC 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (WLANs), access points, and wireless client systems.
While you’re putting together boundary defense, think about these key considerations:
Secure configurations for network devices
Monitor and block unauthorized network traffic.
Segment the network.
Ensure that remote devices connecting to the internal network are subject to the same policies as local devices.
Internal processes, like patching, and change and configuration management, to regulate your environment.
Step 4: Detect and respond to incidents
It might be minor, it might be random, it might be targeted—you can’t know exactly how an attack will go down, but you can count on it happening. Be prepared with a plan of action, as well as a documented internal process that feeds back into your overall plan for improving security by implementing and maintaining controls. This step maps to: Critical Security Controls 6, 16, and 19.
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
CSC 16: Account Monitoring and Control
Actively manage the lifecycle of system and application accounts—their creation, use, dormancy, deletion—in order to minimize opportunities for attackers to leverage them.
CSC 19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
While you’re putting together an incident response plan, think about these key considerations:
- Detecting indicators of compromise or breach
- Performing forensics to investigate how it started
- Take action to stop the attack and prevent it from happening again
- Who will your key contacts be? Think executives, key vendors and employees.
Step 5: Evaluate the most critical gaps
You need to know where the gaps are to help you prioritize how to move your security program forward. But be ready: Determining which gaps are the most critical requires consensus across teams. While this step can take some time to get through, the extra effort pays dividends. This step maps to all Critical Security Controls (listed below) .
While you’re evaluating your organization’s critical gaps, think about these key considerations:
- Get buy-in from IT and management.
- Compare new vs. existing controls.
- Measure the value to the organization.
Step 6: Plan and implement your controls
Okay, so now you know how secure you are and where your most critical gaps are. Next up? Deciding how you’ll approach short-term and long-term maintenance and tracking over time. Remember, controls should be treated as a continuous process that’s maintained over time, not a one-off project. This step maps to all Critical Security Controls (listed below).
While you’re planning and implementing your organization’s controls, think about these key considerations:
- Each team — such as IT, Security, Management, and the Board of Directors — must define metrics and goals that are important to them for tracking progress.
- Coordinate efforts between security and IT.
- Communicate progress regularly with management.
Step 7. Train and monitor users
People—as much as we love them—are often the weakest link in the security chain. That’s why it’s essential to train and test users to make sure they understand what to look out for, as well as the importance of security. It’s also good to have a backup plan: Limiting privileges and monitoring user behavior for anomalies are both effective fail-safes. This step maps to Critical Security Controls 4, 7, 14, 16, and 17.
CSC 4: Controlled Use of Administrative Privileges
The processes and tools used to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CSC 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior though their interaction with web browsers and email systems.
CSC 14: Controlled Access Based on the Need to Know
The processes and tools used to track, control, prevent, and correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
CSC 16: Account Monitoring and Control
Actively manage the lifecycle of system and application accounts—their creation, use, dormancy, deletion—in order to minimize opportunities for attackers to leverage them.
CSC 17: Implement a Security Awareness and Training Program
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
While you’re planning and implementing your organization’s training and monitoring of users, think about these key considerations:
- Conduct simulated phishing campaigns.
- Track web browsing traffic to malicious websites.
- Control the use of administrative privileges.
Step 8. Test your controls
Now that your controls are in place, use tools such as penetration testing and red team exercises to make sure they’re working. This exercise should be done regularly (and with enthusiasm), as knowing your efforts are paying off gives you both confidence and internal credibility.
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
While you’re testing your organization’s controls, think about these key considerations:
- Test the effectiveness of your controls against attack.
- Explore how controls complement each other.
- Generate reports to share with stakeholders.For a full list of the Top 10 Critical Security Controls, check out our “Definitive Guide to Understanding and Meeting the CIS Critical Security Controls” whitepaper.
This blog is originally derived from Rapid7’s “7 Steps to Successfully Implement the Top 20 Controls in Your Organization” guide.