Introduction – Choosing the Right Security Controls Framework
The cyber threat landscape is evolving at an astronomical rate. We are living in an age where the four key pillars of cybersecurity, Confidentiality, Integrity, Availability and Assurance of information systems, are no longer considered a nice-to-have but are a metric for the business resilience and operational existence of businesses across the globe.
In this blog we set out to show how choosing the correct security controls framework can go a long way towards establishing a secure foundation, which then allows Enterprise security designers and decision makers to make more informed solution choices when selecting controls and vendor architectures.
Organizations are increasingly finding themselves caught in the “security war of more”, where Governance, Risk and Compliance regimes, compounded by vendor solution fragmentation, have resulted in tick-box security. At times this has left organizations with either overlapping security capabilities or completely missing critical security controls. Adversaries continue to take advantage of this industry predicament, as depicted by the 4 billion records lost through data breaches and malware attacks in 2019 (Source: Verizon).
To win this battle, a structured and homogeneous approach must be constructed across the industry. This is where security frameworks come into the picture. A security control framework plays a pivotal role: it can sit as a foundation across multiple law and compliance regimes and provide key capabilities for an organization. The CIS (Center for Internet Security) CSC (Critical Security Controls) framework provides just that: the fundamental underpinnings of a strong organizational cyber defense. This blog is a continuation of the CIS whitepaper published here, in which we introduce the CIS Controls and McAfee product capabilities.
CIS CSC provides a path for an organization to get started on its cyber defense program. It is an option both for organizations that do not know where to start and for organizations at a mid-maturity level that want to augment their capabilities to “Optimize and Execute” on their cybersecurity needs. CIS provides a list of Critical Security Controls that have been cherry-picked to be most effective against the most common attacks. It offers layered protection via a defense in depth approach and has been developed from the first-hand experience of cyber defenders across industry verticals such as retail, manufacturing, healthcare and government.
The CIS CSC controls are based on a risk metric: each control is weighted on the likelihood and impact of an incident posing a significant threat to an Enterprise. They draw on the foundational elements of risk management and continuous protection, not only protecting against the initial compromise but also detecting and protecting against existing adversary activity within an environment. This gives an organization the flexibility to start its CIS CSC implementation at any point in its security lifecycle.
Architecting Enterprise Cyber Defense with CIS
This section highlights how the CIS controls secure an Enterprise using a layered, defense in depth approach: moving from the basic controls, which are mostly focused on endpoints, out to the Enterprise boundary, and then combining them through the People, Process and Technology triad at the organizational level.
The full list of CIS CSC controls and detailed mapping of our products can be found here. A similar document showing the usage of McAfee products to support the NIST 800-53 security controls is available here.
CIS Implementation Groups and Organizational Maturity
The CIS control framework offers mature organizations the opportunity to further enhance and optimize their controls by implementing the CIS sub-controls. The full list of 148 sub-controls can be found here. The sub-controls are grouped into 3 implementation groups, which allow organizations to tailor the framework based on a self-evaluation of their security maturity and the resources available to them:
Figure: CIS Implementation Groups – Source CIS
Each group builds on the previous group’s capabilities, e.g. IG2 builds upon the controls in IG1. The mapping of the groups to organizational needs and wants can be loosely summarized as follows:
Implementation Group 1: This group is mainly aimed at small businesses using commercial off-the-shelf software, where data sensitivity requirements are usually very low.
Implementation Group 2: This group is aimed at Enterprises that store sensitive business information and have reasonable cybersecurity resources for implementing the controls.
Implementation Group 3: This group is mainly aimed at defending against sophisticated adversaries, such as Nation State actors utilizing zero-day vulnerabilities.
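The two properties described above, that the implementation groups are cumulative and that controls carry a risk weighting from likelihood and impact, can be turned into a simple self-assessment score. The following is an added example written for this post; it is not McAfee's or CIS's code, and the sub-control ids, likelihood/impact scores and implementation status are constructed placeholders rather than CIS identifiers or CIS weightings. It computes, for each target group, how many required sub-controls are in place, a risk-weighted coverage percentage, and the missing sub-controls ordered by risk weight, which is the prioritization list the later "Prioritization" and "Metrics" principles call for.

```python
"""Implementation-group coverage scoring.

Added example, not McAfee's or CIS's code. Sub-control ids and risk weights
below are constructed placeholders, not CIS identifiers or CIS weightings.
It models two things the post states: the implementation groups are
cumulative (IG2 builds on IG1, IG3 on IG2), and controls are weighted by the
likelihood and impact of the incident they defend against.
"""
from dataclasses import dataclass

# Ordered so that each group contains everything in the groups before it.
IMPLEMENTATION_GROUPS = ("IG1", "IG2", "IG3")


@dataclass(frozen=True)
class SubControl:
    control_id: str     # constructed placeholder id, not a CIS number
    lowest_group: str   # first implementation group that requires it
    likelihood: int     # constructed 1-5 self-assessment score
    impact: int         # constructed 1-5 self-assessment score
    implemented: bool   # result of the organization's self-assessment

    @property
    def weight(self) -> int:
        """Risk weight used for scoring and prioritisation."""
        return self.likelihood * self.impact


def required_for(group, sub_controls):
    """Sub-controls an organization targeting `group` must implement.

    Because the groups are cumulative, a target of IG2 requires every
    sub-control whose lowest group is IG1 or IG2.
    """
    rank = IMPLEMENTATION_GROUPS.index(group)
    return [sc for sc in sub_controls
            if IMPLEMENTATION_GROUPS.index(sc.lowest_group) <= rank]


def coverage(group, sub_controls):
    """Return (implemented count, required count, risk-weighted percent).

    The percentage is weighted by risk, so a missing high-impact control
    lowers the score more than a missing low-impact one.
    """
    required = required_for(group, sub_controls)
    done = [sc for sc in required if sc.implemented]
    total_weight = sum(sc.weight for sc in required)
    done_weight = sum(sc.weight for sc in done)
    pct = round(100.0 * done_weight / total_weight, 1) if total_weight else 0.0
    return len(done), len(required), pct


def gaps(group, sub_controls):
    """Missing sub-control ids, highest risk weight first: the work queue."""
    missing = [sc for sc in required_for(group, sub_controls) if not sc.implemented]
    return [sc.control_id for sc in sorted(missing, key=lambda sc: sc.weight, reverse=True)]


# Constructed sample self-assessment (placeholder ids and scores).
SAMPLE_ASSESSMENT = [
    SubControl("C1.1", "IG1", likelihood=5, impact=4, implemented=True),
    SubControl("C1.2", "IG1", likelihood=2, impact=3, implemented=True),
    SubControl("C1.3", "IG2", likelihood=3, impact=4, implemented=False),
    SubControl("C2.1", "IG1", likelihood=5, impact=5, implemented=False),
    SubControl("C2.2", "IG2", likelihood=3, impact=3, implemented=True),
    SubControl("C2.3", "IG3", likelihood=3, impact=5, implemented=False),
]

if __name__ == "__main__":
    for g in IMPLEMENTATION_GROUPS:
        done, req, pct = coverage(g, SAMPLE_ASSESSMENT)
        print(f"{g}: {done}/{req} implemented, risk-weighted coverage {pct}%, "
              f"gaps by priority: {gaps(g, SAMPLE_ASSESSMENT)}")
```

Because the groups are cumulative, the same assessment yields a lower score as the target group rises (IG1 to IG3 here), which makes the score useful as a maturity metric rather than a pass/fail flag: an organization picks the group that matches its resources and data sensitivity, and the weighted gap list tells it which missing control to fund first.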
McAfee’s Solution Architecture Aligned with CIS CSC Principles
The CSC controls leverage 6 key principles, and McAfee solutions and services address these principles effectively:
- Offense Informs Defense – It considers real-world adversary Tactics, Techniques and Procedures (TTPs), such as the ones catalogued in the MITRE ATT&CK matrix, and establishes controls that have successfully defended against such adversary TTPs. Thus, each control offers tested capabilities that can be relied upon.
McAfee products such as MVISION EDR and ESM, and common threat intelligence services such as GTI, continuously adapt to the latest adversarial tactics to detect and protect against both known and unknown threats, and use the MITRE ATT&CK matrix to analyze and apply context to detected IOCs. MVISION Insights brings the Enterprise threat landscape into context by providing industry-specific intelligence on existing or developing attack campaigns.
- Prioritization – Organizations are grappling with a wide variety of attack surfaces as well as challenges around resources, so it is important for any Enterprise to establish priorities for its defensive efforts, aka “We need to contain the fire which has the potential to burn down the house before saving the garden”.
McAfee solution architect teams have access to a wide variety of tools, including CIS control assessment capabilities. This allows us to explore customer challenges within their Cloud, Endpoint or Enterprise perimeter and help identify gaps and risks in customer environments. The McAfee Professional Services team can deliver Security Operations (SecOps) maturity assessments and assist customers in developing, fine-tuning and building their SecOps capabilities. McAfee products also have built-in assessment capabilities that map your Enterprise security maturity against similar industry peers, e.g. the Cloud Security Advisor (CSA) within MVISION Cloud. The CSA allows you to map your cloud security maturity journey with guided recommendations.
- Metrics – Any security effort needs to provide clear quantitative and qualitative benefits that allow Business Owners to understand the business’s cyber risk profile and establish clear needs and wants. Metrics establish a common language across Business Owners, System Owners and external entities. By scoring the missing and existing controls and processes within an organization, a clear security baseline score can be calculated, which in turn establishes the security maturity of the organization.
Several McAfee products allow customers to establish a consolidated view of their key security metrics, e.g.:
- McAfee ePO – Provides several security dashboards that collect metrics from various ePO extensions. ePO Protection Workspace, for example, gives a single-pane-of-glass view across your device-to-cloud risk and threat metrics. Various built-in dashboards further leverage ePO extensions such as Policy Auditor and Application Control to establish metrics around your software inventory and endpoint system integrity, thus providing metrics for CIS Controls 2 and 5.
- McAfee ESM – Provides content packs that open normalized views of key metrics, such as network or endpoint threat events, and offers a way to easily visualize the risk metrics associated with these assets; this aligns closely with the metric requirements of CIS Controls 6, 16 and 19.
- McAfee MVISION Cloud – Provides key metrics around risks across your cloud SaaS, PaaS, IaaS, CaaS and FaaS services, as well as risks originating from unsanctioned cloud services, thus aligning closely with the metric requirements of CIS Controls 1, 2, 16 and 18 (refer to the CIS Controls Within Cloud Infrastructure section below for further details).
- Continuous Diagnostics and Mitigation – Cyber threats evolve continuously, so cybersecurity should be a continuous effort. Any implementation of security controls requires continuous validation in the context of the business processes, tools and people involved within the organization, and the CIS controls introduce mechanisms for effective continuous monitoring and risk reduction.
McAfee ePO, ESM, NSP and MVISION platforms, along with various SIA partner solutions, provide continuous monitoring, diagnostics and response capabilities for cyber threats. For example, our integrated reference architecture for Shadow IT protection uses MVISION Cloud’s shadow IT cloud risk registry to discover potentially risky Enterprise cloud services and then uses service groups to update network defenses, such as McAfee Web Gateway or other third-party web filtering solutions, to block those services and protect users from them. Similarly, we have integrated reference architectures that provide continuous risk detection and mitigation for Industrial Control Systems (ICS), phishing, threat intelligence-based containment and many more, details of which are available through the Cyber Defense architecture workshops.
- Automation – Security automation is key to achieving scalability in threat detection, protection and response. Rapidly evolving IT environments such as Cloud and BYOD access require automated monitoring, continuous security event correlation and behavior analysis.
McAfee ESM, MVISION EDR, ATD and TIE, combined with integrations with threat intelligence platforms such as MISP and ThreatQ and security orchestration tools such as Swimlane, provide an architecture that delivers adaptive security against a constantly evolving threat landscape.
- Continuous Risk Mitigation – The CIS controls can provide the pillars supporting many well-known risk management frameworks, such as the NIST RMF documented in SP 800-37. The example below outlines the CIS controls as a foundation for the NIST RMF.
Figure: NIST RMF as supported by CIS CSC
CIS Controls Within Cloud Infrastructure
This section highlights the mapping and use cases for CIS within public cloud infrastructure. The CIS controls are largely applicable in the context of public, private and hybrid cloud infrastructures; the challenges appear around the shared responsibility model within public cloud infrastructure, where consumers must relinquish control over the underlying infrastructure and rely upon the Cloud Service Provider (CSP) to secure it.
The following table maps the CIS controls against their applicability across the 4 key Cloud Infrastructure categories of IaaS, SaaS, PaaS and FaaS.
Table 1: CIS Controls Coverage across Cloud Infrastructure
CIS and System Hardening
CIS Benchmarks provide guidance on hardening assets from device to cloud across more than 140 technologies. These best-practice guidelines allow organizations to configure these devices in the most secure configuration possible. The benchmarks are also accompanied by several pre-configured tools for baseline configuration analysis and continuous monitoring of the baselines to track any deviations. The CIS-CAT tool can be used to perform post-implementation analysis for further confirmation and measurement of an organization’s implementation of the CIS controls.
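To make the idea of baseline analysis and deviation tracking concrete, here is an added example of the two checks a benchmark scanner performs: comparing a configuration file against a hardening baseline, and comparing two snapshots of the same file to detect drift. This is illustrative code written for this post, not McAfee's or CIS's code and not the CIS-CAT tool; the baseline values and the sshd_config-style snapshots are constructed samples, not excerpts from any CIS Benchmark. The parser follows one sshd rule worth knowing for hardening work: when a keyword appears more than once, sshd uses the first value obtained, so a hardened line appended at the end of the file does not override an earlier, weaker one.

```python
"""Hardening-baseline deviation and drift check for a key/value config file.

Added example, not McAfee's or CIS's code and not the CIS-CAT tool. The
baseline and the config snapshots below are constructed samples in the
spirit of a hardening benchmark for an sshd_config-style file; they are not
excerpts from any CIS Benchmark.
"""


def parse_kv_config(text):
    """Parse 'Key value' lines into a dict keyed by lower-cased setting name.

    Only whole-line comments are ignored: sshd does not treat an inline '#'
    as a comment, so a value containing one is kept as written. When a key
    appears more than once, the first value wins, matching sshd_config's
    "first obtained value will be used" rule.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


# Constructed baseline: setting name -> required value (compared case-insensitively).
SAMPLE_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "clientaliveinterval": "300",
}


def check_against_baseline(settings, baseline):
    """Return deviations as (setting, expected, actual); actual is None if unset."""
    deviations = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


def drift(previous, current):
    """Settings whose value changed between two snapshots: {key: (old, new)}."""
    keys = sorted(set(previous) | set(current))
    return {k: (previous.get(k), current.get(k)) for k in keys
            if previous.get(k) != current.get(k)}


# Constructed snapshot 1. Note the appended "MaxAuthTries 4": sshd keeps the
# first value (6), so the baseline is still not met.
SAMPLE_CONFIG = """\
# constructed sample sshd_config, not a real host's file
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 4
"""

# Constructed snapshot 2, taken later: root login has been re-enabled.
SAMPLE_CONFIG_LATER = SAMPLE_CONFIG.replace("PermitRootLogin no", "PermitRootLogin yes")

if __name__ == "__main__":
    now = parse_kv_config(SAMPLE_CONFIG)
    for key, expected, actual in check_against_baseline(now, SAMPLE_BASELINE):
        print(f"DEVIATION {key}: expected {expected!r}, found {actual!r}")
    for key, (old, new) in drift(now, parse_kv_config(SAMPLE_CONFIG_LATER)).items():
        print(f"DRIFT {key}: {old!r} -> {new!r}")
```

The baseline check answers "is this host configured as the benchmark requires?" and reports a setting that is missing altogether (ClientAliveInterval here) as well as one with the wrong value; the drift check answers "what changed since the last scan?", which is the continuous-monitoring signal to feed into a SIEM or ticketing flow so that a re-enabled weak setting is noticed rather than silently persisting until the next audit.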
More details about the benchmarks can be found here:
McAfee solutions such as ePO, Application Control and MVISION Cloud provide features that leverage the CIS Benchmarks to evaluate security posture and provide a measurable metric for a customer.
In summary, the CIS controls provide a comprehensive framework for adaptable security built on the core security concepts shown in the following cycle:
Figure 3: CIS Continuous Risk Mitigation Cycle
Together these deliver true security outcomes by focusing on business priorities and organizational resources and by providing metrics for measurable risk reduction. By implementing the CIS controls, Enterprises can more easily align to other frameworks and regulations such as GDPR, CCPA, HIPAA, PCI-DSS, etc.
McAfee is part of the CIS alliance, which allows us to use its frameworks within our products as well as offer our solutions through the CIS CyberMarket: https://www.cisecurity.org/services/cis-cybermarket/software/
- CIS Controls – https://www.cisecurity.org/controls/
- CIS Cloud Companion Guide – https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/
- NIST RMF, SP 800-37 – https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
- Verizon Data Breach Investigations Report – https://Enterprise.verizon.com/en-gb/resources/reports/dbir/