- Provide defense against 62% of the techniques identified in the MITRE ATT&CK Framework
- Provide defense against the top five attack patterns identified in the Verizon 2019 Data Breach Incident Report
Don’t take my word for it. CIS said this in a blog post. In other words, if you leverage the CIS Controls, even at just the basic level, you’ve set up a pretty solid security posture for your organization. OK. So how do you do it? Grab some popcorn and read on. (Side note: you’ll have to make your own. Free popcorn has been killed by the coronavirus pandemic.)
CIS Controls Start with Questions. Lots of Questions.
At CGNET, we start the process of leveraging the CIS Controls with a questionnaire. It’s a l o n g document; over a hundred questions. And not all the questions are of the “yes/no” variety. Here are some sample questions, from a section on application development.
- What secure coding practices do your developers employ?
- What explicit error checking is performed and documented?
- Do you ensure that all acquired software is still supported?
We tailor the questions to the customer’s situation. Once that is done, we get together with the customer to fill in the answers. Some questions are easy to answer. But others prompt other questions. So, we find it’s best to complete the questionnaire together with the customer.
Next Comes the Analysis
Once we have gathered the answers, we get to analyze the responses. Sometimes it’s easy. If the question is “do you have…” and you don’t, then the way to leverage the CIS Controls is to go get … With other answers, we must look at the context of the answer. For instance, one customer told us they didn’t want to tell their design agency what secure coding practices to employ. Rather, the customer said they wanted to specify an outcome (secure software) and leave it to the design agency to deliver. Makes sense to me.
Don’t Plan to Leverage the CIS Controls Completely
As someone said on a recent security panel, “security is a journey, not a destination”. What does this mean?
- You don’t live in a quantum state of either security or insecurity. You live in a state of more (or less) security.
- Whatever destination you set for yourself will only be temporary. You don’t arrive at “secure!” and then get to forget about security.
- You ultimately make security decisions based on relative cost and benefit. Do I need to spend that next $10,000 so I can achieve 4% more security? At some point, you decide that the organization is sufficiently secure.
With these points in mind, we look at the list of recommended actions and adapt it for the organization. Before we can leverage the CIS Controls, we must assign the customer to a CIS “Implementation Group”. CIS defines three of these.
- Implementation Group 1 is considered “basic cyber hygiene”. Organizations in this group have “limited resources and cybersecurity expertise”.
- Implementation Group 2 organizations have “moderate resources and cybersecurity expertise”.
- Implementation Group 3 organizations have “extensive resources and cybersecurity expertise”.
It’s OK to mix and match recommendations applicable to different Implementation Groups.
Now We’re Ready to Leverage the CIS Controls
We now have recommended actions that are sized to match the resources of the organization. From here, we put together a roadmap for the actions. We like to prioritize them based on estimated impact and implementation complexity. The idea is to first leverage the CIS Controls that provide the greatest benefit for the lowest investment. We typically spread these roadmaps out over two or three years. You can read another post about our process here.
This Road Will Take You There
(With apologies to the Staple Sisters). You know the saying: “if you don’t know where you’re going, any road will take you there”. Well, this work to leverage the CIS Controls shows you the road you want to take. You may have substantial work still ahead of you as you leverage the CIS Controls. But at least you know you’re headed in the right direction.