Top 20 CIS Controls

Changes in the CIS controls and why you need to know

cliff turner / 04.24.18

Have you heard of the top 20 Controls from the Center for Internet Security (CIS)? These are also known as the CIS common controls and they’re my favorite list of controls. Sure, PCI, NIST, CSA, SOX, FERPA, NERC, and HIPAA are good controls as well, but I prefer the common controls. The common controls are community and industry reviewed – high-level enough for anyone to use, and they’re prioritized. I could easily build these into a dashboard for every application, business unit, and team, which would help normalize risk profiles across any business.

So, have you ever looked over these common controls?! If not, take just a minute to review them. This high-level list of 20 information security controls is designed, if implemented properly, to eliminate most of the risks in your business. To implement the controls, you must have the right people, the right processes, and the right technology. In this blog I’ll be delving into the controls. We can talk more about the people and the process and the technology another time.

So let’s compare and contrast the controls against all the industry news about all the crazy new cybersecurity technologies and companies. For example, artificial intelligence is the current hot topic. You’ll notice that it doesn’t appear on the CIS list because, before you employ artificial intelligence in your cybersecurity strategy, you first need to make sure you cover the top 20 controls. (Like any good basketball team, you need to master the fundamentals before moving on to trick shots like the Harlem Globetrotters.)

Recently the Center for Internet Security updated their controls in a push to keep them current with the latest cybersecurity technologies. The ordering has been updated to reflect the current threat landscape, and the sub-controls have been updated to be clearer and more precise, implementing a single “ask” per sub-control. As a quick aside, if you’re not familiar with the AWS shared responsibility model, here’s the link to review.

If you’re running any of your applications in the cloud, what you’re responsible for changes drastically. For example, if you’re running an EC2 server in AWS, you’re not responsible for the inventory of the hardware itself (how much CPU and MEM it has). But as Spectre has shown us, you need to know what CPU architecture you’re running on, so CIS control one applies in a limited way.

Here’s what has specifically changed in the control order:

Control #4: Continuous Vulnerability Assessment and Remediation – moved up to #3

Control #5: Controlled Use of Administrative Privileges – moved up to #4

Control #3: Secure Configurations for Hardware and Software – moved down to #5

These are all good changes, in my opinion. The controls keep getting better as they age, just like any fine whisky.

Now one of the fundamental reasons organizations don’t implement the controls is that they simply don’t have enough people, strong enough processes, or the right tools. One way to overcome these limitations is by using an automation platform, such as CloudPassage Halo, that can automate security processes and encompass broad toolsets. The automation frees people up so that they can focus on responding to security issues, which will allow them to focus on higher-order work.

Additionally, the controls are focused on traditional enterprise environments; however, the world has changed. We now have containers, cloud service accounts, DevOps pipelines, and other new agile technologies. And if you take a minute and think about the risks that these controls are trying to manage, it’s easy to see that these all still apply in the cloud and with containers. So, using a common set of processes and training people all on the same platform will make it easier to accomplish your goals.

Some organizations have spent years deploying tools, building processes, and integrating them into a single SOC operation. Notice I mentioned earlier that this takes years… so, many organizations are behind. And if you’re behind you need to be looking at an automation platform that can be deployed quickly to leapfrog up to the current controls.

CloudPassage Halo can help with this. So if you’re interested in learning more about how Halo can help you tackle the 20 critical CIS controls, reach out and request a demo.