Can following the CIS Critical Security Controls help organizations comply with other security frameworks? Watch Sevco's latest AMA With Brian Contos and Chris Strand where they dive into the ins and outs of these controls, their relation to other frameworks, and more.
Transcript
Brian: Chris, welcome back to the show.

Chris: Brian, good to be back as always.

Brian: Where are you in the world today?

Chris: Today I'm sitting in not-so-sunny Orlando, FL, but it's always nice to be here, being from the Northeast, when the weather starts to turn in the fall.

Brian: Well, that's for sure. Well, hey, today we're going to talk about the Center for Internet Security's Critical Security Controls, or CIS CSC. I'm just going to call it CSC; it's just too much of a mouthful. So, with your auditor head on again, how have you used CSC to help organizations meet compliance needs? With the subtext being: does CSC actually help organizations reach their compliance needs?

Chris: Yeah, for sure. It's a very relative question, but the short answer is yes. I'm an advocate of security and compliance being one and the same thing, or that they should be one and the same thing. That's a goal that I stretch for, and the CSC definitely demonstrates that in the way that framework has matured. So, simply put: as an auditor, as an IT assessor, as a security assessor, I've used the CSC as a de facto industry standard for baselines. That much has been clear for years and years, actually over 20 years that I've been exposed to the CSC. So for IT audit and security assessment, it helps enormously during the process of gap analysis, which is the very start of the audit cycle. Having a default standard like that, very prescriptive and laid out in simple form, really helps enormously during audit. But more importantly, what are you trying to do as an IT security auditor? You're trying to guarantee security controls. So that is a road map. The CSC provides that road map to conduct the best practices and guidelines that you would follow as an auditor as you try to assess the system from a security perspective. It's a very prescriptive approach as well, so it provides that structured approach.

IT and security assessors and security professionals like technical things. They like blueprints that are prescriptive and free of gray areas, which is what compliance and auditors are usually famous for. We talk in the gray areas, but they provide that prescriptive guideline, which is enormously helpful when you attempt to align the business that you're assessing with the different regulatory alignments that they might be facing, whether it be NIST, whether they're subscribing to ISO, or industry- and sector-specific ones like HIPAA and GDPR and many others that we face. It provides that automatic regulatory alignment. And then the biggest thing is the risk reduction that it enables you to have. And last but not least, and this is an industry theme, and it's kind of outside the idea of what we do from a monitoring perspective, but it provides a template for continuous monitoring. Again, I say everything is huge, but that is one of the biggest things. Because as an assessor, the best thing you can have is an immediate and continuous feed on how your security controls look and how effective they are, what the state and presence of those controls is. And that's very clearly laid out within the CSC to enable auditors to compare what they're finding back to a template in a continuous way. And the continuous aspect is promoted heavily within the CSC, which gives you that proof of security maturity that you need to assess as an auditor. But then for your customer, or the business that you're auditing, it provides them that template to be able to give you that proof. So there are a lot of areas where the CSC fits into the idea of security assessment and audit.

Brian: You know, you mentioned presence and state, and I can't tell you how much that is bubbling up into the lexicon for both audit and security. Wherever I travel, people are talking about it. Hey, I want to know that I've got this thing, but I want to know if this thing is working. Is it up to date? Is it actually doing what it's supposed to do? Sort of a validation of those security controls. And it makes intuitive sense, but I think historically it's one of those things where there wasn't really a great way to do it in an automated fashion, especially at scale, so we're just not gonna look at it. So, keeping your auditor hat on, and maybe also putting a security hat on top of that, which I know is generally what you do anyway: are there any specific CSC controls that really need prioritization if you're looking to go through preparedness for an audit?

Chris: Yeah, there are a few that have been those sort of de facto ones, de facto meaning ones that you're going to lean on as an auditor and from a security sense. And that's a very important part, Brian, is that you sort of have to balance both worlds being a security assessor these days. But really, right from the top, CSC Control #1 and, for that matter, Control #2: inventory and control of enterprise assets. That's the start of the audit process. As I mentioned earlier, one of the important areas where it helps is the very beginning stages of audit, where you have to understand and control your enterprise, or understand how your customer, your client, is maintaining control over their enterprise, and whether they understand where the security controls are and their gaps. So you need to be able to do this; those two controls set the benchmark of where the posture of the organization is right from the top. So, again, extremely important controls to focus on in the process of security assessment and audit. Then on top of that, you want to support the industry theme of active prioritization of your gaps. So once you understand all of this stuff, you understand exactly how it's related, the interrelationship between all of your assets and your enterprise, then you need to ensure that you can do this in a prioritized way. I mentioned continuous monitoring before, and that's an industry theme, and auditors and security professionals have no choice but to do that now because there are a lot of mandates that dictate that. Well, within the CSC comes Control #3, which is continuous vulnerability management, and hence they have the word "continuous" in there. So they're emphasizing the need to do gap assessment in a continuous fashion, constantly, or prioritized, or close to real time, all those buzzwords that we say across the industry. But really this is a demonstration of how you can put your framework into a process where you can obtain that level of inspection and analysis of your environment. So for an auditor, there's a lot of reason to focus on CSC Control 3, because you want to understand that shifting threat surface across your enterprise. And you also want to understand how those shifting vulnerabilities, which we've seen now more than ever these days, could suddenly be affecting your infrastructure more than they did before. Because what you want as an auditor is: what the heck is the level of risk within this organization? How do I give them a score to say, at the end of the day, I've done your audit, I've assessed your systems, and here's your score: you're an 8 out of 10? Well, how do I prove that? I need that evidence-based data to be able to allow the business to understand where they sit. So Control #3 is critical to sort of connect the dots between your enterprise, your assets, everything that's happening within your environment, and the gaps that you might be finding, and that you should be finding, in a continuous state.

Brian: Yeah, well, it's interesting that the CSC calls out asset inventory. It's right there in Section 1 and Section 2, and they call out continuous monitoring, and it really feels like it's purpose-built, or it's a perfect fit, with what we call asset intelligence or attack surface management. So how do those types of solutions, asset intelligence and attack surface management, help to enrich or enable organizations to embrace CSC?

Chris: Three words that I can think of off the top are visibility, risk and control. Those are really important words for a security professional or an auditor, and hence why I always claim that I sit right in the middle. I'm Switzerland in all of these situations. So really, to dive into that a little bit more: visibility into your assets. You can't have enough visibility into your assets, and you can never be real-time enough to understand what that is, but having a robust, or real-time-like, Asset Intelligence solution that can give you that visibility when you need it allows you to again understand at any given time what the state and presence of your assets is, how they're triangulated, how they're related together, and that's enormously valuable. So a good Asset Intelligence solution will provide that off the top, because that's what it does. But then asset vulnerability assessment, as we mentioned, you know, that Control #3: having the ability to quickly connect the dots between your gaps or your vulnerabilities and those enterprise assets will be a great asset for you as an auditor or, again, as a security professional. So you're going to get that out of the box as well by having a decent asset control situation within your environment. And it goes on from there, because once you have that, that's the top of the pyramid. But then you get all kinds of benefits as well, like being able to automatically identify how secure your configurations are. Because once you know everything, once you know who's who in the zoo, well, now you can start to control it. Well, you've got to know how those configurations are changing, and that was the basis of the CIS from way back when; you know, there's more, there are the CSC controls, and there are also the Benchmarks. And so by having solid asset intelligence, you not only have that visibility, but you also understand what the configurations look like. And then you can get into all kinds of good things in areas where you wouldn't think that Asset Intelligence would help, like data protection even. You know, there's CSC #13 and #14, which deal with controlling your data protection policy and protecting data, and it's really about ensuring that you have the appropriate access controls built around your data: what is protecting your data, your assets, and those security controls, your software, your configurations. You're going to be able to see that and understand how well you're protecting data. And it's critical to everyone, because data is the keys to the kingdom, and that's why we have data breaches. But hence that's what auditors focus on. They look at the data and they say, what's your business need-to-know for this data? Do you understand that data, and can you actually use a control such as CSC and a solution to put two and two together and tell me how well you're protecting your data policy? Are you within those lines? And there are a lot of regulations and mandates now that, unfortunately or fortunately from an auditor's perspective, demand that we do this now as an organization. So we're kind of held to that. So it's another great benefit of having robust Asset Intelligence working on your side.

Brian: Awesome. Well, Chris, that was amazing as always. Thank you so much, and thanks to everybody for spending some time with us today. We'll talk to you soon.

Chris: Thanks.