Tony Sager, the retired chief operating officer of NSA's Information Assurance Directorate, who is heading up the Consortium for Cybersecurity Action (CCA), says it's about prioritizing what organizations need to do to protect their computing environments and data. "A great deal of the challenge is the fog of more. Things are changing so quickly," Sager said during a teleconference today. "A lot of times, enterprises just don't know where and how, or what to do. Where's the next dollar best spent?"
The Top 20 Critical Security Controls provides a guidepost, of sorts, for how specifically to go about prioritizing and locking down infrastructure. Rather than trying to deploy everything at once, an organization can focus first on foundational steps, such as building a comprehensive inventory of the authorized -- and unauthorized -- hardware and software in its environment.
CCA is basically a "volunteer army," Sager said, that identifies and prioritizes the most important things to do to prevent breaches. "We've seen their adoption by critical enterprises, and lots of vendors are standing up and saying, 'We can support these controls,'" he says.
Tom Kellermann, who served on The Commission on Cyber Security for the 44th Presidency, says the 20 Critical Controls list is a paradigm shift to basing security defenses on the actual threats and attacks occurring within organizations. "I am a huge proponent of the 20 Critical Controls. They represent a paradigm shift wherein offense truly will inform defense. The fact that they are dynamic ... [that they] are re-evaluated every year is a game changer," says Kellermann, who calls Sager "the Yoda of cybersecurity."
But given the rapidly changing threat landscape, can the list of controls truly keep up with the times? Kellermann, who is vice president of cybersecurity at Trend Micro, says the list will stay timely because it will be based on input from penetration testers and the NSA's red and blue teams. "They can understand what tactics are bypassing defense-in-depth stratagems," he says. "Threat intelligence must also evolve and become global in nature," he says.
The common strategy of patching vulnerabilities and manually decoding and analyzing packets just isn't working, notes Eric Cole, founder and chief scientist at Secure Anchor. "We sat back and looked at what are the key things that are missing? Why are organizations failing and not being successful" at defense, Cole said during today's teleconference.
Part of the problem, he says, is that organizations are not using a single playbook for securing their infrastructure. IT, security, auditors, and executives all need to have a common set of metrics, he said. That's what the Top 20 Critical Controls list provides, he said.
[Strapped for cash and feeling pinched by the increase in targeted attacks, some federal agencies are coming up with their own solutions for better protecting their information. See Government Agencies Get Creative In APT Battle.]
Among the various updates to the list in Version 4 that reflect the changing attack landscape is a recommendation to run client-side applications in a separate virtual machine to minimize the impact of an advanced attack, Cole told Dark Reading. "A lot of the additions we've [made in Version 4] focus on APT-style things."
William Pelgrin, president and CEO of the Center for Internet Security, and chair of the Multi-State Information Sharing and Analysis Center (MS-ISAC), says security has historically been too strategic. "It needs to be much more tactical," Pelgrin said in the teleconference today. "Take those areas where you have the highest risk and your critical components and deal with them first."
Organizations can't fight threats all alone anymore, he says. "The days of trying to do this alone are gone ... Anyone who says they can do it on their own is destined for failure."
But Pelgrin and other experts concede that the controls can't stop every determined attacker. "Some things are totally out of our control, like a zero-day exploit, for example," Pelgrin said. "But with the Top 20, you've solved the majority of issues facing your enterprise from being exploited. We really need to have these baseline standards."
While deploying the Top 20 may be the ideal, it's not realistic for all organizations, especially smaller ones with limited resources and budget.
Secure Anchor's Cole says implementing two or three of them can make a big difference. "The biggest problem we see is in asset management, controlling what devices are in your network with BYOD," he says. Automated asset management would be a good start, he says. And automating controls is key to keeping up with the newest threats, he says.
"If I had to pick one, it would be Critical Control #3, configuration management. If you have a secure configuration in hardening and locking down services and ports and software, you're really going to get the best payoff," Cole says. And checking #3 off the list first requires Controls #1 and #2, the inventories of authorized hardware and software, respectively, according to Cole.
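To make that dependency concrete, here is a small added example (written for this page; it is not the CCA's or Cole's code, and the hosts, MAC addresses, port baseline, and scan output are all constructed). It reconciles a scan of what is actually on the network against an authorized hardware inventory (Control #1), an authorized software list per host (Control #2), and a per-host port baseline (Control #3). A device that is not in the inventory cannot be judged against any baseline at all, which is exactly why #1 and #2 come before #3; the script also flags inventoried devices that did not show up, since a stale inventory is as much a #1 failure as an unknown box.

```python
"""Reconcile observed hosts/services against authorized inventory and baseline.

Added example, not from the article. Every host, MAC, service and port below
is constructed for illustration.
"""
from dataclasses import dataclass

# Control #1: authorized hardware, keyed by MAC (constructed records).
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": {"hostname": "web01", "owner": "ops"},
    "00:11:22:33:44:02": {"hostname": "db01", "owner": "dba"},
    "00:11:22:33:44:03": {"hostname": "app01", "owner": "dev"},
}

# Control #2: software each inventoried host is approved to run.
AUTHORIZED_SOFTWARE = {
    "web01": {"nginx", "openssh"},
    "db01": {"postgresql", "openssh"},
    "app01": {"tomcat", "openssh"},
}

# Control #3: hardened baseline, i.e. the only ports each host may expose.
BASELINE_PORTS = {
    "web01": {22, 443},
    "db01": {22, 5432},
    "app01": {22, 8443},
}

# Constructed scan output: mac ip open_ports services (one host per line).
SCAN = """\
00:11:22:33:44:01 10.0.0.11 22,80,443 openssh,nginx
00:11:22:33:44:02 10.0.0.12 22,5432 openssh,postgresql,redis
00:11:22:33:44:99 10.0.0.77 22,8080 openssh,tomcat
"""


@dataclass(frozen=True)
class Finding:
    control: int  # Critical Control the finding maps to: 1, 2 or 3
    host: str     # hostname when inventoried, otherwise the raw MAC
    detail: str


def parse_scan(text):
    """Turn the whitespace-separated scan lines into host records."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, ip, ports, services = line.split()
        hosts.append({
            "mac": mac.lower(),
            "ip": ip,
            "ports": {int(p) for p in ports.split(",") if p},
            "services": set(services.split(",")),
        })
    return hosts


def reconcile(scan_hosts, authorized_hw, authorized_sw, baseline_ports):
    """Return findings in scan order, then inventory entries never observed."""
    findings = []
    seen = set()
    for h in scan_hosts:
        seen.add(h["mac"])
        record = authorized_hw.get(h["mac"])
        if record is None:
            # Control #1 failure: no inventory record, so no #2/#3 baseline
            # exists to compare against. Report it and move on.
            findings.append(Finding(1, h["mac"],
                f"unauthorized device at {h['ip']} exposing {sorted(h['ports'])}"))
            continue
        name = record["hostname"]
        for svc in sorted(h["services"] - authorized_sw.get(name, set())):
            findings.append(Finding(2, name, f"unauthorized software: {svc}"))
        for port in sorted(h["ports"] - baseline_ports.get(name, set())):
            findings.append(Finding(3, name, f"port {port} open but not in baseline"))
    # Inventoried devices that were not seen: the inventory is stale.
    for mac, record in authorized_hw.items():
        if mac not in seen:
            findings.append(Finding(1, record["hostname"],
                                    "inventoried device not observed in scan"))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_scan(SCAN), AUTHORIZED_HARDWARE,
                       AUTHORIZED_SOFTWARE, BASELINE_PORTS):
        print(f"CSC#{f.control} {f.host}: {f.detail}")
```

Run against the constructed scan, it reports web01 exposing port 80 outside its baseline (#3), db01 running redis that nobody approved (#2), an unknown MAC at 10.0.0.77 (#1), and app01 missing from the scan (#1). In practice the scan input would come from a tool such as nmap or from DHCP/ARP logs, and the authorized lists from a CMDB; the reconciliation logic stays the same.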
So far, more than 13 states in the U.S. have adopted the Critical Controls, including Colorado, Ohio, Michigan, and New York.
Members of the CCA are American Express, Booz Allen Hamilton, Citibank, Core Security, U.K. Centre for the Protection of National Infrastructure, U.S. Department of Defense Cyber Crime Center, U.S. Department of Homeland Security, U.S. Defense Information Systems Agency, U.S. Department of Defense, Goldman Sachs, Mandiant, McAfee, Mitre, nCircle, NSA, Qualys, Symantec, and Tenable.
The full Top 20 Controls list is available here.