
This is a pretty great conference, isn't it? I was really impressed with the extemporaneous speaking last night, so I asked a rogue clown to mess with my slide deck just to see what would happen. So we'll see what she did to me here. I'm Ken Evans, and yes, I am a CISSP, and I know you're going to count that against me. I tried to call Eve Adams to get an "obey Ken" license, but I couldn't get a hold of her last night, so I can't add it to my slide deck. And some other contact information.

As you know, today's defenders, us, are being overwhelmed by circumstances in our environment. We've got all these different forces coming at us: we've got budget cuts, we've got consumerization of IT, and as a small-company practitioner, or small-company IT department, I start to ask myself the question, can we even do this? Can we even supply effective information security?

So this is me. You can tell the resemblance by the bald spot on the top. I'm in charge of an IT department, a registered investment advisory firm, an insurance group; those are all code for regulations. And I've got a lot of decisions to make. My company's growing up; we're growing up from a startup, we're growing up into kind of the middle enterprise area, and I know we need to have an effective security plan. But basically I'm looking around, I'm overwhelmed. I've got the shiny new device syndrome that everybody gets, even though I luckily made some good choices. You know, I've got Palo Alto, I've got FireEye, I've got some fair choices in there, but still I was looking for that silver bullet. I was looking for that one thing that's just going to come in there and fix everything for me and take care of everything. And then I found, oh well, we need a framework. Okay, no problem. So I started doing some research on that and I found this NIST 800-53. Holy crap. So I'm sitting on an airplane, it's 253 pages, I'm trying to digest, I'm coming back from San Francisco, long flight, and I hire an assistant named Jack. That didn't work out too well, as you can probably imagine.

So here I am at the corner of Lost and Confused, right? I just need something simpler for my organization. It's a small, small business, for God's sake. I mean, NIST is great, but I'd like to go there someday; can't go there right now. So I needed something understandable. Like I said, 253 pages is just not going to cut it for me. I need something achievable in my lifetime, before I, you know, pass away. I need something affordable; some of these standards are excellent but are very expensive to get started in, or even to get access to the information. ISO, excuse me. I need something real-world and security-based, not just compliance-checkmark-based. PCI, excuse me, I've got some allergies in here. You know, I need something that's in line with other standards we might adopt later. My boss thinks he's doing business in Europe at some point in time, so that probably does mean ISO for me. So, in short, I needed a miracle.

So I stumbled on the Critical Security Controls. And so what exactly are these controls? They are a set of technical controls selected and prioritized by consensus agreement. Let me back up for one second: they are technical controls. They are not physical and they are not process controls. They are, again, prioritized by consensus agreement by government agencies, many large companies, and several large forensic firms, which I am promised everyone will know the name of, but no one will actually admit it because they don't want to be a target. But I speculate on some of the names that are in there, and there are some of the big ones.

So what are some of the benefits of a consensus of this group? It's hard to get a consensus out of, you know, a couple hundred people for anything. So as a smaller company, it supplies me with valuable security intelligence. I don't have time to be watching everything that's going on, but I'm effectively multiplied by the effect of all of these organizations that do have a lot more resources than I do. It keeps my programs current, as the controls are looked at and revised year after year, and it lets me know what my peers are doing. It lets me know what they think is important, so it helps keep me on track and minimizes the amount of energy that I have to spend worrying about prioritizing certain things. Some additional benefits are, as I mentioned, it's a solid platform to build other standards on, like NIST or ISO or even PCI. It can be used as a roadmap, and it can be a starting point for those who are under assault and just don't even know where to begin.

So this is the CSC BoK, or body of knowledge; it just sounds so much more formal that way. It's largely contained in a 90-page PDF, which includes pictures, so I mean less than 90 pages of reading, really, and it's also encapsulated in the poster. Now I'm going to refer to this poster a couple times, but I stole about 200 of them from SANS. I have them at the edge of the room; they're very cool if you are interested in this project, so pick one up on your way out.

So some of the core principles of the security controls. First, that the offense informs the defense, so we want to focus on actual attacks, not theoreticals. We're going to come back to each one of these in more detail. Automation: you know, attackers are using it; we need to do it too. Metrics: we have to measure what we're doing to make sure it's even effective. And there it goes. Continuous monitoring: are the controls really still in place, and are they really functioning?

So let's talk about offense informs defense. We have all of this stuff. We have years of experience, policies and frameworks, firewalls, antivirus, IPS, vulnerability scans, pen tests, etc., etc., etc., and we are still being owned. So why is this? Well, it could be that we're sometimes focused on just doing things instead of doing the right things, or doing good things versus the right things. So let's look at that a little bit further. So what is effective security? I borrowed this slide from Dr. Cole at SANS, and you've probably all seen this formula before: threats times vulnerabilities equals risk. Now you all know in multiplication, if you bring either of these on the left side of the equation to zero, the product of the equation is zero. In other words, your risk will be zero if you can eliminate all threats, or if you can eliminate all vulnerabilities, you'll get zero risk. But we really don't control threats; threats are from the outside. Vulnerabilities are the only thing that we can control, so we tend to focus on that part of the equation while ignoring the threats. Well, while vulnerabilities, like I mentioned, do reduce risk, it really should be the threats that drive the risk calculation. In other words, if the threat for a particular vulnerability is zero, this equation is already at zero, right? So we want to find real threats, not theoreticals or long-shot threats. Two more words to associate with this: our threats equal offense, and our defense centers around fixing vulnerabilities. So there's your offense informs defense.

So we really need to prioritize our threats, because otherwise we'll just be running around doing the wrong thing. Let's compare. So take penetration testing versus application whitelisting. So penetration testing, very sexy topic, as Steve was just pointing out; it's the thing everybody loves to do. Versus application whitelisting: it's a big topic right now, kind of difficult, sometimes expensive to implement. Well, on the scale of the critical controls, this is rated as Critical Security Control 20, so that's the lowest level of priority, and application whitelisting is rated as two. Well, why is that? It's likely that if you are penetrated by a, or if you're reached during a pen test, they're basically going to start to install some toolkits, look around. They're going to start to execute some code that doesn't belong in your environment as part of their process of moving around your system. Well, if you have application whitelisting installed, you're going to basically stop them from executing code that you don't want running in your environment, that you have not approved.

Let's take another one: data loss prevention versus continuous vulnerability assessment and remediation. So DLP, another big sexy product that you can be sold at conferences like RSA. Continuous vulnerability assessment, that's generally product-based too. But, you know, unless you really have an insider threat, if your DLP program is about data being exfiltrated out of your environment, this is rated as Critical Security Control 17, pretty high, and this is rated as number four. Well, why is that? It's because it's likely that a vulnerability is going to be exploited in the process of exfiltrating your data. So why not just start with the core thing, fixing the vulnerability that gave them access to the data and the ability to exfiltrate it in the first place? So coming back around, we do a lot, and reducing vulnerabilities is good, but fixing the right vulnerabilities is really critical to our organization, primarily because we all have limited time and resources and money. So prioritization really is an absolute requirement.

Let's talk a minute about automation. If this represents your manual process, this would represent your automated process; got a nice little engine on the back there. So the bad guys are using automated tools; we should too, right? It doesn't matter how bright you are, and there are a lot of bright people here, but automation is always going to win. Imagine a race between these two things. We don't have enough trained defenders to support manual processes, and manual just does not scale, and that's probably all I need to say in this room about that topic. There is a caveat emptor with regards to automation and the Critical Security Controls: some controls do have a manual validation component. It's kind of hard, for example, to validate your backups with software. I've seen one company that's trying to get there, but in essence, obviously, to validate your backup you're rebuilding an environment, you're restoring it, you're making sure everything's there; there's a lot involved. Security skills gap assessment, number nine, is a manual one. Pen testing is obviously half art and half science, so you can't replace the art part. Incident response, Critical Control number 18, and secure network engineering, another one. So some of your processes may also have manual components when you're getting started, until you can actually improve them.

So let's talk for a minute about metrics. It's really critical to measure and audit what you're doing, and you basically need to prove that you're focused properly and that your expenditures are effective. That's the best way to get more money out of management, frankly. So what kind of metrics do we want? Well, we want metrics that the security group can define, that it can actually implement something that they've defined, that auditors can measure, and that management can understand. When you get all of that in sync, I call it the circle of love. Only one girl there. Okay, well, thank you for that observation.

Let's talk about continuous monitoring. We need to carry out continuous monitoring, auditing and testing. We need to test that the controls that we've put in place are actually working. Not a Critical Security Control, but a related story: recently the electricians in our building needed to work on the power, and they asked us if they could drop the power in the building. They said, we can do it hot, but we'd prefer, you know, if we could drop the power. And so, okay, we made the brave decision to throw the mains and go on battery, right? It's been a long time since we've done it, kind of nervous about it. Threw the mains, on battery, everything's great, no problem, except my pager is not going off. So we accidentally discovered, and you know, we ended the test and put it back online, we accidentally just totally tripped on the fact that somewhere our notification system had been changed or broken down. So that's an example of continuous monitoring. You've got a control in place, but how do you know it's working six months later? It could have been broken or changed anywhere in that chain. So it's important to do that, and also to validate the effectiveness of the controls you've put in place. So a lot of people, when they say continuous monitoring, this is what they think: I've got enough going on already. But the truth is, remember that automation thing, this can be you after continuous monitoring; check it from the beach.

So I've talked a lot about the Critical Security Controls, but let's just walk through the list real quick. So, introducing the Critical Security Controls. I broke them down into large text, so we're going to have a couple screens of them. You'll notice this column for the NSA attack mitigation assessment score; that is the primary thing that controls the ranking. Remember, it's driven by threat. So we start with our very highs. We have inventory of authorized and unauthorized devices; inventory of authorized and unauthorized software; secure configurations for hardware and software, laptops, workstations; continuous vulnerability assessment and remediation; and number five, malware defenses. Continuing on, we have application software security; wireless device control; data recovery capability; security skills assessment and appropriate training to fill the gaps, that's an interesting one to tell management about; secure configurations for network devices such as firewalls; limitation and control of network ports, protocols and services; controlled use of administrative privileges, how many XP boxes were still running out there as admin; boundary defense; maintenance, monitoring and analysis, and that should have been continuous maintenance, monitoring, analysis of security audit logs; controlled access based on need to know; account monitoring and control; data loss prevention; incident response management; secure network engineering; and penetration tests and red team exercises. So those are the 20.

Here's an interesting way to look at it. It's going to be something like this on the poster; I break it down slightly differently, but here's what the NSA will say are the actions that adversaries take during an attack to get into your systems. So they start with reconnaissance, then they get into your system, then they take steps to stay in your system, and then they execute the exploit. The critical controls actually stack like this: we've got a couple that work in the reconnaissance bin, got a couple that work in the get-in phase, a couple that impact the stay-in phase, and a couple that stack up in the exploitation phase. So it's an interesting way to consider the controls, in addition to just the straight-up ordered list. Again, that's going to be on the poster. Here is another interesting way to look real quick at the Critical Security Controls. For the first time, the Verizon threat report for 2013 has included a section on the critical controls, and the threats as they classify them on this side here on the left, and then they've built a grid that says which of the critical controls affect these particular threats that we have found. So that's a new piece of information.

So I've been trying to bait you in: there's only 20 critical controls, how hard can it be, right? Well, I lied. There are actually 198 sub-controls; each control has four to 17 sub-controls. However, this is actually good news, because unlike PCI, which just says you must have a firewall between untrusted zones of your network and they're done, the sub-controls actually literally define, tell you, what you should be doing for each of the controls. So it is actually more guidance; it's actually more useful than some of the vaguer standards that don't commit, sort of like FINRA and SEC.

So how are the sub-controls categorized? So we start with quick wins. This is sort of your Pareto principle, 80/20: you can do this fast, it generally doesn't cost as much, and it constitutes a lot of your defenses. Then we have improved visibility and attribution, which is just more monitoring and more information about your environment. We have hardened configurations and improved hygiene. And then we have advanced controls, and these are basically going to be your more expensive, high-end tools to really prevent the most determined attackers. So what were those categories again? Well, let me illustrate it like this. Say you've been put in charge of protecting a critical government installation. So what might your first step be? Well, the first thing you might do is just throw up a fence, right? This is your quick win. This is going to stop the majority of the people that are trying to get into the area that you're going to protect. So after that, you might add some visibility and attribution, some lights and cameras, so you can monitor your control and its effectiveness and see how many people are approaching the fence and are turned away. Then you might need to maintain and configure the control properly, so we added an access road here so we can drive along and look for holes in the fences and fix those, or make sure the contractors installed it properly, or whatever. And then finally you have your advanced control, which is represented here by a second fence and some razor wire. Now notice in the analogy the complexity of the advanced control versus the quick win: they're both fences, but the advanced control has got a lot more going on here, a lot more complex, probably a lot more expensive. It's really there to stop the most determined attackers.

So let's do a deep dive through Critical Security Control number one, which is inventory of authorized and unauthorized devices, and we're going to look at how the controls are structured in the documents and how each control is applied. So each control is going to have an overview section; in this case it basically states the processes and tools used to track, control and prevent network access. Basically, anything that has an IP address is what the control's after, monitoring. So the first section after the overview, we have a processes and tools for implementation discussion, and it says in English what you're needing to accomplish. You want to do an active scan for network assets; you want to record IP and MAC addresses; you want to determine the owner of the asset once you find it; you want to create an asset database; you want to implement 802.1x and NAC; you want to scan for ports, services and other things to fingerprint machines; and finally you want to implement passive scanning for devices that you're not expecting on there.

So let's break that down again. There's three quick wins listed in Critical Control number one. Remember, the fence is our quick win analogy, the 80/20 thing that's not expensive to get in place and prevents a lot. So the quick wins for Critical Control number one are to create an asset inventory from both passive and active scans and put that into an asset database; feed your DHCP logs into the asset database; and make sure that new equipment adds itself into the asset database. Caveat: you can also use a change control process here if you wish to. Now stop real quick and compare this versus some other standards that you've seen. This is a pretty straightforward set of steps that they're saying that you should be taking. Visibility and attribution, remember that those were our lights and cameras that we're watching the fence with. We have one in this for Critical Control one: improve the asset inventory database by adding additional information like the owner, the name, what the system does, what its criticality is. Basically flesh out that asset database so that during an incident or something like that you have all that information at hand. Then we have our configuration and hygiene controls, and again, those were about making sure the controls are properly configured and those types of things. So we have five of those: protect and secure that asset database that you built; map critical data that's in your system to which hardware pieces it actually lives on; deploy 802.1x using the asset database; deploy NAC and isolate unauthorized systems; and use separate VLANs for BYOD and untrusted systems. And finally our advanced control, which we have one of: use client certificates to identify first and then authenticate prior to private network connection. So that is actually, for those of you that play in this space, that in combination with NAC is about as high as you can get.

So what are the metrics for this particular control? Why are we doing this, and what are we going to measure? Well, we want to identify new unauthorized devices connected to the network within 24 hours. We want to make sure an alert has gone out to the fact that a device has been connected, and that alert should be repeated until the alert is resolved. We want to isolate that device from the network within one hour of detection. We also want to notify that the isolation is accomplished. How do we test that? Well, we go in and periodically connect 10 devices to the network. We want to spread it across different network segments if you have them: you want some in the DMZ, you want some out at the data center, you want some back at the office, and two of these devices should have never been seen by your asset database, so you've got zero knowledge about at least two devices. So you want to verify that they were noticed and that you got the "hey, this device is connected" email within 24 hours, and you want to verify that it was isolated into a VLAN within an hour. Now those are just starting metrics, by the way. The documentation will come right out and say 24 hours in our opinion is kind of loose; you want to make that closer to an hour. But you know, this is a starting point to just get the program in place. You also want to verify that you received the isolation notification email within an hour. So this is analogous to "hey, my pager didn't go off." Okay, you put this control in place; you actually got to test it to make sure you're literally getting these emails.

So how do we get started, if this is interesting you and you want to look at implementing this in your environment? So first you need to familiarize yourself with the controls, and there's two primary methods of doing that. One is to read them, and they're hosted currently at sans.org. Or take a class, as another method. Or I've just recently stood up a website called CSChub.com, and I'm basically just trying to collect all things that have to do with the Critical Security Controls there, in kind of a community, public-domain environment. When you're looking at the controls, start to look for overlaps, based on your environment, and we'll go over that more in a second, and think of tools and processes that you already have in place that you can leverage. A lot of these things you may have going already in these categories.

So let's talk about the overlaps. For example, that asset inventory database from control number one, the inventory of hardware assets, that same database can possibly be used for inventory of software assets, so there's an overlap there. Another overlap is network access control: the inventory from Critical Control 1 can also be used in Critical Control 7 for wireless device control, because if you've got a limited number of wireless access devices you want attached to your environment, when a new one shows up you need to know it and maybe block it, and that's part of Critical Control 7, the wireless device control. Here is an example, an extreme example in my opinion, according to Tripwire. I personally am not sure I agree with this, but this is an example, and you don't need to read everything, just kind of eyeball it. This is an example of how many overlaps across the multiple controls you may be able to find in your environment.

So how do you implement this stuff? Well, of course the answer is always "it depends." It depends on your environment, but here are a couple common paths for implementation. First, most pressing: if you're being owned, if you know you're vulnerable in a spot, you know, just go there. Pick out whichever controls deal with that particular spot and just fix the real problem. Gap analysis is another method; this is useful if you've got some controls already in place and you want to decide how far they are from where they should be versus where they are. Some additional methods are: go from the quick wins to the advanced, and this is most useful to get a lot of stuff in place quickly, maybe most useful for small environments, small business environments where there's not a lot of budget but they want to get started with infosec; just start sweeping through all the quick wins and work your way up the stack. And then tool influence: you may have tools that you own that already deal with a lot of these things, so that's another good place to start too, since you've already spent the money. Speaking of that, if you happened to see the article about the Colorado CISO that revamped the whole state infosec program for a mere $6,000, that's what he did. He decided to bring in the Critical Security Controls, and the first step he did, he inventoried his environment and he said, we already own a bunch of this stuff we're not properly utilizing. So he stopped all new acquisitions and basically made better use of what he had to implement the Critical Security Controls.

And finally, on the poster you're going to see a new "getting started" part one and two section, so let's review those real quick. So they point out that controls 2 through 4 have five quick wins that have a huge payoff. For anybody who might be familiar with the Australian 35 that came out about two years ago, they said these four things prevent 80% of attacks; in our opinion this is kind of analogous to that. So application whitelisting, huge one, but kind of expensive sometimes; use common secure configurations; patch application software within 48 hours; patch system software within 48 hours; and reduce the number of users with administrative privileges. Now you may be doing a couple of these, especially those patching ones, but one of the things is, are you measuring it? Can you prove it to yourself, can you prove it to someone else that you're actually doing it? Are you doing all of your systems? My favorite one to not patch is Oracle, because, oh my God, what a pain in the butt to take a night or a weekend to take the whole system down, and you know, with Oracle things go wrong when you try and bring it back up; suddenly it's not working. So that's my favorite one to leave lagging. Well, if there's a measurement system, I get called out on that, right? All the other sysadmins know that, yeah, Ken's not doing his job again. So again, that's on the poster. Then part two is start asking and answering key questions. What are you in fact trying to protect? This is sort of like a data-centric approach, sort of like Steve was talking about; he called it a vector-based approach. But what are you effectively trying to protect, what devices and data? So what are your gaps on the protections for that particular set of things you're trying to protect? And then what are your priorities amongst that group? And then where can you automate? What tools do you already own that can just jump in there and help you? Also, what tools from vendors might help a lot? So again, that's outlined on the poster.

So I'm a small business environment, and it actually makes me unhappy every time I want to go do anything and I need $50,000, right? It's just not going to happen all the time, not to mention it's the shiny toy syndrome; it doesn't exactly fix all the problems, it's basically often vendors selling you hype. So I'm very keen on what you can do in your environment with what you've already got. So some controls can be implemented with what you have. Well, you've got AV already, right? So can you get it to report malware to you within a certain time period? Can you get it to quarantine and email you within a certain time period, and then can you validate that it's actually happening? Probably. And that's control number five. Control number one: you can run nmap against your devices, you can diff the results every single day, or every hour depending on how aggressive you want to be, and you can email yourself the changes. In other words, you can build a baseline and keep comparing against the baseline. How expensive is that? Of course, don't try that on IPv6. I get you, but Americans don't implement IPv6; the problem is it takes about a decade to scan a network range with nmap. And also whitelisting: there is a poor man's way to do whitelisting, and NSA published it like two years ago, and it's based on Windows SRP, stuff that we all already own and probably are not touching. So it's based on SRP and a couple procedures, and you can have application whitelisting for not spending a dime. Another project that I was very excited to learn about is the PoshSec project; you guys may have heard about it in some of the other talks. I'm a PoshSec groupie. How many people have a PoshSec phone? Nobody? I do. So you can see here that PoshSec is currently handling something on many of the security controls, but they're planning, if they keep to their schedule, by Grand Rapids, GrrCON, having something in place for 14 of the 20 Critical Security Controls. Don't have to spend a dime; you can get many of the controls underway with the PoshSec code. How cool is that?

So there's some more sources that are available. I mentioned the CSChub.com site; literally finally got stood up at 4:30 in the morning. My vendor apparently didn't know how to make a DNS record, and I had to keep calling and hanging them. So it looks like a two-year-old designed it right now; don't hold it against me, I was just trying to get it in place. The forums are not out there right now, but a lot of links to case studies and other resources are out there. But basically, with your help, with anybody who's interested in this topic and implementing it in their environment, I want to build a premier community resource and a community center to have a discussion about the Critical Security Controls and how they can be implemented. Also, I mentioned PoshSec; I'll throw that up again. And I also have some contact information for myself at the CSC Hub. I am also a SANS mentor, and in October I'm actually teaching the Critical Security Controls class in the SANS Mentor format. Now this is going to be a very cool class for one reason: that's because we're going to take the critical controls across 10 weeks and meet one night a week and discuss one to three of the controls, and there's going to be 10 or 12 of us sitting in a room, and we're actually going to have the opportunity to discuss what we found in our environments when we studied a control and then went back and looked at our environment. So what challenges did you find? It's going to be 50% learning, 50% consulting when it really comes down to it, because you're going to have access to your peers and how they're handling the same control in their environment. And I was surprised to learn this: there is actually an amazing 15% discount on that course, in addition to the early bird pricing; that gets the price of that course down to about $2,600. Anybody that's taken a SANS course before knows that is a great steal. There's a brochure next to the poster that has more information on the link to this course if you're interested.

So I went pretty fast, so I have time for questions, if anybody has any. Go ahead.

[Audience question, inaudible]

Well, I'm a little bit unique in that my FTE, or full-time equivalent, dedicated to security is about 75 people. Okay. So we got through a gap analysis, we identified where we wanted to focus, and we are trying to start at the beginning and implement Critical Control number one. That doesn't mean we don't have a lot of things in place, but that means we're trying to actually get the proper metrics feedback from control number one. That's where we decided to start. This is really depending on your environment; it's a multi-month or a multi-year project. For us it's a three to five year endeavor, just because of the small size of our environment, but you know, we need to start somewhere. So I think you had a question.

[Audience question, inaudible]

Yeah, I've heard, and I'm not an expert in any of those, so I can only tell you what I've heard. I've heard PCI, no problem. There actually, you'll find in some of the resources, mappings to NIST, to PCI, a couple. I'm not sure about HIPAA or some of the others. Did you have a comment on that, or another? Okay, I'll get to you in a second, sorry. But yes, because as you all know, when you become compliant you don't necessarily become secure, but when you become secure you almost certainly are compliant, and that same effect is involved here. So go ahead.

Audience member: [inaudible] had the power issue [inaudible] recently, alerts haven't gone off. It's like, why? That alert has been working for years, why did it not work now, what happened? And going back and finding out [inaudible]. So I ask you, with regard to how you started your process, did you decide to go "we're going CSC 1, CSC [inaudible]," or did you go for the quick wins to try and get at least as much as you can taken care of across the whole, you know...

In our environment, what will probably end up happening is we will probably sweep the quick wins first. We have a bunch of things in place; I name-dropped FireEye and Palo Alto, so some of those things are the only thing that has saved me from serious compromise so far. We just recently implemented AlienVault, which has the [inaudible] which you talked about. So we've got a lot of stuff laying around; we're probably going to end up sweeping the quick wins and actually putting those tools that we already own into use and getting official metrics and monitoring out of them. So in our case, in a lot of areas, the thing that we need to add is the monitoring and testing components; a lot of the controls were already in place.
interesting the other thing sh folks really well for us is we do a circle bubble chart controlers don't have thinkology that
as that's kind of cool if you have one you could sanitize you wouldn't mind me posting on the site that'd be great
that might that probably makes sense in a lot of environments I can tell you like the state department took a totally different Tac they were the first ones to kind of prove the effectiveness of these controls and they decided uh oh crap it was number 10 I think uh and it might have changed numbers between the two versions so you're going to have to let me go with they they picked one control that was their it's I believe it's outlined on the poster that was their major uh problem across all of their embassies across the world and they implemented that one control and it reduced 85% of their uh problems and and they basically graphed it and uh all
that's explained on the chart also so yeah there's a bunch of different ways to handle it's whatever makes sense for your environment anybody else I'm standing between you and lunch but go ahead yes also if I'm not mistaken this uh YouTube is going to be available once I get the uh I don't know if I'll put the slide deck out I might put the um I I could um but certainly the link to the YouTube will be out there too okay oh great it's oh go ahead that's only one of the yes I lot more when you're Administration going okay so this is what is recommend okay you have the whole 800 series yeah if
you try and do all of it all of it you might as welling up a month of your life yeah same with ISO understand all yeah yeah I mean I don't know if I communicated it but I am really very excited about that the fact that this is doable for my organization this is achievable like I said in my lifetime you know before I die so great all right well great thanks guys [Applause]