Why Your Security Journey Begins but Doesn’t End with the CIS Controls

Any organization of significant size needs two things if it is to succeed in building a security program. First, it needs a list of defined outcomes for that program; in other words, what does it expect to accomplish through its security efforts? Once that has been answered, or at least discussed, it can build a process by which to meet those outcomes.

Sure, that’s really easy for us to say, but figuring out these two items can be difficult and complex. That explains why many of us end up turning to standardized frameworks such as NIST’s Cybersecurity Framework or the CIS Controls (among others). These measures help organizations effectively map out what their journey towards a robust security program could or should look like. Standards such as these particularly resonate with CISOs and CSOs, executives who are always looking for something to measure in support of the organization’s security processes… after all, they too need to report their results up the chain. With the CIS Controls, for instance, a CISO should be able to determine how far along they are in implementing one control before they begin focusing their attention on some of the others.

But this all raises the question: what kinds of protection do standardized security measures like the CIS Controls ultimately offer?

In this blog post, I’ll discuss how organizations are using three of these guidelines in particular—CIS Controls #7, #8 and #13—to harden their networks against cyber threats. I’ll take a moment to clarify why these security measures, along with others like them, don’t offer comprehensive protection to organizations. Responding to that reality, I’ll then discuss how network detection and response (NDR) can help fill in the gaps that may remain as you work your way through the controls.

3 CIS Controls and What They Do

While there are 20 categories of controls published by the Center for Internet Security, let’s take a very quick look at three specific CIS controls to see what they are and what types of security functions they bring to organizations:

CIS Control #7

CIS Control #7 is often used as a guideline if we’re looking to minimize the attack surface in terms of cyber criminals manipulating email systems and web browsers. Towards this end, we can implement this control by allowing the use of only supported web browsers and email clients in the workplace. We should also implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.

CIS Control #8

All of us have an incentive to not only block malware from spreading throughout the network but also prevent it from infecting one of our systems in the first place. For these objectives, CIS Control #8 is used. By deploying a centralized anti-malware solution to monitor all workstations and servers for behavior indicative of malware, you may be able to minimize some of the risk and damage caused by malware-based threats. Under this control, we may also look to bolster our protection by enabling Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) as well as deploying additional toolkits that help to protect applications and systems even further.

CIS Control #13

CIS Control #13 is all about helping us ensure the privacy and integrity of information stored on our systems. Under this guideline, it probably makes sense to deploy a data loss prevention (DLP) tool that can monitor for unauthorized transfers of sensitive information. Those of us who implement CIS Control #13 might also want to consider creating an inventory of USB devices that are allowed to connect to workstations and other network assets.

Where These Measures Fall Short, NDR Rises Up

There’s not one of us out there who wouldn’t see security gains from implementing CIS Controls 7, 8 and 13. Even so, there’s not a security professional in the world who would believe they’ve achieved complete and effective protection against digital threats by doing so.

So, what should organizations do?

One of the best options available today is to look into deploying a network detection and response (NDR) tool. These solutions are useful in that they provide a complete picture of what’s going on in your network environment after implementing fundamental measures like the CIS Controls discussed above. More specifically, NDR tools stitch together information collected across the entire security and network stack to give context about potential security incidents and other goings-on in the network.

Augmenting the CIS Controls Using Lastline

I bet you want to see this in practice. Don’t worry; I’ve got you covered. Let’s take a look at how Lastline Defender can specifically help us augment the security functions offered by CIS Controls 7, 8 and 13.

CIS Control #7

With this particular control, Lastline helps web and email security solutions by ingesting data and providing additional threat protection. Say Barracuda, Forcepoint, or one of the other providers with which we partner detects an incoming message with a suspicious attachment. Lastline is able to evaluate that attachment and send back detailed information about any malicious behaviors it attempts to perform so that the solution can make a more informed decision on whether to take action. By extension, this context helps web and email security solutions provide better protection for their customers.

CIS Control #8

Let’s just say Lastline is extremely familiar with advanced malware protection and general malware detection. Indeed, at the heart of Lastline lies the understanding that we all need more than just endpoint and antivirus solutions to defend against malware. The evolving threat landscape makes it so for two reasons. First, 65 percent of malware is unique these days, meaning these samples don’t have a signature that traditional security solutions can detect. Second, threats like WannaCry and Emotet are able to spread throughout entire networks using exploits such as ETERNALBLUE and other vulnerabilities. Such behavior makes it difficult for organizations to defend themselves against modern threats if they rely solely on deploying endpoint agents. Lastline’s unique ability to peer deep into malware, which allows us to fully understand and recognize abnormal or malicious behaviors and stop threats from spreading throughout your environment, is a fantastic way to shore up your defenses and lock down this control.

CIS Control #13

Last but not least, Lastline can help defend the privacy and integrity of organizations’ information by watching for suspicious network activity. That includes a malicious insider (or an attacker using stolen privileged credentials) trying to move data out of the organization. Using AI, NTA and artifact analysis, Lastline can examine these data transfers across both your on-premises and cloud-based environments. It then compares these events to network activity baselined as normal. If it finds something out of place—for example, someone attempting to exfiltrate data who has never done so before—Lastline will flag this activity so that security personnel can respond.
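The "compare to a baseline" logic described above, as an added illustration that is not Lastline’s code: each host is judged against its own history of outbound volume and destinations rather than a single global threshold, so a backup server’s large but routine transfers stay quiet while a workstation’s first large upload to an unknown destination is flagged. The host names, destinations and flow summaries are constructed.

```python
"""Per-host egress baseline check (added example; constructed data, not Lastline's code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily flow summaries: (day, source host, destination, bytes sent outbound).
HISTORY = [
    (1, "ws-42", "crm.example.invalid", 20_000), (2, "ws-42", "crm.example.invalid", 25_000),
    (3, "ws-42", "crm.example.invalid", 22_000), (4, "ws-42", "crm.example.invalid", 24_000),
    (1, "ws-07", "backup.example.invalid", 900_000), (2, "ws-07", "backup.example.invalid", 950_000),
    (3, "ws-07", "backup.example.invalid", 920_000), (4, "ws-07", "backup.example.invalid", 940_000),
]
TODAY = [
    (5, "ws-42", "crm.example.invalid", 23_000),
    (5, "ws-42", "paste.example.invalid", 600_000),   # new destination, far above ws-42's norm
    (5, "ws-07", "backup.example.invalid", 930_000),  # large, but routine for this host
]


def build_baseline(flows):
    """Per host: (mean daily egress, population std-dev, set of destinations seen)."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        daily[host][day] += nbytes
        dests[host].add(dst)
    return {h: (mean(d.values()), pstdev(d.values()), dests[h]) for h, d in daily.items()}


def detect_exfil(baseline, flows, sigma=3.0, new_dest_min_bytes=100_000):
    """Return (host, reason) alerts for egress that deviates from that host's own history."""
    alerts = []
    totals = defaultdict(int)
    unknown = (0.0, 0.0, set())  # a host with no history has everything as "new"
    for _day, host, dst, nbytes in flows:
        totals[host] += nbytes
        _avg, _sd, known = baseline.get(host, unknown)
        if dst not in known and nbytes >= new_dest_min_bytes:
            alerts.append((host, f"{nbytes} bytes to never-before-seen {dst}"))
    for host, total in totals.items():
        avg, sd, _known = baseline.get(host, unknown)
        # Floor the spread at 5% of the mean so a very stable host does not alert on noise.
        if total > avg + sigma * max(sd, 0.05 * avg):
            alerts.append((host, f"daily egress {total} vs baseline {avg:.0f}"))
    return alerts
```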

Working with a framework like the CIS Controls is a fantastic starting point for any organization beginning its security journey. But understanding that these frameworks are only that – a framework – is critical to customizing your security stack so that the unique security challenges inside your network are met.

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.