Most people in information security have heard of the Critical Security Controls these days. The idea of a community risk assessment project that helps all of us prioritize our information security efforts is appealing to most of us. The sticking point everyone always comes back to, though, is "how do I start implementing an information security plan using the controls?"
There are a few different approaches to this question. One of the most common is to simply start at the first priority (#1) and work your way through the list. It’s designed to be simple to use.
Ideally, though, we would have a translation between business requirements and the technical sensors security analysts need to deploy in order to achieve all the goals defined in the controls. So we took it upon ourselves to answer that exact question: if someone took every sub-control in the Critical Security Controls (version 4.1) and mapped a corresponding sensor to each one, what would the resulting list of sensors look like?
This is the list that we came up with (in priority order):
- Hardware Inventory System
- Asset Inventory System
- Active Device Discovery Tool
- Passive Device Discovery Tool
- System Imaging & Cataloging System
- Authentication System
- Public Key Infrastructure (PKI)
- 802.1x Authentication System (RADIUS / TACACS+ / etc)
- Network Access Control (NAC) System
- Software Inventory System
- Software Whitelisting System
- SCAP Compliant Vulnerability Management System
- SCAP Compliant Configuration Scanning System
- Configuration Policy Enforcement System
- Patch Management System
- Vulnerability Intelligence Service
- File Integrity Assessment System
- Anti-Malware / Endpoint Protection System
- Email Anti-Malware System
- SPF DNS Record
- Web Based Anti-Malware System
- Web Application Firewall (WAF)
- Application Code Review / Vulnerability Scanning System
- Database Vulnerability Scanning System
- Application Specific Firewalls
- Wireless Network Device Management System
- Wireless Intrusion Detection System (WIDS)
- Backup / Recovery System
- Data Encryption System
- DHCP Server Logs
- Domain Name System (DNS) Monitoring System
- Host Based Data Loss Prevention (DLP) System
- Host Based Access Control Lists
- Host Based Firewalls / Endpoint Protection System
- Intrusion / Malware Detection System
- Log Management System / SIEM
- Network Based Data Loss Prevention (DLP) System
- Network Devices that Support VLANs & ACLs
- Network Proxy / Firewall / Monitoring System
- Password Assessment System
- Removable Media Control / Endpoint Protection System
- User Account Discovery / Inventory System
It certainly seems like a long list, but I would bet most companies already have many of these controls in place.
It seems to us that if an organization worked its way through this list as part of a gap analysis and then reviewed the controls, it would find that it had implemented the majority of the sub-controls simply by deploying these sensors. Certainly an organization will need to operationalize the controls too. But at least this might help a few organizations get started in their efforts.
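As an added illustration of the gap analysis described above (this is example code written for this post, not the authors' own tooling), the script below walks the priority-ordered sensor list, records which sensors an organization already operates, and reports which sub-controls remain uncovered and which missing sensor to add next. The sub-control labels and the sub-control-to-sensor mapping are constructed placeholders, not the real CSC v4.1 mapping the authors produced.

```python
from collections import OrderedDict

# Priority-ordered sensor list (first few entries from the post's list above).
SENSOR_PRIORITY = [
    "Hardware Inventory System",
    "Asset Inventory System",
    "Active Device Discovery Tool",
    "Passive Device Discovery Tool",
    "Software Inventory System",
    "Software Whitelisting System",
    "Patch Management System",
    "Log Management System / SIEM",
]

# CONSTRUCTED placeholder mapping, sub-control label -> sensors it needs.
# Not the authors' real CSC v4.1 mapping; a sub-control is covered only
# when ALL of its sensors are deployed.
SUBCONTROL_SENSORS = {
    "sample-1a": ["Hardware Inventory System", "Active Device Discovery Tool"],
    "sample-1b": ["Passive Device Discovery Tool"],
    "sample-1c": ["Asset Inventory System"],
    "sample-2a": ["Software Inventory System"],
    "sample-2b": ["Software Whitelisting System"],
    "sample-4a": ["Patch Management System", "Log Management System / SIEM"],
}

def gap_analysis(deployed, mapping=SUBCONTROL_SENSORS, priority=SENSOR_PRIORITY):
    """Return (covered, uncovered, missing): missing maps each absent sensor,
    in post priority order, to the uncovered sub-controls it helps close."""
    deployed = set(deployed)
    covered = sorted(s for s, need in mapping.items() if set(need) <= deployed)
    uncovered = sorted(s for s in mapping if s not in covered)
    missing = OrderedDict()
    for sensor in priority:
        if sensor in deployed:
            continue
        helps = [s for s in uncovered if sensor in mapping[s]]
        if helps:
            missing[sensor] = helps
    return covered, uncovered, missing

if __name__ == "__main__":
    have = ["Hardware Inventory System", "Asset Inventory System",
            "Patch Management System"]
    cov, gaps, todo = gap_analysis(have)
    print("covered:", cov)
    print("uncovered:", gaps)
    for sensor, helps in todo.items():
        print(f"deploy next: {sensor} -> closes {helps}")
```

Replace the placeholder mapping with your own sub-control-to-sensor table and the deployed list with your inventory; the ordering of the missing sensors then follows the post's priority list directly.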