Most people in information security have heard of the Critical Security Controls these days. The idea of a community risk assessment project that helps all prioritize our information security efforts is appealing to most of us. The sticking question everyone always comes back to though is “how do I start implementing an information security plan using the controls?”

There are a few different approaches to this question. One of the most common is to simply start at the first priority (#1) and work your way through the list. It’s designed to be simple to use.

Ideally though we would have a translation between business requirements and what technical sensors security analysts need to deploy in order to achieve all the goals defined in the controls. So we took it upon ourselves to answer that exact question. If someone would take every sub control in the Critical Security Controls (version 4.1) and map a corresponding sensor to each of the controls, what controls would be left.

This is the list that we came up with (in priority order):

  1. Hardware Inventory System
  2. Asset Inventory System
  3. Active Device Discovery Tool
  4. Passive Device Discovery Tool
  5. System Imaging & Cataloging System
  6. Authentication System
  7. Public Key Infrastructure (PKI)
  8. 802.1x Authentication System (RADIUS / TACACS+ / etc)
  9. Network Access Control (NAC) System
  10. Software Inventory System
  11. Software Whitelisting System
  12. SCAP Compliant Vulnerability Management System
  13. SCAP Compliant Configuration Scanning System
  14. Configuration Policy Enforcement System
  15. Patch Management System
  16. Vulnerability Intelligence Service
  17. File Integrity Assessment System
  18. Anti-Malware / Endpoint Protection System
  19. Email Anti-Malware System
  20. SPF DNS Record
  21. Web Based Anti-Malware System
  22. Web Application Firewall (WAF)
  23. Application Code Review / Vulnerability Scanning System
  24. Database Vulnerability Scanning System
  25. Application Specific Firewalls
  26. Wireless Network Device Management System
  27. Wireless Intrusion Detection System (WIDS)
  28. Backup / Recovery System
  29. Data Encryption System
  30. DHCP Server Logs
  31. Domain Name System (DNS) Monitoring System
  32. Host Based Data Loss Prevention (DLP) System
  33. Host Based Access Control Lists
  34. Host Based Firewalls / Endpoint Protection System
  35. Intrusion / Malware Detection System
  36. Log Management System / SIEM
  37. Network Based Data Loss Prevention (DLP) System
  38. Network Devices that Support VLANs & ACLs
  39. Network Proxy / Firewall / Monitoring System
  40. Password Assessment System
  41. Removable Media Control / Endpoint Protection System
  42. User Account Discovery / Inventory System

It certainly seems like a long list, but I would bet most companies already have many of these controls in place.

It seems to us if an organization would work their way through this list as a part of a gap analysis and then review the controls, they would find that they hand implemented the majority of the sub controls in the list simply by implementing these sensors. Certainly an organization will need to operationalize the controls too. But at least this might help a few organizations to get started in their efforts.