The CIS Critical Security Controls the International Standard for Defense
EnclaveSecurity
1. The CIS Critical Security Controls: The International Standard for Defense
James Tarala, The SANS Institute
CIS Critical Security Controls © Enclave Security 2015
2. Why are so many people implementing the CSC?
• It’s 2015, and there are dozens of security standards to choose from internationally
• CIOs & sysadmins have numerous choices
• Auditors have numerous choices
• Everyone has heard of standards such as:
  • ISO 27000, NIST 800-53, the NIST Core Framework
  • PCI DSS, NERC CIP, CoBIT, COSO, the ITAF, etc.
• So why are the Critical Security Controls quickly becoming the de facto security standard?
3. Reason #1: Organizations Are Getting Breached
• PrivacyRights.org maintains a chronology of data breaches since 2005
• Includes a searchable database of breaches by year / cause / industry
• Some of the more notable recent breaches include (2015):
  – Anthem (80 million people)
  – Office of Personnel Management (21.5 million people)
  – UCLA Health System (4.5 million people)
  – Ashley Madison (37 million people)
  – Ubiquiti Networks ($46.7 million)
  – ICANN (unknown / all web users)
  – Excellus Blue Cross Blue Shield (10 million people)
  – Experian / T-Mobile (15 million people)
4. FBI Annual Internet Crime Complaints (cont.)
(chart) Source: http://www.nw3c.org/docs/IC3-Annual-Reports/2014-ic3-internet-crime-report.pdf
5. Average Per Capita Cost of Data Breaches (2015)
(chart) Source: Ponemon Institute Report 2015: http://www.ibm.com/security/data-breach
6. Reason #2: Hundreds of Document Contributors
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
• US Department of Energy laboratories
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators
7. Reason #3: Comprehensive Guiding Principles
1. Defenses should focus on addressing the attack activities occurring today
2. Enterprises must ensure consistent controls across the enterprise to effectively negate attacks
3. Defenses should be automated where possible
4. Specific technical activities should be undertaken to produce a more consistent defense
5. Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks
6. Metrics should be established that facilitate common ground for measuring the effectiveness of security measures
8. Reason #4: Technical Practicality
• The CIS Critical Security Controls were specifically designed to stop attacks
• They provide specific, practical, technical recommendations
• They do not leave it up to the reader to figure out what to do
• It is possible to map known threats to these defenses
• There’s a reason the Verizon Data Breach report and many others make reference to these controls and how to use them
• There’s a reason incident handlers & penetration testers recommend the CSCs to their clients after breaches
9. Case Study: 2013 Java Data Breaches
10. 2013 Java Attacks & Intrusion Kill Chain
1. The attacker discovered a weakness in software commonly utilized by the victim (reconnaissance)
2. The attacker wrote attack code to exploit the discovered software weakness (weaponization)
3. The attacker posted the attack code on a “watering hole” website that would be trusted by the victim (delivery)
4. The victim was lured into visiting the “watering hole” website hosting the attack code (exploitation)
5. The victim downloaded and executed the malicious code (installation)
6. The malicious code compromised the victim’s computer and connected to the attacker’s command and control servers to allow the attacker access (command and control)
7. The attacker performed his or her desired objectives on the victim’s computers (actions on objectives)
11. 2013 Java Attacks – Defensive Tools
• Software whitelisting solution
• Automated patch management system
• Security Content Automation Protocol (SCAP) compliant vulnerability management solution (CVEs & CCEs)
12. Proof of Concept: Mimikatz
13. The CSCs that would Stop this Attack
• If an organization implements the Critical Security Controls, could they stop Mimikatz (v1 or v2) from working? – YES
• Some of the CSCs that would stop this attack:
  – CSC #2: Inventory of Authorized and Unauthorized Software
  – CSC #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  – CSC #4: Continuous Vulnerability Assessment and Remediation
  – CSC #5: Controlled Use of Administrative Privileges
  – CSC #8: Malware Defenses
  – CSC #12: Boundary Defense
14. Reason #5: Defined Business Measures
• The CSCs also define specific measures that organizations can use to track their risk and defensive capabilities
• These are not generic, but rather specific measures
• None of the measures are simply paperwork reviews
• Every measure describes a defensive capability an organization may have
• Measures are time-based or Boolean, so that risk can be defined in those terms
• They help an organization define both control-based and event-based risk measures
• These have been especially useful to the audit and insurance industries
15. Examples of Defined Measures
1. How many unauthorized / unknown computers are currently connected to the organization’s network?
2. How many unauthorized software packages are running on the organization’s computers?
3. What percentage of the organization’s computers are running software whitelisting defenses that block unauthorized software programs from running?
4. What percentage of the organization’s computers have been configured (operating system and applications) according to the organization’s documented standards?
5. What is the comprehensive Common Vulnerability Scoring System (CVSS) vulnerability rating for each of the organization’s systems?
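The five measures on this slide, and the time-based / Boolean measures the previous slide describes in general terms, can be computed mechanically once asset, software, configuration and vulnerability inventories exist. The following Python is an added example, not from the slide deck or from Enclave Security: it computes measures 1 through 5 over a small constructed data set and adds one time-based measure (scan staleness). The record layout, the reading of "the organization's computers" as the authorized asset inventory, the use of the highest open CVSS base score as the per-system rating, and the staleness measure are all assumptions of this example.

```python
"""CIS CSC-style business measures computed from inventory data.

Added example (not from the slide deck or from Enclave Security). It
computes measures 1-5 from the "Examples of Defined Measures" slide, plus
one time-based measure of the kind the "Defined Business Measures" slide
mentions, over a small constructed data set. The record layout, the reading
of "the organization's computers" as the authorized asset inventory, the
choice of highest open CVSS base score as the per-system rating, and the
scan-staleness measure are all assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    hostname: str
    software: List[str]                 # packages observed running on the host
    whitelisting_enforced: bool         # Boolean measure: application whitelisting active?
    config_compliant: bool              # Boolean measure: built to the documented standard?
    last_vuln_scan: Optional[date]      # time-based measure input: None = never scanned
    cvss_scores: List[float] = field(default_factory=list)  # open findings, CVSS base scores


# Constructed: what an active network discovery found.
OBSERVED_HOSTS = [
    Host("ws-001", ["office-suite", "browser", "edr-agent"], True, True, date(2015, 9, 28), [4.3]),
    Host("ws-002", ["office-suite", "browser", "p2p-client"], False, False, date(2015, 8, 1), [7.5, 9.8]),
    Host("srv-db-01", ["dbms", "backup-agent"], True, False, date(2015, 9, 30), [5.0]),
    Host("rogue-ap", ["unknown"], False, False, None, []),
]

# Constructed authorized inventories (the CSC #1 hardware and CSC #2 software lists).
AUTHORIZED_HOSTS = {"ws-001", "ws-002", "srv-db-01"}
AUTHORIZED_SOFTWARE = {"office-suite", "browser", "edr-agent", "dbms", "backup-agent"}


def managed(hosts: List[Host]) -> List[Host]:
    """The organization's own computers: observed hosts present in the authorized inventory."""
    return [h for h in hosts if h.hostname in AUTHORIZED_HOSTS]


def unauthorized_hosts(hosts: List[Host]) -> List[str]:
    """Measure 1: hosts seen on the network that are absent from the authorized inventory."""
    return sorted(h.hostname for h in hosts if h.hostname not in AUTHORIZED_HOSTS)


def unauthorized_software(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Measure 2: (host, package) pairs on managed hosts where the package is not authorized."""
    return sorted((h.hostname, pkg) for h in managed(hosts)
                  for pkg in h.software if pkg not in AUTHORIZED_SOFTWARE)


def _percent_true(hosts: List[Host], flag: str) -> float:
    """Share of managed hosts whose Boolean attribute `flag` is set, as a percentage."""
    pool = managed(hosts)
    if not pool:
        return 0.0
    return round(100.0 * sum(1 for h in pool if getattr(h, flag)) / len(pool), 1)


def whitelisting_coverage(hosts: List[Host]) -> float:
    """Measure 3: percentage of managed hosts enforcing application whitelisting."""
    return _percent_true(hosts, "whitelisting_enforced")


def config_compliance(hosts: List[Host]) -> float:
    """Measure 4: percentage of managed hosts configured to the documented standard."""
    return _percent_true(hosts, "config_compliant")


def highest_cvss_per_host(hosts: List[Host]) -> Dict[str, float]:
    """Measure 5: per-system vulnerability rating, taken here as the highest open CVSS base score."""
    return {h.hostname: (max(h.cvss_scores) if h.cvss_scores else 0.0) for h in managed(hosts)}


def stale_scans(hosts: List[Host], max_age_days: int, today: date) -> List[str]:
    """Time-based measure: managed hosts not vulnerability-scanned within max_age_days."""
    return sorted(h.hostname for h in managed(hosts)
                  if h.last_vuln_scan is None or (today - h.last_vuln_scan).days > max_age_days)


def build_dashboard(hosts: List[Host] = OBSERVED_HOSTS, today: date = date(2015, 10, 1)) -> dict:
    """Bundle the measures into the flat record a business dashboard would consume."""
    return {
        "unauthorized_hosts": unauthorized_hosts(hosts),
        "unauthorized_software": unauthorized_software(hosts),
        "whitelisting_pct": whitelisting_coverage(hosts),
        "config_compliant_pct": config_compliance(hosts),
        "highest_cvss": highest_cvss_per_host(hosts),
        "stale_scans_30d": stale_scans(hosts, 30, today),
    }


if __name__ == "__main__":
    for name, value in build_dashboard().items():
        print(f"{name}: {value}")
```

Measure 1 is computed over everything discovered, because the point of that measure is what is on the wire that the inventory does not know about; measures 2 to 5 are computed over the authorized inventory only, since an unmanaged device cannot meaningfully be "compliant" or "whitelisted". Feeding real discovery, software, configuration and scanner exports into the same functions gives the numbers a dashboard of the kind shown on the next slide would plot.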
16. Measures lead to Business Dashboards
17. Reason #6: CSCs are Based on Known Threats
• The CSCs are based on current, observable threats to information systems, not theories
• Hundreds of organizations have contributed
• One of the latest efforts is the release of a community threat model, the Open Threat Taxonomy (v1.1), which will be used to document and prioritize threats
• The OTT will be used to define the threats that in turn define the controls
• It will help standardize risk assessments, removing one paperwork step for organizations to complete
18. Reason #7: CSCs Are an “On Ramp” to Compliance
• The primary goal of the Critical Security Controls is defense
• However, by prioritizing these controls, an organization is also making steps towards compliance with other standards
• There doesn’t have to be a choice
• Mappings currently exist between the CSCs and:
  – NIST 800-53 rev4
  – ISO 27002 Control Catalog
  – NERC CIP v5
  – FFIEC Inherent Risk Controls & Examiner’s Handbook
  – HIPAA / HITECH Act
19. In Summary
• Regardless of whether you follow the Critical Security Controls, each organization needs a strategy for defense
• Be aware of the changing threat landscape and have a plan for preventing future attacks
• Organizations need to set priorities for system and data defense; the CSCs are one good option
• Most importantly, the controls are only useful if they are implemented
• Watch for more changes to come & stay vigilant
20. Further Questions
• James Tarala
  – E-mail: james.tarala@enclavesecurity.com
  – Twitter: @isaudit
  – Blog: http://www.auditscripts.com/
• Resources for further study:
  – The CIS Critical Security Controls Courses – SEC 440 / 566
  – The CIS Critical Security Controls Project
  – AuditScripts.com Resources