
Growing Up In Cyber…

but is Cyber Growing Up?

Tony Sager
Senior VP & Chief Evangelist
CIS (the Center for Internet Security)
Today’s Cyber Learning Model?
Classic Risk Equation

Risk = f { Vulnerability, Threat, Consequence }

(diagram: controls acting on the terms of the equation)
The Long and Winding Road…
Seismic Shifts

• Communications Security → “Cyber”

• Mathematics → CS, Networking, Operations, Analytics

• Technology → Information, Operations

• Government monopoly → user/market driven

• “Control Model” of security → open market

• National Security → economic/social Risk


A few cybersecurity lessons

• Knowing about flaws doesn’t get them fixed
• Cyber Defense => Information Management
– when you see “share”, replace with “translate” and “execute”
• The Bad Guy doesn’t perform magic
• There’s a large but limited number of defensive choices
– and the 80/20 rule applies (The Pareto Principle)
• Cybersecurity is more like “Groundhog Day” than “Independence Day”
(word cloud of defensive choices: anti-malware, DLP, governance, certification, continuous monitoring, penetration testing, baseline configuration, threat feed, assessment, best practice, standards, SDL, audit logs, SIEM, virtualization, risk management framework, sandbox, compliance, encryption, threat intelligence, security bulletins, user awareness training, incident response, two-factor authentication, browser isolation, security controls, maturity model, need-to-know, supply-chain security, whitelisting)
The Defender’s Dilemma

1. What’s the right thing to do?
• and how much do I need to do?
2. How do I actually do it?
3. And how can I demonstrate to others (many others) that I have done the right thing?
A Cyberdefense OODA Loop (“patch Tuesday”)

• OBSERVE: Track security bulletins, advisories
• ORIENT: Assess applicability, operational issues, risk
• DECIDE: Prioritize remediation
• ACT: Rollout, Monitor, Manage “breakage”
“Dueling OODAs”
(and the role of Threat Intelligence, Analytics)

• There are many loops, often connected


• “farther in space, earlier in time”
• The Bad Guy’s loop is an opportunity
(diagram: several overlapping OBSERVE / ORIENT / DECIDE / ACT loops, the defender’s and the attacker’s)
An Effective Cyberdefense “info machine” should be…

• based on a model of Attacks, Attackers, and defensive choices
– and focused on categories, types, patterns, templates, etc.
• driven by data
• managed within an open, standards-based framework
• account for “community risk”, but be tailorable
• repeatable, dynamic, feedback-driven
• demonstrable, negotiable for Real People
Evolution of the CIS Controls

The CIS Controls™

The Original Controls Principles

• Prioritize:
– “Offense Informs Defense”
• Implement:
– “Action today beats elegance tomorrow (or someday. Or never.)”
• Sustain:
– “It’s not about the list”
• Align:
– “To win the cyberwar, we need peaceful co-existence”
CIS Best Practice Workflow
CIS Controls Version 7
Ecosystem of Resources

• Mappings to other Frameworks


– Special focus on NIST CSF [updated!]
• CIS Risk Assessment Method (CIS-RAM) [new]
• ICS Companion Guide to the Controls [drafted]
• Measures and Metrics [updated]
• SME Implementation Guide
• CIS Community Attack Model
• Privacy and the Controls
Recent References to the CIS Controls
• California Attorney General’s 2015 Data Breach Report
• The NIST Cybersecurity Framework
• Symantec 2016 Internet Security Threat Report
– (and Verizon DBIR, HP, Palo Alto, Solutionary…)
• National Governors Association
• National Consortium for Advanced Policing
• Conference of State Bank Supervisors
• UK Critical Protection for National Infrastructure
• Zurich Insurance
• ENISA, ETSI
• Website: www.cisecurity.org
• Email: Controlsinfo@cisecurity.org
• Twitter: @CISecurity
• Facebook: Center for Internet Security
• LinkedIn Groups:
– Center for Internet Security
– 20 Critical Security Controls
