Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore did a deep dive into the Center for Internet Security’s Critical Security Controls during a recent webcast, and answered questions from audience members about these 20 foundational security practices, and about the importance of maintaining basic security hygiene.
In this blog post, we’re providing edited transcripts of their answers to all the questions, including those that they didn’t have time to address during the one-hour webcast, which was titled “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.” We hope you find their explanations insightful and useful.
In addition, if you didn’t catch the webcast live, we invite you to listen to the CIS controls webcast recording. We also encourage you to download a copy of a highly detailed guide that maps the CIS controls and sub-controls directly to specific features in Qualys apps.
What other approaches do organizations take for more granularly prioritizing remediation of misconfigurations?
Tim: Prioritizing is the most important piece of the puzzle. Choosing what to fix first can have a significant impact on whether or not you get breached. Most of the organizations I’ve worked with start with something like the Critical Security Controls or the CIS Benchmarks for technical controls for an operating system. Usually within those, you’ll have varying severity levels. Qualys ranks our vulnerability or our exposures from configuration by severity into buckets, depending on the potential impact of a breach. Qualys also helps our customers provide attention to those controls that have the biggest exposures associated with them. Similarly, with vulnerabilities, many customers use CVE and CVSS scoring to identify how big of an impact something could have, especially if you’re using CVSS environmental and temporal scoring to adjust those scores to fit your infrastructure and your risk profile.
Those are all great ways, but at the end of the day it’s important to look at all of the intelligence that you have at your fingertips to identify which things are going to have the biggest impact and then bucket those in a way that’s repeatable. That way, your reporting can drive trend improvements as opposed to presenting IT with a continuously shifting set of priorities.
John: Yeah, I would agree certainly for vulnerabilities. I mean, most vendors will list the patches with CVSS scores or things that are close to CVSS scores. Similarly, the good vulnerability discovery products that Tim mentioned do the same thing. There are a lot of CVSS spreadsheets available from the FIRST organization that you can use as a simple way to prioritize combinations of configurations and vulnerabilities and work on the most critical ones first. Typically systems that are misconfigured are also going to be missing patches. You’ve got to look at what are the worst ones.
Real key is also having that list of what are my critical systems from a business criticality point of view. That’s where you get to that environmental factoring side of things, so that you are working on fixing the configuration vulnerability problems on the servers or desktops that are most likely to cause the most business damage. In other words: Prioritizing from an exposure risk but also from an impact risk.
How important is it to supplement technical controls with procedural control assessment?
John: Let me jump in here Tim. One standard thing on the Critical Security Controls, if you go to CISecurity.org or the SANS pages on this, it’s always to start with a gap assessment around your processes and identify those gaps and processes. Then you should look at the effectiveness of your controls. Everybody spends about the same amount in security. It’s really how you spend your dollars that’s more important than just how much you buy. Quite often, fixing gaps in configuration management and patch management and the like can actually reduce costs, and you can apply [those savings] to more advanced things like application security or privilege management.
So, all the recommendations and best practices on how to proceed with the Critical Security Controls always start with that process gap assessment.
Tim: I think [John] hit the nail on the head there. You know, it’s also another area where I think a lot of organizations need to focus with regards to procedural control assessment is outside of their environment. Many times doing internal process reviews and so forth is one thing, but you have a lot of vendor risk and exposure. We are more and more open with our business partners these days. Making sure that they’re following good security practices as well is a really critical step. You can certainly use something like the Qualys Security Assessment Questionnaire (SAQ) tool to drive vendor risk assessments and make sure that the appropriate controls and expectations are being set with all of your partners as well.
How much overlap exists with other regulations and best practices?
Tim: There’s a ton of overlap. If you look, as John mentioned earlier, at a framework like NIST 800.53 or ISO 27001, there are plenty of things that it directs you to go out and fix. But there’s not a lot of guidance on which ones need to be prioritized first and that’s really where these Critical Security Controls come in and help.
We’ve done the exercise of taking these Critical Security Controls, mapping them back to different control objectives to help with that prioritization, and used that to help drive reporting and prioritization from a remediation perspective within our tools. But, just looking at that from a big picture, almost all organizations have PCI, HIPAA, some local or regional regulatory requirements, and we’re seeing more and more regulations. I expect after a lot of the recent attacks, we’re going to see even more. Regulators come in and start mandating that you implement certain security practices when it’s apparent that there’s not enough organizations taking things seriously.
So, failure to implement basic security controls and good security hygiene, results in expanded regulatory requirements. Inevitably, there’s going to be overlap between what the different regulating bodies feel you need to do. We certainly are seeing that the regulations are becoming more prescriptive. They are getting into more detail about what their expectations are around due diligence, patch management, vulnerability management and so forth.
John: Yeah, I want to point out that probably in over 99%, but let’s say 90% of the breaches that hit the press, where there was credit card number exposure, the companies were PCI compliant. In healthcare, they were HIPAA compliant and in finance they passed audits or government FISMA scores were saying, okay a few problems. So, you know, again, the regulations are very rarely what you really have to worry about if you are worrying about protecting critical business systems, critical business data, critical customer data and the like. Then, you map that out to every compliance regime and fill in the blanks.
The great thing to look at in the Payment Card Industry (PCI) standard is its prioritization guidelines. They have had them for years. They’re their equivalent of the Critical Security Controls and they say: “If you have deficiencies, work them off in this order. You’ll be non-compliant if you have these deficiencies, but if you work them off in this order, you’ll be the safest, and the qualified security assessors will have to say, okay, you are doing the right things.” So, bottom line is the Critical Security Controls really do represent sort of the common, critical overlap across all these regimes and if you’re putting that in place, you’re going be explaining why you’ve taken a risk management approach and you’ll be able to more easily justify that to auditors.
Do I need to focus on my critical and compliance regulated assets first?
Tim: Well, I think John actually just answered that question and I agree completely that systems that are in scope for compliance is not enough. There’s so many avenues for lateral attack, and implementing controls for the sake of doing compliance, really isn’t the right approach in the first place. Prioritizing a risk based approach to implementing secure configuration management practices, vulnerability management and all of the other aspects of the Critical Security Controls will certainly drive improved security and show that you are doing due diligence above and beyond the minimum things that the mandates require.
John: Yeah, I would say that one of the reasons we recommend that process gap assessment first is a lot of people don’t have a segmented network. They have a completely flat network. Everything can get to everything else. You have no separation between your critical systems and your non critical ones, or between your PCI zone and everything else. And then it’s hopeless. It doesn’t matter where you start, anything is compromised if bad guys can reach everything else. So, it’s real key to be able to say, “I do have an asset inventory. I do know which assets are tied to which critical business processes. I do have some sort of segmentation, whether it’s virtual environments or physical networks or whatever.” If you’ve got that in place, yeah, then it definitely makes sense to prioritize. If not, you might as well just throw darts and work them off randomly.
What is a business security analyst? Is it more of an individual who is assigned to process a security access request?
John: No, it’s not really that. It’s kind of related. In almost all companies, if a business unit has some new initiatives that are going to require IT systems, some project is formed. IT staff sit and there might be staffing from marketing and from other places. The business security analyst would be the person who becomes part of that team, evaluating the businesses needs, getting security baked in from day one, and recommending solutions or approaches as part of the overall IT solution.
In larger companies, the role can often be much more proactive than that. So, work with the Chief Technology Officer to say: “Hey, we’ve got this two-year strategic initiative to allow mobile commerce, where customers walk into our store with their own phones or tablets and can buy things right off the shelf. Or suppliers can stock things and do inventory automatically without us having to use our systems.” Then [the organization can] proactively say, “Oh, we’d better do something in security to be ready for that.”
So a business security analyst is a knowledgeable security person who understands the needs of the business, such as where it’s going, and connecting the business side with the security side. In small organizations, it might just be a liaison in the business unit or a part time job of a smaller security staff. In larger companies it’s often a full time role.
From your perspective, why aren’t IDS systems and point security platforms and SIEM tools capable of detecting cyber attack events?
John: Well, [I’ll give you] an example I used to use over the years at Gartner. Imagine, I was much younger then, and I had small children who would cry at night and wake me up and I would hear their cries and go in their room. My wife would sleep right through it. But imagine if I had no doors, no windows on my house and my house was full of squirrels and birds and raccoons chirping and making all kinds of noise, and I just couldn’t even hear the cries of my kids because of all the noise going on.
So, if you can’t even get the basic security hygiene, if you can’t get the simple vulnerabilities under control, those easy-to-stop attacks and the like … If you’re constantly filling up the SIEM with noise from those, or the SOC analysts’ time is spent trying to go through and work those off and try to figure out what’s going on, you’ll never get to your baby’s crying and the wolves carry your baby out the door. Then you just have all the animals crying in your house.
So without dealing with basic security hygiene, it’s impossible to triage. It’s impossible to get to the important things. And we end up trying to hire more people who basically get bored of doing this stuff and go on to other more higher paying jobs at other companies.
What is a process gap assessment?
John: Basically, doing, or paying someone else to do, an assessment of how effective your existing security processes are in implementing the Critical Security Controls. You identify gaps and then development work plans to close the gaps, prioritizing remedial efforts by Critical Control number (i.e., lower numbers are higher priority). SANS instructor James Tarala has a lot of information on this.
Are there tools that help me to automate certain controls? I mean on control level.
John: SANS has published a poster mapping monitoring products to the Critical Security Controls. We are not updating it since the Critical Controls are now managed by the Center for Internet Security (www.cisecurity.org) and they have taken over any such mapping. But you can find the poster here. There is also an older poster that mapped products for implementing (vs. just monitoring) the Controls.
Tim: Yes – Qualys Policy Compliance can provide automated assessment of the majority of the technical OS and application configuration controls. Qualys Security Assessment Questionnaire can automate the procedural control assessment aspects. Other CSCs are covered by other Qualys security apps. You can learn more in the recently published Qualys white paper Guide to Automating CIS 20 Critical Security Controls with Qualys Cloud Platform.
Can you give a few high level bullets on Automating Critical Security Controls? Would this reflect large integrated tools suites – or bash/powershell scripting?
John: The Center for Internet Security lists a number of case studies around implementing and automating the Critical Controls. There really isn’t any single vendor that has any single product or suite that implements all of the Controls in any truly meaningful or effective way, but there are several vendors with products that span multiple controls (see answer to question 2 above) and there are also organizations that use homegrown tools and scripts to glue things together or automate related sets of controls. You can see the CIS case studies here.
Does the solution provide a real time view of the security posture with regards to configuration, patch, antivirus, etc?
Tim: The combination of the Qualys solutions provides data in near-real time if you’re using the Qualys Cloud Agent, or at the configured scan interval if using remote assessment.
Can you provide an example of how you might automate or integrate the WAS functionality into the development process? We want to make security easy to adopt for the development process.
Tim: In a typical build process, developers check code into a continuous integration/continuous delivery (CI/CD) tool, such as Jenkins, TFS, or Bamboo. The CI/CD tool automatically picks up the changes, compiles and builds the code, then deploys it to various environments such as DEV, QA, or STAGE. This is where a web app vulnerability scan by Qualys WAS makes sense. Let’s say we want to scan the DEV site. After deploying the new build, the CI/CD tool invokes the WAS API — an HTTPS call to Qualys — to request a scan against the DEV site, which was set up earlier with the appropriate URL/settings in the WAS UI. A Qualys scanner appliance, deployed internal to the organization, receives the request, and the appliance launches a scan against the DEV site. When the scan is complete, results are uploaded automatically to Qualys and can be pulled down via the API as well. Any findings with status of “new” could be emailed to the dev team, for example. All of this workflow can be automated.
Can you give a few high level bullets on automating Critical Security Controls?
Tim: We recommend reading our Guide to Automating CIS 20 Critical Security Controls for more details on automating the CSCs with Qualys security and compliance apps.