SANS 20 CRITICAL CONTROLS

The SANS 20 Critical Security Controls for Effective Cyber Defense (SANS 20 CCs) is an effective, phased method for improving Information Security and meeting regulatory compliance requirements.

The SANS 20 CCs is based on “knowledge of actual attacks that have compromised systems” and “provides the essential foundation on which to construct effective defenses.” The SANS 20 CCs was developed by answering the following questions:

  • Who are the attackers?
  • What are their objectives?
  • What attack vectors do they use?
  • What target systems did they use to gain entry?
  • What types of protection could have stopped them?

The goal of the SANS 20 Critical Security Controls, in response to limited resources, is to “establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.” Furthermore, sub-controls within each control are categorized in a type of security capability maturity model to enable organizations to “achieve a sound baseline of security and then improve beyond the baseline.”

There are several important advantages to the SANS 20 CCs:

  • Security/Compliance integration – Quoting from SANS, “These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer.”
  • Comprehensive – All critical IT Security and Compliance functions are covered.
  • Credentials – The document was generated by a strong group of experienced security professionals from government and industry. Quoting SANS: “These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.”
  • Concreteness – The document provides very specific recommendations.
  • Automation – Fifteen of the twenty security controls are readily automated. From SANS, “The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 80% reduction in “measured” security risk through the rigorous automation and measurement of the Top 20 Controls.”
  • Phases – Each control has sub-controls that are prioritized. This reduces the potentially overwhelming nature of other security models. You can approach each control in phases. The categories are as follows:
    • Quick Wins (QW): Fundamental aspects of information security which can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to the environment.
    • Improved Visibility and Attribution (Vis/Attrib): Subcontrols which focus on improving the process, architecture, and technical capabilities of organizations so that organizations can monitor their networks and computer systems, gaining better visibility into the IT operations.
    • Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene): These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems.
    • Advanced: These items are designed to further improve the security of an organization beyond the other three categories.
  • Metrics – One or more simple, specific, measurable tests are provided to assess the effectiveness of each recommended control.
  • Brevity – The whole document is only 58 pages as compared to other approaches which are spread over multiple books.
  • Price – The document is free.

If there is any weakness to the 20 CCs, it is their consensus nature. However, in our opinion this weakness shows up only in an understandable unwillingness to explicitly or even implicitly recommend a solution type that would inure to the benefit of a single manufacturer.

Here at Cymbel, our mission is specifically to find and recommend the best solutions for each of the fifteen controls that lend themselves to automation, to provide the services you need to implement them, and to support the other five.

You can view the latest version of the SANS 20 Critical Security Controls for Effective Cyber Defense here.

Here are the 15 SANS 20 Critical Security Controls that lend themselves to automated solutions:

1. Inventory of Authorized and Unauthorized Devices

“An accurate and up-to-date inventory, controlled by active monitoring and configuration management, can reduce the chance of attackers finding unauthorized and unprotected systems to exploit.”

In order to meet the strictest service level agreement, i.e. device discovery in seconds, passive Layer 2 network discovery functionality such as that found in ForeScout is required.
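What the “active monitoring” half of this control amounts to in practice is a continuous reconciliation of what discovery sees on the wire against the authorized inventory. The following is an added example, not SANS or ForeScout code: the observation records and the authorized list are constructed sample data, and the record layout is an assumption standing in for whatever a passive discovery tool actually reports. It normalises the different MAC spellings that inventories and tools emit, flags devices seen but not authorized, lists authorized devices that were not seen, and yields the coverage percentage a control metric would track.

```python
"""Reconcile passively observed devices against the authorized inventory.

Added example (not from the SANS document, Cymbel or ForeScout). All data
below is constructed; the record layout is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    first_seen: str  # ISO-8601 timestamp as a discovery tool might report it


_MAC_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Canonicalise AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AA:BB:... to lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.fullmatch(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: MAC -> (hostname, owner). Mixed spellings
# on purpose, because real inventories are exported from several systems.
AUTHORIZED = {
    "00:11:22:33:44:55": ("fs01", "IT"),
    "00-11-22-33-44-66": ("ws-alice", "Finance"),
    "0011.2233.4477": ("printer-2f", "Facilities"),
}

# Constructed passive observations (what a Layer 2 monitor might emit).
OBSERVED = [
    Observed("00:11:22:33:44:55", "10.0.1.5", "2011-05-02T08:00:00Z"),
    Observed("00:11:22:33:44:66", "10.0.1.23", "2011-05-02T08:01:10Z"),
    Observed("DE:AD:BE:EF:00:01", "10.0.1.99", "2011-05-02T08:03:42Z"),  # not in inventory
]


def reconcile(authorized=AUTHORIZED, observed=OBSERVED):
    """Return unauthorized observations, unseen authorized devices and coverage."""
    auth = {normalize_mac(m): v for m, v in authorized.items()}
    seen = {normalize_mac(o.mac): o for o in observed}
    unauthorized = [o for mac, o in seen.items() if mac not in auth]
    missing = {mac: auth[mac] for mac in auth if mac not in seen}
    known = len(seen) - len(unauthorized)
    coverage_pct = round(100.0 * known / len(seen), 1) if seen else 0.0
    return {
        "unauthorized": unauthorized,   # alert: unknown device on the network
        "missing": missing,             # stale inventory or offline asset
        "coverage_pct": coverage_pct,   # metric: share of observed devices that are authorized
    }


if __name__ == "__main__":
    result = reconcile()
    for o in result["unauthorized"]:
        print(f"UNAUTHORIZED {o.mac} at {o.ip} first seen {o.first_seen}")
    for mac, (host, owner) in result["missing"].items():
        print(f"NOT SEEN     {mac} ({host}, {owner})")
    print(f"coverage: {result['coverage_pct']}%")
```

The normalisation step is the part that matters operationally: without it the Finance workstation and the printer would both show up as unauthorized purely because their inventory entries use hyphens and Cisco dot notation.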

The SANS 20 Critical Security Controls do not address mapping software and devices to business processes. While this has not been considered part of the IT Security domain, we believe that “IT alignment to business needs” must be part of the IT Security domain. At this point in time, it’s hard to imagine a new business initiative that does not require the use of Information Technology which, if not addressed by security controls, will increase the organization’s risk exposure.

2. Inventory of Authorized and Unauthorized Software

“Without the ability to inventory and control which programs are installed and allowed to run on their machines, organizations make their systems more vulnerable.” Again, this is something covered by ForeScout.

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

“On both the Internet and internal networks that attackers have already compromised, automated computer attack programs constantly search target networks looking for systems that were configured with vulnerable software installed the way it was delivered from manufacturers and resellers, thereby being immediately vulnerable to exploitation. Default configurations are often geared to ease-of-deployment and ease-of-use and not security.”

Cymbel recommends ForeScout, a solution which detects and alerts on configuration changes.

4. Continuous Vulnerability Assessment and Remediation

“Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delays in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain. Organizations that do not scan for vulnerabilities and address discovered flaws proactively face a significant likelihood of having their computer systems compromised.”

Cymbel recommends BigFix because it combines device discovery, configuration vulnerability as well as software “bug” vulnerability assessment, and patch management in one integrated solution.

5. Malware Defenses

“Malicious software is an integral and dangerous aspect of Internet threats, targeting end-users and organizations via web browsing, email attachments, mobile devices, and other vectors. Malicious code may tamper with the system’s contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system. Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.”

Cymbel recommends Palo Alto Networks IPS because it received the highest rating from the independent lab NSS Labs.

Cymbel recommends FireEye for its ability to block 0-day and unknown malware using a combination of heuristic algorithms to detect potentially malicious code and virtual sandboxes to test the code before blocking and alerting. This second step practically eliminates false positives.

Cymbel recommends Zscaler, a cloud-based web and email security solution specifically designed to block malware entering the organization through web browsing and email.

6. Application Software Security

“Attacks against vulnerabilities in web-based and other application software have been a top priority for criminal organizations in recent years. Application software that does not properly check the size of user input, fails to sanitize user input by filtering out unneeded but potentially malicious character sequences, or does not initialize and clear variables properly could be vulnerable to remote compromise.”

“Organizations should protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks, including but not limited to Cross-Site Scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web based, deploy specific application firewalls if such tools are available for the given application type.”

7. Wireless Device Control

“Major data thefts have been initiated by attackers who have gained wireless access to organizations from nearby parking lots, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes.”

Cymbel recommends Motorola AirDefense Solutions.

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

“Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, the exceptions are deployed, and those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is never properly analyzed, nor the risk measured against the associated business need.”

For network security devices like firewalls, we recommend Tufin.

11. Limitation and Control of Network Ports, Protocols, and Services

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and DNS servers installed by default on a variety of different device types, often without a business need for the given service.

While this control is focused on hosts, it suffers from the same problems as trying to implement boundary controls via network ports, protocols, and services. In the current age of applications which use port hopping and other evasion techniques, the recommendations of this control are completely inadequate. What is needed is a next-generation firewall like Palo Alto Networks, where you can apply a positive application security model, i.e. define which applications are allowed and deny the rest.
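The difference between the two models is easiest to see by running the same flows through both rulebases. The following is an added example written for this page, not Palo Alto Networks code or configuration: the flow records are constructed, and the `app` field stands in for whatever application identification a next-generation firewall performs on the traffic. A port-based rule that allows 80/443 outbound cannot distinguish a browser session from a port-hopping application riding port 443, whereas the positive application model allows only the named applications and denies everything else, including traffic it could not identify.

```python
"""Port-based rulebase vs positive application-based rulebase.

Added example (not vendor code). Flows are constructed sample records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str   # application as identified by inspection, or "unknown-tcp"
    user: str


# Traditional rule: trust -> untrust on 80/443 is allowed; implicit deny after.
PORT_RULES = [
    {"src_zone": "trust", "dst_zone": "untrust", "ports": {80, 443}, "action": "allow"},
]

# Positive application model: name the permitted applications; deny the rest.
APP_RULES = [
    {"src_zone": "trust", "dst_zone": "untrust", "apps": {"web-browsing", "ssl"}, "action": "allow"},
]


def _zones_match(flow, rule):
    return (flow.src_zone, flow.dst_zone) == (rule["src_zone"], rule["dst_zone"])


def evaluate_by_port(flow, rules=PORT_RULES):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if _zones_match(flow, rule) and flow.dst_port in rule["ports"]:
            return rule["action"]
    return "deny"


def evaluate_by_app(flow, rules=APP_RULES):
    """Same structure, but the match key is the identified application.

    Unidentified traffic ("unknown-tcp") matches nothing and is denied."""
    for rule in rules:
        if _zones_match(flow, rule) and flow.app in rule["apps"]:
            return rule["action"]
    return "deny"


# Constructed flows. The second one is the case the text describes: an
# application hopping onto port 443 to slip past a port-based rule.
FLOWS = [
    Flow("trust", "untrust", 443, "ssl", "alice"),
    Flow("trust", "untrust", 443, "bittorrent", "bob"),
    Flow("trust", "untrust", 443, "unknown-tcp", "carol"),
    Flow("trust", "untrust", 22, "ssh", "dave"),
]


def compare(flows=FLOWS):
    """(app, port, port-based verdict, application-based verdict) per flow."""
    return [(f.app, f.dst_port, evaluate_by_port(f), evaluate_by_app(f)) for f in flows]


if __name__ == "__main__":
    for app, port, by_port, by_app in compare():
        print(f"{app:12} tcp/{port:<4} port-rule={by_port:5} app-rule={by_app}")
```

Because the `user` field is carried on every flow, the same evaluator could key rules on users or groups rather than source addresses, which is the other half of the point made under Boundary Defense.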

12. Controlled Use of Administrative Privileges

“According to some Blue Team personnel as well as investigators of large-scale Personally Identifiable Information (PII) breaches, the misuse of administrator privileges is the number one method for attackers to spread inside a target enterprise. The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges.”

Cymbel recommends Centrify.

13. Boundary Defense

“Attackers focus on exploiting systems that they can reach across the Internet, which include not only DMZ systems, but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems on extranet perimeters.”

While Cymbel agrees with the need for boundary defenses including internal network segmentation, unfortunately the SANS 20 Critical Security Controls takes the traditional approach of stateful inspection firewalls and the series of firewall helpers including Intrusion Prevention Systems, Proxies, and URL Filtering. SANS 20 Critical Security Controls totally ignores “Next Generation” Firewalls like Palo Alto Networks which, at a minimum, combine the firewall and IPS function in a single appliance, and more importantly enable policies built around applications and users rather than just IP addresses, ports, and protocols.

14. Maintenance, Monitoring, and Analysis of Security Audit Logs

“Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.”

As comprehensive as the SANS 20 Critical Control #6 is, including the Advanced recommendation for SIEM (Security Information and Event Management), it ignores several key requirements that Cymbel believes are essential. They are as follows:

  • Ability to tie users to IP addresses. Log analysis based on IP addresses alone is inadequate because in our mobile world, people’s IP addresses can change rapidly, many times per day. Complete user activity visibility requires correlation between traditional user-oriented logs from authentication and authorization systems plus user-oriented application usage from next-generation firewall logs.
  • Integration with directory services such as Active Directory – Group and User-oriented compliance requirements are heavily dependent on reports generated from logs.
  • Integration with Business/IT Service Management in order to contextualize and prioritize anomalous log events.
  • Integration with Health and Performance capabilities to quickly identify the root cause of an Incident.

In summary, the days of the standalone log management system are past. The value of logs increases exponentially with the degree of context that can be provided. We recommend Q1 Labs.
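The first requirement above, tying users to IP addresses, is a time-aware join rather than a simple lookup: an address can belong to one person at 08:00 and another at 09:31. The following added example (not SANS, Cymbel or Q1 Labs code) shows the mechanics. Both log sources are constructed sample lines in an assumed `key=value` syslog style; the parser is the part to adapt to real formats. Logon and logoff events build a per-IP timeline, each firewall event is attributed to whoever held the address at that moment, and the result is rolled up into per-user application usage.

```python
"""Attribute firewall log events to users by correlating authentication logs.

Added example, not from the SANS document or any vendor. Both log sources
are constructed sample lines in an assumed key=value syslog layout.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_kv(line):
    """'<timestamp> <host> k=v k=v ...' -> (timestamp, host, {k: v})."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return _ts(ts), host, fields


# Constructed authentication events. Note 10.0.1.23 is reassigned to bob
# one minute after alice logs off, as DHCP would do.
AUTH_LOG = """\
2011-05-02T08:00:00Z dc01 event=logon user=alice ip=10.0.1.23
2011-05-02T09:30:00Z dc01 event=logoff user=alice ip=10.0.1.23
2011-05-02T09:31:00Z dc01 event=logon user=bob ip=10.0.1.23
2011-05-02T08:10:00Z dc01 event=logon user=carol ip=10.0.1.50
"""

# Constructed next-generation firewall traffic log; it carries no user field.
FW_LOG = """\
2011-05-02T08:05:00Z fw01 app=ssl src=10.0.1.23 dst=203.0.113.7 action=allow
2011-05-02T09:45:00Z fw01 app=bittorrent src=10.0.1.23 dst=198.51.100.9 action=deny
2011-05-02T09:00:00Z fw01 app=web-browsing src=10.0.1.50 dst=203.0.113.8 action=allow
2011-05-02T07:00:00Z fw01 app=ssl src=10.0.1.23 dst=203.0.113.7 action=allow
"""


def build_sessions(auth_log):
    """ip -> time-sorted list of (timestamp, user); user is None for a logoff."""
    sessions = defaultdict(list)
    for line in auth_log.splitlines():
        ts, _, f = parse_kv(line)
        user = f["user"] if f["event"] == "logon" else None
        sessions[f["ip"]].append((ts, user))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def user_at(sessions, ip, ts):
    """Holder of ip at time ts: the latest event at or before ts (None if a logoff)."""
    events = sessions.get(ip, [])
    idx = bisect_right([e[0] for e in events], ts) - 1
    return events[idx][1] if idx >= 0 else None


def attribute(fw_log=FW_LOG, auth_log=AUTH_LOG):
    """[(user or None, app, action)] for every firewall line, in log order."""
    sessions = build_sessions(auth_log)
    out = []
    for line in fw_log.splitlines():
        ts, _, f = parse_kv(line)
        out.append((user_at(sessions, f["src"], ts), f["app"], f["action"]))
    return out


def usage_by_user(attributed):
    """Roll attributed events up into the per-user application list a report needs."""
    usage = defaultdict(set)
    for user, app, _ in attributed:
        usage[user or "unattributed"].add(app)
    return {u: sorted(apps) for u, apps in usage.items()}


if __name__ == "__main__":
    for user, app, action in attribute():
        print(f"{user or '?':12} {app:14} {action}")
    print(usage_by_user(attribute()))
```

The fourth firewall line, at 07:00, predates any logon on that address and stays unattributed rather than being guessed; in practice those are the events to investigate, since they represent activity from an address with no authenticated owner.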

15. Controlled Access Based on Need to Know

“Some organizations do not carefully identify and separate their most sensitive data from less sensitive, publicly available information on their internal networks. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. In several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data.”

16. Account Monitoring and Control

“Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization’s computing system and sensitive data for unauthorized and sometimes malicious purposes.”

17. Data Loss Prevention

“In recent years, attackers have exfiltrated more than 20 terabytes of often sensitive data from Department of Defense and Defense Industrial Base organizations (e.g., contractors doing business with the DoD), as well as civilian government organizations. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims were not aware that significant amounts of sensitive data were leaving their systems because they were not monitoring data outflows.”

Please note the much broader definition of Data Loss Prevention that SANS uses compared to the “product category” definition of Data Loss Prevention. Companies that offer DLP products generally have a far narrower definition, i.e. focused on preventing users from disclosing sensitive or confidential information via email or web applications. We will refer to these as DLP solutions in an effort to reduce miscommunication.

For data-at-rest encryption, SafeNet provides a broad product line ranging from IBM mainframes and servers to laptops and mobile devices.

Firewalls provide traditional Layer 3 wide area network data-in-motion encryption using the IPSec VPN approach. We partner with Palo Alto Networks.

Certes Networks (formerly CipherOptics) provides a very innovative alternative to traditional IPSec VPNs. While IPSec VPNs work at Layer 3, CipherOptics works at Layer 2 or Layer 4. This provides administrative/operational savings for organizations using IPSec VPNs among multiple locations and for organizations interested in encrypting Voice over IP (VoIP) and Video over IP.

Zscaler provides data-in-motion Data Loss Prevention product features as a component of its Secure Web Gateway cloud-based service, but no encryption. It focuses on monitoring for credit card data, personally identifiable information, and personal health information.


Service-oriented SANS Critical Controls

The last five of the SANS Critical Security Controls for Effective Cyber Defense do not lend themselves to automated solutions. They are described in more detail in our Services section:

8. Data Recovery Capability

9. Security Skills Assessment and Appropriate Training to Fill Gaps

18. Incident Response Capability

19. Secure Network Engineering

20. Penetration Tests and Red Team Exercises