The 20 Controls That Aren't – The Falcon's View


I would like to respond to Ben Tomhave’s attack on the SANS 20 Critical Security Controls.

Ben says they are not actionable. They surely are actionable. While SANS refrains from specifying actual implementation recommendations, Cymbel does not. Each control also includes metrics that let you evaluate its effectiveness.

Ben says they are not scalable, i.e., they are appropriate only for large organizations with deep pockets. In reality, the SANS 20CCs provide a maturity model with four levels, so you can start with the basics and mature over time.

Ben says they are designed to sell products. Sure, 15 of the 20 are technical controls. As the SANS 20CCs document says, the attackers are automated, so the defenders must be as well. And while technical controls without well-trained people and good process are useless, the inverse is also true. SANS surely covers this in the 20CCs document. I’ve seen too many really good security people forced to waste their time with poor tools.

Most importantly, I would contend that the SANS 20CCs were developed from a threat perspective, while the IT UCF, which Ben favors (and which is the basis of the GRC product sold by Ben’s employer, LockPath), is more compliance oriented. In fact, UCF stands for “Unified Compliance Framework.”

While I surely don’t agree with every aspect of the SANS 20CCs, there is a lot of value there.

For example, the first four controls relate to discovering devices and the adherence of their configurations to policies. How can you argue with that? If you don’t know what’s connected to your network, how can you assure the devices are configured properly?

How many organizations can actually demonstrate that all network-attached devices are known and properly configured? Who would attempt to do this manually? How many organizations perform the recommended metric, i.e., add several new devices and see how long it takes to discover them – minutes, hours, days, months?
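As an added illustration (not code from the original post or from the SANS document), the following Python sketch shows what the first control and its metric look like when automated: discovery events from an active scanner and a passive sensor are reconciled against an authorized inventory, unknown devices are flagged, and the time from plugging in a test device to its first sighting is computed. The inventory, the log lines and the plug-in times are constructed sample data.

```python
from datetime import datetime

# Constructed authorized inventory: MAC address -> asset name (sample values).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "workstation-17",
}

# Constructed discovery events, shaped like a merged feed from an active
# scanner and a passive traffic sensor: timestamp, source, mac, ip.
DISCOVERY_LOG = """\
2012-03-01T09:00:12 active  aa:bb:cc:00:00:01 10.0.1.10
2012-03-01T09:00:15 passive aa:bb:cc:00:00:02 10.0.1.23
2012-03-01T11:42:03 passive aa:bb:cc:00:00:99 10.0.1.77
2012-03-01T13:05:40 active  aa:bb:cc:00:00:99 10.0.1.77
2012-03-02T08:10:00 active  de:ad:be:ef:00:01 10.0.2.5
"""

# Constructed metric test: when each deliberately added device was plugged in.
CONNECTED_AT = {
    "aa:bb:cc:00:00:99": "2012-03-01T11:00:00",
    "de:ad:be:ef:00:01": "2012-03-01T20:00:00",
    "de:ad:be:ef:00:02": "2012-03-01T20:00:00",  # never seen by either tool
}

def parse_events(log=DISCOVERY_LOG):
    events = []
    for line in log.splitlines():
        ts, source, mac, ip = line.split()
        events.append((datetime.fromisoformat(ts), source, mac, ip))
    return events

def first_seen(events):
    """Earliest time each MAC was observed, whichever tool saw it first."""
    seen = {}
    for ts, _, mac, _ in events:
        if mac not in seen or ts < seen[mac]:
            seen[mac] = ts
    return seen

def unauthorized_devices(events, authorized=AUTHORIZED):
    """Devices on the wire that are absent from the inventory: the control's output."""
    return sorted(mac for mac in first_seen(events) if mac not in authorized)

def time_to_discover_seconds(events, connected_at=CONNECTED_AT):
    """The metric from the post: seconds from plug-in to first sighting, None if never seen."""
    seen = first_seen(events)
    result = {}
    for mac, plugged_in in connected_at.items():
        if mac in seen:
            result[mac] = (seen[mac] - datetime.fromisoformat(plugged_in)).total_seconds()
        else:
            result[mac] = None
    return result
```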

In closing, I find SANS to be a great organization and I applaud their efforts at developing a set of threat-oriented controls. In fact, I post a summary of the 20 Critical Security Controls on our web site.



  1. Actually, Bill, the author is correct and you are incorrect in your statements when you look at this in a strict sense.

    The author is correct in that the “controls” as stated aren’t controls. They aren’t even full sentences.

    Take, for instance, “control 1” which states “Inventory of Authorized and Unauthorized Devices”. If it were written “establish and maintain blah blah blah”, you’d have a control.

    Because to control is to take action (or subvert an action from taking place, or mitigation against an action from taking place) on something or someone. The prepositional phrase stated is without action. Therefore, it isn’t a control.

    The easiest way to tell if something is or is not a control is to ask it as a question. It would be absurd to ask “did you Inventory of Authorized and Unauthorized Devices?” You *could* ask if the person created, established, maintains, destroys, or any other action relating to the topic.

    If someone were to teach the people at SANS a lesson in English, they might re-write those controls this way:

    Critical Control 1: Establish and Maintain an Inventory of Authorized and Unauthorized Devices.
    Critical Control 2: Establish and Maintain an Inventory of Authorized and Unauthorized Software.
    Critical Control 3: Implement Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
    Critical Control 4: Implement Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.
    Critical Control 5: Initiate and maintain a Boundary Defense program.
    Critical Control 6: Establish, maintain, monitor, and analyze Security Audit Logs.
    Critical Control 7: Establish and Maintain an Application Software Security program.
    Critical Control 8: Control the Use of Administrative Privileges.
    Critical Control 9: Establish and Maintain Access Based on the Need to Know.
    Critical Control 10: Perform Continuous Vulnerability Assessment and Remediation.
    Critical Control 11: Establish and Maintain an Account Monitoring and Control program.
    Critical Control 12: Establish and Maintain a Malware Defenses program.
    Critical Control 13: Limit and control the use of Network Ports, Protocols, and Services.
    Critical Control 14: Establish and Maintain Wireless Device Controls.
    Critical Control 15: Establish and Maintain a Data Loss Prevention program.
    Critical Control 16: Follow Secure Network Engineering practices.
    Critical Control 17: Perform Penetration Tests and Red Team Exercises.
    Critical Control 18: Establish and Maintain an Incident Response Capability.
    Critical Control 19: Establish and Maintain a Data Recovery Capability.
    Critical Control 20: Perform Security Skills Assessments and Appropriate Training to Fill Gaps.

  2. Your point is well taken in the sense that the high level list of the SANS 20 is actually just a set of headings or topics. However, I would recommend you take a look at the actual “recommendations” within each topic. Those seem to be a closer fit to your definition of a control.

    Here is the actual first control under Critical Control 1: Inventory of Authorized and Unauthorized Devices:

    1. Quick wins: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the enterprise network. Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

  3. Okay, that’s a great example. So let’s look at that one. Now, mind you, a control is *AN* action taken on a single, or sample of, people or assets.

    That first “quick win” has several controls in it, some of which are subservient to the original.

    1. Deploy an automated asset inventory discovery tool
    1.1 Use the automated asset inventory tool to build a preliminary asset inventory of systems connected to the network.
    1.2 Use active tools as appropriate to continuously scan the network to identify hosts based on analyzing their traffic.
    1.3 Use passive tools as appropriate to continuously scan the network to identify hosts based on analyzing their traffic.

    The reason that this quick win has to be split into several controls is simple – each task shown here can be independently tested and answered “yes we’ve done it”, “no we haven’t done it”, “this doesn’t apply.” You can’t do that when the “control” is written as a compound/complex sentence. One of the best things to do is think about going to court and having to answer yes/no/na to a question without telling a lie. Could you answer yes/no/na to the quick win as originally stated if you did part of it, didn’t do another part, and the rest wasn’t applicable? You couldn’t.

    So that’s why we have to break each of these compound/complex paragraphs into the “perform *an* action on this person or asset” format.

  4. BTW, I absolutely love the people at SANS. I think their work is great. In need of a good controls editor, but great.

  5. I appreciate your feedback. I understand the level of granularity needed in order to measure compliance with a control. Thank you.
