
The Center for Internet Security Making Best Practice Common Practice

Tony Sager, Center for Internet Security (CIS). INFOLOCK Healthcare Leaders’ Security Summit, August 2018.


Presentation Transcript


  1. The Center for Internet Security: Making Best Practice Common Practice. Tony Sager, Center for Internet Security (CIS). INFOLOCK Healthcare Leaders’ Security Summit, August 2018

  2. Classic Risk Equation

  3. How Much Should I Care? (diagram: the progression Weakness, Flaw, Vulnerability, Exploit, Attack)

  4. How Much Should I Care? (diagram: the same progression Weakness, Flaw, Vulnerability, Exploit, Attack, set against the layers at which each is addressed: Operations; Infrastructure; Architectures; Devices, Protocols; Designs, Architectures)

  5. Cyberdefense as an Information Management Challenge
     • The optimal place to solve a security problem is … never where you found it.
     • If it is happening to you today, then … it happened to someone else yesterday, and it will happen to someone else tomorrow.
     • After you figured out what happened, there were … plenty of signs that could have told you it was coming.

  6. A Lifetime of Cybersecurity Lessons
     • Knowing about vulnerabilities doesn’t get them fixed
     • The Bad Guy doesn’t perform magic
     • There’s a large but limited number of defensive choices
       • the 80/20 rule applies (the Pareto Principle)
     • Cybersecurity => Information Management (not Threat Sharing)
       • when you hear “share”, think “translate” and “execute”
     • Few people/enterprises make security decisions
       • they make economic and social decisions
     • Cybersecurity is more like Groundhog Day than Independence Day

  7. “The reason for collecting, analyzing and disseminating information on a disease is to control that disease. Collection and analysis should not be allowed to consume resources if action does not follow.” -- Foege WH, et al. International Journal of Epidemiology 1976; 5:29-37

  8. A Cyberdefense OODA Loop (Observe, Orient, Decide, Act). Diagram slide; the one label captured from it is “patch Tuesday”.

  9. “Dueling OODAs”
     • There are many loops, often connected
     • “farther in space, earlier in time”
     • The Bad Guy’s loop is an opportunity

  10. Plumbing or Content?

  11. An Effective Cyberdefense Machine should be…
     • powered by information: collected, moved, translated, acted on
     • based on a model of Attacks, Attackers, and defensive choices
     • driven by open, standards-based “plumbing”
     • focused on “community risk”, but tailorable
     • repeatable, dynamic, feedback-driven
     • demonstrable, negotiable for Real People

  12. The Defender’s Dilemma
     • What’s the right thing to do?
       • and how much do I need to do?
     • How do I actually do it?
     • And how can I demonstrate to others that I have done the right thing?

  13. Evolution of the CIS Controls: NSA/DoD Project → The Consensus Audit Guidelines (CSIS) → “The SANS Top 20” (the SANS Institute) → The Critical Security Controls (CCS/CIS) → The CIS Controls™

  14. CIS Best Practice Workflow

  15. CIS Controls Version 7

  16. Health & Human Services - Best Practices

  17. CIS Programs

  18. Managing the Risk Equation
     • Focus first on…
       • Vulnerability management
       • Consequence management
     • Accept that we have more in common than different in cyberspace
     • Aim for an 80/20 Rule approach
     • Look for “pre-translation” of vulnerability into action
     • Put in place the “plumbing” for execution/action
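The “80/20 rule” of slide 6 and the “pre-translation of vulnerability into action” and “plumbing for execution” points of slide 18 describe a workflow rather than a tool, so here is one concrete shape it can take. This is an added illustration, not code from CIS or from the presentation: a scanner’s per-host findings are collapsed into the few remediation actions that close them, the actions are ranked by the exposure they remove, and the list is cut where the cumulative share reaches 80%. Every host name, vulnerability label, score and action string is constructed for the example, and the weighting (severity doubled when an exploit is known) is an assumption for the example, not a CIS metric and not the risk equation of slide 2.

```python
"""80/20 triage: turn a list of vulnerability findings into a short list of
remediation actions, ranked so the first few carry most of the exposure.

Added illustration of the "80/20 rule" and "pre-translation of vulnerability
into action" points from the slides; not code from CIS or the presentation.
Every host, vulnerability label, score and action name is constructed, and the
exposure weighting is an assumption for the example, not a CIS metric.
"""
from collections import defaultdict

# Constructed scanner output: one row per (host, vulnerability). The "action"
# field is the pre-translation step: the one concrete fix that closes the
# finding, attached by whoever curates the feed before it reaches operations.
FINDINGS = [
    {"host": "web-01", "vuln": "V01", "severity": 9.8, "exploit_known": True,  "action": "patch web server package"},
    {"host": "web-02", "vuln": "V01", "severity": 9.8, "exploit_known": True,  "action": "patch web server package"},
    {"host": "web-03", "vuln": "V01", "severity": 9.8, "exploit_known": True,  "action": "patch web server package"},
    {"host": "web-01", "vuln": "V02", "severity": 7.5, "exploit_known": False, "action": "patch web server package"},
    {"host": "db-01",  "vuln": "V03", "severity": 8.1, "exploit_known": True,  "action": "restrict db port to app subnet"},
    {"host": "db-02",  "vuln": "V03", "severity": 8.1, "exploit_known": True,  "action": "restrict db port to app subnet"},
    {"host": "ws-01",  "vuln": "V04", "severity": 5.3, "exploit_known": False, "action": "disable legacy file-sharing protocol"},
    {"host": "ws-02",  "vuln": "V04", "severity": 5.3, "exploit_known": False, "action": "disable legacy file-sharing protocol"},
    {"host": "ws-03",  "vuln": "V05", "severity": 4.3, "exploit_known": False, "action": "remove unused admin tool"},
    {"host": "ws-04",  "vuln": "V06", "severity": 3.1, "exploit_known": False, "action": "rotate default printer password"},
]


def exposure(finding, exploit_multiplier=2.0):
    """Weight of one finding: its severity score, doubled when an exploit is
    already known (assumed weighting for the example)."""
    weight = float(finding["severity"])
    if finding["exploit_known"]:
        weight *= exploit_multiplier
    return weight


def group_by_action(findings):
    """Collapse many findings into few actions: the 'translate' step.
    Returns {action: {"hosts": set, "findings": int, "exposure": float}}."""
    actions = defaultdict(lambda: {"hosts": set(), "findings": 0, "exposure": 0.0})
    for f in findings:
        entry = actions[f["action"]]
        entry["hosts"].add(f["host"])
        entry["findings"] += 1
        entry["exposure"] += exposure(f)
    return actions


def prioritize(findings, target_share=0.8):
    """Greedy 80/20 cut: rank actions by total exposure and keep the fewest,
    highest first, whose combined exposure reaches target_share of the total.
    Returns the plan as plain dicts, ready to hand to a ticketing system
    (the 'execute' plumbing)."""
    actions = group_by_action(findings)
    total = sum(entry["exposure"] for entry in actions.values())
    if total <= 0:  # nothing to do, and avoids dividing by zero
        return []
    ranked = sorted(actions.items(), key=lambda kv: kv[1]["exposure"], reverse=True)
    plan, covered = [], 0.0
    for name, entry in ranked:
        covered += entry["exposure"]
        plan.append({
            "action": name,
            "hosts": sorted(entry["hosts"]),
            "findings": entry["findings"],
            "exposure": round(entry["exposure"], 1),
            "cumulative_share": round(covered / total, 3),
        })
        if covered / total >= target_share:
            break
    return plan


if __name__ == "__main__":
    for step in prioritize(FINDINGS):
        print(f'{step["cumulative_share"]:.1%}  {step["action"]}: '
              f'{step["findings"]} findings on {len(step["hosts"])} hosts')
```

On the constructed data, two of the five actions close six of the ten findings and about 85% of the weighted exposure, which is the point of the slide: the work is in attaching the action to each finding before it reaches operations, and in emitting the result as structured records rather than a list for a human to re-translate. The cut is a greedy pass over exposure only; a real deployment would also carry consequence (what the host is for), which the slide lists as the second thing to manage.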

  19. In Development at CIS
     • SME Guide: outsourcing
     • CIS Controls “Tiering” to support baseline implementations
     • More hardened images for cloud service providers
     • The CIS Controls Cloud Companion
     • The CIS Controls IoT Companion
     • SMB Toolkit (in partnership with the Global Cyber Alliance)
     “It’s not about the list”

  20. Getting Involved As a non-profit driven by its volunteers, we are always looking for new topics and assistance in creating cybersecurity guidance. If you are interested in volunteering and/or have questions or comments, please write us at controlsinfo@cisecurity.org and join a CIS Control Community.

  21. Website: www.cisecurity.org. Email: Controlsinfo@cisecurity.org. Twitter: @CISecurity. Facebook: Center for Internet Security. LinkedIn Groups: Center for Internet Security; 20 Critical Security Controls
