CIS Controls Version 7 Launch Event | March 19th 2018

my name is Jane lute I'm a member of the board of the Center for Internet Security and it's my privilege to welcome you here this morning for the release of the seventh version controls 7.0 it's something that a lot of people in this room know a lot about and my job this after this morning is to welcome you as I said and to turn the floor over to Tony Sager but before I do I want to say a word about Tony and the work that he's done not single-handedly anymore because he's had tremendous help from John Gilligan Kirk Dukes and James Kelly and the number of you in this room again whom you know but Tony has been the driving force behind the controls keeping it moving and keeping it developing always and those of us who are here represent I think through our presence our commitment to joining him in this effort it's only through widespread adoption of basic cyber hygiene and the controls represents the finest example of that that we're really going to change the game when it comes to cyber security so Tony on behalf of all of us let me thank you and offer you the floor well after that introduction I hate to correct Jane but I will I'm one of those folks who has spent an entire career never doing anything by myself so there's no there's no project no paper no invention nothing that I ever did that was on my own so so thank you all for coming in and welcome thank you also to our host here at new America for the part of this project is all the great friends and partners and colleagues that we made along the way so we really appreciate that so and I'm particularly thrilled and I'm not kidding when I say thrilled to introduce version 7 of the CIA's controls to everybody here because I was there on day zero and day zero was a handful of friends sitting around a table literally a handful of friends and thinking about the problem of how do we help people improve themselves in cybersecurity and at that time I spent 35 years at the National Center agency all of it in defense and 
all of it in security testing and what what's really starting to bug me was hey security testing is great work right penetration testing red teaming finding zero days it is amazing work it draws great people it's great fun it's full of clever ideas and the best part is at least the way we did it traditionally you had no responsibility to fix anything right that is like great work but after it's been probably a third of my career kind of learning the craft and there was no better place at that time in history then there's the curry agency the middle of third of my career moving into management jobs which is often considered punishment at NSA and then the last third thinking about what in the world is going on out there why are we seeing the same problems over and over again why are highly sensitive systems being undone by what seemed to be pretty uninteresting mundane problems is it because people don't care they're lazy or where are we failing well my experience in dealing with operators across the entire DoD and intelligence community and lots of the private sector there's a lot of great people out there but they're overwhelmed the problem was not the lack of tools and technology and training and resources and attention and professionalism it's that everyone's overwhelmed by the job right we've gone from a world that I grew up in where we conceptually only had one enemy and you want to remember those quaint days to where everybody is your friend and your adversary and your rival at the same time on the same network using the same technology it's a really different problem and so the opportunity was there to think differently about defense and I led a campaign in about 2001 to release the NSA security guidance to the public that brought us a lot of attention a lot of great feedback and what's really intended to be a message about the role that energy should play and the government should play in helping everyone defend themselves and when you put something out 
there you get a lot of feedback and I like great questions and people would say things and some of you are in the audience would say that's great information thank you but where do I start what do you mean where do I start I can only keep my boss's attention on three things I can only afford to do two things what should I do in the next month next quarter where should I spend my first dollar so can tell you I never had responsibility for that because I never thought of that question to be honest I thought you know what that's for real that makes sense right if you're gonna solve a problem you have to start and it's overwhelming to try and figure out where to begin so a handful of people in the room and the challenge was this let's come up with a small number of things that we think all our friends should do not to solve world hunger because you get enough security people in the room and you know what happens right you come up with these thousand action item lists these gigantic incredibly impressive unusable catalogs of things to do it's overwhelming so people you know get this business is really clever people and so they come up with these great ideas and they are professionally trained to poke holes in every idea that you have so it's not surprising you get these giant lists so I said small number small to me meant five to seven human beings who work at NSA being what they are they wouldn't agree to less than ten and a two-page letter or so left NSA to a few friends to the CIO the airforce to the Joint Staff and a few friends like that it was just another afternoons project I would love to tell you that I had this grand vision that was gonna bring us to here today right a worldwide community effect across the entire industry a uncountable number of supporters volunteers but I did not I wasn't that clever it was a two-page letter it was an afternoon's work it was one of dozens of things that we were doing and a few weeks later a dear friend the late Paul Bartok 
who worked with me at NSA just one of the unsung heroes of this business he leans into my doorway looks in and he says I just got a phone call from Alan pallor of sands they have our list and he wants to know can he can he take this list and build a project around it and I said of course I can't stop him when we put it out to be unclassified where there's nothing sensitive about this well one thing led to another and the role of CSIS the Center for Strategic and International Studies here in DC the SANS Institute John Gilligan as a project leader created it's the essential format of what we know today is the sea is control all right so we had and it went from you know five friends in a room conceptually to five thousand friends on a mailing list right a big community if you've worked with the SANS Institute you know that they're not capable of doing anything at small scale so it's got to be big so it was big and it built the notion of a community contributing to this common good right this idea is a really important idea it's to recognize not just in a you know rah rah kind of a way but we're all in this together right we're all connected using the same technology facing the same kinds of problems yeah everyone's got something to worry about but if we treat every enterprise in the industry as the special snowflake right your problem is so unique you can possibly do anything to you figure out all the threats and all the attacks then we're paralyzed forever and to recognize that we actually have more in common than we do that's different and so let's take action right let's share ideas resources none of us has enough trained people to deal with this problem on their own none of us has enough technology none of us has access to enough information so that simple idea of five friends talking turns into a big idea so you've heard some of the earlier names for the project the consensus audit guidelines it's kind of a popular name of the sans top 20 for a while so fast 
forward I retired in 2012 from NSA went to work to do some special projects at Sands took this back over and with the grace and support of sands spun it out into a non-profit here we are today as part of the Center for Internet Security really a super institution that is the perfect home for the kinds of things that we're trying to do here today and what I will remind everybody and what we're going to see today so five friends two pages to an incredible industry wide world wide community that creates this and believe me there is no giant think tank that is CIS right you're most of the staff is right here that works on this project is right here in this room and not many of them it's really about volunteerism right we are a mechanism to bring together the talent across this industry focus on the problem that we have in common think about the potential solutions to that problem create and sustain products that will allow everyone to deal with it at some level and then distribute them as well ideally as freely as we can okay and still have a viable company that's the big idea that really drives me every day and the way we think about this so in its and it's not a never been about is our list of 20 better than their list of 10 better than the catalogue that's over here that is not it all right if you want a great list you can go to any virtual street corner in this business right lots of places government agencies magazine articles different nonprofits their lists everywhere and if you look at them carefully at some level of abstraction they're 80 90 percent the same right some are cosmic and a highfalutin and some are very granular and super specific but there really is not much difference and so to me that was another great lesson well then why don't we share our labor upfront why don't we figure this out together and so that's what we're really about and the sustainment of the idea is a really important one also right I've been around this for 40-plus years now seen 
many great ideas in computer security information security COMSEC etc etc fall by the wayside because no one planned to sustain it over time right you come up with a great idea great paper great list great tool is it gonna be there in a year to five years from now when you really need it okay you have to create a mechanism to manage this through time so it's really what CIS is all about we are the the home of this kind of work we are made powerful not by what we do but by our ability to corral all the talent that's out there that's one of the great unappreciated aspects of this business it's full of really talented clever people right representatives in this room but they're also people of goodwill that really believe there's something bigger than all of us here and so they'll be great examples of that so welcome to version 7 so much since sorry immersion 7 we really are starting 6 on party October 2015 we really started I'll call it the formalization of the infrastructure of the controls so it went from me sitting in the room with a cat and the dog and a cup of coffee all day to really the mechanism that's here today right the sustainment through CIS we just passed a hundred thousand downloads of version 6 an incredible achievement for all of us here and we now have more for version 7 we have more feedback than ever managed more cleverly much more people involved in the documents themselves and what's happened again it's not about the list right a whole ecosystem has started to develop around the controls it's not just the document it's not just the adopters but the support from industry the creation of new content that's coming into our world or work with different industries from power generation to you know sort of all these verticals that have latched onto the controls it's something important and we're also very conscious of our role in the ecosystem right we're not you know we have no government authority we have no legislative power we have power that 
people like you grant us right the choose to do what we do we are founded in this framework you know we're aligned with all the different things that are out there we'll help you we are now entering what I call the multi framework world our surveys and I think your experience will tell you right you're a lucky enterprise if you only have to deal with one set of eyes looking over your shoulder most now are in the 2 3 4 or 5 or more regulatory Geographic oriented you know industry specific everyone wants to know what you're doing and you cannot afford to spend 80% of your time and money proving to others you've done the right thing you really want to spend that on doing the right thing right we need to prove to others that we've done the right thing in the most cost efficient way possible so that's the role that we play here so the agenda today it'll be quick because it's not about the event even or even the tasty snacks out there Phil lengua about the process that we use we'll have some discussion about sort of behind the scenes some of the key issues that we're trying to deal with in version 7 we have one of our flagship adopters to talk about what's happening in the state of Virginia and then we'll have a panel to talk about some of the key issues and questions that you might have so think of this as a start of a conversation for the future versions of the controls I always tell people I don't have a priority list right our priorities are driven by the community's needs and we get that because people talk to us and we're out there trying to figure out what the need is what do we have in common what can we create that will help you and how do we build a community that will create sustained that over time so with that I'm going to bring up Phil I won't even joke about how better organized Phil has been in doing very and seven and I was with such thank you so much all right good morning so I hope everyone has their their coffee because we're gonna go through the 
control one by one for the next hour and a half all right no all joking aside my name is Philip Lane well I'm the technical control product manager for the CIA's controls this is kind of my first experience in terms of developing the controls content it has been an amazing experience not because the content is really well written but because the process is very innovative I think it's it's very unique process and depends heavily upon the volunteers that we use and rely upon that's kind of the core part of the CIS mission is leveraging this army of volunteers to help us create this guidance for everyone the idea is let us raise all ships let's work together to address similar problems that we're all facing on a regular basis you know problems like how do we deal with cloud infrastructure I'm a small medium business how do i implement cybersecurity with limited resources or expertise I'm in lending controls where the privacy implications I'm interested in terms of how we can manage my risks what's the process I need to help kind of manage different expectations from businesses so instead of each of us come together our own answer let's bring in the expertise and let's collectively come up with an answer it may not be the best answer may not be applicable to everyone but least let's get 90% of the way there and we can only do that through the great volunteers we have within our community and we go a little bit in terms of the process that we went through so we started with some very core principles we wanted to imply for version 7 the biggest part was we wanted to simplify the language we want to made easier for everyone to know when they achieved the specific sub control so he would did a first cut we call that our simplified version James and Kelly were really kind of the large and main editors they really kind of helped provide that structure and we start from there you know what took us a few months back and forth we felt really good about it like awesome we're 
gonna start bringing in some more community members you know we've got friends and family so we created an online collaboration website that we've used for work for benchmarks for many many years we brought our friends and family on their group of 73 so we went over another two three months by control by control Wow we got a really good thing going you know feel really confident let's open it up so then we open it up to think we emailed 81 thousand people or something like that about the controls and then we were able to get more feedback so a little community of 75 people grew almost overnight over 200 and as part of version 7 we had to integrate over 600 individual recommendations I mean we tried as much as we could have addressed them you know we're like Tony mentioned we're we're a small staff but we're really supplemented by a large army of volunteers spanning the globe including some friends in New Zealand I know they'd start because their mornings are when we're done at night so when his comments start coming around but we were able to go and really create I think a much better document and I think this is something that we're all very proud of and we're gonna help grow and this is really just a step one for us this is part of a new process this is a new experience for us and we're going to keep building upon it so we're gonna be looking as part of version 7 to roll out additional communities to start addressing some of these difficult problems that we're all facing I mean this has only be done through volunteers with an organisation and other organizations around so if you're you know an expert or you think you're an expert or you want to learn more about cybersecurity absolutely feel free to join one of our communities and they're there's no there's no threshold in terms of expertise that come in and contribute also if you're a manager and you have staff that want to grow and they want to learn encourage them and also give them the opportunities to 
participate within their communities this is really the benefit everyone we give back pretty much everything we write up and everything we do to our community so this is a actually more or less my time already but once again you know this is really all right so one of the other things just kind of want to touch up on that we can get a chance to as part of the initial was some of the core principles so I mentioned two of them from the onset which was the simplification the language being more concise with it you know the controls have gone through a lot of revisions and they've grown over the years and you actually have a chart that has every single control mapped and now you know you noticed in the language was added when there's a specific new edge case okay let's add this language let's add this concept so we've done kind of what I like to call a controlled brushfire so we've burned a lot of the explanatory language where we have or really the core language and the core requirements set down I'm as part of that since now we have a core requirements identified it's easier to work with measures and metrics to really know when you're achieving a specific sub control because now there's one ask for sub control the language is very prescriptive it tells you exactly where you can find the information so we're really focused more in terms of providing a way to have objective measures to know whether or not you're achieving the specific sub controls part of is we're also looking at more of a collaborative environment we want to have more controls more communities this is once again this is really a step one and our first or first take at this I have to just double check because I don't have them memorized unfortunately my apologies but the oh yeah and this is really big one the there's a big structural change we did so everyone who's got the fact sheet right now will notice that we don't have a wheel anymore we've kind of broken it down into three major categories the 
basic the foundation on the organizational and part of that is we wanted to help once again prioritize organizations efforts in implementing the controls and we've always said that first five controls and now it's the first five and six we're kind of part of this first step organizations really need to take because if you don't have that down you're gonna have a large amount of difficulty implementing the rest of the controls and the foundational or these are the practices that we recommend every organization do then the organizational controls are much more non-technical in their nature and they provide a little bit more kind of higher level guidance we're not that's so the experts in terms of these controls we really focus in in terms of pointing direction as to where can organizations get better guidance for these last controls and we're hopefully gonna be building off of that within the future into maybe additional guidance we're very flexible we're very driven by our volunteers so the direction and what you guys need within your implementation and we will take that seriously to heart we're very happy to kind of help build and address these complex problems I'm gonna pass it back to you Tony thankfully he understates the the kind of intensity of the discussions that go on during all these things this is the the visual that we now use I'm sorry I missed that and as Phil talked about you know it's a complicated business right lots of opinions coming together in a in a industry that's full of opinionated people so part of the job is to guess is reminding us all of this common problem that we have and we don't operate like the I Triple E we don't operate you know we we consensus to me means that everyone gets to leave the room that we're gonna support the outcome but we're probably unhappy that some pet rock of ours did not make it onto the table and that's a fair thing right again in this industry it's easy to come up with lists of thousands there's things to do 
we are trained to do that the difficulty is always in cutting back right prioritizing because that's the challenge that folks like you face and that's the challenge that we really started with last point to echo on Phil's is that as he said we're a lot of what we did this time was setting the foundation for future generations of the controls right less sort of wordy narrative stuff more clarity so that we know what to test so we can point to technology so that we can build automated mappings to other frameworks and tools and workflows and things like that so we're really excited that there's a lot of great under the hood change is also here and next up I'll bring James tralala from Enclave security who was also one of our so either my name is James stralla and I've had opportunity over the last ten years or so to participate in the project and it's been great it's been an awesome opportunity to work with folks like Tony and Phil and Kelly and others too to see where the controls have come over the last ten years and one of the more the great opportunities I've had has been now me working with CIS but spending a great deal of time with the SANS Institute and we're a lot of my time actually ends up getting spent is with people who are actually doing these implementations and whether it be us assessing organizations are actually sitting with organizations trying to answer questions the the thing we've observed over the last ten years or so has just been to watch the evolution the document itself and it's it's been interesting because every version we see that gets released it feels like it's just that much better than what was before and you know whether it been version 2 or 3 or where we are now there's always a little bit of cringing I think on our part sort of being that the people are writing words and putting the actual words on paper and and we see some of the things that get written and I have to say I know every version we say this but I really feel like with 
the version 7 release some of those things that maybe nagged at us or that we just weren't quite sure of in previous versions it really has cleaned up but it really feels like Phil is saying that things have gotten to a place of stability and it's hoping to be that much easier for organizations to implement the clear guidance that that's been released as we look at the documentation itself one of the things I know that's been brought up already said you have this one ask concept one of the things that we look at the content if I could give me just a couple pieces of overview some of the things we wanted to focus on at this this latest release was this one ask concept not just for the sake of just clarity or one ask I mean there certainly was this clarity aspect I know a lot of times and talking to organizations you say well ok you say in this control that we should address devices but you say in this other control that we should deal with systems and then this other control we should do with assets what's what's the difference what's the difference between a device and an asset in a system and you having to wrestle with those kind of things and try to bring clarity the language so I think a big part of what we tried to accomplish in this version which is simply to bring that clarity and that understanding make it simple one of the things I worry about is when we read these compliance in the regulatory it's that there has to be a lot of times almost an interpreter that you have to find that wizard that can meet with you interpret what does this phrase really mean and I think one of the things we really tried to work hard on in this version was trying to remove that need for an interpreter that it should be clear enough by itself to explain what that means now that was certainly a big part of it and and I would certainly say if you have opportunity and have a chance to look a little deeper into the controls a couple of things that would maybe have you look at look at 
the statements themselves look at the measures and the new measure guide that was released with the current version again I feel like this is something that's come light-years from where we were in version 6 not only is it a one ask for control but it's one measure per control and I think what you're gonna see more and more is that those measures hopefully will be even that much easier to automate and build into more technical components dashboards and such that organizations can use to track this risk over time the other thing I guess that I would highlight is you're looking at the new version one of the things I know is is that the transition was made as a sans sort of handed over some of the documentation as Tony had mentioned earlier a CIS took responsibility for the future development of the controls remember one of the things that Alan Pollard's had sort of always sticks in my mind is he said to a group of us just standing in a hallway when you released new versions he said don't be afraid to ask for the things that are hard and I remember him saying that over and over again and he said there's gonna be a lot of things that come out that you want to put into these documents that that aren't gonna be easy or that there might not be a technical solution for today but don't be afraid to ask for those if you really feel like that's gonna make a difference for the community going forward and I think one of the focuses you're gonna see in this version the controls is around that you have a couple things that may be considered well frankly just a little bit hard but helpful overall the cybersecurity efforts certainly you see all of the structural changes we've made and if you were to ask you know are there giants changes brand new controls or asking for in this version that just weren't there a year ago I don't know that there are but I think we've clarified the language and we've clarified a couple specific asks in fact I'd like a draw your attention to just a 
couple the couple the ones that I would probably focus on the most number one would be application whitelisting application whitelisting has been there for for quite some time this is not a new control it's not something that it's sort of new to everyone's radar certainly you can go back to other studies beyond this look at what the Australians are released in their essential aid and others over the years certainly we are not the only ones to talk about this particular control but I think one of the things you'll see in version 7 is more clarity around what that actually means not only are we asking specifically for things like application binaries to be addressed but you're going to see some specific language around application libraries dll's ocx as things like this I'm having more detail around there more and more conversation about scripting languages I know more and more organizations are seeing attacks looking at PowerShell oriented attacks and those sorts of issues you'll see a number of controls specifically addressing not only white listing of application binaries but of scripts code siding related to those scripts and some of the defenses PowerShell has to offer um specifically because of those threats we've observed the other area that I have you probably focus on as well would be multi-factor authentication that's been an area that I know it's been in the controls for a number of years again this is not a new thing one of the debates that we had quite a bit as we looked at this current version was even back as far as version 6 and 6.1 you probably remember seeing some of those statements around multi-factor and there's almost this is the split personality within the controls we sort of said to everyone we want you to do multi-factor we know it's the right thing to do but we also know it's hard and we don't expect everyone to be able to do that right away and it seems like slowly over the last probably three years or so we've been maybe turning up the 
temperature of the water just a little bit, getting you used to the idea that this is where we're coming from, and what we wanted to do is make you aware of the control. And in version seven now, hopefully what we've done is we've started to eliminate some of those conversations about passwords. I know there's a lot of really good guidance out there right now; I know 800-63 has been very popular and NIST has had some really good conversations around that and what password strength really means. But I like what we've done with version seven, sort of specifically looking at multi-factor from a lot of different angles, not just from an end-user standpoint but for what we're seeing on the administrator side, certainly corresponding with what you're seeing with the State of New York, with PCI 3.2. A lot of that sort of is correlating now. At this point you're seeing it for remote users, you're seeing it for service accounts being mentioned, computers joining a network, those sorts of things. So I think you're seeing a lot more focus on those areas as well. So I think those would be two areas I would probably point out immediately, to have everybody take a couple minutes and make sure you look at those technical controls.

The other thing, and the last thing I'd have you look at as you're looking at just some of the content changes, is the use of quality management programs. I know we have practice aids you'll see released here over the coming months as we have more opportunity to talk about what this really means, but one of the changes we wanted to make with this new release was the outcome of the measures themselves. We talked about one ask per control, which again you hear a lot of us talk about today, but we have one ask per control, we have one measure per ask or per control, and that leads to a very specific set of measurements. In fact, if you look at data types and the way the measurements will take place, you'll see two primary measures we're going to make: boolean, in other words, are
you doing something, yes or no, right, sort of this true/false statement, and then pretty much every other measure will be a percent-based measure. And that wasn't by accident; one of the things we tried to integrate more with was quality management, and you're going to see a lot of references to Six Sigma and some of the practice aids looking at maturity levels. One of the things you're going to see again over the coming months will be again this idea of tools and some of the different toolkits we have in practice aids around measurement and maturity levels specifically. So I just want to draw your attention to these, and I certainly expect that everyone is going to take some time and look through the document itself, but these are some other things, the core changes, maybe some of the harder changes, that I want you to be aware of. A lot of the sphere of the controls has been consistent. I think one of the things you've seen from Tony since the very early days is that there's a certain consistency, and I don't expect when version 10 comes out that you're going to see a wholesale, you know, rewrite of the controls, but there are certain hygiene concepts that keep coming out over and over again and there's just more and more refinement of those in those current versions. So again, hopefully that's a useful tool for everybody, and we're looking forward to more feedback on the future releases as well.

A little bit of an inside baseball into how we come out with a finished product, but also the last point James made about measurement and so forth: you know, since starting with version six, we're now collecting lots more feedback about how people use the controls, how the industry supports the controls. Right, again it's not about the list; what we're doing is putting in place a lot of content, measurement, infrastructure. These kinds of tools are really decision support tools, right? How do we make company decisions or mission decisions? And the challenge for us in the future in cyber is
about putting the expertise that we all have into decision-making frameworks, not trying to impress people with how clever we are, right, that we can come up with lists of things to do. So that's a little bit of what's going on there. I mentioned CIS has been just a super home for the work here and I'm really pleased to be part of the team at CIS. One thing that really distinguishes CIS in this space is that we also have an operational mission: we are also the home of the Multi-State ISAC, all right, the Information Sharing and Analysis Center for state and local governments in the U.S. So when we brought all this together, see, when I ran those operations at NSA we were giving to the public the NSA security guides and all this great content. I had pretty high confidence in what was coming out of there because we had an operational mission, the red teams, the blue teams, right, the people seeing and living and cleaning up after problems every day, and that really brings a certain perspective to the content that you create, right, it makes you much more conscious of the trade-offs between sort of pure security and supporting operations. And you know, I always just say, when we make a mistake in the NSA security guide I get a phone call from a multi-star human being who's not in a happy mood because we brought something down that we did not intend to bring down, and that did happen more than once. So being part of CIS also gives us this role with the nation, across state, local, tribal, territorial entities, and so that also gives us kind of a natural customer base. So I'm pleased to bring up to the podium Kathy Bordel from the State of Virginia, one of our flagship adopters, and she'll talk a little bit about the ROI, the way that Virginia sees the controls and how they're using them in their management of their enterprises. Thank you.

Good morning. I'd like to thank CIS for allowing me to come here and share the Commonwealth of
Virginia's experience implementing the CIS Critical Controls. So let's start at the beginning. In 2003 legislation was passed that created VITA as a centralized IT organization for the Commonwealth. As part of this legislation VITA was given responsibility not only for IT governance but also for providing infrastructure services for executive branch agencies. This can be thought of as taking 80 individual companies and trying to merge them together into one. How in the world was VITA ever going to provide infrastructure services when each agency had been going their own direction for years? The agencies would not take well to it if we just dictated the change to them, but somehow we had to merge them. In order to get our hands around this new environment we needed to learn the business needs of all of our customer agencies and the citizens that they served. During meetings with the agencies VITA learned that they had a different variety of hardware and software at each one of them; in addition everybody had their own special configurations to meet their business needs. In 2006 VITA published the first version of the Commonwealth of Virginia IT Security Standard. This standard was based on best practices so that the agencies would have a common framework to use to secure their systems and their data. Using the information we gathered from the agencies we developed an asset management system in which we record the hardware, software and maintenance agreements being used across the Commonwealth. The implementation of this system allowed us to complete the first two CIS Critical Controls, the inventory of authorized and unauthorized devices and software. In 2008 we published our IT Security Guideline. This document provides guidance for agencies to use in creating their security baselines for their systems, referencing NIST and the CIS Benchmarks as examples of baselines that they could leverage. Over the next four years VITA worked with agencies to get them transitioned into a
homogeneous infrastructure. By 2012 the majority of executive branch agencies had been connected to the COV Enterprise Network. Providing an enterprise network meant that we could put enterprise-level security controls in place using a defense-in-depth approach. This can be thought of as layers of an onion, where the layers are trying to protect the core of its purpose from any outside threats. So let's start at our boundary levels and see what Virginia did. Our boundary defenses are provided through firewalls, IDS and IPS, email and web security gateways and secure VPN devices. Enterprise firewalls are configured to filter on authorized traffic and create a separate DMZ and secure zone that segments systems and applications based on the principle of least privilege. Email messages are scanned for malware and spam before being delivered to the enterprise mail system. Remote access is provided by utilizing the VPN with multi-factor authentication and posture assessment. As we pull back the layers of the onion we find the network layer next. Let's take a look at what protections we implemented at this layer. Network defense added web proxy filtering to block access to known malicious sites and examine web traffic for malicious payloads. Our wireless networks are configured to utilize multi-factor authentication for access. Policies were updated to require all unused network ports to be disabled by default, and we allow one connection per port. Now when we move to the next layer we encounter the internal network. This is where our mission-critical assets and data reside, so let's examine the multiple types of defenses that we need to apply to these resources to protect the crown jewels. Our first type of defense will be endpoint protection. Our endpoint defenses are applied not only to the endpoint devices but also to our servers as well, so it covers the servers and the users. Antivirus, host-based intrusion prevention and threat intelligence software is installed. Web browsers are
configured to send all traffic through the web proxy. Any files the user downloads are automatically scanned for malware before they're presented to them, and email clients are configured to scan messages for malware before sending or receiving them. Endpoint devices receive monthly vulnerability scans to identify missing patches and configuration errors. These devices receive software updates through a centralized patch management system and receive configuration updates via central policy management servers to keep them in compliance with the Commonwealth's security baselines. Okay, now that we have secured our devices, let's take a look at our applications. Application software defenses include web application firewalls and application control. The web application firewall serves to protect connections to your applications and associated databases by monitoring the traffic for security flaws or malicious content such as SQL injection and cross-site scripting. The application control client is a required control for any device running end-of-life software. This control offers the agency an additional layer of protection by only permitting authorized applications to execute. I believe this is what James was referring to with the application whitelisting. Okay, now how do we put this all together to meet our legislative mandate of providing governance and infrastructure services? In order to fulfill its requirements to provide governance, VITA provides the policies, standards and guidelines for how the Commonwealth's IT security program will function. These documents are reviewed and updated on an annual basis to adjust defenses and controls based on the current threat landscape. Some examples of the types of controls mandated include: access granted on the principle of least privilege; administrative credentials must be approved by the agency head and must be provisioned through a separate account; remote access to sensitive data requires two-factor authentication; and sensitive systems
must be audited once every three years. The COV IT Security Standard details data protection requirements. VITA worked with the agencies to define data classification, data owner and data custodian for the data sets that each agency utilizes. The standard mandates that sensitive data be encrypted at rest and only accessed remotely using multi-factor authentication. Our data is backed up at specific intervals determined by the criticality of the data that needs to be protected and the maximum recovery time before mission-essential functions will be impacted by an event. In order to maintain secure infrastructure services, IT Security Operations provides the day-to-day monitoring of the log files being received by the SIEM. They investigate any events that fall outside normal activity, perform incident response, vulnerability scanning and forensic analysis, and maintain situational awareness on the changing threat landscape so that defenses can be adjusted as needed to maintain the security posture of the Commonwealth's enterprise IT environment. When a spike in incidents is detected, the incidents are examined to determine the security control that failed, allowing the attack to be successful. How has the Commonwealth benefited from implementing the controls? In 2013, after a spike in malware incidents, VITA identified that many users were using their admin accounts for routine access. As a result we launched a project to reduce the number of accounts with local administrative rights. As soon as we got through the project and had reduced the number of accounts out there, we saw the malware incidents drop. The malware still stayed our number one attack vector, so we took a number of those infected devices and ran them through forensic analysis to figure out what was happening, and what we determined was that the malware was exploiting a number of known vulnerabilities in Java. As a result we launched another project to update Java on a quarterly basis, but it wasn't as simple as
pushing the patches through our patch management system, because our agencies all use different versions with different applications. So what we did was we worked with the agencies to test their applications with the new versions of Java. For things that would not work with the new version of Java we had to look for alternate solutions for them. We also worked with them to get the old end-of-life Java off of their devices, because even though they would get new patches there was no mechanism in place to remove the old version, so we addressed that as well. Once we got through patching Java we set up a pilot group in every agency so that as new versions are released they will pilot it, test it, and then we'll push it out once a quarter. After we started pushing out Java updates quarterly, our number of malware incidents continued to drop and has remained low since then. In 2016 VITA determined that the majority of attack traffic was targeting our web applications. While VITA had set up a web application scanning service back in 2013, most of the agencies didn't have funding to take advantage of it, so we went to our legislature and asked if we could provide this service to the executive branch agencies for free, and they agreed. So the revised service went live in the fourth quarter of 2016. VITA now performs quarterly web application vulnerability scans on 1,408 URLs. The first round of scans identified 30,614 findings, of which ten percent were considered high-risk. This was a good indication of how vulnerable our web applications actually were. VITA worked diligently with agencies to remediate these findings, and the second set of scans saw an 18% reduction in the overall findings and a 23% reduction in high findings. In today's environment VITA has found that the greatest risk is the employees, or the insider threat. Our employees are required to take security awareness training every year; however, this is not always sufficient, so as a result we have set
up customized simulated phishing campaigns to assist agencies with educating their employees against phishing attacks. Agencies are seeing a drop in the number of users that respond to the simulated phishing messages with each succeeding campaign. After a long journey implementing the CIS Controls, the Commonwealth now has a mature IT security program that leverages defense-in-depth, provides granular insight into the environment and facilitates a quick response to the changing threat landscape. [Applause]

All right, thanks very much, I appreciate that. Okay, next up we're going to have a quick discussion panel hosted by my friend Curt Dukes, a long-standing professional friend, colleague and fellow bike rider, and we'll be joined by Greg Johnson from the Federal Reserve, Chris Cronin from HALOCK Security Labs and Kelly Tarala.

Okay, as Tony indicated, Curt Dukes, former NSA senior official; spent 33 years in information assurance and cyber defense, and blessed to be able to come to the Center for Internet Security for two reasons. The first one really is around security benchmarks. You know, I was at NSA, actually came up with the concept of a security configuration for that; it's now at home at the Center for Internet Security. And then the second opportunity was around the Critical Controls, and again what we were trying to do at that point in time was try to disrupt the attacker's life cycle. Founded that at NSA, in a sense, and transitioned it to the Center for Internet Security. So what I thought I'd do is maybe allow each panelist a brief introduction, what organization you represent, and maybe just a short sentence around what the controls mean to you.

In my role we provide IT audit assurance to basically anything that's been consolidated across the Fed, you know, based on risk, so the big financial systems that the Fed supports, and we provide a really good consolidated assurance kind of service for that infrastructure. We have
been leveraging on our assurance framework using the CIS Controls for about six years now. I think that's probably good. Yeah.

Hi everybody, I'm Kelly Tarala. Yes, James and I have the same last name, we're married. I work with Enclave Security. I've been working with the controls for about ten years now and I've had the opportunity to work with SANS; James and I write courseware together, helping folks understand the importance of the controls, how to implement them and also how to tie them into their strategic programs and their governance programs.

Chris? Yeah, I am Chris Cronin. I'm a partner at HALOCK Security Labs. HALOCK is a Chicago-based information security organization that helps organizations get their security controls in line, respond to incidents, and help represent their regulatory and sometimes judicial needs. We'll use the Consensus Audit Guidelines, wow, that goes back, the Critical Security Controls, the Controls version seven, we can go through the entire history. I worked with James and Eric Hall to build some of the original courseware with the SANS Institute for the Consensus Audit Guidelines controls. You've heard enough from me? Yeah.

Perfect. So what I thought I would do is start off with one question for each panelist, and then we'll take a brief pause and see what questions we may have online, and then we'll follow up with additional questions from the moderator. So the first question goes to Greg. So Greg, what drew you to the CIS Controls in the first place?

You know, the conversation around what do we do about cyber, so, you know, organizations were asking that question and, you know, the auditors were asking the question, what do we do about cyber security assurance work? And so really, I'm just sitting here looking at James; probably six years ago I went to the SANS class that he teaches, really to evaluate how applicable such an approach might be in doing our assurance work, and well, I just came back just really, really
enthusiastic about: here is a prioritized way to provide cyber security audit coverage. And then, you know, I wasn't necessarily expecting this to be a benefit, but it really helped us in conversations with management, so we could actually rationalize, here's what we're doing and why, instead of, you know, the typical audit, well, you know, we're looking at 300 controls and, you know, we can't really explain why, but we have to. And all this, the conversation around the CIS Controls made it a very real conversation, something that the management could dig into, and that part of the message, or the benefit, has not gone away, and it just strengthens, you know, with the opportunity to have even more prioritization, more simplification, so that we can, you know, explain our audit process, but again, to have these great engaged conversations with management.

Very good, thank you. Kelly, so what complementary products or content do you think CIS should develop to further support the CIS Controls?

Well, I think with the community we have going now, the opportunity to use practice aids and tools that we can share with each other. We have organizations that are small and medium-sized, we have organizations that are huge, so the ability to say, I found this great tool, I have a scorecard. Some of the things we're seeing is some renewed attention from vendors. There's a couple great GRC tools, we've got Archer, we've got ServiceNow, who are really paying attention to the controls and saying, hey, we want that in our dashboard and we want a specific dashboard to focus on these. And I also think another thing is not being afraid to share lessons learned. We have an opportunity to talk to different organizations and they'll say, you know, some of these controls are really hard, and they don't want to sound whiny, but at least to hear other organizations say, yeah, I had a hard time understanding really what was in my inventory too, you kind of feel like
you're part of a team and you're working towards something a little better.

So Chris, how can organizations integrate the controls into their organizational risk management process?

Yeah, good question. The first thing people need to do is really figure out what they mean by risk, right? And this has been something that's been sort of vexing for organizations, but what I use for risk: there are a lot of risk assessment standards and guidelines out there, and what we try to do is help people think through what is the likelihood of an impact and what could that impact be, but having a systematic way to think that through and to have a consistent way to think it through, not just to think about the impact to your organization but the impact to others. When we're working with systems and information we can hurt others, right? So we have to think about what could hurt us, what could hurt others, and do that systematically. But if we also do it in a way, what we realized is that the risk is not just about the kind of harm that can come from a system or a hacker or malware or data being leaked; there's a lot of harm that can come from regulators, a lot of harm that can come from judges and juries, a lot of harm that can come from executives. And what we mean by that is that we have to figure out: are the safeguards that we're applying provably in balance with the risk that we're trying to protect against? So that's when we talk about risk analysis; we want to be sure that people have a consistent way to think through what could happen to multiple parties, including ourselves, and our safeguards, and balance. What we liked about the CIS Controls is you start by saying, let's look at the basic and fundamental issues that are going to be really important to addressing those issues that we know to be common causes, and then further risk analysis, which we'll be able to talk about a little bit more, just gets you to figure out how to make that
fit in your organization for your particular risk.

Perfect, thank you. And Tony, this question always comes up about the CIS Controls in the context of the NIST Cybersecurity Framework, so, you know, the question for you is, can you describe how the controls help complement an organization's effort to implement the NIST Cybersecurity Framework or others?

Yeah, CIS has always been directly involved with and supportive of the development of the NIST Cybersecurity Framework, right, and it's the closest thing we have to, I'll call it, a universal language at a high level of risk, you know, in terms of the functions and categories and a consistent way to describe that problem. But it wasn't designed as an implementation framework, right? So it then points to things like the CIS Controls, like ISO, like the FISMA catalog, etc., as a way to get a handle on the specific action items that you should take. So that's a sensible way, you know, it kind of makes sense with the NIST charter, and it's a way to sort of hand off the business of prioritization and actions to something that's already developed and already common in the industry, and that was by design from the NIST Framework. So we're part of that. We map, of course; we're within the NIST documentation as one of the informative references. We map back to it, so we can tell anyone who adopts our work, you know, here's how to present yourself in terms of the NIST Framework, and lots of other frameworks do that also. But we don't speak of the CIS Controls as a framework at all; we're really more like a priority scheme or a management scheme, you know, how do I assign action items, what's the most important thing to do. As Greg noted, that is intended to be consistent with all these I mentioned earlier, and we've done surveys jointly with some companies, and many of you are living this now, right, this multi-framework era. So if we accept that, you know, everyone wants to look over your shoulder to see if
you're doing the right thing, right, let's see, yes, we could argue, well, we're the best right thing there is out there, so pay attention to us, or we can acknowledge that our adopters have to live in this world. So we're very focused on how do we make it easy for them to use our work, yet report it, you know, in like those worlds that Greg lives in, or to the legal system, you know, the way Chris talks about it, or to this framework if your management believes that that's the right way to have that conversation with key partners about risk. Then we want to help our adopters make that as easy as possible, right? So that means by agreement we have to say, then we have to be able to speak the right language, and part of our language simplification was to use consistent terms, particularly from NIST wherever possible, and to be able to present our work in those terms. So again, this whole notion of, prove to others I've done the right thing, I think it's really a driving theme for the future of this business, and, you know, we believe strongly it's CIS and NIST in peaceful coexistence, right? We're going to support our adopters, make it easy for them to do these things, and so we have an agreement with NIST, for example, in the future (this is a handshake agreement at this stage) that all of our information will be cross-referenced between each other, right? There'll be an authoritative statement between us that says, when you do this in the controls, that's what it means in this framework, this is what it means to FISMA, and back again. And that way no one has to dream this up on their own, right? There's no individual convincing an individual auditor that this is the right thing; this is what we say is the right thing. So that's kind of a statement of our philosophy relative to NIST but also these other frameworks.

Yeah, so bottom line is we really have a strong partnership with NIST, and there is a complement between what we're doing with the CIS Controls and also with the Framework, and also with 800-53 for
that. So I'm going to go ahead and ask one more question, since you guys are so brief and succinct with it. The first of these questions, I'll go to Kelly. In your opinion, what is the most common pitfall you see organizations taking when trying to implement the controls?

Well, Curt, there's a couple things we've been seeing. The first one is not making it a community-wide or company-wide effort, and a lot of times we see some very earnest, hardworking IT folks, compliance folks, who believe in the controls and they spend hours and hours putting together ideas, plans, talking to other technical people, and they don't go and talk to the executive team or they don't go and talk to other departments, and I feel kind of bad, I feel sad that they're doing all this fabulous work. And we really try and encourage people to set up a committee and get other departments involved, because, believe it or not, if an organization implements the controls there are fabulous benefits to other departments. Human Resources now has a better idea of what employees are where, what they're working on, what they're using. Probably we can clean up payroll systems, insurance systems, by sort of knowing what's in our inventory, where devices are located, where people are working for the day, especially in this sort of virtualized world we work in. And so we really encourage people to set up a committee and have a charter. You probably have a project management office in your organization, you probably have a project manager; become friends with them, they can help make life a whole lot easier. They know how to set up work breakdown structures, set up charters, set up a plan that will sort of ease into the controls, and also spread communications about the good work that's going to be happening. The other thing we've seen organizations do is, because it's a prioritized list, they start with number one and they say, well, we're not going to do anything until number one is 80% complete, or an ideal 100 percent
complete. We are encouraging organizations first of all to read through all the controls: if you're a workstation member, read the networking stuff; if you're a data classification specialist, look at the inventory information, and sort of understand the whole overview of the controls. But then get together within your departments and break up the controls. Just because it's a prioritized list doesn't mean you can't have multiple work efforts happening at the same time. We've had some customers say, boy, this is taking forever, and we said, well, why can't you give controls, you know, 15 and 16 over to your networking group, or why can't you sort of segment this off and segment that off? They're like, well, but you said it was prioritized. It is prioritized in importance, but you can have multiple priorities.

Thank you very much. Chris, so we've talked about this concept of due care and we talked about, you know, risk assessment, risk assessment methodologies; maybe put it together from not only a HALOCK perspective but also from a good partner we have, Hubble's, as well as from one's perspective.

Yeah, good. So I'll say that HALOCK has done information security work, but we're generally keeping, like a lot of practitioners do, keeping an eye on what is down the road, what do we expect will happen, positive, negative, what have you. And one of the things that we know when helping people with working with regulators is that a regulator will eventually come into an organization and will have a checklist of things to ask, and if the organization doesn't know how to answer the question the way the regulator is prepared to ask the question, then they're going to be told by the regulator what to do with their organization. Well, you know, you're a bank, so other banks are doing this, so do exactly what these other banks are doing; or you're a grocer, so do all these things that the grocers do. And that puts the organization in a really bad spot. This is part of what I meant by
saying, you know, think about the bad thing that could happen, and sometimes it's a visit from a regulator. It isn't because regulators will get you in trouble; it's that they'll tell you what to do, and they might not know exactly how you function. That's why you see risk analysis in so many standards and requirements and why it's so important to the Cybersecurity Framework. And then we've done litigation support, where a judge will, I don't know if you've been involved in situations like this, during litigation, when one party is suing another, the judge will have two experts and they sort of fight it out in front of the judge. Now the judge and the attorneys present don't know what the experts are saying; they just know that they're saying things against each other according to the role that they serve. And one of the best things you can do in a situation like that is turn to the judge and say, you know, you've got this thing that you call a duty of care balance test, or a multi-factor balance test, and it has the following factors, and then you describe what the factors are, and you know what it is? It's a risk assessment. Did they foresee the threat? Did they think about the likelihood? Did they think about the impact? Did they think about alternative safeguards? Did they think about how the safeguards were going to not just protect the system, but were the safeguards providing what they call a reasonable burden, were the safeguards more burdensome than the risk you're trying to protect against? And if you've got a systematic way to describe that, then all of us in the nerd world, it just takes the sword away from their opponent nerd, but super surprising to the judge: you've got a duty of care balance test, we do too, it's called a risk assessment, and the risk assessment looks like this, and we've been able to demonstrate due care. But the phrase due care meaning that you were able to demonstrate that the likelihood of the impact of the threat that you were foreseeing, and you were thinking
about the CIS control for inventory: there are some things I'm just not going to be able to keep track of, let's say in a cloud environment where servers come up and down and you can't keep track. What is the likelihood and the impact of a threat that I'm concerned about? Well, Your Honor, I took a look at that. Or, dear regulator ("dear regulator" works, by the way), dear regulator, I thought about the likelihood and the impact of that. I used the same criteria for that analysis that I used for every other threat. I thought about what was going to be acceptable and not acceptable to the public and to us. I looked at the way I would apply the CIS control, and I evaluated the CIS control the same way I applied my risk, and I checked to see if they were in balance, and if they're in balance I've got reasonable and appropriate. We've seen that conversation work over and over and over again in regulatory issues and in litigation. We've seen it work in the boardroom a lot, because when you're doing that you're saying, hey, by the way, board, I'm not telling you I need a lot of money because DLP is basically regular expression evaluation of packets that go through an unencrypted network. No, I said the likelihood and the impact of a data breach through our firewall is intolerably high, but the cost of the DLP is way lower than the impact we could create. Oh, okay, yeah, put that in your budget. That's a much better conversation to have, right? So we were very interested in working with CIS because, I'm sure we've all read a lot of security standards, is there anything better to read than the CIS Controls? You know what you're being advised to do; it's really understandable. And if you're going to show someone risk analysis, and we've been working with CIS to develop a risk assessment method, it has to be very specific and guideline-like, with a lot of examples, a lot of instruction, very basic, just the way we see the CIS Controls written, so that they're intelligible to the audience.
so cat out of the bag we've got C is RAM coming out soon a risk assessment method that C is is is working on it tells you exactly how you do that risk analysis using the C is controls so that if things can't exactly work the way you need them to it by applying a control to an asset you've gotta wait at least analyze the risk to determine whether it whether or not what you ending up with is safe in your opinion what do you think the importance of regularly updating the controls we're now on version 7 yeah well how do you tell what regular is you know when this when we really started to I'll call formalized or institutionalize this project I always thought of it as we're trying to walk a line here right everyone was says they're aiming for the sweet spot here's the sweet spot we're aiming for you know you can make yourself crazy by trying to keep up with a thread of the day actually the thread of the hour or the threads of the minute right you're flooded with alerts bulletins advisories IO sees and so forth and that is just overwhelming it doesn't help you you know people believe that it boy the government would just tell me what it knows I could defend myself right just bought the right threat feed I'd be okay it's just a myth you know you would overwhelm your defenders right who are already working almost non-stop to defend yourself well the other end of the spectrum you know sort of large-scale frameworks right by design they're carefully thought through every edge case is considered years to develop you know formal processes to get public comment you know kind of at the other end of the spectrum and frameworks or any of these documents range from the sort of cosmic you know do good and write me a paper that says you did good to you know buy this thing and put this thing in everything in between so we've always aimed at the sweet spot of current enough right and current in the eyes controls worth is about attacks the thing that Kurt and I share you know lifelong 
defenders who've spent our lives inside an intelligence agency and that's a great education occasionally painful education but to understand live with be part of cross train people in attack and defense and that's what drives us the way we think about the control so it's about making sense of millions and millions of data points of badness right the tax io sees and so forth at the end the day it's not about sharing all that it's about translating that into the action into action in your enterprise what are you gonna do about it I don't take millions of negative things translated to a relatively small number of positive constructive things I can do convince the boss worth doing right make a case for purchase train etc and so that's really the work of both the CIS benchmarks and the sea-ice controls it's not the sharing it's the translation right think of that it's the key verb in your life do you have enough people in your enterprise to do that on your own with the right skill with the right feed I guarantee you not except for a few exceptions in this business that's a job where look I looked at that and go you know what we share that problem why don't we share the labor to figure out what that translation ought to look like at the 8090 percent level that's really what the controls are about right and again benchmarks by extension how do we help people it's in effect we don't use the term but how do we crowdsource that activity and make that translation there so that part of it now you so you cannot do that every day and you can't do it every week and probably not every month but you can't wait four years either right so part of our exercise both with the staff at CIS and with our volunteers is you know we're close with folks like the Verizon data breach folks and the people who do the semantics annual report and the Palo Alto and all these great companies right that massive sensor networks massive amounts of data and many of them publish it right they give it to 
you every year for free I still can't get over that right why would they do that it's marketing stuff for them I'm a little government guy we think oh my gosh I'm up with a much would it cost us to do that analysis right a beautiful document with charts and so forth and published well people do that to prove that they know more about the the problem and there predator right so they're willing to give it to you for free I look at I go what can we do with that and so we approached up now all those kinds of companies not to get all their data but to look at the summary the trend the pattern of attack they're seeing the templates because as defenders right it's great to read those reports they're really interesting exciting occasionally I go oh my gosh that could have been me or maybe that was you but the reason you would spend your time as a defender to read them is to translate them in action that's the bottom line so why don't we do that as a group that's the way we think of that problem area so translating that so we have to have some currency right and we tracked this stuff very regularly and we talked to those companies fairly regularly but so the pace of update then is never been fixed right this has turned out to be two and a half years I think it is as as James mentioned you know there aren't radical changes for the last couple rounds of the controls right guess what there haven't been radical changes in the TAC methods either right there's millions of repeats of the same thing over and over again because they work there are different targets there are different objectives like ransomware denial of service you know you see these things come and go theft of intellectual property but if you look at the patterns of attack you're not seeing dramatic changes month by month even year by year all right so the key is Curt inted with this can we collectively right if we can't build perfect defense and history says we cannot then our goal is to understand the sort of 
classes of attacks the vast majority of things and as defenders make rational responsible choices that's Kurt Christian did about where can I spend my money and my scarce people time and my management attention right and I can't do with it one layer I got to it more than one but I can't do it at every layer and I do not have an infinite budget so I've got to have a rational way to make this translation from from knowledge about attacks into defenses so that is really kind of the philosophy that underlies our best practice work at CIS right so what has turned out to be you know a couple years is sort of about right some things do change in our world right the technology of business right the way businesses of use technology the demands of the business on technology the complexity of connections the instantiations like the cloud and you know and so forth have really changed a lot of the sort of underlying mechanisms and we have to keep rethinking because of that but it's not attacks themselves you know I feel like we have a pretty good handle on and we track them and that really what represents the major contribution that we have here good so perfect so to take away from that offense informs defense right and the second piece is really around a set of prioritized actions because when you when you balance often some defense typically a defense is not as well resourced as offense and so at least now we have a set of prioritize actions for that so the final question goes to Greg before we open it up to the audience and that really is around you know what key advice do you have to give to an organization embarking on implementing the controls for the first time we're good we start by thanking you for asking me the first question because typically the auditor doesn't get asked the first question in a panel so much much more comfortable answering the last question and you know I think the people sitting in this room are people that are very well well-versed and how this 
goes but you know I'd go back to to how the the original consensus thought of guidelines were developed it really gets down to getting the right people in the room and I'm not talking about you know 50 people but 6 to 10 people and literally go through the controls in a very judgmental intuitive kind of way how do we think as an organization we're doing with this and just kind of you know gather perspectives that way it will give you very quickly a heat map on where you ought to be applying emphasis so that's really how I get started perfect ok questions from the audience or from remote so yep maybe please go ahead sir there you go I my name is John hall but and I have a question about the control that pertains to fundamentally software development because we all know that if you can sell the problems in software development then all these other things kind of go away and I'm aware of some work that was done by a group called digital and garen grah developed a model called building in security maturity model and I'm wondering how that dovetails with what you're recommending with respect to control that pertains to the original model the basic model of the sea-ice controls has really been about operational practice right what things can we do in terms of technology and processes and training and so forth in our environment to manage this problem but there's still a root cause issue here right the flaws in software for example poor architectures I mean there's some more complicated sort of foundational problems that often force you to try and deal with them in the operational environment right so managing certain things could be made a lot easier if we didn't have we'd have to worry so much about zero-days and software for example so besom one things we did starting a couple versions ago my goal has been to keep the CIS control sort of tightly focused and again don't don't boil the ocean don't try to solve world hunger don't don't create a thousand item action list 
here so we made a decision a couple versions ago to say you know there are other groups particularly nonprofit groups or sort of associations that have looked at some of these problems in more detail and so for versions 6 & 7 we are doing much more work in reaching out to these other groups to point to them as opposed to try and recreate what they've done within the control so you'll see specific references do with the work of a wast the open web application security projects safe code BCM we did not put in there for a number of reasons I'll be had to talk about but there's some great work you know I know I know that some of the principles that what we are doing is actively within the control saying you know we really know software development support we're not going to solve that problem within the kind of model that we have over controls what we'll do instead is we'll talk about what we think are a few key critical important things to deal with within the controls and then point to others and when I say point to others that means we our discussions are about synchronizing the release of products may be issuing joint statements about the role of software development in this case relative to the controls about the sort of connection point between better software and the management and configuration of better you know software that we can address more directly in the controls so we're looking for those kinds of things again to try and not recreate great work that's being done by other nonprofits or other independent groups so if you have a favorite and again we're glad to discuss any of them with you we are looking for those kinds of things again that allows us to focus our community really where it needs to be but also acknowledge great work that's happening elsewhere this is really good an ecosystem problem right not about us having the best list it's about how do we help people achieve the really good intentions behind these lists hi my name is Jason I have a 
team of folks that are working in a five state area in the south doing applying CIS for a cell link for link for Telecom and one of the things that they're concerned about with v7 is mapping from v6 to v7 specifically as James have mentioned you guys are I think the phrase that was used was spirit of the control is the same so I write questions for assessments for energy companies and insurance companies that's what I do for a living one of the things that I pay a lot of attention to is a phrase called scope expanding conjunctions right so yeah so one of my principles of writing a question is it can't be a scope expand can't contain a scope expanding conjunction my question for this specifically is through that simplification process or is there an inverse to scope expanding conjunctions for your control mapping where the control might have simplified down and left something out and secondly one of the things that I look at when we look at rewriting a question in your case at control is context shifting so when you create a control and I know there's 20 but then there's the underlying 149 that are there in that simplification is there any context shifting that would have happened so not context versus non context changing of a control that would then can the spirit of the control through that simplification that would then cause us to have to go back to hundreds of assessments and remap or realign actually leave may be the best I'll tell you the the intent was one thing we did this time and Phil can speak to it we create a much better change log we call it but a mapping of what was in version 7 I mean and what the discussion was what was changed where it went what was the lead what was added I mean down to pretty pretty fine detail so that was intended and that will be part of the release of the version 7 to make it easy to move to these other things we I'm not sure I can answer the context question I will say that we what we found was we got a lot of feedback that 
said this is an interesting subcontrol but you're really asking for three different things and one that was easy when I'm hard one is impossible or you know something like that and and I'd measure one this way and another that way so the real goal was this what I gave to the group was a philosophy of one asked for some control so we attempted not to lose any meaning unless we intended to right so you'll see that I think in any change vlog item but the idea was to make that as straightforward as possible I will get four right now that is founded basically an Excel spreadsheet right so it's kind of a manual mapping to this we're looking at I'll say more exciting possibilities for the future where that is really available to you in technology so if you have like a workflow management tool where you make these assignments you'll be able to push in the changes but anything else fell from the change record if you're interested in excruciating details you can hop on workbench in the community and every single change is recorded for each sub control so in terms of the scope and me most one of the big principles when we were reeling simplifying the language is to make sure there wasn't significant changes to the scope unless it was intended and that comes with clarifying assets systems hardware devices so as part of being more consistent in our language and we've really firmed up what the scope is for the controls yeah the benefit and you know we're we're available to kind of help you know with that information that the changelog doesn't provide sufficient detail you know we're happy to kind of work through and figure out what detail do you really need for take on does a hood issue which Phil mentioned right we we run this discussion that I'd be embarrassed to tell you how primitive our previous discussions were managed in my email queue you know on the word document but the the we are now within CIS in house platform that we call workbench right which has open to people to 
join it allows us to both manage the discussion manage the creation of a document but also recreate the discussion about every point that was made if you attempted to do that email you you know you're getting messages constantly that you're over your email limit from a system so you we needed a way to be able to recreate the discussion sort of it a low-cost way so we can always go back to look at what what we said because I'm convinced by the way we don't do it this way but you know the discussions are really the fascinating part why do we say you ought to do this well because I'm aware of a particular type of attack that if I knew that this was a configuration setting in this part of the system you know this could be part of a five step process allow me to view that stuff is gold right it's hard to capture if I'm a systems engineer trying to design solutions I want every detail so that I can decide should I worry about that either here or some other place in the system so so it says it's a great question we attempted in a much better detail this time to help manage the transition we don't expect everyone to sort of overnight change by the way right lots of people have built workflow tools and so forth around that's great but we wanted to make easy for those that were going to transition good yep there was some implications and the controls before one of the big discussion points I remember us having is we talked about unauthorized an authorized machine that's a assets assets devices that whole conversation and we never really said are you aware of unauthorized devices so we we went through and things that were sort of assumed we very plainly said hey of course you're gonna look at authorized but you need to also have an inventory of unauthorized as strange as that sounds one that sticks out in my head may be a scope increase is NTP servers we upped it from two to three based on some of the stories we've been seeing on the attacks on tick and talk that that's one I 
know as a scope increase is there anything yes yes you're correct oh no that it somebody else has another idea those are the two that kind of popped up in my head okay now I'm kind of thinking of your question as well because you know we've got some some remapping or redoing wherever you want to call it you know within our own assurance frameworks that works got to be done but the hope is that we ultimately have a more concise assurance map and and maybe even less to do but we'll really focusing on one of the good stuff because I think over time some of the controls the way that they were written did introduce some some ambiguity you went on how you would measure how you would would assess it so I think we're moving in the right direction but it's still no fun to have to kind of start from zero okay how does this work in the new version with connect with fill we can have to get you involved roughly in are important in this workbench before that absolutely good maybe internet question certainly so we got one question regarding what improvements did not make it in version 7 I'm happy is that why you asked the question go ahead yeah but we weren't able to is identifying prioritization for the specific sub controls and that's something we'll be working diligently in the next few months or weeks I don't know I don't know it depends what Kirk gives us a timeline two weeks two weeks to work on and really identify you know kind of the six point one the advance of foundational or some form of prior is a scheme to help organizations really kind of set the direction for the controls and that's one thing that we're really going to work on in terms of developing and there's a lot of additional companion guides where we're looking at you haven't queue so ideas are absolutely always welcomed also if you're interested in contributing that's also things we're having made it to this point with the release of version seven we have a very long list of things that we'd like to do could 
do people have asked us to do so please jump into that will you know we're right now sort of making the roadmap for what these things will be bill I have one thing we I think we might be the only organization not talking about machine learning and AI right now okay so any other questions from on the floor seeing none any more from online really is a question when his sister am gonna be released I was gonna ask you [Laughter] so the by the way sis Ram the CIA s risk assessment method we're anticipating about two weeks or so to have a launch event a web-based launch event and the documents are prepared we're ready to go there's a nice framework document as well a sort of a workbook that all the templates and exercises you can do in the thing to get good practice we're expected about two weeks or so so keep your eye on the interwebs there will be announcements so anyone who's not the CIS mailing list I'm sure yes so key theme here is two weeks everything what we didn't want to do we didn't want to take away from the importance of the version seven launch but hopefully webinar within two weeks based off the launch of the CIS risk assessment risk assessment methodology for them so so we have another question of everyone's favorite topic mappings to the controls sorry so what are we planning or the plans for CIS or whoever helps develop the mappings to kind of support them in the future yeah oh I'm sorry Tony well well so even though it's March Madness we have been working on the mappings you know watching your brackets or a little bowl James and I have been working on the mappings for a while they are updated for controls version 7 on our audit scripts comm website the other nice thing I know we didn't really have a chance to talk about it in the the release of the controls the entity diagrams have also been updated for version 7 so if you're trying to see how different systems can help you implement the controls I have found those entity diagrams to be so incredibly 
helpful so that's another thing I'm excited about yep so yes we'll come out with a sort of a branded mapping to all these different framers again we are you know we're conscious of our role in this overall ecosystem and conscious of this problem of everyone has to deal with these different frameworks so we are fully committed to making that as easy for you as possible right now again the sort of form of that are these Excel spreadsheets you know sort of manually created mapped you know there's a lot of work behind the scenes to make these things useful any ideas you have we have had some very exciting ideas come into our inbox now for people who want to help us do that and much more automated much more powerful way so you'll see some changes in that pretty not within two weeks but okay so we're up slightly over time but we have time for one more question out of one other question so we have the big cybersecurity industry conference coming up in April RSA and I'm just wondering to what extent are the suppliers in that end in the industry fully aware of what the CIS is doing and where they fit in to this control framework that you've established you know the sea-ice controls have been embraced very broadly across the industry okay and the the sea-ice benchmarks also so there's sort of a membership model right that allows us that permits us to interact with these companies many of them have individuals who are part of our volunteer community so they decide to participate so they're part of the events the scheduling the content creation and so forth here I think you'll see you know so you can go to any number of them especially the big companies in this industry and get support for measurement against the CIS benchmark or see guys controls I'd say we're over the last year to two years we've been seeing an emergence of different types of tools really aimed at the controls and around the broader risk assessment problem Kelly mentioned the rising interest by GRC type 
vendors there are a lot of sort of standalone I'll call them risk assessment tools that have come in some of them are sort of you know based on a mix of us either survey data or technical measurements that they pull from tools that you might already own or or custom tools so there's very broad acceptance by the marketplace and this I'm not quite sure you know we're talking to all these vendors now about meetings and things that they're going to release our essay or references that they make many of them posted white papers that talked about how their product line maps to version six and I'm sure all those will be updated sometime in the next few weeks or maybe a little bit longer than that so if you state if you're on the sea-ice mailing this you whenever one thing we can do now that we could not do very well when we you know sort of prior to version six we actually have a pretty good handle on all this kind of stuff and we're writing use cases and we can adopt our cases from from folks who are willing to answer questions we survey people who download the controls we're much tighter bound to the vendors than we ever in the past so you can kind of keep up keep a handle on that just by staying in touch with CIS three or more normal means yep and I would just add to that and I think James talked to it and in his opening remarks was really was around that a measurement per control aspect of that so now we want to be able to get that and automate that that process as well and so we're we're talking with a number of security vendors on just how they do the implementation for that but Tony is absolutely right it's we've seen remarkable growth in control specific tools you know that components of tools and helping in that measurement for that so okay so I think I would like to thank the panel for your expert and very succinct answers to that and then I'm gonna have Tony come back up for some closing remarks [Applause] okay I'll keep the closing here brief as Kurt knows 
that that's not my nature so bear with me we have contact information up here for a CIS and again you're welcome to both be consumers of what we produce but also creators of what we produce you know I often tell people again there's no mystery think tank that is si is right it's we are a a mechanism to bring together the talent and goodwill that's found in abundance in across this industry here and to recognize that we have a common problem and we have to do some things together one of the most satisfying things that happens to me and this happens very regularly so Chris talked about sis ramree we're great companies in this industry are great individuals literally bump into me at a conference show up on my doorstep say we love what you're doing and we want to contribute this to the cause my gosh that is just an overwhelmingly positive thing and to me it gives us a great responsibility from C is to do right by that right to take these great ideas tools that people have content that they're creating that they're willing to give to the common good that we can then take generalize bring in other volunteers and create and sustain remember sustainment is really an important part of all this improvement in cybersecurity so we really treasure the role that CIS plays and we're very conscious of the responsibility that comes with that so thanks to all that contribute to that and again with a with an email you can be part of the inside family and contribute what you bring to the table and that's phil said you know we are we are all about bringing these ideas together creating things out of them so thanks thanks so much this has been an amazing ride as I said from a handful of friends to really a worldwide movement right a whole set of activities that cuts across the entire industry for folks like me and Curt and others of us who have prior government service in CIS this is an amazingly satisfying way to have a kind of a second act a second career right to take the knowledge 
the experience that was paid for frankly with your taxpayer dollars and translated the action for the community at large so thank you all very much for spending time with us today thank you [Applause]
Info
Channel: CIS
Views: 5,963
Rating: 4.8095236 out of 5
Id: eJ1qxgf26wk
Length: 99min 53sec (5993 seconds)
Published: Mon Mar 19 2018