I’ll be honest – my first reaction when I heard about the SANS Consensus Audit Guidelines (CAG) was that our industry didn’t really need yet another framework or standard. But when I read them, I realized this was put together by experienced security professionals who, all too often, had broken into the same customer’s systems on multiple penetration tests, or had performed incident response for the same customer a third or fourth time.
The SANS organization has since rebranded the “CAG” as the Critical Security Controls (CSC) and is supporting the creation of CSC working groups and events. They’ve recruited Tony Sager to run these working groups. Tony recently retired from the NSA and is someone I consider to be the father of the US government’s efforts to standardize best practices for security automation testing. They’ve also recruited John Pescatore, a former senior Gartner analyst who covered the vulnerability management and security information management spaces. Tony and John bring very deep enterprise industry expertise that allows them to craft a message that resonates with the CIOs and CSOs at both government agencies and Fortune 2000 companies.
SANS recently released the results of a CSC survey (*) of CIOs, system administrators, and compliance auditors. It indicates not only that awareness of the CSC is very high, but also that many organizations are actively implementing all or part of the controls. Highlights of the survey include:
- The majority of respondents (73%) are aware of the CSC and are planning to adopt them, while 15% are aware of the CSC and only 12% had not heard of the CSC before
- The respondents’ primary driver for adoption is to reduce incidents due to advanced threats
- Operational silos within IT security and between IT and other business departments are still the biggest impediment to implementing repeatable processes based on the CSC
- Only 10% feel they’ve done a complete job of implementing the CSC
The CSCs are effective because they start with very basic audits whose combined effect is to dramatically increase real visibility into risk so that it can be mitigated. There are 20 different controls, ranging from maintaining an inventory of network assets to ensuring that your systems are appropriately penetration tested.
Tenable is a strong supporter of the CSC program and feels there are many benefits that can help organizations improve their security posture. Our scanning, network monitoring, malware, and logging solutions help our customers implement the CSCs on a continuous basis and help them track improvement.
We’ve extensively documented how our solutions help organizations with a variety of content you can read or watch:
- SANS CSC Webinar – Jack Daniel and I discussed how Tenable’s scanning, sniffing, and logging solutions help with all 20 CSC controls.
- SANS CSC Whitepaper – This very detailed paper discusses each of the 20 CSC controls and how, specifically, Tenable’s scanning, configuration auditing, sniffing, logging, malware, botnet, and other technologies can be used to monitor the controls.
- SANS CSC Dashboard – Tenable’s Research team spent considerable time creating a dashboard that covers the vast majority of the controls. Many of our customers who perform scanning, log analysis, and sniffing simply dropped this into their SecurityCenter and were able to see how well they were doing.
The SANS CSC also influenced the design of Tenable’s SecurityCenter Continuous View solution. This solution allows organizations of any size to use a single vendor to audit their existing security and network infrastructure against the 20 controls. It includes unlimited scanners and sniffers, and enough log storage to perform real-time forensics, boundary monitoring, and log analysis.
If you have not read the SANS CSC yet, I encourage you to do so and provide feedback to them. I’ve found that the CSCs can help Information Security Managers not only justify budget and resources for security programs, but also remove barriers between organizations. If you are implementing the CSC inside your organization and can share your story, I encourage you to do so. SANS has a wide variety of formats through which they can help you tell your story so others can learn from it and stay secure.
(*) Tenable sponsored the survey along with IBM, Symantec, and FireEye.