What is your organization’s approach to security events? For many organizations, each security alarm is treated with the same urgency as a fire. While a sense of urgency is good, the ensuing panic that occurs is not a recipe for longevity. The constant shifting of attention from one emergency to the next is fatiguing; it can often lead to mistakes that compound an event.
The “all hands on deck” approach is similar to an ineffective method of weeding a garden. If you have a team of gardeners who are dedicated to pulling up sprouting weeds, they will forever be chasing weed sprouts rather than attacking the main root, known as the taproot. Fortunately, there is a better way to handle security.
Attacking the taproot is not only more effective but also more cost effective. That sounds good, but it does not by itself describe a reliable approach to IT security; it has somewhat of a “boil the ocean” ring to it. What is needed is a more measured approach to a security program. In the accounting profession, personnel rely on a methodology known as Generally Accepted Accounting Principles (or GAAP). One of the purposes of GAAP is to protect an accounting organization from liability if something goes wrong. That is, an organization is less likely to be sued for negligence if it can be shown that the industry-recognized best practices were being followed.
But we do have the CIS Controls
Unfortunately, there isn't really a generally accepted set of IT security principles. How can organizations protect against lawsuits in the event of a security breach? One method that has advanced and matured over the years is to use the controls that are offered through the Center for Internet Security (collectively known as the CIS Controls).
Formerly a list of 20 controls, the newest CIS version has been reduced to 18 controls. This is deceptively attractive, as it has been a long-standing joke in the security community that achieving the controls is a life-long pursuit. However, it is one worth pursuing.
Why is the attainment of the CIS Controls goal so difficult? One of the main reasons is that from the very first control, an organization must take aim at nailing down a seemingly moving target: asset inventory. It is suggested that the Controls be fulfilled in the order that they are presented in the document, as they progress in a very logical way. If successful, the result is a comprehensive security strategy. However, considering that everything changes, not only from an attacker’s approach but also from the perspective of an organization's assets, is this ever attainable?
Where does Tripwire fit in?
Tools such as Tripwire Enterprise can help an organization to confront areas such as configuration and change management. Along with that, Tripwire Log Center meets the specifications for Audit Log management.
A major hurdle is to address all of the vulnerabilities in all of the discovered assets. It should be noted that vulnerability management falls almost midway on the control list, but the comparative lack of resources when tackling vulnerabilities makes this control one of the most daunting. Some of the tools to manage vulnerabilities do it in a manner that may not relieve the resource burden in the best way. This is where a tool such as Tripwire IP360 can make more sense by correctly setting priorities. Tripwire IP360 shows the riskiest vulnerabilities, for example, by displaying the machines that represent the greatest aggregate risk in an environment. The difference between Tripwire IP360 and other vulnerability scanners is that IP360 looks at how hard it is to actually exploit a vulnerability. Some vulnerabilities have no known exploits, for instance, while others are freely exploitable by anyone, regardless of programming knowledge, simply by downloading a tool from the internet.
The Tripwire IP360 algorithm uses a risk rating that distinguishes between a vulnerability that is not actively exploited such as “zero-day” threats and those that need to be immediately remediated. While both are important, the two extremes must be treated and prioritized differently. The heat map also analyses the severity of an exploit, meaning that it can examine if a compromise would be limited to a local event or an escalated compromise.
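The prioritization idea in the two paragraphs above, as an added example that is not Tripwire's code and does not reproduce the IP360 risk algorithm: each finding's base severity is scaled by how easily it can be exploited and how far a compromise would spread, and the results are aggregated per machine. The weights, the 0-10 severity scale and the sample findings are constructed for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical exploitability weights (constructed; not IP360's scale):
# "none" = no known exploit, "poc" = proof of concept exists,
# "tool" = a ready-made tool is freely available to anyone.
EXPLOIT_WEIGHT = {"none": 1.0, "poc": 2.5, "tool": 5.0}
# Hypothetical scope weights: would a compromise stay local to the host
# or escalate into a wider compromise?
SCOPE_WEIGHT = {"local": 1.0, "escalated": 2.0}


@dataclass(frozen=True)
class Vuln:
    host: str
    name: str
    severity: float  # base severity on a 0-10 scale (constructed)
    exploit: str     # key into EXPLOIT_WEIGHT
    scope: str       # key into SCOPE_WEIGHT


def vuln_risk(v: Vuln) -> float:
    """Risk of one finding: severity scaled by exploitability and blast radius."""
    return v.severity * EXPLOIT_WEIGHT[v.exploit] * SCOPE_WEIGHT[v.scope]


def rank_hosts(vulns):
    """Aggregate risk per host, riskiest machine first."""
    totals = defaultdict(float)
    for v in vulns:
        totals[v.host] += vuln_risk(v)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def remediation_order(vulns):
    """Individual findings ordered by risk, so the team fixes the taproot first."""
    return sorted(vulns, key=vuln_risk, reverse=True)


# Constructed sample findings. Note the 9.8-severity item with no known
# exploit ranks below a 7.5 that anyone can exploit with a downloaded tool.
SAMPLE = [
    Vuln("web-01", "outdated TLS library", 9.8, "none", "local"),
    Vuln("web-01", "public RCE with packaged tool", 7.5, "tool", "escalated"),
    Vuln("db-02", "weak default credential", 8.0, "tool", "local"),
    Vuln("hr-lap-07", "browser PoC exploit", 6.0, "poc", "local"),
    Vuln("hr-lap-07", "informational, no known exploit", 3.0, "none", "local"),
]

if __name__ == "__main__":
    for host, score in rank_hosts(SAMPLE):
        print(f"{host:10s} aggregate risk {score:6.1f}")
```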
The fundamental Tripwire goal is to help an organization target that taproot, not constantly pull out the weed sprouts as they spread throughout the yard. According to the IT Process Institute, foundational controls can help a company detect or avoid the huge majority of all security breaches. The CIS Controls were not designed with a particular vertical in mind. The authors were looking at IT security and how to best succeed in the most cost-effective and actionable way. Whether the Controls are used in a bank or a utility company (each has its own separate compliance requirements and audits), if an industry best practice is followed, compliance is much more likely to emerge as a result. IT security can be seen as a super-set of the specific requirements found in compliance initiatives.
Using “best practices” in this way is similar to an organization’s legal standard of care for all of its business practices and transactions. Evidence that a general security principle or a recognized set of controls is followed is how a company can avoid being sued for negligence. In the case of the CIS Controls used in tandem with Tripwire products, it also has the benefit of creating a manageable security environment.
To learn more about how Tripwire can help, download “The Executive’s Guide to the CIS Controls” today: https://www.tripwire.com/misc/executives-guide-cis-controls-register.