We recently presented the webcast "Find Your Best Fit, Solving the Cybersecurity Framework Puzzle." Tyler Reguly, senior manager of research and development at Fortra and a former professor at his alma mater, Fanshawe College, served as host. Tyler shared his advice on integrating the CIS Controls into a comprehensive cybersecurity plan for your organization.
Tyler approaches the CIS Controls from the position of someone tasked with assembling a large puzzle. The hardest part of any puzzle is knowing where to start. With any cybersecurity framework, the first step is knowing what assets are in your environment; CIS Control 1 (Inventory and Control of Enterprise Assets) exists for exactly this reason, and an asset inventory sits within the general discipline of governance. It is similar to putting all the puzzle pieces onto the table to see what is there.
Tyler emphasizes the value of the mapping between the CIS Controls and the MITRE ATT&CK framework. The two work as partners: the Controls describe the safeguards needed to secure an environment, and ATT&CK catalogs the techniques adversaries use, so the mapping shows which techniques each safeguard mitigates. Just as a puzzle takes shape with the placement of each piece, an organization becomes progressively more secure as it works through the CIS Implementation Groups (IG1 through IG3).
Like the CIS Controls, the NIST Cybersecurity Framework (CSF) is a valuable guide for securing an organization. The NIST CSF organizes security outcomes into functions and uses Implementation Tiers to characterize how rigorously an organization manages cyber risk, which gives a general starting point. The CIS Controls instead use Implementation Groups to prioritize safeguards according to an organization's size, resources and risk profile.
One of the true values of these frameworks is their versatility. Whether your organization is subject to ITSG-33 in Canada, to PCI DSS because it processes payment card data, or to NERC CIP because it operates in the energy sector, the CIS Controls give you a solid foundation for meeting those obligations. CIS also publishes Benchmarks, hardened configuration baselines, for hundreds of different types of systems.
When sorting the pieces of a puzzle, you have to consider what you have and what you don't. The CIS Controls offer a map of where you are right now and where you want to get to. As most puzzlers know, one of the best ways to start is by finding the edges. Once the edges are defined, ask what tools you need to fill in the middle: What products are you missing? Which vendors can help? Fortra's Tripwire Enterprise can help with that. The ATT&CK Navigator is also a reliable tool for finding your edges: it lets you visualize which techniques your existing controls cover and where that coverage stops.
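One way to find those edges in practice is to express safeguard coverage as an ATT&CK Navigator layer and list the techniques from your threat model that no implemented safeguard touches. The following is an added example, not code from the webcast or from Tripwire. The safeguard-to-technique pairings in it are constructed for illustration and are not the official CIS Controls to ATT&CK mapping; the technique IDs are real ATT&CK Enterprise IDs, and the Navigator version strings are assumed and may need adjusting for your Navigator release.

```python
"""Build an ATT&CK Navigator layer showing which techniques the implemented
safeguards cover, and list the threat-model techniques left uncovered.

Added example (not from the webcast or Tripwire). The mapping below is
constructed and hypothetical; replace it with the real CIS/ATT&CK mapping.
"""
import json

# Constructed, illustrative mapping: safeguard -> ATT&CK techniques it mitigates.
# Technique IDs are real ATT&CK Enterprise IDs; the pairings are hypothetical.
SAFEGUARD_TO_TECHNIQUES = {
    "1.1 Asset inventory": ["T1200"],                 # Hardware Additions
    "4.1 Secure configuration": ["T1021", "T1078"],   # Remote Services, Valid Accounts
    "5.2 Unique passwords": ["T1110", "T1078"],       # Brute Force, Valid Accounts
    "7.4 Automated patching": ["T1190"],              # Exploit Public-Facing App
    "9.2 DNS filtering": ["T1071.004", "T1566"],      # DNS C2, Phishing
}

# Constructed threat model: techniques you must cover (e.g. from a ransomware
# intrusion report). These define the "edges" you are looking for.
THREAT_TECHNIQUES = ["T1566", "T1059", "T1078", "T1486", "T1190", "T1021", "T1003"]


def coverage(mapping, implemented):
    """Return {technique_id: [safeguards]} for the safeguards actually in place."""
    covered = {}
    for safeguard in implemented:
        for tid in mapping.get(safeguard, []):
            covered.setdefault(tid, []).append(safeguard)
    return covered


def gaps(threat_techniques, covered):
    """Threat-model techniques that no implemented safeguard mitigates."""
    return sorted(t for t in threat_techniques if t not in covered)


def build_layer(name, covered, threat_techniques):
    """Navigator layer dict: covered techniques green, uncovered threats red.
    The 'versions' values are assumed; check them against your Navigator build."""
    techniques = []
    for tid in sorted(set(covered) | set(threat_techniques)):
        if tid in covered:
            techniques.append({"techniqueID": tid, "score": len(covered[tid]),
                               "color": "#8ec843",
                               "comment": "; ".join(covered[tid])})
        else:
            techniques.append({"techniqueID": tid, "score": 0,
                               "color": "#ff6666", "comment": "GAP"})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Implemented safeguard coverage vs. threat-model techniques",
        "techniques": techniques,
    }


def layer_json(name, implemented, mapping=SAFEGUARD_TO_TECHNIQUES,
               threat_techniques=THREAT_TECHNIQUES):
    """Convenience wrapper returning the JSON text to load into Navigator."""
    return json.dumps(build_layer(name, coverage(mapping, implemented),
                                  threat_techniques), indent=2)


if __name__ == "__main__":
    implemented = ["1.1 Asset inventory", "4.1 Secure configuration",
                   "7.4 Automated patching"]
    covered = coverage(SAFEGUARD_TO_TECHNIQUES, implemented)
    print("Uncovered threat techniques:", gaps(THREAT_TECHNIQUES, covered))
    print(layer_json("IG1 coverage", implemented))
```

Load the printed JSON into Navigator via "Open Existing Layer" and the red cells are your edges; the score on a green cell counts how many safeguards back it, which also shows where coverage is thin.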
Once the edges are in place, the next step is to find the gaps and fill them in, one at a time. For your organization, that gap analysis builds the big picture: your roadmap. The goals for closing each gap must be achievable and sustainable. Review the roadmap and ask whether anything has been left out. It should not be a three- or six-month projection; it should be a full three- to five-year plan for how you are going to reach the point of a secured environment.
One of the most important aspects of maintaining a solid security posture is preventing drift. Ideally you examine the environment, secure it and manage the gaps, but unlike a physical puzzle, the organization does not sit still while this is happening. Changes in the business introduce configuration drift, and it must be addressed continually by re-assessing systems against the baseline you established, rather than assuming the state you secured is the state that persists.
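The core of what a configuration-assessment or file-integrity tool does is exactly that re-assessment: record a baseline of each configuration file's content digest and permission bits, then compare the current state against it and report what was added, removed or modified. The following is an added example, not Tripwire Enterprise code and not from the webcast. The sample baseline and current states are constructed in memory so it runs offline; the `snapshot_dir` function does the same fingerprinting against a real directory tree.

```python
"""Detect configuration drift by comparing a stored baseline of file digests and
permission bits against the current state.

Added example (not Tripwire code, not from the webcast). Sample inputs are
constructed in memory; snapshot_dir() applies the same logic to a real tree.
"""
import hashlib
import os


def fingerprint(data: bytes, mode: int) -> dict:
    """Content digest plus permission bits (the two things drift usually changes)."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "mode": oct(mode & 0o7777)}


def snapshot_dir(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(path, root)] = fingerprint(data, os.stat(path).st_mode)
    return snap


def snapshot_from_contents(contents: dict) -> dict:
    """Same shape as snapshot_dir(), built from {relpath: (bytes, mode)} (for demos/tests)."""
    return {path: fingerprint(data, mode) for path, (data, mode) in contents.items()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report added/removed paths and, for common paths, which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "mode") if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def has_drift(report: dict) -> bool:
    return bool(report["added"] or report["removed"] or report["modified"])


# Constructed sample: the hardened baseline captured after the initial work...
BASELINE_CONTENTS = {
    "etc/ssh/sshd_config": (b"PermitRootLogin no\nPasswordAuthentication no\n", 0o100600),
    "etc/sudoers.d/ops": (b"%ops ALL=(ALL) ALL\n", 0o100440),
    "etc/audit/auditd.conf": (b"max_log_file_action = rotate\n", 0o100640),
}
# ...and the constructed current state after some "business changes":
CURRENT_CONTENTS = {
    "etc/ssh/sshd_config": (b"PermitRootLogin yes\nPasswordAuthentication no\n", 0o100600),  # setting reverted
    "etc/sudoers.d/ops": (b"%ops ALL=(ALL) ALL\n", 0o100666),                               # perms loosened
    "etc/cron.d/backup": (b"0 2 * * * root /opt/backup.sh\n", 0o100644),                     # new file
    # etc/audit/auditd.conf has been deleted
}


def demo_report() -> dict:
    """Drift between the constructed baseline and current state."""
    return diff_snapshots(snapshot_from_contents(BASELINE_CONTENTS),
                          snapshot_from_contents(CURRENT_CONTENTS))


if __name__ == "__main__":
    report = demo_report()
    print("drift detected:", has_drift(report))
    for kind in ("added", "removed"):
        for path in report[kind]:
            print(f"  {kind:8} {path}")
    for path, attrs in report["modified"].items():
        print(f"  modified {path} ({', '.join(attrs)})")
```

In real use the baseline would be stored outside the monitored host (an attacker who can edit sshd_config can also edit a local baseline), the comparison scheduled, and every reported change either approved as intentional and folded into a new baseline, or reverted. Content digest plus mode catches the two cases shown here: a hardened setting silently reverted, and permissions loosened without the content changing.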
As regulations become more attuned to the practical implementations of cybersecurity and as attacks against organizations become more widespread, it is imperative that organizations put together the cybersecurity puzzle using the best tools available.
The full webinar, "Solving the Cybersecurity Framework Puzzle," is available on demand from Tripwire.