Rethink Cyber: (NCSF+CSC)xCKC™ = BFD

It is time to rethink the way we go about protecting our assets and building our cybersecurity practices. As I wrote in a previous post, I find the Pareto principle applies to cyber defense: 20% of the controls can block 80% of the threats. Similarly, according to the Center for Internet Security, implementing the first five Critical Security Controls (CSC) can reduce the risk of attack by 85%.

As discussed below, the same logic applies on the threat side of the equation: focusing on the seven steps of the Lockheed Martin Cyber Kill Chain™ – versus trying to model every possible attack – addresses the majority of threats. Sure, the CKC™ is a malware-centric model, and as I have written previously, attacks are not linear, but I believe it is the most straightforward roadmap we have to address threats.

Like Peanut Butter and Banana

Mapping the CIS Critical Security Controls (CSC) against the CKC™generates a relatively short list of actions that (when taken) dramatically reduce risk. Of course, implementing controls in a governance/risk management vacuum is a short-sighted and short-lived approach. The good news is both the CIS controls and the CKC™ directly align with the NIST Cybersecurity Framework. Moreover, it dovetails exceptionally well with the NIST Cybersecurity Framework Controls Factory Model (NCSF-CFM)™, developed by UMass Lowell and itSM Solutions. Figure 1 shows the 20 Critical Security Controls and the CKC™. I have color-coded the CIS controls to map to the NIST CSF Core functions. In the next posts, I will map specific CIS controls to each CKC™ phase.

Figure 1 – Laying Out NIST CSF Core with CKC and CIS CSC

The Four Horsemen of the CKC™ Blockalypse

To start, all organizations should implement the first five CIS controls. However, my goal with this series of posts is distilling the direct relationship between the CKC™ phases and the individual CIS controls. With this in mind (as grouped in Figure 1), CSC1, CSC2, CSC3, and CSC6 are four controls directly relevant to almost every CKC™ phase. My rationale is as follows:

  • Organizations must not go past “Go” without doing CSC1- Inventory of authorized and unauthorized hardware and CSC2-Inventory of authorized and unauthorized software. These two are the foundation on which the others build since we can only protect what we know.
  • Likewise, CSC3 – Secure Configuration of Hardware and Software is a mandatory control, addressed in more detail in relevant sections of the CKC™ discussion.
  • CSC6 – Maintenance, Monitoring of Audit Logs is also mandatory across the CKC™ phases because the majority of artifacts and traces lay in the logs.

Yes, CSC4 – Continuous Vulnerability Assessment and Remediation and CSC-5 – Controlled Use of Administrator Privileges are critical controls that all organizations must implement and I discuss these at specific phases of the CKC™. However, I believe the above four are foundational to blocking the CKC™.

And, Away We Go!

This post is the first in a series of nine posts, aligning the CIS 20 Critical Security Controls (CSC) to the seven CKC™ phases. To make this as actionable and succinct as possible, I have done my best to distill best practices at each step while adding my own insights. Much of this analysis is based on a report from NTT/Dimension Data, but I also draw from excellent work done by multiple organizations, including the Australian Government’s Cyber Security Centre, CIS, Lockheed Martin, NIST, Optiv, SANS, Trend Micro, and Verizon.

With constructive feedback, I believe this series of posts may become an outline any organization may use to efficiently and effectively reduce its risk while following an 80/20 approach.

I welcome your comments. Next up is phase 1: Reconnaissance.