Managed Services

How (and why) you should implement CIS Critical Security Controls as an MSP

As your clients’ trusted technology advisor, it’s critical for managed service providers (MSPs) to keep up with the latest standards in cybersecurity and help protect clients’ assets from threats. To achieve robust cybersecurity defenses, MSPs can leverage the CIS Critical Security Controls (CIS Controls). Read on to learn more about the framework’s key controls, its importance for MSPs, and the implementation process.

What are the CIS Critical Security Controls?

The CIS Critical Security Controls provide a framework with simplified best practices designed to enhance an organization’s cybersecurity defenses. They help organizations simplify their approach to cybersecurity, comply with industry regulations such as HIPAA and GDPR, achieve essential cyber hygiene, act upon security threats, and abide by the law by demonstrating a reasonable level of cybersecurity.

Why we recommend the CIS Controls

Pax8 has made a strategic decision to partner with CIS for a couple of reasons:

  • Community: Through our partnership, CIS is getting deeply involved with the MSP community, and we are able to work hand-in-hand with them to bring sensible cyber controls to the channel.
  • Prescriptiveness: The CIS Controls are highly prescriptive (“do this to achieve that.”). This makes it easy for MSPs and, more importantly, their customers to understand the “what” and “why” of applying a framework.

The 18 CIS Controls

The CIS Controls consists of 18 controls, which are as follows.

1. CIS Control 1: Inventory and Control of Enterprise Assets

The first CIS Control focuses on actively managing all enterprise assets to gain an accurate understanding of them, enabling active monitoring and protection. Asset management encompasses inventorying, tracking, and correcting various assets such as end-user devices, network devices, Internet of Things (IoT) devices, servers, and all assets connected to the enterprise’s infrastructure, regardless of their virtual, physical, cloud, or remote nature.

This first control is the most critical, and you’ll often hear us call this the concept of “knowing thyself.” Put simply, you cannot secure assets you are unaware of; there are stories of catastrophic incidents being traced back to an unmanaged, non-approved asset having had access to corporate data.

2. CIS Control 2: Inventory and Control of Software Assets

This control emphasizes the importance of protecting software assets by updating and patching vulnerable software. A comprehensive inventory of software assets is crucial for successful implementation and preventing unauthorized software installation and execution.

Similar to the first control, the second control is all about taking stock of the client’s current security state. Care should be taken when allowing code to operate on their endpoints, and there needs to be an understanding of which applications serve a true business function. Vulnerable, unknown applications have led to serious consequences in the past.

3. CIS Control 3: Data Protection

The third control calls for a robust data management plan, including understanding what data the enterprise handles, who should access it, where it is stored, when it should be deleted, and why it needs protection. Implementing this control helps prevent sensitive information extraction during a breach.

Understanding your client’s data allows you to understand the risk to it and also often creates opportunities for trimming the data you collect and store. Much unnecessary risk is created simply by nature of not managing the data you take in.

4. CIS Control 4: Secure Configuration of Enterprise Assets and Software

Rather than use default pre-configurations for hardware and software, this control recommends configuring enterprise assets and software to adhere to your own security policy. Unfortunately, you can’t assume security is baked into every asset and piece of software your client uses. Taking extra care with configuration is essential to maintaining a defensible posture and ensuring both you and your clients are doing everything possible to reduce security risks.

5. CIS Control 5: Account Management

The fifth control emphasizes complete visibility of user accounts in the enterprise environment, including understanding who owns credentials, how they are assigned, and how they are used. The fifth control serves as a guidepost for mature identity and access management (IAM) and authentication assurance levels (AAL). Understanding and documenting the process of onboarding, change managing, offboarding, and securing your identities builds a critical foundation for success in cybersecurity.

6. CIS Control 6: Access Control Management

This control focuses on granting users the lowest level of access required for their role, following the principle of least privilege. It involves establishing processes for creating and revoking access, implementing multifactor authentication, and centralizing access control. Failure at this control can significantly increase the impact of an incident, as privilege creep can easily set in. This can lead to a single user compromise having far more drastic consequences if that user’s privileges aren’t properly managed.

7. CIS Control 7: Continuous Vulnerability Management

Vulnerability management is sometimes confused with software patching and is often missing in the SMB sector, but it’s important for organizations of all sizes. Put simply, a vulnerability management program involves identifying what known vulnerabilities an organization is exposed to and having a plan to remediate them. While implementing this control often includes patching, it may include other remedial actions. Improper vulnerability management comes with drastic consequences, as has recently happened with a security vulnerability in the file transfer tool MOVEit Transfer, which affected several government agencies.

8. CIS Control 8: Audit Log Management

This control encourages regular audit log reviews to identify activity baselines and detect abnormal system activity. At a high level, you need to create a central collection point for audit log data and create a procedure for regularly reviewing this data for abnormalities.

9. CIS Control 9: Email and Web Browser Protections

This control focuses on protecting web browsers and increasing email security to prevent social engineering attacks. This control attacks the concept of reducing the likelihood of successful compromise through email and web-borne threats through the application and management of DNS filtering and email security technology.

10. CIS Control 10: Malware Defenses

This is arguably the most over-introduced control in the space. As an industry, we often focus on the shiniest endpoint tool, to the detriment of other security domains (such as identity). Nonetheless, Control 10 is critical and calls for the implementation, standardization, and management of anti-malware and endpoint protection technologies.

11. CIS Control 11: Data Recovery

Whether it’s catastrophic ransomware or an innocent user mistake, data recoverability is one of the biggest key points of cybersecurity. Control 11 calls for the implementation and documentation of data recovery strategies with defined recovery point and time objectives. Furthermore, you should implement regular testing of backup data for integrity.

12. CIS Control 12: Network Infrastructure Management

This control focuses on securing the network infrastructure by updating it, securing the network architecture, and centralizing network authentication. It recommends utilizing VPN for remote devices and connecting them to the enterprise authentication system. In our ongoing collaboration with CIS, the Cloud Security Alliance, and our community, we look forward to integrating new and innovative concepts into this control.

13. CIS Control 13: Network Monitoring and Defense

Understanding what happens on your network has long been a challenge, but one that must be tackled. Implementing this control helps you set a baseline for network normalcy and isolate anomalies on your network so you can react to them. Intrusion detection systems (IDS), intrusion prevention systems (IPS), traffic management, segmentation, and audit logging all play vital roles towards this control.

14. CIS Control 14: Security Awareness and Skills Training

For this control, it’s important to establish security awareness programs to address human vulnerability. It recommends creating a comprehensive security awareness program and training employees to recognize social engineering attacks, handle data securely, and understand security best practices.

15. CIS Control 15: Service Provider Management

The key here is auditing and managing external partners with access to IT platforms or sensitive enterprise data. It recommends creating an inventory of service providers, developing a management policy, including security requirements in contracts, and regularly assessing and monitoring service providers.

16. CIS Control 16: Application Software Security

The 16th CIS Control offers recommendations for securing critical applications, including establishing a secure development process, inventorying third-party software components, performing root cause analysis for vulnerabilities, implementing code-level security checks, and providing training for secure coding and application security. This control is particularly valuable for in-house developed and hosted software, and the CIS suggests integrating additional frameworks like NIST SP 800-218 for comprehensive guidance on secure development processes.

17. CIS Control 17: Incident Response Management

It’s nearly certain that you will experience (or already have experienced) a significant security incident in your career. Proper incident response planning is key to survivability of any incident, and Control 17 generously tackles the need to have a proper incident response plan with the right players in the right seats.

18. CIS Control 18: Penetration Testing

The final control aims to identify vulnerabilities in enterprise networks to confirm the adequacy of defenses, identify and fix security gaps before exploitation, and use test results to advocate for improved security. The control recommends creating a testing program, conducting external and internal tests, and remediating vulnerabilities.

The implementation groups

Within these 18 controls are also 153 safeguards that are classified into three implementation groups (IG1, IG2, and IG3). Implementation of the CIS Controls should start with IG1, which comprises “essential cyber hygiene” to protect against common attacks. IG2 and IG3 follow sequentially, building upon the foundations set by IG1. Thus, each of the 18 controls isn’t meant to be implemented at once but rather in parts as set out by the three implementation groups.

Why the CIS Controls are important

The name of the game in today’s cyber world is defensibility. From our perspective, the legal landscape of cybersecurity (for now) falls on the “reasonable person” rule. This rule states that the liability is set by determining the reasonableness of one’s actions and decisions in pursuing the mission. Using a third-party security framework to govern your strategy doesn’t mean you’re trying to be the smartest person in the room. Instead, applying the industry norms that come from this framework allows you to leverage the collective thought power of the cyber community and build a layer of defensibility.

Implementing a framework like CIS takes the burden out of creating a true cybersecurity program and isn’t just another bag of tools. A properly implemented program helps you cover key security aspects in today’s cyber world, such as:

  • Achieving high standards of hygiene
  • Gaining an understanding of your attack surface
  • Undertaking proactive, thought-out remediation
  • Having resiliency in the inevitable event of an incident or breach

“Your job isn’t to protect your clients’ networks, it’s to be defensible in how you choose to do so.”
—Matt Lee, CISSP, CCSP, CFR, PNPT, Senior Director of Security and Compliance at Pax8

Implementing the CIS Controls intelligently

As an MSP or SMB, you can’t possibly implement a security framework overnight. Our advice? Start where you are. Take an inventory of your current cyber posture and build a plan of action and milestones (POAM). Your POAM serves as a list of challenges to solve and lays out a plan to solve them. In addition, and most importantly, it’s a tool you will use to document your progress towards cyber resiliency.

Complementary frameworks and considerations

While the CIS Controls provide a comprehensive and practical approach to cybersecurity, MSPs may also consider other guidelines, such as the NIST Cybersecurity Framework (created by the government agency the National Institute of Standards and Technology) to complement their cybersecurity efforts. In addition, certain industries will require adherence to certain frameworks. For example, the Defense Industrial Base in the US is moving towards CMMC, Level 2 of which requires adherence and alignment to NIST SP 800-171.

It’s also worth noting that CIS can be mapped to other various controls such as NIST CSF.

Getting started with the CIS Controls

Interested in implementing the CIS Controls for your organization and for your clients? Get started by taking the Pax8 Academy course on Applying CIS Controls, in which we will walk you through the CIS controls one by one.

In addition, be sure to look at the CIS Cloud Companion Guide, which is purpose-built to help you understand how the controls apply in different cloud adoption models.

Guest blog courtesy of Pax8.