Ted Ritter is a senior security analyst with TaaSera.
The harsh reality of today’s cyberwar is nine out of 10 organizations’ defenses are already compromised by malware and malicious insiders. And federal agencies cyber-incidents are increasing at a rate of 33 percent year over year.
To combat this reality, agency IT security teams are continually looking for new security products and services to get ahead of the threat. Vendors are more than happy to oblige, continually offering new products: existing product upgrades, repurposing current technologies, and completely new technologies and approaches.
This rapidly expanding solution landscape mapped against the constantly changing threat landscape is creating a “fog of more” scenario, where it’s increasingly difficult for agencies to focus on the greatest risk, the greatest threats and the most-effective means to address them.
For example, malware defense is just one critical component of every agency security architecture. It consists of a plethora of vendor products. Figuring out the best product with the right underlying technology to meet the current and future agency needs is a daunting task.
Agencies must find a way to cut through the fog and quickly project a new technology’s potential impact on the agency’s risk posture. Traditionally, this type of projection has involved extensive testing, bake-offs and simulations. Aside from the exorbitant costs, the results were only as good as the test methodology and they represented a fixed network environment and a moment in time; a moment that only represented a subset of real-world agency networks.
Evaluating New Security Product Effectiveness
Live test demos and bake-offs certainly have their place in agency procurement programs, but agencies don’t have to do this to project a potential security product or service’s effectiveness in the agency environment.
Instead, the agency can creatively use a standard set of security functional controls as their evaluation pivot point. As discussed below, this is far more cost effective than standing up a test lab and far more practical than lining up data sheets to compare -- often arbitrary -- performance characteristics. The best place to find these functional security controls is from a standards, research and educational organization such as the National Institute of Standards and Technology or SANS.
The genesis of the NIST cybersecurity framework comes from Executive Order 13636 “Improving Critical Infrastructure Cybersecurity.” The EO calls for development of a voluntary risk-based cybersecurity framework: a set of industry standards and best practices to help organizations manage cybersecurity risks.
The framework is a great starting point, but it does not provide the level of effectiveness measures necessary for our functional control evaluation pivot point. For this, we need to turn to SANS and the Council on Cyber Security.
Real-world Prescriptive Guidelines
First developed by SANS, the 20 Critical Security Controls provide a very pragmatic and practical guideline for implementing and continually improving cybersecurity best practices. The CSC-20 are real-world prescriptive guidelines for effective information security.
With the CSC-20, one can build a matrix to map both internal agency progress implementing the controls, and also to evaluate potential new security product or service effectiveness. This is only possible because of CSC-20 granularity, modularity and design for measuring continual effectiveness improvement.
As a reference point, the CSC-20 contains 20 controls made up of 184 sub controls. Essentially, the controls are already mapped out to facilitate a matrix for product or service effectiveness evaluation.
As an example, CSC-5 is the Malware Defenses control: “Control the installation, spread and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.”
The above example showed only one control from the CSC-20. Taking into account all 20 controls, federal agencies and commercial organizations can effectively evaluate almost any security product or service on the market. And they can easily connect the dots between the CSC-20 and agency directives including the NIST Cybersecurity Framework and FISMA.
Using the CSC-20 as a baseline matrix for security product effectiveness assessment cuts right through the “fog of more,” helping agencies and organizations focus on the greatest risk, the greatest threats and the most effective products and services to help mitigate them.
(Image via bluebay/ Shutterstock.com)