We recently noted an important anniversary at the Center for Internet Security (CIS). It's one that escaped the attention of most of the industry, but I wanted to share a little history and put it into context. We just celebrated 10 years of partnership with the team that produces the Verizon Data Breach Investigations Report. The output of that partnership is the direct involvement of the CIS Controls in the recommendations of the DBIR. I treasure the partnership with the Verizon Team - this connection helped put the CIS Controls "on the map" ten years ago, and it's a great example of partnership and how we can move from bumper stickers like "collaborate" to "creation" of unique content. And they are just great folks to work with.
After I retired from the National Security Agency in 2012, I went from government “insider” – a lifelong cyber defender working inside of an intelligence agency with lots of access to sensitive information about nation-state attacks – to someone developing security recommendations based on publicly available information. I found this to be a constructive and exciting challenge. I had been thinking for years about how to base security guidance more directly on real-life data about attacks, and retirement turned this from a thought-piece to a real-life problem.
In my second career, I took over what eventually became known as the CIS Critical Security Controls. This started as a simple 2-page list of recommendations from my team at NSA, roughly: “Based on our experience testing technology and systems, if you don’t know where to start in cyber defense, start here.” Alan Paller (the founder of SANS) turned the simple idea into an industry-wide volunteer project, originally known as the Consensus Audit Guidelines, later known as the Critical Security Controls for Effective Cyber Defense (“the Controls”).
Thanks to great people like Ed Skoudis, Eric Cole, and numerous other volunteers, it stayed true to the original purpose. Don’t try to solve the entire cyber problem in one bite. That overwhelms and paralyzes people. Instead, stay focused on attacks that are observed in real life, attacks that matter. Alan’s operating principle: if you make a recommendation for the list, you must point to a real-life attack that would have been thwarted by the recommendation. Otherwise, it’s just a nice conservative thing to do, and don’t include it. At some point, early versions of the CAG/Controls started featuring an Appendix with a standard list of attacks that were used to develop the recommendations.
Just a few years earlier, the Verizon Data Breach Investigations Report started to get a lot of notice. It was an excellent compilation and analysis of attacks that occurred during the preceding year. The input came from many sources and varied in type, detail, and quality. This was not some “Holy Cyber Grail”, but a straightforward and valuable attempt to use available data. The analysis itself was very good and was also very readable. But the real impact I noticed was that it changed the conversation about attacks.
I started to see it on the coffee table in waiting rooms and front offices, a signal that executives had access to readable summaries of the problem. (OK, maybe the binding was rarely cracked on those coffee table specimens.) And at least a couple of CISOs approached me with a story like this: “my boss handed me a copy of the DBIR and told me to read this thing and fix what it talks about.” That might have been weak strategic guidance, but it was an indicator of a psychological change in perception and a possible motivator for action. As I often say, no one wants to be the lonely antelope at the edge of the cyber herd.
And I also noticed that the recommendations at the end of the report were...OK. Standard stuff. That’s not meant as criticism – the summarization and analysis of attacks was excellent - but it was an opportunity for improvement of the recommendations through partnership.
I don't recall how the original connection was made between the Controls and the Verizon team, but I think it started with Marcus Sachs, who was then an executive at Verizon, and was an old friend and colleague from his government days and various volunteer projects through Alan Paller. Marcus connected me with Wade Baker, Chris Novak, and others (I’m sorry that I don’t have all the names!). We discussed many ideas, and it came down to sharing data using the Universal Cyber Defense Tool - Excel spreadsheets. The Verizon team did their first pass analysis and draft report, and over telephone conferences we mapped from their initial conclusions into the Controls (at the top level). The primary (and essential) volunteer contributor on the Controls end was James Tarala (Enclave Security).
The result? The Conclusions and Recommendations of the 2013 DBIR were based on the Controls. At that point, the Controls were homed in an “organization” known as the Consortium for Cybersecurity Action, which consisted of me and anyone that was willing to help. Yes, I still have a paper copy. No, I wasn’t clever enough to get everyone to autograph it.
That first attempt didn’t exactly re-vector the industry, but it got lots of attention, and opened many doors. For all of that, I am appreciative and thankful for the openness and partnership from the Verizon team. And so here we are, ten years later. We’ve gone from a simple high-level mapping to much more detailed and mature content.
For the Geek-Curious, I want to put this work into a broader context. If you really love details, I'll write a longer piece someday soon. But here's a start.
Shortly after that first exercise with Verizon, I was trying to visualize our path and the possibilities and came up with an early version of the diagram below. It’s not perfect, but it helped clean up my thinking and let me explain it to others. I’ve also used this in numerous presentations over the last decade. And please note the scale on the bottom, "Rigor, Scalability, Repeatability". That's the point I am trying to illustrate: how do we increase each of those properties?
If the format looks familiar, yes, this was “drawn” in Excel. I TOLD you it is the Universal Cyber Defense Tool.
“Five Geeks in a Room” – that’s literally the comic-book origin story that became the Controls. Five talented and trusted NSAers, representing tremendous experience and diverse mission jobs. The challenge I gave them: “No one leaves the room until we all agree on a small number of things all of our friends should do to get started on defense.”
“Five thousand Geeks” - the power of SANS to reach a world-wide community for feedback and turn a 2-page list to an industry-wide “thing”.
“Mapping to authoritative problem summaries” – that’s the work with Verizon that started in 2013, and was extended to include the top half-dozen or so threat intelligence companies.
“Reinforce with manual analysis, honeypots, experimentation” – these were early ways that lots of people (like NSA, the Australian Signals Directorate, and others) established the “security value” of recommendations, individually and as “blocks” (like the ASD “Essential 8”).
“Mapping to/from standard language patterns, templates, formal expressions of attack data” – there are elements and seeds of this in earlier work like CWE, etc., but today we at CIS try to bring together the data about attacks (as represented by our work with Verizon) and a simple model using the MITRE ATT&CK Framework. This is essentially what we call the CIS Community Defense Model.
“Tagging of attack summaries at the source” – this is not really a sequential step of abstraction, but a change in concept and workflow. If we have a concept of a defensive “machinery”, then we really should be making sure that every data source (sensors and humans) is creating the data in a form that is designed for the machine. Lots of work and ideas have swirled around this, via topics like SCAP (and Security Automation broadly), and Security Orchestration.
“Basis for control prioritization, security value of alternatives, optimization, research, etc.” - again, not a sequential step, but some things that become possible as we achieve the rest.
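To make the last two rungs of that ladder concrete, here is a small worked example of the kind of computation they enable. It is added to this post and is not CIS or Verizon code, and it does not use the published Community Defense Model mapping. It takes a constructed table of observed ATT&CK techniques with invented incident counts (standing in for DBIR-style attack data), a hypothetical technique-to-Controls mapping (Control numbers and titles follow CIS Controls v8, but which techniques each Control is said to address is assumed for illustration), and computes how much of the observed attack volume each Control addresses, which techniques nothing addresses, the value of a chosen block of Controls, and a greedy pick of the next-most-valuable Control.

```python
"""Weighted Control coverage over attack data: an added illustration, not CIS's own model.

All counts and the technique -> Control mapping below are constructed for this
example. They are not DBIR figures and not the published CIS Community Defense Model.
"""
from collections import defaultdict

# Constructed sample: ATT&CK technique ID -> number of incidents in which it was observed.
# The technique IDs are real ATT&CK identifiers; the counts are invented.
OBSERVED_TECHNIQUES = {
    "T1566": 30,  # Phishing
    "T1078": 25,  # Valid Accounts
    "T1190": 20,  # Exploit Public-Facing Application
    "T1059": 15,  # Command and Scripting Interpreter
    "T1486": 10,  # Data Encrypted for Impact
    "T1195": 5,   # Supply Chain Compromise (deliberately left unmapped below)
}

# CIS Controls v8 numbers and titles, used here only as labels.
CONTROL_NAMES = {
    4: "Secure Configuration of Enterprise Assets and Software",
    5: "Account Management",
    6: "Access Control Management",
    7: "Continuous Vulnerability Management",
    9: "Email and Web Browser Protections",
    10: "Malware Defenses",
    11: "Data Recovery",
    14: "Security Awareness and Skills Training",
}

# Hypothetical technique -> Controls mapping, assumed for illustration only.
TECHNIQUE_TO_CONTROLS = {
    "T1566": {9, 14},
    "T1078": {5, 6},
    "T1190": {4, 7},
    "T1059": {4, 10},
    "T1486": {10, 11},
    "T1195": set(),  # observed, but no Control in this toy mapping addresses it
}


def control_coverage(observed, mapping):
    """Incidents each Control addresses (a technique counts once for every Control mapped to it)."""
    coverage = defaultdict(int)
    for technique, count in observed.items():
        for control in mapping.get(technique, ()):
            coverage[control] += count
    return dict(coverage)


def rank_controls(observed, mapping):
    """Controls ordered by incidents addressed, highest first; ties broken by Control number."""
    coverage = control_coverage(observed, mapping)
    return sorted(coverage, key=lambda c: (-coverage[c], c))


def unmapped_techniques(observed, mapping):
    """Observed techniques that no Control addresses: a gap in the mapping or in the Controls."""
    return sorted(t for t in observed if not mapping.get(t))


def covered_incidents(observed, mapping, chosen):
    """Incidents addressed by at least one Control in `chosen` (the security value of a block)."""
    chosen = set(chosen)
    return sum(n for t, n in observed.items() if mapping.get(t, set()) & chosen)


def greedy_select(observed, mapping, k):
    """Pick k Controls one at a time, each maximizing the additional incidents covered.

    Ties go to the lower Control number, so the result is deterministic.
    """
    candidates = set().union(*mapping.values())
    chosen = []
    for _ in range(k):
        base = covered_incidents(observed, mapping, chosen)
        best = max(
            sorted(candidates - set(chosen)),
            key=lambda c: covered_incidents(observed, mapping, chosen + [c]) - base,
        )
        chosen.append(best)
    return chosen


if __name__ == "__main__":
    total = sum(OBSERVED_TECHNIQUES.values())
    coverage = control_coverage(OBSERVED_TECHNIQUES, TECHNIQUE_TO_CONTROLS)
    print("Control ranking by share of observed incidents addressed:")
    for control in rank_controls(OBSERVED_TECHNIQUES, TECHNIQUE_TO_CONTROLS):
        print(f"  Control {control:2d} {CONTROL_NAMES[control]:<55} {100 * coverage[control] / total:5.1f}%")
    print("Techniques no Control addresses:", unmapped_techniques(OBSERVED_TECHNIQUES, TECHNIQUE_TO_CONTROLS))
    picks = greedy_select(OBSERVED_TECHNIQUES, TECHNIQUE_TO_CONTROLS, 3)
    covered = covered_incidents(OBSERVED_TECHNIQUES, TECHNIQUE_TO_CONTROLS, picks)
    print(f"Greedy top 3: {picks} cover {covered} of {total} incidents")
```

The point of the `unmapped_techniques` check is the feedback loop the post describes: when attack data tagged at the source lands on a technique nothing in the mapping addresses, that is either a missing mapping entry or a real gap in the Controls, and either way it is a research question the data surfaced rather than an opinion. The greedy step is the simplest form of "security value of alternatives": it asks which Control adds the most coverage given what has already been chosen, which is a different answer from ranking Controls in isolation.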
If you've read this far, thanks for following me down this geeky cyber path!