Part of operating an effective security program is never resting on a previous success. When guarding against an adversary, yesterday's win is quickly eclipsed by a shift in the attacker's tactics. Just as a doctor first "rules out" the most likely diagnoses, an effective attacker first checks for well-known vulnerabilities using catalogs of public exploits. These are part of the attacker's playbook.

Thankfully, the Center for Internet Security (CIS) has long been dedicated to offering some of the best guidance for those entrusted with protecting online systems. Just as any security program needs continuous improvement, the CIS team keeps improving on its previous models.

First published in 2008, the CIS Controls are now at version 8, having changed over the years not only in content but also in stewardship and name. Initially known as the "Top 20 Controls," the CIS Controls are a considerable undertaking for any organization, so the authors have worked to make the job easier for organizations of varying sizes. For example, Version 7.1 introduced three Implementation Groups (IGs), which provide a tiered approach for reaching the security level that suits an organization's capabilities and resources.

Over the last few years, in further pursuit of offering best-practice guidelines for everyone, CIS created the Community Defense Model (CDM). The model, now updated to version 2, serves a few purposes. One is stated in the executive summary:

Enterprises naturally want to know "How effective are the CIS Controls against the most prevalent types of attacks?" The CDM was created to help answer that and other questions about the value of the Controls based on currently available threat data from industry reports.
