CIS Releases New Data, Road Maps to Guide Cyber Upgrades

The new Center for Internet Security (CIS) research measures its cybersecurity recommendations’ effectiveness at thwarting the common techniques used in attacks to guide organizations on maximizing cyber investments.

The nonprofit Center for Internet Security (CIS) announced new guidance for organizations trying to wring the most value out of their tight cybersecurity budgets.

Its recently released Community Defense Model (CDM) version 2.0 gives public and private entities a road map for upping their cyber postures that draws on research into the most pressing global cyber threats.

The CDM assesses how well the various cybersecurity practices and technologies that CIS recommends actually work at defending against common threats like ransomware and targeted intrusions. The goal is to help organizations decide which practices to prioritize adopting.

“When you can map it back to actual attack types that we're seeing globally as a community, it makes that decision logic a lot easier for organizations to say that, ‘Yes, we have to implement it or no,’” CIS Executive Vice President and General Manager Curtis Dukes told Government Technology.

According to the CDM v2 document, adopting the basic set of recommendations should defend an organization against 78 percent of the techniques and subtechniques that ransomware perpetrators have been observed using, while adopting all the recommendations defends against 92 percent.

CIS publishes a framework known as the CIS Critical Security Controls that lays out steps for boosting cyber defenses, but the nonprofit recognizes that not all organizations have the money or labor power to implement them all.

The CDM v2 — an update over last year’s CDM version 1 — lists a smaller number of “essential cyber hygiene” steps that organizations can take to achieve important protections while keeping costs and effort relatively low.

CIS is calling this group of core practices Implementation Group 1 (IG1), while its Implementation Group 2 and Group 3 recommendations outline further steps for organizations that need to go beyond to protect more sensitive data and fend off more sophisticated threats.

CIS’s framework lists key cybersecurity categories or “controls,” such as data recovery or access control management, and within these, various specific actions, called safeguards.

“Instead of focusing on 153 safeguards, you now focus on 56 within Implementation Group 1,” Dukes said. “If you do that first, then based on a risk assessment that you do, you can decide whether or not you need to include additional controls and safeguards to further protect your organization.”


To create CDM v2, CIS first set out to identify the most pervasive kinds of attacks organizations face today. Examining global threat reports led researchers to home in on insider privilege, ransomware as well as other malware, targeted intrusion and web application hacking.

Researchers then turned to the MITRE ATT&CK Framework, a global database that lists cyber criminal techniques and attack methods. Using this as well as data from CIS’ Multi-State Information Sharing and Analysis Center (MS-ISAC) allowed the CIS team to identify tactics commonly used by perpetrators of those five key cyber attacks.

That, finally, let CIS map out which of its cybersecurity recommendations would help defend against which attacker techniques — enabling the nonprofit to spell out the added security value of each practice in a more concrete way.

For example, secure configurations, patch management, monitoring and limiting administrator access to accounts all proved to be basic steps that would obstruct some common ransomware methods, Dukes said. Taking up these practices won’t guarantee an organization stays safe but is likely to reduce its risk.

“[CDM v2] is not a magic bullet or a perfect system, but it is driven by real-life data,” Dukes said.


The CDM v2 is just the next step toward CIS’ larger goal: being able to help organizations pin down more exactly the costs of implementing — or failing to implement — specific security practices.

“What you want to get down to is … what is the minimum set of safeguards that you need to implement, and what does that cost to you as an organization to implement those?” Dukes said.

That’s no easy task, Dukes acknowledges. It would require CIS to address both investments in training and technology and explore detailed questions about security offerings and options. That could include helping organizations determine when their operating system’s default security is good enough for their needs versus when they should acquire a third-party solution and weigh how different kinds of solutions match up against the needs of their specific sector.

“We need to look at the range of options available to an organization and actually talk through, ‘If you went with the open-source model, here's what it would cost in terms of resources to implement, but then [here’s] where it may not be as effective as a third-party screening tool.’”
Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.