Tom Schneider
Like many cybersecurity vendors, we like to keep an eye out for the publication of the Verizon Data Breach Investigations Report (DBIR) each year. It’s been a reliable way to track the actors, tactics and targets that have forced the need for a cybersecurity industry and to see how these threats vary from year to year. This information can be helpful as organizations develop or update their security strategy and approaches.
All of the key attack patterns reported on in the DBIR have been mapped to the Critical Security Controls (CSC) put out by the Center for Internet Security (CIS), a community-driven non-profit that provides best practices and benchmarks designed to strengthen the security posture of organizations. According to the CIS, these Controls “are a prescriptive, prioritized and simplified set of best practices that you can use to strengthen your cybersecurity posture.”
Many organizations rely on the Controls and Safeguards described in the CIS CSC document to guide how they build and measure their security program. Understanding this, we thought it might be useful to map the Incident Classification Patterns described in the 2024 DBIR report, to the guidance provided in the CIS Critical Security Controls, Version 8.1, and then to the CSC Controls and Safeguards that DataBee for Continuous Controls Monitoring (CCM) reports on. As you’ll see, CCM – whether from DataBee or another vendor (😢) – is a highly useful way to measure progress toward effective controls implementation.
The problem, proposed solutions, and how to measure their effectiveness
The 2024 DBIR identifies a set of eight patterns for classifying security incidents, with categories such as System Intrusion, Social Engineering, and Basic Web Application Attacks leading the charge. Included in the write-up of each incident classification is a list of the Safeguards from the CIS Critical Security Controls that describe “specific actions that enterprises should take to implement the control.” These controls are recommended for blocking, mitigating, or identifying that specific incident type. CIS Controls and Safeguards recommended to combat System Intrusion, for example, include: 4.1, Establish and Maintain a Secure Configuration Process1; 7.1, Establish and Maintain a Vulnerability Management Process2; and 14, Security Awareness and Skills Training3. Similar lists of Controls and Safeguards are provided in the DBIR for other incident classification patterns.
Continuous Controls Monitoring (CCM) is an invaluable tool to measure implementation for cybersecurity controls, including many of the CIS Safeguards. These might include measuring the level of deployment for a solution within a population of assets, e.g., is endpoint detection and response implemented on all end user workstations and laptops? Or has a task been completed within the expected timeframe, such as the remediation of a vulnerability, closure of a security policy exception, or completion of secure code development training? While reporting on these tasks individually may seem easy enough, CCM takes it to the next level by reporting on a large set of controls through a single interface, rather than requiring users to access a series of different interfaces for every distinct control. Additionally, CCM supports the automation of data collection and then refreshing report content so that the data being reported is kept current with significantly less effort.
Doing (and measuring) “the basics”
The CIS CSCs are divided into three “implementation groups.” The CIS explains implementation groups this way: “Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Critical Security Controls.” The CIS defines Implementation Group 1 (IG1) as “essential cyber hygiene and represents an emerging minimum standard of information security for all enterprises.” In the CIS CSCs v8.1, there are 56 Safeguards in implementation group 1, slightly more than a third of the total Safeguards. Interestingly, most of the Safeguards listed by Verizon in the DBIR are from implementation group 1, the Safeguards for essential cyber hygiene, that is, “the basics.”
Considering “the basics,” a few years ago, the 2021 Data Breach Investigations Report made this point:
“The next time we are up against a paradigm-shifting breach that challenges the norm of what is most likely to happen, don’t listen to the ornithologists on the blue bird website chirping loudly that “We cannot patch manage or access control our way out of this threat,” because in fact “doing the basics” will help against the vast majority of the problem space that is most likely to affect your organization.” (page 11)
Continuous controls monitoring is ideally suited to help organizations measure their progress when implementing essential security controls. That is, those controls that will help against “the vast majority of the problem space.” These essential controls are the necessary foundation on which more specialized and sophisticated controls can be built.
Moving beyond the basics
Of course, CCM is not limited to reporting on the basics. As Verizon notes, the CIS Safeguards listed in the 2024 DBIR report are only a small subset of those which could help to protect the organization, or to detect, respond to, or recover from an incident. Any control which lends itself to measurement, especially when expressed as a percentage of implementation, is a viable candidate for CCM. Additionally, the measurement can be compared against a target level of compliance, a Key Performance Indicator (KPI), to assess if the target is being met, exceeded, or if additional work is needed to reach it.
The Critical Security Controls from CIS provide a pragmatic and comprehensive set of controls for organizations to improve their essential cybersecurity capabilities. CCM provides a highly useful solution to measure the progress towards effective implementation of the controls, both at the organization level, and the levels of management that make up the organization.
Mapping incident classification patterns to CIS controls & safeguards to DataBee for Continuous Controls Monitoring dashboards
DataBee’s CCM solution provides consistent and accurate dashboards that measure how effectively controls have been implemented, and it does this automatically and continuously. Turns out, it produces reports on many of the Controls and Safeguards detailed in the CIS CSC. Here are some examples:
-
The DBIR recommends Control 04, "Secure Configuration of Enterprise Assets and Software," as applicable for several Incident Classification Patterns, namely System Intrusion, and Privilege Misuse. The Secure Configuration dashboard for DataBee for Continuous Controls Monitoring reports on this CSC Control and many of its underlying Safeguards.
-
Control 10, “Malware Defenses,” is also listed as a response to System Intrusion in the DBIR. The Endpoint Protection dashboard supports this control. It shows the systems protected by your endpoint detection and response (EDR) solutions and compares them to assets expected to have EDR installed. DataBee reports on the assets missing EDR and which consequently remain unprotected.
-
“Security Awareness and Skills Training,” Control 14, is noted in the DBIR as a response to patterns System Intrusion, Social Engineering, and Miscellaneous Errors. The DataBee Security Training dashboard can provide status on training from all the sources used by your organization.
In addition to supporting the controls and safeguards listed in the DBIR, the DataBee dashboards also report on CSC controls such as Control 01, “Inventory and Control of Enterprise Assets.” While the DBIR does not list Control 01 explicitly, the information reported by the Asset Management dashboard in DataBee is needed to support Secure Configuration, Endpoint Protection, and other dashboards. That is, the dashboards that do support the CIS controls listed in the DBIR.
With the incident patterns in the 2024 Verizon Data Breach Investigations Report mapped to the Critical Security Controls and Safeguards provided by the Center for Internet Security, security teams are given a great start – or reminder – of the best practices and tools that can help them avoid falling ‘victim’ to these incidents. Continuous controls monitoring bolsters an organization’s security posture even more by delivering dashboards that report on the performance of an organization’s controls; reports that provide actionable insights into any security or compliance gaps.
If you’d like to learn more about how DataBee for Continuous Controls Monitoring supports the Controls and Safeguard recommendations provided in the CIS CSC, be in touch. We’d love to help you get the most out of your security investments.
