“There can be only one”
If you’re a fan of the movie Highlander like I am, you remember that line. Now, we’re not talking about immortals killing each other until only one remains. We’re talking about security and how to get started. Although, if you post comments on that, perhaps I can start another blog, but I digress.
CIS agreed with Connor MacLeod of the Clan MacLeod and felt that there can (should) be only one starting point for people beginning their cybersecurity journey, and created it with the CIS Controls. There were 20 Controls, and you started at Control 1, then 2, and so on. If you tried to do Control 15 first, you were doing it wrong and probably not helping yourself or your organization. Prescriptive, prioritized, simplified!
This methodology worked great for years. However, with the rise of ransomware, the threat landscape changed: threats became more advanced, severe, and frequent. To adequately protect against them, several Safeguards in Controls further down the stack (data protection, backup, secure configuration, etc.) needed to be prioritized higher. CIS had to find a way to prioritize the most impactful mitigations that required the least amount of effort (and cost, where applicable) while still providing a starting point and a path. Additionally, they had to ensure the 20 Controls were still relevant. So, uh, yeah. Lots to do.
Enter CIS Controls v8 and the Implementation Groups.
CIS Controls v8 - Leveraging the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, CIS mapped the mitigations for the most common attack types (each made up of ATT&CK techniques and sub-techniques) to the relevant Safeguards. Some Safeguards turned out to be less relevant than assumed, and others much more so. The result reduced the Controls from 20 to 18. Better security, fewer steps. That’s what I’m talking about!
They also created three Implementation Groups.
- IG1 contains 56 Safeguards that provide the highest level of protection for the lowest level of effort. According to CIS’s analysis, IG1 defends against approximately 77% of the ATT&CK (sub-)techniques used in the top five attack types, and it is referred to as “Essential Cyber Hygiene”.
- IG2 adds 74 more Safeguards (130 total) that expand capabilities and protection for larger organizations with multiple departments, locations and risk profiles, and increased operational complexity.
- IG3 adds a final 23 Safeguards (153 total) and focuses on mitigating more complex and sophisticated attacks.
Oh, and did I mention they are also measurable? This sets them apart from other frameworks. You can now measure the effectiveness of each Safeguard using the CIS Controls Assessment Specification, which spells out, Safeguard by Safeguard, what to count and how to turn those counts into a metric. No more guessing as to whether you’ve met the requirements. You now have a clearly defined process to confirm whether you have or haven’t.
You’re now an expert in Implementation Groups. Your certificate is in the mail.