Top Five Critical Security Controls According to SANS

Posted on November 21, 2013


Security is a paramount issue for enterprise managers and network administrators today. Your enterprise network is made up of hundreds or even thousands of stationary, mobile or VDI-generated user desktops. To complicate matters, these desktops reside on all types of devices, hosting an assortment of operating systems. Each of these desktops is a potential point of compromise for your enterprise network, especially since each desktop is operated by a user, and user behavior is a major weakness in itself and the most difficult to protect against. When you think about it, ensuring that all of your desktops remain secure throughout the enterprise is a daunting task. Where do you even start?

The well-known computer security training, certification and research organization, SANS, states that the first function of security is to find and shield vulnerabilities in business and IT processes. Working with the U.S. National Security Agency, SANS developed the Twenty Critical Security Controls for Effective Cyber Defense.

In a recent interview with John Pescatore, SANS Institute Director of Security Trends, published in TechRepublic under the title "IT security: Fix the leaky roof before remodeling the house", Pescatore discusses the top five security controls of this list, a short list that every networked organization needs to address.

These top five critical security controls are:

1. Inventory of Authorized and Unauthorized Devices;
2. Inventory of Authorized and Unauthorized Software;
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers;
4. Continuous Vulnerability Assessment and Remediation;
5. Malware Defenses.

Pescatore goes on to discuss why these five controls are paramount to today’s enterprise environments:

The first part is that security has to have less focus on convincing IT management and business management to do things, and more focus, first, on shielding them. Because that’s inevitable—people make mistakes. There are deficiencies in all processes. That’s why we have guard rails on highways. That’s why there are interlocks, so you have to have your foot on the brake before you go into park.

The first focus of security, everybody likes to talk about, is to convince management. No, really first you’ve got to focus on what’s obvious and the resources that were given to you to shield things.

The next big area that comes out of consumerization is that homogeneity is a thing of the past. Most of what IT has done managing security for the past couple of years is “forced” homogeneity. Everybody will use Windows PCs with “this” configuration. We will use standard things, and… that’s going away, that’s gone.

Compressing the scope of IT security into five identifiable controls makes the task of protecting the desktops throughout your enterprise more palatable. Now if only there were a short list of solutions to manage and address these five controls.

Obviously every organization requires some sort of malware protection application, as stated in control #5. Some of the most respected names that offer solutions for this control are Symantec, Barracuda, Trend Micro and ESET. Some of these names, as well as companies like Fortinet, offer solutions that address control #4 as well. All of these are solid solutions for these last two controls.

What about the first three controls, however, especially the controls of inventorying your devices and users? How does one do that? One comprehensive solution that addresses these controls is offered by Bradford Networks. The solution is called Network Sentry. It is a network access control device that leverages the existing network infrastructure to manage up to 20,000 concurrent devices from a single physical or virtual appliance. Network Sentry identifies every type of device on your network, determines whether it is corporate-issued or employee-owned, and identifies the user on the device to enable role-based network access policies. Once identified, devices are scanned for configuration compliance, such as missing patches and outdated antivirus, and non-compliant endpoints are blocked and quarantined until they are remediated. A review of Network Sentry can be found here.
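To make the inventory-then-posture flow above concrete, here is an added toy access decision in the spirit of controls 1, 4 and 5 (example code written for this post, not Network Sentry's or Bradford's own). The inventory, the seven-day antivirus-age threshold, the posture reports and the dnsmasq-style lease lines are all constructed assumptions.

```python
"""Toy NAC decision: unknown device -> deny (control 1); known but
non-compliant -> quarantine (controls 4/5); compliant -> allow by role.
Added example; all data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed authorised-device inventory keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"owner": "corporate", "user": "alice"},
    "00:11:22:33:44:02": {"owner": "employee", "user": "bob"},
}
MAX_AV_AGE_DAYS = 7  # assumed policy threshold, not a vendor default

@dataclass
class Posture:
    """What an endpoint scan would report back (constructed shape)."""
    missing_patches: int
    av_signature_date: date

def decide(mac: str, posture: Optional[Posture], today: date) -> tuple:
    """Return (decision, reason) for a device seen on the network."""
    entry = INVENTORY.get(mac.lower())
    if entry is None:
        return ("deny", "device not in inventory")            # control 1
    if posture is None:
        return ("quarantine", "no posture report")
    if posture.missing_patches > 0:
        return ("quarantine", f"{posture.missing_patches} missing patches")  # control 4
    age = (today - posture.av_signature_date).days
    if age > MAX_AV_AGE_DAYS:
        return ("quarantine", f"antivirus signatures {age} days old")       # control 5
    role = "staff" if entry["owner"] == "corporate" else "byod"
    return (f"allow:{role}", f"user {entry['user']}")

def parse_leases(lines):
    """MACs from constructed dnsmasq-style lease lines: 'epoch mac ip host'."""
    return [ln.split()[1].lower() for ln in lines if ln.strip()]

LEASES = """1385000000 00:11:22:33:44:01 10.0.0.11 alice-laptop
1385000050 00:11:22:33:44:02 10.0.0.12 bobs-phone
1385000090 de:ad:be:ef:00:99 10.0.0.13 unknown-host""".splitlines()

def evaluate(today: date = date(2013, 11, 21)) -> dict:
    """Run the policy over every leased MAC; third device is not inventoried."""
    reports = {"00:11:22:33:44:01": Posture(0, date(2013, 11, 20)),
               "00:11:22:33:44:02": Posture(3, date(2013, 11, 19))}
    return {m: decide(m, reports.get(m), today) for m in parse_leases(LEASES)}

if __name__ == "__main__":
    for mac, (decision, reason) in evaluate().items():
        print(f"{mac}  {decision:<12} {reason}")
```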

IT security doesn’t have to be overwhelming. As Pescatore states, the first priority is to shield the organization. Just as there’s no one encompassing security control to address within an enterprise, there’s no one solution that addresses all five.