An updated version of the Center for Internet Security’s “community defense model” matches the group’s well-known set of controls against the most prevalent attack techniques, providing organizations with a path to implementing highly effective and less costly security measures.
The center on Wednesday issued “Community Defense Model v2.0,” identifying a set of controls that are the “least costly and difficult to implement, [and] are the Safeguards that every enterprise should deploy,” according to CIS.
“Enterprises that adopt the CIS Controls have repeatedly asked us to identify ‘What should we do first?’ In response, the Controls Community sorted the Safeguards in the CIS Controls into three Implementation Groups (IGs) based on their difficulty and cost to implement,” CIS says in the new report.
“The model shows that the CIS Controls defend against approximately 86% of all ATT&CK (sub-)techniques found in the MITRE ATT&CK® framework. Furthermore, Implementation Group 1 (IG1) of the Controls, the definition of essential cyber hygiene (formerly basic cyber hygiene), provides enterprises a high level of protection, positioning them to defend against the top five attack types – malware, ransomware, web application hacking, insider privilege and misuse, and targeted intrusions,” CIS explains.
CIS says, “The findings in the CDM demonstrate the security value of the CIS Safeguards against the top five attack types:”
- Malware: 77% of Malware ATT&CK (sub-)techniques can be defended through implementation of IG1.
- Ransomware: 78% of Ransomware ATT&CK (sub-)techniques are defended through implementation of IG1.
- Web Application Hacking: 86% of Web Application Hacking ATT&CK (sub-)techniques are defended through implementing IG1 Safeguards.
- Insider Privilege and Misuse: IG1 defends against 86% of the Insider Privilege and Misuse ATT&CK (sub-)techniques.
- Targeted Intrusions: IG1 defends against 83% of Targeted Intrusions ATT&CK (sub-)techniques.
“This year’s CDM findings strongly reinforce the value of a relatively small number of well-chosen and essential defensive steps found in IG1. As such, enterprises should aim to start with IG1 to obtain the highest value and work up to IG2 and IG3, as appropriate,” commented Curtis Dukes, CIS executive vice president and general manager, security best practices.
CIS says Implementation Group 1, “the group that is least costly and difficult to implement, are the Safeguards that every enterprise should deploy. For enterprises that face more sophisticated attacks or that must protect more critical data or systems, these Safeguards also provide the foundation for the other two Implementation Groups (IG2 and IG3).”
– Charlie Mitchell (email@example.com)