The 20 Controls That Arent – The Falcons View.

I would like to respond to Ben Tomhave’s attack on the SANS 20 Critical Security Controls.

Ben says they are not actionable. They surely are actionable. While SANS refrains from specifying actual implementation recommendations, Cymbel does not. Also each control includes metrics to enable you to evaluate its effectiveness.

Ben says they are not scalable, i.e. they are only appropriate for large organizations with deep pockets. In reality the SANS 20CCs provide a maturity model with four levels, so you can start with the basics and mature over time.

Ben says they are designed to sell products. Sure, 15 of 20 are technical controls. As the SANS 20CCs document says, the attackers are automated so the defenders must be as well. And while technical controls without well trained people and good process are useless, the inverse is also true. And SANS surely covers this in the 20CCs document. I’ve seen too many really good security people forced to waste their time with poor tools.

Most importantly, I would contend that the SANS 20CCs were developed from a threat perspective, while the IT UCF which Ben favors (and is the basis of the GRC product Ben’s employer, LockPath sells) is more compliance oriented. In fact, UCF stands for “Unified Compliance Framework.”

While I surely don’t agree with every aspect of the SANS 20CCs, there is a lot of value there.

For example, the first four controls relate to discovering devices and the adherence of their configurations to policies. How can you argue with that? If you don’t know what’s connected to your network, how can you assure the devices are configured properly?

How many organizations can actually demonstrate that all network-attached devices are known and properly configured? Who would attempt to do this manually? How many organizations perform the recommended metric, i.e. add several new devices and see how long it takes to discover them – minutes, hours, days, months?

In closing, I find SANS to be a great organization and I applaud their efforts at developing a set of threat-oriented controls. In fact, I post a summary of the 20 Critical Security Controls on our web site.