Automation Can Help Navigate Security Framework Roadmap

Automation of security comes in many forms. There are many column inches written about AI in security systems, but we should be starting much earlier in the cycle: use threat modelling to identify the controls you need to put in place, using a common framework, and then move on to automating the controls themselves (full disclosure: my business is a partner of ThreatModeler)…:

[…] Fortunately, NIST and other security frameworks point to either of two publicly available configuration standards, the Security Technical Implementation Guides (STIGs) or the CIS benchmarks.

STIGs and CIS

The STIGs, published by the Defense Information Systems Agency, a support agency for the Department of Defense (DoD), outline hundreds of pages of detailed rules that must be followed to properly secure or “harden” the DoD computing infrastructure.

Although STIGs are mandatory for DoD agencies, any civilian agency and even commercial companies are welcome to use the STIGs.

For most commercial organizations, however, CIS is the security standard of choice. Originally formed in 2000, CIS (Center for Internet Security) is a nonprofit organization with a mission to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense.”

CIS employs a closed crowdsourcing model to identify and refine effective security measures, with individuals developing recommendations that are shared with the community for evaluation through a consensus decision-making process.

“Most organizations need a starting point that works today and that they can explain in simple language to their board on what needs to be done, and that is really what the CIS benchmarks and CIS Critical Security Controls provide: that starting point,” said Curtis W. Dukes, executive vice president and general manager of the Best Practices and Automation Group at CIS.

Although there are minor differences between the STIGs and CIS benchmarks, the two overlap and are pretty much interchangeable, said Brian Hajost, president and CEO of automated security control compliance company SteelCloud.

[…]

Original article here