Rocky Giglio:
You’re listening to another episode of Cloud and Clear, SADA’s Cloud Transformation podcast. I’m your host, Rocky Giglio, and on with me today is Sean Atkinson, CISO at the Center for Internet Security. Sean, welcome to the show, man.
Sean Atkinson:
Thank you so much for having me.
Rocky Giglio:
I’m excited to have you on. I know this has been a little while in the works and there’s a lot going on in what you guys are doing at CIS. Of course, in the cyberspace, there’s always something going on. And yeah, it’d be great to hear your perspective of just all the things, but maybe starting with who is CIS? What are you guys doing and where do you mostly see customers engaging and folks engaging with CIS?
Sean Atkinson:
Sure, absolutely. Thank you. So Center for Internet Security or CIS, a nonprofit organization really focused on the CIS benchmarks and CIS controls, critical security controls. People may be familiar with the top 20. We’ve now made them 18. We’re making more efficiencies, Rocky. That’s just what we do.
Rocky Giglio:
I like it.
Sean Atkinson:
And from a nonprofit perspective, very much focused on mission. And that mission really is creating a safer, connected world. We want to help organizations reduce those cyber threats and really implement best practices. And really, that’s what we’re known for is best practice implementation and strategies for those implementations over time to reduce that risk in this ever-changing world, as you mentioned, Rocky.
Rocky Giglio:
Yeah, no, that’s super interesting. I mean, going from 20 to 18, that doesn’t usually happen, right? Usually it’s like, “Hey, we have more stuff for you to do.” So talk about that a little bit. How’d you go from 20 to 18? What was the decision framework there and what are you seeing as a result as customers are looking at those benchmarks? One of the things we do [inaudible 00:02:27] is we build a data model of all the different controls that are out there for NIST, CIS, CSA, a bunch of others, different frameworks, compliance frameworks, and walk through those in 10 major domains for our customers. So like you, we were like, “Hey, we can’t have 100 domains to look at. Here are the major buckets. Let’s look there.” But talk a little bit about that. What were the 20? What took you down to the 18 and what’s the hope there?
Sean Atkinson:
Yeah, no, absolutely. I mean the way we do this as well I think is important, Rocky, is this is consensus-based. We have a global community of cybersecurity experts that are contributing to these elements. And as we went through version seven and we’re now on version eight of the controls, really was thinking about the environment that we’re in now, and we have to take that into consideration. And we were looking at combinations of controls, and that’s where two of those controls move together in terms of access. And we even did some re-prioritization. It also helped that we were thinking about implementation strategy, so thinking about the evolution of certain cycles of organizations, whether you’re beginning or you have elements of maturation in terms of your overall security program. So we built implementation groups along with that. So it was a reduction in the control, but also a strategic way of implementation of those respective controls for organizations, trying to meet organizations where they are in their cybersecurity journey.
That allowed us as well to think about governance, a very important topic as we move into this space, Rocky, really together in terms of partnership as well. So important that we think about how we stress the need to build security in early. Not as a secondary consideration, not as a, “Oh, that would be a nice to have.” That’s not where we are. It has to be early. And we follow some of the tenets of shift left in a lot of cases, but we want to shift that perspective into design representatively as organizations think about implementation strategy, maintaining control infrastructure, and then reacting to a very dynamic environment.
Rocky Giglio:
Yeah. And you mentioned shifting left as I guess the underlying strategy or goal. I don’t know what the right way to say that is, but strategy is probably the right way, because that enables that day zero security hardened world. But that’s hard to do, right? I mean as a CISO, for sure you’ve run into, “Yes, we should do this right,” but we’re not doing it. And to get there it seems like such a daunting task. And so how is CIS helping customers with that challenge? It is a big deal to switch from the old click ops way of doing things. And still to this day, I mean probably 80% of the organizations I’ve come into contact with are still doing a lot of click ops. There’s still a lot of old manual process in place. And so you see that. I mean, it’s everywhere. It’s hard to break away from when your day job has this giant backlog of stuff you’ve got to do. It is hard. It is hard to switch and shift that security focus left. So how is CIS doing that and how are you making that easier for customers?
Sean Atkinson:
So it’s really an adage that I’ll bring to the table, Rocky, is this start secure, stay secure, and really trying to make it easy for organizations, specifically those utilizing cloud infrastructure. So what we have through our benchmark capability is a set of standardized configurations that we then port into an image, what we call a hardened image. And so we say utilize this image as your initial foundational step into a cloud infrastructure. We’ll talk Google Cloud for this episode. And that necessarily takes that onus away. You’re already secure. I’ve shifted that into your design principle. All it is, that click and point element, let’s click that benchmark, let’s get that enabled. That hardened image becomes then foundational to your underlying security posture. You don’t really necessarily have to think about what do I have to do in order to implement the benchmark? We’ve done it for you. So I think it’s that simplification, Rocky, that makes it easy. The value proposition comes across in the simplification.
Rocky Giglio:
Yeah, I think you nailed it. And I mentioned, most customers still, you see a lot of click ops, even in cloud. Even in cloud where you can… All these platforms, GCP’s no exception, are built to be driven by code. But again, it’s not that easy to change process and operational process. Probably the first time I ran into CIS… Man, this is going back a ways. But I took this course at SANS Institute 25 years ago, so it’s been a minute, and we were talking about hardening Windows images, and I was like, “Well, this is genius.” There’s all these controls that I have to put in place, all these tweaks that I want to make. I need to be looking at hardened images.
And of course, fast-forward to today, you guys have created this ecosystem of standardization, hardened images, things that just make that… What you were saying, it’s easier right now. Now I don’t have to go think through all that. I don’t have to hit every single configuration item in a virtual machine image that I’m going to run a Kubernetes cluster on, and then, and then, and then… I can take this image. I know it’s already hardened. And so when I start building that cluster, that expanding platform, that cloud driven infrastructure, all of that is built from day zero with a hardened proven image using best practices. I might need to tweak that. There’s a whole bunch of principles around how you do that and keep your own golden states and all those things. But I’m starting from a good state, and oh man, that makes such a huge difference.
Sean Atkinson:
One of the things in this space, Rocky, I see, is it being really a catalyst. Because to your point… And I love the word you used there, the ecosystem, because it really is. You lay the strong foundation thinking… We’ll use the adage of the house. We’re not going to build the roof before necessarily we’ve got the foundation in place. So utilizing the foundational benchmark, the 4.0 version that we have for the Google Cloud Platform really then helps cascade those controls. Because like you said, it’s an underlying operating system capability, but with those controls cascading throughout the underlying infrastructure that you’re going to create, now we’ve set that foundation. It’s amazing what it can do, and ultimately gives you maturity out of the box. And that’s really what we want to see.
And really want to utilize platforms like this, and obviously the advocacy of SADA and yourself, Rocky, to promote those types of ideas and ideals so that we can now start to get that put into processes into the ecosystem. So really, we get that security baked in and it becomes a lot easier and representatively helps everybody in the ecosystem as well.
Rocky Giglio:
Yeah. You talked about the benchmarks. Tell us a little bit about that. How did the benchmarking come about? And when you think about a platform like a Google Cloud, what does it take to benchmark that and then what do customers do with those benchmarks?
Sean Atkinson:
Sure. Yeah. So a benchmark, again is one of those community vetted processes. So we look at certain underlying operating systems. And across many different products, we have over 150 benchmarks in our inventory, and what we look at is building out representative systems. So you think a new Windows server, new Windows operating system release, so going through and necessarily vetting the requirements in terms of necessarily those are operationalized with a lot of different functionality for many different applications and use cases. What we want to do in that space is utilize the consensus-based approach to assess those configurations, build necessarily configuration control in terms of overall security perspective and the necessarily threat or utility of certain functionality as a threat vector for organizational use of these.
And so we go through, vet those best practices and really create this catalog of control, and that’s what becomes the benchmark. We then have those benchmarks freely available for PDF download on our website for non-commercial use. We then take those benchmarks and programmatically, as you mentioned, everything is code now, put those into a hardened image that we can then deploy on cloud service providers with the benchmarks already configured, really ready to go. It’s the click point enable for compute, and you’re well on your way to that security. But it’s that vendor community, bringing all of that knowledge together that really makes these vetted and such a valid resource in any ecosystem that we see in this technology space.
Rocky Giglio:
No, that’s awesome. Yeah, I love the community element too, because we do live in a time where the cloud vendors themselves are changing stuff constantly, threat vectors are changing constantly, standards are changing constantly. And so you really do need that community of practitioners helping practitioners. “Hey, there’s this new feature in Windows Server. I turned it off and here’s all the controls that go along with that.” Feeding that back to the community, getting it into the next iteration of a hardened image, making sure all those new services and features are hardened the way they need to be, ports are closed, whatever it is that goes into creating that hardened image. I mean just Windows alone is a massive undertaking. Then add Linux, then add every flavor of Linux, then add all your GCP services and your Amazon services and your Azure. Like, oh man, that’s a ton to take on. And so I love the community element of it.
One of the first security assessments I ever did was with the benchmark tool. So took that in and just ran that, said, “Okay, here’s all the stuff we need to go fix as a result of this benchmark.” And of course, hardened images was often the answer. “Hey, let’s just not fix this and just rebuild this thing on a new hardened system.” I mean, often that is the answer. As a CISO, you’ve probably been in that situation. You do the assessment, you get the results, or you’re looking at the vulnerability dashboard and you’re going, “Oh boy, we’ve got a lot of work to do.” Talk about that a little bit. How easy is it to switch to these hardened images? Where do you see customers struggling or succeeding with going to a hardened image as the foundation?
Sean Atkinson:
One of the things that we do see, and given just the nature of cloud infrastructure it makes it so much easier. The time and effort has been reduced. So think, Rocky, back to when we were doing this on-prem and then it was a complete installation and renewal. Given the flexibility, the scalability, and the elasticity of cloud capability, this allows us now to create and instantiate these images so much simpler. The effort and time saved is absolutely incredible. And doing it, to your point, in some cases we don’t want it to be reactionary. This is the proactive where we’re trying to shift left, but there are reactionary elements, to your point. We go through, do an assessment, look at the vulnerabilities that exist within the infrastructure, look at the configuration weaknesses, and oh, we’ve got to go through and tweak every little element that exists. And as you mentioned, the operating systems are becoming so much more complex, because representatively, there are more things to do that are now digitized and creating this type of functionality.
So when we necessarily build out a capability in this space, it’s crucial for that ongoing verification element, to your point, as we come through, do audit, validation, this is absolutely needed. Because really, when you see the threat landscape, and from SADA’s perspective, our perspective, the velocity of change in that area requires that due diligence. So ultimately, we want to be on that journey. This is not the set it and forget it. I wish it was, but we just don’t live in that world at this point, Rocky. And so it’s set it and continue to verify.
We see configuration drift where there’s issues and concerns with those that haven’t used hardened images, and these tweaks can have catastrophic changes necessarily, can have a really damaging effect. And we really want to bring in not only, as you mentioned, an ability to assess and review that configuration, we want to then validate and allow that to become part of our security posture. Doing that, I think simplifies those processes. And for me, sitting in the CISO seat, very, very helpful because it’s something necessarily that I can rest on in terms of that foundational element being the strength that I build all the other elements of the organization on top of.
Rocky Giglio:
Yeah, I think one of the most fun times for me seeing that was a customer that had over 4,000 vulnerabilities. And then thankfully, some code driven infrastructure. They’d done a lot of manual builds of stuff. And just being able to go in, put hardened images underneath there and watch those vulnerabilities disappear, because we went from older versions of things to hardened versions that had all the things turned off. And so you didn’t have this giant attack surface that you then had to go deal with. But you said it in the way that it is a constant thing.
So yeah, we did that. That was a one-time thing. We went in and we cleaned up all this stuff. Those didn’t just go away forever. There’s always new stuff happening. There’s new versions of operating systems, patches. Somebody needed this thing to work, and so they went in and changed this config or that config, and you start getting these little bits of drift on an ongoing basis. So how is CIS helping there with the benchmarking tools and things like that? How does that feed back into that community and then help with this continual verification process?
Sean Atkinson:
Yeah, absolutely. Well, you mentioned it before, it’s the ecosystem. So whenever we see changes, ultimately, we have to respond. There is not a choice now. We’re in this space and we’re maintaining those elements of configuration and reliance and really building that reputation for having up-to-date, secure and compliant solutions. And that’s another area, Rocky, that has so many nuances. The regulatory landscape is constantly changing too, and we’re trying to keep all of that in line with creating the benchmark. And it’s over its respective lifetime. Because in some cases, as you see operating systems age, become end of life, okay, we keep those operational for a while. It’s amazing in terms of some of the underlying operating systems that hit end of life, that still have operational requirement for certain organizations. And so we keep those updated as well. Very important.
Again, we want to progress. We want to move to updating underlying infrastructure, making sure that those updates, we consider those as part of the benchmark, make sure we’ve got the configuration controls adjusted for those. But it really then fits this ecosystem. We’re trying to work with and meet our customers, our members where they are in terms of their overall ecosystem, their life cycles, and then try to integrate changes into their processes. And then when we move into the cloud, and we’ve mentioned this just previously, but it’s that velocity of change and that ability to change very, very quickly, very dynamically, gives new opportunity. And ultimately, we want to use that opportunity to highlight security and make sure it’s again, part of that design and that start secure, stay secure mantra.
Rocky Giglio:
And you’re talking about the community and getting towards this end state, having that built in, even things like old operating systems. I mean that’s a huge part of just running an organization. This thing got built, it was built on this operating system. It has a dependency here. We have to keep it running. The vendors drop in support. “Oh no, what do we do?” A hardened image is a great answer to that, at least in the short term to help keep things operating while you do make your migrations and transfers or upgrades or whatever it is that you’ve got to do. But it gives you that peace of mind that at least we’re not just out in the cold with a vendor that’s not developing new patches. At least we’ve got a hardened standard to work against and measure against and look for a way to provide that protection while we figure out that next step, next path.
Which feeds nicely then into compliance. So how’s CIS playing in the compliance space? Talk a little bit about that and then how you’re feeding in some of these other frameworks. There’s a lot going on there that you guys are involved in, and obviously most of our customers have some form of compliance that they’re being measured against.
Sean Atkinson:
Exactly. Exactly. Yeah. Again, it becomes one of those false feeding functions of the utility of respective benchmarks and hardened images, and we see it with the controls, and we use control mapping to take a look at updates to current NIST, PCI, HIPAA, really many, many… I think over 30 compliance requirements that we now have a mapping capability or we have our chief cartographer basically going through and mapping all of these frameworks together. And the reason why it’s so important, because it’s the effect of those respective compliances that we build into the benchmarks and then the hardened images, ultimately streamlining that effect. So implementation allows you alignment to compliance.
And then ultimately you’ve got a documented approach. This is a defensible baseline. And auditors recognize us when they see it respectfully. When talking at many conferences, RSA, et cetera, it’s often that I get auditors, “Oh, you’re the benchmark guys. We use you as the standard by which we then measure against alignment to compliance frameworks.” And that’s so great to hear. And that again, is another false feeding function that is the reason why we build those in is to make it just as easy as we can for implementation of those respective contextual controls in that space.
Rocky Giglio:
Yeah. And that’s super important. I mean, you said it, and it’s part of this discussion, but CIS benchmarks are part of these standards. And so when you’re building on a secure hardened image from CIS, you’re already compliant with most of the things that the auditor is going to be looking for, at least from an infrastructure perspective for your cloud provider, if you’re using the cloud standards from CIS for Google Cloud, the hardened images that are out there. So if you’re building in that way, and then come audit time for NIST standards or PCI or whatever it is, you’ve got 90% of what you need, at least from a configuration perspective, baked into these standards that’s going to get you that much closer and make compliance that much easier.
Because then if you do change standards… I mean, this happens all the time. You’re running an organization, you don’t have SOC 2 Type 2, you’re in the SaaS space, you’re building on Google Cloud, customers are coming, you’re getting more customers, the company’s growing, things are looking great, and then somebody comes and says, “Hey, are you SOC 2 Type 2?” Oops. Yeah, we will be. And then all this work ensues to get there. And if we build with these standards from day one, day zero, it makes that that much easier. We’re already starting on good footwork. So now when it does come time to say, “Hey, yeah, we’ve got to look at the processes around this, et cetera,” obviously for compliance standards, but the infrastructure, the configuration stuff, that part’s done, we’re already building with CIS. Great. That makes it so much easier.
And then that feeds into all the tools that we’re using to measure. I mean, that’s another element that you’ll see CIS in there, but it gets overlooked because everyone’s like, “I’ve got this compliance standard for PCI,” or, “I’ve got this NIST standard that I’m trying to measure against.” But underlying all of that in the tools, Security Command Center Enterprise from Google or other tools in the marketplace that you’re using to look at your configurations and measure your ability to comply and how compliant you are, I mean, these are tools that are reliant on what you guys are doing and what the community is doing to provide those controls. And so that’s a huge, huge part of the success for our customers, not just with what CIS is doing and using CIS hardened images or the CIS benchmark, but also the other tools that we’re using on security standards to measure how we’re doing against security standards, I should say. That’s building on what you guys are doing at CIS.
So it’s really cool to see that and then obviously to see that whole full circle community, “Oh, NIST has this new standard now. It feeds back into control.” The community’s going to work, put it back into the next hardened image, and away we go, and we’re pushing compliance forward. So it’s neat to see that come around.
Sean Atkinson:
Exactly right. Yeah. And that area is so important because we can’t do it without necessarily the volunteer community, and we can’t do it without partnership either. And I think that’s so important when we’re in the space is, there’s only so much we can do to force necessarily people to utilize this capability. But we want to exemplify that, one, obviously through strategic partnership, and then two, through the advocacy that so many do on our behalf. Obviously, we’re mission-driven and we want to be in the space and doing the best we can.
And then it takes really a community to build necessarily that flow, to bring this type of knowledge, bring this type of expertise to the market, and then integrate it into the ecosystem. And it’s so funny, you’ll hear people who are fully aware of what CIS does, and then some have never heard of what you’re trying to do in this space. And it’s so important that we work with yourself, Rocky, SADA, and other organizations to be able to promote this type of capability. Just so important to realize that and to really celebrate it. And we really do come together as a community to help better secure underlying infrastructure that has cascading effects just beyond the individuals to many, many different services and capabilities throughout the world.
Rocky Giglio:
Yeah, love it. Sean, you mentioned the partnership. It’s an important part of success in the security space. You’re going to need partners, you’re going to need help along the way. And so it’s a great partnership between SADA and CIS as well as with our parent company Insight. And so we’re excited to have that partnership in place and be able to go to our customers and say, “Hey, let’s build security from day one.” Actually, day zero. I keep saying day one, it’s really day zero. And then in our assessments we’re looking at, are you using these images? Those kinds of things.
So we’re working together to help bring those community standards, bring these hardened images, bring the benchmarks to each other’s customers and make sure that they’re secure. And then working together, giving back to the community. I think I had a bunch of my guys going in and making contributions in the community space. So that’s always fun to see too. It’s like, yeah, you should do this, but we’re actually participating. We’re making sure that these standards are functioning the way they need to for our customers to execute successfully and securely in Google Cloud.
So Sean, thank you. Thanks again for joining us here today. Any last call-outs, shout-outs for your team at the CIS team and then for our customers, and then we will wrap it up there.
Sean Atkinson:
Just a shout-out to all of the team, everyone putting this together and just bringing us together, Rocky. I really appreciate it. And to our volunteer community, thank you so much for all your efforts and what you bring to make the connected world a safer place. Thank you, Rocky.
Rocky Giglio:
Thanks, Sean. It’s great to have the partnership and great to be part of the community. Thanks for joining us. And if you liked this episode, don’t forget to like and subscribe and we’ll catch you on the next Cloud and Clear.