Add Structure and Credibility To Your Security Portfolio With CIS Controls v8 Cybersecurity Framework


Mar 7, 2023
Today’s speakers

• Alex Fields, Real Human, ITProMentor.com
• David Bjurman-Birr, Microsoft
A story about when things go very wrong

“the threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack.”

“the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity”

“the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service”

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware”
Password Manager Kill Chain: Highly Targeted Attack

Path: Attacker → Personal Device → DevOps Credentials → Production backups, database backups, other resources (Data Exfiltrated)

Reconnaissance
1. Reconnaissance & configuration data from attack #1

Initial Access & Execution
2. Exploit enables remote code execution
3. Keylogger installed
4. Engineer authenticates with MFA and accesses sensitive data
5. Privileged accounts compromised

Collection, Credential Access
6. Access keys & decryption keys stolen
7. Recon for high value data, production backups, customer password stores
8. C&C communication of recon data, credentials, keys

Recon, Exfiltration
9. Lateral movement attempts
10. Highly sensitive data accessed, decrypted, and exfiltrated
Discussion

How do you think they felt about their security posture pre-breach?
Could more advanced and specialized security tools stop this threat?
Could this happen to MSPs?
The methods used in this attack were discovered after the fact. How could a zero-trust ‘assume breach’ security posture have helped?
How can I keep up with increasingly sophisticated threats?
What can we learn from this, and what can we start doing today to help protect ourselves and our customers?
Agenda Items

1. Cybersecurity Control Framework review
2. Addressing unauthorized assets
3. Addressing vulnerabilities
4. Q&A
Cybersecurity Control Frameworks

CIS Controls and other common frameworks

Control frameworks:
• CIS Top 18 Controls
• NIST 800-53

Program frameworks:
• NIST CSF
• ISO 27001

Risk frameworks:
• CIS RAM
• ISO 27005

[Diagram: Control ($), Program ($$) and Risk ($$$) frameworks plotted against experience and time]

A Cybersecurity Control Framework is a pre-defined and pre-prioritized set of recommended activities or tasks which are proven to reduce risks associated with common cyber threats.
National Institute of Standards and Technology Cyber Security Framework (NIST CSF) (Program Framework)

Less prescriptive, more like “Choose your own adventure!”

Build target Profiles out of:
1. Core Categories & Subcategories (i.e., controls)
2. Tiers (i.e., commitment level)
by aligning business objectives and budget requirements.
CIS Controls v8: Implementation Groups

• IG1: Basic cyber hygiene; for SMBs with limited budget & resources for cybersecurity (56 Cybersecurity Safeguards)
• IG2: Enterprises with multiple departments, differing risk profiles and more complexity (74 Additional Safeguards)
• IG3: Enterprises with dedicated professionals defending against sophisticated attacks (23 Additional Safeguards)

153 Total Safeguards
CIS Top 18 Critical Security Controls v8

# Description – CIS Control v8
1. Inventory & Control of Enterprise Assets
2. Inventory & Control of Software Assets
3. Data Protection
4. Secure Configuration of Assets & Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email & Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13*. Network Monitoring & Defense
14. Security Awareness & Skills Training
15. Service Provider Management
16*. Application Software Security
17. Incident Response Management
18*. Penetration Testing

153 Total Safeguards
*No Safeguards for these Controls in IG1.
Example: 1. Inventory & Control of Enterprise Assets

56 IG1 Safeguards
Sample IT Security Policy
• Demo: Set up device enrollment
• Demo: Require MFA for device enrollment
• Demo: Enroll devices with MFA
• Demo: Only allow authorized, low risk devices
• Demo: Block unauthorized or medium to high-risk devices
Example: 2. Continuous Vulnerability Management

56 IG1 Safeguards
Sample IT Security Policy
• Demo: Threat and Vulnerability Management
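The Continuous Vulnerability Management demo above is about more than running a scanner: Control 7 expects a documented remediation process and evidence that findings are closed within a defined time. The Python script below is an added example, not code from the deck, Microsoft or CIS. The findings, the per-severity remediation windows in SLA_DAYS, the rule that exploited-in-the-wild bugs get the critical window, and the CVE-0000-000x identifiers are all constructed placeholders chosen for illustration; the deck itself sets no SLA values.

```python
"""Track vulnerability findings against remediation deadlines (CIS Control 7).

Added example. Findings, SLA windows and CVE ids are constructed placeholders,
not values from the presentation.
"""
from datetime import date, timedelta

# Assumed remediation windows in days per severity (set by your own policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner output: one finding per host/CVE pair. CVE ids are placeholders.
FINDINGS = [
    {"host": "ws-finance-01", "cve": "CVE-0000-0001", "severity": "critical",
     "found": date(2023, 2, 20), "exploited_in_wild": True, "fixed": None},
    {"host": "srv-files-01", "cve": "CVE-0000-0002", "severity": "high",
     "found": date(2023, 2, 1), "exploited_in_wild": False, "fixed": None},
    {"host": "ws-sales-02", "cve": "CVE-0000-0003", "severity": "medium",
     "found": date(2023, 1, 10), "exploited_in_wild": False, "fixed": date(2023, 2, 5)},
    {"host": "ws-sales-02", "cve": "CVE-0000-0004", "severity": "low",
     "found": date(2023, 3, 1), "exploited_in_wild": False, "fixed": None},
]


def due_date(finding):
    """Deadline = discovery date + policy window. Assumption: a vulnerability
    known to be exploited in the wild is never allowed more than the critical window."""
    days = SLA_DAYS[finding["severity"]]
    if finding["exploited_in_wild"]:
        days = min(days, SLA_DAYS["critical"])
    return finding["found"] + timedelta(days=days)


def status_report(findings, today):
    """Classify every open finding as overdue / due_soon / on_track and sort it
    so the items that need attention first come first."""
    rows = []
    for f in findings:
        if f["fixed"] is not None:
            continue  # closed findings feed the MTTR metric, not the work queue
        due = due_date(f)
        days_left = (due - today).days
        if days_left < 0:
            state = "overdue"
        elif days_left <= 7:
            state = "due_soon"
        else:
            state = "on_track"
        rows.append({"host": f["host"], "cve": f["cve"], "severity": f["severity"],
                     "due": due.isoformat(), "days_left": days_left, "state": state})
    rows.sort(key=lambda r: r["days_left"])
    return rows


def mean_time_to_remediate(findings):
    """Average days from discovery to fix over closed findings; None if nothing is closed."""
    closed = [(f["fixed"] - f["found"]).days for f in findings if f["fixed"] is not None]
    return sum(closed) / len(closed) if closed else None


def sample_report():
    """Report for the constructed data as of 7 March 2023 (the deck's date)."""
    return status_report(FINDINGS, today=date(2023, 3, 7))


if __name__ == "__main__":
    for row in sample_report():
        print(f"{row['state']:9} {row['host']:14} {row['cve']} {row['severity']:8} "
              f"due {row['due']} ({row['days_left']:+d} days)")
    print("mean time to remediate (days):", mean_time_to_remediate(FINDINGS))
```

Run as-is it prints the two overdue findings first, then the on-track one, and a mean time to remediate of 26 days for the single closed finding. The report is the artefact a reviewer asks for: the open queue ordered by deadline, and a closure metric that shows whether the process is actually working.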
Discussion

Can I pick and choose the controls that are most important to me based on this incident and others I’ve heard of?

What’s the impact of missing a single control in the framework?

How does CIS recommend getting started with implementing the framework, and what else should we keep in mind?
3 Phases to implement CIS Controls

• Know: Devices, Software
• Protect: Secure Baselines, Educate Users
• Prepare: Backups, Incident Response

Questions to consider before performing an assessment

What is connected to your computers & network?
What software is running on the systems & networks?
Is every computer secure?
Who has access to sensitive information or admin privileges?
Do all staff understand their role in protecting from cyber incidents?
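The first two “Know” questions, and the Control 1 example earlier in the deck (authorized versus unauthorized devices), reduce to the same check: compare what the network actually shows against what the inventory says, then act on the differences. The Python script below is an added example, not code from the deck, Microsoft or CIS. The device records, software lists, field names and the 30-day review window are constructed assumptions; a real run would feed it DHCP leases, scan output or MDM exports instead.

```python
"""Reconcile discovered devices and installed software against authorized inventories.

Added example for CIS Control 1 (enterprise assets) and Control 2 (software assets).
All records below are constructed sample data; the 30-day review window is an assumption.
"""
from datetime import date, timedelta


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-..' and 'aabbcc..' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: what the business believes it owns.
AUTHORIZED = {
    normalize_mac("00-11-22-33-44-01"): {"name": "ws-finance-01", "owner": "finance", "last_seen": date(2023, 3, 1)},
    normalize_mac("00-11-22-33-44-02"): {"name": "ws-sales-02", "owner": "sales", "last_seen": date(2022, 12, 15)},
    normalize_mac("00-11-22-33-44-03"): {"name": "srv-files-01", "owner": "it", "last_seen": date(2023, 3, 6)},
}

# Constructed discovery output (what a DHCP lease table or scan would show today).
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.21"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.0.5"},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.0.77"},  # not in the inventory
]

# Constructed software inventory per host and the approved allowlist (Control 2).
INSTALLED = {
    "ws-finance-01": {"office-suite", "pdf-reader", "media-player-legacy"},
    "srv-files-01": {"backup-agent", "edr-agent"},
}
APPROVED_SOFTWARE = {"office-suite", "pdf-reader", "backup-agent", "edr-agent"}


def reconcile(authorized, discovered, today, stale_after=timedelta(days=30)):
    """Return devices on the network that are not in the inventory, and inventory
    entries not seen within `stale_after` (candidates to verify or retire)."""
    seen = {normalize_mac(d["mac"]): d for d in discovered}
    unauthorized = [{"mac": mac, "ip": d["ip"]} for mac, d in seen.items() if mac not in authorized]
    stale = []
    for mac, entry in authorized.items():
        last_seen = today if mac in seen else entry["last_seen"]
        if today - last_seen > stale_after:
            stale.append({"mac": mac, "name": entry["name"], "last_seen": last_seen.isoformat()})
    return {"unauthorized": unauthorized, "stale": stale}


def unapproved_software(installed, approved):
    """Return {host: sorted packages outside the allowlist} for hosts that have any."""
    result = {}
    for host, packages in installed.items():
        extra = sorted(packages - approved)
        if extra:
            result[host] = extra
    return result


def sample_report():
    """Reconciliation for the constructed data as of 7 March 2023 (the deck's date)."""
    return reconcile(AUTHORIZED, DISCOVERED, today=date(2023, 3, 7))


if __name__ == "__main__":
    report = sample_report()
    for dev in report["unauthorized"]:
        print(f"UNAUTHORIZED {dev['mac']} at {dev['ip']}: quarantine or enroll")
    for dev in report["stale"]:
        print(f"STALE {dev['name']} last seen {dev['last_seen']}: verify or retire")
    for host, extra in unapproved_software(INSTALLED, APPROVED_SOFTWARE).items():
        print(f"UNAPPROVED SOFTWARE on {host}: {', '.join(extra)}")
```

The output is the short list the assessment questions ask for: one device on the network nobody authorized, one inventory entry that has not been seen for months, and one workstation running software outside the allowlist. Each line maps directly onto a Control 1 or Control 2 safeguard action (enroll or quarantine, update the inventory, remove or approve the software).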
3 Phases to implement CIS Controls

Additional considerations once work is underway

What is connected to the network?
What software is installed?
Are the administrators and users all using strong authentication?
Which online platforms are in use by employees?
Where is the most important data stored?

Asset types: Computers, Servers, Mobile Devices, Switches, Internet of Things (IoT)

Sensitive data types: Credit card, banking, and financial information; Personally Identifiable Information (PII); Customer lists, product info, pricing; Trade secrets, formulas, methods
Get the 2022 DBIR

> 23,000 incidents
> 5,200 confirmed breaches

Top threats facing SMBs:
1. Ransomware
2. Use of stolen creds
3. Phishing & pretexting
4. Trojan
5. Exploit vulnerabilities

“...very small organizations are just as enticing to criminals as large ones, and, in certain ways, maybe even more so.”
Your CIS-Based Cybersecurity Program

1. Assessment based on IG1
2. Written Policies & Procedures
3. Projects: implement reference architecture
4. Process, Tools & Reporting
Your To-Do’s

• Help customers understand the “why” of cybersecurity
• Use ‘Zero Trust’ language and simplified concepts
• Present the Shared Responsibility Model
• Use included templates as a starting point


Key Point: M365 Business Premium

Collaborate in real time
• Video Conferencing
• Group Chat
• Easy access to files, Co-authoring
• Phone system (Business Voice add-on)
• App integrations

Enable secure access and protect identity
• MFA
• Conditional Access
• App Proxy
• Dynamic Groups
• Azure Virtual Desktop

Defend against cyberthreats and data loss
• Microsoft Defender for Office 365
• Azure Information Protection
• Office 365 DLP
• Cloud App Discovery
• New! Microsoft Defender for Business

Easily secure and manage devices
• Intune Device Management
• Intune Mobile App Management
• Autopilot
Resources for M365 (download)

• Cybersecurity Assessment Workbook: https://aka.ms/smbcisworkbook
• Information Security Policy Template: https://aka.ms/smbpolicytemplate
• SMB Security Guide for M365: https://aka.ms/smbsecurityguide
(These templates are aligned with CIS Controls IG1)
• Shared Responsibility Model Reference Sheet: https://aka.ms/smbresponsibilitytemplate
• Recommended Baseline Security Configuration: https://aka.ms/smbbaselinesample
Q&A
2023 Modern Work for SMB Partner of the Year Award (POTYA)
Submit by the April 5, 2023 nomination deadline! https://aka.ms/POTYA

What is the POTYA?
• Recognition for substantial and sustainable growth in helping customers in the small (<25 seats) and midmarket space (25+ seats) to transform their workplaces.
• Partners positioned to win this award will have created innovative service offerings while engaging directly with customers to deliver business value by leveraging any of the following technologies: Microsoft Teams Essentials, Microsoft Defender for Business, Windows 365, and/or Microsoft 365 Business Premium.

Partner benefits
• Customized logos and public relations templates to help promote your award-winning status.
• Recognition collateral to signify your success.
• Winners are celebrated at Microsoft Inspire.

Timeline
• Now through April 5, 2023 at 6:00PM Pacific Time: The POTYA Nomination Tool is open for partners to self-nominate.
• May 25: Winners are notified

Call to Action
• Prepare your nominations & submit before April 5, 2023! Visit https://aka.ms/POTYA for more details.

Resources
• Complete award guidelines: https://aka.ms/POTYA_Guidelines
• Guidance from the judges: https://aka.ms/POTYA_JudgesGuidance
• Tips on creating award-winning entries: https://aka.ms/POTYA_NominationTips
• Frequently asked questions: https://aka.ms/POTYA_FAQ
• Nomination tool: https://aka.ms/POTYA_Nominate

Any questions? Gisela.laya@microsoft.com
Dankie Faleminderit Shukran Chnorakaloutioun Hvala Blagodaria

Děkuji Tak Dank u Tänan Kiitos Merci Danke Ευχαριστώ A dank

Mahalo .‫תודה‬ Dhanyavād Köszönöm Takk Terima kasih Grazie Grazzi

Thank you!
https://aka.ms/SMBMastersDigitalEventsSurvey

감사합니다 Paldies Choukrane Ačiū Благодарам ありがとうございました

谢谢 Баярлалаа Dziękuję Obrigado Mulţumesc Спасибо Ngiyabonga

Ďakujem Tack Nandri Kop khun Teşekkür ederim Дякую Xвала Diolch
