
The 20 Critical Security Controls


The 20 Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG) is a publication of best practice guidelines for IT security. The project was initiated in 2008 in response to data losses experienced by organizations in the U.S. defense industrial base.

The Consensus Audit Guidelines consist of 20 key actions, called security controls, that organizations should take to block or mitigate known cyber attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give practical, actionable recommendations for cyber security, written in language that's easily understood.

The goals of the 20 controls are to:

  • Leverage cyber offense to inform cyber defense, focusing on high-payoff areas,
  • Ensure that security investments are focused on countering the highest-risk threats,
  • Maximize the use of automation to enforce security controls, thereby reducing human error, and
  • Use a consensus process to collect the best ideas.

The 20 Critical Controls are being prioritized for implementation by organizations that understand the evolving risk of cyber attack. Leading adopters include the U.S. National Security Agency, the British Centre for the Protection of National Infrastructure, and the U.S. Department of Homeland Security Federal Network Security Program. Ten state governments as well as power generation and distribution companies and defense contractors are among the hundreds of organizations that have shifted from a compliance focus to a security focus by adopting the Critical Controls.

All of these entities have adopted the Critical Controls in answer to the question: "What needs to be done right now to protect my organization from known attacks?" Adopting and operationalizing the Critical Controls allows organizations to easily document those security processes to demonstrate compliance.

Notable results

Starting in 2009, the U.S. Department of State began supplementing its risk scoring program in part using the Critical Controls. According to the Department's measurements, in the first year of site scoring using this approach the Department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and 89 percent in domestic sites.

The Critical Controls are regularly updated by the Consortium for Cybersecurity Action (CCA), a virtual community of more than 100 agencies, companies, and individuals. More information on the CCA and the Controls, including the complete list, can be found at www.SANS.org. Stewardship of the Controls has since passed to the Center for Internet Security (CIS), which publishes them as the CIS Critical Security Controls; control numbers and names have changed between versions, so the numbering used below is that of the version current when this was written.

The table below lists 10 of the 20 Critical Controls that Dell SecureWorks services can address:

Control #   Critical Control                                                Relevant Services from Dell SecureWorks
4           Continuous Vulnerability Assessment and Remediation             Vulnerability Management Services
5           Malware Defense                                                 Managed Advanced Malware Protection, Managed Next Gen Firewall, Managed IDS/IPS, Managed Host IPS
6           Application Software Security                                   Managed Web App Firewall, Web Application Testing
10          Secure Configurations for Firewalls, Routers and Switches       Firewall Management, Managed Next Gen Firewall
11          Limitation & Control of Network Ports, Protocols and Services   Firewall Management, Managed Next Gen Firewall, Managed IDS/IPS
13          Boundary Defense                                                Firewall Management, Managed Next Gen Firewall, Managed IDS/IPS, Managed UTM, Security Monitoring
14          Maintenance, Monitoring & Analysis of Audit Logs                Security Monitoring, Log Management
16          Account Monitoring & Control                                    Log Management
18          Incident Response & Management                                  Incident Response Services, Security Monitoring
20          Penetration Testing, Incident Response Capabilities Testing     Penetration Testing, Incident Response Testing & Capability Analysis
