CIS Control recommendations

Thank You.

Thank you.

You may now close this message and continue to your article.

  • For all the years of hard work, the DBIR can finally have some standardized controls, as a treat.

    To be fair, this is simply a new take on an old approach. If you were to take out the 2014 version of the DBIR, blow the dust off of the cover and glance through the findings, you’ll see an effort that we undertook to help standardize our approach to talking about defense and controls. 

    In this effort, we aligned our findings with the Center for Internet Security (CIS) Critical Security Controls (version 6 at the time) to provide you, our most devoted and loyal readers, with a way to match our findings to your security efforts. You may (or may not) be happy to hear that we’ve revisited our earlier attempt to help provide you with the same types of integration and assist you with tying your security program prioritization to our data. 

  • DBIR critical security controls table
  • Why CIS?

    Most of us probably have our own preferences regarding security frameworks and guidance, and the authors of this report are certainly not without theirs (hint: one of us may have contributed to the CIS Critical Security Controls (CSCs) at one point or another), but there are several empirical reasons why we chose this specific collection of controls. In brief, they provide sufficient levels of detail to meaningfully tie back between our Actions and Vectors, and there’s a multitude of different mappings between the CIS CSCs and other standards freely available online. Also, it helps that we jibe with their non-profit community approach.

    For those who are unacquainted with the CIS CSCs, they are a community-built, attacker-informed prioritized set of cybersecurity guidelines that consist of 171 safeguards organized into 20 higher-level controls. One of the unique elements of the CIS CSCs is their focus on helping organizations understand where to start their security program. This prioritization is represented in two ways:

    • Through the ordering of the Critical Security Controls so that they allow a loose prioritization (Critical Security Control 1: Inventory of Hardware is probably a better place to start than Critical Security Control 20: Penetration Testing)
    • Introduced in version 7.150 is the concept of Implementation Groups, in which the 171 safeguards are grouped based on the resources and risks the organizations are facing. This means that a smaller organization with fewer resources (Implementation Group 1) shouldn’t be expected to implement resource-and-process-intensive controls such as Passive Asset Discovery even if it is within Critical Security Control 1, while an organization with more resources and/or a higher risk level may want to consider that control

  • How we used it

    The more observant among you may notice that we included a new item on our summary tables in our industry sections that identify the Top Controls for the breaches found in that specific industry. To get those Top Controls, we developed a mapping between the VERIS Actions and the safeguards and then aggregated them at the Critical Security Control level. By so doing, you can get a rough approximation of some of the controls that you should consider prioritizing for your security program.

  • Figure 134
  • Figure 134 is based on the initial mapping we did and captures the percentage of safeguards per Critical Security Control that play a role in mitigating the patterns identified.51 Below is also a quick description of some of the top controls identified across all the industries analyzed. Additional information on the actual Critical Security Controls can be found on the CIS website.52

    • Continuous Vulnerability Management (CSC 3) —A great way of finding and remediating things like code-based vulnerabilities, such as the ones found in web applications that are being exploited and also handy for finding misconfigurations.
    • Secure Configuration (CSC 5, CSC 11)53 —Ensure and verify that systems are configured with only the services and access needed to achieve their function. That open, world-readable database facing the internet is probably not following these controls.
    • Email and Web Browser Protection (CSC 7) —Since browsers and email clients are the main way that users interact with the Wild West that we call the internet, it is critical that you lock these down to give your users a fighting chance.
    • Limitation and Control of Network Ports, Protocols and Services (CSC 9) —Much like how Control 12 is about knowing your exposures between trust zones, this control is about understanding what services and ports should be exposed on a system, and limiting access to them.
    • Boundary Protection (CSC 12) —Not just firewalls, this Control includes things like network monitoring, proxies and multifactor authentication, which is why it creeps up into a lot of different actions.
    • Data Protection (CSC 13) —One of the best ways of limiting the leakage of information is to control access to that sensitive information. Controls in this list include maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email authorized cloud and email providers
    • Account Monitoring (CSC 16) —Locking down user accounts across the organization is key to keeping bad guys from using stolen credentials, especially by the use of practices like multifactor authentication, which also shows up here.
    • Implement a Security Awareness and Training Program (CSC 17) —Educate your users, both on malicious attacks and the accidental breaches.


    The future is under control

    To aid us both in our continuous improvement and transparency, we’ll be adding our mapping of Critical Security Controls to our VERIS GitHub page at We encourage you to use it as well and provide feedback on how you think we can improve. This is really our first step toward making this more accessible and easier for others to leverage, and while we acknowledge that this first version may have room for improvement, we plan to iterate rapidly on it. The more we share a common language, the easier it will be for us to work together toward more secure environments and organizations.


51 One thing of note is that the CIS Controls are focused on cybersecurity best practices and don’t touch upon things like physical security (Payment Card Skimmers pattern) or availability practices (Denial of Service pattern), so we did not include them in our diagram.


53 We combined both Secure Configuration for Desktops, Servers and Workstations (CSC 5) AND Secure Configuration for Networking Devices (CSC 11), for two potential reasons. For one, it’s difficult to know if it’s a networking issue or a system issue that is the ultimate cause of the breach and for another, it’s become increasingly more difficult to separate the network from the device in certain environments.