SANS Top 20 Critical Controls: A Beginners Guide

March 12, 2014

In today's Whiteboard Wednesday, Bill Bradley, Product Marketing Manager at Rapid7, will discuss the topic, "SANS Top 20 Critical Controls: A Beginners Guide".

Watch this video to learn why the SANS Top 20 Critical Controls was developed, why you should care about these controls, and even how to approach this list of controls based on your environment.

If you are interested in getting more detailed insight into the effectiveness of your controls and where you should focus on risk based on your configurations, check out ControlsInsight.

Learn more here -

Video Transcript

Hi. I'm Bill Bradley with Rapid7 Product Marketing, here to talk to you about the SANS Top 20.

Show more Show less

Let's start from the beginning. What is the SANS Top 20?


This is originally for official use only government document looking at some security best practices. This document was designed to look at known attacks and how you can prevent them with a list of best practices across the industry. This document was created with input from retail, government agencies, private and public sectors, looking at what are the known attacks out there and using the experience from these attacks. As they say, experience is something you get generally right after you need it. Leverage that experience from these organizations to help your company.

What it's designed to do and where it can help your company . . . For smaller companies, it is a good conversation starter, a way to begin the discussions in security about how you can help your company have a better security policy. For more mature organizations, add this to your discussions with your chief information security officer. How do we look at these controls and say, 'Do these make sense to our organization?' or maybe 'These aren't quite as relevant to us where we are in our security world.'

What SANS isn't . . . It is not a silver bullet. There are no be-all, end-all products, solutions, what have you, out in the security world. Not a one-size-fits-all. There are 20 different controls to look at out there. The organization may have more importance to some versus the other.

And finally, it is not a set-and-forget. Security is a constantly evolving world. Once you've gotten these controls in place, it is a matter of 'How do we iterate and make sure they stay relevant and fresh over time?'

Here at Rapid7, we're looking at these controls through a product called ControlsInsight, which helps you analyze, measure, and improve your security posture. If you have more questions or would like to learn more about the ControlsInsight, please go to to learn more. Thank you, and please join us next week for the next Whiteboard Wednesday session.