Engineers don’t have time to translate their workloads into “audit speak”. Auditors can’t provide value in cloud-based engineering domains.

Organizations today spend upwards of 2 million dollars to accomplish critical compliance milestones such as FedRAMP, and spend, at a minimum, hundreds of thousands annually just to stay in compliance with existing mandates for PCI DSS 3.2, ISO 27001, SOX, the NIST Cybersecurity Framework (CSF), HIPAA or the HITRUST Common Security Framework, and Trust Services Principles or SOC 2 assurance. All of today’s regulatory and compliance frameworks include substantial coverage for information security management systems (ISMS). In addition, any lack of an externally validated security architecture or compliance program is increasingly viewed as unethical and even criminal.
With all this compliance, one might ask, “Where are companies wasting the most time? What are the greatest hidden costs? Which activities associated with audit bring the greatest actual security value?”

Unfortunately, the compliance areas that waste the most time (auditor-to-engineering conversation), carry the highest hidden cost (business disruption), and could have, but likely did not, deliver the most value (resilient configuration) are one and the same.

Effective secure host and instance baseline configuration is still in the NSA top ten most important IT initiatives, and unfortunately it is also the most wildly misrepresented control domain in preparing for and conducting an audit. Any web search on "exploits older than one year" returns a remarkable set of research concluding the same thing: most of the vulnerabilities exploited today have existed on systems for more than a year, in many cases for more than three years. Returning to the NSA's recommendations, a large number of the simple initiatives to become cyber secure are decided at the moment an asset is released. Seven out of ten can be categorized as asset monitoring, meaning they could be handled as part of configuration management and policy.

  1. Control Administrative Privileges
  2. Limiting Workstation-to-Workstation Communication
  3. Antivirus File Reputation Services
  4. Anti-Exploitation
  5. Host Intrusion Prevention (HIPS) Systems
  6. Secure Baseline Configuration
  7. Web Domain Name System (DNS) Reputation
  8. Take Advantage of Software Improvements
  9. Segregated Networks and Functions
  10. Application Whitelisting

According to CIS, the Center for Internet Security, up to 80% of cyber-attacks could be prevented by:

  • Maintaining an inventory of authorized and unauthorized devices and software
  • Developing and managing secure configurations for all devices
  • Conducting continuous (automated) vulnerability assessment and remediation
  • Actively managing and controlling the use of administrative privileges

Even if that sounds completely reasonable, consider Gartner’s Strategic Planning Assumption which states that through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.

The mismanagement of recommended configuration lies both within and beyond our locus of control; however, cloud breaches impact everyone’s brand. Laws place increasing responsibility on all consumers of the cloud to exercise accountable oversight of their cloud service providers, i.e. dependency responsibilities.

What’s a small company to do? What’s a big company to do? 

One answer might be to avoid complex or new environments such as Azure, Google Cloud, or Amazon Web Services (AWS). For most businesses, that’s no longer an option. It is nearly impossible to find a thriving company that’s not dependent upon some level of IaaS (infrastructure as a service), PaaS (platform as a service) or SaaS (software as a service), and it’s not practical to keep data centers from liberal or complete use of virtualization technology.

Also, pretty much all of our networks are transitioning to SDN (Software Defined Networking), so that’s the whole stack, in the cloud. (Gone are the days of having your hands in everything unless your arms happen to be long enough to stretch into the clouds.)

It's getting a lot harder to keep track of your data


Today’s MBA has to understand business as a service, and one of those critical services not yet mentioned is security. SecaaS, or security as a service, offers another way to extend security operations via a compliance fabric or platform. Security, too, must become a platform and foundation layer beneath SecOps, and must act as a force multiplier in the speed of DevOps.

You're a company deploying AWS workloads two to three times a day, and you get a matter of seconds to assess security at release.

An example of the solutions available to assist in determining security over cloud-enabled systems is to leverage the Open Vulnerability and Assessment Language (OVAL) and the Security Content Automation Protocol (SCAP) from NIST. This too can be time-consuming. With over 75 CIS benchmarks and 300+ DISA Security Technical Implementation Guides (STIGs), maintaining continuous visibility over configurations across on-premise, hybrid and public clouds by hand is just not possible. Security operations require a compliance platform and integrated reporting. It's just one more piece of inevitable security tooling that's become a mandate of the day.

So what do we need to automate?


CIS AMAZON LINUX BENCHMARK V2.0.0 provides prescriptive guidance for establishing a secure configuration posture for Amazon Linux systems running on AWS. At 282 pages in length, the task of interpreting and setting rules to meet the needs of your business environment is not resource or time effective.

To meet the challenges of DevOps with guidance like the CIS prescriptive benchmarks, security operations requires a compliance platform that can quickly answer questions like:

"What are the top ten ways our configured enterprise is most likely to fail an audit?"

From the perspective of things that are BOTH most exploited and most audited, using a compliance platform allows for an integration of best practice at the speed necessary for DevOps. There's no other way to meet the challenge. Business compliance has to find and report alignment with security best practice in real time. The issue is that engineering can't wait for security's blessing. They simply have to deploy. Additionally, sending a long list of security issues where the impact is only noted as a "potential" problem is ineffective. If the act of detection lacks the logic to also send a notification with the exact steps to remediation, detection is a liability and a waste of time. These are reasons that security has to work with tools like Cavirin, ServiceNow, Allgress, CIS, and many others.

Top ten ways to get exploited and fail audit

A full review of required security policy is larger than most people realize. In the case of Amazon Linux, for example, there are 215 recommended automated system policy checks, organized under more than 50 control subjects, and associated with specific NIST 800-53 r4 control policies more than 1500 times. Security needs tools that can reliably and repeatedly do this work.


With system information, it becomes relatively easy to see where configuration recommendations have the greatest potential to disrupt the most regulated areas of security and IT governance, not to mention bringing focus to the areas most often exploited by cyber attack.


How do we prioritize and respond?

Risk Ranking Requires Classification Context - It's more than just the audit

Much like the value of a home, an asset's risk and value are all about location, location, location, or in this case, understanding the neighborhood surrounding your data.

Security needs to enforce asset classification. To effectively scope and prioritize mandated controls, all operations should be far down the path of asset classification. Whether the information is government classified or unclassified, the strata of classification on assets are the key to setting priority and removing findings from a relevant scope.


Some examples of classification used by Defense Information Systems Agency or DISA include:

  •  MAC-1_Classified - I - Mission Critical Classified
  •  MAC-1_Public - I - Mission Critical Public
  •  MAC-1_Sensitive - I - Mission Critical Sensitive
  •  MAC-2_Classified - II - Mission Support Classified
  •  MAC-2_Public - II - Mission Support Public
  •  MAC-2_Sensitive - II - Mission Support Sensitive
  •  MAC-3_Classified - III - Administrative Classified
  •  MAC-3_Public - III - Administrative Public

For non-military and unclassified systems, a simpler approach might include such classifications as:

Level 1 Workstation - Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Level 2 Workstation - This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • act as a defense-in-depth measure.
  • may negatively inhibit the utility or performance of the technology.

Level 1 Server - Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Level 2 Server - This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • act as a defense-in-depth measure.
  • may negatively inhibit the utility or performance of the technology.

Level 1 Domain Controller - Items in this profile apply to Domain Controllers and intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Level 2 Domain Controller - This profile extends the "Level 1 - Domain Controller" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • act as a defense-in-depth measure.
  • may negatively inhibit the utility or performance of the technology.

Level 1 Member Server - Items in this profile apply to Member Servers and intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

Items in this profile also apply to Member Servers that have the following Roles enabled:

  • AD Certificate Services
  • DHCP Server
  • DNS Server
  • File Server
  • Hyper-V
  • Network Policy and Access Services
  • Print Server
  • Remote Access Services
  • Remote Desktop Services
  • Web Server

Level 2 Member Server - This profile extends the "Level 1 - Member Server" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • act as a defense-in-depth measure.
  • may negatively inhibit the utility or performance of the technology.
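The two ideas above, ranking failed benchmark checks by how many regulated controls they touch and letting the asset's classification decide scope and weight, fit in a short script. This is an added example, not code from the article or from any platform it names; the check IDs, NIST 800-53 mappings, "exploited" flags, remediation steps and the classification-to-profile-level policy are constructed sample data.

```python
"""Rank failed CIS benchmark checks by audit impact, scoped by asset classification.
Added example, not the article's or any vendor's code. Check IDs, NIST 800-53
mappings, 'exploited' flags and remediation steps are CONSTRUCTED sample data."""
from dataclasses import dataclass

# Constructed policy: the CIS profile level an asset must satisfy, keyed by its
# DISA-style classification label; mission-critical or sensitive assets get Level 2.
CLASSIFICATION_LEVEL = {
    "MAC-1_Classified": 2, "MAC-1_Sensitive": 2, "MAC-1_Public": 2,
    "MAC-2_Classified": 2, "MAC-2_Sensitive": 2, "MAC-2_Public": 1,
    "MAC-3_Classified": 1, "MAC-3_Public": 1,
}

@dataclass(frozen=True)
class Check:
    cis_id: str          # benchmark recommendation number (constructed)
    title: str
    level: int           # CIS profile level, 1 or 2
    controls: frozenset  # mapped NIST 800-53 r4 control IDs
    exploited: bool      # appears on a "most exploited" list
    remediation: str     # the exact step shipped alongside the finding

CHECKS = [
    Check("1.1.1.1", "cramfs mounting disabled", 1, frozenset({"CM-7"}), False,
          "add 'install cramfs /bin/true' to /etc/modprobe.d/CIS.conf"),
    Check("1.6.1.2", "SELinux enforcing", 2, frozenset({"AC-3", "AC-6", "SC-7"}), False,
          "set SELINUX=enforcing in /etc/selinux/config"),
    Check("5.2.10", "SSH root login disabled", 1, frozenset({"AC-6", "IA-2"}), True,
          "set PermitRootLogin no in /etc/ssh/sshd_config"),
    Check("5.4.1.1", "password max age <= 90 days", 1, frozenset({"IA-5"}), False,
          "set PASS_MAX_DAYS 90 in /etc/login.defs"),
]

def in_scope(check, classification):
    """Level 2 recommendations are out of scope for assets held only to Level 1."""
    return check.level <= CLASSIFICATION_LEVEL[classification]

def audit_impact(check, classification):
    """Distinct mapped controls, doubled if exploited, scaled by the required level."""
    base = len(check.controls) * (2 if check.exploited else 1)
    return base * CLASSIFICATION_LEVEL[classification]

def work_plan(failed_ids, classification, checks=CHECKS):
    """Failed, in-scope checks as (cis_id, impact, remediation), highest impact first."""
    hits = [c for c in checks if c.cis_id in failed_ids and in_scope(c, classification)]
    hits.sort(key=lambda c: (-audit_impact(c, classification), c.cis_id))
    return [(c.cis_id, audit_impact(c, classification), c.remediation) for c in hits]

if __name__ == "__main__":
    for row in work_plan({"5.2.10", "1.6.1.2", "5.4.1.1"}, "MAC-1_Sensitive"):
        print(*row, sep=" | ")
```

The same three failures produce a two-item plan on a MAC-2_Public asset (the Level 2 SELinux check drops out of scope) and a three-item plan, with doubled scores, on a MAC-1_Sensitive asset.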

One final question: Isn't Compliance Fabric and Compliance Platform just another way to say GRC?

GRC tools provide the business view of risk, compliance and security, whereas the compliance fabric solution supplies the evidence-based operational platform necessary to give security operations remediation work plans, as well as the content needed for effective asset-based vulnerability, risk and compliance programs.


EnterpriseGRC Solutions actively contributes to all major standards and organizations responsible for the mapping of regulatory requirements and the most highly leveraged national and international standards. In addition to configuration hardening and change management based on the CIS Benchmarks, DISA STIGs and NIST, EnterpriseGRC Solutions has implemented all assessments against the NIST Cybersecurity Framework (CSF) and NIST 800-53 r4, including Appendix J for Privacy. Clients who elect to use multiple policy packs, including ISO/IEC 27002:2013, will benefit from the extended use of multiple frameworks to align Information Security Programs and Policy.

About EnterpriseGRC Solutions

EnterpriseGRC Solutions is empowered to implement governance, security, risk, and compliance automation products and programs, emphasizing system-based policies specific to security settings for secure configuration management. EnterpriseGRC is a women-owned small business offering compliance readiness, Security & GRC tools, Enterprise Security Architecture, Cybersecurity Risk Assessment, and a wide variety of resources for security and GRC technology support. Founded in October 2002 as Phoenix Business and Systems Process, and rebranded in 2011 as EnterpriseGRC Solutions, the company is positioned to solve an organization's greatest cloud security and cyber challenges. True to its tagline "Simple Solutions to Complex Problems", the company offers pragmatic, remote and on-site web-enabled compliance implementation, training, strategy, management consulting, security and risk management services.

About Cavirin

Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built agentless solution that deploys quickly to on-premises, cloud, and containerized infrastructures, helping organizations reduce complexity, become more agile, and drive dramatic increases in efficiency with their risk and compliance programs. Leveraging continuous visibility and automated assessments, companies are empowered to make the right decisions faster. Cavirin’s Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and risk remediation efforts across complex hybrid IT infrastructures. Offering up-to-the-minute compliance assessments, Cavirin supplies audit-ready evidence as measured by every major regulatory and security best practice framework.

About Center for Internet Security

The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. CIS provides resources that help partners achieve security goals through expert guidance and cost-effective solutions.

About DISA

DISA, a Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, national level leaders, and other mission and coalition partners across the full spectrum of operations.