Achieving Compliance Through Security


Published on

Presented by Patrick Miller, The Anfield Group and Jason Ile, Tripwire

Abstract: This presentation emphasis the importance of building an environment where compliance is a natural byproduct of effective security controls. The presenters discuss how to establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of IT operations, software and service development, project management and Internal audit.

Additional, the presenters explore the various benefits of continuous monitoring and how to achieve it through a step-by-step practice.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Achieving Compliance Through Security

  1. 1. Achieving Compliance Through Security Jason Iler – Tripwire Patrick Miller – The Anfield Group
  3. 3. 3 “Boss, We Are Ready For The Upcoming Audits…”
  4. 4. 4 “OMG. The Auditors Are Coming When?!?”
  5. 5. 5 IT Operations Not Quite As Ready As They Thought…
  6. 6. 6 Infosec Must Do Heroics Generating Reports and Presentations from scratch
  7. 7. 7 Despite Heroics, The Business Still Fails The Audit…
  8. 8. 8 …Infosec Can’t Say, ‘I Told You So’
  9. 9. 9 …And Has To Be The Professional Apologist
  10. 10. 10 Problems: The Real Business Cost ®  Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work ®  Business continues to implement controls as a part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time ®  Next time requires just as much effort, instead of integrating controls into daily business and IT operational processes ®  The business starts treating audit prep as a legitimate value- adding project, even charging time against it ®  Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform work multiple times
  11. 11. 11 Security And Compliance Already Don’t Get Along Compliance Hinders Security… §  Creates bureaucracy §  Imposed processes hinder rapid responses to security threats §  Focuses on ‘checking the box’ §  Does not respond quickly to changes in technology §  Consumes resources/budget that might otherwise be invested in security controls Words often used to describe both disciplines: “hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…” Security Hinders Compliance… §  Activities difficult to measure/track §  Notoriously poor at documenting §  Can focus on ‘high profile’ threats and ignore more common risks (e.g. default passwords)
  12. 12. 12 The Goal ®  Build an environment where compliance is a natural byproduct of effective security controls ®  Establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of… ®  IT operations ®  Software and service development ®  Project management ®  Internal audit
  14. 14. 14 " Enables dynamic security to respond to evolving threats " Provides details of your information systems §  Make risk based decisions §  Take control and remain in control of your infrastructure Spirit of Continuous Monitoring " Provides continuous input to the C&A process " Moves the focus back to Security
  15. 15. 15 Step 4: Detailed Reporting Step 3: Determine Monitoring Frequency Step 1: Categorize Assets Step 2: Determine Risk Threshold How To Achieve Continuous Monitoring?
  16. 16. 16 Step 1: Categorize Assets ®  Establish relative value of Assets ®  High, Medium, Lower impact ®  DMZ, EMS, Processing, etc ®  Categorize logically and by criticality ®  Benefits of Categorization ®  Easier to make risk-based decisions ®  Risks are easier to determine knowing the business the asset supports ®  Enables rapid triage during incident response Categorize Assets
  17. 17. 17 Step 2: Determine Risk Threshold ®  Identify and select your scoring systems ®  OCTAVE, CAESARS, iPOST, iRAMP, etc. ®  Set appropriate thresholds to policies and assign weights to control checks ®  Example of Policy Thresholds ®  < 50% Do Not Operate ®  < 75% System should go through preplanning ®  < 90% Operational ®  Test and control weights need to be set ®  Weights affect the Risk scoring ®  Examples: ®  HIGH – Administrator set to blank or default password ®  LOW – Users are part of a remote desktop group Determine Risk Threshold
  18. 18. 18 Step 3: Determine Monitoring Frequency ®  Start with your Policy ®  Determine frequency of monitoring ®  System-level Frequency ®  Security Control-level Frequency ®  Application-level Frequency ®  Determine the frequency by function and risk associated with each system and security control Determine Monitoring Frequency
  19. 19. 19 Step 4: Provide Detailed Reports ®  Provide valuable input to Ops and Security teams ®  Incident Response ®  Security Alerts ®  Change and Compliance metrics ®  Use the intelligent data feeds to make accurate risk based decisions ®  Create feedback loop to adapt and improve security and risk posture ®  Construct reports that have both operational and audit-evidence value Provide Detailed Reports
  20. 20. 20 Benefits of This Approach ®  Leverages automation to reduce time & effort for audit and oversight ®  Provides assurance that controls are implemented properly and stay that way ®  Enables accountability for proper results ®  Provides objective data for gap analysis, remediation planning, and budget priorities ®  Enables benchmarking across entities
  21. 21. 21 What and How Should I Measure? ®  Leverage existing work ®  CAESARS ®  Continuous Asset Evaluation, Situational Awareness, and Risk Scoring ® ®  iPOST – Guidance on Continuous Monitoring and Risk Scoring model used in Department of State ®
  22. 22. 22 Other Metrics Examples ®  Configuration Quality: ®  % of configurations compliant with target security standards (risk-aligned) ®  e.g. > 95% in High; > 75% in Medium ®  number of unauthorized changes with security impact (by area) ®  patch compliance by target area based on risk level ®  e.g. % of systems patched within 72 hours for High; within 1 week for Medium ®  Control effectiveness: ®  % of incidents detected by an automated control ®  % of incidents resulting in loss ®  mean time to discover security incidents ®  % of changes that follow change process
  23. 23. 23 Report On Status & Progress vs. Goals
  24. 24. 24 Focus At A Higher Level
  25. 25. 25 Summary ®  Continuous Monitoring is not a “checkbox activity” ®  Continuous Monitoring is an integral part of effective Security and Risk Management ®  Continuous Monitoring is adaptable to enable you to focus on the highest risk first
  26. 26. 26 Continuous Monitoring is about….. Risk Management Empowering Strengthening Reducing Decision Making Leadership to make educated decisions The Control Environment Resources spent on annual IT Audits Actionable Alerts to focus resources and respond