Achieving Compliance Through Security

Achieving Compliance Through Security Jason Iler – Tripwire Patrick Miller – The Anfield Group

Description

Presented by Patrick Miller, The Anfield Group, and Jason Iler, Tripwire. Abstract: This presentation emphasizes the importance of building an environment where compliance is a natural byproduct of effective security controls. The presenters discuss how to establish information security controls that reinforce a culture of controls by being plugged into the daily operational processes of IT operations, software and service development, project management and internal audit. Additionally, the presenters explore the various benefits of continuous monitoring and how to achieve it through a step-by-step practice.

Transcript of Achieving Compliance Through Security

Page 1: Achieving Compliance Through Security

Achieving Compliance Through Security

Jason Iler – Tripwire Patrick Miller – The Anfield Group

Page 2: Achieving Compliance Through Security

THE AUDIT BLAME CYCLE

Page 3: Achieving Compliance Through Security

“Boss, We Are Ready For The Upcoming Audits…”

Page 4: Achieving Compliance Through Security

“OMG. The Auditors Are Coming When?!?”

Page 5: Achieving Compliance Through Security

IT Operations Not Quite As Ready As They Thought…

Page 6: Achieving Compliance Through Security

Infosec Must Do Heroics Generating Reports and Presentations from scratch

Page 7: Achieving Compliance Through Security

Despite Heroics, The Business Still Fails The Audit…

Page 8: Achieving Compliance Through Security

…Infosec Can’t Say, ‘I Told You So’

Page 9: Achieving Compliance Through Security

…And Has To Be The Professional Apologist

Page 10: Achieving Compliance Through Security

Problems: The Real Business Cost

- Scheduled value-adding work and projects are delayed because of all the urgent and unplanned audit prep work
- The business continues to implement controls as part of a one-time audit preparation project to achieve compliance, with little thought on how to maintain compliance over time
- The next audit requires just as much effort, because controls were never integrated into daily business and IT operational processes
- The business starts treating audit prep as a legitimate value-adding project, even charging time against it
- Multiple regulatory and contractual requirements result in IT controls being tested numerous times by numerous parties, requiring management to perform the same work multiple times

Page 11: Achieving Compliance Through Security

Security And Compliance Already Don’t Get Along

Compliance Hinders Security…

- Creates bureaucracy
- Imposed processes hinder rapid responses to security threats
- Focuses on ‘checking the box’
- Does not respond quickly to changes in technology
- Consumes resources/budget that might otherwise be invested in security controls

Security Hinders Compliance…

- Activities are difficult to measure/track
- Notoriously poor at documenting
- Can focus on ‘high profile’ threats and ignore more common risks (e.g. default passwords)

Words often used to describe both disciplines:

“hysterical, irrelevant, bureaucratic, bottleneck, difficult to understand, not aligned with the business, immature, shrill, perpetually focused on irrelevant technical minutiae…”

Page 12: Achieving Compliance Through Security

The Goal

- Build an environment where compliance is a natural byproduct of effective security controls
- Establish information security controls that reinforce a culture of controls by being plugged into the daily operational processes of:
  - IT operations
  - Software and service development
  - Project management
  - Internal audit

Page 13: Achieving Compliance Through Security

CONTINUOUS MONITORING

Page 14: Achieving Compliance Through Security

Spirit of Continuous Monitoring

- Enables dynamic security that responds to evolving threats
- Provides details of your information systems, so you can:
  - Make risk-based decisions
  - Take control, and remain in control, of your infrastructure
- Provides continuous input to the C&A (certification and accreditation) process
- Moves the focus back to security

Page 15: Achieving Compliance Through Security

How To Achieve Continuous Monitoring?

- Step 1: Categorize Assets
- Step 2: Determine Risk Threshold
- Step 3: Determine Monitoring Frequency
- Step 4: Detailed Reporting

Page 16: Achieving Compliance Through Security

Step 1: Categorize Assets

- Establish the relative value of assets
  - High, Medium, Lower impact
  - DMZ, EMS, Processing, etc.
  - Categorize logically and by criticality
- Benefits of categorization
  - Easier to make risk-based decisions
  - Risks are easier to determine when you know the business the asset supports
  - Enables rapid triage during incident response

Page 17: Achieving Compliance Through Security

Step 2: Determine Risk Threshold

- Identify and select your scoring systems
  - OCTAVE, CAESARS, iPOST, iRAMP, etc.
- Set appropriate thresholds for policies and assign weights to control checks
  - Example of policy thresholds:
    - < 50%: Do Not Operate
    - < 75%: System should go through preplanning
    - < 90%: Operational
- Test and control weights need to be set
  - Weights affect the risk scoring
  - Examples:
    - HIGH – Administrator set to blank or default password
    - LOW – Users are part of a remote desktop group

Page 18: Achieving Compliance Through Security

Step 3: Determine Monitoring Frequency

- Start with your policy
- Determine the frequency of monitoring at each level:
  - System-level frequency
  - Security control-level frequency
  - Application-level frequency
- Determine the frequency by the function and risk associated with each system and security control

Page 19: Achieving Compliance Through Security

Step 4: Provide Detailed Reports

- Provide valuable input to Ops and Security teams:
  - Incident response
  - Security alerts
  - Change and compliance metrics
- Use the intelligent data feeds to make accurate risk-based decisions
- Create a feedback loop to adapt and improve security and risk posture
- Construct reports that have both operational and audit-evidence value
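The four steps above carried through in code, as an added example that is not from the slides or from Tripwire: assets are categorized by impact, weighted control checks (the slide's HIGH blank/default admin password and LOW remote desktop group examples among them) produce a score, the score is mapped onto the Step 2 policy bands, and the report row carries the re-check interval. The check names, weights, intervals and inventory are constructed assumptions.

```python
# Added example (not from the slides): a minimal weighted risk score that walks
# the four steps above. Asset records, check weights and monitoring intervals
# are constructed; the score bands are the policy thresholds quoted in Step 2.
from collections import namedtuple

# Step 1: the impact category also drives Step 3, how often the asset is re-checked.
MONITOR_INTERVAL_HOURS = {"High": 1, "Medium": 24, "Low": 168}   # assumed values

# Step 2: weighted control checks. The HIGH and LOW examples mirror the slide
# (blank/default admin password vs. remote desktop group membership).
CHECK_WEIGHTS = {
    "admin_password_not_default": 10,   # HIGH weight
    "no_unauthorized_changes": 5,
    "patched_within_sla": 5,
    "rdp_group_restricted": 1,          # LOW weight
}

# zone: DMZ / EMS / Processing; impact: High / Medium / Low; results: check -> pass?
Asset = namedtuple("Asset", "name zone impact results")

def compliance_score(asset):
    """Weighted percentage of passed checks (0-100, one decimal)."""
    total = sum(CHECK_WEIGHTS.values())
    passed = sum(w for c, w in CHECK_WEIGHTS.items() if asset.results.get(c))
    return round(100.0 * passed / total, 1)

def policy_decision(score):
    """Map a score onto the slide's bands: <50 stop, <75 preplan, else operate."""
    if score < 50:
        return "Do Not Operate"
    if score < 75:
        return "Preplanning required"
    return "Operational"

def report(assets):
    """Step 4: one row per asset, worst score first, usable as audit evidence."""
    rows = []
    for a in sorted(assets, key=compliance_score):
        s = compliance_score(a)
        rows.append({"asset": a.name, "zone": a.zone, "impact": a.impact,
                     "score": s, "decision": policy_decision(s),
                     "recheck_every_h": MONITOR_INTERVAL_HOURS[a.impact]})
    return rows

ALL_PASS = dict.fromkeys(CHECK_WEIGHTS, True)
SAMPLE = [  # constructed inventory
    Asset("ems-hist-01", "EMS", "High", {**ALL_PASS, "admin_password_not_default": False}),
    Asset("dmz-web-01", "DMZ", "Medium", {**ALL_PASS, "rdp_group_restricted": False}),
    Asset("proc-db-02", "Processing", "Low",
          {**ALL_PASS, "admin_password_not_default": False, "patched_within_sla": False}),
]
```

Because a single failed HIGH-weight check pulls a High-impact asset straight into the preplanning band, the weights rather than the raw pass count are what determine the decision.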

Page 20: Achieving Compliance Through Security

Benefits of This Approach

- Leverages automation to reduce time & effort for audit and oversight
- Provides assurance that controls are implemented properly and stay that way
- Enables accountability for proper results
- Provides objective data for gap analysis, remediation planning, and budget priorities
- Enables benchmarking across entities

Page 21: Achieving Compliance Through Security

What and How Should I Measure?

- Leverage existing work
  - CAESARS: Continuous Asset Evaluation, Situational Awareness, and Risk Scoring
    - www.dhs.gov/xlibrary/assets/fns-caesars.pdf
  - iPOST: guidance on the continuous monitoring and risk scoring model used in the Department of State
    - www.cio.ca.gov/OIS/Government/events/documents/Scoring_Guide.doc

Page 22: Achieving Compliance Through Security

Other Metrics Examples

- Configuration quality:
  - % of configurations compliant with target security standards (risk-aligned), e.g. > 95% in High; > 75% in Medium
  - Number of unauthorized changes with security impact (by area)
  - Patch compliance by target area based on risk level, e.g. % of systems patched within 72 hours for High; within 1 week for Medium
- Control effectiveness:
  - % of incidents detected by an automated control
  - % of incidents resulting in loss
  - Mean time to discover security incidents
  - % of changes that follow the change process
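The patch-compliance metric from the list above, computed per risk tier as an added example (not from the slides or from Tripwire). The 72-hour High and 1-week Medium windows are the slide's; the inventory records, the Low-tier window and target, and the rule that an unpatched system still counts while its window is open are constructed assumptions.

```python
# Added example (not from the slides): patch-compliance metric by risk tier,
# using the SLAs quoted above (72 hours for High, 1 week for Medium). The
# inventory, the Low-tier SLA/target and the "pending counts as compliant
# while the window is open" rule are constructed assumptions.
from datetime import datetime, timedelta

PATCH_SLA = {"High": timedelta(hours=72), "Medium": timedelta(weeks=1),
             "Low": timedelta(days=30)}                      # Low SLA assumed
TARGET_PCT = {"High": 95.0, "Medium": 75.0, "Low": 50.0}     # Low target assumed

# constructed records: (host, tier, patch released, patch applied or None)
RECORDS = [
    ("ems-hist-01",  "High",   "2024-03-01T09:00", "2024-03-02T10:00"),
    ("ems-scada-02", "High",   "2024-03-01T09:00", "2024-03-06T08:00"),
    ("ems-fw-03",    "High",   "2024-03-01T09:00", "2024-03-03T12:00"),
    ("dmz-web-01",   "Medium", "2024-03-01T09:00", "2024-03-05T00:00"),
    ("dmz-web-02",   "Medium", "2024-03-01T09:00", None),
    ("proc-db-02",   "Low",    "2024-03-01T09:00", "2024-03-20T00:00"),
]

def within_sla(tier, released, applied, now):
    """True if the patch landed inside the tier's SLA window. A system that is
    still unpatched only counts while its window has not yet closed."""
    deadline = datetime.fromisoformat(released) + PATCH_SLA[tier]
    if applied is None:
        return now <= deadline
    return datetime.fromisoformat(applied) <= deadline

def patch_compliance(records, now_iso):
    """Per tier: systems counted, % patched within SLA, and whether that beats
    the tier's target (the slide's '> 95% High, > 75% Medium' style goal)."""
    now = datetime.fromisoformat(now_iso)
    out = {}
    for tier in PATCH_SLA:
        rows = [r for r in records if r[1] == tier]
        if not rows:
            continue
        ok = sum(within_sla(tier, r[2], r[3], now) for r in rows)
        pct = round(100.0 * ok / len(rows), 1)
        out[tier] = {"systems": len(rows), "compliant_pct": pct,
                     "meets_target": pct > TARGET_PCT[tier]}
    return out

if __name__ == "__main__":
    for tier, m in patch_compliance(RECORDS, "2024-03-15T00:00").items():
        print(tier, m)
```

Run against the same inventory at two different dates, the Medium tier is 100% compliant while the window is still open and drops to 50% once the unpatched host's week has elapsed, which is why the metric is only meaningful when reported on a fixed cadence.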

Page 23: Achieving Compliance Through Security

Report On Status & Progress vs. Goals

Page 24: Achieving Compliance Through Security

Focus At A Higher Level

Page 25: Achieving Compliance Through Security

Summary

- Continuous Monitoring is not a “checkbox activity”
- Continuous Monitoring is an integral part of effective Security and Risk Management
- Continuous Monitoring is adaptable, enabling you to focus on the highest risk first

Page 26: Achieving Compliance Through Security

Continuous Monitoring is about…

- Risk Management Decision Making
- Empowering Leadership to make educated decisions
- Strengthening The Control Environment
- Reducing Resources spent on annual IT Audits
- Actionable Alerts to focus resources and respond

Page 27: Achieving Compliance Through Security

tripwire.com | @TripwireInc

THANK YOU JASON ILER – TRIPWIRE

PATRICK MILLER – THE ANFIELD GROUP