In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist Tony Sager welcomes Thordis Thorsteins, Senior Data Scientist at Panaseer. Panaseer provides a controls monitoring platform and has played a valuable role in the development of the CIS Critical Security Controls, as well as in the implementation of the CIS Controls Assessment Specification. Together, Tony and Thordis discuss the role that data collection and automation play in cybersecurity.
When It Comes to Data, More Doesn’t Always Mean Better
When it comes to cybersecurity, an enterprise must start by listing the assets it needs to protect, select controls to protect those assets, and institute a system to monitor those controls. These are simple steps in theory, but complex and time-consuming to implement in reality, because each step draws on a different set of data sources and tools.
Examples of some types of data sources and tools include:
In-house vulnerability management tools
Patching tools
Phishing simulation tools used for employee training
By using a wide variety of sources, an enterprise can build a more expansive picture of its cybersecurity posture. The challenge is that all these sources produce an immense amount of data that needs to be analyzed, which leads to what Sager refers to as "The Fog of More." The collected data set is inevitably messy and noisy: the same asset is named differently by different tools, records are incomplete, and exports are taken at different times. Reconciling it becomes an overwhelming task for teams that must pore through the data to uncover discrepancies.
Cybersecurity Frameworks are Open to Interpretation
The difficulty with cybersecurity frameworks is that they state the criteria for compliance, yet give little guidance on how to implement or measure them. This places the burden of interpretation on the enterprise, making it difficult to measure compliance effectively. While frameworks are valuable, different enterprises interpret them in different ways. Then an auditor or governing body comes in and applies its own interpretation. This multitude of opinions makes it difficult to know when something is truly being done right.
Working with the Controls Assessment Specification
Panaseer was an early adopter of the Controls Assessment Specification and played an integral role in developing its components. The Specification was created to provide a comprehensive set of measures to work against, along with assessment guidance suited to enterprises at different levels of maturity. This allows for a more uniform approach to compliance, with the goal of helping enterprises improve their assessment and monitoring activities.
Automate for Success
The Controls Assessment Specification enables an enterprise of any size to develop guidelines for how it measures and monitors its cybersecurity posture. The next step is to identify opportunities to automate these activities. While some frameworks require a degree of self-attestation performed by a cybersecurity expert, frequent and repetitive requirements can be labor-intensive and costly when performed by hand. In addition to saving time and money, automation creates consistency by:
Enabling data to be measured the same way every time
Enabling the process to be clear for the person responsible for interpreting the outcomes
Creating a roadmap for anyone performing the assessment in the future
Driving consistency in how data is collected, analyzed, and interpreted
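To make the "measured the same way every time" point concrete, the following is an added example, not code from CIS, Panaseer, or the Controls Assessment Specification. It takes constructed exports from three of the data sources named above (an asset inventory, a vulnerability scanner, and a patching tool), normalizes hostnames so the same machine matches across tools, and computes repeatable coverage measures plus the list of assets each tool is missing. The host names, measure names, and the 95% threshold are assumptions for illustration, not measures defined by the Specification.

```python
"""Illustrative automated control measurement over three tool exports.

Added example (not CIS, Panaseer, or CAS code). All hostnames below are
constructed sample data; the measure names and thresholds are assumptions.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample exports standing in for a CMDB, a vulnerability
# scanner, and a patch-management agent console. Note the inconsistent
# casing and domain suffixes: this is the "messy and noisy" data problem.
CMDB_INVENTORY = [
    "web-01.corp.example",
    "web-02.corp.example",
    "db-01.corp.example",
    "hr-laptop-7.corp.example",
]
VULN_SCAN_HOSTS = ["WEB-01", "web-02.corp.example", "db-01", "print-srv.corp.example"]
PATCH_AGENT_HOSTS = ["web-01.corp.example", "db-01.corp.example", "hr-laptop-7"]


def normalize_host(name: str) -> str:
    """Lower-case and strip the domain suffix so tools agree on one key."""
    return name.strip().lower().split(".")[0]


def normalize_all(names: Iterable[str]) -> set[str]:
    """Apply the same normalization to a whole export, dropping blank rows."""
    return {normalize_host(n) for n in names if n.strip()}


def coverage_pct(inventory: set[str], tool_hosts: set[str]) -> float:
    """Percentage of inventoried assets that the tool also reports on."""
    if not inventory:
        return 0.0
    return round(100.0 * len(inventory & tool_hosts) / len(inventory), 1)


def assess(inventory: Iterable[str], scanner_hosts: Iterable[str],
           patch_hosts: Iterable[str]) -> dict:
    """Compute the measures. Sorted lists keep the output identical run to run."""
    inv = normalize_all(inventory)
    scan = normalize_all(scanner_hosts)
    patch = normalize_all(patch_hosts)
    return {
        "inventory_count": len(inv),
        "scanner_coverage_pct": coverage_pct(inv, scan),
        "patch_agent_coverage_pct": coverage_pct(inv, patch),
        "missing_from_scanner": sorted(inv - scan),
        "missing_patch_agent": sorted(inv - patch),
        # Seen by a tool but absent from the inventory: the inventory is wrong.
        "unknown_to_inventory": sorted(scan - inv),
    }


def evaluate(measures: dict, scanner_min: float = 95.0,
             patch_min: float = 95.0) -> dict[str, bool]:
    """Turn measures into pass/fail against assumed thresholds."""
    return {
        "scanner_coverage": measures["scanner_coverage_pct"] >= scanner_min,
        "patch_agent_coverage": measures["patch_agent_coverage_pct"] >= patch_min,
        "inventory_complete": not measures["unknown_to_inventory"],
    }


if __name__ == "__main__":
    result = assess(CMDB_INVENTORY, VULN_SCAN_HOSTS, PATCH_AGENT_HOSTS)
    print(json.dumps(result, indent=2))
    print(json.dumps(evaluate(result), indent=2))
```

The value of the script is less in the arithmetic than in what it fixes in place: the normalization rule, the definition of each measure, and the threshold are all written down once, so the next person who runs the assessment cannot interpret "coverage" differently from the last.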
By continuing to find new and better ways for enterprises to automate the measurement of their cybersecurity posture, compliance will become more achievable and interpretations of these frameworks will become more uniform.
Resources: