In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist Tony Sager welcomes Thordis Thorsteins, Senior Data Scientist at Panaseer. Panaseer provides a controls monitoring platform and has played a valuable role in the development of the CIS Critical Security Controls, as well as in the implementation of the CIS Controls Assessment Specification. Together, Tony and Thordis discuss the role that data collection and automation play in cybersecurity.
When It Comes to Data, More Doesn’t Always Mean Better
When it comes to cybersecurity, an enterprise must start by listing the assets it needs to protect, select controls to protect those assets, and institute a system to monitor those controls. Simple steps in theory – but complex and time-consuming to implement in reality.
Examples of the data sources and tools involved include:
In-house vulnerability management tools
Patching tools
Phishing tools for employee training
By using a wide variety of sources, an enterprise can build a more expansive picture of its cybersecurity posture. The challenge with using all these data sources is that they create an immense amount of data that needs to be analyzed. This leads to what Sager refers to as “The Fog of More”. The collected data set is inevitably messy and noisy, and sifting through it to uncover discrepancies becomes an overwhelming task for teams.
Cybersecurity Frameworks are Open to Interpretation
The difficulty with cybersecurity frameworks is that they provide the criteria for compliance, yet no advice on how to implement the framework itself. This places the burden of interpreting the framework on the enterprise, making it difficult to measure compliance effectively. While frameworks are valuable, different enterprises can interpret them in different ways. Then an auditor or governing body comes in and applies its own interpretation. This multitude of opinions makes it difficult to know when something is truly being done right.
Working with the Controls Assessment Specification
Panaseer was an early adopter of the Controls Assessment Specification and played an integral role in developing its components. The specification was created to provide a comprehensive list of measures to work against, as well as assessments suited to companies at different maturity levels. This allows for a more uniform system for compliance, with the goal of having enterprises improve their assessment and monitoring activities.
Automate for Success
The Controls Assessment Specification enables an enterprise of any size to develop guidelines for seeing how it is measuring and monitoring its cybersecurity posture. The next step is to identify opportunities to automate these activities. Some frameworks require a degree of self-attestation performed by a cybersecurity expert, and when such requirements are frequent and repetitive they become labor-intensive and costly. In addition to saving time and money, automation creates consistency by:
Enabling data to be measured the same way every time
Enabling the process to be clear for the person responsible for interpreting the outcomes
Creating a roadmap for anyone performing the assessment in the future
Driving consistency in how data is collected, analyzed, and interpreted
By continuing to find new and better ways for companies to automate the measurement and monitoring of their cybersecurity posture, compliance will become more achievable and interpretations of these frameworks will become more uniform.