In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist, Tony Sager welcomes Thordis Thorsteins, Senior Data Scientist at Panaseer. Panaseer provides a controls monitoring platform and has played a valuable role in the development of the CIS Critical Security Controls, as well as the implementation of the CIS Controls Assessment Specification. Together, Tony and Thordis discuss the role that data collection and automation play in cybersecurity.
When It Comes to Data, More Doesn’t Always Mean Better
When it comes to cybersecurity, an enterprise must start by listing the assets it needs to protect, select controls to protect those assets, and institute a system to monitor those controls. Simple steps in theory – but complex and time consuming to implement in reality.
Examples of some types of data sources and tools include:
In-house vulnerability management tools
Patching tools
Phishing tools for employee training
By using a wide variety of sources, an enterprise can create a more expansive picture of its cybersecurity posture. The challenge with using all these data sources is that it creates an immense amount of data that need to be analyzed. This leads to what Sager refers to as “The Fog of More”. The collected data set is inevitably messy and noisy, and that creates an overwhelming task for teams to pore through and uncover any discrepancies.
Cybersecurity Frameworks are Open to Interpretation
The difficulty with cybersecurity frameworks is that they provide the criteria for compliance, yet no advice to implement the framework itself. This places the burden of interpreting the framework on the enterprise, making it difficult to measure compliance effectively. While frameworks are valuable, they can be interpreted by different enterprises in different ways. Then an auditor or governing body comes in and applies their own interpretation. This multitude of opinions makes it difficult to know when something is truly being done right.
Working with the Controls Assessment Specification
Panaseer was an early adopter of the Controls Assessment Specification and played an integral role in developing its components. It was created to provide a comprehensive list of specifications available to work against, as well as assessments to suit companies at different maturities. This allows for a more uniform system for compliance, with the goal of having enterprises improve their assessment and monitoring activities.
Automate for Success
The Controls Assessment Specification enables any sized enterprise to develop guidelines for viewing how it is measuring and monitoring their cybersecurity posture. The next step would be to identify opportunities to automate these activities. While some frameworks require a degree of self-attestation performed by a cybersecurity expert, frequent and repetitive requirements can be labor-intensive and costly. In addition to saving time and money, automation creates consistency by:
Enabling data to be measured the same way every time
Enabling the process to be clear for the person responsible for interpreting the outcomes
Creating a roadmap for anyone performing the assessment in the future
Driving consistency in how data is collected, analyzed, and interpreted
By continuing to find new and better ways for companies to automate their cybersecurity posture, compliance will become more achievable and interpretations of these frameworks will become more uniform.
Resources:
More Stories
CISA and Partners Unveil Cybersecurity Guide For Civil Society Groups
The guide is designed to provide high-risk communities with actionable steps to bolster their cybersecurity defenses Read More
How Scammers Hijack Your Instagram
Authored by Vignesh Dhatchanamoorthy, Rachana S Instagram, with its vast user base and dynamic platform, has become a hotbed for...
NIST Confusion Continues as Cyber Pros Complain CVE Uploads Stalled
Several software security experts have told Infosecurity that no new vulnerabilities have been added to the US National Vulnerability Database...
China Presents Defining Challenge to Global Cybersecurity, Says GCHQ
GCHQ chief warns China's cyber actions threaten global internet security, while Russia and Iran pose immediate risks Read More
44% of Cybersecurity Professionals Struggle with Regulatory Compliance
Infosecurity Europe research highlights significant challenges faced by organisations in staying up to speed with increasing compliance requirements Read More
Russian Actors Weaponize Legitimate Services in Multi-Malware Attack
Recorded Future details a novel campaign that abuses legitimate internet services to deploy multiple malware variants for credential theft Read...