If your organization is like most, you go through the annual process of compliance via a 3rd party audit every year for the compliance frameworks that make the most sense for your company. I’ve always found these to be a valuable exercise for finding and addressing process deficiencies and weaknesses in training and documentation. As the need for better security at all levels of business function has become a top priority for boards, this process to be necessary, but not sufficient to address the scale and speed, and adaptation needs for security in the current era.
- The frameworks don’t drive new approaches. They represent the current minimum standard, but there are more efficient, cost effective ways to meet and exceed the standards than using things like SIEM.
- The annual frequency of verification is too infrequent. I assert that organizations should consider daily verification the minimum viable standard in today’s security landscape. With external systems, even daily may not be enough.
- As a security leader, you need assurance that compliance is continuous. Your company’s reputation, and your career, may depend on it.
What’s next? You’ve implemented the right controls and process, and have solid operations teams that do all the right things.
For ProKarma, automation was the next step. Detection and remediation that could be scheduled and orchestrated. That meant designing components to monitor security configurations programmatically, and communicate deviations to our SOC or automated remediation systems for triage and incident response.
We started with the basics, the most important systems that represented the highest risk. Network devices, external systems, servers that housed sensitive data, and systems involved in authentication.
We brought our production configurations under a change detection regimen and began alerting on any changes to production configurations. We found Chat Operations to work well for this, as most teams already use team chat for daily communications and incident management.
We added steps to change management processes to include updates to DevSecOps components if applicable as part of a systems or policy change, ensuring that the monitoring components remain in alignment with policy. Of the observed issues, not surprisingly human error topped the list of root causes, with over 80% of changes that resulted in a degradation to security posture originating either with a training issue or an error, such as a typo.
Adding scheduling and orchestrated remediation to this approach had additional benefits aside from the primary goal of reducing exposure. Automating remediation of commonly observed and well understood configuration issues reduced the amount of time spent responding to incidents leaving analysts with more time for strategic security initiatives.