CISOs have a tough job. They are faced with securing data across thousands of devices. They are often brought in after a bad breach and are asked to make sure “it never happens again.” When it comes to developing a roadmap for my company’s security, where is the best to start? That's the focus of this blog series, which goes through the SANS Top 20 controls from the perspective of a CISO trying to implement good controls.
The Crux of the Control
That first word—continuous—is the crux. We’ll get to vulnerability assessment and remediation later. “Continuous” has seen a bit of hype in tech circles in other contexts. In particular, I’m thinking of continuous integration from the world of DevOps, continuous delivery from the world of Software Development, and continuous improvement from the world of Digital Transformation.
Why should CISOs make a big deal of “continuous assessment”? Why not just settle for “regular assessment” or “very frequent assessment”? It’s because continuous in the context of this control actually is less about frequency and more about level of effort. If I changed the name of this control to “Effortless Vulnerability Assessment and Remediation,” it would probably evoke a more correct correct image in your mind.
Now that we understand why ‘continuous’ matters, why is it important for your company’s security? Two reasons:
First, the Internet is continuously subjecting your company’s systems to low-intensity attacks. You must be continuously defending—ideally also at low-intensity, see the “PKC Insight” below. It used to be acceptable to patch your system within a few days of a security update. Now, the gap between patch and exploit is so dangerously tight that most major security vulnerabilities are actually reported and silently fixed by the major vendors weeks or months before the bug is even publicly acknowledged. That’s what happened (and also failed to happen) with Spectre and Meltdown. In a world of continuous low-intensity attacks, you must identify out-of-date systems and patch continuously.
Second, continuous assessment is a healthy alternative to a draconian policy about change control. Change control boards suck. Why? Because they are always a bottleneck to Getting Things Done. And also because humans are horrible at exactly the type of work Change Management boards require: slogging through a haystack of tens of changes each week looking for that one change that actually matters. Continuous vulnerability assessment and remediation allow you to be reactive, while still reacting in near- real-time.
The PKC Insight
Now that we’ve covered why it’s important to do this control continuously, a brief word on the Vulnerability and Assessment part.
A lot of CISOs get hung up on how they’ll achieve the last 20% of this control, and go down a very expensive rabbit-hole. There are crazy solutions in the automated vulnerability / mitigation space. My advice is to start simple and follow the Pareto Principle. Don’t let the perfect be the enemy of the good. There are a lot of solid open-source options, like Facebook’s osquery, that when linked with some simple scripting and log monitoring, can get you pretty far. Take advantage of the native services provided by your cloud, like Security Center for Azure, and CloudWatch in AWS.
Another hidden way to help achieve these goals is to offload the responsibility on platforms that automatically patch the badness away. Worried about out-of-date Wordpress sites? Put them on WPEngine, which automatically applies security patches, and behind Cloudflare’s WAF, which actually adds filtering rules pre-patch-release to mitigate a vulnerability, and you’ve basically got this control covered, as it pertains to Wordpress deployments.
The previous article talked about the third SANS Top 20 control: Secure Configurations for Hardware and Software
The next article will talk about the fifth SANS Top 20 control: Controlled Use of Administrative Privileges