Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

// // //
6/30/2021
10:00 AM
Travis Rosiek
Travis Rosiek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv

Is Compliance-Only Security Giving Cybercriminals Your Security Playbook?

Compliance-only security strategies aren't working. CISOs should squarely focus on being secure while achieving compliance.

Today's chief information security officer (CISO) is often judged by how well the organization adheres to compliance regulations. But when organizations focus solely on compliance, they are missing important cybersecurity practices and are essentially handing their security playbooks to attackers.

Related Content:

How 2 New Executive Orders May Reshape Cybersecurity & Supply Chains for a Post-Pandemic World

Special Report: Building the SOC of the Future

New From The Edge: 7 Powerful Cybersecurity Skills the Energy Sector Needs Most

This is because most organizations follow a specific set of industry-specific compliance requirements that are publicly available and typically have static, legacy security requirements baked in, which gives attackers a good sense for an organization's defenses. By understanding an organization's compliance regulations, a threat actor can better target and understand the barrier of entry in most organizations.

As an example, there are very few security requirements in the Health Insurance Portability and Accountability Act (HIPAA), as the regulation is mainly focused on privacy and encryption. In fact, HIPAA and other compliance regulations don't adequately address the risk of an external cyber-threat actor breaching and gaining access to an organization.

Compliance requirements are also fairly static and do not routinely update or mandate security requirements beyond basic measures such as reactive signature-based detection, one of the most common techniques used to address software threats aimed at a computer. It's up to the CISO to move beyond compliance and layer in additional security for the organization to keep up with cyber-threat actors' innovations. Compliance-only security strategies aren't working, and CISOs should squarely focus on advancing detection and accelerating detection coupled with network segmentation to avoid catastrophic hacks, breaches, ransomware, or other negative impacts.

One of the most important metrics for evaluating such threats looks at mean "dwell-time," or the amount of time before an attack is detected. According to Booz Allen Hamilton, cybersecurity dwell times may last between 200 and 250 days before discovery. The SolarWinds attack and long dwell time is enough evidence that CISOs need to strengthen their threat-detection procedures and build mitigations for third-party risk.

The following are some key cybersecurity strategies to consider when moving beyond compliance-only security to create a stronger defense.

1. Reduce Triage Times
Every security operations center (SOC) is drowning in events, and improving prioritization and reducing triage times will help improve threat detection and dramatically limit attacker dwell times. Creating an efficient and accurate triage process will make the most of SOC analysts' time, reduce the time to respond to and address incidents, and ensure that only valid alerts are promoted to "investigation or incident" status. Leveraging tools that are not black boxes and provide rich context and automated correlation to analysts is a good start. Every part of the triage process must be performed with urgency, as every second counts when potential hackers have access to an organization's network. Establishing a workflow that divides tasks among responders is a good first step. Workflow tools that automate assigning tasks can also help with reassigning or rejecting tasks to streamline the triage process. Speeding up triage times gives attackers less time to infiltrate and steal important data.

2. Protect Critical Data
Not all data is created equally in an organization, and companies must understand what data needs critical protection. Identifying key assets in advance is paramount to successfully guarding an organization against imminent security threats. The key to any good cybersecurity defense is to reduce exposure and minimize attack surfaces, but organizations can't protect everything equally, so sensitive data, like credit card or personal employee data, needs to be isolated from the core business network.

3. Minimize Trust Relationships
Minimizing trust relationships across parts of your business or third-party partners will help organizations better protect key assets and limit collateral damage if there is a successful attack. While organizations strive to implement zero-trust practices, this is more difficult than most security teams realize.

The basic premise of zero trust is to not trust someone until certain criteria are met. Unfortunately, most organizations don't know how many computers or users are on their network and don't know what type of data is located within the network. Implementing zero trust at scale means security teams need to know everything simultaneously at scale across the entire company — a daunting task. A more achievable first step may be to have organizations limit trust relationships by segmenting parts of their network to ensure a compromise in one area doesn't impact the entire company's network and data, which, unfortunately, happens all too often.

4. Practice Good Cybersecurity Hygiene
Organizations must keep up with basic cybersecurity hygiene, such as regularly patching applications, conducting simulated attacks, and performing regular cybersecurity training for employees. Most companies following a compliance-only security strategy will keep up with implementing security patches, but CISOs must move beyond basic compliance and design an organization with layers of cyber resiliency. And it starts with investing in basic cybersecurity practices.

The Risk of Compliance-Only Security
Cybersecurity adversaries are both opportunistic and patient. Attackers will wait for the right time to strike, such as during a natural disaster, a holiday, or simply a job change at the CISO level (as in some high-profile attacks). Attackers will also often seek the path of least resistance, and compliance-only security strategies offer a clear path to attack. Just upholding minimum compliance requirements gives hackers access to an organization's security playbook, which dramatically increases the likelihood of a security breach.

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35734
PUBLISHED: 2022-08-16
'Hulu / ????' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app.
CVE-2022-36293
PUBLISHED: 2022-08-16
Buffer overflow vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001 All versions allows an attacker with an administrative privilege to execute arbitrary code via unspecified vectors.
CVE-2022-36344
PUBLISHED: 2022-08-16
An unquoted search path vulnerability exists in 'JustSystems JUST Online Update for J-License' bundled with multiple products for corporate users as in Ichitaro through Pro5 and others. Since the affected product starts another program with an unquoted file path, a malicious file may be executed wit...
CVE-2022-36381
PUBLISHED: 2022-08-16
OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor WAP-001 All versions allows an attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors.
CVE-2022-34156
PUBLISHED: 2022-08-16
'Hulu / ????' App for iOS versions prior to 3.0.81 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack.