Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/30/2021
10:00 AM
Travis Rosiek
Travis Rosiek
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Is Compliance-Only Security Giving Cybercriminals Your Security Playbook?

Compliance-only security strategies aren't working. CISOs should squarely focus on being secure while achieving compliance.

Today's chief information security officer (CISO) is often judged by how well the organization adheres to compliance regulations. But when organizations focus solely on compliance, they are missing important cybersecurity practices and are essentially handing their security playbooks to attackers.

Related Content:

How 2 New Executive Orders May Reshape Cybersecurity & Supply Chains for a Post-Pandemic World

Special Report: Building the SOC of the Future

New From The Edge: 7 Powerful Cybersecurity Skills the Energy Sector Needs Most

This is because most organizations follow a specific set of industry-specific compliance requirements that are publicly available and typically have static, legacy security requirements baked in, which gives attackers a good sense for an organization's defenses. By understanding an organization's compliance regulations, a threat actor can better target and understand the barrier of entry in most organizations.

As an example, there are very few security requirements in the Health Insurance Portability and Accountability Act (HIPAA), as the regulation is mainly focused on privacy and encryption. In fact, HIPAA and other compliance regulations don't adequately address the risk of an external cyber-threat actor breaching and gaining access to an organization.

Compliance requirements are also fairly static and do not routinely update or mandate security requirements beyond basic measures such as reactive signature-based detection, one of the most common techniques used to address software threats aimed at a computer. It's up to the CISO to move beyond compliance and layer in additional security for the organization to keep up with cyber-threat actors' innovations. Compliance-only security strategies aren't working, and CISOs should squarely focus on advancing detection and accelerating detection coupled with network segmentation to avoid catastrophic hacks, breaches, ransomware, or other negative impacts.

One of the most important metrics for evaluating such threats looks at mean "dwell-time," or the amount of time before an attack is detected. According to Booz Allen Hamilton, cybersecurity dwell times may last between 200 and 250 days before discovery. The SolarWinds attack and long dwell time is enough evidence that CISOs need to strengthen their threat-detection procedures and build mitigations for third-party risk.

The following are some key cybersecurity strategies to consider when moving beyond compliance-only security to create a stronger defense.

1. Reduce Triage Times
Every security operations center (SOC) is drowning in events, and improving prioritization and reducing triage times will help improve threat detection and dramatically limit attacker dwell times. Creating an efficient and accurate triage process will make the most of SOC analysts' time, reduce the time to respond to and address incidents, and ensure that only valid alerts are promoted to "investigation or incident" status. Leveraging tools that are not black boxes and provide rich context and automated correlation to analysts is a good start. Every part of the triage process must be performed with urgency, as every second counts when potential hackers have access to an organization's network. Establishing a workflow that divides tasks among responders is a good first step. Workflow tools that automate assigning tasks can also help with reassigning or rejecting tasks to streamline the triage process. Speeding up triage times gives attackers less time to infiltrate and steal important data.

2. Protect Critical Data
Not all data is created equally in an organization, and companies must understand what data needs critical protection. Identifying key assets in advance is paramount to successfully guarding an organization against imminent security threats. The key to any good cybersecurity defense is to reduce exposure and minimize attack surfaces, but organizations can't protect everything equally, so sensitive data, like credit card or personal employee data, needs to be isolated from the core business network.

3. Minimize Trust Relationships
Minimizing trust relationships across parts of your business or third-party partners will help organizations better protect key assets and limit collateral damage if there is a successful attack. While organizations strive to implement zero-trust practices, this is more difficult than most security teams realize.

The basic premise of zero trust is to not trust someone until certain criteria are met. Unfortunately, most organizations don't know how many computers or users are on their network and don't know what type of data is located within the network. Implementing zero trust at scale means security teams need to know everything simultaneously at scale across the entire company — a daunting task. A more achievable first step may be to have organizations limit trust relationships by segmenting parts of their network to ensure a compromise in one area doesn't impact the entire company's network and data, which, unfortunately, happens all too often.

4. Practice Good Cybersecurity Hygiene
Organizations must keep up with basic cybersecurity hygiene, such as regularly patching applications, conducting simulated attacks, and performing regular cybersecurity training for employees. Most companies following a compliance-only security strategy will keep up with implementing security patches, but CISOs must move beyond basic compliance and design an organization with layers of cyber resiliency. And it starts with investing in basic cybersecurity practices.

The Risk of Compliance-Only Security
Cybersecurity adversaries are both opportunistic and patient. Attackers will wait for the right time to strike, such as during a natural disaster, a holiday, or simply a job change at the CISO level (as in some high-profile attacks). Attackers will also often seek the path of least resistance, and compliance-only security strategies offer a clear path to attack. Just upholding minimum compliance requirements gives hackers access to an organization's security playbook, which dramatically increases the likelihood of a security breach.

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3556
PUBLISHED: 2021-10-26
HHVM supports the use of an "admin" server which accepts administrative requests over HTTP. One of those request handlers, dump-pcre-cache, can be used to output cached regular expressions from the current execution context into a file. The handler takes a parameter which specifies where o...
CVE-2021-35499
PUBLISHED: 2021-10-26
The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim...
CVE-2021-41182
PUBLISHED: 2021-10-26
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now t...
CVE-2021-41183
PUBLISHED: 2021-10-26
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now al...
CVE-2021-41184
PUBLISHED: 2021-10-26
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a...