Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Travis Rosiek
Travis Rosiek
Connect Directly
E-Mail vvv

Is Compliance-Only Security Giving Cybercriminals Your Security Playbook?

Compliance-only security strategies aren't working. CISOs should squarely focus on being secure while achieving compliance.

Today's chief information security officer (CISO) is often judged by how well the organization adheres to compliance regulations. But when organizations focus solely on compliance, they are missing important cybersecurity practices and are essentially handing their security playbooks to attackers.

Related Content:

How 2 New Executive Orders May Reshape Cybersecurity & Supply Chains for a Post-Pandemic World

Special Report: Building the SOC of the Future

New From The Edge: 7 Powerful Cybersecurity Skills the Energy Sector Needs Most

This is because most organizations follow a specific set of industry-specific compliance requirements that are publicly available and typically have static, legacy security requirements baked in, which gives attackers a good sense for an organization's defenses. By understanding an organization's compliance regulations, a threat actor can better target and understand the barrier of entry in most organizations.

As an example, there are very few security requirements in the Health Insurance Portability and Accountability Act (HIPAA), as the regulation is mainly focused on privacy and encryption. In fact, HIPAA and other compliance regulations don't adequately address the risk of an external cyber-threat actor breaching and gaining access to an organization.

Compliance requirements are also fairly static and do not routinely update or mandate security requirements beyond basic measures such as reactive signature-based detection, one of the most common techniques used to address software threats aimed at a computer. It's up to the CISO to move beyond compliance and layer in additional security for the organization to keep up with cyber-threat actors' innovations. Compliance-only security strategies aren't working, and CISOs should squarely focus on advancing detection and accelerating detection coupled with network segmentation to avoid catastrophic hacks, breaches, ransomware, or other negative impacts.

One of the most important metrics for evaluating such threats looks at mean "dwell-time," or the amount of time before an attack is detected. According to Booz Allen Hamilton, cybersecurity dwell times may last between 200 and 250 days before discovery. The SolarWinds attack and long dwell time is enough evidence that CISOs need to strengthen their threat-detection procedures and build mitigations for third-party risk.

The following are some key cybersecurity strategies to consider when moving beyond compliance-only security to create a stronger defense.

1. Reduce Triage Times
Every security operations center (SOC) is drowning in events, and improving prioritization and reducing triage times will help improve threat detection and dramatically limit attacker dwell times. Creating an efficient and accurate triage process will make the most of SOC analysts' time, reduce the time to respond to and address incidents, and ensure that only valid alerts are promoted to "investigation or incident" status. Leveraging tools that are not black boxes and provide rich context and automated correlation to analysts is a good start. Every part of the triage process must be performed with urgency, as every second counts when potential hackers have access to an organization's network. Establishing a workflow that divides tasks among responders is a good first step. Workflow tools that automate assigning tasks can also help with reassigning or rejecting tasks to streamline the triage process. Speeding up triage times gives attackers less time to infiltrate and steal important data.

2. Protect Critical Data
Not all data is created equally in an organization, and companies must understand what data needs critical protection. Identifying key assets in advance is paramount to successfully guarding an organization against imminent security threats. The key to any good cybersecurity defense is to reduce exposure and minimize attack surfaces, but organizations can't protect everything equally, so sensitive data, like credit card or personal employee data, needs to be isolated from the core business network.

3. Minimize Trust Relationships
Minimizing trust relationships across parts of your business or third-party partners will help organizations better protect key assets and limit collateral damage if there is a successful attack. While organizations strive to implement zero-trust practices, this is more difficult than most security teams realize.

The basic premise of zero trust is to not trust someone until certain criteria are met. Unfortunately, most organizations don't know how many computers or users are on their network and don't know what type of data is located within the network. Implementing zero trust at scale means security teams need to know everything simultaneously at scale across the entire company — a daunting task. A more achievable first step may be to have organizations limit trust relationships by segmenting parts of their network to ensure a compromise in one area doesn't impact the entire company's network and data, which, unfortunately, happens all too often.

4. Practice Good Cybersecurity Hygiene
Organizations must keep up with basic cybersecurity hygiene, such as regularly patching applications, conducting simulated attacks, and performing regular cybersecurity training for employees. Most companies following a compliance-only security strategy will keep up with implementing security patches, but CISOs must move beyond basic compliance and design an organization with layers of cyber resiliency. And it starts with investing in basic cybersecurity practices.

The Risk of Compliance-Only Security
Cybersecurity adversaries are both opportunistic and patient. Attackers will wait for the right time to strike, such as during a natural disaster, a holiday, or simply a job change at the CISO level (as in some high-profile attacks). Attackers will also often seek the path of least resistance, and compliance-only security strategies offer a clear path to attack. Just upholding minimum compliance requirements gives hackers access to an organization's security playbook, which dramatically increases the likelihood of a security breach.

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.