Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Travis Rosiek
Travis Rosiek
Connect Directly
E-Mail vvv

Is Compliance-Only Security Giving Cybercriminals Your Security Playbook?

Compliance-only security strategies aren't working. CISOs should squarely focus on being secure while achieving compliance.

Today's chief information security officer (CISO) is often judged by how well the organization adheres to compliance regulations. But when organizations focus solely on compliance, they are missing important cybersecurity practices and are essentially handing their security playbooks to attackers.

Related Content:

How 2 New Executive Orders May Reshape Cybersecurity & Supply Chains for a Post-Pandemic World

Special Report: Building the SOC of the Future

New From The Edge: 7 Powerful Cybersecurity Skills the Energy Sector Needs Most

This is because most organizations follow a specific set of industry-specific compliance requirements that are publicly available and typically have static, legacy security requirements baked in, which gives attackers a good sense for an organization's defenses. By understanding an organization's compliance regulations, a threat actor can better target and understand the barrier of entry in most organizations.

As an example, there are very few security requirements in the Health Insurance Portability and Accountability Act (HIPAA), as the regulation is mainly focused on privacy and encryption. In fact, HIPAA and other compliance regulations don't adequately address the risk of an external cyber-threat actor breaching and gaining access to an organization.

Compliance requirements are also fairly static and do not routinely update or mandate security requirements beyond basic measures such as reactive signature-based detection, one of the most common techniques used to address software threats aimed at a computer. It's up to the CISO to move beyond compliance and layer in additional security for the organization to keep up with cyber-threat actors' innovations. Compliance-only security strategies aren't working, and CISOs should squarely focus on advancing detection and accelerating detection coupled with network segmentation to avoid catastrophic hacks, breaches, ransomware, or other negative impacts.

One of the most important metrics for evaluating such threats looks at mean "dwell-time," or the amount of time before an attack is detected. According to Booz Allen Hamilton, cybersecurity dwell times may last between 200 and 250 days before discovery. The SolarWinds attack and long dwell time is enough evidence that CISOs need to strengthen their threat-detection procedures and build mitigations for third-party risk.

The following are some key cybersecurity strategies to consider when moving beyond compliance-only security to create a stronger defense.

1. Reduce Triage Times
Every security operations center (SOC) is drowning in events, and improving prioritization and reducing triage times will help improve threat detection and dramatically limit attacker dwell times. Creating an efficient and accurate triage process will make the most of SOC analysts' time, reduce the time to respond to and address incidents, and ensure that only valid alerts are promoted to "investigation or incident" status. Leveraging tools that are not black boxes and provide rich context and automated correlation to analysts is a good start. Every part of the triage process must be performed with urgency, as every second counts when potential hackers have access to an organization's network. Establishing a workflow that divides tasks among responders is a good first step. Workflow tools that automate assigning tasks can also help with reassigning or rejecting tasks to streamline the triage process. Speeding up triage times gives attackers less time to infiltrate and steal important data.

2. Protect Critical Data
Not all data is created equally in an organization, and companies must understand what data needs critical protection. Identifying key assets in advance is paramount to successfully guarding an organization against imminent security threats. The key to any good cybersecurity defense is to reduce exposure and minimize attack surfaces, but organizations can't protect everything equally, so sensitive data, like credit card or personal employee data, needs to be isolated from the core business network.

3. Minimize Trust Relationships
Minimizing trust relationships across parts of your business or third-party partners will help organizations better protect key assets and limit collateral damage if there is a successful attack. While organizations strive to implement zero-trust practices, this is more difficult than most security teams realize.

The basic premise of zero trust is to not trust someone until certain criteria are met. Unfortunately, most organizations don't know how many computers or users are on their network and don't know what type of data is located within the network. Implementing zero trust at scale means security teams need to know everything simultaneously at scale across the entire company — a daunting task. A more achievable first step may be to have organizations limit trust relationships by segmenting parts of their network to ensure a compromise in one area doesn't impact the entire company's network and data, which, unfortunately, happens all too often.

4. Practice Good Cybersecurity Hygiene
Organizations must keep up with basic cybersecurity hygiene, such as regularly patching applications, conducting simulated attacks, and performing regular cybersecurity training for employees. Most companies following a compliance-only security strategy will keep up with implementing security patches, but CISOs must move beyond basic compliance and design an organization with layers of cyber resiliency. And it starts with investing in basic cybersecurity practices.

The Risk of Compliance-Only Security
Cybersecurity adversaries are both opportunistic and patient. Attackers will wait for the right time to strike, such as during a natural disaster, a holiday, or simply a job change at the CISO level (as in some high-profile attacks). Attackers will also often seek the path of least resistance, and compliance-only security strategies offer a clear path to attack. Just upholding minimum compliance requirements gives hackers access to an organization's security playbook, which dramatically increases the likelihood of a security breach.

With nearly 20 years of experience in the security industry, Travis is a highly accomplished cyber defense leader having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file