As a Chief Information Security Officer (CISO) or Information Security manager, you have to make decisions on how to best mitigate and handle risks for your business. As with any proverbial cat, there are many ways to skin it. However, technology becomes a great friend to many a security program, with promises of providing compliance with regulations and standards, stopping zero-day vulnerabilities, and preventing the ever-feared data exfiltration.
With all of this technology installed, one might be led to think one has numerous security controls and a mature security program in place. But when does a technology really become a security control?
What is a Security Control?
A Security Control is a measure, technical or administrative, that is used to counteract, mitigate, or remove risks to security.
Upon cursory evaluation, this definition of a security control seems to support the assumption that when one deploys a firewall, anti-virus product, or IDS/IPS, one has indeed deployed a security control. However, breach after breach has shown that, despite the presence of these “controls,” threats were able to make it past them and exfiltrate data. One common reason is that many companies deploy a technology rather than deploying a control.
A Security Control, apart from the definition, also requires management, operationalization, and frequent auditing for effectiveness.
It should go without saying that if you cannot manage something, you cannot secure it. The same goes for security controls. If you are not actively managing your various technical controls, then you cannot expect those technologies to properly act against threats.
Management of technology means that someone is actively ensuring that the policy, settings, configuration, and adoption of said technology are being maintained. This could be ensuring that A/V is installed on all in-scope endpoints and servers across the organization. It can also mean ensuring that the appropriate policy is installed and active on all firewalls.
Management also means that the technology is being actively maintained and updated. Updating IDS and A/V signatures, upgrading the underlying software of point products and server products alike, patching vulnerabilities in these technologies themselves, and more are all actions that should be executed regularly. This ensures that the latest protections, features, and code are being used to properly secure your environment. Setting it and forgetting it is not a security control.
Do you know when security incidents and events occur? Do you know when your endpoint product found a threat that your IPS failed to stop? Do you have an automated process to forward those events to a ticketing system or operations team to investigate and respond to these events? Do you even investigate or respond to these events?
Most leading technology providers include APIs to integrate with third-party products on various functional levels. This allows one technology, say, an endpoint product, to inform and trigger a reaction in a different product, say, a firewall, to isolate or quarantine an infected system.
SIEMs are worth several separate articles. It should be noted for this discussion, however, that SIEMs provide a great way to automate and orchestrate operations in order to detect incidents and remediate them.
It is always great to have out-of-the-box protection, but if you haven’t customized alerting and haven’t set up processes to investigate those alerts and remediate incidents as part of security operations, then you do not have a security control.
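The management and operational questions above (is A/V present on every in-scope host, are signatures current, is the policy the intended one, are detections actually being triaged) can be turned into a repeatable check. The following is an added example, not code from the original article or any vendor; it assumes a constructed inventory export and alert export in the simple dictionary shape shown, and hypothetical thresholds in POLICY that an organization would set for itself.

```python
from datetime import datetime

# Constructed sample of an endpoint/A-V console export (not real hosts).
ENDPOINTS = [
    {"host": "ws-001", "in_scope": True, "av_installed": True, "sig_date": "2024-03-09", "policy": "corp-std"},
    {"host": "ws-002", "in_scope": True, "av_installed": True, "sig_date": "2024-02-20", "policy": "corp-std"},
    {"host": "srv-db1", "in_scope": True, "av_installed": False, "sig_date": None, "policy": None},
    {"host": "lab-kiosk", "in_scope": False, "av_installed": False, "sig_date": None, "policy": None},
    {"host": "ws-003", "in_scope": True, "av_installed": True, "sig_date": "2024-03-08", "policy": "default"},
]

# Constructed sample of A/V detections joined with the ticketing system.
ALERTS = [
    {"host": "ws-002", "detected": "2024-03-02T10:00", "ticket": None},        # never triaged
    {"host": "ws-001", "detected": "2024-03-10T09:30", "ticket": None},        # fresh, still within SLA
    {"host": "ws-003", "detected": "2024-03-01T08:00", "ticket": "INC-1042"},  # triaged
]

# Hypothetical thresholds; each organization sets its own.
POLICY = {"max_signature_age_days": 7, "required_policy": "corp-std", "max_untriaged_hours": 24}

# Fixed "now" so the assessment is reproducible; use datetime.now() in practice.
NOW = datetime(2024, 3, 10, 12, 0)


def assess_controls(endpoints, alerts, policy, now):
    """Return (host, finding) pairs where the technology is deployed but not managed/operated."""
    findings = []
    for ep in endpoints:
        if not ep["in_scope"]:
            continue                       # out-of-scope hosts are not measured against policy
        if not ep["av_installed"]:
            findings.append((ep["host"], "av_missing"))
            continue                       # nothing else to check without the agent
        sig_age_days = (now - datetime.fromisoformat(ep["sig_date"])).days
        if sig_age_days > policy["max_signature_age_days"]:
            findings.append((ep["host"], "signatures_stale"))
        if ep["policy"] != policy["required_policy"]:
            findings.append((ep["host"], "wrong_policy"))
    for alert in alerts:
        if alert["ticket"] is None:        # detection exists but nobody is working it
            age_hours = (now - datetime.fromisoformat(alert["detected"])).total_seconds() / 3600
            if age_hours > policy["max_untriaged_hours"]:
                findings.append((alert["host"], "alert_untriaged"))
    return findings


if __name__ == "__main__":
    for host, finding in assess_controls(ENDPOINTS, ALERTS, POLICY, NOW):
        print(f"{host}: {finding}")
```

An empty result means the technology is being managed and operated as intended; every finding is a gap between a deployed product and a working control.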
How is your technology being accessed? Who is accessing it? Are processes being followed for change control? Have you tested the efficacy of your technology? Have you run a vulnerability scan on your security appliances?
As with your other systems, processes, and people, you need to audit your security controls to ensure they are still doing what they need to do. You also need to make sure that only the appropriate people have been accessing the system, not only at the application level but at the operating system and physical access levels too.
This, of course, is in addition to your regular compliance audits and assessments you may be required to do.
Do you have Security Controls or just Technologies?
It should be noted that each compliance framework or regulation may have a different definition of “security control”; however, that does not make it the absolute definition. It is merely the definition you need to recognize for compliance purposes. Security should always be tailored to an organization’s circumstances and threat models. That means a security control must include managing, operationalizing, and auditing those controls in a continuous improvement model. Otherwise, you just have an expensive, blinky box.