Audit Once, Comply Many
and other lies in cybersecurity.
@tsudo
Keith S. Crawford | Little Rock Tech Fest 2022 | #LRTF2022
Are you a good driver?
I haven’t had any tickets in 5+ years.
I have auto insurance.
I attended driver education.
Do you have a good cyber program?
No breaches in 3yrs*
We perform an annual pen test.
I have a SOC report.
TABLE OF CONTENTS
01 THE CHALLENGE
02 SUCCESS THROUGH CLARITY
03 DEATH BY ALPHABET
04 CONTROLS ARE TERRIBLE
05 HOW I LEARNED TO LOVE THE CONTROL
How to build and maintain a structured cybersecurity program that inspires confidence
ABOUT ME
Cybersecurity GRC specialist, Supervisor of Assurance for
Arkansas Blue Cross and Blue Shield.
For the past decade I’ve helped organizations build sustainable
& practical security programs that auditors love.
I love helping organizations transform & thrive through
cybersecurity and compliance.
• vCISO – Finance & Healthcare
• SOC Specialist
• CISSP, CCSFP, CCSK
• 800-53 fanboy
THE CHALLENGE
01
Most orgs struggle to describe their
security program in a manner that
inspires confidence.
Disclaimer
The views in this presentation are my own and do not necessarily represent the views of Arkansas Blue Cross.
Adopt the SU/CR FRAMEWORK.
The Security Unicorns and Compliance Rainbows framework is fictional. I apologize.
63 international standards mapped
2 days to deploy, because it is designed to work out-of-the-box
50K SU/CR clients worldwide
The Real Answer.
You must adopt, customize, define, test, and
maintain security controls.
Yes, really.
SUCCESS
THROUGH
CLARITY
02
FFIEC CAT
Federal Financial Institutions Examination
Council (FFIEC) developed the Cybersecurity
Assessment Tool (CAT) – Regulators FDIC,
NCUA.
CMMC*
Cybersecurity Maturity Model Certification,
DoD program that applies to Defense
Industrial Base (DIB) contractors. Required
for acquisitions/contracts.
CMMC
If it hadn’t been for those darn kids.
DFARS ➡ 800-171 ➡ 800-53
HIPAA
Few understand it.
Fewer practice it.
DEATH BY ALPHABET 03
We are drowning in standards.
AICPA SOC
HITRUST
NIST CSF
CCM / CAIQ
CIS20
ISO 27001
HIPAA
BSIMM
PCI
PCI SSF
GDPR
CCPA
And whatever set of questions your latest client just sent over.
There are some good efforts…
Wasn’t SOC supposed to solve this?
CONTROLS ARE
TERRIBLE 04
A Security Control
The safeguard or countermeasure prescribed for
an organization and/or information system(s) to
protect the confidentiality, integrity, and availability
of information.
In other words, a documented expected outcome.
NIST CSF – DE.CM-4
Malicious code is detected.
FFIEC - D3.DC.Ev.B.2
Mechanisms (e.g., antivirus alerts, log event alerts) are in
place to alert management to potential attacks.
AICPA SOC CC 7.2.ii
Detection policies and procedures are defined and
implemented, and detection tools are implemented on
Infrastructure and software to identify anomalies in the
operation or unusual activity on systems. Procedures may
include (1) a defined governance process for security
event detection and management that includes provision
of resources; (2) use of intelligence sources to identify
newly discovered threats and vulnerabilities; and (3)
logging of unusual system activities.
REDACTED
The organization configures malicious code and spam
protection mechanisms to (i) perform periodic scans of the
information system according to organization guidelines;
(ii) perform real-time scans of files from external sources
at endpoints and network entry/exit points as the files are
downloaded, opened, or executed in accordance with
organizational security policy; and, (iii) block malicious
code, quarantine malicious code, or send an alert to the
administrator in response to malicious code detection.
800-53 SI-3
Implement signature based or non-signature based
malicious code protection mechanisms at system entry
and exit points to detect and eradicate malicious code;
Automatically update malicious code protection
mechanisms as new releases are available in accordance
with organizational configuration management policy and
procedures;
800-53 SI-3 continued…
Configure malicious code protection mechanisms to:
• Perform periodic scans of the system [frequency] and real-time scans of files from external sources at endpoints; firewalls, as the files are downloaded, opened, or executed in accordance with organizational policy; and
• Block malicious code OR quarantine malicious code; and send alert to TEAM in response to malicious code detection; and
• Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
Pick your poison
There is NO single set of controls that fits your org or addresses all security/privacy concerns.
Mission must drive adequacy.
HOW I LEARNED
TO LOVE THE
CONTROL
05
THE PLAN
ADOPT ➡ CUSTOMIZE ➡ DEFINE ➡ TEST & MAINTAIN
Adopt
Start somewhere.
Try NIST CSF or CIS18.
If you have more risk or complexity, dive into 800-53.
Customize
Non-signature based malicious code detection will be deployed on all workstations & servers. It will be updated continuously. Full scans will be performed weekly. Threats will be quarantined and appropriate parties alerted in a timely manner.
Define (1)
The organization has deployed XYZ EDR to all
Windows workstations and servers. The EDR is
centrally managed via a cloud management
console. Detection and version updates are
deployed automatically.
Define (2)
The following scans are configured for all workstations:
• Periodic scans – Weekly
• Active file scans upon download or execution
Define (3)
The EDR is configured to alert the SOC via an API integration with the SIEM platform. The alert thresholds are configured to Sev1 for threats that fail quarantine and Sev2 for quarantined threats. False positives are reviewed on a weekly basis via the console/report.
TEST & MAINTAIN
Narrow each control based on ownership.
For each promise, how would you prove it?
Define (1)
The organization has deployed XYZ EDR to all
Windows workstations and servers. The EDR is
centrally managed via a cloud management
console. Detection and version updates are
deployed automatically.
Ownership
The organization has deployed EDR to all
Windows workstations and servers. – (Base
Image, GPO, Desktop Team)
The EDR is centrally managed via a cloud
management console. Detection and version
updates are deployed automatically. – (EDR,
MSP, SecEng)
Testing
The organization has deployed EDR to all
Windows workstations and servers. –
(Detective Control, population report)
The EDR is centrally managed via a cloud
management console. Detection and version
updates are deployed automatically. – (same)
MAINTAIN
Maintain Mapping
Bake controls into change management!!!!!!
Watch for guidance changes.
All this work gets you…
The flexibility to describe your program to a variety
of standards.
The ability to measure
• coverage (do we have the right controls)
• confidence (are the controls effective)
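As an added example that is not part of the talk, one way to put the plan into code: the Define (1) control split into its two ownership promises, each backed by the detective population test the Testing slide describes, mapped to the four requirement ids quoted earlier, with coverage and confidence computed as the closing slide defines them. Host names, sensor versions, the CTL-EDR control id and the PLACEHOLDER-1 requirement are constructed sample data.

```python
"""Control register for one control, following the deck's plan: define promises,
assign ownership, test each promise, then measure coverage and confidence."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed CMDB export: the in-scope Windows hosts the control promises to cover.
ASSET_INVENTORY = {"ws-0101", "ws-0102", "ws-0103", "srv-db01", "srv-app01"}
# Constructed EDR console "population report": hosts checking in, with sensor version.
EDR_POPULATION = {"ws-0101": "7.3.1", "ws-0102": "7.3.1",
                  "srv-db01": "7.3.1", "srv-app01": "7.3.1"}
CURRENT_SENSOR = "7.3.1"  # latest vendor release (constructed)

@dataclass
class Promise:
    statement: str
    owners: tuple                 # who can prove it (Base Image, GPO, Desktop Team, ...)
    test: Callable[[], list]      # detective test; returns exceptions, empty == pass
    exceptions: list = field(default_factory=list)

def test_population() -> list:
    """Population test: every in-scope host must appear in the EDR report."""
    return sorted(ASSET_INVENTORY - set(EDR_POPULATION))

def test_auto_update() -> list:
    """Automatic updates imply every sensor is on the current release."""
    return sorted(h for h, v in EDR_POPULATION.items() if v != CURRENT_SENSOR)

# Define (1), narrowed by ownership as on the Ownership slide.
PROMISES = [
    Promise("EDR deployed to all Windows workstations and servers",
            ("Base Image", "GPO", "Desktop Team"), test_population),
    Promise("Detection and version updates deployed automatically",
            ("EDR", "MSP", "SecEng"), test_auto_update),
]

# Requirements each framework asks about: the ids quoted in the deck plus one
# obviously constructed placeholder to show an uncovered requirement.
REQUIREMENTS = {
    "NIST CSF": ["DE.CM-4"],
    "FFIEC CAT": ["D3.DC.Ev.B.2"],
    "AICPA SOC": ["CC7.2"],
    "NIST 800-53": ["SI-3", "PLACEHOLDER-1"],
}
# One implementation, many standards: control id -> requirements it satisfies.
MAPPING = {"CTL-EDR": {"DE.CM-4", "D3.DC.Ev.B.2", "CC7.2", "SI-3"}}

def run_tests(promises=PROMISES) -> list:
    """Run every promise's detective test and record its exceptions."""
    for p in promises:
        p.exceptions = p.test()
    return promises

def confidence(promises=PROMISES) -> float:
    """Are the controls effective? Share of promises whose test found no exceptions."""
    run_tests(promises)
    return sum(1 for p in promises if not p.exceptions) / len(promises)

def coverage(requirements=REQUIREMENTS, mapping=MAPPING) -> dict:
    """Do we have the right controls? Per framework, share of requirements mapped."""
    mapped = set().union(*mapping.values())
    return {fw: sum(r in mapped for r in reqs) / len(reqs)
            for fw, reqs in requirements.items()}
```

With the constructed data, ws-0103 is in the asset inventory but absent from the EDR report, so the deployment promise fails while the update promise passes, and the one unmapped placeholder requirement drops 800-53 coverage to half.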

Editor's Notes

  1. CONFIDENCE TO… customers, prospects, board, yourself
  2. To clients, prospects, board, themselves Supply Chain Risks have significantly increased the need to demonstrate cybersecurity posture via a variety of frameworks, standards, audits, questionnaires, and attestations. Question: How can you manage a program that can withstand heightened scrutiny while providing you basis of confidence.
  3. Security Unicorns and Compliance Rainbows.
  4. Cloud Security Alliance – Open standards, gaining traction with financial industry. First to market with portal. HITRUST – comprehensive, maintain audit quality,