Two Sides of the IT Security Coin

There are two sides of the IT security coin.  They are related and rely heavily on each other, but they are very different animals.  Without proper communication and understanding on both sides, things can become toxic and infuriating for IT staff and impossibly frustrating for end users. 

One side is tactical security.  These are the things we do to protect our data and systems.  This is the EDR, MDR, SIEM, SASE, Firewall, Security Operations Center, Incident Response, Vulnerability Scans, Penetration Testing, etc. The tactical side of security is full of tools and techniques that prevent, detect and stop the bad guys. 

The other side is compliance.  To oversimplify it, compliance is the documentation and evidence of all the tactical security things that you’re doing.  

Cybersecurity Requirements

The FTC, SEC and, most impactfully, insurance providers, are now requiring some form of IT security compliance.  And these things have teeth. 

Business leaders, those in C-level roles overseeing technology, are now being held personally responsible for their decisions.  Fines, legal consequences and even jail time are now on the table for breaches where management intentionally ignored risks or blocked best-practice security. 

A Few Examples

Take a look at the SolarWinds breach.  Tim Brown, their CISO, was charged with fraud by the SEC, which claimed he was ‘defrauding investors by overstating cybersecurity practices and understating or failing to disclose known risks’.  Compliance is no longer just about a seal of approval, it is now about personal legal protection for the C-suite.  In Tim’s case, he won the lawsuit and is now championing global cybersecurity laws (aka, compliance). 

Another case is Joe Sullivan, Uber’s former chief security officer, who was sentenced to three years of probation after covering up a data breach. 

Even if you’re not in a ‘regulated’ industry, every company is impacted by requirements to disclose when an IT security breach occurs.  The FTC Red Flags Rule requires written policies around identity theft.  To quote the FTC’s website: “The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or red flags – of identity theft in their day-to-day operations.” 

Cybersecurity Compliance

In the compliance world, we don’t really care how fancy the tool is or how many features it has, we care about checking the box on that vaguely written control and having some kind of report or screenshot that the auditor will accept as evidence.  Oh, and I’ll need that evidence every month, please? 

Yes, compliance can be annoying.  But it’s necessary.  It’s the interface between the technical folks and the non-technical: insurance, risk management, finance and business leaders. While annoying, compliance can be used to build a case for proper investment on the tactical side. 

The Convergence of Tactical and Compliance

The tactical side of security is like a police officer in SWAT gear running through a house with tasers, guns and flash/bang grenades.  It’s terrifying, and occasionally, action packed. 

The compliance side of security is like that same police officer the following day who has to sit down and calmly write out a report in great detail, documenting every turn made, every decision, every use of a tool.  The action-packed side is difficult to translate into a courtroom, which is why the lawyers and judges need the reports. 

IT security compliance is simply writing the report ahead of time.  Providing evidence of the policies, settings and programs you use to tactically protect company data. 

Yeah, I said the word policies.  Now, here’s where things get difficult.  Compliance isn’t just about the firewall ports that are open or how detailed your SIEM is, there’s a people side that’s extremely important as well.  This is where policies come into play.  Computer use policies, work from home policies, TPM report policies ;).  Compliance officers have to work with both the tactical IT folks and the business management to ensure employees are properly trained and aware of their responsibilities. 

Being a compliance officer is boring, it’s methodical and there’s pressure from all sides to ‘get off my lawn’! 

On our journey to SOC2 and ISO27001 compliance, there are 304 controls that require written policies and evidence.  Some of these I find fun, like ‘Threat intelligence’.  I love showing off our SIEM and know that it does a great job of covering this.  But there’s another one: ‘Application of Sanctions’, not so much fun writing or reviewing a policy about firing someone. 

It takes a special person to handle the tactical side of security.  To think of the dark ways in which an attacker can sneak into your environment and steal data.  It also takes a very special person to love checkboxes and turning vague wording into actionable documentation.  Rarely are these the same two people, but the organization needs both, working in harmony, to keep them safe. 

Here at DataTel, we have the unique capability of providing both sides of this security coin and I’m old enough to have transitioned from the young guy busting through the door in tactical gear to the desk guy checking the boxes.

Tactical Tools

Let’s talk about some tactical tools that make compliance much, *much* easier: 

SIEM: Security Information and Event Management.  It’s a fancy way of saying ‘capture all the logs’.  A SIEM is a bit of software and a huge amount of storage that collects everything happening across the enterprise.  From ‘Sally opened a file’ to ‘Jim visited a website’ to ‘This software started changing a whole bunch of files at once’.   The job of a SIEM is to collate data from endpoints, firewalls, security software, identity management systems and more, turning it into actionable data. 

That’s really hard to do well.  There are plenty of SIEM solutions out there – free ones, paid ones, ones built into platforms like Microsoft 365.  A good SIEM has a ton of integrations and collects logs from the endpoint to the cloud.   

A great SIEM correlates events into a cohesive story, allowing you to track an email being delivered to Billy, him clicking the link, the DNS queries being made, the website content being loaded and the application username and password being entered.  On the application side, it should now notice that a login is happening from an unusual country or location.  That’s right, credentials were just stolen and a good SIEM tracks that back to the source. 

Combine that with a SOAR (Security, Orchestration, Automation & Response) and now that story becomes action: automatically locking down the user account, killing active sessions and starting incident response. 
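The correlation story above, written out as code so the steps are concrete: this is an added example, not the SIEM or SOAR the post describes. It stitches constructed log events (mail delivery, proxy click, DNS query, page load, credential POST, application login) into one chain per user, flags the chain when the login comes from a country outside that user’s baseline, and then turns the finding into an ordered playbook. Event fields, feed names and the action names in `plan_response` are assumptions for illustration.

```python
"""Added example: correlating a phishing-to-credential-theft chain from
constructed log events, then planning the SOAR response.  Not the author's
SIEM; event shapes and field names are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Event:
    ts: datetime
    source: str     # which feed produced it: mail, proxy, dns, app
    user: str
    kind: str       # email_delivered, url_click, dns_query, http_get, http_post, app_login
    detail: dict = field(default_factory=dict)


T0 = datetime(2024, 5, 6, 9, 0, 0)
PHISH = "portal-login.example-lookalike.test"   # constructed, not a real domain

# Constructed sample feed: Billy's chain plus benign noise from Sally.
SAMPLE_EVENTS = [
    Event(T0, "mail", "billy", "email_delivered",
          {"sender": "helpdesk@example-lookalike.test", "url": f"https://{PHISH}/"}),
    Event(T0 + timedelta(minutes=4), "proxy", "billy", "url_click", {"url": f"https://{PHISH}/"}),
    Event(T0 + timedelta(minutes=4, seconds=1), "dns", "billy", "dns_query", {"qname": PHISH}),
    Event(T0 + timedelta(minutes=4, seconds=2), "proxy", "billy", "http_get", {"host": PHISH, "path": "/"}),
    Event(T0 + timedelta(minutes=5), "proxy", "billy", "http_post", {"host": PHISH, "path": "/login"}),
    Event(T0 + timedelta(hours=2), "app", "billy", "app_login", {"country": "RO", "src_ip": "203.0.113.9"}),
    Event(T0 + timedelta(minutes=10), "app", "sally", "app_login", {"country": "US", "src_ip": "198.51.100.4"}),
]

# Where each user normally signs in from (assumed baseline the SIEM would learn).
BASELINE_COUNTRIES = {"billy": {"US"}, "sally": {"US"}}


def _host_of(e):
    """Hostname an event touched, whichever feed it came from."""
    if "url" in e.detail:
        return urlparse(e.detail["url"]).hostname
    return e.detail.get("qname") or e.detail.get("host")


def correlate_credential_theft(events, baseline, window=timedelta(hours=24)):
    """Return {user: finding} for users who clicked a mailed link and then
    logged in to the app from a country outside their baseline within `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    findings = {}
    for user, evs in by_user.items():
        mailed = {_host_of(e): e for e in evs if e.kind == "email_delivered" and "url" in e.detail}
        for click in (e for e in evs if e.kind == "url_click"):
            host = _host_of(click)
            if host not in mailed:
                continue                      # link did not arrive by email; out of scope here
            # Stitch the story: mail -> click -> DNS / page load / POST to that host.
            chain = [mailed[host], click] + [
                f for f in evs
                if f.ts >= click.ts and f.kind in ("dns_query", "http_get", "http_post")
                and _host_of(f) == host
            ]
            posted = any(f.kind == "http_post" for f in chain)
            for login in (f for f in evs if f.kind == "app_login"):
                unusual = login.detail["country"] not in baseline.get(user, set())
                if click.ts <= login.ts <= click.ts + window and unusual:
                    chain.append(login)
                    findings[user] = {
                        "phish_host": host,
                        "credentials_posted": posted,
                        "login_country": login.detail["country"],
                        "chain": chain,
                    }
    return findings


def plan_response(findings):
    """SOAR-style playbook: turn each finding into ordered actions (assumed action names)."""
    actions = []
    for user, f in findings.items():
        actions += [("disable_account", user), ("revoke_sessions", user),
                    ("block_domain", f["phish_host"]), ("open_incident", user)]
    return actions


if __name__ == "__main__":
    found = correlate_credential_theft(SAMPLE_EVENTS, BASELINE_COUNTRIES)
    for user, f in found.items():
        print(f"{user}: credentials posted to {f['phish_host']}, login from {f['login_country']}")
        for e in f["chain"]:
            print(f"  {e.ts.time()} {e.source:5} {e.kind}")
    print(plan_response(found))
```

The point the post makes about correlation is visible in the output: no single feed is alarming on its own (a click, a DNS query, a login), but the chain across mail, proxy, DNS and application logs is. The `window` and the baseline are the knobs that generate false positives or misses, which is why the post says a SIEM needs constant feeding and care.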

None of this is set-and-forget.  The SIEM needs constant feeding and care.  Unlike the orderly, carefully documented and analyzed blue side of IT security, the red attackers move quickly, silently and erratically.  They are constantly finding new ways to breach our systems.  Yesterday alone, there were 85 new known vulnerabilities posted.  Free, low cost or internally managed SIEM solutions run the risk of being great security cameras: they can show you what happened in the past, but they’re useless in the now because we can’t sit there and watch thousands of events in real time. 

A properly managed SIEM and SOAR are tools that both check the compliance boxes AND provide meaningful security response to prevent data from being stolen. 

Antivirus Solutions

This same concept applies to antivirus solutions.  Yes, I’m old, so I’m going to call things by what they used to be.  Marketing would prefer EDR, MDR, MXDR, A-I-M-X-E-D-R.  You know, that software that detects and blocks malicious code from running.  These days, A/V is more of a collection tool for the SIEM.  We’ve gotten pretty good at detecting and preventing ransomware from running, so attackers rarely bother anymore.  Internet connections are so fast that they would rather just steal the information and blackmail you. 

Holding Data Hostage

Ok, another quick tangent: holding data hostage.  They get the data, you pay the ransom, they claim to delete it…  really?   You know they’re just going to hold onto that data for a year or so, then sell it off anyway.  They’re greedy and criminals, why would they pass on the opportunity to make money from both sides?  Folks: Don’t pay ransom demands, regardless of the PR impact.  All it does is delay the inevitable. 

Zero Trust

Next on our toolbelt is a term: Zero Trust.  This fancy word started being thrown around a few years ago, but the concept is very, very old.  We used to call it micro segmentation, which doesn’t have the letter Z, so it’s not sexy.  It’s the concept of building your network in a way that limits a user or device’s access.  Anyone remember setting up and managing DMZs?  That’s a form of micro segmentation or zero trust. 

Today, there are tools that can rapidly and easily deploy zero trust across the entire enterprise without making any network changes.  For example, ours identifies the user when they log into the computer and applies dynamic firewall rules based on their group membership.  If you’re part of the accounting group, you can see the accounting servers.  If you’re not part of accounting, your computer has no clue those servers even exist. 

This goes far beyond permissions, preventing even basic visibility between endpoints. 

From the compliance side, this checks off a lot of boxes: identity management, data isolation and access control.  It’s a lot easier to provide evidence that a user simply can’t see the source of the data, rather than proving that granular permissions are working properly. 
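To make the group-driven, “you can’t even see it” behaviour concrete, here is an added example that is not the vendor’s product or the author’s configuration. Given a constructed server inventory tagged by owning group, it derives the per-user rule set an endpoint would receive at logon and evaluates the same policy for a single packet. The inventory, group names and the nftables-style rule syntax are assumptions for illustration; the security-relevant choice is the final default drop over the whole corporate range, which answers nothing at all, so a host the user is not entitled to looks absent rather than refused.

```python
"""Added example: deriving per-user host firewall rules from group membership,
so servers outside the user's groups are not merely denied but invisible.
Illustration only, not the vendor's product; inventory and group names are constructed."""
import ipaddress

# Constructed server inventory: which group "owns" each server and on what port.
INVENTORY = {
    "acct-db-01":  {"ip": "10.10.5.10", "port": 1433, "group": "accounting"},
    "acct-app-01": {"ip": "10.10.5.11", "port": 443,  "group": "accounting"},
    "hr-db-01":    {"ip": "10.10.7.10", "port": 5432, "group": "hr"},
    "intranet-01": {"ip": "10.10.9.10", "port": 443,  "group": "all-staff"},
}
CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed range the policy covers


def visible_servers(user_groups, inventory=INVENTORY):
    """Servers the user may see: only those owned by one of their groups."""
    groups = set(user_groups)
    return sorted(name for name, s in inventory.items() if s["group"] in groups)


def build_rules(user, user_groups, inventory=INVENTORY):
    """nftables-style rule lines (assumed syntax) pushed to the user's endpoint at logon.
    Allowed hosts get an accept on their service port; everything else in the
    corporate range is silently dropped, so probes get no reply at all."""
    rules = [f"# dynamic rules for {user} ({', '.join(sorted(user_groups))})"]
    for name in visible_servers(user_groups, inventory):
        s = inventory[name]
        rules.append(f"ip daddr {s['ip']} tcp dport {s['port']} accept  # {name}")
    rules.append(f"ip daddr {CORP_NET} drop  # default: no visibility")
    return rules


def can_reach(user_groups, dst_ip, dst_port, inventory=INVENTORY):
    """Evaluate the same policy for one packet, the way the endpoint firewall would.
    Returns True only when an explicit accept matches; inside the corporate range
    everything else hits the default drop.  Traffic outside the range is not
    decided by this policy and is reported as passing it."""
    ip = ipaddress.ip_address(dst_ip)
    for name in visible_servers(user_groups, inventory):
        s = inventory[name]
        if ip == ipaddress.ip_address(s["ip"]) and dst_port == s["port"]:
            return True
    return ip not in CORP_NET


if __name__ == "__main__":
    for rule in build_rules("jane", {"accounting", "all-staff"}):
        print(rule)
    print("jane -> hr-db-01:", can_reach({"accounting", "all-staff"}, "10.10.7.10", 5432))
```

Two things worth noting for the evidence discussion in the post: the rule set is generated from the directory group, so the audit artefact is the group membership plus this generator, not a hand-maintained firewall; and because the default is drop rather than reject, the same-host-wrong-port case (`acct-db-01` on port 22) is treated exactly like a server the user has never heard of.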

The Compliance Side of the Coin

Shifting gears to compliance: How many of you are still working off of spreadsheets?  As business data sprawls across the globe and compliance requirements get more and more detailed, keeping track of controls, evidence, tasks, vendors and control breaks becomes very difficult. 

There are plenty of compliance platforms out there, expensive software that integrates with some things, but not all.  Most of these platforms are geared toward software development, because that’s the current hotness.  Every software vendor must have SOC2 and there’s a ton of money available for intellectual property. 

For the rest of us, these platforms are a great step up from spreadsheets, but they lack the flexibility that we, on the non-development corporate side, could really use.  We have partnered with a company called Cyber Sierra who has built a really unique compliance platform.  Not only do they integrate with your normal list of applications, but they also build custom integrations into any platform with an API.  Yes, your ERP compliance evidence can now be automated! 

The platform also tracks control breaks, automatically assigning tasks to get things back on track.  And with AI, filling out those pesky insurance security questionnaires becomes a copy/paste task.  Upload the questionnaire, the software fills it out based on your compliance programs, controls and policies.  Simply download and send it back.

Conclusion

In conclusion:  compliance is a massive task.  It requires collaboration between business leaders and information technology.  It requires patience and great levels of detail.  All of this can be made easier with a smart set of tools.  

One more thing about tools: they cost money.  Just a simple, plain fact.  Smart tools pay for themselves.  To justify tool spending, find the business case.  The single most expensive part of any business is people.  People take time and turn it into product and thus, money.  Any smart tool that saves sufficient time to pay for itself is worth the investment. 

For example, a security platform that combines SASE, Zero Trust, SIEM, SOAR, EDR and compliance management?  That’s a unique set of features that saves hundreds of hours of work, not just on the IT side, but for the end users.  No more VPN software or worry about a computer on a personal network with a VPN getting breached. 

No, that’s not some sky-high promise of a utopian future, it’s the reality of now.  These are things I use every day to secure our clients’ data.

If you would like to discuss your cybersecurity posture and growth strategy with our IT services experts, schedule a consultation at your convenience.