Managing Business Risk with Assurance Report Cards

This white paper explains how to manage cyber risk, which has joined the list of concerns of business executives, using Assurance Report Cards in SecurityCenter Continuous View.
Table of Contents

Introduction
Cybersecurity is a Business Issue
Standards, Control Objectives and Controls
  Standards and Frameworks
  Control Objectives
  Controls
Assurance Report Cards
Tenable's Critical Cyber Controls
Conclusion
About Tenable Network Security
Introduction

Business executives have traditionally been concerned with revenue, market share, competitive threats, expenses and economic indicators. Today, inundated with frequent headlines about high-profile security breaches, they have added cyber risk to that list. Executives need to know whether their organization is managing cyber risk adequately, and they must be able to communicate that information upward to board members, who have responsibility for risk oversight. Information security professionals, typically conversant in attack surfaces, threat vectors, anomalies and indicators of compromise, need a way to communicate the organization's risk and security posture in a manner that both executives and board members can readily understand. The challenge is to define a small set of metrics that are both comprehensive and quickly understood.

This white paper explains how SecurityCenter Continuous View with Assurance Report Cards enables Chief Information Security Officers and other security leaders to continuously demonstrate security assurance, using high-level business objectives supported by underlying metrics.

Cybersecurity is a Business Issue

Virtually every organization, whether a public or private company, a non-profit or a government agency, is responsible for safeguarding protected information, such as cardholder data, patient health information and personally identifiable information, and/or proprietary information, such as business plans, product designs and process documentation. Failure to safeguard this information may well result in breach notification costs, litigation, regulatory fines, a tarnished reputation, lost business and forensic consulting costs. According to the Ponemon Institute, the average cost of a data breach in 2014 was $3.5 million [1]. At a minimum, the organization must manage and secure this information with due care.
Due care refers to the degree of care expected from a reasonable person under the circumstances; the efforts expected from a prudent person in a given situation. Applied to cybersecurity, due care involves investigating and understanding the risks an organization faces, developing and implementing appropriate controls to manage those risks, and monitoring to ensure the controls are operating effectively. Due care is not a one-size-fits-all standard, because every organization is different: a bank's due care standard will differ from a manufacturing company's. If an organization does not practice due care with respect to the security of its information assets, the organization, its officers and its board of directors can be charged with negligence and held accountable for the consequences of that negligence. The due care principle applies broadly to all organizations with a fiduciary responsibility for protected data.

An additional concern for entities registered with the U.S. Securities and Exchange Commission (SEC) is the disclosure guidance for cybersecurity risk published by the SEC Division of Corporation Finance. The guidance pertains to how registered entities should disclose cybersecurity risk in public filings. Currently, disclosure of cybersecurity risk and incidents is not mandated by a specific SEC rule. However, the 2011 guidance communicated that various existing disclosure requirements may impose an obligation to disclose cybersecurity risks and incidents, and that material information about cybersecurity risks and incidents could be required to be disclosed in order to make other required disclosures not misleading.

[1] 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014
In a recent speech, SEC Commissioner Luis A. Aguilar said: "Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company's cybersecurity measures needs to be a critical part of a board of director's risk oversight responsibilities." [2]

Although information security professionals may suspect that business executives and board members do not know enough or care enough about cybersecurity, there is mounting evidence to the contrary. Research performed by EisnerAmper [3] shows that board members are quite concerned about cybersecurity-related risks, and the research was not restricted to boards of public companies: twenty-six percent of respondents were from private companies, and thirty-six percent from not-for-profit organizations. As shown in Figure 1, the top three concerns are related to information security.

Figure 1: Board Members' Top Risk Concerns

In addition to due care and cybersecurity risk disclosure guidance, many organizations are subject to government regulations and/or industry standards that define minimum requirements for safeguarding protected information. All these factors combine to make business leaders concerned about how their organization is managing cybersecurity risk.

[2] Cyber Risk and the Boardroom Conference, New York Stock Exchange, June 10, 2014
[3] Concerns About Risks Confronting Boards, Fifth Annual Board of Directors Survey, EisnerAmper, 2014
Standards, Control Objectives and Controls

Standards and Frameworks

Business and information security leaders are likely to agree on a top-level objective such as "managing cyber risk to acceptable levels in order to provide reasonable assurance regarding the achievement of the entity's objectives." The objective is straightforward; demonstrating reasonable assurance that cyber risk is actually being managed within acceptable levels requires a lot of heavy lifting. Keeping the due care principle in mind, it is generally prudent to base cybersecurity control objectives on recognized standards and frameworks, such as one of the following:

- Council on CyberSecurity: The Critical Security Controls for Effective Cyber Defense. A prioritized list of actionable controls an organization can use as a starting point for high-value actions (previously known as the SANS Critical Security Controls).
- NIST: Framework for Improving Critical Infrastructure Cybersecurity. A set of industry standards and best practices to help organizations manage cybersecurity risk as part of their risk management processes.
- National Campaign for CyberHygiene. A program developed by the Center for Internet Security and the Governors' Homeland Security Advisors Council to provide key recommendations for a low-cost program that any organization can adopt to achieve immediate and effective defenses against cyber-attacks.

These general-purpose standards and frameworks lay a foundation for mandatory compliance or regulatory requirements but are not a substitute for them. Depending on its industry or business activity, an organization may be required to comply with PCI DSS, GLBA, HIPAA, FISMA or other requirements.

Control Objectives

General cybersecurity standards and industry-specific standards vary widely in the degree to which they specify detailed control objectives and/or specific controls. Standards and frameworks typically focus on high-level control objectives.
For example, the NIST framework includes a control objective related to asset management: "The data, personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy." Similarly, most regulations focus on control objectives. For instance, Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) tells financial institutions what to do by requiring them to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of customer records and information against anticipated threats, unauthorized access and so on. Such "what to do" requirements are control objectives; GLBA does not mandate the specific controls required to meet them. Each financial institution is responsible for defining the specific administrative, technical and physical controls needed to meet the control objective.

Controls

Controls are the policies, procedures and activities designed to meet control objectives. Controls define "how to do it"; they make the control objectives actionable. At the other end of the spectrum from GLBA, the PCI Data Security Standard is quite prescriptive and requires entities involved in payment card processing to deploy specific controls, e.g., build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

Controls can be categorized in multiple ways; perhaps the simplest is administrative, technical or physical:

- Administrative: Primarily operational and accountability procedures, such as background checks and employee training.
- Technical: Safeguards or countermeasures for an information system that are primarily implemented and executed by the information system itself, through mechanisms contained in its hardware, software or firmware components and in information security software. Examples include maintaining an inventory of authorized hardware and software on the network and maintaining secure system configurations.
- Physical: Primarily preventive measures such as locks, badges and security guards that control access to the network and computing systems.

Operational speed distinguishes these kinds of controls. Many administrative controls are slow moving. For example, new-employee training may occur monthly, and if an employee misses a session, waiting until the next scheduled session may be acceptable. Conversely, many technical controls are fast moving, in that the objects they monitor can change quickly. When a critical vulnerability is discovered in a system that processes protected or proprietary data, the control should detect it quickly, because response time is critical.

Assurance Report Cards

Periodic assessments are typically performed to determine whether controls are operating effectively and control objectives are being met. Such audits are well suited to evaluating slow-moving controls, but they introduce unacceptable latency for many technical security controls, where continuous network monitoring is required to take the pulse of the security and risk posture and identify exceptions that must be remedied immediately. The challenge is to define and operationalize automated indicators that are both meaningful and easily understood throughout the organization. Both business leaders and information security professionals expect indicators to be supported by solid data. Both are comfortable with reports and dashboards, but their specific expectations of those reports and dashboards may be quite divergent.
Business leaders typically prefer scorecards that report pass/fail results: summaries presented in three colors, red, yellow and green. Security staff, being technical experts, are wary of oversimplified indicators that boil the status of their complex security controls down to a handful of metrics; security leaders want to see details. These different perspectives have produced a frustrating communication gap. Executives ask for evidence that the cybersecurity and compliance controls are in place and operating effectively, and security leaders answer with statistics about the number of new vulnerabilities discovered, the number of blocked attacks and the patch rate.

Assurance Report Cards (ARCs) correspond to control objectives and rely on multiple policy statements to evaluate the underlying controls. Results are displayed using a familiar report card paradigm. ARCs bridge the communication gap between business executives and security professionals by measuring and visually communicating the status of the most critical, fast-moving, automated security controls in an easy-to-understand format. They present executives with an up-to-date status relative to the organization's security standards and compliance requirements, so executives can quickly understand their cyber risk and compliance posture. Although ARCs summarize the status of potentially hundreds of controls, they retain the underlying data so it can be examined when needed.

Assurance Report Cards are part of SecurityCenter Continuous View (SecurityCenter CV), Tenable's enterprise continuous network monitoring platform. They are a visualization capability built on SecurityCenter CV's measurement and analysis capabilities.
Measurement is performed by:

- Nessus: Actively scans networks, systems, data and applications to assess vulnerabilities, configurations and compliance status.
- Passive Vulnerability Scanner (PVS): Monitors network traffic in real time to identify new assets, risk and vulnerabilities.
- Log Correlation Engine: A SecurityCenter CV component that collects and aggregates data from network and security infrastructure, raw network traffic and user activity to detect complex malware and isolate threats and compliance issues.

Together, these measurement capabilities gather vulnerability, configuration and real-time threat information from hundreds of different asset types, including operating systems, network devices, virtual infrastructure, databases, mobile devices, web servers and embedded systems. They also gather information about network and system activity to identify suspicious traffic and anomalies.

Analysis is initially performed by Tenable's more than 77,000 plugins, which identify assets, detect vulnerabilities, assign severities, evaluate configurations, discover protected or proprietary data at rest and in transit, and so on. SecurityCenter CV then applies filters, queries and conditional logic to perform additional analysis.

ARCs correspond to control objectives. An example ARC could be "Track Your Inventory of Hardware and Software." Each ARC's pass/fail status is evaluated by examining its underlying policy statements, which are typically conditional tests that evaluate to true or false. Example policy statements are:

- Greater than 95% of detected systems were included in a configuration audit in the past 30 days
- Greater than 75% of systems are sending system log messages for review
- Greater than 95% of the systems are found in DNS

An ARC passes only if all of its underlying policy statements evaluate to true. In the above example, all three conditions must be met for the ARC to pass.
Another example, "Detect and Prevent Malware and Intruders," demonstrates how an ARC and its underlying policy statements draw on information from Nessus and its plugins (along with the Log Correlation Engine and Passive Vulnerability Scanner) to determine whether business objectives are being met.

Figure 2: ARCs are supported by policy statements and plugins
Visualization is intuitive. As shown in Figure 3, each ARC is represented in SecurityCenter CV's user interface on a separate line. The status of each of the ARC's underlying policy statements is summarized by a red or green dot on the right. If desired, individual policy statements and detailed scores can be enumerated under each ARC.

Figure 3: Assurance Report Cards

In addition to summarizing current status for executive consumption, ARCs foster discussion among internal stakeholders about high-level business objectives and about the specific controls and effectiveness indicators the organization should examine to take the pulse of its security and risk posture in terms of those objectives. The ARCs' underlying data, showing which policy statements passed and which failed, is also useful to security and compliance staff when prioritizing areas for improvement.

ARCs are extremely flexible. A common set of policy statements can be applied with different pass/fail thresholds for different asset groups. For example, parts of the network that contain protected or proprietary data may require that none of the systems have unpatched critical or exploitable vulnerabilities for which a patch exists, while other parts of the network may have slightly less stringent requirements, such as allowing up to 2% of systems to have such vulnerabilities. This flexibility lets the organization manage risk based on business decisions rather than purely technical criteria. Thresholds can also be adjusted over time as an organization gains experience.

Most organizations create ARCs to support their specific security and compliance requirements and frameworks. ARCs measure what is most important to the organization's business objectives, using familiar terminology.
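To make the evaluation model concrete, the following Python is an added example written for this edit; it is not SecurityCenter code or anything Tenable ships. It implements the pass/fail logic for the "Track Your Inventory of Hardware and Software" ARC and its three policy statements quoted above, and the per-asset-group thresholds just described (no unpatched critical vulnerabilities on systems holding protected data, up to 2% elsewhere). The asset records, the asset group names (cde, corp) and the field names are constructed for the example; a real deployment would feed the evaluator from scanner, passive sensor and log collector data.

```python
"""Toy Assurance Report Card (ARC) evaluator: an added illustration of the
model described in the paper, not SecurityCenter code."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Asset = Dict[str, object]

def build_assets() -> List[Asset]:
    """Constructed inventory standing in for scanner, passive sensor and log
    collector measurements. Field names (audit_age_days, syslog, in_dns,
    critical_patchable) and group names (cde, corp) are assumptions made
    for this example."""
    cde = [  # systems holding protected data: strictest thresholds apply
        {"host": "db01", "group": "cde", "audit_age_days": 12, "syslog": True, "in_dns": True, "critical_patchable": 0},
        {"host": "app01", "group": "cde", "audit_age_days": 25, "syslog": True, "in_dns": True, "critical_patchable": 1},
        {"host": "web01", "group": "cde", "audit_age_days": 3, "syslog": True, "in_dns": True, "critical_patchable": 0},
    ]
    corp = [
        {"host": f"ws{i:03d}", "group": "corp",
         "audit_age_days": 40 if 10 < i <= 20 else 10,   # ws011-ws020 missed the 30-day audit window
         "syslog": True, "in_dns": True,
         "critical_patchable": 1 if i == 17 else 0}      # one workstation with a patchable critical
        for i in range(1, 61)
    ]
    corp.append({"host": "prn01", "group": "corp", "audit_age_days": 5, "syslog": False, "in_dns": True, "critical_patchable": 0})
    return cde + corp

@dataclass
class PolicyStatement:
    text: str                             # the statement as executives read it
    satisfied: Callable[[Asset], bool]    # per-asset test the statement counts
    min_pct: float                        # passes when at least this share of assets satisfy it

    def evaluate(self, assets: List[Asset]) -> dict:
        failing = [a["host"] for a in assets if not self.satisfied(a)]
        pct = 100.0 * (len(assets) - len(failing)) / len(assets) if assets else 0.0
        # An empty asset set is "no evidence", so it fails rather than passing vacuously.
        return {"statement": self.text, "pct": round(pct, 1), "min_pct": self.min_pct,
                "passed": bool(assets) and pct >= self.min_pct,
                "failing_hosts": failing}   # retained for drill-down by security staff

@dataclass
class AssuranceReportCard:
    name: str
    statements: List[PolicyStatement]

    def evaluate(self, assets: List[Asset], scope: str = "all") -> dict:
        results = [s.evaluate(assets) for s in self.statements]
        return {"arc": self.name, "scope": scope,
                "passed": all(r["passed"] for r in results),   # every statement must be true
                "statements": results}

# The inventory ARC and its three policy statements from the paper. "Greater than
# N%" is implemented as ">= N%" so that a 100% requirement is also expressible.
INVENTORY_ARC = AssuranceReportCard(
    "Track Your Inventory of Hardware and Software",
    [PolicyStatement("Greater than 95% of detected systems were included in a configuration audit in the past 30 days",
                     lambda a: a["audit_age_days"] <= 30, 95.0),
     PolicyStatement("Greater than 75% of systems are sending system log messages for review",
                     lambda a: bool(a["syslog"]), 75.0),
     PolicyStatement("Greater than 95% of the systems are found in DNS",
                     lambda a: bool(a["in_dns"]), 95.0)])

def unpatched_critical_arc(max_pct_with_critical: float) -> AssuranceReportCard:
    """One policy statement, parameterized by asset-group threshold: 'at most X%
    of systems have an unpatched critical or exploitable vulnerability for which
    a patch exists' is evaluated as 'at least (100 - X)% have none'."""
    return AssuranceReportCard(
        "Continuously Remove Vulnerabilities and Misconfigurations",
        [PolicyStatement(f"At most {max_pct_with_critical:g}% of systems have unpatched critical or "
                         "exploitable vulnerabilities for which a patch exists",
                         lambda a: a["critical_patchable"] == 0, 100.0 - max_pct_with_critical)])

def report(assets: List[Asset], group_thresholds: Dict[str, float]) -> List[dict]:
    """Inventory ARC over all assets, then the vulnerability ARC per asset group
    with that group's own threshold."""
    results = [INVENTORY_ARC.evaluate(assets)]
    for group, max_pct in group_thresholds.items():
        members = [a for a in assets if a["group"] == group]
        results.append(unpatched_critical_arc(max_pct).evaluate(members, scope=group))
    return results

def summarize(results: List[dict]) -> str:
    """Executive view: one line per ARC with a GREEN/RED marker per statement;
    failed statements list the hosts behind the number for the security team."""
    lines = []
    for r in results:
        dots = " ".join("GREEN" if s["passed"] else "RED" for s in r["statements"])
        lines.append(f"[{'PASS' if r['passed'] else 'FAIL'}] {r['arc']} ({r['scope']}): {dots}")
        for s in r["statements"]:
            if not s["passed"]:
                hosts = ", ".join(s["failing_hosts"][:5]) + (" ..." if len(s["failing_hosts"]) > 5 else "")
                lines.append(f"    {s['pct']}% measured vs {s['min_pct']}% required; failing: {hosts}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(summarize(report(build_assets(), {"cde": 0.0, "corp": 2.0})))
```

Two design points matter in practice. First, the per-statement result keeps the list of failing hosts, which is what lets the same object serve both audiences: the executive line shows red or green, and the security team can open it and see that the inventory ARC is red because ten workstations fell outside the 30-day audit window. Second, a statement evaluated over zero measured assets fails instead of passing vacuously; a sensor outage or a mis-scoped asset group is a gap in evidence, not evidence of compliance, and a scorecard that turns green when measurement stops would defeat the purpose of continuous monitoring.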
ARCs can be grouped in multiple ways: multiple control objectives for a single network or location, a single control objective measured across multiple networks or locations, or by compliance requirement. In addition to creating their own ARCs, organizations can use and/or modify the ones Tenable provides on an ongoing basis as part of its content feed. SecurityCenter 5.0 comes pre-installed with five executive ARCs corresponding to Tenable's Critical Cyber Controls, described in the next section.

Tenable's Critical Cyber Controls

To help organizations form an effective security policy, Tenable security experts have distilled recommendations from the following standards into five controls that make it easy for organizations to draw on industry best practices:

- Council on CyberSecurity: The Critical Security Controls for Effective Cyber Defense
- NIST: Framework for Improving Critical Infrastructure Cybersecurity
- National Campaign for CyberHygiene
- PCI Data Security Standard

Tenable's Critical Cyber Controls are pre-defined, executive-focused ARCs in SecurityCenter 5.0 that enable continuous monitoring of the five security objectives with the greatest impact on the security posture of any business. They highlight strengths and weaknesses so an organization can take action to prevent malicious activity.

1. Track your authorized inventory of hardware and software. Discovery of all assets is a critical first step, including identification of all authorized and unauthorized hardware and software, transient devices and applications, unknown endpoints, BYOD devices, network devices, platforms, operating systems, virtual systems, and cloud applications and services. SecurityCenter CV includes a combination of automated discovery technologies running in near real time.

2. Continuously remove vulnerabilities and misconfigurations. To remove vulnerabilities, organizations must implement a regular continuous network monitoring program. Procedures should cover three areas:
   - applying software, hardware and cloud service patches to remove vulnerabilities;
   - applying configuration changes to limit malicious exploits;
   - applying additional host- or network-based security monitoring.
   Tenable recommends organizing technologies by business function and asset. Each asset should be assessed and patched on an agreed-upon schedule with a repeatable process.

3. Deploy a secure network. Network security should be a daily practice. For each asset, one or several mitigating technologies can be deployed to prevent or detect malicious activity. For example, host-based technologies include antivirus, application whitelisting and system monitoring; network-based technologies include activity monitoring, intrusion prevention and access control; cloud-based technologies can be audited with APIs, threat subscriptions and network monitoring or endpoint system monitoring.

4. Give users access to only what they need. All users should have a demonstrated business need to access specific systems and data. Limit and control administrative privileges, avoid using default accounts, enforce strong password creation and log all access. Tenable recommends implementing multiple technologies to determine active user accounts, such as authentication logging and network protocol analysis.

5. Search for malware and intruders. Organizations must actively monitor systems for anomalies and exploitation. It is frankly unrealistic to expect all systems to be 100% incident free. Attackers acquire new techniques every day; security controls have to stay a step ahead of them by proactively managing systems with near-real-time continuous scanning for viruses, malware, exploits and insider threats. Each of the previous four controls makes the search for malicious activity easier and creates audit trails that can be used in forensic analysis.
Conclusion

Business executives and board members are vitally concerned about cybersecurity because they understand the potential impact of a security breach: diminished brand and reputation, lost revenue, breach notification costs, litigation costs, fines and more. Tenable's Assurance Report Cards monitor (typically) fast-moving technical controls and enable organizations to measure and visualize their security and compliance status every day, eliminating much of the uncertainty that builds between one audit and the next. ARCs give executives the scorecards they expect and direct security professionals as they work to increase and maintain the organization's security and compliance posture.

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world's largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, visit tenable.com.