LAS VEGAS — If there was one message a team of panelists conveyed here at the Qualys Security Conference 2013 it was this: When it comes to keeping their business-technology systems secure, most organizations are concentrating on the wrong things.
Instead of building resilient systems, Pescatore said, enterprises are focusing their efforts on being compliant and proving to auditors that they’re meeting regulatory mandates. Or they’re spending too much time creating hypothetical risk equations, weighing the estimated cost of incidents (typically a large imaginary number) against the likelihood of the breaches (typically a small imaginary number). In the meantime, while their heads are down in speculative risk models, real-world attackers are infiltrating their systems.
It’s time to flip the perspective. “Compliance must follow security,” Pescatore said. “Compliance reports that say we are compliant are great, yet most credit card exposures occur on PCI compliant systems.”
It’s this misguided focus on compliance first that makes it too easy for most any large security consultancy to find evidence of live, ongoing compromises on most of the systems they evaluate for clients, he explained.
Surprisingly, he added, many of the persistently weak areas in these programs are the basics. Organizations continue to be lax in vulnerability and configuration management, operate with no real visibility into advanced threats, and put forth little in the way of a mature application security program.
Considering that, how do security managers prioritize their spending and efforts so that security is the first priority?
Essentially, panelists argued, organizations need to combine the expertise of the security professional with automation of best-practice security processes and controls along with accurate and timely threat and vulnerability information. The panel, consisting of Pescatore and panelists Jonathan Trull, CISO, State of Colorado, Doug Dexter, audit lead, Cisco Systems, and Wolfgang Kandek, CTO, Qualys, all pointed to the value of the SANS 20 Critical Security Controls.
The SANS 20 Critical Controls, they explained, help enterprises change their focus from compliance to continuous security monitoring.
Cisco’s Doug Dexter told how Cisco started its journey on implementing the critical controls – such as inventorying unauthorized and authorized applications and devices or continuous security monitoring – before the list had been formalized.
One example Dexter shared: rather than scanning for new vulnerabilities as they are publicly announced, Cisco continuously scans its systems and maintains a database of host information ready for when new software flaws surface. This way, when there was an issue, “all we had to do was query the database to gain an understanding of the situation rather than have to conduct a full scan,” he said.
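The query-the-database approach Dexter describes, together with the authorized/unauthorized application inventory control mentioned above, as an added example (my code, not Cisco’s or Qualys’): continuous scan results are upserted into a small inventory table, and a newly announced flaw is answered with a query instead of a fresh scan. Every host, package, version, the authorized-package list and the advisory are constructed sample data; the rule that a host is affected when its installed version is older than the fixed version is an assumption of the example, not a statement about any real advisory.

```python
"""Inventory-driven vulnerability lookup (added example with constructed data)."""
import sqlite3
from typing import NamedTuple


def version_key(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


class Advisory(NamedTuple):
    package: str
    fixed_in: str  # assumption: every version older than this one is affected


# Constructed sample scan results: (host, package, installed version)
SCAN_RESULTS = [
    ("web-01", "openssl", "1.0.1"),
    ("web-01", "nginx", "1.4.1"),
    ("web-02", "openssl", "1.0.2"),
    ("db-01", "openssl", "1.0.1"),
    ("db-01", "postgresql", "9.2"),
    ("lab-07", "tftpd", "0.2"),  # constructed: not on the authorized list
]

# Constructed allowlist for the "authorized applications" control
AUTHORIZED_PACKAGES = {"openssl", "nginx", "postgresql"}


def build_inventory(scan_results) -> sqlite3.Connection:
    """Create the inventory table and load one scan's worth of results."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory ("
        " host TEXT, package TEXT, version TEXT,"
        " PRIMARY KEY (host, package))"
    )
    conn.executemany("INSERT OR REPLACE INTO inventory VALUES (?, ?, ?)", scan_results)
    conn.commit()
    return conn


def record_scan(conn, host: str, package: str, version: str) -> None:
    """Continuous scanning keeps the table current: each new result replaces the old row."""
    conn.execute(
        "INSERT OR REPLACE INTO inventory VALUES (?, ?, ?)", (host, package, version)
    )
    conn.commit()


def hosts_affected(conn, advisory: Advisory) -> list:
    """Answer 'who is exposed?' from the database rather than with a new scan."""
    rows = conn.execute(
        "SELECT host, version FROM inventory WHERE package = ?", (advisory.package,)
    ).fetchall()
    cutoff = version_key(advisory.fixed_in)
    return sorted(host for host, version in rows if version_key(version) < cutoff)


def unauthorized_software(conn, authorized=AUTHORIZED_PACKAGES) -> list:
    """Inventory control: every (host, package) pair that is not on the allowlist."""
    rows = conn.execute(
        "SELECT host, package FROM inventory ORDER BY host, package"
    ).fetchall()
    return [(host, package) for host, package in rows if package not in authorized]


if __name__ == "__main__":
    inventory = build_inventory(SCAN_RESULTS)
    print(hosts_affected(inventory, Advisory("openssl", "1.0.2")))
    print(unauthorized_software(inventory))
    # After a patch is rolled out, the next scan result supersedes the old row
    record_scan(inventory, "web-01", "openssl", "1.0.2")
    print(hosts_affected(inventory, Advisory("openssl", "1.0.2")))
```

The query is only as trustworthy as the freshness of the rows behind it: a host that was patched, rebuilt or newly connected since its last scan is answered from stale data, which is exactly why Dexter pairs the database with continuous scanning rather than a periodic one. In production a scan timestamp per row, and a check that no row is older than the scan interval, is the first thing to add.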
Colorado’s Jonathan Trull added that the SANS 20 Critical Controls is the primary security framework for the state’s IT security program. Trull said that the initial goal was to obtain quick wins and build momentum around the program’s implementation. “We focused on things that we could achieve in 120 days, and by August of this year we will have the first five controls completed,” he said.
One of the main objectives for the state is to move away from a compliance mindset to a security mindset. “We were investing 80 percent of our time on compliance and 20 percent on security,” he said. But those efforts didn’t create the level of security Trull thought adequate. “That’s why we’re flipping the equation to 20 percent compliance and 80 percent security.”