Assessing Security and Privacy Controls
NIST Special Publication (SP) 800-53A, Revision 5, “Assessing Security and Privacy Controls in Information Systems and Organizations”, was published on January 25, 2022 (and supersedes the previous version). Continued NIST compliance requires asking tough questions today.
Whatever changes were made after comments on the initial draft of these NIST Cyber Security Assessment and Management (CSAM) recommended standards, some things are constant: the new format for assessment procedures is introduced to:
- Improve the efficiency of conducting control assessments
- Provide better traceability between assessment procedures and controls
- Better support the use of automated tools, continuous monitoring, and ongoing authorization programs
The requirements for assessments are considerably more demanding in terms of efficiency, traceability, and continuity.
Generally speaking, NIST considers that “risk assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.”
These new standards might actually hide unexpected business benefits, as continuous assessments with improved efficiency metrics and traceability might help solve the cybersecurity cost/benefits analysis conundrum.
So, how do you combine abiding by NIST’s improved standards, optimizing and rationalizing your cybersecurity tool stack, improving your cyber investment ROI, and facilitating communication with the board?
The first thing to do is to assess. Assessing an organization’s overall security posture is a multi-pronged procedure that can be done in one of two ways: through guessing, based on the results reported by defensive detection tools, typically by comparing benchmark policies to target system states; or through measuring, based on data collected through offensive tools.
Exposure Management and Security Validation is an approach particularly well suited to streamlining compliance with the new NIST standards. Exposure Management and Security Validation platforms implement that approach by automating end-to-end risk assessment, thus challenging, assessing, and optimizing the cyber-security posture simply and continuously, and equipping security professionals with the visibility to know, control, and remediate their dynamic environment.
How Exposure Management and Security Validation Facilitates Complying with NIST Revision 5 Standards
A comprehensive Continuous Security Validation approach is ideal to address all the aspects broached in Revision 5, as it covers all the sections of its chapter on procedures:
- Access Controls: As a subset of security controls, access controls can automatically be validated through regularly running simulated attack scenarios using Cymulate Breach and Attack Simulation (BAS). Cymulate BAS capabilities automatically verify that all assessment objectives, methods, and objects delineated in NIST Revision 5 are included.
- Awareness and Training: Cymulate built-in scenarios and campaign templates can be leveraged by a SOC to run incident response (IR) training practical exercises. The phishing awareness capability pinpoints employees needing additional awareness training. Additionally, the security gaps uncovered through the email and web gateway capabilities can be used to document awareness campaigns with examples drawn directly from employees’ behavior.
- Audit and Accountability: The Cymulate continuous security validation performs ongoing audits with detailed reports that increase collaboration between IT security and internal GRC and risk management teams in organizations.
- Assessment, Authorization, and Monitoring: The Cymulate platform continuously assesses and verifies that authorizations cannot be bypassed. The technique used is to attempt, through launching a variety of production-safe attack simulations, to find gaps in the least privileged access policy and leverage these authorization gaps to gain unauthorized access.
- Configuration Management: When integrated with SIEM and SOAR systems, the Cymulate platform automatically maps out the misconfigurations and security gaps that would enable an attacker’s intrusion and the ensuing attack path. It then provides prescriptive guidance for enhancing configuration management.
- Contingency Planning: The reports of attacks’ potential reach and damages yielded by IR training exercises run with Cymulate attack scenarios and campaigns can be used by SOC and the executive board as comprehensive databases to create contingency plans.
- Identification and Authentication: Production-safe attack scenarios and campaigns are designed to exploit insufficiently tight identification and authentication policies. Reports list all detected identification or authentication security gaps and include actionable mitigation recommendations.
- Incident Response: Launching production-safe attack simulations enables updating IR playbooks with live production information and setting up a TTE (Tabletop Exercise) with minimal effort.
- Maintenance: Access to a single source of truth for all security gaps in an organization greatly facilitates assigning maintenance roles and missions and subsequently updating those to match the dynamic nature of agile development. The Cymulate platform provides this visibility, as well as prioritization and mitigation guidance.
- Media Protection: Once a required level of protection for a medium is defined, Cymulate can validate that it is applied and enforced across the board and raise an alert if personnel or roles fail to implement the required procedures.
- Physical and Environmental Protection: This is not typically covered by the information security software and should be complemented by on-site physical measures.
- Planning: The overarching view of the entire environment’s exposure, including the attack surface, provides invaluable information when establishing the list of people who should be informed of security and policy procedures, and can be used to automatically push any relevant modification. The ability to define accurate granular and global baselines reflecting the organization’s risk appetite, and to measure variance from them with precise metrics, facilitates both planning and monitoring.
- Program Management: The information regarding SIEM and SOAR tools efficacy extracted from Cymulate assessments uncovers overlapping and missing capabilities and provides prescriptive recommendations to optimize the configuration of the available detecting, monitoring, and response solutions.
- Personnel Security: Same remarks as for point 9.
- PII (Personally Identifiable Information) processing and transparency: Same remarks as point 8.
- Risk Assessment: The Cymulate platform provides the highest and most comprehensive level of risk assessment attainable with today’s technology.
- System and Service Acquisition: The Cymulate platform can be used to comprehensively and granularly evaluate the risk introduced by granting access to an external service provider or integrating with an external system by testing the impact on the security posture during the trial period.
- System and Communication Protection: As the Cymulate platform identifies security gaps in the entire network, including those affecting system and communication, protecting those can be achieved by applying the mitigation recommendation provided in automatically generated reports.
- System and Information Integrity: Same remarks as for point 15.
- Supply Chain Risk Management: Same remark as for point 14, except that, instead of testing the supplier’s impact on the security posture during a trial period, it would require testing the impact of momentarily disconnecting the third party.
To better understand the value of an exposure management and security validation approach, it helps to understand the fundamental differences between defensive and offensive risk assessment.
Defensive-Based Risk Assessment
Typically, testing is done through a combination of a yearly or bi-annual pen testing exercise and continuous adjustment to industry-recognized benchmarks, such as those published by CIS, NIST, OWASP, and others.
This approach, unfortunately, suffers from some major and minor flaws.
- It does not enable measuring the ongoing efficiency of the existing tool stack, preventing tool use optimization.
- It does not identify potential overlap between tools, preventing tool stack rationalization.
- It lists all uncovered vulnerabilities and, at best, prioritizes patching based on industry-wide criticality scores rather than on the risks to the specific environment.
- Limited visibility hampers the optimization of the balance between operational agility and security concerns.
Annual or bi-annual pen testing exercises provide a snapshot of the security posture at a defined point in time. Reports are obsolete before they are handed over, a few days or weeks after the exercises.
This is due to:
- The rapidly evolving offensive tooling and capabilities of malicious actors.
- The agile nature of continuous deployment, which might introduce new vulnerabilities with each new deployment.
- Without integrating continuous Immediate Alert Intelligence (ITI) into security posture management, there is no way to evaluate resilience against emerging attacks.
- Without attack-based vulnerability patching prioritization, remediation queues are overloaded, and patching priorities are misaligned with the actual risks to the environment.
- The lack of quantified baselines and trends hobbles the efficacy of continuous monitoring in evaluating the improvement (or lack thereof) of the security posture.
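The two flaws above that lend themselves to computation are patching prioritization by industry-wide score versus by risk to the specific environment, and the absence of quantified baselines and trends. The following Python is an added illustration written for this page; it is not Cymulate code, and the scenario records, the control-family tags, the scoring weights (prevented = 1.0, detected only = 0.5, missed = 0) and the 0.1 regression tolerance are all constructed assumptions. It scores simulated-attack outcomes per NIST control family, compares the result with a recorded baseline to flag regressions, and orders findings by environment-specific risk (reachability and asset criticality) so the ranking can be contrasted with a plain CVSS ordering.

```python
"""Toy scoring of continuous security-validation results (added example).

Each record is the constructed outcome of one production-safe simulated attack
step, tagged with the NIST SP 800-53 control family it exercises.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    scenario: str
    family: str               # NIST control family code, e.g. "AC", "SC", "SI"
    prevented: bool           # the control blocked the step
    detected: bool            # the step was at least alerted on
    asset_criticality: int    # 1 (low) .. 5 (crown jewel), set by the organization
    reachable: bool           # an attack path from the foothold reached the asset
    cvss: float               # industry-wide criticality score of the finding


# Constructed sample run; names and numbers are illustrative only.
SAMPLE = [
    Outcome("phish-macro",  "AT", prevented=False, detected=True,  asset_criticality=2, reachable=True,  cvss=7.5),
    Outcome("cred-dump",    "AC", prevented=True,  detected=True,  asset_criticality=5, reachable=False, cvss=8.8),
    Outcome("lateral-smb",  "AC", prevented=False, detected=False, asset_criticality=5, reachable=True,  cvss=6.5),
    Outcome("exfil-dns",    "SC", prevented=False, detected=True,  asset_criticality=4, reachable=True,  cvss=5.3),
    Outcome("unpatched-web", "SI", prevented=False, detected=False, asset_criticality=1, reachable=False, cvss=9.8),
]

# Constructed baseline recorded from an earlier run (per-family resilience score).
PREVIOUS_BASELINE = {"AT": 0.5, "AC": 1.0, "SC": 0.5, "SI": 0.0}


def family_scores(outcomes):
    """Resilience per control family: prevented=1.0, detected-only=0.5, missed=0.0, averaged."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for o in outcomes:
        totals[o.family] += 1.0 if o.prevented else (0.5 if o.detected else 0.0)
        counts[o.family] += 1
    return {fam: round(totals[fam] / counts[fam], 2) for fam in totals}


def drift(current, baseline, tolerance=0.1):
    """Change of each family against the baseline; a drop beyond the tolerance is a regression."""
    report = {}
    for fam, score in current.items():
        delta = round(score - baseline.get(fam, 0.0), 2)
        report[fam] = (delta, "regressed" if delta < -tolerance else "ok")
    return report


def environment_risk(o):
    """Environment-specific risk: only unprevented, reachable findings on valuable assets count."""
    if o.prevented or not o.reachable:
        return 0.0
    detection_factor = 0.5 if o.detected else 1.0   # an alert halves the weight, a miss keeps it
    return round(o.asset_criticality * detection_factor, 2)


def prioritize(outcomes):
    """Remediation order by environment risk, with CVSS only as a tiebreaker."""
    return [o.scenario for o in sorted(outcomes, key=lambda o: (-environment_risk(o), -o.cvss))]


def prioritize_by_cvss(outcomes):
    """The industry-wide ordering the text criticizes, for comparison."""
    return [o.scenario for o in sorted(outcomes, key=lambda o: -o.cvss)]


if __name__ == "__main__":
    scores = family_scores(SAMPLE)
    print("family scores:", scores)
    print("drift vs baseline:", drift(scores, PREVIOUS_BASELINE))
    print("risk-based order:", prioritize(SAMPLE))
    print("CVSS-only order:", prioritize_by_cvss(SAMPLE))
```

On the sample run the AC family drops from 1.0 to 0.5 and is flagged as regressed, and the unprevented, undetected lateral-movement step against a crown-jewel asset moves to the top of the remediation queue even though its CVSS is the second lowest, while the highest-CVSS finding, which sits on an unreachable low-value host, drops to the bottom.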
From Offensive-Based Risk Assessment to Cyber Risk Quantification
When switching from defensive to offensive-based cyber risk assessment methodology, doing it right enables cyber risk quantification.
Cyber risk covers all the impacts to which your digital and physical environments are exposed simply through interconnected people, processes, and technology. Cyber risk quantification is a method for expressing the risk exposure of interconnected digital environments to the organization primarily in business terms, meaning with a direct link to its $ value.
A comprehensive offensive-based cyber risk assessment needs to cover the entire kill-chain, from intelligence gathering and initial foothold, through execution, Command & Control, and network propagation, to actions on objectives such as data exfiltration. It also needs to be able to establish a baseline for security control resilience.
Advanced offensive-based assessment tools, such as the Cymulate Exposure Management and Security Validation solutions, meet NIST’s more stringent risk assessment requirements and are invaluable in achieving compliance quickly, efficiently, and comprehensively.
As a bonus, they provide 360° visibility into the inner workings of each cyber-defensive tool, from its ability to improve security controls to its detection and attack-prevention mechanisms, along with detailed, itemized cyber risk quantification.
To see our product in action, start your free trial here: