Assessing Security and Privacy Controls
NIST Special Publication (SP) 800-53A, Revision 5, “Assessing Security and Privacy Controls in Information Systems and Organizations”, was published January 25, 2022 (and supersedes the previous version). Continued NIST compliance requires asking tough questions today.
Regardless of the changes made to the initial draft of these NIST Cyber Security Assessment and Management (CSAM) recommended standards in response to comments, some constants remain: the new format for assessment procedures is introduced to:
- Improve the efficiency of conducting control assessments
- Provide better traceability between assessment procedures and controls
- Better support the use of automated tools, continuous monitoring, and ongoing authorization programs
The requirements for assessments are considerably increased in terms of efficiency, traceability, and continuity.
Generally speaking, NIST considers that “risk assessments are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.”
These new standards might actually hide unexpected business benefits, as continuous assessments with improved efficiency metrics and traceability might help solve the cybersecurity cost/benefits analysis conundrum.
So, how do you combine complying with NIST's improved standards, optimizing and rationalizing your cybersecurity tool stack, improving your cyber investment ROI, and facilitating communication with the board?
The first thing to do is to assess. Assessing an organization’s overall security posture is a multi-pronged procedure that can be done either through guessing – based on the output of defensive detection tools, typically by comparing benchmark policies to target system states – or through measuring – based on data collected through offensive tools.
Extended Security Posture Management (XSPM) is an approach particularly well suited to streamlining compliance with the new NIST standards. XSPM platforms implement that approach by automating end-to-end risk assessment, thus challenging, assessing, and optimizing cyber-security posture simply and continuously, and equipping security professionals with the visibility to know, control, and remediate their dynamic environment.
How XSPM Facilitates Complying with NIST (SP) 800-53A, Revision 5 Standards
A comprehensive Continuous Security Validation approach is ideal to address all the aspects broached in Revision 5, as it covers all the sections of its chapter on procedures:
- Access Controls: as a subsection of security controls, those can automatically be validated through regularly running simulated attack scenarios using a BAS (Breach and Attack Simulation) tool. It automatically verifies that all assessment objectives, methods, and objects delineated in NIST Revision 5 are included.
- Awareness and Training: The Phishing Awareness assessment pinpoints employees in need of additional awareness training, and the security gaps uncovered through the email and web gateway vectors can be used to document awareness campaigns with examples drawn directly from employees’ behavior, increasing the relevance of those campaigns.
- Audit and Accountability: Continuous Security Validation performs ongoing audits with detailed reports that increase collaboration between IT security and internal GRC and risk management teams in organizations.
- Assessment, Authorization, and Monitoring: Continuous Security Validation technology continuously assesses and verifies that authorizations are not flouted by attempting, through production-safe attacks, to find gaps in the least-privilege access policy and leverage those authorization gaps to gain unauthorized access.
- Configuration Management: When integrated with SIEM and SOAR, continuous security validation automatically identifies weaknesses in tools and system configuration and suggests actionable remediation solutions.
- Incident Response: As launching production-safe attacks is an integral part of XSPM, IR playbooks can be updated with live production information, and setting up a TTE (Tabletop Exercise) requires minimal labor.
- Maintenance: Access to a single source of truth for all security gaps in an organization greatly facilitates assigning maintenance roles and missions and subsequently updating those to match the dynamic nature of agile development. An XSPM platform provides this visibility, as well as prioritization and mitigation guidance.
- Media Protection: Whether or not it is part of the crown jewels, once the required level of protection applied to media is defined, it can be validated continuously.
- Physical and Environmental Protection: This is not typically covered by information security software, including XSPM, and should be complemented by on-site measures.
- Planning: The overarching view of the entire environment’s exposure, including the attack surface, provides invaluable information when establishing the list of people who should be informed of security and policy procedures, and can be used to notify them automatically of any relevant modification.
- Personnel Security: same remarks as for point 9 (Physical and Environmental Protection).
- PII (Personally Identifiable Information) Processing and Transparency: same remarks as for point 8 (Media Protection).
- Risk Assessment: The XSPM approach provides the highest and most comprehensive level of risk assessment attainable with today’s technology.
- System and Service Acquisition: XSPM technology can be used to comprehensively and granularly evaluate the risk introduced by granting access to an external service provider or integrating with an external system by testing the impact on the security posture during the trial period.
- System and Communication Protection: As XSPM identifies security gaps in the entire network, including those affecting system and communication, protecting those can be achieved by applying the mitigation recommendation provided in XSPM automatically generated reports.
- System and Information Integrity: same remarks as for point 15 (System and Communication Protection).
- Supply Chain Risk Management: same remarks as for point 14 (System and Service Acquisition), except that, instead of testing the impact on security posture during a trial period, it requires testing the impact of momentarily disconnecting the third party.
To better understand the value of an XSPM or simply continuous security validation approach, it helps to understand the fundamental differences between defensive and offensive risk assessment.
Defensive-Based Risk Assessment
Typically, testing is done through a combination of a yearly or bi-annual pen testing exercise and continuous adjustment to industry-recognized benchmarks, such as those published by CIS, NIST, OWASP, and others.
This approach, unfortunately, suffers from some major and minor flaws.
- It does not enable measuring the ongoing efficiency of the existing tool stack, preventing tool use optimization.
- It does not identify potential overlap between tools, preventing tool stack rationalization.
- It lists all uncovered vulnerabilities and, at best, prioritizes patching based on industry-wide criticality scores rather than on risks to the specific environment.
- Limited visibility hampers the optimization of the balance between operational agility and security concerns.
Annual or bi-annual pen testing exercises provide a snapshot of the security posture at a defined point in time. Reports are obsolete before they are handed over a few days or weeks after the exercises.
This is due to:
- Malicious actors’ offensive tooling and capabilities evolve rapidly.
- The agile nature of continuous deployment may introduce new vulnerabilities with each new deployment.
- Without integrating continuous Immediate Alert Intelligence (ITI) into security posture management, there is no way to evaluate resilience against emerging attacks.
- Without attack-based vulnerability patching prioritization, remediation queues are overloaded, and patching priorities are misaligned with the actual risks to the environment.
- The lack of quantified baselines and trends hobbles the efficacy of continuous monitoring in evaluating the improvement (or lack thereof) of the security posture.
From Offensive-Based Risk Assessment to Cyber Risk Quantification
When switching from defensive to offensive-based cyber risk assessment methodology, doing it right enables cyber risk quantification.
Cyber risk covers the full range of impacts to which you expose your digital and physical environments simply by interconnecting people, processes, and technology. Cyber risk quantification is a method for expressing the organization’s risk exposure from interconnected digital environments primarily in business terms, meaning with a direct link to its dollar value.
A comprehensive offensive-based cyber risk assessment needs to cover the entire kill-chain, from intelligence gathering and initial foothold to execution and Command & Control, and network propagation, and, of course, action on objectives such as data exfiltration. It also needs to have the capability of establishing a baseline for security control resilience.
Advanced offensive-based assessment tools, such as Extended Security Posture Management (XSPM) solutions, meet NIST’s more stringent risk assessment requirements and are invaluable in achieving compliance quickly, efficiently, and comprehensively.
As a bonus, they provide 360° visibility into the inner workings of each cyber-defensive tool, from its ability to improve security controls to its detection and attack-prevention mechanisms, along with detailed, itemized cyber risk quantification.