
If you were a bank robber, you would target the largest bank around in order to secure the biggest prize possible in exchange for the risk associated with committing the crime, right? The same is true for cybercriminals. They specifically target organizations within industries that provide the most return for their crime. These unseen criminals, though they are not stealing physical cash, are stealing your personal information that can grant them access to more than just what is in your bank account. The prime targeted industries are those that house customer information in some form or another, examples would be banks, healthcare providers, and retailers, among others. Thankfully, our everyday institutions are fortifying their security against these cyber thieves by employing software solutions such as RSA Archer to aid in the prevention of theft of customer data and fraud from ever occurring in the first place by tracking threat behavior and analyzing patterns of risk.

The banking industry maintains millions of dollars in assets and huge databases of customer data, and is therefore a prime target for fraud. Big banks, along with other major organizations, have traditionally held a nonintegrated approach to GRC, negatively impacting business performance and resulting in inefficient manual processes, poor visibility across the enterprise, and a mixing bowl of risk and compliance frameworks.

In a case study conducted by GRC 20/20, they researched how large commercial banks achieved value through an enterprise GRC platform, RSA Archer. “Siloed GRC processes are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of GRC. Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk” (EMC). The bank developed a strategic plan that rolled out 35 GRC programs designed to assess and evaluate risk across all lines of business. A few of those programs included control self-assessments, third-party risk, and contract management, SOX control assessments and management, marking material compliance and content review, quality assurance compliance management, internal audit management, and incident response management. RSA Archer permitted the bank to utilize a common organizational hierarchy, asset repository, list of facilities, contact (employee) information, risk register, corporate policies, and control library to establish relationships between all 35 programs, which resulted in greater efficiency, agility, and effectiveness across the business. Here are just a few examples of real results achieved from the implementation of Archer within the first year:

  • Time to complete assessments and approvals reduced by 60%
  • Saved the bank approximately $1.65 million
  • Reduced the time and expense involved in managing previously disconnected solutions
  • An overall reduction in third-party risk
  • Increased participation and effectiveness by 320% in product/service/control assessments
  • Increased ability for reporting and visibility of risk for end-users and executive management alike

At CyberSheath, we know cybersecurity processes first, and we use that knowledge and experience to help our partners get real value from Archer. To learn more about our Governance, Risk and Compliance service click the link below to download a datasheet detailing our unique GRC approach for both government and commercial clients.

Wouldn’t it be great if there were an “easy” button for developing your organization’s governance, risk, and compliance departments? There are several aspects to consider when building out each sector, such as: what kind of control assessments should we have, and how often? What kind of approval chain should our policy documents follow? How should we conduct our business impact analyses? Where should we house our asset inventory? How do we tie all of these aspects together? Why is GRC even important?

As the result of several notable cyber-attacks throughout the years, governance, risk, and compliance are factors in the corporate environment that no organization, big or small, can escape. The concept of focusing on growth without considering risk is not only impractical but also unsustainable. Too often we see common themes among the victims of cyber-attacks: failure to link development strategy with risk, lack of oversight for risk management, and a lackadaisical viewpoint on day-to-day risk. A major problem with most corporations is that their GRC processes are spread out amongst several different groups. These groups often fail to share information and wind up with a multiplicity of frameworks and processes. This results in inefficiency and greater exposure to risk across the entire organization. For all these reasons, it is imperative that organizations of all sizes recognize the importance of GRC convergence and collaborate across all lines of business to reduce risk and enforce compliance. One of the best ways to achieve this mentality and efficiency is by employing a comprehensive risk management tool such as RSA Archer.

The RSA Archer GRC platform offers users a simple yet comprehensive way to design, build, and manage solutions that can grow right along with your business. Customers can configure enterprise-class, security-assured applications and deploy them in a way that enables and prepares their organization to maintain compliance and prevent risk. In addition to providing customers with a foundation for compliance through content bundles for the Policies, Control Standards, Control Procedures, Authoritative Sources, and other applications; Archer also comes complete with pre-configured reports and dashboards to utilize as building blocks for your reporting metrics. Furthermore, Archer provides users with assessment content such as built-in business impact analysis, quarterly risk, control self-assessment, device, and facility questionnaires. These pre-configured questionnaires allow users to automatically score questionnaires and generate findings for incorrect answers, they can even be issued automatically via campaigns. When it comes to governance, risk and compliance functionality, the possibilities are endless with Archer.

CyberSheath’s team of experienced Archer security consultants have years of experience in both private and public environments implementing and deploying both custom and prepackaged solutions. Having worked with and successfully deployed all use cases provided by RSA, we are your “easy” button to developing your GRC sector of your organization.

In the ever-evolving world of cybersecurity, one component remains both dynamic and widespread: risk itself. The flu virus, much like risk, is ever-mutating and adapting to new environments, and we as human beings are consistently trying to defend ourselves against it by getting our flu shot every year, washing our hands frequently, and trying the latest prevention trends like Emergen-C and clean eating. Yet despite some of our best efforts, we often become infected with this virus year after year. Similarly, when organizations put their faith in the “latest and greatest” next-generation firewall or anti-malware software, their margin of risk is only slightly narrowed. Why? As defense technologies perpetually adapt to new environments, attackers are doing the exact same thing with their arsenal. Even though we got our flu shot and maintained good hygiene, we were still impacted by the virus. Organizations face attacks on a daily basis no matter what method of prevention they employ.

However, in the case of cybersecurity, knowledge is power. In this day and age, businesses are growing at rapid rates and are sometimes unable to track their risk management as needed. The most efficient way to reduce risk and monitor performance is the ability to track and identify critical assets and business processes and to ensure compliance regulations are being met. Maintaining an effective GRC program entails a strong platform on which tools are in place to automatically protect, detect, and respond to security events quickly and proficiently. Additionally, such platforms map all sectors of the business together in order to paint a better picture of the risk an organization is facing. Through the use of real-time dashboards and reports, organizations are provided with an enhanced user experience and improved visibility of risk activity amongst business unit managers.

Here at CyberSheath we promote both healthy lifestyles and streamlined risk and compliance management. Though we may not be able to tell you exactly how to avoid the flu next fall, we can definitely help protect your company and its assets via professional GRC services and consulting. The next string of security incidents is just around the corner, so don’t let your assets remain unprotected!

The winds of change blow at gale force when we talk about the IT industry, and information security is becoming accepted as essential to doing business; recent high-profile cases of large-scale corporate hacks have shown how essential it is to have security programs in place. In this two-part post, we will focus on Governance, Risk, and Compliance (GRC), an increasingly important aspect of a mature information security program, and how you can begin to apply the concepts of GRC to your organization. First, we will discuss GRC at a high level, and how GRC should be applied from the top down in an organization, since governance, risk, and compliance ultimately fall within the executive team’s areas of responsibility. Next week’s post will provide information on three of the top GRC platforms and will discuss the strengths and weaknesses of these products in supporting the automation and measurement of your information security capability.

Applying Information Security Governance

This can be a daunting task for many businesses, as it is no longer adequate (not that it ever has been) to only have a flimsy security policy written while primarily focusing on trying to secure your network, typically in a reactive way. However, the policy is an important aspect of governance, as it sets the requirements for what capabilities and controls will be applied. It is absolutely imperative that the security policy is not only robust but also mapped to external factors such as the key business drivers, your local and national regulatory and legal requirements, and of course the internal and external threats and the risk tolerance of the business. Beyond that, a security policy should serve to govern all aspects of the security program, and align with documented procedures, implemented capabilities, and measurability of the security program’s effectiveness.

So how does it all work? Information security governance is similar to other governance procedures a business may have in place, such as IT and corporate governance, and there will always be overlapping goals between these three entities. The company’s organizational structure and formally defined interfaces and control gateways will determine how these departments interact with each other and how the goals of each department align. Communication is key, and careful consideration should be given by the most senior roles in the organization to ensure proper stakeholder involvement and oversight are in place across the functional areas. The main goal is that security should not operate without alignment to other areas of the business. Security as a function should be involved in other areas of the business to promote a culture of security, integrate itself procedurally, and operate as a program with measured effectiveness while continuously and proactively aligning with the goals of the entire business.

“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

TechTarget

The quote above clearly articulates the need for leadership involvement in the process of security governance. If you don’t currently have this level of involvement in your organization, then it is recommended that executive teams with security and compliance objectives seek out the help of a professional within this area of expertise. Let the experts at CyberSheath help you establish a security governance model appropriate for your business and executive team.

Governance, Risk and Compliance (GRC) is an all-encompassing term that can cover an array of areas from business continuity through vendor management. Given the range of meaning, it’s important to understand what it means to you and your organization before selecting a platform like RSA’s Archer, which has many modules and even more use cases.

To help narrow down your selection of Archer modules and use cases as well as increase your likelihood of success in deployment and utilization, here are 3 things to consider before making your purchase:

3 Things to Consider When Choosing RSA Archer for GRC

1: Requirements First, Technology Second

Many late and over-budget technology projects can be traced to a project that started with a “bake-off” of technologies or, worse, statements like “we need (fill in the blank with your favorite security tool)”. My experience is that when requirements drive the technology selection process, outcomes are far more likely to be aligned with expectations.

Decide what you are trying to accomplish and turn high-level statements of need into fact-based requirements that will drive the technology selection. Forget looking at Forrester or Gartner first to see which vendor product is the “best”. Best is relative, and your requirements could very well lead you to a solution that didn’t make the Magic Quadrant (MQ). Defining your requirements relative to GRC will help you avoid overbuying a solution and being left with modules or use cases you can never extract value from.

2: Don’t Forget Operations and Maintenance

Someone, an actual human being, is going to have to support the solution that you purchase, and you should factor that into your operational expense budget as part of the total cost of ownership. If it won’t be an internal employee, then budget for consulting to maintain the solution that you have deployed. Avoid falling into the trap of sending one employee to a 5-day vendor class that covers the entire GRC landscape and range of modules so you can check the box and say you have trained someone to support your implementation. If you didn’t buy Incident Response, Vulnerability Management, or some of the other modules covered in the high-level training class, why spend time and money training to use them?

Your plan for supporting RSA Archer operations and maintenance should tie back to your requirements. Ask what it will take to satisfy your requirements on a continuous basis, whether in FTEs or consulting hours, and budget accordingly.

3: Integration with Existing Technologies

One of the great benefits of the RSA Archer platform is its ability to take data feeds from existing tools and create dashboards that convey information in a single pane of glass. If configured properly, the information displayed can be fact-based metrics that tell you in real time, or as close to real time as possible, how effective your existing tools are. Archer gives you the ability to leverage a standard like the 20 Critical Security Controls and actually display the metrics provided for each control within the platform. It’s just one example of how you can integrate existing technologies into the platform and show a return on your security investment.

How Can CyberSheath Help Your Organization?

At CyberSheath, we know cybersecurity processes first, and we use that knowledge and experience to help our partners get real value from Archer. Effective GRC doesn’t begin with a GRC technology solution – a concept we discuss more in depth here – but rather with understanding your requirements first, ensuring your valuable time and resources won’t be wasted.

GRC is neither a project nor a technology, but a corporate objective for improving governance through more effective compliance and a better understanding of the impact of risk on business performance. GRC can vary dramatically depending on the business’s vertical market (e.g. Healthcare, Finance, Information Technology, etc.), and even further complexity can be found from one business unit to another. This complexity drives the need for different, highly specialized tools, which raises a huge set of cost, integration, and management issues. To address this challenge, many businesses are opting for a single enterprise GRC (eGRC) solution and, when necessary, integrating the many point and functional solutions to satisfy specific needs.

An integrated and automated GRC aims to resolve the challenges associated with scattered and disconnected operational security processes through the centralization of data, alignment and automation of processes and workflows, and clear enterprise-level visibility with trend and analysis metrics and reporting. The benefits of an integrated and automated GRC are substantial; however, businesses should not look to integration and automation without first having a mature GRC environment in place.

Throughout my years of helping businesses improve security and GRC processes, I’ve noticed common trends in businesses striving to build and integrate automated GRC processes. I have compiled a list of 8 critical steps that any business should accomplish before trying to automate and integrate their GRC with technology:

1: Understanding the GRC Business Driver

Why are you doing this? Establish the need and convey the value of GRC to the business. GRC reduces risk, helps demonstrate the value of security, makes compliance a natural outcome, and optimizes your business’s people, processes, and technologies. Most importantly, GRC helps tell the compliance and security story in a language that the business can understand: the language of numbers and metrics.

2: Establish GRC Scope with Business Context

Understanding the context of your business is critical to the successful application of GRC goals. The internal context (e.g. systems, applications, networks, organizational structure, etc.) and the external context (e.g. customer impact, legal or regulatory compliance requirements, etc.) define the GRC scope with a clear understanding of constraints and opportunities.

3: Current State vs. Future State

A clear understanding of the current state of your GRC and the desired future state of your GRC will allow you to develop a roadmap that is aligned with the mission, value, and strategic agenda of your business.

4: Get Leadership Support and Sponsorship

Senior executive backing is critical to ensuring GRC activities (e.g. compliance initiatives, risk assessments, policy creation, etc.) are not executed in silos and that business units are working towards the GRC future state.

5: Define the GRC Strategy

Clear business objectives are the destination for any project and provide a guidepost for the many decisions that will be made along the way. In order to eliminate surprises and ensure directional correctness, the successful project manager (PM) will work with project sponsors and stakeholders to develop and articulate the business objectives early and often in a project.

6: Cross-Departmental Collaboration

GRC impacts every business unit in some capacity and will inevitably drive a culture change throughout the business. Getting the right people at the right times is critical to creating change that deeply impacts the culture and ensures success in GRC activities.

7: Define What Success Means

Develop a set of Key Performance Indicators (KPIs) to measure the effectiveness of GRC activities. KPIs should be in the common language of the business, not technology- or security-centric. KPIs should provide a clear picture of how GRC is integrating into the activity and rhythm of your business operations.

8: Continuous Improvement and Optimization

GRC must adapt to the accelerated and dynamic pace of business. Environment changes occur rapidly and data is more fluid than ever before; thus, in order for GRC to be truly effective, continuous improvement is a must! Leveraging the results from your KPIs, you can steadily optimize the GRC activities, one at a time, to increase efficiency, agility, and effectiveness in managing your risk and compliance.

Effective GRC doesn’t start with a GRC technology solution and successful completion of these steps will ensure that when you are ready to integrate and automate your GRC activities into technological solutions, your valuable time and resources won’t be wasted. Let the experts at CyberSheath help your business maximize the efficiency of processes, connecting operational tasks with strategic objectives.

Modern Healthcare recently reported that “Health insurer Centene Corp. is hunting for six computer hard drives containing the personally identifiable health records of about 950,000 individuals…” While this potential data loss doesn’t come close to the monumental data breaches suffered by Anthem, Blue Cross and Blue Shield and others in 2015; it highlights 5 actions that companies of any size in the healthcare space should be taking now to optimize security.

5 Actions You Should Take to Improve Security

1: Manage and Encrypt Assets

Know what you own, who it’s assigned to, and if it’s mobile, encrypt it. Wrap these efforts into your existing Governance, Risk, and Compliance efforts for HIPAA/HITECH, PCI DSS, and any other relevant business requirements around compliance. As a goal, measure once and comply many times, but whatever you do, encrypt and track your endpoints.

2: Manage Your Vulnerabilities

Establish a capability to assess the risk of systems, applications, and IT services by evaluating the prevalence of vulnerabilities in your environment. You won’t ever be able to remediate them all but you don’t have to. Focus on the high risk/high probability first and establish a documented, repeatable program to continually address this basic requirement for IT security.

3: Privileged Access Management

Monitor and manage your privileged accounts as these will be the accounts likely exploited in a successful breach. Ignoring this accepted minimum standard of care for information security is akin to not encrypting laptops, it’s a necessity, not a luxury.  For further explanation, we discuss privileged account exploitation more in-depth in our white paper, CyberSheath APT Privileged Exploitation.

4: Protect the Network

Provide protection for your network environment with a set of network security tools to detect, alert, and automatically respond to malicious activities targeting your environment. Prioritize requirements here to fit your budget and make tradeoffs where required to include protection for internally and externally available systems, email platforms, and internet use via browser.

5: Incident Response, Logging, and Monitoring

Build a capability to monitor critical systems, applications, and IT services as well as to detect and respond to incidents and/or breaches when information is improperly handled, accessed, or transmitted as it inevitably will be at some point. Do what you can with what you have as not everyone can afford 24/7 monitoring. Outsource where necessary but do not get caught with no plan or capability or you will spend exponentially more being reactive.

How Can CyberSheath Help Your Organization?

All of these efforts can and should be integrated with the day-to-day delivery of IT operations to maximize your efficiency and effectiveness. CyberSheath will work with your organization, large or small, to help secure your valuable assets. CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand in regards to industry standards and regulations.

Due to the way the RSA Archer product is sold, customers often find themselves the proud owners of the Risk Management module. Side-by-side with the Enterprise, Policy, and Compliance modules, Risk Management is marketed as a necessary and important module to tackle in the initial phase of the Archer journey. As a professional services provider, CyberSheath is often asked by clients to assist with the creation of a risk register as their first step with Archer, because it is something they have heard they need to do.

A Risk Register as a First Step is Not the Answer

The problem is that the majority of new Archer customers that we have partnered with are in the information security field, where actual threats and incidents consume every working hour.  The daily realities of malware, vulnerabilities, exception requests, business needs, and compliance requirements take up more than enough of a security team’s time each month for them to be prioritizing a risk register as their first GRC capability.

In today’s fast-paced and dynamic cybersecurity world, a risk register managed by the security team seems almost a quaint and antiquated concept.  I cringe at the memories of my life in a large corporation before CyberSheath, where someone from corporate would take weeks and months to hold working groups, developing a risk register and asking us all about our thoughts on the likelihood and impact of a tsunami hitting our Austin, Texas data center.  At the time, my thoughts and efforts were instead concentrated on actual cyber events happening right then and how we were responding to them both tactically and strategically.

What NIST Recommends Your First Steps Should Be

NIST 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems does not mention the term “Risk Register,” not even once.  In fact, the steps in the RMF Process are now clearly focused on control definition and assessment:

  • RMF Step 1: Categorize Information System
  • RMF Step 2: Select Security Controls
  • RMF Step 3: Implement Security Controls
  • RMF Step 4: Assess Security Controls
  • RMF Step 5: Authorize Information System
  • RMF Step 6: Monitor Security Controls

The RSA Archer Risk Management Module does have a place and is valuable for mature organizations. However, it is best managed at a corporate, non-security level, assessing business risk, and only after significant Archer groundwork has been completed to map out governance.

For commercial information security organizations, the prioritized modules that provide the most value to the security team, in order, are:

  • Enterprise Management
  • Policy Management
  • Compliance Management
  • Threat (Vulnerability) Management
  • Vendor Security Management

How Can CyberSheath Help Your Organization?

These modules provide structure, process, metrics, visibility, and accountability that can be used to gain a true picture of the effectiveness and maturity of the security organization.  At CyberSheath, we know cybersecurity processes first, and we use that knowledge and experience to help our partners get real value from Archer.

Let’s be clear – POS is an ill-termed acronym for Point of Sale.  As the collective giggles fade, it’s time to think about security in the retail industry.  With Black Friday fast approaching, stores preparing for the mad rush of shoppers should ensure their POS systems are secure.  Cardholder data has been a lucrative draw for the cybercriminals seeking to make some serious money selling your stolen credit card data.  Along with cardholder data comes your customers’ personally identifiable information that is now floating around the Internet and could potentially fall into the wrong hands.

“Point of sale system” is the catchall term to describe the consumer’s relationship to the store and how the consumer exchanges money for goods and/or services. A point of sale system has many different facets operating at different levels. For the purpose of this blog post, I am only referring to the information technology assets that retailers have control over. Payment gateways and bank systems are beyond the scope of this post.

The breaches of Home Depot, Target, and Neiman Marcus are prime examples of major retailer organizations that attested to PCI compliance, yet they were still breached.  While PCI compliance is important and ensures your organization has its ducks in a row, it doesn’t necessarily make your POS system more secure.  There are additional steps every organization should take to become proactive about securing your POS, arguably the lifeblood of your store.

3 Steps To Secure Your POS Systems

1: Conduct a Security Assessment

How do you secure your bread and butter? For starters, I recommend a security assessment. Conducting a security assessment will not only identify gaps in coverage but will provide your organization with a valuable roadmap to becoming more secure. A security assessment will measure how your people, processes, and technologies stack up against your chosen security framework (be it NIST, SANS, etc.). The assessment is designed to quickly identify problems, as in the case of the 2014 Neiman Marcus breach, where over 60,000 alerts were triggered but ignored or went unnoticed while the thieves moved around the network over a period of months. An interview with personnel could have identified the problems or concerns personnel may have had with a particular security tool, such as too many alerts, or not enough personnel to monitor the systems.

2: Invest in a Governance, Risk, and Compliance Tool

Following the assessment, I recommend bringing your metrics and reporting together with a governance, risk, and compliance tool. This will provide your organization with valuable metrics, superb reporting capability, and a single dashboard to give your security team time to respond to incidents. Your compliance team will love it because they can effectively manage compliance requirements and documentation. PCI compliance is a major undertaking for any organization. Having everything in one place for the auditors will make your next PCI audit go smoothly. Even if you are a small organization with no team in place, having a centralized way to view metrics and spot trends will keep you ahead of the curve.

3: Develop a Continuous Monitoring Strategy

And finally, institute a continuous monitoring strategy.  From the major retailers to the local mom-and-pop shops, some type of system that generates valuable alerts when there is suspicious activity on your network will provide that shift your organization needs to become proactive about security.  Having a strategy in place will allow you to quickly identify events of interest and provide the guidance you need to respond to an incident. Spotting anomalies in your network and making sure your systems are up-to-date will go a long way in preventing a costly data breach.  If you are at a loss as to where to begin, check out CyberSheath’s blog post on vulnerability management to get some helpful ideas.

CyberSheath will work with your organization, large or small, to help secure your valuable assets.

Note: This is the second in a series of blog posts in which CyberSheath GRC consultants specifically describe how the RSA Archer GRC Solution can assist with the adoption of the Critical Security Controls for Effective Cyber Defense.  Each post of this series will focus on one of the 20 Critical Security Controls. Click here to access the first post of this series.

CyberSheath has worked with many customers who are just beginning their GRC journey.  As security consultants first, the initial steps we take when building out GRC efforts for any organization align with the Critical Security Controls for Effective Cyber Defense.  These controls, formerly known as the SANS 20 Critical Security Controls, focus on prioritizing actionable and pragmatic security functions that are effective against advanced attacks.

20 Critical Security Controls

Control 2: Inventory of Authorized and Unauthorized Software

The second Critical Control, Inventory of Authorized and Unauthorized Software, tells us that organizations should “Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”  To accomplish this, companies need to maintain a list of authorized software, by version, that is required in the enterprise, preferably through an automated software inventory tool.  The control also recommends deploying application whitelisting, which allows systems to run software only if it is included on the whitelist and prevents the execution of all other software on the system.

This control is high on the list of priorities because attackers exploit vulnerable versions of legitimate software as well as uncontrolled software that contains malware.  By inventorying software that is necessary for business purposes and whitelisting only those, attack risks are minimized.
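The inventory-and-whitelist check behind this control can be illustrated in code. The example below is added for this post and is not Archer's code or CyberSheath's: records from two constructed inventory feeds (the field names `host`, `name`, `version` and the alias table are assumptions, not any vendor's schema) are rationalized into one de-duplicated set by normalizing product names, and each installed package is then compared by version against a constructed authorized list, so that unknown software and out-of-policy versions are reported per host.

```python
"""Reconcile software inventory feeds against an authorized-software list
(Critical Control 2). All data here is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed authorized list: canonical product name -> approved versions.
# An empty set means any version of that product is approved.
AUTHORIZED = {
    "openssh": {"9.6", "9.7"},
    "chrome": set(),
    "7-zip": {"23.01"},
}

# Constructed feeds from two hypothetical sources (e.g. a vulnerability
# scanner and a configuration tool). Field names are assumptions.
FEED_SCANNER = [
    {"host": "ws-001", "name": "OpenSSH", "version": "9.6"},
    {"host": "ws-001", "name": "7-Zip", "version": "22.01"},
    {"host": "srv-db1", "name": "OpenSSH", "version": "9.7"},
    {"host": "srv-db1", "name": "netcat", "version": "1.10"},
]
FEED_CONFIG = [
    {"host": "ws-001", "name": "openssh ", "version": "9.6"},  # same install as scanner record
    {"host": "ws-001", "name": "Google Chrome", "version": "124.0"},
    {"host": "ws-002", "name": "TeamViewer", "version": "15.5"},
]

# Constructed alias table: one product reported under different display
# names by different tools collapses to a single canonical name.
ALIASES = {"google chrome": "chrome"}


@dataclass(frozen=True)
class Installed:
    host: str
    name: str
    version: str


def normalize_name(raw: str) -> str:
    """Lowercase, collapse whitespace and map known aliases to a canonical name."""
    key = " ".join(raw.lower().split())
    return ALIASES.get(key, key)


def merge_feeds(*feeds):
    """Rationalize several feeds into one de-duplicated set of install records."""
    merged = set()
    for feed in feeds:
        for rec in feed:
            merged.add(Installed(rec["host"], normalize_name(rec["name"]), rec["version"].strip()))
    return merged


def classify(item: Installed, authorized=AUTHORIZED) -> str:
    """Return 'authorized', 'unauthorized_version' or 'unauthorized' for one record."""
    approved = authorized.get(item.name)
    if approved is None:
        return "unauthorized"            # product not on the list at all
    if approved and item.version not in approved:
        return "unauthorized_version"    # known product, version not approved
    return "authorized"


def reconcile(*feeds, authorized=AUTHORIZED):
    """Per-host findings for every install that is not on the approved list."""
    findings = defaultdict(list)
    for item in sorted(merge_feeds(*feeds), key=lambda i: (i.host, i.name)):
        status = classify(item, authorized)
        if status != "authorized":
            findings[item.host].append((item.name, item.version, status))
    return dict(findings)


if __name__ == "__main__":
    for host, items in reconcile(FEED_SCANNER, FEED_CONFIG).items():
        for name, version, status in items:
            print(f"{host}: {name} {version} -> {status}")
```

The name normalization step is where most of the real work lies in practice: without it the same package reported as "OpenSSH" and "openssh " shows up as two installs, and a whitelist comparison on raw strings produces false findings that erode trust in the inventory.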

To actively manage your software inventory, Archer can receive data feeds from Software Change Management tools, Vulnerability Management scanners, Application Whitelisting software, and Configuration Compliance tools.  These sources can be fed into the “Applications” database in Archer, which tracks all relevant information on software name, version, ownership, etc.  No other product collects and rationalizes application data from multiple sources like Archer.

Managing software inventory is an accomplishment in itself, but tying the data into other parts of Archer is where we start to see real GRC context and meaning.  Mapping software to the system it resides on, the business process it supports, and the business units it belongs to can help us visualize our IT infrastructure like no other tool can.  Without a GRC platform to relate records, our inventories are just individual silos of lists.

When organizations do attempt to tackle application whitelisting, Archer can be the single tool with which users can request permission to have new software approved.  CyberSheath has worked with several customers who are using software such as BeyondTrust PowerBroker to manage whitelisting.  Using an Archer “on-demand application”, we created a process where employees identified the software, its business need, and created an approval process that included supervisor escalation and workflow.  Archer became the inventory for not only all enterprise applications but also for the requests that were linked to each new software approved.

Building out the Enterprise Management module in Archer is always a top priority for organizations beginning a GRC journey.  So it is no coincidence that the goals of the GRC program often align with those of a pragmatic security framework like the Critical Security Controls.  Application inventory and whitelisting is a smart initiative for all companies to tackle early, and Archer provides the visibility to manage the process with clarity, structure, and transparency.

Watch for our next post as we discuss how Archer can assist with the third Critical Control, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, coming soon.

CyberSheath took to the road this month to talk about Archer GRC.  To learn more about GRC and how to be a successful consumer of a governance, risk and compliance framework, check out our post on 8 Steps that Drive GRC Success.  If you are still not convinced, listen to one of our customers, a multi-billion dollar technology integrator, describe how CyberSheath Professional Services successfully implemented GRC to create a business-enabling capability!  Click here to view the video.

I just returned from two of the first RSA Archer Roadshows.  On Tuesday I was in the great city of Minneapolis and quickly flew to DC for the event on Wednesday.  Both sessions had a great turnout and served to educate existing and potential customers on the capabilities of Archer.  With plenty of time scheduled for networking, customer use cases, and product news, the events were definitely worth attending and I was able to catch up with friends I hadn’t seen since the Summit.

Throughout all of the interesting presentations from users I heard one recurring theme:  Make it easier!  Every amazing success story of Archer implementations in organizations of all types and sizes came with a lesson learned or feedback that was common among all six sessions.  “Our users want a more intuitive experience with less clicks.”  “We implemented Archer to make our business processes simpler, yet we get pushback on the user experience daily.”  “Why is there still an Apply Button?” It was a message that many of us Archer practitioners had experienced ourselves over the years, yet had come to accept as an unavoidable cost of using a very powerful GRC tool.

“Simplify, Simplify.”
H.D. Thoreau

“One ‘simplify’ would have sufficed”
Ralph Waldo Emerson, in response

These concerns were addressed, however, when RSA made the biggest revelation of the Roadshow with details on Version 6.0.  All of the improvements we got an early glimpse of focus on an enhanced user experience and an improved interface.  The screenshots alone prompted smiles and whispers of “Finally”, and we left really excited about the future.

It’s hard to get a large organization to go with you on a GRC journey, and everything we can do to limit the impact on our stakeholders and improve their experience with the tool helps.  Through the awesome Community idea submission site and events like the Roadshows, Archer has always listened to customers and has sought to implement the features the users want.  I’m excited to be attending the other roadshows in Boston and New York in the next few weeks to see what others think of the future ahead for eGRC.

Security assessments can be of transformational value for your organization or they can be shelfware; the determining factor in what you end up with is a matter of leadership and strategy. Here is just one example of how an assessment can be transformational.

Several years ago I came into an organization with 5 separate security silos, all reporting independently of one another with almost no unifying set of objectives or control framework. One thing all 5 groups had in common was their belief that “the business just doesn’t get it”, it being security. When the 5 “families” got together the debate was fierce, discussions academic, and action towards improvement nonexistent. If only we had more money, more tools, more people, more, more, more…then and only then could we be effective. I’m simplifying the story a bit to fit into a blog posting, but not by much.

Having the advantage of being new to the organization I recognized that part of the problem with the state of security was security. If you listened to the groups the sky was falling but they had no data to support their assertions. They had no way to demonstrate, with facts and figures, that the company was taking on more risk than was reasonable.

We needed a quantifiable way to give the business actionable data and let them come to the right conclusions around investments in the security arena. So with my enormous team of 1 which eventually grew to 3 (including me), we set out to educate the business as to the risks they were taking and make the company more secure. It’s not an exaggeration to say that the effort to transform security at a global Fortune 500 company began with 3 people and an assessment.

We knew that we needed a way to measure security, and to do that we had to select a control framework that could withstand scrutiny and provide an actionable baseline against which we would measure improvement year over year. The two candidates were NIST and ISO, and there were passionate arguments for and against each. In my opinion, this is an area that can be “overthought”, meaning you can always change your mind later, but the most important thing is taking action now. In fact, we did exactly that by selecting ISO and then reverting to NIST.

Contrary to what many people might think, the next step was not to start the assessment. For the assessment to be effective the business would have to understand how and why it was important to their business, and making them ISO or NIST experts was not in the cards. We had to select the parts of ISO and NIST that were relevant to the business from a regulatory compliance perspective. The business understands compliance, be it with HR (employment law), workplace safety (OSHA), finance (SOX) and/or any other functions that support the business. Security, however, had never taken the time to map the work they were doing back to regulatory requirements in a language the business could understand.

So we set out to do that mapping, long before we started engaging vendors to do an assessment. In my next post, I’ll share some of the challenges with doing the mapping and how we ended up selecting a vendor.

This post will be broken into multiple parts, taking readers through my experience from the customer side of the equation and how to derive real value out of security assessments.

Before I get too far into this posting let me provide a disclaimer similar to a financial pundit who has to disclose the stocks he/she owns as they pontificate on the merits of said stocks. DISCLAIMER: One of the services my company sells is assessment services and I think they are invaluable, not because I sell them but because in past lives I’ve used them to literally transform the organizations I was leading. Assessments tell you where you are and provide the map that will get you where you want to go.

Security professionals share a common trait: they all have more work than resources, and that is not likely to change anytime soon. So, every day is spent fighting fires and you end up “living” on the hamster wheel of security.  Fun, right? Because there is always so much to do, it’s difficult to know what to do first, then second, then third, so that eventually you have strung together a series of investments that measurably improve your security posture. More likely than not you will make a series of investments in response to a series of crises and probably not have the time or system of management in place to measure the effectiveness of those investments.  Assessments can change that paradigm, permanently and for the betterment of your entire company, if you do them correctly.

The assessment is not an audit, so don’t describe it that way; socialize it appropriately with your management and your team. How? Every culture and set of circumstances is different, but something along the lines of, “We’ve got a good understanding of what we need to do in security to better align with the business, and we are using this assessment to validate that thinking and create a multi-year investment strategy that will drive measurable improvement as opposed to one-off point solution improvements.”  If this assessment is going to be transformative you need to build support before it starts, and ultimately you will have a burning platform off of which you can launch your strategy. The assessment is a tactic that will enable the execution of your strategy.

Don’t do the assessment yourself; you won’t have the time to do it justice, and somehow having a third party conduct the assessment is always more effective. When you select a third party, make sure they invest the time to know what you want to get out of this assessment. Lots of mediocre companies can produce assessments that follow a boilerplate template and answer all of your obvious questions, leaving you no better off than where you started and a little poorer. Take time up front to write a statement of work that forces your provider to deliver real value and not just a 100-page report. What’s real value?

In my next post I’ll take you through my experience as a customer and how I derived transformational value from security assessments, multiple times…

Due diligence and fiduciary responsibility for corporate executives is now widely acknowledged to include exercising sound judgment and effective controls in the domain of cybersecurity. There’s no escaping the responsibility to protect corporate information and infrastructure, and eventually the law will catch up with this reality. Until it does, here’s what you should be doing right now to exercise due care in managing cybersecurity risk.

1 – Be pragmatic, there are more risks than you can possibly address. If you try to do everything you will end up doing nothing.

2 – Get a baseline of the controls you currently have in place and how effective they are, and compare yourself with NIST 800-53 or the Consensus Audit Guidelines. (HINT: Remember step 1 and don’t overthink this; your assessment shouldn’t be a six-month exercise.)

3 – Do something! Prioritize your risks and address ONLY the things that can show measurable improvement, i.e. reduced risk. If you’re stuck in analysis paralysis just start with Consensus Audit Guidelines and address the ones that you’ve found to be vulnerabilities in your baseline.

4 – Document and tell your story using words and numbers that matter. Telling the board that SQL injection vulnerabilities have been reduced because you implemented a Web Application Firewall is why security often doesn’t get “a seat at the table”. Talk in terms of compliance and risk; they get that.

5 – Stop buying tools and adding complexity until you’ve mastered the ones you already own and have laid in the process (documented) to use them effectively and in an integrated fashion.

As Einstein said, “Everything should be made as simple as possible, but not simpler.” Apply this approach in exercising due care with respect to cybersecurity.

I’ve spent the week here at RSA talking with current and future customers, and a great question I get from customers looking for a trusted security partner is “So what exactly is it you do?” It seems like a simple question, but what it usually implies is some level of “consultant fatigue”: CISOs have had enough assessments, reports and outsiders telling them what their problems are. They want solutions and partners who do real work. Here’s what CyberSheath does to add value…guaranteed.

What We Do

We integrate your compliance activities with security activities and measurably reduce your risk.

How We Do It

Set a security strategy, select standards, implement controls, measure effectiveness.

What Results Look Like

A recent engagement for a customer led us to design and deploy an incident response and management plan. This particular security control happens to be Critical Control 18: Incident Response and Management from the CSIS 20 Critical Security Controls list. Implementing all 20 controls would have been ideal, but we are realists, not idealists. The customer had suffered a significant attack where the APT had been embedded for over two years, and the lack of process to contain and expel attackers directly contributed to massive amounts of data loss.

What We Did

Documented written incident response procedures that included specific roles and responsibilities for both management and technical personnel during each phase of an incident.

Documented and implemented organization-wide service level objectives (SLOs) related to mitigation of an incident.

The Results

The customer has a documented, repeatable and measurable incident response and management plan for cyber-attacks and mitigates attacks on average in less than 2 hours once discovered.

Our focus is on implementing real results that make you more secure; we guarantee it.

The keynote sessions here at RSA 2013 kicked off yesterday, and Art Coviello, RSA Executive Chairman, focused on the importance of big data and the opportunities it presents security teams from an intelligence perspective. He’s right, the opportunities are tremendous and customers are anxious to better leverage “big data”, but documented and repeatable process along with baseline implementation of critical controls are prerequisites for taking advantage of “big data”.

The actionable intelligence that can be gained from big data is only useful if it causes an organization to take the RIGHT actions in the correct sequence with measurable outcomes. Conceptually leveraging big data makes perfect sense but the implementation will yield more of the same firefighting that bogs down security organizations today if it’s not part of a documented strategy with measurable outcomes enabled by rigorous process and a thorough understanding of the controls you currently have in place.

The actionable intelligence that big data can provide could very well enable an organization to quickly and efficiently mitigate an attack by correlating unstructured data in a context that directs a SOC analyst to take appropriate action. Attack mitigated, the good guys win, right? Maybe not…are we really still just addressing the symptoms and not the root cause? The attack is a result of a vulnerability that was exploited, and resources are being expended on the incident response because resources were not expended on preventative maintenance. Perhaps if the control to prevent the attack in the first place had been documented, implemented and measured, the attack would never have happened.

I realize that implementing critical controls won’t stop every attack, but there is such a great opportunity to do some fundamental and meaningful work around implementing critical controls to stop the attacks that get overlooked.

It’s just good hygiene. Would you rather brush your teeth, floss and get regular dental examinations, or be really good at getting fillings?

Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily product vendors, which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.

CISOs are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment”, leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:

  • Identify a need
  • Hold a “bake-off” and select a product
  • Set deployment objectives (entire enterprise, all Windows desktops, etc…)
  • Achieve deployment objectives
  • Declare victory with reports showing deployment saturation metrics

It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser-focused on point solutions that address specific security requirements, missing the opportunity to tell the story of the business issue they are addressing as part of the bigger picture.

100% deployment isn’t the goal; that’s just your day job.  Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches every day it’s difficult, sometimes impossible, to address the bigger picture, but in my experience the organizations that do are the most effective.

All checked in @RSA 2013 here in San Francisco!

It’s interesting to me how different the perspective is when attending one of these industry conferences as the CEO of a security services company rather than as a CISO. When you are a CISO for a Fortune 500 company EVERY vendor wants your time, and you can be sure you will meet for as long as you want with whomever you want. As the CEO of a services company you’re competing for time with all of the big vendors and had better have something important to say as you vie for the precious time of oversubscribed CISOs.

It’s a great reminder for me of how important the work we do is. C level executives are inundated with competing demands on their time and what they need most is someone to solve real-world problems for them. They need a vendor, individual, product or service that literally takes something off of their plate so that they can move on to other priorities. Adding value in the security space is about delivering real-world pragmatic solutions that improve security posture.

Do you need that kind of a partner for your company? Let’s talk; I’ll be here all week, sales@cybersheath.com.

Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.

As a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today and ultimately protecting it, collectively, is a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done and they have done a tremendous amount of good work in defining recommended controls with the National Institute of Standards and Technology Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards given the national security implications.

Compliance to standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be outcomes of an effective security program and not separate objectives divorced from day to day operations. When viewed in a vacuum, compliance to standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance and that’s the discussion we should be having.

The work being done in security operations centers and IT delivery organizations to secure a company’s assets and information should be documented, measurable and process-driven. If your security program meets these criteria then the outcomes and effectiveness of your efforts can be easily measured against compliance to standards, often in an automated fashion. If your security program isn’t documented, can’t be consistently measured for effectiveness, and is not process-driven then compliance to standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business, as well, because the business isn’t sure what they should be getting for their security dollar.

If compliance to prescribed standards is a drain on your resources and you can’t see the value, that could be a red flag that your overall security program isn’t meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you’re doing that, compliance will be easy.
