Welcome to the world of overflowing regulations and compliance standards, of evolving infrastructure and the ever-present data breach. Each year, fraudulent activity accounts for $600 billion in losses in the United States. In 2017, more than 1 billion account records were lost in data breaches – an equivalent of 15% of the world’s population. 72% of security and compliance personnel say their jobs are more difficult today than just two years ago, even with all the new tools they have acquired.
Within the security industry, we are constantly searching for a solution to these converging issues – all while keeping pace with business and regulatory compliance. Many have become cynical and apathetic from the continuous failure of investments meant to prevent these unfortunate events. There is no silver bullet, and waving a white flag is just as problematic.
The fact is, no one knows what could happen next. And one of the first steps is to recognize the inherent limits to our knowledge and faculties of prediction. From there, we can adopt methods of reason, evidence and proactive measures to maintain compliance in a changing world. Dethroning the myth of passive compliance is an important step to achieve security agility, reduce risk, and find threats at hyper-speed.
Let’s debunk a few myths about IT security and compliance:
Myth 1: Payment Credit Industry Data Security Standards (PCI DSS) is Only Necessary for Large Businesses
For the sake of your customers data security, this myth is most unequivocally false. No matter the size, organizations must meet with Payment Card Industry Data Security Standards (PCI DSS). In fact, small business data is very valuable to data thieves and often easier to access because of a lack of protection. Failure to be compliant with PCI DSS can result in big fines and penalties and can even lose the right to accept credit cards.
Credit cards are used for more than simple retail purchases. They are used to register for events, pay bills online, and to conduct countless other operations. Best practice says not to store this data locally but if an organization’s business practice calls for customers’ credit card information to be stored, then additional steps need to be taken to ensure to ensure the safety of the data. Organizations must prove that all certifications, accreditations, and best practice security protocols are being followed to the letter.
Myth 2: I need to have a firewall and an IDS/IPS to be compliant
Some compliance regulations do indeed say that organizations are required to perform access control and to perform monitoring. Some do indeed say that “perimeter” control devices like a VPN or a firewall are required. Some do indeed say the word “intrusion detection”. However, this doesn’t necessarily mean to go and deploy NIDS or a firewall everywhere.
Access control and monitoring can be performed with many other technologies. There is nothing wrong in using a firewall or NIDS solutions to meet any compliance requirements, but what about centralized authentication, network access control (NAC), network anomaly detection, log analysis, using ACLs on perimeter routers and so on?
Myth 3: Compliance is All About Rules and Access Control.
The lesson from this myth is to not become myopic, solely focusing on security posture (rules and access control). Compliance and network security is not only about creating rules and access control for an improved posture, but an ongoing assessment in real-time of what is happening. Hiding behind rules and policies is no excuse for compliance and security failures.
Organizations can overcome this bias with direct and real-time log analysis of what is happening at any moment. Attestation for security and compliance comes from establishing policies for access control across the network and ongoing analysis of the actual network activity to validate security and compliance measures.
Myth 4: Compliance is Only Relevant When There Is an Audit.
Networks continue to evolve, and this remains the most critical challenge to network security and compliance. Oddly enough, network evolution does not politely standby while compliance and security personnel catch up.
Not only are network mutations increasing, but new standards for compliance are changing within the context of these new networking models. This discrete and combinatorial challenge adds new dimensions to the compliance mandate that are ongoing, not just during an impending audit.
Yes, the latest generation of firewalls and logging technologies can take advantage of the data streaming out of the network, but compliance is achieved when there is a discipline of analyzing all that data. Only by looking at the data in real-time can compliance and network security personnel appropriately adjust and reduce risks.
Tightening network controls and access gives auditors the assurance that the organization is taking proactive steps to orchestrate network traffic. But what does the actual network tell us? Without regularly practicing log analysis, there is no way to verify compliance has been achieved. This regular analysis happens without reference to when an audit is forthcoming or recently failed.
Myth 5: Real-Time Visibility Is Impossible.
Real-time visibility is a requirement in today’s global business environment. With legislative and regulatory change coming so rapidly, network security and compliance teams need access to data across the entire network.
Often, data comes in multiple formats and structures. Compliance reporting and attestation becomes an exercise in ‘data stitching’ in order to validate that network activity conforms to rules and policies. Security and compliance staff must become de facto data scientists to get answers from the ocean of data. This is a Herculean effort.
When implanting a new compliance requirement, there is an assurance process where the standard is tested against the access the new rule allows or denies. How do you know if a given rule or policy is going to have the desired effect (conform to compliance)? In most organizations, you do not have the personnel or time to assess network activity in the context of compliance standards. By the time a new compliance standard is due, the data stitching process is not complete, leaving us with no greater confidence that compliance has been achieved. No matter how fast you stitch data, it seems that the sheer number of standards will keep you spinning your wheels.
Of course, the other side of this dilemma is that these standards genuinely do prevent data compromises. But while a good chunk of your resources is tasked with testing and rolling out standards, another part of the team is implementing even more permutations of the network. This is what physicists call a dynamical system.