Security Data Analytics and Reporting, Developing reporting viewpoints: CISO

SDAR: Core SeriesCore Series
Written By Rhonald John Rose

In Security Data Analytics and Reporting: Developing Reporting Viewpoints for the Board of directors, we defined the architectural term Viewpoints and then outlined the board of directors’ viewpoint for security reporting in SDAR. We applied these concepts to a case study of an imaginary SaaS Consumer business that we called Akrogoniaios Technologies Corp (ATC). We then defined the potential programs that could be part of ATC’s cybersecurity strategy and the reporting viewpoint for the board of directors based on this strategy.

We will continue to use ATC to define reporting viewpoints for their Cybersecurity executive for SDAR (hereafter referred to as a Chief Information Security Officer - CISO).

CISO

As we discussed in the previous article, ATC’s security strategy is driven by regulatory compliance requirements and its organizational needs. The board of directors delegates the responsibility of developing and executing an optimal security strategy to the CISO. When the proposed cybersecurity strategy is approved by the board of directors, the CISO establishes the programs and activities and then monitors them.

For the purpose of our SDAR discussion, we will only focus on technical controls that are part of the cybersecurity strategy. The programs and major activities that are required to be compliant with regulatory requirements and organizational cybersecurity requirements were discussed in the previous article. Based on the board of directors’ requirements and the cybersecurity strategy, below are the views for the CISO:

  1. Compliance with cybersecurity frameworks

  2. State of compliance towards the regulatory requirements

  3. Organizational cybersecurity posture

  4. Cybersecurity trends within ATC

Figure 01: The views that makes up the CISO viewpoint in a SDAR system

In the real world, if an organization benchmarks the security maturity against CIS benchmarks, its stakeholders can add additional high level view reporting on CIS benchmark status.

Compliance with cybersecurity frameworks

Compliance with cybersecurity frameworks is a well established topic and all modern security software solutions have modules that automate technical control compliance in the information systems. However, under a SDAR system, a high level view of cybersecurity compliance can be provided for the CISO and then redirected to an appropriate detailed reporting view ⁠— either within the same SDAR system or in a different one.

ATC’s overall progress in complying with cybersecurity framework security controls can be grouped and tracked in the below categories:

  • Access Control

  • Audit and Accountability

  • Configuration Management

  • Identification and Authentication

  • Media Protection

  • Physical and Environmental Protection

  • Risk Assessment

  • System and Communications Protection

  • System and Information Integrity

Some of these categories do have management controls. Since these controls are usually manual processes, they cannot be automated and, therefore, cannot be integrated directly into an SDAR system.Usually, the CISO picks the family of controls or specific control across the physical domains, adds narratives and presents to ATC’s stakeholders. Each widget on the dashboard represents one category.

State of compliance towards the regulatory requirements

In this view, the CISO is presented with compliance reporting as per regulatory mandated cybersecurity standards, PCI compliance standards, privacy standards and any other relevant standards. This view is also an established area and hence, all modern software solutions that are meant for security monitoring and reporting come with modules to monitor and report on this area.

For ATC, below are the high level widgets presented available on this view:

  • NIST-CSF compliance

  • ISO 27001 compliance

  • PCI compliance

  • Privacy compliance

In a real world scenario, there will be additional compliance reporting against frameworks such as COBIT, BSI-100-2 and others, depending on the ownership and the industry.

Organizations cybersecurity posture

ATC’s cybersecurity posture view is developed entirely based on what the CISO wants to see. A view contains one or more widgets, each summarizing the overall risk rating for that domain composed from different categories of metrics. In this article, we will discuss one such physical domain; Identity, directory and access control services. ATC uses Active Directory that helps them manage identities and provision access for applications. It syncs user information from the HR system.

Figure 02: Physical security posture view with individual widgets, each representing one physical domain.

One of the widgets can be used to summarize Active Directory’s security posture. The summary widget is the weighted average of the below categories for identity, directory and access control services:

  • Vulnerability

  • Identity management

  • Session management

  • Single sign-on

  • Access control

  • Policy management

  • Classification

  • Abnormal behaviour

Each reporting category is made of several metrics. For example, the identity management category comprises a weighted summary of the below metrics:

  • User accounts configured as service accounts (or similar)

  • User accounts with policies which are not usually applied for users (on an average)

  • User accounts present on Azure AD but not on-premise AD

  • Service accounts used by users to login

  • Service accounts that do not conform to the password reset policies

  • Service account authentication failure trends

  • Service accounts associated with more than one service

  • Shared accounts used by more than one department or section

  • Shared accounts having privileged access

  • Shared accounts having access to classified fileshare, documents (sharepoint, etc.) and PCI resources

  • Password not changed for the Pwned accounts past 15 days of the compromise

  • Password not changed for the Pwned non-user accounts past 15 days of the compromise

  • No. of active users with passwords that never expire

  • User Accounts with non-expiring passwords

  • Domain controller accounts that have access outside Domain Controllers

  • Inactive accounts (accounts that have not been used for more than 60 days and have not been disabled)

  • Clear Text Password in Account Description

  • High Privileged group is a member Of "Allow Password Replication Group" on RODC

  • Administrative Accounts that have internet-browsing and/ mailbox capabilities

The above metrics are specifically related to the active directory used by ATC in our example. The selection of metrics for this widget must be tailored to the technologies that are being used within an organization.

Cybersecurity trends within ATC

Identifying trends helps organizations understand the effectiveness of their security strategy, track the progress of their security programs in eliminating threats, and assess the likelihood of cybercriminal attacks. Trends like vulnerability mitigation rate are valuable, but not necessarily useful for a CISO, since new vulnerabilities can appear anytime during the lifecycle of a software technology. Vulnerability mitigation is complex due to the need to coordinate with the business to bring down a critical service for patching (or other mitigation activities) and is thus typically beyond the scope of a CISO. Instead, this process is usually handled by the operations team.

However, some trends are relevant to CISOs and give them insight into the effectiveness of their organization's cybersecurity strategy, progress of their security program or overall security controls performance trends. Such trends can be better reported via architectural or logical domains, as opposed to physical ones. Some of the  widgets within this view for the CISO of ATC are:

  • Identity and Access Management

  • Vulnerability Management

  • Data Leakage Prevention

  • Security Posture

  • Regulatory Compliance

These widgets pack so many metrics and are therefore extremely complex. However, a cybersecurity trends view can give a CISO an idea of the overall performance of each security domain and, in turn, enables them to send recommendations to the board of directors, security governance committee or IT leadership team. One of the major issues with many security controls is that they gradually decline due to lack of automation, organizational changes or simply lack of interest. Trends help CISO get this crucial information and help initiate discussion within the organization to keep security practices on track.

Conclusion

The security reporting viewpoint used by CISOs consists of views such as the state of security compliance, security posture and cybersecurity trends. These views must be meaningful to the CISO and thereby help them make decisions that retain or improve organizational cybersecurity posture. This also helps the CISO demonstrate the effectiveness of the organization's security investments to the board of directors (or whoever they’re reporting to).

Rhonald John Rose https://www.akrogoniaios.com
Previous

Business continuity planning: requirements, scope of work and deliverables

Next

Security Data Analytics and Reporting, Developing reporting viewpoints: Board of Directors