Security Data Analytics and Reporting, Developing reporting viewpoints: CISO
In Security Data Analytics and Reporting: Developing Reporting Viewpoints for the Board of directors, we defined the architectural term Viewpoints and then outlined the board of directors’ viewpoint for security reporting in SDAR. We applied these concepts to a case study of an imaginary SaaS Consumer business that we called Akrogoniaios Technologies Corp (ATC). We then defined the potential programs that could be part of ATC’s cybersecurity strategy and the reporting viewpoint for the board of directors based on this strategy.
We will continue to use ATC to define the SDAR reporting viewpoints for its cybersecurity executive (hereafter referred to as the Chief Information Security Officer, or CISO).
CISO
As we discussed in the previous article, ATC’s security strategy is driven by regulatory compliance requirements and its organizational needs. The board of directors delegates the responsibility of developing and executing an optimal security strategy to the CISO. When the proposed cybersecurity strategy is approved by the board of directors, the CISO establishes the programs and activities and then monitors them.
For the purpose of our SDAR discussion, we will only focus on technical controls that are part of the cybersecurity strategy. The programs and major activities that are required to be compliant with regulatory requirements and organizational cybersecurity requirements were discussed in the previous article. Based on the board of directors’ requirements and the cybersecurity strategy, below are the views for the CISO:
Compliance with cybersecurity frameworks
State of compliance towards the regulatory requirements
Organizational cybersecurity posture
Cybersecurity trends within ATC
In the real world, if an organization benchmarks its security maturity against the CIS Benchmarks, its stakeholders can add a further high-level view reporting on CIS benchmark status.
Compliance with cybersecurity frameworks
Compliance with cybersecurity frameworks is a well-established topic, and all modern security software solutions have modules that automate technical control compliance checks on information systems. Under an SDAR system, however, a high-level view of cybersecurity compliance can be presented to the CISO and then linked to an appropriate detailed reporting view, either within the same SDAR system or in a different one.
ATC’s overall progress in complying with cybersecurity framework security controls can be grouped and tracked in the below categories:
Access Control
Audit and Accountability
Configuration Management
Identification and Authentication
Media Protection
Physical and Environmental Protection
Risk Assessment
System and Communications Protection
System and Information Integrity
Some of these categories also contain management controls. Since these controls are usually manual processes, they cannot be automated and therefore cannot be integrated directly into an SDAR system. Usually, the CISO picks a family of controls, or a specific control across the physical domains, adds narratives and presents the result to ATC's stakeholders. Each widget on the dashboard represents one category.
State of compliance towards the regulatory requirements
In this view, the CISO is presented with compliance reporting against regulatory mandated cybersecurity standards, PCI compliance standards, privacy standards and any other relevant standards. This view is also an established area, and hence all modern software solutions meant for security monitoring and reporting come with modules to monitor and report on it.
For ATC, below are the high-level widgets available on this view:
NIST-CSF compliance
ISO 27001 compliance
PCI compliance
Privacy compliance
In a real world scenario, there will be additional compliance reporting against frameworks such as COBIT, BSI-100-2 and others, depending on the ownership and the industry.
Organizational cybersecurity posture
ATC's cybersecurity posture view is developed entirely based on what the CISO wants to see. A view contains one or more widgets, each summarizing the overall risk rating for a domain, composed from different categories of metrics. In this article, we will discuss one such physical domain: identity, directory and access control services. ATC uses Active Directory to manage identities and provision access for applications; it syncs user information from the HR system.
One of the widgets can be used to summarize Active Directory’s security posture. The summary widget is the weighted average of the below categories for identity, directory and access control services:
Vulnerability
Identity management
Session management
Single sign-on
Access control
Policy management
Classification
Abnormal behaviour
Each reporting category is made of several metrics. For example, the identity management category comprises a weighted summary of the below metrics:
User accounts configured as service accounts (or similar)
User accounts with policies that are not usually applied to users (on average)
User accounts present in Azure AD but not in on-premises AD
Service accounts used by users to log in
Service accounts that do not conform to the password reset policies
Service account authentication failure trends
Service accounts associated with more than one service
Shared accounts used by more than one department or section
Shared accounts having privileged access
Shared accounts having access to classified file shares, documents (SharePoint, etc.) and PCI resources
Password not changed for pwned user accounts more than 15 days after the compromise
Password not changed for pwned non-user accounts more than 15 days after the compromise
Number of active users with passwords that never expire
User accounts with non-expiring passwords
Domain controller accounts that have access outside the domain controllers
Inactive accounts (accounts that have not been used for more than 60 days and have not been disabled)
Clear-text password in the account description
Highly privileged group that is a member of "Allow Password Replication Group" on an RODC
Administrative accounts that have internet-browsing and/or mailbox capabilities
The above metrics are specific to the Active Directory deployment used by ATC in our example. The selection of metrics for this widget must be tailored to the technologies in use within an organization.
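As an added example, not code from the original article, the weighted roll-up described above in Python: three of the identity management metrics listed here (inactive accounts, pwned accounts whose password was not reset within 15 days, and never-expiring passwords) are computed from a constructed directory export, combined into the category score with assumed weights, and then rolled up with the other seven categories into the Active Directory posture widget. The account records, metric and category weights, and the scores supplied for the other categories are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass
class Account:  # one row of a constructed directory export, not real ATC data
    name: str
    last_logon: date
    disabled: bool
    password_never_expires: bool
    password_last_set: date
    compromised_on: "date | None" = None  # when the credential appeared in a breach dump
TODAY = date(2024, 3, 1)
ACCOUNTS = [
    Account("alice", date(2024, 2, 20), False, False, date(2024, 1, 5)),
    Account("bob", date(2023, 11, 1), False, False, date(2023, 9, 1)),    # unused > 60 days, still enabled
    Account("carol", date(2023, 10, 1), True, False, date(2023, 8, 1)),   # unused but disabled: not counted
    Account("dave", date(2024, 2, 28), False, True, date(2024, 1, 15), date(2024, 2, 1)),  # pwned 29 days ago, not reset
    Account("erin", date(2024, 2, 27), False, True, date(2024, 2, 21), date(2024, 2, 20)),  # pwned, reset next day
]

def inactive_accounts(accounts, today=TODAY, days=60):
    # Enabled accounts not used for more than `days` days (the page's inactive-account metric)
    cutoff = today - timedelta(days=days)
    return [a for a in accounts if not a.disabled and a.last_logon < cutoff]

def unreset_compromised(accounts, today=TODAY, grace=15):
    # Compromised accounts whose password was not changed within `grace` days of the compromise
    return [a for a in accounts if a.compromised_on is not None
            and (today - a.compromised_on).days > grace and a.password_last_set <= a.compromised_on]

def weighted_score(scores, weights):
    # Weighted average of 0-100 risk scores; weights are relative and need not sum to 1
    total = sum(weights[k] for k in scores)
    return sum(scores[k] * weights[k] for k in scores) / total

IDENTITY_WEIGHTS = {"inactive": 1, "unreset_compromised": 3, "never_expiring": 2}  # assumed tuning
def identity_management_score(accounts=ACCOUNTS):
    # Category score: each metric is the share of accounts affected, scaled to 0-100, then weighted
    n = len(accounts)
    metrics = {"inactive": 100 * len(inactive_accounts(accounts)) / n,
               "unreset_compromised": 100 * len(unreset_compromised(accounts)) / n,
               "never_expiring": 100 * sum(not a.disabled and a.password_never_expires for a in accounts) / n}
    return weighted_score(metrics, IDENTITY_WEIGHTS)

# Widget roll-up over the page's eight categories; the weights are again an assumption
CATEGORY_WEIGHTS = {"vulnerability": 3, "identity_management": 3, "session_management": 1, "single_sign_on": 1,
                    "access_control": 2, "policy_management": 1, "classification": 1, "abnormal_behaviour": 2}
def ad_posture_widget(other_category_scores):
    # Combine the computed identity score with the other categories' scores supplied by their own collectors
    scores = dict(other_category_scores, identity_management=identity_management_score())
    return round(weighted_score(scores, CATEGORY_WEIGHTS), 1)
```

In a real SDAR deployment each metric would be fed by a collector against the directory and a breach-notification source, with the same roll-up applied on every refresh so the widget trends over time.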
Cybersecurity trends within ATC
Identifying trends helps organizations understand the effectiveness of their security strategy, track the progress of their security programs in eliminating threats, and assess the likelihood of cybercriminal attacks. Trends like vulnerability mitigation rate are valuable, but not necessarily useful for a CISO, since new vulnerabilities can appear anytime during the lifecycle of a software technology. Vulnerability mitigation is complex due to the need to coordinate with the business to bring down a critical service for patching (or other mitigation activities) and is thus typically beyond the scope of a CISO. Instead, this process is usually handled by the operations team.
However, some trends are relevant to CISOs and give them insight into the effectiveness of their organization's cybersecurity strategy, progress of their security program or overall security controls performance trends. Such trends can be better reported via architectural or logical domains, as opposed to physical ones. Some of the widgets within this view for the CISO of ATC are:
Identity and Access Management
Vulnerability Management
Data Leakage Prevention
Security Posture
Regulatory Compliance
These widgets aggregate a large number of metrics and are therefore complex. However, a cybersecurity trends view gives a CISO an idea of the overall performance of each security domain and, in turn, enables them to send recommendations to the board of directors, security governance committee or IT leadership team. One of the major issues with many security controls is that they gradually decline due to lack of automation, organizational changes or simply lack of interest. Trends give the CISO this crucial information and help initiate discussion within the organization to keep security practices on track.
Conclusion
The security reporting viewpoint used by CISOs consists of views such as the state of security compliance, security posture and cybersecurity trends. These views must be meaningful to the CISO and thereby help them make decisions that retain or improve organizational cybersecurity posture. This also helps the CISO demonstrate the effectiveness of the organization's security investments to the board of directors (or whoever they’re reporting to).