Date post: 08-Mar-2018

CONTINUOUS MONITORING DRIVES BETTER PERSPECTIVES OF RISK

While some may argue that cybersecurity regulations do more harm than good, governments and industry organizations disagree. The increasing reality is that with the growing abundance of regulations, the choice is to sink — and be exposed to bigger risks and penalties — or swim, which requires knowledge and awareness of what’s happening throughout the organization, and the ability to prove it.

WATCHING THE HORIZON

“With newer tools, an organization can determine its compliance state at any point in time, not just when auditors deliver a report, and adjust controls in order to prevent a security breach.”

— Matthew O’Brien CSC Global Cybersecurity Senior Principal

CYBERSECURITY CONTINUOUS MONITORING

The fluidity with which new security regulations, policies and laws emerge and existing ones change continues to demonstrate attempts to control risks — ranging from financial to, at worst, loss of human life — enabled by information technology. Some more notable actions include:

• The Payment Card Industry’s Data Security Standards v3.0 — January 2014

• Australia’s Privacy Amendment (Enhancing Privacy Protection) Act 2012 — March 2014

• Singapore’s first Privacy Act — 2014

• The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs approves new European Union data protection and privacy regulations — October 2013

• U.S. Cybersecurity Framework v1.0 — February 2014

“Due to increasing security and regulatory complexities, simply having a statement that details the requirement to comply with corporate policies isn’t good enough,” says Matthew O’Brien, CSC Global Cybersecurity senior principal. “Organizations need to know in as close to real time as is possible if they are or aren’t complying with their policies and be more proactive in enforcing compliance.”

To achieve this, organizations must continuously monitor their systems, which, besides enabling them to better mitigate threats, also gives them the ability to report on their actions and the status of their cybersecurity controls, such as encryption of credit card data or monthly scans for vulnerabilities.

However, as organizations attempt to track their regulatory controls and compliance, they are suffering audit fatigue. To help, some organizations have bolted on tools to their infrastructure to automate the effort needed to track audits and compliance with different regulations.

SECURITY INFORMATION OVERLOAD

“Organizations’ attempts to reduce risk and increase compliance by adding on discrete, potentially incompatible security tools has generated large amounts of data, resulting in security information overload,” says O’Brien. “This approach is ineffective, causes high overhead and actually makes it more difficult for organizations to correlate information for audits.

“Without a dashboard-type tool that links information to provide an integrated view, organizations rely on discrete security solutions that provide limited information and views.”

While organizations may lack the ability to effectively monitor, detect and respond to threats throughout the enterprise, these dashboard capabilities can help them better determine where risk is high and therefore where to spend limited resources to secure valuable data and functions. Just as people use different levels of security to protect their valuables — locks for homes, safes for valuable papers — organizations must choose how much security their different assets and systems need to remain flexible and avoid unnecessary expenses where possible, while securing valuable assets.

“Due to increasing security and regulatory complexities, governing via corporate policy alone no longer works.”

Matthew O’Brien, CSC Global Cybersecurity, Senior Principal

NEW TOOLS OVERSEERS, NOT GATEKEEPERS

While compliance costs can run high — one CSC client, O’Brien says, reported spending millions of dollars to support its audit teams — new tools and services that can automatically monitor an organization’s enterprise can help reduce those costs. Newer offerings, such as those providing dashboard views of an organization’s security health, specifically address governance and provide more of an oversight of risk compared to more traditional tools that act as gatekeepers of data or networks.

“With newer tools, an organization can determine its compliance state at any point in time, not just when auditors deliver a report, and adjust controls in order to prevent a security breach,” says O’Brien. “If we identified a security threat in the wild that attacks a particular vulnerability within a Windows environment, for example, and had an integrated enterprise view of an organization, we could then identify the systems that would be vulnerable to that particular threat, which ones lack any remediating controls, as well as assign priority for remediation based upon the critical nature of the systems.

“This would then let us value the risk and put in place measures to mitigate that risk. The expectation is that the more closely an organization complies with its security and risk policies, the less vulnerable it is to attack.”

Reducing one’s vulnerability footprint becomes increasingly important as criminals continue to develop new ways to attack, gaining entrance to data and systems via mobile devices and social media, as well as through more traditional entry points.

Respondents to Ponemon Institute’s 2013 Cost of Cyber Crime Study: Global Report reported that their companies experienced an average of 1.4 successful attacks per week, up 20% over the prior year. To protect against this onslaught, organizations are broadening their approach from one that focuses solely on compliance to one that includes continuous monitoring and awareness, giving them greater abilities to react to the possibilities of threats before they become a reality.

“For years, compliance made us predictable,” says O’Brien. “Today, by being aware of what’s happening within our systems, we can become operational. That still lets us comply, but it also gives us control, makes us less predictable and, in turn, drives adversaries crazy.”

CSC’s Managed Security Services include next-generation solutions to streamline governance, risk and compliance (GRC) processes by integrating data and reporting from existing cybersecurity controls into easy-to-understand views. Based upon technology from the RSA Archer® GRC platform, CSC’s Horizon service provides clients with real-time continuous monitoring of their cybersecurity status through the use of vulnerability analysis, exploit discovery, threat remediation and recovery services.

TO LEARN MORE, VISIT: www.csc.com/cybersecurity

or contact us at:

[email protected]

WORLD CSC HEADQUARTERS

THE AMERICAS
3170 Fairview Park Drive
Falls Church, VA 22042
United States
+1.703.876.1000

ASIA
20 Anson Road #11-01
Twenty Anson
Singapore 079912
Republic of Singapore
+65.6221.9095

AUSTRALIA
Level 6/Tower B
Macquarie Park, NSW 2113
Sydney, Australia
+61(0)2.9034.3000

EUROPE, MIDDLE EAST, AFRICA
Royal Pavilion
Wellesley Road
Aldershot, Hampshire GU11 1PZ
United Kingdom
+44(0)1252.534000

ABOUT CSC

The mission of CSC is to be a global leader in providing technology-enabled business solutions and services.

With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients and improve operations.

CSC makes a special point of understanding its clients and provides experts with real-world experience to work with them. CSC leads with an informed point of view while still offering client choice.

For more than 50 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs.

The company trades on the New York Stock Exchange under the symbol “CSC.”

© 2014 Computer Sciences Corporation. All rights reserved
