
Page 1: Continuous Compliance: Is It a Reality? - NDM Technologies › siem › pdf › wp-continuous-compliance-is... · 2016-05-25 · the security tools that you have procured for compliance

White Paper

Continuous Compliance: Is It a Reality?


Table of Contents

Introduction
Compliance and Security Failures
Continuous Compliance to the Rescue
Tools for Continuous Compliance
Continuous PCI DSS 2.0
Continuous FISMA
Conclusions
About the Author


Compliance barged in and became the defining influence on information security over the last four to five years. While some claim that this is what brought information security to the boardroom and made it mainstream, others say that it nearly destroyed it. In any case, the huge impact of regulations and mandates on the practice of information security cannot be overstated. It will likely take years before the IT industry understands the overall effect that regulations are having on the way we secure business information and IT systems.

Introduction

In this paper we explore the subject of continuous compliance versus audit-driven compliance, as well as how an ongoing approach to compliance makes compliance a positive force for securing data and systems. Using examples from mandates such as PCI DSS and FISMA, we offer some useful tips for avoiding both breaches and audit failures.

Compliance and security today stand locked in an uneasy balance. While security professionals often say that “compliance is not security,” the reality is more complex. For better or for worse, compliance, in fact, is security for many organizations today. More often than not, auditor-focused projects compete with attacker-focused projects for resources and executive attention. The attitude is: “I might be hacked, but I will be audited.” Some companies never go beyond what they perceive is an externally mandated minimum. Needless to say, such situations leave a lot of organizations exposed to attackers.

It is interesting to note that the great compliance debate has manifested in other fields as well. For example, why do we wear seat belts while driving? What motivates us to buckle up: the risk of death (which, in security terms, parallels the continuous risk of heavy damage from attackers) or the risk of a $60 fine (which, like an audit failure, is suffered only when caught)? The risk of death or bodily harm is continuous, while the risk of a fine exists only when a police car is nearby. Recent US Department of Transportation research points at both fines and education as primary drivers for growing seat belt compliance levels.

On the other hand, compliance compels organizations to secure regulated data, whether payment cards, patient information, or sensitive agency information. For example, the spirit of PCI DSS is to reduce the risk of payment card transactions, while HIPAA seeks to improve the security of personal health information. These and other mandates came into being after market forces failed to motivate organizations to improve the security of data, which resulted in large-scale breaches even as both our reliance on that data and attacks on our assets increased dramatically.

The most well-known example, the Payment Card Industry Data Security Standard (PCI DSS), applies to organizations that accept payment cards or handle payment card data. The PCI Security Standards Council, which maintains the standard (first published in 2004), states that “The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data.” This broadly applicable statement makes PCI one of the most influential security standards today. What adds to PCI DSS’s global power is compliance enforcement, wielded by the global card brands such as Visa and MasterCard. PCI DSS means two different things: the PCI regulatory regime of fines, assessments, and enforcement, and the PCI DSS document itself, with more than 220 security controls. PCI DSS compliance is validated via an annual Qualified Security Assessor (QSA) on-site assessment (for merchants and service providers with larger transaction volumes) or an annual self-assessment, plus, in either case, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Many companies choose to pay attention to compliance only on an annual basis.


So, how do companies approach PCI and other regulations today? Why do unnatural situations still arise in which a PCI deadline is treated as more important than a live breach response? The audit mentality that focuses narrowly on avoiding fines, and not on the underlying security requirements, has led to many breaches at companies that, when examined after the fact, turned out to be noncompliant as well. In reality, if you focus on security, you have a fair shot at achieving both security and compliance; if you focus on compliance alone, you are likely to fail at both.

Compliance and Security Failures

Let’s delve into some of the failures of the current audit-oriented compliance model.

In the Verizon 2010 PCI Report and the Verizon 2011 Data Breach Report, one thing was clear. While regulatory compliance has raised the visibility of information security in many organizations, many organizations were not found to be compliant at the time of the breach. The PCI report confirms that the following controls have the largest gap in implementation:

• Requirement 10: Track and monitor all access to network resources and cardholder data—39 percent
• Requirement 11: Regularly test security systems and processes—38 percent

(Source: Verizon Business PCI Report 2010)

According to the PCI report, logging and monitoring (Requirement 10) and regular testing (Requirement 11) are some of the hardest requirements to comply with and are most often missed by organizations worldwide, as they call for ongoing, daily efforts. Monitoring access to cardholder data must be continuous to be effective against data breaches. The log review, the key part of Requirement 10.6, is explicitly mandated to occur on a daily basis.

Other industry research also indicates that nearly all organizations fall out of compliance over time. Password policies on systems drift back to shorter, weaker passwords through neglect. Security awareness campaigns deliver an initial compliance boost, then grow stale and ineffective and are ignored by employees. Vulnerability scanning continues every quarter, as mandated, but the scans that should follow significant network changes are skipped. Logs are reviewed before the QSA visit and for a few weeks afterwards, but then the proverbial “other priorities” take over. All of this leads to simultaneous security and compliance failures, well documented in recent industry research.

Continuous Compliance to the Rescue

What is the way out of this vicious audit cycle that wastes money and does not lead to meaningful security improvements? Organizations need to internalize the spirit or the intent of regulations and secure the data without breaking the budget and while staying compliant during every day of the year.

The notion of continuous, ongoing, or even proactive compliance has been around for more than a few years, but very few organizations have taken it to heart due to perceived higher costs as well as other real or imagined drawbacks. Let’s define continuous compliance as compliance that is internalized by an organization (as opposed to being seen as something forced on it from the outside) and turned into an ongoing process and program that is part of routine operational practices, performed daily, weekly, and monthly.


There are many reasons why such an approach to regulatory compliance has not become truly popular. One of the driving forces hindering its adoption is the view, held by management at some organizations, that compliance is an external annoyance that needs to be dealt with as cheaply and as quickly as possible. Treating compliance as a way of getting auditors off your back, and not as a signal that a new approach to information security is required, leads to compliance efforts that waste money without delivering any benefits. Such an extremely tactical and short-sighted approach has led many organizations to damaging breaches and multimillion dollar losses.

So, how do you achieve cost effectiveness, ongoing compliance, and a secure IT environment? How do you steer your organization’s culture away from the audit mad dash? And most importantly, how do you start down that road: build a program, talk management into adopting a continuous compliance strategy, and obtain budget for security and continuous compliance?

Let’s start by looking at how some regulations approach ongoing compliance. A great deal of money and IT staff hours are spent on getting organizations to achieve compliance. However, it is well documented that investment drops sharply after the first successful audit or PCI assessment, which often leads to the decay of security measures in the environment.

The first step is to adopt a compliance-plus approach: acquire solutions for compliance before the first audit and use them for security every day afterwards. Simply having an ongoing program and using all the security tools that you have procured for compliance will help turn thinking from annual audit to daily security. A great many PCI-focused technology safeguards are useful for other tasks beyond PCI DSS and even beyond security—log management, configuration management, and application network analysis are just a few examples. Going with a “one win at a time” approach works to get both the budget and other needed resources for such an ongoing program—using compliance for security daily and validating it annually or as needed.

The second step is to operationalize compliance. By that we mean make its requirements part of routine, daily security procedures. In fact, PCI DSS itself begs to be utilized in exactly that way: Requirement 12.2 states, “Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).”

The third step is to realize that staying compliant is even more important than getting compliant. Your executives may not respond with an instant budget windfall, but this framing can get them thinking of compliance as something done every day rather than a big burden faced once a year.

The fourth step is to realize the intent of regulations and not just the “letter of the law.” PCI DSS and other regulations simply cannot mandate that organizations care about security. The regulatory approach allows you to mandate security controls, but not mandate caring or even being a responsible corporate citizen and safeguarding regulated and personal data. Moreover, we can mandate controls, approaches, tools, but we cannot mandate doing a good job with security. Think of continuous compliance as another way of doing a good job with security. This will allow your organization to experience a progression from fear of audits to caring about the business.


Finally, it’s important to realize that the attacker is the enemy, and that the QSA and even the auditor are really allies. The audit mad dash only helps with the latter, while frustrating everybody. The real goal of PCI is the former. So continuous compliance is a must—a way to start planning your ongoing compliance is to make a commitment to it.

“Mad dash” compliance (done for the auditor, teaching to the test)

Pros
• Only takes time once a year
• Solves the immediate problem, the audit

Cons
• Does not help security
• No side benefits
• Disruptive to business
• Not strategic
• Audit failures are unavoidable
• Future costs are unpredictable and likely include breach costs
• Inherently tactical, short-sighted

Continuous compliance (done for the benefits, teaching to succeed in life)

Pros
• Solves many problems
• Improves security
• Reduces cost over time
• Reduces breach costs
• Inherently strategic, future-oriented

Cons
• Takes time every day
• Takes effort to adopt
• Might take some convincing with executive management

So, how can an organization “audit” itself every day? Obviously, it calls for heavy automation of the entire process—fortunately, we are not talking about paying the auditors to be on site every day for a year. In fact, such continuous self-audit is simply security monitoring, using SIEM and other security intelligence tools.


Tools for Continuous Compliance

Security information and event management (SIEM) tools are an example of a perfect compliance technology, as they help you collect and analyze logs and other compliance-relevant activity records, as well as context. More robust SIEM tools also help you analyze content data and can present the information in a format directly applicable to regulatory audit needs. On top of this, SIEM tools are designed for continuous security monitoring and are ideal for continuous compliance efforts.

SIEM thus becomes the central point for continuous compliance. Let’s address two critical questions in detail:

1. What information needs to flow into a SIEM for effective continuous compliance?

2. What capabilities and features should a SIEM tool possess to be successfully used in continuous compliance projects?

Knowing these two things will help your organization to both improve your compliance efforts as well as pick a better SIEM for securing your information and systems.

What information needs to flow into a SIEM to enable continuous compliance?

• All compliance-mandated logging, which varies by regulation but usually includes: logins to systems (both successful and failed), system configuration changes, privileged user actions, access to data, and known security issues such as malware and detected
• Records of access to sensitive data, in databases, files, and other locations
• Information on compliance-relevant IT assets, their configurations, and other asset parameters

For example, it might include all Microsoft Windows Event Log records for logins, user account changes, system security policy changes and, in some cases, object access audit events. On a firewall, the above might cover management access to the device itself, detected security issues, and attempts to connect to/from a regulated network.


What capabilities should a SIEM tool have to be best for continuous compliance?

• Compliance reports are a mainstay of the compliance use case for SIEM. Leading SIEMs now have hundreds of prebuilt compliance reports included at no additional cost. PCI DSS, FISMA, HIPAA, and other regulations are typically covered.

• Specifically for continuous compliance, real-time monitoring dashboards complement static reports, thus consolidating regulatory compliance requirements with daily security operations to maximize efficiency and avoid surprises during an audit.

• Correlation rules focused on regulatory issues also help automate many tasks around achieving and maintaining regulatory compliance. Rules cover automated monitoring for suspicious login patterns, changes following attacks, as well as access to the regulated environment from unusual sources and during abnormal hours.

• More advanced products also feature deviation analysis for both activities and controls, thus allowing the operators to detect violations of compliance without writing specific rules for all types of possible violations. Such capability is commonly enabled by risk scoring or algorithmic correlation.

• The same technology also helps to prioritize regulatory issues by importance through asset management. As a result, violations on assets which are also critical to the business will be handled sooner, possibly reducing the workload of the security team.

• On top of traditional SIEM use, network flow and content monitoring allows automatic detection of more types of violations, such as regulated data transferred without encryption, use of unauthorized applications on regulated data or systems, and leaks of sensitive data.

• Cross-regulatory mapping and a “monitor once, comply with many” compliance taxonomy allow the organization to practice a unified approach to multiple regulations as well as to its own risk management and internal audit needs.

As a result, using a SIEM as your central point for ongoing monitoring fully aligns your security model and your compliance model and helps with both ever-present attacks and unavoidable annual audits. The entire process—updating or creating your security policy based on applicable regulations, designing corresponding operational procedures, customizing automated violation alerting, and final compliance reports—can be accelerated and optimized by using a SIEM tool.
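As an added illustration of the correlation rules listed above (a suspicious login pattern, and access to the regulated environment from an unusual source or at abnormal hours), here is a small Python script that is not part of the original paper and not the logic of any SIEM product. The key=value log format, the host names, the allowed address range, the failure threshold and the business-hours window are all constructed assumptions; a real deployment would read them from the asset inventory and the site policy.

```python
"""Added example: three SIEM-style correlation rules run over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records. The key=value layout is an assumption for this
# example, not the output format of any real product.
SAMPLE_LOGS = """\
2012-06-04T02:13:07Z host=pos-db-01 event=login result=failure user=svc_backup src=203.0.113.7
2012-06-04T02:13:09Z host=pos-db-01 event=login result=failure user=svc_backup src=203.0.113.7
2012-06-04T02:13:12Z host=pos-db-01 event=login result=failure user=svc_backup src=203.0.113.7
2012-06-04T02:13:14Z host=pos-db-01 event=login result=failure user=svc_backup src=203.0.113.7
2012-06-04T02:13:20Z host=pos-db-01 event=login result=success user=svc_backup src=203.0.113.7
2012-06-04T09:41:00Z host=pos-db-01 event=login result=success user=dba_jane src=10.20.0.15
2012-06-04T22:05:33Z host=pos-app-02 event=login result=success user=dba_jane src=10.20.0.15
2012-06-04T10:02:11Z host=corp-fileshare event=login result=success user=bob src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed scope: hosts in the cardholder data environment (CDE), the source
# ranges allowed to reach them, and what counts as normal working hours (UTC).
CDE_HOSTS = {"pos-db-01", "pos-app-02"}
ALLOWED_SRC = [ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(6, 20)
FAILURE_THRESHOLD = 4
FAILURE_WINDOW = timedelta(minutes=5)


def parse(text):
    """Turn raw lines into dicts with a timezone-aware timestamp, oldest first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # unparseable lines are dropped here; a real collector should count them
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def correlate(records):
    """Return (rule, host, user, detail) tuples for every rule that fires, in event order."""
    alerts = []
    failures = defaultdict(list)  # (host, user, src) -> timestamps of failed logins
    for r in records:
        if r["event"] != "login":
            continue
        key = (r["host"], r["user"], r["src"])
        if r["result"] == "failure":
            failures[key].append(r["ts"])
            continue
        # Rule 1: a burst of failures followed by a success from the same source.
        recent = [t for t in failures[key] if r["ts"] - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("brute_force_then_success", r["host"], r["user"],
                           f"{len(recent)} failures in window"))
        failures[key] = []
        if r["host"] not in CDE_HOSTS:
            continue
        # Rule 2: successful access to the CDE from a source outside the allowed ranges.
        src = ip_address(r["src"])
        if not any(src in net for net in ALLOWED_SRC):
            alerts.append(("cde_access_unusual_source", r["host"], r["user"], r["src"]))
        # Rule 3: successful access to the CDE outside business hours.
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("cde_access_abnormal_hours", r["host"], r["user"], r["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

On the constructed sample the script raises four alerts: the svc_backup burst trips all three rules at 02:13 UTC, and dba_jane's 22:05 login to pos-app-02 trips only the abnormal-hours rule. The daily log review that Requirement 10.6 calls for then becomes a review of these alerts rather than of raw events.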

Let’s review two brief case studies of continuous compliance with PCI DSS 2.0 and FISMA.


Continuous PCI DSS 2.0

PCI DSS 2.0 seems to be a step towards more proactive regulation, despite sticking to the original validation model via annual assessments and quarterly scans. PCI DSS documentation states that maintaining PCI compliance at all times is indeed the responsibility of the merchant. The PCI DSS guidance prescribes many ongoing activities, including the following:

• Log review (Requirement 10.6)
• IDS/IPS monitoring (Requirement 11.4)
• Monitoring for critical file changes (Requirement 11.5)
• Monitoring vendor remote access (Requirement 8.5.6)

Also, as a matter of process, the merchants must monitor their environment for missing technical PCI DSS controls: password policy, antivirus tools, firewall configurations, database access, and other controls.

The table below shows some of the key ongoing tasks in PCI DSS.

Frequency  | Tasks
-----------|------------------------------------------------------------------------------------------
Annual     | Risk assessment, security awareness training, key changes, review of off-site backups, QSA assessment
Quarterly  | ASV and internal vulnerability scans, wireless scans
Weekly     | File integrity checking
Daily      | Log and alert review, other security operational procedures (see Requirement 12.2)

In the case of PCI DSS, compliance does not end when a QSA leaves or a Self-Assessment Questionnaire (SAQ) is submitted. Use what you built for PCI to reduce risk and essentially own PCI DSS. Make it the basis for your policies. In fact, a good QSA will check whether you are wired for continuous compliance. Pick one of that type.

So, knowing that your efforts will only be checked by a QSA once a year should not discourage you from following the daily procedures: the attackers will be testing them every second of that year. For example, SIEM is a straightforward way of automating daily log review (Requirement 10), as well as ongoing monitoring for attacks via IDS/IPS (Requirement 11). In addition, SIEM is also an ideal central reporting system for many other requirements whose evidence is produced by other systems (such as antivirus, firewalls, and integrity checking). SIEM’s role goes beyond any individual requirement; it covers the entire compliance implementation and maintenance process in PCI DSS.


Continuous FISMA

The Federal Information Security Management Act of 2002 (FISMA) “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.”

It is rumored that FISMA might soon be updated with a new law (FISMA 2.0) that explicitly prescribes continuous monitoring; even today’s FISMA includes inherently continuous requirements such as logging, log review, and security monitoring. FISMA and the related NIST guidance have also been trying to move towards the continuous model to replace the infrequent audit model.

As defined by NIST, “The objective of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur.” (Source: NIST Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems, February 2010)

This indicates that more and more regulation will be leaving the infrequent audit model behind and moving towards continuous compliance. For example, SIEM can obviously be used for audit log and other activity review, as well as serve as a central point for all continuous control monitoring activities. It also plays a key role in access control by providing the monitoring layer, as well as supporting identity and access management. Multiple FISMA metrics can be tracked using SIEM rules and dashboards.

Conclusions

After validating that you are compliant, don’t stop. Continuous compliance and security is your goal, not just passing an audit. Your organization must develop a security and risk mindset, not a compliance and audit mindset. Eventually, auditor-resistant security should give way to attacker-resistant security.

To achieve this, your organization must learn how to internalize and operationalize compliance and thus gain the security benefits that only continuous compliance delivers. In other words, everything you do for compliance must have security benefits for your organization. What helps to get this done is an ability to change the mindset that thinks that “compliance is being done to me, not by me.” And wouldn’t it be great if attackers only hit once a year, like auditors?


About the Author

Dr. Anton Chuvakin (www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance.

He is the author of two books, Security Warrior and PCI Compliance (www.pcicompliancebook.info), and a contributor to Know Your Enemy II and the Information Security Management Handbook. He is currently working on a book about system logs. Dr. Chuvakin has published dozens of papers on log management, correlation, data analysis, PCI DSS, and security management (see the list at www.info-secure.org). His blog, www.securitywarrior.org, is one of the most popular in the industry.

In addition, Dr. Chuvakin teaches classes (including his own SANS class on log management) and presents at many security conferences all over the world. He recently addressed audiences in the US, the UK, Singapore, Spain, Russia, and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups.

Dr. Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Dr. Chuvakin worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance, and operations. Before LogLogic, he was employed by a security vendor in a strategic product management role. Dr. Chuvakin earned his Ph.D. degree from Stony Brook University.


2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 44602wp_continuous-compliance_0612_fnl_ETMG