Compliance is a thorn in the side of any business. Ticking the boxes of regulatory standards and best-practice security guidelines like NIST or ISO 27001 is one thing, but companies who leave it at that often leave vulnerabilities in their systems as well.
It is true that regulations can help with security risk management, and act as a solid foundation for effective security. Unfortunately, stopping there can also leave blind spots in your system’s protection.
What’s happening in your network?
When referring to a business’ systems, “visibility” is usually thought of as the ability to monitor the performance and uptime of a company’s applications and network. But it’s much more fundamental than that. Visibility really means knowing where and how your data is being collected and distributed across your entire business, and if you don’t have full visibility of your systems, there will be blind spots.
There are many factors that inhibit visibility. One is the fact that companies are constantly generating and accumulating more data, which leads to a complex environment. Another major factor is that security tools, like firewalls, intrusion prevention systems (IPS), and SIEM tools, must have access to your network in order to work well. This means that they are also exposed to anyone who can tap into that network. And by moving their traffic through encrypted tunnels, attackers can cloak threats behind security measures of their own, hiding them from the very tools meant to inspect that traffic.
Meanwhile, the cloud poses an entirely new difficulty in maintaining visibility. Independent research revealed that over 60% of respondents reported network blind spots that were posing a major obstacle to effective data protection. By outsourcing your data to a public or hybrid cloud, the processes going on inside the cloud can become obscured from you as the client. While you might have a plethora of detection tools in place for your in-house operations, if an attacker confines their activity to your cloud-hosted data, your in-house tools may not help you.
Visibility is something that many regulations don’t touch on at all. Regulations still penalise the consequences of having blind spots (such as a data breach), but they don’t address the necessity of visibility in plain terms.
Many regulations were developed in the wake of disastrous and embarrassing failures that had already happened. Security issues that don’t catch the public eye are simply neglected by compliance, even though they can just as easily lead to future disasters.
This is how simply following the regulatory requirements leads to gaps. The preferred approach is to carry out your own (data) asset-based risk assessment and mitigate accordingly.
But beware: overconfidence about the likelihood and potential impact of IT disasters is a common problem. Some companies go for years with the attitude “it hasn’t happened yet, so it must be OK”. Don’t trust to luck. Take a pessimistic approach in your security risk assessment.
What’s the answer?
Meeting compliance with standards like NIST and ISO 27001 is a good start and can be a strong foundation for network and cyber security. The best approach, however, is to pair compliance standards with threat intelligence and analytics, giving you the best chance of predicting potential attacks and finding ongoing problems much more quickly.
Companies that focus mainly on compliance and less on threat intelligence and analytics do not fare well at discovering compromised endpoints, whereas those who focus on the latter are able to discover compromises faster.
In summary: take the two-pronged approach – meet compliance as a foundation, but add threat intelligence with analytics to bring it to the next level.