Control Checks are essential for Continuous Controls Monitoring

May 05, 2020

Peter Goodall

In order to address a key problem in managing risk and compliance, the Panaseer Platform introduced the concept of Control Checks to continuously and automatically measure the compliance of your assets to your security policies.

Continuous Controls Monitoring (CCM) sits above your existing security tooling and provides visibility of all of your assets, users, applications and databases, as well as the confidence that controls are working effectively. Combining Control Checks with the building blocks of CCM, specifically automatic data collection and measurement, fills an important gap in GRC and IRM solutions.


Measuring compliance 

Many Governance, Risk and Compliance (GRC) tools can document your security policies to the nth degree, but they cannot reliably measure how well your controls are actually working.

When building a security strategy, many companies use one or more security frameworks as the basis for creating internal security policies, and to ensure they create a wide range of security policies to suit their current needs. The security policies are usually defined at a high-level, so you create standards that define what needs to be done to enforce those security policies. The enforcement of standards will involve the use of various tools or controls. 

A control can be physical (‘entrances are locked outside hours of operation’) or technical (‘antivirus software is installed and updated on all workstations’). The specific terminology in the hierarchy below policies often varies between companies, but it effectively boils down to these three things: policies, standards and controls.

Unfortunately, the final crucial piece is often missing or done ineffectively. Can we verify whether those controls are effective? 

These internal or company-specific policies, standards and controls must be documented and maintained somewhere. For a small organisation, it is relatively easy to keep track of and verify internal policies, but for larger organisations (1000+ employees), managing, tracking and verifying policies is challenging. 

In these larger organisations, an owner is assigned for the various areas and these owners need to either manually verify compliance with each policy or gather the necessary data to prove compliance and manually upload that data to some internal tracking system – usually either a spreadsheet or a GRC tool. The problem with this approach is that the very next day that data is probably out of date. For really large organisations, this problem is increased, and the data could be out of date before it is even submitted. 

What is really needed is a system that can use the data from all technical controls, combine that data into a digestible format, and keep that information up to date continually. While GRC tools are great at documenting policies, procedures and controls, they still rely at some stage on a manual process to document the crucial step of verifying all those controls are not just present but working as expected. You don’t just want to document the process of compliance, you want to continually measure your compliance and make sure the data is never out of date. 

This is where Continuous Controls Monitoring (CCM) can help. A CCM platform keeps everyone informed and focused on the current state of an organisation’s security posture. The Control Checks feature of the Panaseer platform can measure the effectiveness of your controls. 


Giving you context  

Control Checks define the criteria used in checking that your controls are working effectively, so you can fully understand the context of what you are measuring and why you are measuring it.

Large organisations will inevitably have many different technical controls that produce large volumes of data. In a recent study by Forrester, 55% of respondents said they were running over 50 different tools. As anyone that has worked with data knows, it isn’t just about having access to the data, but what you do with it, and crucially, how trustworthy it is. 

The Panaseer Platform enables users to create dashboards to group that data and bring focus to collections of metrics and measures. The metrics and measures are displayed as visualised calculations, which can be expanded to dig deeper into the data. Each dashboard is customisable to show different perspectives on the data, e.g. using different time frames, viewing calculations as numbers or percentages, or applying filters to focus on certain aspects like region or environment type. 

Part of digging deeper into the data is understanding the criteria underlying the calculations you are exploring. Imagine you are a security analyst looking at how well your controls are performing at ensuring servers are patched within a reasonable timeframe. If you see that 65% of your devices are compliant with your vulnerability patching security policy, you probably want to understand which devices are in scope for this policy and what timeframe is expected. When you expand the visualised calculation for ‘Devices out of policy for vulnerability patching’ you might see the following definition for your Control Check.

Name: Vuln Patching Control Check

Description: Maximum allowed time between patch becoming available and being remediated

Criteria:
  Scope: device_type = “server”
  Duration: 15 days

  Default: 30 days

From the Criteria section, you now know that even though the default timeframe for patching is 30 days, it is defined as 15 days for servers. The default duration means that any other device with critical vulnerabilities must be patched within 30 days. This context helps you understand what is actually meant by 65% compliance.

It is this last point that helps people better understand the data, but it can also raise questions about how you are applying those criteria. Should all servers use the same criteria, or should some servers have different patching deadlines based on whether they are production or development servers?


Giving you control 

The Panaseer Platform gives you the ability to tailor the Control Checks to your own needs and make sure the data always reflects your current security policies as your organisation matures and grows.

Security policies often change and evolve with the organisation. When you start using Control Checks there will inevitably be a period where you adjust what you measure and how you measure your controls. 

Longer term, they may change based on organisational priorities and key strategic changes, such as tightening privileged access policies, or a change in security leadership whereby a new CISO might take the team in a new direction with new tools and controls. As security policies and procedures change it is imperative that the way compliance is measured also changes and aligns with those new security policies and procedures. For this reason, the Panaseer Platform allows you to have certain people in your team manage the Control Checks defined in the platform to make sure the criteria are always correct. 

For instance, building on the previous example, you may want to define different criteria for production servers (as opposed to development servers). Rather than creating a new Control Check, you can simply add a new block of criteria.

Name: Vuln Patching Control Check

Description: Maximum allowed time between patch becoming available and being remediated

Criteria:
  Scope: device_type = “server”, env_type = “production”, functional_area = “payments”
  Duration: 7 days

  Scope: device_type = “server”
  Duration: 15 days

  Default: 30 days

We’ve made the criteria more specific, so now vulnerabilities on production servers used for payment systems must be patched within 7 days. The criteria blocks are evaluated in order: if a device matches the first block, no further blocks are evaluated, and a device that matches no block falls back to the default. This helps to better direct the wider IT team to take remedial action.
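To make the ordered evaluation concrete for both Control Check definitions above, here is an added example (not Panaseer code, and not the platform’s own data model) that models a Control Check as an ordered list of scope blocks plus a default duration, resolves the allowed patching window for a device, and rolls that up into a compliance percentage. The class names, the device attributes and the patch dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class CriteriaBlock:
    """One scope block: every attribute in `scope` must match the device."""
    scope: Dict[str, str]
    duration_days: int


@dataclass
class ControlCheck:
    """Blocks are evaluated in order; the first match wins, else `default_days`."""
    name: str
    description: str
    blocks: List[CriteriaBlock]
    default_days: int

    def allowed_days(self, attributes: Dict[str, str]) -> int:
        for block in self.blocks:
            if all(attributes.get(k) == v for k, v in block.scope.items()):
                return block.duration_days
        return self.default_days


@dataclass
class Device:
    name: str
    attributes: Dict[str, str]
    patch_available: date          # date the vendor patch became available
    remediated: Optional[date]     # date the patch was applied; None if still open


# Hypothetical definition mirroring the second Control Check in the text.
VULN_PATCHING = ControlCheck(
    name="Vuln Patching Control Check",
    description="Maximum allowed time between patch becoming available and being remediated",
    blocks=[
        CriteriaBlock({"device_type": "server", "env_type": "production",
                       "functional_area": "payments"}, 7),
        CriteriaBlock({"device_type": "server"}, 15),
    ],
    default_days=30,
)

# Constructed sample inventory; dates are made up.
AS_OF = date(2020, 4, 20)
SAMPLE_DEVICES = [
    Device("pay-prod-01", {"device_type": "server", "env_type": "production",
                           "functional_area": "payments"},
           date(2020, 4, 1), date(2020, 4, 5)),      # 4 days  <= 7  -> compliant
    Device("pay-prod-02", {"device_type": "server", "env_type": "production",
                           "functional_area": "payments"},
           date(2020, 4, 1), None),                   # 19 days >  7  -> out of policy
    Device("dev-srv-01", {"device_type": "server", "env_type": "development"},
           date(2020, 4, 1), date(2020, 4, 12)),     # 11 days <= 15 -> compliant
    Device("web-prod-01", {"device_type": "server", "env_type": "production",
                           "functional_area": "web"},
           date(2020, 4, 1), date(2020, 4, 19)),     # 18 days >  15 -> out of policy
    Device("laptop-01", {"device_type": "workstation"},
           date(2020, 4, 1), date(2020, 4, 18)),     # 17 days <= 30 -> compliant (default)
]


def is_compliant(check: ControlCheck, device: Device, as_of: date) -> bool:
    """An open vulnerability is measured against today; a closed one against its fix date."""
    allowed = check.allowed_days(device.attributes)
    end = device.remediated if device.remediated is not None else as_of
    return (end - device.patch_available).days <= allowed


def compliance_summary(check: ControlCheck, devices: List[Device],
                       as_of: date) -> Tuple[float, Dict[str, bool]]:
    """Return (percentage compliant, per-device result), the figure a dashboard would show."""
    results = {d.name: is_compliant(check, d, as_of) for d in devices}
    compliant = sum(1 for ok in results.values() if ok)
    pct = round(100.0 * compliant / len(devices), 1) if devices else 0.0
    return pct, results


if __name__ == "__main__":
    pct, results = compliance_summary(VULN_PATCHING, SAMPLE_DEVICES, AS_OF)
    for name, ok in results.items():
        print(f"{name:12s} {'compliant' if ok else 'OUT OF POLICY'}")
    print(f"{pct}% compliant with {VULN_PATCHING.name}")
```

Note that `web-prod-01` is a production server but not a payments server, so it fails the first block and is held to the 15-day server window rather than the 7-day one; `laptop-01` matches no block and falls through to the 30-day default. Reordering the blocks so the generic server block came first would silently make the 7-day rule unreachable, which is why the order of criteria blocks deserves the same change control as the policy text itself.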

The ability to continually and automatically measure the effectiveness of your technical controls is critical to the success of your security programme. Using a CCM solution that includes Control Checks, such as Panaseer, complements a GRC or IRM solution by providing the crucial final step. As we continue to improve this capability, we will aim to free up your security team to spend less time on the menial tasks of reporting and more time securing your organisation.