How to analyze and improve your cybersecurity controls coverage
September 07, 2023
Despite massive investment in cybersecurity tools, gaps in security controls are still a common problem – find out the causes and the impact on security posture.
Large organizations typically have numerous security tools deployed across vast IT infrastructures, applying security controls to thousands of connected devices.
Managing the controls coverage of these security tools is a complex business. Some controls overlap in places, while others aren’t deployed correctly leading to security coverage gaps. A major challenge is reconciling what controls should be in force on a given device versus the reality of what’s actually happening — a process made more difficult by the common problem of ‘unknown devices’ in your environment.
Complicating matters further is the fact that the IT environment is constantly changing, along with the risks that surround it. Change events such as digital transformation initiatives, mergers and acquisitions, and security tool consolidation can make cybersecurity controls coverage even more challenging for security operations teams.
In this article we’ll look at:
- What are security coverage gaps?
- Why are cybersecurity coverage gaps a problem?
- The challenge with CMDBs like ServiceNow
- Why do gaps occur in CMDBs and security controls?
- How to solve this problem with Continuous Controls Monitoring
What are security coverage gaps?
Security coverage gaps are unexpected holes in security controls coverage, where devices that are supposed to be protected by security controls (e.g. vulnerability assessment, EDR, encryption, etc.) are not.
Security teams face a constant battle to ensure their tools and controls are operating as expected, however for most controls it’s not realistic to achieve 100% coverage. Instead, organizations set policies and thresholds for the control coverage they want to target based on their risk appetite.
According to Charlotte Jupp, Panaseer’s Head of Security Performance Management, these targets will vary depending on the type of tool or control. “Our customers typically want to achieve 100% coverage for critical EDR tools [endpoint detection and response] that give immediate protection from security threats,” she explains.
“However, they will likely have a higher risk tolerance for tools such as vulnerability scanners and CMDBs [configuration management databases]. This means their coverage target will be around 90%-95%.”
Context is also important when measuring controls coverage. Organizations should have a lower risk tolerance for business critical assets or those on an external network, and will aim to ensure they are never left exposed by control gaps.
“It’s also important to analyze toxic combinations of risk,” says Charlotte. “If a device isn’t covered by either your EDR or your vuln scanners, then you have a major blind spot in understanding your exposure to risk. Organizations need this contextual data to help prioritize remediation.”
To achieve an accurate picture of where control gaps exist and the business context of all assets, organizations will need to implement Continuous Controls Monitoring (CCM). This correlates data across all security and business tools to give context and insights that aren’t possible in siloed security tools.
Why are cybersecurity coverage gaps a problem?
Cybersecurity coverage gaps are a critical problem for organizations, as they create weaknesses in their defenses that can be exploited. Control gaps allow threat actors to avoid being hindered or detected by using routes into IT infrastructure that security teams believe to be blocked off.
Cybersecurity coverage gaps can therefore be regarded as a failure of cyber hygiene, something that Microsoft’s Digital Defense Report estimates to be responsible for 98% of all cyber attacks.
This false sense of security makes coverage gaps a particularly dangerous attack vector. Data breaches arising from these gaps are more unexpected because security teams will have anticipated the threat and been operating on the mistaken belief that they had risk mitigation measures in place.
Recent Panaseer research found that 90% of security leaders say control failures are the primary reason for data breaches, while 79% have experienced cyber incidents that should have been prevented with existing safeguards.
All this contributes to higher financial consequences for organizations, with IBM/Ponemon Institute’s 2023 ‘Cost of a Data Breach’ report putting the average figure for a single breach at an all-time high of $4.45m, with only one-third of these being discovered by the affected organization’s own security teams.
The other challenge with cybersecurity coverage gaps is understanding how and why they exist. Discovering coverage gaps fills security professionals and tool owners with a paradoxical mixture of relief and despair. When gaps are located, it’s often by chance or as a result of a manually intensive process. It begs the question, what other security coverage gaps might there be?
Any breaches that result from cybersecurity coverage gaps have significant repercussions for governance and compliance, calling into question how the execution of security controls can have been allowed to deviate from the intended security strategy.
It also undermines the investment cases for security tools that are failing to deliver the value they’d promised. This may even compromise future investment decisions and erode business confidence in the cybersecurity function.
Compounding the pain further for security teams will be other stakeholders in the business who are free to point out that, technically, such breaches can be avoided. But there is a path forward through continuous monitoring of security controls, including using a CCM (Continuous Controls Monitoring) platform, and these are increasingly specified in the latest data protection legislation coming into force in both the EU and US.
The challenge with CMDBs like ServiceNow
CMDBs (configuration management databases) promise a great deal in the wider practice of IT service management (ITSM) and are commonly assumed to be the best available single source of truth for IT assets, which should reduce the risk of control gaps.
However, security teams can seldom rely on CMDBs like ServiceNow as a ‘golden source inventory’ of IT assets because they weren’t designed to meet the needs of security teams. To reduce the risk of control gaps, security leaders need an accurate, near real-time inventory along with the status of security controls across all assets.
Let’s take a comparatively simple question: how many IT assets are there? In an environment that’s changing all the time, can your CMDB give a 100% accurate picture of device inventory? Or even a 99% accurate picture?
In reality, it’s likely to be far lower than that. One expert puts the accuracy of most CMDBs at around 60%. That’s nowhere near good enough asset intelligence for data security and governance purposes.
According to Gartner, only 25% of organizations are receiving meaningful value from their CMDB investments. Bear in mind that’s from the perspective of CMDBs as an IT service management tool, not solely their role as a reliable baseline indicator for security controls analysis.
Why do gaps occur in CMDBs and security controls?
Gaps occur in CMDBs and security controls because of technical and operational issues as well as human factors.
These include:
1. Lack of data quality and accuracy. If CMDB data is not validated or regularly updated, it becomes less reliable, leading to gaps in asset intelligence – data about IT assets and the relationships and dependencies between them.
2. Manual data entry. Relying on manual data entry for CMDB updates can lead to errors and omissions. The absence of automated tools also adds latency between when changes are made and when the CMDB record ‘catches up’.
3. IT environment scale and complexity. The larger and more multifaceted the IT infrastructure, the higher the likelihood of CMDB hygiene failures such as overlooking certain assets or leaving security gaps unintentionally. This challenge is made more difficult by the number of new devices being spun up in large organizations, as there is often a delay before new devices are added to the CMDB.
4. Rapid and/or major IT infrastructure change. Hardware upgrades, software installations, or system decommissions that occur frequently can cause CMDBs to steadily lag further and further behind reality. Combining separate CMDB records (e.g. following M&A activity) can be particularly challenging when one or the other (or neither) is wholly trusted as accurate.
5. Disconnected data sources. Gaps can arise when data from different systems and sources are not effectively integrated into the CMDB or security control systems. Organizations can struggle to understand the implications of adding or removing security tools.
6. Unsanctioned ‘shadow’ IT. Unmanaged IT devices that function as part of the IT estate are often not included in CMDB asset inventories, and therefore not properly accounted for or protected. Other CMDB governance issues include lack of clear ownership of CMDB administration and maintenance, particularly when third parties are involved.
How to solve this problem with CCM
To understand gaps in cybersecurity controls, control owners must determine if a security tool is deployed on all expected assets by comparing their coverage to an accurate inventory. This inventory would ideally be the CMDB, however – as we’ve established – CMDBs are known to be problematic and at risk of propagating the coverage gap problem across each deployed tool.
Creating your own accurate inventory from multiple sources is extremely challenging without automation and entity resolution. Finding the reasons for gaps is also difficult without drill-down capabilities to identify where processes are failing.
These capabilities are provided within Panaseer’s Continuous Controls Monitoring (CCM) platform, which ingests data from all available security, IT and business tools (e.g. CrowdStrike, Qualys, Workday, MS Active Directory, VMware Carbon Black, Cofense, BigFix, etc.), giving near real-time visibility of assets and controls status.
Security controls gaps can be further analyzed, with clear reasoning for how they occurred and the aspects affected (e.g. location, OS, asset type, data source, business unit, etc.) so they can be addressed immediately. Security teams can even model the potential impact of future controls changes.
Understanding gaps in vulnerability scanning
To give a common use case, our customers use CCM to get an accurate measure of their vulnerability scanner coverage. In this instance, by comparing data across multiple tools our platform showed that the vulnerability scanner had 89% coverage – meaning that 11% of devices weren’t being scanned.
By drilling down into the regional analysis, we find that the EMEA region has the biggest coverage gaps for this tool. This suggests there could be a bigger issue within the EMEA region that needs to be addressed.
Further analysis of assets in the EMEA region that aren’t covered by the vulnerability scanner found that they shared an IP address range. This is a common problem we help solve for customers — vulnerability scanners are often configured to scan based on IP ranges, which can lead to groups of assets being accidentally left unprotected.
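The gap analysis described above (reconcile tool exports into one inventory, measure each control's coverage, drill down by region, flag toxic combinations from the earlier section, and check whether the uncovered assets share an IP range) can be sketched as a small script. This is an added illustration, not Panaseer's code; the hostnames, regions, IP addresses and tool record formats are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample records (hypothetical hosts, regions and IPs), one list per tool.
CMDB = [{"name": "WEB-01.corp.example", "region": "EMEA", "ip": "10.1.5.10"},
        {"name": "web-02.corp.example", "region": "EMEA", "ip": "10.1.5.11"},
        {"name": "db-01.corp.example", "region": "EMEA", "ip": "10.1.5.12"},
        {"name": "app-01.corp.example", "region": "AMER", "ip": "10.2.7.20"},
        {"name": "app-02.corp.example", "region": "AMER", "ip": "10.2.7.21"}]
EDR = [{"hostname": h} for h in ("web-01", "WEB-02", "app-01", "app-02", "lab-09")]
VULN = [{"target": t + ".corp.example"} for t in ("web-01", "app-01", "app-02", "lab-09")]

def norm(name):
    """Entity-resolution key: lower-case short hostname with the domain suffix stripped."""
    return name.lower().split(".")[0]

def tool_hosts(records, field):
    """Set of resolved hostnames a tool reports on."""
    return {norm(r[field]) for r in records}

def build_inventory():
    """Union of every source; CMDB attributes where known, region None = 'unknown device'."""
    inv = {norm(r["name"]): {"region": r["region"], "ip": r["ip"]} for r in CMDB}
    for h in tool_hosts(EDR, "hostname") | tool_hosts(VULN, "target"):
        inv.setdefault(h, {"region": None, "ip": None})
    return inv

def coverage(inventory, hosts):
    """Fraction of inventory assets the tool sees, and the set it misses."""
    gaps = {h for h in inventory if h not in hosts}
    return 1 - len(gaps) / len(inventory), gaps

def gaps_by(inventory, gaps, attr):
    """Drill-down: count gap assets per attribute value (region, OS, business unit, ...)."""
    return Counter(inventory[h][attr] for h in gaps)

def toxic_combinations(inventory, *host_sets):
    """Assets missing from every listed control at once (e.g. no EDR and no vuln scan)."""
    return {h for h in inventory if all(h not in s for s in host_sets)}

def shared_subnets(inventory, gaps, prefix=24):
    """Group gap assets by /prefix network to expose scan-range misconfiguration."""
    nets = Counter()
    for h in gaps:
        if inventory[h]["ip"]:
            nets[str(ip_network(f"{inventory[h]['ip']}/{prefix}", strict=False))] += 1
    return nets
```

With the sample data the scanner covers four of six resolved assets, both gaps sit in EMEA on 10.1.5.0/24, and db-01 is the toxic combination (seen by neither EDR nor scanner); lab-09 appears only in tool data, so it is an unknown device the CMDB never recorded.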
Maintaining full security controls coverage is fundamental to cybersecurity posture, enabling organizations to protect data assets, mitigate risks and defend against advanced and emerging threats. Address gaps in cybersecurity controls with a CCM platform like Panaseer and you can significantly reduce the risk of being surprised by a breach you thought you had covered.
Request a demo of Panaseer’s Continuous Controls Monitoring Platform to find out how it can help you analyze and improve your controls coverage.