On the starting block: How to set yourself up for CCM success
May 26, 2020
A key theme of this year’s FS-ISAC conference was measuring risk. Sure, many of the sessions focused on how things have changed with this new COVID-19 reality, but nearly every session had something to do with helping organizations understand and remediate risks. In our FS-ISAC presentation, we were joined by security thought leader Max Bemrose. In his talk, Max highlighted some of the key steps to take as you begin to implement Continuous Controls Monitoring (CCM) as the metrics program underpinning your organization.
This blog is a breakdown of the key steps he took to do this.
Step 0: Why do you (or should you) have a metrics program to begin with?
Nearly every organization uses some form of metrics and measurement to gauge the effectiveness of their security program. But, under the hood, most are doing only point-in-time assessments that simply check compliance boxes or fill out a report for executives or the board. This is despite the fact that security leaders have reported that they don’t trust the data they’re using for these purposes.
Instead of these point-in-time reports, your metrics and measurements of your program should be driving change in the business. You should be thinking of ways that you can improve your security posture in the most strategic way. This often involves looking at risk not just holistically as a company, but segmenting risks down to the business process level.
By doing this, you can evolve your organization’s concepts of what technology risk means. You can move from low-level, reactive questions like, “What is our risk around [insert vulnerability du jour here]?” to proactive, deeper questions like, “Is our patch management program effective?” or “Are our email security and employee awareness tools able to prevent new COVID-19 phishing campaigns?”
CCM is designed to help mature your organization. You can continuously measure the success and progress of your security program, pinpoint specific parts of a system (devices, users, accounts, or databases) which contribute to risks, and segment your business processes to home in on areas to focus.
Step 1: Establish the Process
The important first step is to evaluate what your current landscape looks like and what your core use case will be. For this example, we looked at some fundamental projects: asset inventory, vulnerability management, and anti-virus deployment and effectiveness.
Max implemented Continuous Controls Monitoring in an MVP (minimum viable product) fashion to check it against our current programs. The data sources needed for the initial MVP use cases were already in place: the CMDB, vulnerability scanners, and endpoint software that provided catalogs of software installed and running. Those same sources also provided the benchmark against which the MVP was judged.
Previously, when reporting was needed for items like asset inventory or vulnerability management, it was necessary to manually pull report data from each of the tools used, and then merge it together in spreadsheets or BI tools. This proved to be time-consuming and often error-prone.
The goal when implementing the CCM process was to map to these key use cases and get from data source to metrics reporting in an automated way with zero manual work. That was the guiding principle and the gauge of whether the MVP was the right choice to replace previous processes.
Step 2: Initiate, build, and configure your program
Once it’s clear that your MVP fits the needs of the business, is accurate and can produce better insights than the previous process, it’s time to start to think about how else CCM can be used in your organization beyond your legacy needs.
Above and beyond reporting, the data that is available for measurements and metrics can be used to drive change within the organization. Think about a vulnerability analyst or manager who can not only see that system vulnerability trends are going down, but can also get a real-time view of systems within a critical business process which are still affected. This makes targeted remediation much easier.
At the core of CCM is the data which is available across your security tools, IT tools, and business tools. The more data that it has access to, the more ways that you can derive unique insights for your use cases.
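The automated pipeline that Steps 1 and 2 describe, from raw tool exports to per-business-process metrics, looks roughly like the following. This is an added example, not code from the presentation or from any CCM product: it joins three constructed exports (a CMDB asset list, a vulnerability-scanner finding list, and an endpoint-agent inventory) on hostname, segments the results by business process, and flags the concrete hosts that still need work. The field names, SLA thresholds, and the seven-day "agent silence" limit are assumptions chosen for illustration.

```python
"""Join CMDB, vulnerability-scanner and endpoint-agent exports into
per-business-process control metrics.

Added example, not the vendor's code. All data below is constructed;
field names, SLA thresholds and the agent-silence limit are assumptions.
"""
from collections import defaultdict

# Constructed CMDB export: the authoritative asset list, tagged by business process.
CMDB = [
    {"host": "pay-db-01",  "process": "Payments", "owner": "dba"},
    {"host": "pay-app-01", "process": "Payments", "owner": "apps"},
    {"host": "hr-app-01",  "process": "HR",       "owner": "apps"},
    {"host": "crm-web-01", "process": "CRM",      "owner": "web"},
]

# Constructed scanner export: one row per open finding. "shadow-01" is
# deliberately absent from the CMDB to show the inventory-coverage gap.
SCANNER = [
    {"host": "pay-db-01",  "finding_id": "F-001", "severity": "critical", "age_days": 45},
    {"host": "pay-app-01", "finding_id": "F-002", "severity": "high",     "age_days": 10},
    {"host": "hr-app-01",  "finding_id": "F-003", "severity": "medium",   "age_days": 3},
    {"host": "shadow-01",  "finding_id": "F-004", "severity": "critical", "age_days": 60},
]

# Constructed endpoint-agent export: which hosts have an AV agent checking in.
ENDPOINT = [
    {"host": "pay-db-01",  "av_running": True,  "last_seen_days": 0},
    {"host": "pay-app-01", "av_running": False, "last_seen_days": 1},
    {"host": "hr-app-01",  "av_running": True,  "last_seen_days": 20},
]

# Assumed remediation SLAs per severity, in days.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
# Assumed limit: an agent silent longer than this is not counted as coverage.
MAX_AGENT_SILENCE_DAYS = 7


def build_metrics(cmdb, scanner, endpoint):
    """Return per-process control metrics plus the hosts seen by tools but missing from the CMDB."""
    known = {a["host"]: a for a in cmdb}
    agent = {e["host"]: e for e in endpoint}

    # Asset-inventory control: of every host any tool has observed, how many does the CMDB know?
    observed = {r["host"] for r in scanner} | {r["host"] for r in endpoint}
    unknown_hosts = sorted(observed - set(known))
    inventory_coverage_pct = round(100 * (len(observed) - len(unknown_hosts)) / len(observed), 1)

    by_process = defaultdict(lambda: {
        "assets": 0, "av_covered": 0, "av_gaps": [],
        "open_findings": 0, "sla_breaches": 0, "hosts_with_breach": set(),
    })

    # Anti-virus control: an asset counts as covered only if the agent is running and recently seen.
    for host, asset in known.items():
        m = by_process[asset["process"]]
        m["assets"] += 1
        e = agent.get(host)
        if e and e["av_running"] and e["last_seen_days"] <= MAX_AGENT_SILENCE_DAYS:
            m["av_covered"] += 1
        else:
            m["av_gaps"].append(host)

    # Vulnerability-management control: open findings and SLA breaches, attributed to the owning process.
    for f in scanner:
        asset = known.get(f["host"])
        if asset is None:
            continue  # already reported under unknown_hosts
        m = by_process[asset["process"]]
        m["open_findings"] += 1
        if f["age_days"] > SLA_DAYS[f["severity"]]:
            m["sla_breaches"] += 1
            m["hosts_with_breach"].add(f["host"])

    report = {}
    for proc, m in by_process.items():
        report[proc] = {
            "assets": m["assets"],
            "av_coverage_pct": round(100 * m["av_covered"] / m["assets"], 1),
            "av_gaps": sorted(m["av_gaps"]),
            "open_findings": m["open_findings"],
            "sla_breaches": m["sla_breaches"],
            "hosts_with_breach": sorted(m["hosts_with_breach"]),
        }
    return {
        "inventory_coverage_pct": inventory_coverage_pct,
        "unknown_hosts": unknown_hosts,
        "by_process": report,
    }


if __name__ == "__main__":
    result = build_metrics(CMDB, SCANNER, ENDPOINT)
    print(f"Inventory coverage: {result['inventory_coverage_pct']}%  unknown: {result['unknown_hosts']}")
    for proc, m in sorted(result["by_process"].items()):
        print(f"{proc:9} assets={m['assets']} av={m['av_coverage_pct']}% av_gaps={m['av_gaps']} "
              f"open={m['open_findings']} sla_breaches={m['sla_breaches']} breach_hosts={m['hosts_with_breach']}")
```

The useful design point is that every metric carries the hosts behind it (`av_gaps`, `hosts_with_breach`, `unknown_hosts`), so the same run that feeds an executive dashboard also gives the vulnerability analyst the real-time list of systems inside a critical process that still need remediation. Rerunning the script on fresh exports each day, with the outputs stored as a time series, is what turns these point-in-time numbers into the trends the text describes.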
Step 3: Decide what to measure, visualise, and dashboard
Because of the wealth of data and nearly limitless insights that can be realized from CCM platforms, it’s easy to get distracted when thinking about ways to slice, dice, and julienne the data.
When thinking about what to measure, ensure that you’ve built each of your most important metrics out to the deepest extent. First, this will provide confidence to the stakeholders that receive data from the CCM platform. Second, it will give those in charge of CCM platforms the feedback needed to ensure that the data is tailored appropriately to each audience.
This focus also lets the process and platform begin to be the source of truth for the insights it produces, as well as ongoing status updates using dashboards.
Step 4: Release CCM into the wild
Once CCM is in place for key use cases, many parts of the organization will begin to ask deeper questions of the data you have in place. It’s important to work collaboratively with users across security domains, lines of business, and recipients of the data to ensure that the ways the data is displayed fit the needs of each audience, and to keep in mind that those needs will change over time.
By proactively offering both access to insights from CCM and spending time with users to understand their specific questions and needs, other teams, departments, and business units will likely look to use the technology to solve their problems.
Further resources and guidance
If you’re a member of FS-ISAC, you can watch part one of the presentation, “CCM: How to do it,” on-demand on the FS-ISAC website. Part two is a follow-on webinar which is available for everyone: “CCM: What to measure”.