Welcome to a world of proliferating regulations and compliance standards, evolving infrastructure and pervasive data breaches. Each year, fraudulent activity causes losses of $600 billion in the United States. In 2017, more than one billion account records were lost in data breaches, equivalent to 15% of the world's population. 72% of security and compliance personnel said that their job is more difficult today than it was two years ago, even with all the new tools they have acquired.
In the security industry, we are constantly seeking a solution to these converging issues while remaining in tune with business and regulatory compliance. Many have become cynical and apathetic about the continued failure of investments to prevent these unfortunate events. There is no quick fix, but waving a white flag is just as problematic.
The fact is that nobody knows what could happen next. One of the first steps is to recognize the limitations inherent in our knowledge and in our ability to predict. From there, we can adopt methods of reasoning, evidence and proactive measures to maintain compliance in a changing world. Dispelling the myth of passive compliance is an important step towards achieving security, reducing risk and detecting threats early.
Let's get rid of some myths about IT security and compliance:
Myth 1: The Payment Card Industry Data Security Standard (PCI DSS) is only needed for large companies
For the sake of your customers' data security, this myth is absolutely false. Organizations of all sizes must comply with PCI DSS. In fact, small business data is very valuable to data thieves and is often easier to access because of a lack of protection. Failure to comply with PCI DSS may result in heavy fines and penalties, or even the loss of the right to accept credit cards.
Credit cards are used for more than just retail shopping. They are used to sign up for events, pay bills online and perform countless other transactions. Best practice is not to store this data locally at all, but if an organization's business practices require that customers' credit card information be stored, additional steps must be taken to ensure its security. Organizations must prove that all certifications, accreditations and security best practices are followed to the letter.
Myth 2: I need a firewall and an IDS / IPS to be compliant
Some compliance regulations stipulate that organizations must perform access control and monitoring. Some say that perimeter control devices such as a VPN or a firewall are necessary. Some even use the words "intrusion detection". However, this does not necessarily mean that you must deploy a NIDS or a firewall everywhere.
Access control and monitoring can be done with many other technologies. There is nothing wrong with using a firewall or NIDS solutions to meet compliance requirements, but consider also centralized authentication, network access control (NAC), network anomaly detection, log analysis, ACLs on edge routers, and so on.
Myth 3: Compliance is about rules and access control.
The lesson to be learned from this myth is not to become shortsighted by focusing only on security posture (rules and access control). Compliance and network security are not just about creating rules and access controls for a better posture, but also about real-time assessment of what is actually going on. Hiding behind rules and policies is no excuse for compliance and security failures.
Organizations can overcome this bias by analyzing, directly and in real time, the logs of what is happening at any given moment. Attestation of security and compliance comes from establishing access control policies on the network and continuously analyzing actual network activity to validate that the security and compliance measures work.
Myth 4: Compliance is only relevant when there is an audit.
Networks continue to evolve, which remains the biggest challenge for network security and compliance. Unfortunately, network evolution does not politely pause while security and compliance staff catch up.
Not only are network changes increasing, but compliance standards themselves are changing in the context of these new network models. This discrete and combinatorial challenge adds new dimensions to compliance as an ongoing mandate, not just as preparation for an imminent audit.
Yes, the latest generation of firewalls and logging technologies can take advantage of the data streaming out of the network, but compliance is only achieved when all of that data is actually analyzed. Only by reviewing real-time data can compliance and network security staff adjust appropriately and reduce risk.
Tightening controls and network access gives auditors assurance that the company is taking proactive steps to govern network traffic. But what does the network tell us right now? Without regular log analysis, there is no way to verify that compliance has been achieved. This regular analysis must happen regardless of whether an audit is coming up or one has recently been failed.
Myth 5: Real-time visibility is impossible.
Real-time visibility is a necessity in today's global business environment. With upcoming legislative and regulatory changes, network security and compliance teams must be able to access data across the entire network.
Often, data comes in many formats and structures. Compliance reports and certifications become a "data collection" exercise to validate that network activity is consistent with rules and policies. Security and compliance personnel must become de facto data scientists to extract answers from an ocean of data. It is a Herculean effort.
When implementing a new compliance requirement, there is an assurance process in which the standard is tested against the access allowed or denied by the new rule. How do you know whether a given rule or policy will have the desired effect (achieving compliance)? In most organizations, you have neither the staff nor the time to evaluate network activity in the context of compliance standards. By the time a new compliance standard takes effect, the data assembly process is still not complete, leaving no confidence that compliance has been achieved. No matter how quickly you assemble data, it seems that the sheer number of standards will keep you going in circles.
Of course, the other side of this dilemma is that these standards really do prevent data compromises. However, while many of your resources are busy testing and deploying standards, another part of the team is implementing even more network permutations. This is what physicists call a dynamic system.
It is natural to assume, "Well, I guess that just cannot be done." This is an error. Automated data assembly reduces the time required to evaluate compliance standards and the results produced by policies and rules.
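The continuous log analysis described under Myths 3 and 4, and the rule-assurance check described under Myth 5 (does the deployed rule actually allow or deny what the policy intends?), come down to one mechanical comparison: for each logged connection, compute what the written policy says should have happened and compare it with what the firewall actually did. The script below is an added example and is not code from the original article or from any product; the policy rules, the key=value log format and the log lines are all constructed for illustration. It flags two kinds of gap: traffic that was accepted although the policy says deny (a control that is not enforced), and traffic that was dropped although the policy says allow (a rule that over-blocks, which is the "undesired effect" an assurance test is meant to catch).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port

# Constructed policy (hypothetical, not from any real deployment).
# Evaluated top-down, first match wins, default deny.
POLICY = [
    Rule("deny", "10.0.5.0/24", None),   # contractor VLAN: no access at all
    Rule("allow", "10.0.0.0/8", 443),    # internal users may reach HTTPS
    Rule("allow", "10.0.9.0/24", 22),    # only the admin subnet may SSH
]

# Constructed firewall log lines in a simple key=value style.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z fw01 action=ACCEPT src=10.0.2.15 dst=10.1.0.9 dport=443 proto=tcp
2024-03-01T10:00:02Z fw01 action=ACCEPT src=10.0.5.12 dst=10.1.0.9 dport=443 proto=tcp
2024-03-01T10:00:03Z fw01 action=DROP src=10.0.9.7 dst=10.1.0.20 dport=22 proto=tcp
2024-03-01T10:00:04Z fw01 action=ACCEPT src=10.0.2.15 dst=10.1.0.20 dport=22 proto=tcp
2024-03-01T10:00:05Z fw01 action=DROP src=192.168.1.4 dst=10.1.0.9 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    try:
        return {
            "ts": m.group("ts"),
            "host": m.group("host"),
            "action": fields["action"].upper(),
            "src": fields["src"],
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None

def expected_action(event, policy=POLICY):
    """What the written policy says should happen to this event."""
    src = ipaddress.ip_address(event["src"])
    for rule in policy:
        in_net = src in ipaddress.ip_network(rule.src)
        port_ok = rule.dport is None or rule.dport == event["dport"]
        if in_net and port_ok:
            return rule.action
    return "deny"   # default deny when no rule matches

def audit(log_text, policy=POLICY):
    """Compare each logged decision with the policy; return the mismatches."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        event = parse_line(line)
        if event is None:
            continue   # unparsable lines are skipped, not silently trusted
        observed = "allow" if event["action"] == "ACCEPT" else "deny"
        expected = expected_action(event, policy)
        if observed != expected:
            kind = "unauthorized_access" if observed == "allow" else "overblocking"
            findings.append((lineno, kind, event["src"], event["dport"]))
    return findings

if __name__ == "__main__":
    for lineno, kind, src, dport in audit(SAMPLE_LOG):
        print(f"line {lineno}: {kind} src={src} dport={dport}")
```

Run stand-alone, the script reports the contractor host reaching HTTPS and a non-admin host reaching SSH as unauthorized access, and the admin host being dropped on SSH as over-blocking. The same comparison, fed from a log pipeline instead of an embedded string, is the evidence an auditor can be shown: not just that rules exist, but that observed traffic matches them.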