Without a security policy, there is no security.
This is a pretty bold statement, but think about variations of this which we all know not to be true:
I'm secure because I have a firewall.
I'm secure because we passed a penetration test.
I'm secure because we haven't detected any intrusions recently.
I'm secure because my CSO has lots of experience.
The only way to really have a concept of security is to have a plan which aligns to your business risks and goals and then measure how well you are doing against this plan.
Unfortunately, networks have become very complex. There are a plethora of devices, users, connections and applications running on other people's infrastructures.
Historically, it was not possible to audit all of these things with a comprehensive policy, so we instead relied on humans to perform audits. Many of these audits were periodic in nature and did not consider the continuous nature of how fast risks to our network could be discovered and exploited.
Today however, automation can be used to discover, assess and then report about how well your network is doing against your plan. This can often be done in near real time.
Your plan could be a direct implementation of something like the NIST Cyber Security Framework, a realtime measurement of your compliance with PCI or something more basic, such as measuring that everyone of your web servers is protected by a WAF.
As the CEO for Tenable Network Security, I've seen a dramatic change in how organizations view the functions of audit. As organizations move from periodic audits to continuous audits, they gain tremendous advantages. These include:
- near real-time inventory discovery which also implies realtime change detection
- near real-time discovery of security risks and violations
- earlier detection of potential hacker targets and regulatory compliance issues
- confidence in the network's ability to operate at an appropriate risk level
One of the most popular items our customers use are our dynamic dashboards. We've seen tremendous growth in organizations who want to know how they compare to regulatory and compliance standards from NIST, DISA, PCI, .etc. Our customers leverage dashboards and report templates which allow them to re-interpret the scanning, network monitoring and log analysis data they are already collecting to monitor how compliant they are with these standards. I've included links to many of our more popular dashboards below:
CSC 20 Controls
NIST CyberSecurity Framework
Securities and Exchange Commission
Australian Signals Directorate Top 4 Mitigation Strategies
Each of these dashboards includes a lengthy description of how technologies such as network traffic monitoring, net flow collection, credentialed vulnerability scanning and configuration auditing can be leveraged to perform a technical assessment of compliance with each of these controls. We have published several hundred of these types of dashboards for our customers. Many of these were requested by our customers as well.
At Tenable, we consider realtime automated testing of a security policy the very essence of continuous monitoring. Without a security policy to translate the security telemetry from your scanners, logs and security systems, all of this data produces security noise. It takes a policy to make sense and understand if the data from your sensors is telling you that you are secure or that you have a problem.