Going Further: Maintaining Cyber Essentials and Broader Compliance
Continuing our Cyber Essentials blog series, we take a deeper look at maintaining compliance. In this second part, we focus on the critical role telemetry plays in helping organizations continue to meet the compliance requirements.

Intro
Previously, we focused on the five security controls and the requirements necessary for Cyber Essentials Plus (CE+) certification. We dove deeper, explaining the most recent version of the Cyber Essentials Requirements for IT Infrastructure and how that guidance helps organizations scope their desktops and mobile devices, including BYO devices, to align compliance measures with CE+.
In this final blog, we go beyond the requirements, tools and solutions needed to achieve CE+ certification and discuss what lies beyond certification. Before we proceed, take a moment to ask yourself this: once CE+ certification is achieved, then what? While you ponder that, here’s a follow-up question to start us off:
How do you maintain compliance with CE+?
Achieving compliance is one thing, but maintaining it is something different and equally important. Both require hard work and diligence, but achieving is a fixed point, like a destination – maintaining is a path, one that continues on.
As with CE+ or similar standards and frameworks, maintaining compliance comes down to several critical functions and technologies working together to form solutions, which in turn are part of any comprehensive security plan.
Visibility
The ability to see into your enterprise is critical to both achieving and maintaining compliance. Having a macro view of your organizational network, seeing each and every touch point, gives IT that “big picture” look at everything coming and going across the infrastructure. Equally, zooming in for a micro view of any traffic stream, device, app or process is just as crucial to compliance at all levels.
Telemetry
The key to visibility, and what makes it all possible, is telemetry. What is telemetry?
In short, telemetry is the record of everything that occurs on a device that is essential to determining its health and security posture at any given point in time. Some examples are:
- Any actions performed
- Programs affected
- Diagnostic information
- System services utilized
- Date and time stamps
Put another way, each piece of telemetry data is but a piece of the puzzle that represents a device’s security posture. The more pieces to the puzzle, the greater the picture. The richer the telemetry data, the more detailed that picture becomes.
Consider this example based on a CE+ requirement: malware prevention. To achieve CE+, devices must have endpoint security enabled to stop malware from running. Telemetry data will certainly provide insight that a device meets this critical requirement. But what if, after certification, the endpoint has a zero-day vulnerability that is exploited by a threat actor? How would your IT or Security team know?
Again, telemetry records the events that occur on a system. In this case, telemetry would be used to identify the presence of a threat through suspicious behaviors, such as network communications that are out of scope or processes that do not adhere to an established baseline.
Reporting
Telemetry data must exist in some form in order to be useful to administrators. In one form, it can be shared securely between solutions, integrating them and often unlocking additional benefits in the form of advanced workflows and automations (more on this later) that make managing and securing endpoint compliance less complex.
While this form makes sharing between digital systems easier, it is difficult for humans to interpret the raw data. That leads to reporting: centrally gathering the data and analyzing it with a SIEM solution, which allows telemetry data to be shaped and formatted in human-friendly ways, such as the executive and technical reports issued by consultants after performing a penetration test of a network, or dashboards that present it visually, broken out by OS, device, network and organizational health categories.
Correlating telemetry into reports also serves another critical function in compliance: it provides the documentation necessary to show auditors that compliance was achieved during an initial audit, or that it was maintained as part of a subsequent audit.
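To make the Telemetry and Reporting sections concrete, here is an added example (not code from this post or from Jamf) that takes telemetry in its machine-readable form, checks each event against a baseline as described above (approved executable locations, in-scope network destinations, endpoint security still enabled), and then rolls the findings up into a per-OS report of the kind a dashboard or an auditor would consume. The JSON-lines records, the baseline values and the event field names are all constructed for the example; a real deployment would take them from its own SIEM and inventory.

```python
import json
from collections import defaultdict

# Constructed sample telemetry in JSON-lines form (one record per event), the
# machine-readable "form" described above. These records are made up.
TELEMETRY_JSONL = """\
{"ts":"2024-05-01T09:00:01Z","device":"mac-001","os":"macOS 14.4","event":"process_start","path":"/Applications/Safari.app/Contents/MacOS/Safari"}
{"ts":"2024-05-01T09:00:05Z","device":"mac-001","os":"macOS 14.4","event":"net_connect","dest":"updates.example-corp.internal","port":443}
{"ts":"2024-05-01T09:01:10Z","device":"mac-001","os":"macOS 14.4","event":"av_status","enabled":true}
{"ts":"2024-05-01T09:02:00Z","device":"mac-002","os":"macOS 13.6","event":"process_start","path":"/private/tmp/.cache/updater"}
{"ts":"2024-05-01T09:02:03Z","device":"mac-002","os":"macOS 13.6","event":"net_connect","dest":"203.0.113.9","port":4444}
{"ts":"2024-05-01T09:02:30Z","device":"mac-002","os":"macOS 13.6","event":"av_status","enabled":false}
{"ts":"2024-05-01T09:03:00Z","device":"ios-010","os":"iOS 17.4","event":"process_start","path":"/Applications/Mail.app/Mail"}
{"ts":"2024-05-01T09:03:02Z","device":"ios-010","os":"iOS 17.4","event":"net_connect","dest":"mail.example-corp.internal","port":993}
{"ts":"2024-05-01T09:03:10Z","device":"ios-010","os":"iOS 17.4","event":"av_status","enabled":true}
"""

# Constructed baseline: where approved executables live and which destinations
# are in scope. A real baseline comes from the organization's own inventory.
BASELINE = {
    "process_prefixes": ("/Applications/", "/System/", "/usr/bin/", "/usr/sbin/"),
    "allowed_dest_suffixes": (".example-corp.internal",),
    "allowed_ports": {443, 993},
}


def parse_telemetry(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_deviations(events, baseline=BASELINE):
    """Compare each event with the baseline; return findings keyed by device id."""
    findings = defaultdict(list)
    for ev in events:
        kind = ev["event"]
        if kind == "process_start" and not ev["path"].startswith(baseline["process_prefixes"]):
            findings[ev["device"]].append(("unbaselined_process", ev["path"]))
        elif kind == "net_connect":
            dest_ok = ev["dest"].endswith(baseline["allowed_dest_suffixes"])
            port_ok = ev["port"] in baseline["allowed_ports"]
            if not (dest_ok and port_ok):
                findings[ev["device"]].append(("out_of_scope_network", f"{ev['dest']}:{ev['port']}"))
        elif kind == "av_status" and not ev["enabled"]:
            findings[ev["device"]].append(("endpoint_security_disabled", ""))
    return dict(findings)


def build_report(events, findings):
    """Roll findings up per OS: device count, compliant count, finding totals by type."""
    os_of = {ev["device"]: ev["os"] for ev in events}
    report = {}
    for device, os_name in os_of.items():
        entry = report.setdefault(os_name, {"devices": 0, "compliant": 0, "findings": defaultdict(int)})
        entry["devices"] += 1
        device_findings = findings.get(device, [])
        if not device_findings:
            entry["compliant"] += 1
        for ftype, _ in device_findings:
            entry["findings"][ftype] += 1
    for entry in report.values():  # plain dicts are easier to serialize as audit evidence
        entry["findings"] = dict(entry["findings"])
    return report


def render_report(report):
    """Render the per-OS summary as plain text for a dashboard or an audit pack."""
    lines = [f"{'OS':<12}{'Devices':>8}{'Compliant':>11}  Findings"]
    for os_name in sorted(report):
        e = report[os_name]
        summary = ", ".join(f"{k}={v}" for k, v in sorted(e["findings"].items())) or "none"
        lines.append(f"{os_name:<12}{e['devices']:>8}{e['compliant']:>11}  {summary}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_telemetry(TELEMETRY_JSONL)
    print(render_report(build_report(evs, detect_deviations(evs))))
```

Run as-is and the report shows one macOS 13.6 device with three findings (an executable outside the approved locations, a connection to an out-of-scope destination and port, and endpoint security switched off) while the other two devices are compliant; the same `build_report` output, serialized as JSON, is the machine-readable evidence an auditor can be handed for the maintained-compliance case described above.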
Compliance
In case you haven’t realized by now, telemetry is table stakes on an organization’s compliance path. Regardless of whether they have just identified what that path looks like for their unique needs, or whether they’ve been on it for some time, telemetry is like the mile markers letting travelers know where they’re headed (or whether they need to course correct).
Enforcement
Speaking of course correction, think back to the scenario posited earlier regarding endpoint security software that was enabled and working before certification but, shortly after, was still enabled yet not performing properly. The question we ask in this section is an amended version of our previous one: how does the issue get fixed, regardless of whether IT or Security are aware of the problem?
The answer to that is enforcement.
In an ideal world, IT/Security teams have more than enough hands to resolve all of the issues that come their way. However, this is often not the case, simply because there are far more devices than there are people to oversee them all in a timely manner. Hence the case for security technologies and solutions such as:
Each of these serves a dual purpose:
- Ensuring that endpoints have the settings, apps and configurations the organization requires to remain compliant.
- Helping IT and Security teams work smarter – not harder – by automating how systems respond to non-compliance without requiring manual intervention each time.
After all, which scenario allows the IT admin to focus on delivering value to stakeholders?
- Manually checking the thousands of devices in their fleet to ensure that each is running the latest version of the device’s OS (and if not, to perform a manual installation for each non-compliant device); or,
- Enabling Managed Software Updates in their MDM solution, with download and scheduled install, so that each targeted device runs the most recent version of its OS when the policy refreshes.
Incident Response
“Security gaps happen.” – Security Practitioner, Jamf
With a robust incident response and recovery plan, gaps can be minimized so that known threats are prevented and unknown threats can be detected proactively before they can become something worse (more on threat hunting in the next section).
The keys to speedy incident response, effective threat hunting and timely remediation are the quality and relevance of your telemetry data.
Having a team of security pros standing by to resolve an incident, only to be held up by data that doesn’t paint a complete picture of what’s affecting the device(s) in question, is like firefighters prepped and ready to stop a five-alarm fire without knowing the address of the building in crisis.
In short: incident response is all about speed and information. The more accurate the latter is, the quicker first responders can get to work on resolving the incident.
Threat Hunting
Preventing known threats is a core tenet of endpoint security solutions. Known threats have qualities that can be systematically assessed and compared against a metric to identify malicious code and stop it quickly. Sadly, the same cannot be said of unknown threats, such as the new breed of advanced threats that result from threat actors evolving their tactics and attacks.
Increasingly, unknown threats are sophisticated, converging several different threat types into one with the aim of slipping under the radar. Though detecting them proves far more challenging, security pros armed with the right tooling and rich data sources are able to categorize threats, launch incident response and develop a plan to mitigate the risk, combining expertise, extensive telemetry data and AI/ML-based solutions to effectively and consistently thwart threats hiding within organizational networks.
While discussing how to establish a threat hunting team within your organization is beyond the scope of this blog, a good place to start is by looking at your own organization’s threat intelligence data. Specifically, assess the efficacy of the telemetry data gathered by your endpoint security solution and use it via “reports, scans and analysis to assess and categorize threats using real-time, live data that is pertinent to the organization and relative to the assets currently in production.”
Remediation
Like incident response above, remediation processes largely depend on the organization, its budget, partnerships and so forth. There is no “one size fits all” set of processes that works for each incident at every organization. Because of each organization’s unique needs, only best practices and industry guidance give organizations the best opportunity to develop the plans, policies, people and tools that offer them the greatest chance of success in responding to and remediating threats within their unique parameters.
Remediating threats and vulnerabilities requires the right tools to make the workflow, well, work. But just as critical as having the right tools is having the right data. Any tool, without the knowledge of how to use it properly, is of very little use. Not unlike the firefighters in the incident response analogy, without direction, IT/Security team efforts are at best misguided and at worst a waste of resources that could lead to threats getting worse before they get better.
Consistency
The word consistency is used in connection with compliance here because the two are complementary. What is compliance, if not a consistent state of security? Similarly, verifying that devices remain consistent with the apps, configurations, settings, processes and workflow outcomes that fall within established security baselines means endpoints remain compliant.
This is exemplified in the compliance lifecycle:
- Document Requirements: Identify what compliance requirements exist.
- Implementation: Set controls, procedures, solutions and standards.
- Device Monitoring: Actively gather endpoint telemetry data.
- Assessment: Deploy incident response and remediation workflows.
- Reporting: Analyze telemetry data, documenting compliance.
Automation
In our final section, we tackle how automation applies to compliance. Though we touched upon it in earlier sections, let it be clear that automation plays as significant a role in maintaining compliance as it does on the path to achieving it. Perhaps more so.
The main reason for saying so calls back to maintenance being a path, not a destination as certification or compliance achievement is. It is never-ending, and the longer the road, the more twists and turns await. Automation doesn’t help anticipate those twists, but it certainly does help IT and Security teams ensure that changes in device compliance trigger remediation workflows to bring impacted devices back into compliance.
Of additional importance, automation ensures that the issues and incidents impacting compliance are handled quickly and efficiently, the moment a policy detects the change. This helps admins stay on top of emerging issues regardless of when, where or how they happen. It’s a no-fuss process, requiring no manual intervention, that automatically takes corrective action the moment it’s necessary – not before or after.
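The Enforcement and Automation sections both describe the same loop: a policy evaluates a device against the organization's requirements, remediation runs only for what fails, and the loop re-runs the moment telemetry reports a change. The following added example (not code from this post or from Jamf, and calling no vendor API) models that loop in memory. The requirements, the device snapshot fields and the action names are hypothetical; in a real deployment the `remediate` branches are where an MDM policy or configuration profile would be pushed.

```python
from dataclasses import dataclass, field

# Constructed requirements for this example (hypothetical values, not the
# Cyber Essentials or Jamf baseline): minimum OS version, endpoint security on,
# disk encryption on, and a required app present.
REQUIREMENTS = {
    "min_os": (14, 4),
    "endpoint_security": True,
    "disk_encryption": True,
    "required_apps": {"CorpVPN"},
}


@dataclass
class DeviceState:
    """Snapshot of one device as reported by telemetry (constructed fields)."""
    device_id: str
    os_version: tuple
    endpoint_security: bool
    disk_encryption: bool
    installed_apps: set
    remediation_log: list = field(default_factory=list)


def evaluate(state, req=REQUIREMENTS):
    """Return (failed_check, remediation_action) pairs; an empty list means compliant."""
    failures = []
    if state.os_version < req["min_os"]:
        failures.append(("os_version", "managed_software_update"))
    if req["endpoint_security"] and not state.endpoint_security:
        failures.append(("endpoint_security", "reinstall_endpoint_security"))
    if req["disk_encryption"] and not state.disk_encryption:
        failures.append(("disk_encryption", "enable_disk_encryption"))
    for app in sorted(req["required_apps"] - state.installed_apps):
        failures.append((f"app:{app}", f"install_app:{app}"))
    return failures


def remediate(state, action, req=REQUIREMENTS):
    """Apply one remediation. Here the in-memory state is updated directly; in a
    real deployment this is where the MDM policy or profile would be pushed
    (hypothetical, no vendor API is called)."""
    if action == "managed_software_update":
        state.os_version = req["min_os"]
    elif action == "reinstall_endpoint_security":
        state.endpoint_security = True
    elif action == "enable_disk_encryption":
        state.disk_encryption = True
    elif action.startswith("install_app:"):
        state.installed_apps.add(action.split(":", 1)[1])
    else:
        raise ValueError(f"unknown remediation action: {action}")
    state.remediation_log.append(action)


def enforce(state):
    """One policy refresh: act only on what fails, then re-check. On a compliant
    device nothing runs, so repeated refreshes are idempotent."""
    for _, action in evaluate(state):
        remediate(state, action)
    return evaluate(state)


def on_telemetry_change(state, **changes):
    """Apply a reported change (e.g. endpoint security switched off) and enforce
    immediately, the 'moment the policy detects the change'."""
    for attr, value in changes.items():
        setattr(state, attr, value)
    return enforce(state)


if __name__ == "__main__":
    dev = DeviceState("mac-002", (13, 6), False, False, {"Safari"})
    print("before:", evaluate(dev))
    print("after enforce:", enforce(dev), dev.remediation_log)
    on_telemetry_change(dev, endpoint_security=False)
    print("after change:", dev.remediation_log)
```

Two properties matter here and are what the test checks: `enforce` on a device that already meets every requirement leaves the remediation log untouched (corrective action "not before"), and a change reported later, such as endpoint security being switched off after certification, appends exactly one new action rather than replaying the whole policy.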
New to Jamf? Get started with a free trial and put our management and security solutions to the test.
Try our mobile device management, identity and access management, and endpoint security solutions in your enterprise.