Top security challenges and how to overcome them: Compliance regulations

Welcome to this blog series which highlights the top security challenges organizations are facing and discusses how to overcome them. In this series of five articles, each will target a specific challenge while providing guidance on how to find the method(s) that work for you while meeting your organization’s unique needs to rise above each of the challenges.

Given each organization’s differing needs, requirements, budgetary constraints and regional location, consider the guidance provided here to be less prescriptive (i.e., you need to do this), instead, look at it as listing out the potential options available – alongside their respective strengths and weaknesses – allowing organizations and the administrative teams that support them to develop the security strategy that works best for them while still addressing the threats, attacks and concerns of the modern threat landscape that most impact their business operations, processes, users and of course, data.

Up first is governance and regulatory compliance. Specifically, this article will tackle this in a one-two-three-type of format, as follows:

1. Why is complying with regulations important?
2. What are some of the top global regulations?
3. How can organizations overcome regulatory challenges?

Without further ado, let’s dive right in, shall we?

Why is complying with regulations important?

To best answer this question, let’s first look at what regulations are and why regulations exist in the first place.

reg·u·la·tion

/ˌreɡ(y)əˈlāSH(ə)n/

noun

1. a rule or directive made and maintained by an authority.

"planning regulations"

2. the action or process of regulating or being regulated.

"the regulation of financial markets"

Regarding the topic before you today, both definitions apply and organizations would do well to understand each meaning. The former refers to the rules, or in this case, laws enacted by governing authorities (like states, countries and regions) relating to a specific industry, product and/or process. The latter refers to the enforcement of these laws by their enacting authorities and how each industry that is subject to these regulations must abide by them or run the risk of being found in violation of these laws (but more on what happens if compliance is not met later).

Now that we understand what regulations are, why do they exist? They exist for different reasons depending on the particular law. But suffice it to say that regulations collectively exist to ensure that consumers of products and/or services that are covered by these laws are protected against acts that would otherwise cause harm or distress to the user. Furthermore, regulations exist to ensure that organizations that provide products and services are governed to ensure that the processes they take to carry out business operations are done so in a safe, secure manner to minimize the level of risk they expose their customers to.

So back to our primary question: Why is it important to comply with regulations? It is important because simply put: regulations exist to guide organizations on how to safely and securely provide access to sensitive or even critical products and services. At the same time, these provisions protect the users of these products and services from the undue risk that may have been avoidable, if only the proper care had been taken and due diligence had been performed by the provider.

What happens if organizations fail to comply?

As explained above, a key part of governance is guidance to ensure that processes are hardened to minimize risk. Another key part of governance is enforcement, ensuring that organizations do comply with the laws related to their industry. Consider guidance and enforcement sort of like, cause and effect, if you will.

The effect that occurs depends on whether the cause happens or does not happen. Well, in the case of compliance, the effect often comes in the form of a violation. Depending on the law that is broken, the severity of the offense, the circumstances of the incident and the fallout resulting from non-compliance, organizations can be subject to severe fines, including loss of federal or government funding, if applicable. Organizations that have been found guilty of frequent non-compliance may even find their business suspended or forced to be terminated by the governing body of the state, federal, country or region.

Additionally, individual users may be found liable for any violations and could be subject to civil and/or criminal charges if found guilty of knowingly not complying with regulations.

What are some of the top global regulations?

While certainly not exhaustive by any means, the list below represents some of the most commonly known industry regulations and their associated regions.

Finance

• U.S. Securities and Exchange Commission (SEC) [US]
• Financial Industry Regulatory Authority (FINRA) [US]
• Commodity Futures Trading Commission (CFTC) [US]
• Financial Conduct Authority (FCA) [UK]
• Financial Services Agency (FSA) [Japan]
• Authorité des marchés financiers (AMF) [France]
• Financial Consumer Agency of Canada (FCAC) [Canada]
• Digital Operations Resilience Act (DORA) [Europe]
• Gramm-Leach-Bliley Act (GLBA) [US]
• Sarbanes-Oxley Act (SOX) [US]

Education

• Family Educational Rights and Privacy Act (FERPA) [US]
• Children’s Online Privacy Protection Act (COPPA) [US]

Government

• Federal Risk and Authorization Management Program (FedRAMP) [US]
• Centre on Regulation in Europe (CERRE) [Europe]

Healthcare

• Health Insurance Portability and Accountability Act (HIPAA) [US]
• The Privacy Act of 1988 [Australia]
• Personal Information Protection and Electronics Act (PIPEDA) [Canada]
• Digital Information Security in Healthcare Act (DISHA) [India]

Consumer

• General Data Protection Regulation (GDPR) [Europe]
• Personal Data Protection Law [United Arab Emirates]
• California Consumer Privacy Act (CCPA) [US]

Cybersecurity

• Cyber Essentials [UK]
• Cloud Computing Compliance Controls Catalogue (C5) [Germany]
• Federal Information Security Modernization Act (FISMA) [US]
• European Union Agency for Cybersecurity (ENISA) [Europe]
• Directive on Security of Network and Information Systems II (NIS Directive) [Europe]
• Cyber Resilience Act (CRA) [Europe]

It is important to note that multiple regulations may sometimes apply to an industry. As evidenced above, with an example of the finance sector and numerous US-based regulations. This does not mean that organizations get to cherry-pick which regulations they’ll adhere to, but rather provides a concrete example that businesses in the finance industry must abide by all the requirements contained within each of those regulatory bodies.

The same applies to international organizations doing business in multiple countries or regions. Regardless of where the business is headquartered, if the business is part of a regulated industry, that business is subject to the regulatory laws of every country and region in which they conduct business – even if they do not have a physical presence in those countries.

Complying with some regulations but failing to comply with others is still considered non-compliance by the country or region in which compliance has failed to be met, possibly making non-compliant businesses subject to consequences for violating the laws in those countries.

How can organizations overcome regulatory challenges?

Identifying which regulations apply to your business is the rather easy part. The difficulty comes in two waves:

1. Determining the settings, configurations, processes and workflows that address the various bits of regulatory guidance.
2. Enforcing each of the above to verify that endpoints, users and data are (and remain) compliant with each facet of regulation.

Ask any IT administrator that is tasked with achieving and maintaining this goal and they’ll no doubt share the challenges that are presented in this undertaking. But with the right combination of knowledge, tools and information, overcoming the challenges presented are not only possible but a considerable amount of the heavy lifting can be automated to ensure that your organization is not only mitigating risk but also has a system to remediate devices that are found to be out of compliance quickly and efficiently – with little to no impact on the end-user or business operations.

Sounds good, right? You bet it does and, in the following subsections, we’ll cover some of the tools, processes and best practices that can help your organization to do just that.

Compliance management framework

Identifying which regulation(s) pertain to your organization is the first step. Second, is to perform a risk assessment to determine the level of risk attributed to all devices, data and the criticality of business processes.

The next step is deciding upon and implementing a management framework that will significantly aid your organization – and IT and Security teams – in establishing the protocols required to achieve compliance goals.

There are several frameworks developed by different vendors but they all provide a similar goal: to help organizations meet their compliance goals through guidance on which settings and processes need to be secured in order to achieve and maintain compliance. It’s certainly not required in order to achieve compliance, but the structured format of the framework provides the key information necessary for IT and Security teams to lockdown device and application settings. In fact, some of the frameworks we highlight may already be integrated with your preferred security solutions or provides a way to integrate them for comprehensive management of devices and security. Think of it as Yin (management) and Yang (security), or a holistic IT compliance strategy.

• National Institute of Standards and Technology (NIST): The NIST is part of the U.S. Department of Commerce and provides guidance for organizations on cybersecurity and compliance – and numerous other computer security-related topics. The documentation they provide is written by industry professionals and updated regularly to keep up with the modern threat landscape. While their publication on Security and Privacy Controls for Information Systems and Organizations (SP 800-53) is maintained, their Guide to Securing Apple macOS 10.12 Systems for IT Professionals (SP800-179) has since been deprecated and instead merged with the macOS Security Compliance Project covered later in this section.
• Center for Internet Security (CIS): The CIS guidance for Apple macOS comes in the form of benchmarks derived from the “community consensus process and consists of secure configuration guidelines developed for Apple macOS.”, as explained by CIS themselves. Their benchmarks provide updated information on secure configurations for locking down macOS and iOS devices against cyber threats.
• macOS Security Compliance Project (mSCP): Formally part of the NIST SP 800-179, this open source effort is hosted on GitHub, deriving its guidance as a joint project by the NIST, National Aeronautics and Space Administration (NASA), Defense Information Systems Agency (DISA), Los Alamos National Laboratory (LANL) and Jamf, culminating in NIST SP 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). The project acts as a resource for MacAdmins to “easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements…to meet the particular cybersecurity needs of any organization.”

Hardening configuration profiles

We won’t go into much detail in this section since which configuration profiles are to be secured will largely depend on the unique needs of your organization and which regulations it’s subject to.

That said, this section will be greatly influenced by the previous one. Namely, the framework chosen details which settings require hardening and the degree to which they should be secured as they map directly to a particular compliance benchmark.

Whether this is performed manually by MacAdmins per device or as part of an automated workflow (more on automation later) is also up to the organization. However, it is greatly recommended that the deployment of configuration profiles be managed and automated to minimize user error and achieve the greatest level of success when mitigating risk in a timely manner.

Actively monitoring for threats

Like having your finger on the pulse of what’s going on within your organization, active monitoring clues administrators into the status of the devices they’re tasked with maintaining every step of the way. If malware infects an endpoint, a user downloads a risky app or Apple releases a new update – knowing this is happening as it occurs is a key element to not only keeping endpoints compliant, but critical when it comes to triaging an issue or remediating an incident quickly as opposed to letting it linger longer than is preferred.

Apart from continuously monitoring health status (which we’ll get into in the next section), an established notification system provides real-time alerts when something deviates from the expected behavior or implemented benchmark, triggering a swift response and hopefully, equally swift resolution to an incident.

Gathering and analyzing health data

Similar to the alerts above, active monitoring also means logging all pertinent telemetry data that can be used to paint a picture of endpoint health as well as provide important clues to incident response teams.

Telemetry data can answer a plethora of questions surrounding endpoint health, compliance status and what caused it to deviate, such as:

• Was it something the end-user introduced?
• Did an external attack occur?
• How was it able to slip past the device’s defenses?
• Where did the threat come from?
• Who (or what) was the intended target?
• What was taken or modified during the incident?
• Why did it happen and is it something we can protect against in the future?

This and seemingly dozens of other important questions can be answered by gathering and analyzing telemetry data to ascertain not only what happened but to build a timeline of how and when it happened. Also, it allows for comparison against other endpoints that were not impacted. What are the commonalities and differences? For example, OS version, device type or even the location of the endpoint when the incident was first detected are useful for aiding investigations.

Securely sharing telemetry data

Imagine you’re an employee of an organization that has both an IT and a Security team. You are a member of the former and after a recent incident, are tasked with deploying patches to the affected devices to ensure that the vulnerability is remediated. Only thing is, the Security team does not share the information they have on which devices were impacted nor what the vulnerability is. Let’s just say your job has just become several degrees more difficult without this critical data.

Well, the same applies to sharing telemetry data. An endpoint that generates a log of everything that occurs on the device but is stored locally on the device itself is of little use if the device belongs to a remote user. It becomes even more useless when you’re required to gather logs for hundreds or thousands of devices – all located remotely – to analyze them to gain a current understanding of the overall device security posture.

This is where integration between solutions becomes a critical ally, regardless of whether you’re part of IT or Security. Streaming logging data from each remote endpoint to a centralized repository, like your preferred SIEM solution, not only gathers all the necessary details in one easy-to-review location but the analysis of rich telemetry data is simplified by the SIEM’s built-in tooling to provide you with real-time assessment of the device security posture in just a few taps.

Integrating and extending solutions

Here we only begin to scratch the surface of integration and in a later section, how it enables automation. Sharing rich telemetry data via a supported solution’s Application Programming Interface (API), secure integration between solutions can further extend capabilities to include a number of useful administrative functionality, like:

• advanced workflows
• automated processes
• policy-based management
• triggering incident response actions
• visualizing telemetry data and reporting
• chaining together first- and third-party solutions
• automated triage and remediation

Quite literally near endless possibilities depending on the solutions in use within your organization and how they’re configured, based on your unique needs. Consider the following example when Jamf Protect is integrated with Jamf Connect and Jamf Pro.

Jamf Protect detects some unusual behavior occurring on a MacBook Pro that is connected to public Wi-Fi without VPN enabled trying to access business resources. Behavioral analytics determine this action to be risky and shares the telemetry data with Jamf Pro. The latter triggers a policy that checks for the existence of a ZTNA configuration and when it does not find one, it automatically installs the configuration profile to the device. Jamf Protect rechecks the endpoint, determining the profile was installed successfully. Though an authorized user appears to be logged onto the device, they continue to try to access business resources without enabling ZTNA. This telemetry data is shared with Jamf Connect, which effectively triggers a prompt to authenticate the user account before ZTNA can be enabled to secure the connection and grant access. Without successful authentication, access to protected business resources is not granted, thereby keeping data secured from unauthorized access.

Threat remediation and incident response

In the example above, we showed a cursory method of securing network communications by checking if ZTNA is installed and enabled. If not, the integration between Jamf Protect and Jamf Pro deploys the appropriate configuration using the latter while the former verifies it’s configured properly and enables it to provide data security when accessing protected business resources.

But what if this was not the case of a ZTNA client that was needed but rather an app that is not permitted by the organization was downloaded on the endpoint? An incident response workflow could spring into action the second the app is downloaded to the device, scanning it to determine its hash value and if a successful match is found, the suspect application can be immediately removed from the endpoint while a prompt is displayed to the end-user informing them that the app is not allowed and therefore was removed to maintain compliance.

If the threat is something far worse, say a particularly nasty piece of ransomware that gets installed through an exploit on a vulnerable app, remediation workflows leveraging telemetry data and your preferred MDM can perform the following steps to clear out the infection and bring the device back into compliance quickly and with little impact to the end-user:

1. Jamf Protect’s behavioral analytics detect the ransomware’s actions and immediately quarantine the endpoint to prevent further damage.
2. The user is logged out and prevented from authenticating while the malware is programmatically removed from the system.
3. After the malicious code is determined to be gone, Jamf Pro deploys the updated app to mitigate the vulnerability and the device is rebooted.
4. Once remediated, the endpoint once again permits the end-user to authenticate and get back to being productive.

All this occurs with notifications informing the user of each step of the process so they stay informed while allowing the workflow to bring the endpoint back into compliance without further delay.

Pulling it all together with automation

Automation is key. The computing landscape has changed so drastically in recent years with global businesses migrating to remote work environments and the adoption of mobile device technology…and let’s not forget bad actors that have also evolved their attack campaigns alongside the modern threat landscape.

Simply put: there are simply too many users, relying on even more devices that are being attacked by a never-ending stream of threats – counterbalanced by too few IT and Security professionals – to possibly respond to each incident manually. Not to mention that we’re human, there are only so many hours in a given day and ultimately, attackers only need to get it right once to be successful in their attacks…IT and Security need to be right every single time.

That’s a lot of pressure, so leveraging solutions by extending workflows to include advanced automation helps MacAdmins to elevate this buildup tremendously, freeing them up to:

• develop advanced workflows to keep devices, users and data better protected
• turn their personal attention toward higher severity level incidents
• ensure that endpoints are standardized to meet compliance requirements
• work with other teams, like compliance and risk assessment, to verify that endpoints are compliant with regulatory governance
• Work smarter, not harder by offloading repetitive or tedious tasks to minimize the risk of user error and misconfiguration