Comment: The need for Proactive Compliance Management
Current compliance methods are reactive and do little to improve security; rather, they can introduce a documentation and procedural burden that actually hinders security. By Simon Edwards
In place of annual audits and document-heavy processes, an ongoing, proactive compliance model works as an extension of normal information security operations. Proactive compliance management, built on the real-time information gathering, assessment and remediation practices of the security operations centre (SOC), both eases the audit process and raises the regulated company’s security posture along the way.
The shift moves from a ‘collect, wait, report’ methodology to one where compliance is managed day to day, hour to hour and minute to minute. With proactive compliance management, a company has a clear understanding of its compliance standing at any given time. Achieving this, however, presents real technology challenges: large amounts of information must be gathered and processed in real time, on an ongoing basis.
The failure of the annual audit
The current compliance model, built upon annual audits, fails for three primary reasons. The first is that PCI DSS demands that a security process be in place and that certain controls be implemented in a certain manner, but offers little incentive to go beyond those baseline requirements. It is therefore possible to be compliant without being secure.
The second is that the audit process places a burden on the regulated company, one that taxes the same resources and budgets that might otherwise be used to maintain a strong security posture. This often leads to a target-oriented methodology in which the goal becomes hitting the target rather than meeting the true intent of the compliance guideline, which is to secure the organisation.
That is, instead of reinforcing the spirit of PCI DSS (strong protection of cardholder data), the threat of non-compliance can actually impede security as effort shifts from security log monitoring, risk assessment and remediation to work devoted solely to compliance documentation.
Once the audit process is complete, of course, it will have revealed important information security issues, allowing the regulated company to revisit and improve security as a direct result of remediating non-compliance.
The third is that, after the audit is complete and remediation has occurred, a company can easily and unknowingly fall back out of compliance. The root cause is the project nature of the compliance assessment: a security plan is an ongoing process, yet compliance, which aims to enforce strong security, is a single hurdle. Once the hurdle is cleared, the ongoing process of security is left to its own devices until the next audit is performed.
Security, in contrast, is a process, not a product or a project. It demands continuous assessment, mitigation and remediation in real time or near real time. Again, the problem stems from the current compliance/audit model, which is built on annual assessment and grading. The incentive is to pass the audit in order to avoid fines. While passing an audit might seem to imply ongoing security assessment and remediation, it requires only clear documentation that security plans and policies are in place, and little more. The dichotomy between strong security and strong compliance will therefore keep producing an either/or outcome, in which success in one comes at the expense of the other: one requires constant, ongoing assessment and remediation, while the other requires long-term retention and documentation, checked only at set intervals that may be months or years apart.
Proactive compliance management
The solution is ongoing, proactive compliance management, in which the documentation and evidentiary retention of logs, activities and plans all become a by-product of ongoing security operations. In other words, ‘compliance management’ becomes a required function of the SOC. In the SOC, logs may be reviewed daily, hourly or in real time in order to detect high-risk activities, evidence of a clear threat and/or of a successful breach, and then to investigate, remediate and adapt immediately.
Under the mandate of proactive compliance, the SOC must also look for areas of non-compliance and similarly investigate, remediate and adapt, ensuring that the regulated company is in good compliance standing at any given time.
This requires a fundamental shift in how we collect and manage compliance information.
Traditionally, compliance management efforts have focused on ‘retaining’ compliance information for reporting purposes, using a log management system. This is a reactive approach: it only looks at security incidents after the fact, sometimes weeks or even months after they occur.
To achieve proactive compliance management, this data needs to be collected and analysed in the same manner as security event data: collected in real time, assessed in real time and reviewed continuously. It must be presented to both security analysts and compliance officers through interactive, real-time consoles and dashboards that map security concerns directly to compliance requirements as they occur. For traditional security management, these tasks are performed by a centralised, automated security information and event management (SIEM) system.
While this represents a significant change, the benefits of proactive compliance management are numerous. The melding of compliance into ongoing security operations facilitates rather than impedes the security process.
Instead of imposing a resource drain in advance of an audit (and potentially immediately after one), compliance issues are identified as they occur. Because most compliance requirements are designed to reduce risk, a detected compliance issue can be treated as an identified risk by security operations, allowing it to be mitigated before a breach while also maintaining compliance ahead of an audit.
When it is time for an audit, assuming that compliance has been managed proactively as part of daily security operations, there should be little or no additional burden on the security or compliance management teams. All required information, reports and a clear audit trail of every incident and action should be readily available as a by-product of good security practice. This improves security while enabling an efficient and successful compliance audit, and it stops security resources being reallocated to other functions as a company prepares for an audit. It also prevents the gradual decay of compliance efforts after an audit is complete, by keeping the assessment and remediation of compliance issues at the forefront of daily operations, and so reduces all of the costs associated with audit preparation, execution and remediation.
Achieving proactive compliance management
Because SIEM solutions and log management systems have begun to converge, newer SIEMs are ideal candidates for proactive compliance management. However, there are also significant challenges that must be overcome both technically and operationally to achieve this.
The first hurdle is technical. Compliance requires that every detail be preserved, in full granularity, with digital signatures and other safeguards that ensure the information cannot later be repudiated. However, the real-time analytical qualities of a SIEM as used in a SOC rely heavily on compression or aggregation of information: they minimise both the number of distinct events and the number of data points preserved for each event, in order to work within the performance and scale limits of current database technology.
In addition, when network and user activity are viewed from a combined security and compliance perspective, more information needs to be assessed from more systems, so as to remove any potential compliance ‘blind spots’. A log source that silently stops reporting is itself a compliance finding, not just a security one.
Therefore, for proactive compliance management to be implemented, SIEM performance needs to improve to the point where full-fidelity, non-repudiable information can be collected and analysed in real time. This may require older legacy SIEMs to be upgraded, replaced or supplemented with a modern, more scalable and higher-performance system.
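The following is an added example, written for this page and not code from the article or from NitroSecurity. It makes concrete both the SOC workflow described under ‘Proactive compliance management’ (the same event stream serving detection and compliance checks) and the technical hurdle just discussed (full-granularity, tamper-evident retention versus the aggregation a throughput-oriented SIEM performs). The event schema, host names, thresholds, the demo key and the sample events are all assumptions constructed for the demonstration.

```python
"""Added example, not from the article or NitroSecurity: a minimal proactive-
compliance pipeline. Events are retained at full granularity in a hash-chained,
HMAC-tagged store (the evidence side) and the same stream is checked continuously
(the SOC side). Event schema, hosts, thresholds and key are all assumptions."""
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Assumed demo key. A shared-key MAC shows a record was not altered after tagging;
# true third-party non-repudiation needs an asymmetric signature or a trusted
# timestamp, which the same chain structure can carry instead of the HMAC.
SIGNING_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64

def sign_record(prev_digest, event):
    """One append-only record: canonical JSON of the whole event, chained to the
    previous digest and HMAC-tagged. No field is summarised away."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_digest + body).encode()).hexdigest()
    tag = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"prev": prev_digest, "event": dict(event), "digest": digest, "tag": tag}

def build_chain(events):
    chain, prev = [], GENESIS
    for ev in events:
        chain.append(sign_record(prev, ev))
        prev = chain[-1]["digest"]
    return chain

def verify_chain(chain):
    """Recompute every link; an edited, dropped or reordered record fails."""
    prev = GENESIS
    for rec in chain:
        expected = sign_record(prev, rec["event"])
        if rec["prev"] != prev or rec["digest"] != expected["digest"]:
            return False
        if not hmac.compare_digest(rec["tag"], expected["tag"]):
            return False
        prev = rec["digest"]
    return True

def check_failed_logins(events, limit=3, window=60):
    """SOC detection on the same stream: more than `limit` failed logins from one
    source within `window` seconds. Returns one (ts, src) per burst."""
    recent, findings = defaultdict(deque), []
    for ev in events:
        if ev["type"] != "login_failure":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            findings.append((ev["ts"], ev["src"]))
            q.clear()
    return findings

def check_silent_sources(events, in_scope_hosts, now, max_gap=300):
    """Blind-spot check: each in-scope host must keep sending logs. Returns hosts
    with no event within `max_gap` seconds of `now`."""
    last_seen = {h: None for h in in_scope_hosts}
    for ev in events:
        if ev["host"] in last_seen:
            last_seen[ev["host"]] = max(ev["ts"], last_seen[ev["host"]] or 0)
    return sorted(h for h, t in last_seen.items() if t is None or now - t > max_gap)

def aggregate(events):
    """What a throughput-oriented SIEM keeps instead: counts per (host, type).
    Enough to alert on, not enough to reproduce the individual evidence."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["host"], ev["type"])] += 1
    return dict(counts)

# Constructed sample events for the demonstration; not real log data.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "pos-01", "type": "login_failure", "src": "10.0.0.9", "user": "admin"},
    {"ts": 1010, "host": "pos-01", "type": "login_failure", "src": "10.0.0.9", "user": "admin"},
    {"ts": 1020, "host": "pos-01", "type": "login_failure", "src": "10.0.0.9", "user": "admin"},
    {"ts": 1025, "host": "pos-01", "type": "login_failure", "src": "10.0.0.9", "user": "admin"},
    {"ts": 1030, "host": "db-01", "type": "config_change", "src": "10.0.0.5", "user": "dba"},
    {"ts": 1040, "host": "pos-01", "type": "login_success", "src": "10.0.0.9", "user": "admin"},
]
IN_SCOPE_HOSTS = ["pos-01", "db-01", "fw-01"]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain))
    chain[1]["event"]["user"] = "guest"  # simulate after-the-fact editing
    print("after tampering:", verify_chain(chain))
    print("login bursts:", check_failed_logins(SAMPLE_EVENTS))
    print("silent hosts:", check_silent_sources(SAMPLE_EVENTS, IN_SCOPE_HOSTS, now=1300))
    print("aggregated view:", aggregate(SAMPLE_EVENTS))
```

Run as a script, the chain verifies, fails once a single field of one record is edited, and the same events yield a brute-force finding at ts 1025 and a silent in-scope host (fw-01) that never reported. The aggregated view keeps only a count of four failed logins on pos-01: enough to raise an alert, but it cannot answer an auditor’s question about which account, from where and in what order. The HMAC here is a stand-in; because the SOC holds the same key it tags with, it proves integrity but not third-party non-repudiation, and a production store would sign the chain with an asymmetric key or anchor it to an external timestamping service.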
The second hurdle is a shift in how security and compliance are understood by the various involved parties: security managers and compliance managers need to work together, with the understanding that compliance regulations are designed to ensure and assure better security. When security and compliance teams work together – to the point where they share roles, responsibilities and even utilise the same informational tools – both functions become more effective and efficient, with common data points being expressed to both parties in the correct context and using the correct terminology.
A move to proactive compliance management practices improves security and compliance standings, while also improving efficiency and eliminating the negative effects of the current cyclic compliance efforts. With the appropriate tools in place, a regulated company can easily ascertain its compliance standing at any given minute, making an audit a formality rather than a significant drain on resources and energy. These tools, SIEM and log management systems that are likely already in place, may require upgrades to handle the additional information burden that comes with compliant reporting, chain of custody and non-repudiation. However, the result will be improved security, improved compliance and lower costs, both through better operational efficiency and through fewer compliance fines.
Compliance with regulatory standards such as PCI DSS and PA-DSS has gone from being ‘nice to have’ to being a necessary facet of doing business. As the benefits of 24/7/365 compliance are realised, the move from a reactive to a proactive stance will also become a necessity.
Simon Edwards is EMEA Systems Engineer at NitroSecurity