Security hygiene and posture management requires new tools

It's time to scale security controls

All enterprise security programs, regardless of an organization's size, industry or location, are built on a foundation of strong security hygiene and posture management. This is also evident in every best practice, international standard and government regulation.

Take the Center for Internet Security (CIS) critical controls, for example. This set of well-established security guidelines is composed of 18 critical controls that include things such as inventory and control of enterprise assets (CIS Control 1), inventory and control of software assets (CIS Control 2), data protection (CIS Control 3), account management (CIS Control 5), access control management (CIS Control 6) and continuous vulnerability management (CIS Control 7). If you boil these guidelines down, they recommend some common practices, including the following:

• Establish secure baseline configurations.
• Follow least privilege rules.
• Know what's on your network.
• Know the state of what's on your network.
• Correct anything that drifts away from a known and approved secure configuration.

These security hygiene practices sound sensible and logical. Yet CISOs face a common problem: How do you address security hygiene and posture management at scale when hybrid IT environments are constantly growing and changing?

Unfortunately, many organizations respond to this question with a shoulder shrug and puzzled facial expression. They have no idea how to manage security hygiene and posture management across tens of thousands of constantly changing assets. Recent research from Enterprise Strategy Group (ESG) reflected this sad reality. The data indicated the following:

• Sixty-nine percent of organizations believe security hygiene and posture management is more difficult today than two years ago. This is largely due to factors such as the expanding attack surface, a growing population of remote workers and greater use of cloud computing.
• Seventy percent or organizations use more than 10 different tools for security hygiene and posture management. It's difficult to get a holistic perspective on cyber-risk when you need to look across 10 or more tools to figure this out.
• Sixty-one percent of organizations find it difficult to figure out the right priorities for addressing security hygiene and posture management issues and mitigating cyber-risk. As the saying goes, "When everything is a priority, nothing is a priority." In security terms, this means critical vulnerabilities remain open for unacceptably long periods of time.
• Fifty-seven percent of organizations struggle to figure out which assets should be considered business-critical. It's hard to prioritize actions when you don't have a crystal-clear understanding about which IT assets support the business and which do not.

The data also revealed that 73% of organizations still depend on spreadsheets for security hygiene and posture management. Someone is responsible for going out and finding multiple data sources, inputting the data into spreadsheets and maintaining those spreadsheets over time. At best, these manual tasks provide a point-in-time status of security hygiene and posture management. This is hardly optimal when hybrid IT is in a constant state of change.

Achieve security hygiene with the proper tools

CISOs know the importance of security hygiene and posture management and understand that their current programs need improvement. Many are addressing program deficiencies with new technologies, including attack surface management tools, security asset management platforms, risk-based vulnerability management and security validation tools.

• Attack surface management tools. Available from CyCognito, Mandiant, Palo Alto Networks, Randori (an IBM company) and SecurityScorecard, these can help discover and classify internet-facing assets.
• Security asset management platforms. Available from Axonius, JupiterOne, Sevco Security and ServiceNow, these can aggregate and consolidate asset data from disparate systems.
• Risk-based vulnerability management systems. Available from Kenna Security (a part of Cisco), Qualys, Rapid7 and Tenable, these can help organizations prioritize vulnerability remediation based on exploits and machine learning algorithms.
• Security validation tools. Available from AttackIQ, Cymulate, SafeBreach and XM Cyber, these can evaluate security controls against real-world attack patterns to discover gaps and misconfigurations.

Over the next few years, ESG believes these tools will converge into a security hygiene and posture management dashboard for the enterprise within a new security technology category: security observability, prioritization and validation (SOPV). As this happens, CISOs may finally have a single source for managing security hygiene and posture management programs, as well as the CIS critical controls described above at scale -- certainly a welcome development.

What needs to happen on the supply-and-demand side for SOPV to take hold and evolve? I'm about to launch a new research project to address this and other questions.

ESG is a division of TechTarget.