
Page 1: Uniform Compliance and Risk Management through Harmonized … · Uniform Compliance and Risk Management ... Challenges. To Compliance and Risk Management Programs . 2 . Qualys, Inc.

Uniform Compliance and Risk Management through Harmonized GRC

Mark Butler, CISO, Qualys

Page 2

Challenges To Compliance and Risk Management Programs

Qualys, Inc. Corporate Presentation 2

Page 3

4 Key Challenges

• Multiple Compliance Regulations and Standards

• Broken Link to Security Baseline

• Risk in Silos

• GRC’s own challenges

Page 4

Challenge 1: Multiple Regulations and Standards

Page 5

Industry Recommended and Mandate-Based Standards

• PCI

• NERC

• HIPAA

• SANS

• NIST

• ISO

• Vendor Recommendations

Page 6

Numerous Existing Technologies…

• Operating Systems

• Applications

• Databases

• Infrastructure

Page 7

New / Emerging Technologies…

• Docker, OpenStack, Pivotal Cloud Foundry, Hyper-V, VMware

• Elastic / Ephemeral Workloads

• Moving beyond classic Databases into Data Lakes with mixed Data Sensitivity

• Aggressive Cloud And Hybrid-Cloud Adoption outside of IT

Page 8

Challenge 2: Broken Link to Security Baseline

• Guidance vs. Implementation

• Scoping and Tracking Assets

• Technical and Procedural Control Selection

• Lacking Third Party Control Assessment Data

• Application Complexity

Page 9

Challenge 3: Risk in Silos

Risk is assessed separately in each business silo:

• Technology

• CRM / Support

• Legal / Finance / HR

• Operations

• Sales

Page 10

Challenge 4: GRC’s own challenges

• What is GRC’s primary objective?

• Top down or Bottom up approach?

• Defining Scope

• Operational Aspects of Compliance/Risk

Page 11

Approach To Harmonizing GRC

Page 12

Objectives of GRC - Nirvana Simplified

[Diagram with the labels Business Strategy, Baseline, Assess, Mitigate and Report; the elements shown are:]

• Common Compliance Baseline: Mandates, Policies, Standards

• Threats, Vulnerabilities, Risks

• Controls, Checks

• People, Information, Technology, Processes

• Assets

Page 13

Harmonized GRC Reporting

Four elements: Harmonization of Compliance Requirements; Mapping to Security and Risk Baseline; Automation and Reporting; Continuous, Cloud Benchmarking, Intelligence

• Continuous mapping of security checks to ‘One’ set; map risk to ‘Middle’ set

• Find overlapping ‘Middle’ set, report multiple

• Why quarterly audit and report; why not report on changes

• FedRAMP, CSA Certified Cloud providers

• Report in terms of Industry Averages

• Prioritization in terms of most common baseline

• Report security data and risk in terms of ‘Middle set’ (Security data = assessed data of Config, Vuln, FIM etc.)

Page 14

Step 1: Harmonization of Requirements

Source control sets (CIS Top 20 Controls, NIST Controls, HITRUST Controls, UCF Controls, or define your own Control Statements):

• NIST (800-53 Revision 4): IA-5 (1) a - Password Based Authentication - Password Complexity; IA-5 (1) d - Password Based Authentication - Password Life

• Custom: CO1.12 - Password Management - Complexity and Strength; CO1.13 - Password Management - Password Age Restrictions

• HITRUST: 01.d - User Password Management; 01.f - Password Use

• CIS Top 20 Controls: CSC 16-3 - Account Monitoring and Controls

Middle Set (Security Objectives), mapped so that a single set of controls complies to:

• PCI 8.2.3, 8.2.4

• HIPAA 164.308 (a)(5)(2)

• ISO 11.2.3

• NERC CIP-007-5 R5

Page 15

Step 2: Map Security Baseline to Objectives (continuous and automatic view)

End point Technical Security – Password Checks (check - platform):

• Status of the 'Maximum Password Age' setting (expiration) - Windows

• Status of the 'Minimum PIN length' setting - Mobile

• Status of the 'Enforce password history' setting - AIX

• Status of the 'Minimum Password Length' setting - Ubuntu

• List all users with password expiration date within /etc/shadow file - Red Hat

• Status of the 'Enforce password complexity' setting - Cisco Firewall, Checkpoint Firewall

• Password reuse maximum - password_reuse_max - Profile level - Oracle

• IAM password policy - password strength - Amazon Web Services

Vendor controls assessment – Password:

• Are passwords required to access the systems storing, processing or transmitting the customer data? - Vendor

• Has the service organization implemented a password policy which clearly states the password strength, password age, and account lockout/duration information? - Vendor

Based on: NIST (800-53 Revision 4)

IA-5 (1) a - Password Based Authentication - Password Complexity

IA-5 (1) d - Password Based Authentication - Password Life

Security baseline sources mapped to the Security Objectives: Security Configuration Baseline, Vulnerabilities, FIM Events, Risk Register and Risk Events
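Steps 1 and 2 describe evaluating one technical check, rolling it up to a middle-set control, and reporting that single result against every external requirement the control maps to. As an added example (not code from the deck or from Qualys), here is a small Python model of that flow: the pairings between the custom controls and the PCI/NIST/HIPAA/ISO/NERC requirements are assumed for illustration, the pass thresholds are assumed policy values, and the change report implements the "report on changes" idea from page 13.

```python
# Middle set: the deck's custom control statements, with an assumed mapping from each one to
# the external requirements it satisfies (pairings are illustrative, not Qualys's own data).
MIDDLE_SET = {
    "CO1.12": {"title": "Password Management - Complexity and Strength",
               "maps_to": {"NIST 800-53 r4": ["IA-5(1)a"], "PCI": ["8.2.3"],
                           "HITRUST": ["01.f"], "ISO": ["11.2.3"]}},
    "CO1.13": {"title": "Password Management - Password Age Restrictions",
               "maps_to": {"NIST 800-53 r4": ["IA-5(1)d"], "PCI": ["8.2.4"],
                           "HIPAA": ["164.308(a)(5)(2)"], "NERC": ["CIP-007-5 R5"]}},
}

# Security baseline checks: (middle-set control, platform, setting, pass predicate).
# Thresholds are assumed policy values, not taken from the deck.
CHECKS = {
    "win-max-pw-age": ("CO1.13", "Windows", "Maximum Password Age (days)", lambda v: 0 < v <= 90),
    "ubuntu-min-pw-len": ("CO1.12", "Ubuntu", "Minimum Password Length", lambda v: v >= 12),
    "aws-iam-pw-strength": ("CO1.12", "Amazon Web Services", "IAM password policy", lambda v: v is True),
}

def assess(results):
    """Evaluate each check once; a control passes only if every check evidencing it passes."""
    status = {cid: {"pass": True, "evidence": []} for cid in MIDDLE_SET}
    for check_id, value in results.items():
        control, platform, setting, expected = CHECKS[check_id]
        ok = bool(expected(value))
        status[control]["pass"] &= ok
        status[control]["evidence"].append((platform, setting, value, "Pass" if ok else "Fail"))
    return status

def report(status):
    """Fan each middle-set result out to every framework requirement it maps to ('report multiple')."""
    out = {}
    for cid, st in status.items():
        # A control nobody assessed must not silently report as passing.
        verdict = "Not Assessed" if not st["evidence"] else ("Pass" if st["pass"] else "Fail")
        for framework, reqs in MIDDLE_SET[cid]["maps_to"].items():
            for req in reqs:
                out.setdefault(framework, {})[req] = verdict
    return out

def changes(previous, current):
    """Report on change instead of a quarterly cycle: requirements whose status flipped."""
    return {(fw, req): (previous.get(fw, {}).get(req), cur)
            for fw, reqs in current.items() for req, cur in reqs.items()
            if previous.get(fw, {}).get(req) != cur}

if __name__ == "__main__":
    # Constructed results; the second run shows a Windows 'never expires' (0 days) regression.
    q1 = report(assess({"win-max-pw-age": 60, "ubuntu-min-pw-len": 14, "aws-iam-pw-strength": True}))
    q2 = report(assess({"win-max-pw-age": 0, "ubuntu-min-pw-len": 14, "aws-iam-pw-strength": True}))
    print(q1)
    print(changes(q1, q2))
```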

Page 16

Step 3: Automate Assessment and Reporting

Automate Security Control Assessment

• Technical and Procedural Control Automation

• Vulnerability Assessment

• Asset Discovery

• Change Detection

• Don’t Forget Application Assessments (Web/UI/API)

Standards and recommendations shown in the diagram: MSB, TSR, CIS, Vendor Recommendations, SCM, PCI, SOX, HIPAA, COBIT, NIST 800-53, COSO

Page 17

Step 4: Ongoing Monitoring

▪ Asset Discovery & Classification

▪ Automated Application of Standards

▪ Change Tracking & Notification

▪ Business Process Integration

▪ Continuous Baseline Monitoring

Page 18

Step 5: Intelligence Driven Benchmarking

▪ Vertical and Industry Comparisons

▪ “Wall of Shame” Approaches

▪ Comparative Risk & Compliance

▪ Means of Prioritization

▪ Use Internally

Page 19

Summary

▪ Step 1: Harmonization of Requirements

▪ Step 2: Map Security baseline to Objectives

▪ Step 3: Automate Assessment and Reporting

▪ Step 4: Ongoing Monitoring

▪ Step 5: Intelligence Driven Benchmarking

Page 20

Qualys Policy Compliance: Cloud-Based Security Configuration Auditing

• Reduce Compliance Costs

• Automate Security Control Assessment

• Prioritize Remediation to Improve Security

• Raise Auditors’ Confidence & Trust

Page 21

Qualys Cloud Platform / Enabling Audit Visibility

Integrated Suite of Applications

Qualys API

Analytics and Reporting Engines: Reporting & Dashboards, Distributed Correlation, Solr Lucene Indexing, Remediation and Workflows, ElasticSearch Clusters, Oracle and BFFS Storage

Distributed Sensors: Hardware, Agent, Passive, Virtual, Cloud, API

Scale: 3+ billion IP scans and audits per year; 100 billion detections per year; 1+ trillion security events per year

Page 22

DX / Security / Auditing Visibility Challenges

CISO

• Are my cloud and on-premise environments secure?

• Show me data that proves I am meeting my security standards on my new cloud infrastructure.

• Why can’t I reduce the number of security tools deployed and associated support staff?

Threat Management and DevSecOps

• Do my Business partners trust what I’m telling them?

• How do I accurately prioritize remediation to address real risks?

• How am I solving root cause issues and demonstrating improvements in both security and compliance over time?

Auditors

• How can we partner with Sales/Marketing since we are compliant?

• Can you generate the required reports in the standardized formats?

• Are the new environments meeting contractual, PCI and Regulatory requirements?

Page 23

Digital Transformation Auditing Success Factors

Enable Digital Transformation Initiatives (Speed / Efficiency / Visibility)

Extend required security visibility to all of your cloud infrastructure and deployments (known & newly built & recently discovered)

Discover assets beyond traditional hosts (anywhere in the workload)

Integrate with new API services that are replacing web services

Resolve vulnerabilities or insecure configurations in near real-time

Remediate and secure all cloud infrastructure for compliance

Page 24

Thank You

[email protected]
