Security compliance 101 with Intruder and Secureframe
Every business these days has to "do compliance" or "check the security compliance box". But what does it actually mean? How can vulnerability management help make it easy? And how do you get started?
In our latest webinar, Intruder CEO Chris Wallis and Marc Rubbinaccio, CISSP, CISA (Compliance Expert at Secureframe), offered their top tips on achieving compliance and showed how easy it can be with the right tools. Here’s a recap in case you missed it...
What is security compliance?
Security compliance means all the measures you must take to adhere to established security standards or frameworks such as SOC 2, ISO 27001 and Cyber Essentials. It includes the policies, procedures, and best practices needed to safeguard sensitive information from unauthorized access and misuse, which can vary between frameworks.
Compliance has always been important for certain organizations, but in 2023 it’s more important than ever with the numbers of vulnerabilities and breaches on the rise. Organizations need to be proactive to safeguard their sensitive data and prove it to customers, shareholders and regulators.
How to get started with security compliance
Marc explains that it’s up to you as an organization to determine what data you consider sensitive and therefore in need of protection. Then you need to determine the scope of your efforts by considering:
- how you ingest this data
- how you process it
- where the data is transmitted in your environment and your network
- where you store it and for how long
“A great way to begin understanding your scope is by creating a network diagram and a data flow diagram so that you have a way to visualize exactly how that sensitive data is ingested all the way through its lifecycle throughout your environment,” Marc adds.
The scope of some frameworks goes beyond data, however, to include the digital and physical infrastructure, the resources that affect this data, and the personnel handling it. This may seem overwhelming, but there are a number of controls you can put in place that will help your security compliance efforts. Marc categorized these into two groups: technical controls and operational controls.
Of the technical controls, vulnerability management is one of the most important, and should include:
- Infrastructure testing (both external and internal vulnerability scanning)
- Application scanning
- Penetration testing
Also on Marc’s list for key technical controls are:
- Encryption of sensitive data
- Logging and monitoring of security events, such as changes to your production infrastructure
- Secure configuration of resources and devices
As for operational controls, the stages at which personnel are hired, managed and let go matter. “Performing background checks and reference checks are important and new hires must also go through security awareness training,” says Marc.
And every access change, whether it’s for a new starter or a termination, must be tracked, along with any software or infrastructure changes. An auditor will check!
In fact, all of the aspects of your security control environment should have related policies and procedures. Even the tools you’re using and the personnel responsible should be documented in the vulnerability management policy too.
Why is vulnerability management important for security compliance?
“Vulnerability management is simply finding the weaknesses that hackers exploit to get into your systems, and fixing them before the hackers get to them,” explains Chris. “All the compliance frameworks understand that vulnerability management is vital to keeping your company secure because last year alone, 25,000 vulnerabilities were discovered - that's nearly 70 every single day.”
Different compliance frameworks give different guidelines on how frequently scans should be run. For example, PCI DSS expects organizations to run an external scan once a quarter. However, hackers are moving so quickly that from Intruder’s perspective, a scan should be run every 30 days at least. “If anything, you want to be doing it more often than that to give your teams time to fix these things,” Chris says.
He adds, “You don't want this to be something that you wait until an audit comes along to pick up. You want to bake it into your process so that you are audit ready. A bit like you wouldn't go a whole year without brushing your teeth and then turn up at the dentist and expect everything to be okay.” With up to 70 vulnerabilities a day, it can really add up if left unaddressed, so it’s better to take care of issues as soon as they arise.
Can automation streamline your security compliance journey?
The more of the security compliance journey you can automate, the easier it will all become, and fortunately, there are a wealth of powerful tools available to you to make vulnerability management effective and straightforward.
Scanning is a key part of the process and Intruder can help you find your vulnerabilities quickly and easily. You can run scans daily, weekly or monthly, and Intruder also operates emerging threat scans which kick off automatically every time a new vulnerability is discovered.
Chris adds, “Not every single vulnerability is critical or needs to be fixed, and so the compliance frameworks state you need only fix the ‘criticals’ or the ‘highs’. This means you also need a way of prioritizing your vulnerabilities.”
Intruder can do this too, prioritizing things which are exposed to the internet but shouldn't be, to help you understand where your biggest risks lie so you can spend your time where it matters most.
There are also platforms that can help ensure you are audit ready. For example, Secureframe turns compliance from a complicated hurdle to overcome into a routine task by providing everything you need to prepare for an audit or set up security controls. You can even invite your people to Secureframe for security awareness training which is built into the platform, or assign certain policies to certain staff, allowing them to acknowledge and accept the policies they're responsible for.
Want to know more about security compliance?
- Watch a recording of the complete webinar on-demand
- Read Intruder’s essential guide to security compliance
Check Publication Lead Time
Figure: release windows relative to CVE publication, with the share of each vendor’s covered CVEs that received a check in each window (recovered from the figure annotations):
- Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public: Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs, before publication. Since 2010, Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day the vulnerability details were published. The number of checks then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to only checks released up to 180 days prior to a CVE being published and up to 31 days after. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
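As an added example (not code from Intruder, Tenable or Greenbone), the following Python computes the numbers the comparison above rests on from a constructed sample: the CVSSv2 10 / network / no-user-interaction filter, the share of a vendor’s checks released on or before day 0 and within 31 days, and the per-year mean delay trimmed to the -180..+31 day window. It assumes “exploitable over the network” maps to the CVSSv2 AV:N access vector and represents user interaction as a constructed flag (CVSSv2 has no such metric); the CVE ids and dates are placeholders.

```python
from datetime import date
from statistics import mean

# Constructed sample records, not real CVE data: CVSSv2 base score and vector,
# whether exploitation needs user interaction, CVE publication date and the
# date each vendor released a check (None = no check yet).
RECORDS = [
    {"id": "CVE-EXAMPLE-1", "cvss2": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "ui": False,
     "published": "2019-03-01", "checks": {"Tenable": "2019-02-20", "Greenbone": "2019-03-01"}},
    {"id": "CVE-EXAMPLE-2", "cvss2": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "ui": False,
     "published": "2019-06-10", "checks": {"Tenable": "2019-06-12", "Greenbone": "2019-07-30"}},
    # Tenable check dated two years early: an outlier the 180-day limit should drop
    {"id": "CVE-EXAMPLE-3", "cvss2": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "ui": False,
     "published": "2020-01-15", "checks": {"Tenable": "2018-01-01", "Greenbone": "2020-01-16"}},
    # Out of scope: CVSSv2 7.5, and a local access vector, respectively
    {"id": "CVE-EXAMPLE-4", "cvss2": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "ui": False,
     "published": "2020-02-01", "checks": {"Tenable": "2020-02-01", "Greenbone": "2020-02-01"}},
    {"id": "CVE-EXAMPLE-5", "cvss2": 10.0, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "ui": False,
     "published": "2020-03-01", "checks": {"Tenable": "2020-03-01", "Greenbone": None}},
]

def in_scope(rec):
    """The article's filter: CVSSv2 10, network access vector, no user interaction."""
    return rec["cvss2"] == 10.0 and "AV:N" in rec["vector"].split("/") and not rec["ui"]

def delays(vendor):
    """(year, days) per in-scope CVE with a check; negative means released before the CVE."""
    out = []
    for rec in RECORDS:
        released = rec["checks"].get(vendor)
        if in_scope(rec) and released is not None:
            pub = date.fromisoformat(rec["published"])
            out.append((pub.year, (date.fromisoformat(released) - pub).days))
    return out

def share_within(vendor, max_days):
    """Fraction of a vendor's in-scope checks released no later than max_days after publication."""
    d = delays(vendor)
    return sum(1 for _, days in d if days <= max_days) / len(d)

def mean_delay_by_year(vendor, lo=-180, hi=31):
    """Mean delay per year, keeping only lo..hi days so outliers do not skew the mean."""
    per_year = {}
    for year, days in delays(vendor):
        if lo <= days <= hi:
            per_year.setdefault(year, []).append(days)
    return {year: mean(v) for year, v in sorted(per_year.items())}
```

With the sample above, Tenable’s 2020 entry disappears from the yearly mean entirely because its only in-scope check falls outside the trimming window, which is the kind of gap the 180-day limit is meant to produce rather than hide.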
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.