Security compliance 102: SOC 2 with Intruder and Drata
When navigating the complex world of cyber security compliance, SOC 2 stands out as an essential benchmark for modern businesses handling sensitive customer data. But what does SOC 2 require, and how can vulnerability management help you on your SOC 2 journey?
These were just two of the important questions about SOC 2 that were covered in our recent webinar, presented by Patrick Cranston, our CTO, and Pratik Bhat, Senior Product Manager at Drata - the leading automated compliance platform. Missed it? Read on to get the highlights of what was covered to get you up to speed.
What is SOC 2?
Trust is essential when it comes to managing customer data. Give your customers any cause for concern that your security isn’t up to scratch and you could lose their business. Fortunately, this is where SOC 2 comes in.
SOC 2 is a security framework created by AICPA (the American Institute of CPAs) to help businesses improve and demonstrate how they safeguard customer data based on five key areas: security, availability, processing integrity, confidentiality, and privacy. Visit the AICPA website to learn about these in more detail or read our in-depth guide.
But SOC 2 is more than just a technical audit. As Pratik explained, “It's a comprehensive requirement that ensures your information security policies and procedures are documented and followed.” It’s about going beyond the basics and meeting a complex set of controls that need to be reviewed, addressed, and monitored. And it's something you need to continuously monitor, invest in and prioritize for your business.
There are two types of SOC 2 report. Type 1 evaluates your controls at a single point in time, ensuring they're sufficient and correctly designed. Type 2 takes it a step further, checking the ongoing effectiveness of those controls over a period of three to twelve months.
As you might expect, Type 2 audits and reports are more detailed and therefore more expensive, which is why staying compliant is crucial – and where automated compliance tools like Drata help save time, resources and expense.
7 reasons why SOC 2 is important
There’s no legal or regulatory requirement to comply with SOC 2, so you’d be forgiven for asking if the investment is worth it. But there are seven good reasons why you should consider SOC 2:
- It forces you to enhance and optimize your security processes and posture
- Customers expect you to protect their data – some won’t do business with you if you’re not SOC 2 compliant
- Compared to the cost of a data breach, compliance is pretty cheap. As Patrick pointed out, “in 2021, a single data breach costs businesses on average over $4 million”
- It gives you an advantage over competitors who aren’t compliant
- It builds trust with customers and stakeholders – “Some customers might even accept your SOC 2 report rather than asking you to fill out customer compliance questionnaires,” Patrick explained.
- SOC 2 overlaps with other compliance frameworks such as HIPAA and ISO 27001 so it can speed up further or future compliance efforts
- It gives you essential insights into your organization's risk profile and security status
Pretty compelling, right?
How Intruder gained SOC 2
Our CTO Patrick, who was tasked with ensuring Intruder was SOC 2 compliant, explained that you don’t actually have to meet all five trust principles. Instead, you can focus on the ones that are relevant or appropriate for your business.
“For us at Intruder, but also for many of the big players in the industry, such as Google or Cloudflare, the focus is security, availability and confidentiality, and we made sure that we worked towards completing all the controls under those three trust principles.”
He continued, “There's no singular formula for SOC 2 compliance. Each report is tailored to the specific needs of your organization, and there are various tools and platforms that can help you automate, streamline and speed up the auditing process.”
These can be particularly helpful if you don’t have a dedicated information security or compliance officer in your team to manage the process. In fact, depending on whether you opt for a Type 1 or Type 2 report, there may be a number of people in your team involved. “It really has to be a co-ordinated effort between various policy owners. Depending on the type of the report, you'll have a different individual in the business who writes it. It could be the CEO, Head of People for organizational policies, or the CTO for technical policies. But it does require one person to keep on top of everything and make sure all that goes together,” he concluded.
How to simplify your journey to SOC 2
The biggest effort lies in collating all that evidence to show auditors that you are complying with the various controls. An example of this could be showing that you perform background checks on all new employees, or are monitoring for vulnerabilities. This requires a huge amount of admin, so the key to making the compliance process manageable is automation.
That's why we used Drata for our own SOC 2 report, and continue to use it on a continuous basis to make sure we stay compliant. With Drata you can use their integrations to automatically pull data from cloud providers, reducing the amount of manual evidence you have to collect. Once these cloud connectors are in place, you can simply forget about them because the integrations pull the information automatically. And if you ever lose access to a cloud account, they'll let you know.
Drata can also help handle your manual evidence. Simply upload it to the tool and set an expiry date, and Drata will remind you to update that evidence when the time comes. Staying on top of your evidence becomes a continuous, manageable job and everything is organized and easily accessible within the app. Then when the next audit period comes along, the auditor can simply log in to your Drata account and find everything they need. If you need help choosing an auditor, Drata’s auditor directory is an invaluable resource to help you find support to match your needs.
How Intruder can help your SOC 2 compliance
Three SOC 2 trust principles – confidentiality, privacy and security – require monitoring for weaknesses. Continuous vulnerability scanning with a tool like Intruder provides deep insights into both internal and external vulnerabilities, continuously searching for gaps and cracks in your systems and user behaviour that could lead to an attack. While penetration testing provides a deep dive, point-in-time assessment, automated vulnerability scanning monitors your systems continuously. But both are as essential to a robust security program as the basics like firewalls and VPNs.
Intruder is easy to buy, simple to use, and fully automated. Just sign up, pay by credit card, and you can tick the SOC 2 vulnerability management box in under 10 minutes.
Want to know more about SOC 2?
- Watch a recording of the complete webinar on-demand
- Read Intruder’s essential guide to SOC 2 compliance
- Try Intruder for free for 14-days and start your compliance journey today
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit.
Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation.
Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
The likelihood that exploitation in the wild is going to be happening is steadily increasing.
Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
We’re starting to lose some of the benefit of rapid, automated vulnerability detection.
Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
Any detection released a month after the details are publicly available is decreasing in value for me.
Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Since 2010, Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and try to see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to only checks released between 180 days prior to a CVE being published and 31 days after a CVE being published. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
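The three measures used in this section (share of checks released on or before day 0, share released within a month, and the outlier-limited mean delay) can be computed from a list of CVE publication and check release dates. The following is an added example, not code from the article or either vendor; the dates are constructed, and the "within 1 month" cut-off of 30 days is an assumption, while the -180/+31 day window matches the limits described above.

```python
from datetime import date
from statistics import mean

# Constructed sample: (CVE publication date, check release date) per vendor.
# Made-up dates for illustration only, not the article's dataset.
SAMPLE = {
    "Tenable": [
        (date(2020, 3, 10), date(2020, 3, 5)),    # check 5 days before CVE
        (date(2020, 5, 1), date(2020, 5, 1)),     # same day as CVE
        (date(2020, 7, 14), date(2020, 7, 20)),   # 6 days after
        (date(2020, 9, 2), date(2020, 10, 30)),   # 58 days after: outside +31 window
        (date(2020, 11, 9), date(2019, 11, 1)),   # 374 days before: outside -180 window
    ],
    "Greenbone": [
        (date(2020, 3, 10), date(2020, 3, 10)),   # same day
        (date(2020, 5, 1), date(2020, 5, 12)),    # 11 days after
        (date(2020, 7, 14), date(2020, 8, 20)),   # 37 days after: outside +31 window
        (date(2020, 9, 2), date(2020, 8, 25)),    # 8 days before
    ],
}

def delays(pairs):
    """Release delay in days; positive means the check came after the CVE."""
    return [(check - cve).days for cve, check in pairs]

def share_within(ds, max_days):
    """Fraction of checks released no later than max_days after publication."""
    return sum(1 for d in ds if d <= max_days) / len(ds) if ds else 0.0

def windowed_mean(ds, before=180, after=31):
    """Mean delay over checks released from `before` days prior to `after` days
    after publication, discarding outliers outside that window."""
    kept = [d for d in ds if -before <= d <= after]
    return mean(kept) if kept else None

def summarise(sample):
    """Per-vendor day-0 share, one-month share (30-day cut-off assumed) and windowed mean."""
    out = {}
    for vendor, pairs in sample.items():
        ds = delays(pairs)
        out[vendor] = {
            "day0_share": share_within(ds, 0),
            "month_share": share_within(ds, 30),
            "windowed_mean": windowed_mean(ds),
        }
    return out

if __name__ == "__main__":
    for vendor, stats in summarise(SAMPLE).items():
        print(vendor, stats)
```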
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and a greater percentage of their remote checks for critical vulnerabilities released on or before day 0, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.