Don’t Just Ensure Cybersecurity Asset Compliance – Prove It
With cybersecurity asset compliance, it’s not enough to ensure your systems and processes are operating in accordance with security frameworks and regulations. Unless you can prove compliance, you’re still subject to failed audits and penalties. When you automate cybersecurity device assessment and policy enforcement with Forescout, passing compliance audits becomes a byproduct of security operations.
Organizations must meet device security requirements at every turn. They may stem from global certifications (ISO); voluntary frameworks (NIST, zero trust); regional regulations such as GDPR (EU/EEA); or industry-specific standards such as HIPAA (healthcare), PCI (financial services) and NERC CIP (utilities). The consequences of non-compliance are always top-of-mind: failed audits and data breaches can result in hefty fines and penalties, not to mention rejected bids and negative media exposure.
Common asset compliance challenges
With remote work now the norm and IoT, IoMT and OT assets adding increasing utility, the number of devices added to the network has grown substantially. Most IT teams lack the ability to assess, in real time, all assets and confirm that each one complies with security policies and regulatory mandates. Outdated, point-in-time compliance snapshots can’t be trusted. Even if IT staff can identify noncompliant devices, they have limited capacity to apply policy controls and enforce continuous asset compliance across a mix of network and security infrastructure technologies.
Compliance uncertainty has a negative domino effect. IT staff can’t mitigate vulnerabilities in real time because they lack the information needed to keep unmanaged, unpatched and potentially infected or rogue devices off the network. They can’t accurately document compliance due to incomplete information about all the assets and whether they are configured and accessed securely. The end result? Exposure to business disruptions, data breaches and audit failures.
Automated asset compliance
Achieving high levels of device compliance begins with 100% device visibility, or knowing what’s on your network. Visibility requires discovery, classification and assessment upon connect, and continuously thereafter. Continuous is the operative word. It only takes one misplaced or unknown asset for attackers to seize the opportunity to breach a network.
Likewise with compliance. A best-practice compliance strategy leverages automated tools that continuously and agentlessly (using agents by exception) query all connected assets to assess their compliance posture, then recommend actions using a policy engine that compares current state to written security policy. This approach uses minimal resources to answer critical questions:
- Is the asset managed or unmanaged?
- Can the asset be queried?
- Is the asset used by a guest or contractor?
- Is the asset encrypted?
- Is the asset antivirus compliant?
- Are security agents installed, running and updated on the asset?
Based on the answers, your asset compliance solution should recommend and automatically initiate the right policy-driven action, such as:
- Opening a ticket
- Remediating the asset
- Segmenting the asset
- Restricting the asset
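The policy engine described above, as an added example that is not Forescout's code or part of the original post: a constructed asset inventory is checked against the six questions, every finding is kept as evidence (so the record can be shown to an auditor, not just acted on), and the highest-severity finding selects one of the four policy-driven actions. The asset attributes, the required agent list and the severity ranking are assumptions chosen for illustration.

```python
"""Minimal continuous-compliance policy engine (constructed example).

Each asset is described by the attributes the post's six questions ask
about; evaluate() compares that state to written policy and returns the
action to take plus a full list of findings that serves as audit evidence.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Severity order used to pick one action when several findings apply (assumption).
ACTION_RANK = {"none": 0, "ticket": 1, "remediate": 2, "segment": 3, "restrict": 4}

# Agents that written policy requires on every managed asset (assumption).
REQUIRED_AGENTS = ("edr",)


@dataclass
class Asset:
    asset_id: str
    managed: bool
    queryable: bool
    owner: str                              # "employee", "guest" or "contractor"
    encrypted: Optional[bool] = None        # None: state could not be determined
    av_compliant: Optional[bool] = None
    agents: dict = field(default_factory=dict)  # name -> {"running": bool, "updated": bool}


def evaluate(asset):
    """Compare one asset's current state to policy.

    Returns (action, findings); findings is a list of (check, passed, detail)
    covering every check that ran, so the record doubles as audit evidence.
    """
    findings = []
    action = "none"

    def fail(check, detail, proposed):
        nonlocal action
        findings.append((check, False, detail))
        if ACTION_RANK[proposed] > ACTION_RANK[action]:
            action = proposed

    if not asset.queryable:
        # Cannot be assessed at all: restrict until it can be, and stop early.
        fail("queryable", "asset does not answer compliance queries", "restrict")
        return action, findings
    findings.append(("queryable", True, "asset answers compliance queries"))

    if asset.owner in ("guest", "contractor"):
        fail("owner", f"{asset.owner} device", "segment")
    else:
        findings.append(("owner", True, "corporate user"))

    if not asset.managed:
        fail("managed", "not enrolled in management", "segment")
    else:
        findings.append(("managed", True, "enrolled in management"))

    for check, value in (("encrypted", asset.encrypted), ("av_compliant", asset.av_compliant)):
        if value is True:
            findings.append((check, True, "ok"))
        elif value is False:
            fail(check, "fails policy", "remediate")
        else:
            fail(check, "state unknown", "ticket")   # unknown is a finding, not a pass

    for name in REQUIRED_AGENTS:
        agent = asset.agents.get(name)
        if agent is None or not agent.get("running"):
            fail(f"agent:{name}", "missing or not running", "remediate")
        elif not agent.get("updated"):
            fail(f"agent:{name}", "running but out of date", "ticket")
        else:
            findings.append((f"agent:{name}", True, "running and current"))
    return action, findings


def evaluate_inventory(assets):
    """Return one timestamped evidence record per asset for the audit trail."""
    assessed_at = datetime.now(timezone.utc).isoformat()
    records = []
    for asset in assets:
        action, findings = evaluate(asset)
        records.append({
            "asset_id": asset.asset_id,
            "assessed_at": assessed_at,
            "action": action,
            "compliant": all(passed for _, passed, _ in findings),
            "findings": findings,
        })
    return records


# Constructed sample inventory: one clean laptop, one drifting laptop,
# a contractor BYOD device and an OT controller that cannot be queried.
SAMPLE_INVENTORY = [
    Asset("lap-001", True, True, "employee", True, True, {"edr": {"running": True, "updated": True}}),
    Asset("lap-002", True, True, "employee", False, True, {"edr": {"running": True, "updated": False}}),
    Asset("byod-07", False, True, "contractor"),
    Asset("plc-12", False, False, "employee"),
]

if __name__ == "__main__":
    for record in evaluate_inventory(SAMPLE_INVENTORY):
        print(record["asset_id"], record["action"], record["compliant"])
```

Two design points matter for the "prove it" goal: an undetermined state (`None`) is recorded as a failed check that opens a ticket rather than silently passing, and every check that ran is written to the record even when it passed, so the evidence shows what was tested, not only what was wrong.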
Automated querying and policy-driven remediation leverage rich device context to efficiently ensure device compliance without human intervention. With Forescout, that context comprises more than 150 classification attributes that are referenced not only for asset compliance but also for network access control, segmentation and incident response. When the Forescout solution is integrated with your other third-party security tools, a wealth of contextual data is automatically shared in real time with your configuration management database (CMDB), such as ServiceNow, and with security operations and help desk staff.
The four paths to asset compliance
Given the range of asset types, asset compliance enlists a variety of passive discovery and active scanning or integration techniques to assess compliance of all IP-connected devices. They fall into four categories:
- Compliance assessment via third-party integrations
- Compliance assessment via traffic monitoring
- Scanning for vulnerabilities
- Agent-based compliance assessment
There is a wealth of pre-built connectors and available integrations between security solutions for EPP/EDR, VA, SIEM, ATD, NGFW, PAM, CMT and ITSM. They can be fast and lightweight, enabling IT to glean new insights. Yet, when pre-built connectors don’t exist, integration can be costly and unpredictable. Whether pre-built or custom, third-party integrations rely on getting everything right, and they assume the third party has correct data. Your collected compliance data is only as accurate as the sum of all its parts.
Traffic monitoring tools determine whether communications between assets are compliant. They can sometimes reveal other data, such as software and firmware versions. However, these tools can’t provide a full inventory of the processes, services and applications running on an asset. To capture full insight into asset compliance, the tools need to see unencrypted traffic, which isn’t the norm for many environments. Unencrypted traffic is still common in the OT/ICS domain, but that will likely diminish as OT/ICS environments become more connected.
Scanners can potentially determine what services are running on an asset, as well as the software and firmware versions (in certain IoT, IoMT and OT/ICS networks). However, depending on the environment, they can’t always do that with confidence. Many IT assets block scans that have not been whitelisted, and OT/ICS assets may stop performing critical functions, crash or experience other negative impacts from scans.
Agent-based compliance assessment has proven to be the most effective of the traditional solutions. It offers a complete compliance picture, integrates deeply with operating systems, provides superior malware detection and runs on devices while they are off the network. Agent-based integration may be necessary to assess the asset compliance posture of contractors, students and specific exceptional users.
There’s just one major obstacle: agents don’t work for devices that cannot run agents – a massive and growing number of devices that may include IoT, IoMT and OT/ICS. Issues also arise when agents are misconfigured or conflict with other agents, break due to an OS version update or depend on proper configuration of other systems.
Who is watching the watchers?
Used individually, each of these methods falls short of providing complete compliance assessment. They are often reactive or ad hoc, offering limited real-time visibility into assets and their interactions. As a result, IT staff are left with outdated, inconsistent data among multiple point solutions.
Forescout provides a combination of all four methods, plus agentless asset compliance assessment and remediation. Agentless OS integration is the best way to validate device ownership and the status of misconfigured agents. Somebody needs to watch the watchers to make sure agent-based solutions are installed and running on all connected agentable assets. Agentless integration, combined with scanning and traffic monitoring, is also the preferred mechanism to query or listen to unagentable devices for software/firmware version, applications, services, etc., and to test for the presence of default credentials.
Bottom line: go agentless wherever possible and use other methods to supplement. No one approach does it all, so you want a solution with a wide range of capabilities that can be flexibly deployed. Sure, you want to leverage your current security tools, but who is watching the watchers to ensure they’re installed and running properly? That requires an agentless visibility and compliance solution to protect your investment. Consider out-of-the-box third-party integrations that can both pull and push compliance information to reconcile stale data.
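The "watching the watchers" reconciliation described in the two paragraphs above, as an added example that is not Forescout's code or part of the original post: an agentless discovery inventory (what is on the network right now) is compared against an EDR console export (what the agent vendor believes), which surfaces agentable assets with no agent, agents that have stopped checking in, and console records for hosts no longer seen, the stale data the post says integrations should reconcile. The record layouts, the hostname join key, the fixed clock and the 24-hour staleness threshold are assumptions chosen for illustration.

```python
"""Reconcile agentless discovery against an agent console (constructed example)."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample is deterministic (assumption).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# An agent that has not checked in for this long is treated as broken (assumption).
STALE_AFTER = timedelta(hours=24)

# Constructed agentless discovery output: every device currently on the network,
# classified as agentable (can run an agent) or not.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "lap-001", "class": "workstation", "agentable": True},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "lap-002", "class": "workstation", "agentable": True},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "lap-003", "class": "workstation", "agentable": True},
    {"mac": "aa:bb:cc:00:00:10", "hostname": "cam-10", "class": "ip-camera", "agentable": False},
]

# Constructed EDR console export: the agent vendor's view, with last check-in times.
EDR_AGENTS = [
    {"hostname": "lap-001", "last_checkin": NOW - timedelta(minutes=5)},
    {"hostname": "lap-002", "last_checkin": NOW - timedelta(days=9)},
    {"hostname": "lap-099", "last_checkin": NOW - timedelta(days=40)},
]


def reconcile(discovered, edr_agents, now=NOW, stale_after=STALE_AFTER):
    """Cross-check network discovery against the agent console.

    Returns a report with four buckets:
      missing_agent - agentable host on the network with no console record
      broken_agent  - host on the network whose agent stopped checking in
      stale_record  - console record for a host not seen on the network
      covered       - agentable host whose agent is present and current
    Unagentable devices are skipped here; they are assessed by other means.
    """
    seen = {d["hostname"]: d for d in discovered}       # join key is an assumption
    agents = {a["hostname"]: a for a in edr_agents}
    report = {"missing_agent": [], "broken_agent": [], "stale_record": [], "covered": []}

    for host, device in seen.items():
        if not device["agentable"]:
            continue
        agent = agents.get(host)
        if agent is None:
            report["missing_agent"].append(host)
        elif now - agent["last_checkin"] > stale_after:
            report["broken_agent"].append(host)
        else:
            report["covered"].append(host)

    for host in agents:
        if host not in seen:
            report["stale_record"].append(host)
    return report


def agent_coverage(report):
    """Fraction of agentable, currently connected hosts with a working agent."""
    on_network = len(report["covered"]) + len(report["missing_agent"]) + len(report["broken_agent"])
    return len(report["covered"]) / on_network if on_network else 1.0


def push_back(report):
    """Actions to push to the console and ticketing system: what to deploy,
    what to repair, and which console records to retire."""
    return (
        [("deploy_agent", h) for h in report["missing_agent"]]
        + [("repair_agent", h) for h in report["broken_agent"]]
        + [("retire_record", h) for h in report["stale_record"]]
    )


if __name__ == "__main__":
    result = reconcile(DISCOVERED, EDR_AGENTS)
    print(result)
    print(f"agent coverage: {agent_coverage(result):.0%}")
    print(push_back(result))
```

The console alone would report three healthy-looking agents; only by joining it with what is actually connected does the gap on lap-003, the silent agent on lap-002 and the orphaned record for lap-099 become visible, and the push-back list is what the post means by integrations that push as well as pull.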
What to look for in a device compliance solution
The ability to continuously assess all connected devices for compliance in real time requires a combination of the techniques described here. Solution vendors may spin the need for only one of them. Challenge that assertion to ensure network safety and compliance with frameworks and regulations.
Here are four qualifying questions to ask:
- Does the solution integrate easily with our existing infrastructure and tools? Network security is already complex. There’s no need to add more complexity.
- Is it technology agnostic, or do we have to buy a proprietary platform? A device compliance solution should build on the foundation of a device visibility solution. Both products should enhance the value of your current investments, not add unnecessary cost.
- How quick is the time to value? A comprehensive device compliance solution should deliver value within weeks of deployment. For large, complex environments, expect full value from continuous compliance assessment and remediation within three months, on average.
- Can it converge all information from our entire environment? The solution should enforce compliance for all devices across your digital terrain, whether they are in a campus, data center, cloud or OT environment.
First comes visibility, next compliance
As your organization matures, security initiatives become more complex and time consuming, so it’s important to build one upon the other. Once you have gained visibility into all the devices that touch your digital terrain, it’s time to manage compliance around each one of them.
Device compliance is one of the few areas where a test grade of 90% represents failure. Just a few noncompliant devices are all it takes to compromise financial data, personal health information, cardholder data and intellectual property. If you want to make the grade, adopt a continuous, automated and orchestrated compliance strategy.
NIST, SWIFT, GDPR, PHI – the Forescout Compliance Guide can help you power through audits and improve alignment with key frameworks and regulations.
About the Author
A. J. Dunham has deployed more than 150 Forescout installations and currently architects customer strategies to address growing IT, IoT, IoMT and OT/ICS challenges at enterprise scale. He holds a bachelor’s degree in computer networking and information security from NSA-accredited Champlain College and a master’s degree in information assurance from Northeastern University.