The Virtual Chief Information Security Officer (vCISO) is becoming a preferred solution for small, medium, and even some large businesses. For those who are not familiar with the vCISO I will share what this role actually is, and then step into what makes up an AvCISO.
What is a vCISO?
A good description of a vCISO is “a service designed to make top-tier security analysts available to your organization for security expertise and guidance.” Many small organizations often mistakenly think they don’t have the need for top-tier security analysts or that they’re too small to be targeted by attackers. The bad news, industry compliance requirements don’t agree and attackers view you as an easy target.
The vCISO was born out of the need to meet regulation and compliance standards mandated by many different industry compliance authorities. For example, the Department of Financial Services for the State of New York mandated certain documentation must submitted by a Chief Information Security Officer or designated authority in their CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES which makes up Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York.
Above the ‘Covered Entity’ is the regulated company, and they are required to provide a CISO that is “employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider”. Hence, the birth of the Virtual Chief Information Security Officer.
In case you’re wondering, “a vCISO is no different than a full-time chief information security officer except a vCISO is an outsourced security advisor and not onsite full time. A CISO is generally a senior-level executive who is responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.”
The CISO is typically responsible for:
- Providing the vision, strategy, direction, and implementation of the information security and compliance governance program
- Convey security goals to the organization’s Board of Directors
- Determining the proper security framework(s) with which the company must comply
- Understanding industry trends and leading the team in architecting security solutions
- Defining security budgets and most appropriate and cost effective security solutions
- Providing guidance and support in achieving compliance requirements the company may have
- Managing the Information Security team
- Defining, planning, writing, reviewing, and approving policies, procedures, standards, and processes
- Supporting or leading the Incident Response team
- Defining the acceptable level of risk and managing the organization’s risk
- Reviewing current internal security controls
- Guiding the annual security planning and training
The above list was harvested from here
When combining all of the expectations, roles, responsibilities, and expertise required of a CISO, it becomes clear that the need for a third party Virtual CISO is often an ideal solution. Smaller organizations often don’t have a need for a full time CISO, and the cost of a full time headcount can put this out of reach. However, this does not eliminate the need for developing solutions for remote teams, implementing managed services that can provide policy & compliance overview, close visibility gaps, identify & mitigate security vulnerabilities, and investigate breaches which are the roles that make up the building blocks of what we call the AvCISO or ‘Advanced Virtual Chief Information Security Officer’.
Wait…what’s an AvCISO again?
Let’s set some environmental expectations before we continue. Let’s assume an organization already has an internal information technology team or has hired an MSP (Managed Service Provider) to support the initial build out of their network infrastructure; computers, servers, routers, switches, phones, etc. However, security might just be an afterthought. Maybe assume a firewall, and email security filtering has been previously introduced into the environment as well.
Establishing security as a primary goal rather than an afterthought begins with the understanding of certain critical objectives. For instance establishing a resource baseline, understanding technical debt, developing proper asset management methodologies, and making a risk determination are all key steps in the process.
One of the best ways an organization can determine risk is to understand the Exploitation Lifecycle (shown below as Pentesting Methodologies) and then dividing that by the Asset Management List multiplied by identified Visibility Gaps.
The following items that make up the elements of an AvCISO are:
- An Installed Agent with full localized AV/DLP/and BDR capabilities
- Sector based Compliance & Policy Review
- Monthly Vulnerabilities Scans
- Quarterly Vulnerability Assessments
- Annual Penetration Test
- Monthly Security Roundups
Local AV (AntiVirus) installations are nothing new, but silently installing an AV and DLP (Data Loss Prevention), BDR (Backup Disaster Recovery), and anti-keylogging encryption methodologies under a remotely managed skin introduces a suite of solutions that increase security, close visibility gaps, and meet regulatory and compliance standards.
Remember, when selecting an integrated AV it is important to ensure it is shipped with many of the following capabilities:
- Baseline OS Configuration
- White list services, processes, registry keys, auto-run locations, executables (hash, size, & execution path)
- On-demand and scheduled threat scans
- Hunts for known threats using indicators of compromise (signatures)
- Real time malware protection
- Anti-Process Hallowing & Orphaned Processes Capabilities
- Real-time exploit and file-less attack protection
- Real-time ransomware protection
- Web Browsing Protection
- Application Hardening
- Exploit Mitigation
- Update/Patch Discovery & Management
- Anomaly Detection
- Payload Analysis
- Ransomware Mitigation
- Suspicious activity monitoring
- Cloud Sandbox Technologies
- Endpoint Isolation Capabilities
- Centralized Management Console w/ Threat Visibility Dashboard
- API & Syslog Integration
- Endpoint Log Management
- On Demand Reporting
- Asset Management Integration
- Ease of Access Deployment Capabilities
Sector Based Compliance & Policy Reviews
It is important to remember that different industries are regulated while others are not. There are different contractual obligations that carry with them certain compliance standards and regulations that must be maintained in order to be on an active contract.
Critical Infrastructure Sectors
Before we move into different regulatory standards & compliance authorities for different sectors, I’d like to spend a minute discussing the different sectors DHS (US Department of Homeland Security) identifies as critical, and share the various case studies associated with each. These are identified as critical, and the links attached to each sector below will take you to their respective case study. The following list is NOT presented in a categorical hierarchy of importance or criticality.
- Chemical Sector
- Communications Sector
- Dams Sector
- Emergency Services Sector
- Financial Services Sector
- Government Facilities Sector
- Information Technology Sector
- Transportation Systems Sector
- Commercial Facilities Sector
- Critical Manufacturing Sector
- Defense Industrial Base Sector
- Energy Sector
- Food and Agriculture Sector
- Healthcare and Public Health Sector
- Nuclear Reactors, Materials, and Waste Sector
- Water and Wastewater Systems Sector
Compliant Heavy Sectors
The following four sectors are known to be highly regulated.
The Government Services Administration (GSA) approves, governs, and provides policies and regulation standards for organizations that have or are pursuing active contracts with the Federal Government.
Some of the governing documentation or best practices for GSA compliant companies are:
FINRA & SEC
The Financial Sector is regulated with compliance, policy, implementation, audits, and processing standards & requirements. Some of these strict standards are listed below. It is important to note, while the regulatory compliance is often documented in the form of written policies, the financial sector undergoes regular audits to ensure the compliances standards are implemented properly in practice and production.
The Energy Sector is another highly regulated industry that encompasses many sub-sectors like oil and gas. The DOE (Department of Energy) maintains many high level strict compliance standards that must be met in order to operate in the United States. Below are a few examples of compliance databases, login portals, and energy best practices alignment processes.
Monthly Vulnerability Scans
These following three sections have caused quite a bit of disturbance in the force amongst information security professionals. These three are NOT the same, even though cybersecurity firms quite often produce one, while charging for and calling it by the other’s name.
Since there are all variations of definitions, we’ll use the standard definitions provided by NIST in the Security and Privacy Controls for Federal Information Systems and Organizations Publication.
A Vulnerability assessment is roughly defined as performing the following tasks and reporting the results:
(i) scanning for patch levels
(ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices
(iii) scanning for improperly configured or incorrectly operating information flow control mechanisms
Quarterly Vulnerability Assessments
The purpose of quarterly Vulnerability Assessments is to identify & close visibility gaps, and develop a solid baseline that provides a reasonable expectation of what is to come as a result of an annual Penetration Test.
NIST defines a Vulnerability Assessment as:
“Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.”
Annual Penetration Tests
NIST goes into some extensive detail defining a Penetration Test.
“Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls.”
It goes on to say:
“A standard method for penetration testing includes, for example:
(i) pretest analysis based on full knowledge of the target system
(ii) pretest identification of potential vulnerabilities based on pretest analysis
(iii) testing designed to determine exploitability of identified vulnerabilities.”
“All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.”
The art of Penetration Testing is regularly performed in a 6 step process as demonstrated in the following graphic.
Monthly Security Roundups
The ultimate goal of monthly security roundups is establishing your organization’s threshold for risk, and determining & updating your overall position in the Cybersecurity Maturity Model.
Determining risk and establishing a threshold for risk is important, and should be regularly approached as [(Impact * Probability) / Acceptable Loss = Risk Threshold].
Once your organization has determined organizational risk, and made a decision on the threshold of acceptable risk it can then move on to identify where it sits in the overall Cybersecurity Maturity Model.
This can be accomplished by using all of the above information including asset management , incident response & mitigation, visibility, vulnerability discovery, & determining an acceptable risk threshold.
The AvCISO provides companies of all sizes and within all industries the ability to mitigate risk, improve their security posture, and meet the regulatory and compliance standards they are faced with.
FIN for now.