In May 2021, the largest cyber-attack on U.S. infrastructure was orchestrated by a criminal extortion ring known as Dark Side. This resulted in patrons across southeastern United States flocking to gas stations to panic buy gas.
According to the New York Times , “for years, government officials and industry executives have run elaborate simulations of a targeted cyberattack on the power grid or gas pipelines in the United States, imagining how the country would respond”1. Despite spending years in preparation to prevent cyber-attacks and implementing processes to mitigate any potential fallout in case of an attack, the company operating the largest oil pipeline in the U.S. could not have predicted that its attackers would not have a political agenda or aim to disrupt the economy. In fact, their attackers turned out to be a criminal extortion ring holding corporate data for a ransom of $5 million1.
In the aftermath of the attack, the root of the breach turned out to be a compromised password which wasn’t protected by multi-factor authentication (MFA).
Similarly, in April 2020 news broke that a well-known teleconferencing platform experienced a data breach that exposed more than 500,000 login credentials. This breach occurred during a global pandemic when businesses were forced to shift to work-from-home policies and the company experienced exponential growth. This breach was characterized as a credential stuffing attack wherein attackers used previously leaked credentials to systematically attack the teleconferencing platform’s login and storing all successful login attempts before releasing them on the dark web2.
The aforementioned cyber-attacks could have been prevented if multi-factor authentication were implemented. MFA is a common control that organizations should implement according to industry leading cyber security frameworks. Yet it can easily be overlooked because organizations don’t have accurate, real-time insight into what controls they have implemented and whether implemented controls are functioning optimally. Monitoring the performance of existing controls, discovering control gaps, and identifying existing vulnerabilities are important pillars of continuous controls monitoring, which is necessary to take a proactive approach to cyber risk.
Continuous Controls Monitoring (CCM)
CCM is an automated mechanism used by management to monitor IT systems, transactions, and controls on a frequent or continuous basis, throughout a defined period. It provides management with relevant information on key performance metrics in close to real time, allowing them to have better insight into issues as they arise, thereby improving their ability to manage risks and opportunities.
For large organizations, one of the leading challenges in implementing CCM effectively is the inability to isolate risks and identify vulnerabilities due to security data being distributed across various tools. Over time, organizations have implemented a variety of security tools like authentication systems, end-point protection systems, and vulnerability scanners to mitigate cyber risk. As a result, security teams must sift through overlapping and conflicting data to identify vulnerabilities and control gaps. However, the risks identified through this process only provide a snapshot of an organization’s risk posture and high-risk vulnerabilities may go undetected for a while, thereby increasing organization’s vulnerability to a cyber-attack.
Ideally, a CCM solution would have the following capabilities:
Metrics to measure compliance by creating timestamped logs to verify regulatory compliance
Collect and clean data from all security tools implemented by an organization to create credible and reliable source of information that provides an organization’s leadership insight into their security risk in real time
Ability to integrate with an organization’s incident management solution to remediate vulnerabilities and compliance violations
Detailed information about existing vulnerabilities on on-prem and cloud based assets, applications, and databases
Customizable dashboards for stakeholders to review relevant information
Detailed information into current controls coverage and gaps, aligned to an organization’s choice of security framework. This allows organizations to place tighter controls if needed
A CCM solution with all or a combination of these capabilities would be a powerful way for an organization to transform their approach to managing cyber risk from reactive to proactive.
Successfully Implementing CCM
Continuous controls monitoring is the next step in enhancing an organization’s insight into their risk posture. However, every organization is unique and will need to evaluate its readiness to implement CCM. Below is a checklist that can be utilized by an organization to determine whether their organization has the maturity required to support the successful implementation of a CCM program.
- Calculate time and cost benefit of implementing CCM
- Develop a unified compliance vision
- Create a well-defined controls taxonomy
- Define control ownership and accountability
- Establish line of sight into integrated risk and issues management
- Create an integrated technical architecture
- Examine the purpose and effectiveness of existing security tools
- Implement CCM
Once readiness is determined, an organization is ready to implement CCM. Below is a suggested approach to CCM implementation:
1. Prioritize Existing Controls
Determine which controls are critical to business and IT processes
2. Define control objectives
Outline assurance assertions for controls identified in Step 1
3. Test Controls
Define automated tests that determine control compliance or violation
4. Test Frequency
Determine how often controls should be tested
5. Report and Remediate
Create a process to manage and remediate control violations
If implemented correctly, a mature CCM program can provide the following benefits:
- Improve reliability and credibility of data by providing all stakeholders access to clean and de-duplicated data
- Identify controls coverage gaps and enhance compliance by comparing existing controls against internal compliance policies and/or existing security frameworks
- Discover vulnerabilities on all assets and controls across databases, devices, and applications
- Improve operational efficiency and reduce the cost of audits
- Generate reports to make informed decisions on how to prioritize and remediate risks
To fully implement CCM, an organization can use this approach in phases by beginning with high priority controls and repeating the process for medium and low priority controls.
As cyber criminals become more sophisticated and organized, attacks become harder to detect. Furthermore, noncompliance with heightened reporting requirements driven by new regulations all over the world can lead to reputational harm and monetary impact. Therefore, organizations must take a proactive approach to cyber risk by exploring their readiness for continuous controls monitoring.
- The New York Times, Pipeline attack Yields urgent lessons About U.S. Cybersecurity, David E. Sanger, and Nicole Perlroth (May 14, 2021)
- Forbes, Zoom Gets Stuffed: Here’s How Hackers Got Hold Of 500,000 Passwords, Davey Winder (April 28, 2020)