Coalfire’s Adam Salerno discusses the process, effort and rewards of designing and implementing an automated compliance environment, as well as what organizations can do to automate security controls to meet specific compliance framework requirements.
Enterprises serving multiple highly regulated industries – and those overperformers wishing to demonstrate “above and beyond” security statures – can juggle 15 or more compliance frameworks. Many are dipping their toes in some level of security automation and others are diving right in, but few have taken the step of orchestrating automation throughout a coordinated compliance program. Perhaps this appears to be a complex undertaking — and in fairness, initially, it is. Each framework has a different set of environmental focuses, control parameters and requirements, so finding efficiencies means taking the time up front to fully understand each framework and the enterprise infrastructure and then architecting the optimal set of controls, automation approaches and tools to achieve the most efficient path forward. But is it worth the effort?
In many ways, enterprises must ask themselves, “can we afford not to?” Compliance frameworks are not going away. On the contrary, recent trends show an increase as more global and state-level privacy regulations (a topic that continually heats up and will not go away anytime soon) and IoT, AI and other industries join the regulatory fray. Today, penalties can vary from an inconvenience to a loss of market access, heavy fines and jail time for responsible parties. Generally, the more frameworks one adds, the more dire the consequences of not complying.
With the perennial cyber skills gap, enterprises should look to technology and better process to remove redundancies, manual work and unnecessary costs – all while improving both security and continual compliance – to meet current and future regulatory demands.
So how can technology help us achieve this? There are many powerful software suites that help with scanning environments for “current state” posture, tools that constrain technical configurations (e.g., configuration management and Group Policy Objects) and monitoring solutions that can provide visibility and response (e.g., SIEM and serverless functions). We can do so much when combining these building blocks into a cohesive solution; but the question remains, how do we begin?
When undertaking a build of a multi-regulatory environment, we must first understand the challenges and ultimate target. If the compliance team introduces a new regulation halfway into a build, it has a cascading effect on architectural decisions and individual tool configurations and sometimes calls into question whether a tool is even viable. So, the first step is deciding if the design must meet two, four or 10+ regulations.
Then, we must review the controls of these various regulations to determine which controls are technical and which are best handled by processes and procedures. Set the latter aside for now.
Once we have a better understanding of the controls environment we need to support through our build, we are in a better position to choose the building blocks. Understanding the underlying bare metal, hypervisors and public or private clouds is important to get a feel for the APIs that can be used to automate our system and make our lives easier. It’s beneficial to choose a base that has mature APIs that are actively supported.
Rising up the stack, we then look toward operating systems and software suites. These will eventually work hand in hand with security tools to handle compliance. For example, if I choose an antivirus product that doesn’t support heuristics monitoring on the key operating system I’m running, that negates the aim of my endpoint protection goals.
Layer on Security Tools: They Will Help Hold Everything in Check
Once all the tools are chosen and implemented to meet those compliance targets, we’re left with five or more different security vendor toolsets to manage. Many can be architected in a highly available configuration and are stable on the vendor-recommended operating system; free versions often lack high-availability support. It’s not prudent to try to generate reports from each tool individually, so we should gather them in one place.
Monitoring Tools Will Allow for Quick Notification and Response
We can feed our logging solutions with all the necessary data to start to paint a live picture of our asset health. Syslog data from network devices, multifactor login successes and all other security posture data can be analyzed and displayed.
Automation at Work
Automation gets fun in a couple of ways. First, we can use our aptly chosen toolsets to auto-heal our environment: SIEM tools have tie-ins with orchestration suites that can reconfigure environments on the fly, and serverless functions such as AWS Lambda, which can trigger on many API-driven events to take actions or call custom scripts, are common in public clouds. Second, the actions taken can be displayed on a dashboard for your SOC team to consume in (near) real time.
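The auto-heal pattern above, as an added example that is not part of the original article: a Lambda-style handler that receives an event for a security-group change, decides which newly opened rules expose restricted ports to the whole internet, and returns both a revoke plan and a record for the SOC dashboard. The event shape is modelled on a CloudTrail `AuthorizeSecurityGroupIngress` record but is constructed here, the restricted-port policy is an assumption, and the handler deliberately returns a plan instead of calling any cloud API so it runs offline.

```python
"""Event-driven auto-remediation decision logic (added example, not the article's code).

The event shape is modelled on a CloudTrail AuthorizeSecurityGroupIngress record but is
constructed for this illustration; the restricted-port policy is an assumption.
The handler returns a plan; executing the revokes via the cloud API is left to the caller.
"""

# Assumed policy: these ports must never accept traffic from the entire internet.
RESTRICTED_PORTS = {22, 3389, 1433, 3306, 5432}
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _covers_restricted_port(rule):
    """True if the rule's port range includes any restricted port."""
    proto = rule.get("ipProtocol")
    if proto == "-1":  # "all traffic" rules cover every port
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in RESTRICTED_PORTS)


def _public_cidrs(rule):
    """Return the IPv4/IPv6 ranges in the rule that mean 'anyone on the internet'."""
    found = []
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in rule.get(key, {}).get("items", []):
            cidr = entry.get(field)
            if cidr in PUBLIC_CIDRS:
                found.append(cidr)
    return found


def plan_remediation(event):
    """Decide which ingress rules to revoke; other event types produce an empty plan."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"revoke": [], "record": None}
    params = detail.get("requestParameters", {})
    group_id = params.get("groupId")
    revoke = []
    for rule in params.get("ipPermissions", {}).get("items", []):
        if not _covers_restricted_port(rule):
            continue  # e.g. 443 open to the world is allowed by this policy
        for cidr in _public_cidrs(rule):
            revoke.append({
                "groupId": group_id,
                "ipProtocol": rule.get("ipProtocol"),
                "fromPort": rule.get("fromPort"),
                "toPort": rule.get("toPort"),
                "cidr": cidr,
            })
    record = None
    if revoke:
        # Dashboard record for the SOC: who did it, where, and how much was undone.
        record = {
            "severity": "high",
            "group_id": group_id,
            "actor": detail.get("userIdentity", {}).get("arn", "unknown"),
            "rules_revoked": len(revoke),
            "event_time": detail.get("eventTime"),
        }
    return {"revoke": revoke, "record": record}


# Constructed sample event: SSH and HTTPS opened to the world, RDP opened to a private range.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventTime": "2024-05-01T10:00:00Z",
        "userIdentity": {"arn": "arn:aws:iam::000000000000:user/example-operator"},
        "requestParameters": {
            "groupId": "sg-0example",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            ]},
        },
    }
}

if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_EVENT)
    for r in plan["revoke"]:
        print(f"revoke {r['groupId']} {r['ipProtocol']} {r['fromPort']}-{r['toPort']} from {r['cidr']}")
    print("dashboard record:", plan["record"])
```

Keeping the decision logic separate from the API calls is what makes the rule testable and reviewable: the policy (which ports, which ranges) lives in two constants, and the function that actually revokes rules can be wrapped with whatever approval or rate-limiting the SOC requires.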
Compliance Gets Easier
Now that we have our environment built and many tools in place to keep things running smoothly, we can focus on reducing our audit fatigue. Here are a few examples of how automation helps us:
Auditors will ask how changes to the environment are tracked; we can point to our infrastructure as code (Terraform, CloudFormation, etc.) to show them our source code repository for the running environment.
We can also show how configuration management tools are holding our servers in compliance with benchmarks via SIEM dashboards that are ingesting logs. I’ve seen clever dashboarding that even displays that data by a NIST control family to simplify even further for auditors.
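The control-family roll-up described above, as an added example that is not part of the original article: it parses configuration-management compliance results (a constructed key=value log format), maps each benchmark check to a NIST SP 800-53 control family through an assumed lookup table, and produces the per-family pass/fail summary a dashboard would render for auditors. The check identifiers, hostnames and the check-to-family mapping are all constructed for this illustration.

```python
"""Roll up configuration-management compliance results by NIST SP 800-53 control family.

Added example, not the article's code. The log line format and the benchmark check
identifiers are constructed; the check-to-family mapping is an assumption that a real
program would load from its own control catalogue.
"""
import re
from collections import defaultdict

# Assumed mapping from (constructed) benchmark check IDs to NIST SP 800-53 families.
CHECK_TO_FAMILY = {
    "BM-SSH-ROOT-LOGIN": "AC",   # remote access / least privilege (AC-6, AC-17)
    "BM-AUDITD-ENABLED": "AU",   # audit record generation (AU-12)
    "BM-NTP-SYNC": "AU",         # time stamps for audit records (AU-8)
    "BM-PW-MINLEN": "IA",        # authenticator management (IA-5)
    "BM-FW-DEFAULT-DENY": "SC",  # boundary protection (SC-7)
}

# Constructed line format: "<timestamp> host=<name> check=<id> status=pass|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+check=(?P<check>\S+)\s+status=(?P<status>pass|fail)\b"
)


def parse_line(line):
    """Return the fields of one result line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_by_family(lines):
    """Aggregate pass/fail counts and failing hosts per control family."""
    stats = defaultdict(lambda: {"pass": 0, "fail": 0, "failing_hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than break the dashboard feed
        family = CHECK_TO_FAMILY.get(rec["check"], "UNMAPPED")  # surface gaps in the catalogue
        bucket = stats[family]
        bucket[rec["status"]] += 1
        if rec["status"] == "fail":
            bucket["failing_hosts"].add(rec["host"])
    summary = {}
    for family, b in stats.items():
        total = b["pass"] + b["fail"]
        summary[family] = {
            "pass": b["pass"],
            "fail": b["fail"],
            "compliance_pct": round(100.0 * b["pass"] / total, 1),
            "failing_hosts": sorted(b["failing_hosts"]),
        }
    return dict(sorted(summary.items()))


# Constructed sample output of a benchmark scan across two hosts, plus one garbage line.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=web01 check=BM-SSH-ROOT-LOGIN status=pass
2024-05-01T10:00:00Z host=web01 check=BM-AUDITD-ENABLED status=pass
2024-05-01T10:00:00Z host=web01 check=BM-NTP-SYNC status=fail
2024-05-01T10:00:00Z host=web01 check=BM-PW-MINLEN status=pass
2024-05-01T10:00:00Z host=web01 check=BM-FW-DEFAULT-DENY status=pass
2024-05-01T10:00:01Z host=db01 check=BM-SSH-ROOT-LOGIN status=fail
2024-05-01T10:00:01Z host=db01 check=BM-AUDITD-ENABLED status=pass
2024-05-01T10:00:01Z host=db01 check=BM-NTP-SYNC status=pass
2024-05-01T10:00:01Z host=db01 check=BM-PW-MINLEN status=fail
2024-05-01T10:00:01Z host=db01 check=BM-FW-DEFAULT-DENY status=pass
2024-05-01T10:00:01Z host=db01 check=BM-LEGACY-XYZ status=pass
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for family, row in summarize_by_family(SAMPLE_LOG.splitlines()).items():
        print(f"{family:9s} pass={row['pass']} fail={row['fail']} "
              f"{row['compliance_pct']:5.1f}%  failing={row['failing_hosts']}")
```

The `UNMAPPED` bucket is the useful part for an audit: a check that no control family claims is either evidence nobody can cite or a hole in the catalogue, and either way it should be visible on the dashboard rather than silently dropped.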
As I stated earlier, automation helps us with the technical controls. I haven’t addressed policies and procedures, which still must be written to ensure your staff is following the letter of the regulation. These policies are often custom, based on potential overlap in policy or procedural requirements. We can consider ways technology may still help with the use of an ERP workflow that aligns with those developed procedures.
Overall, building and sustaining an environment that meets several laws, regulations or standards is not a simple task and often requires several staff to complete an audit lifecycle, yet you don’t need to do it all yourself. There are professional service provider firms that can help from the assessment through deployment. The long-term payoff is significant once you consider how much of this work may currently be conducted manually, redundantly and inefficiently. Technology can help us address many of the heavier lifts associated with compliance, and since regulations will only become more burdensome, it may well be time for many organizations to consider removing much of the manual lift.