
BSidesAtlanta 2019 - Jason Hill - How to Create a Compliance Baseline

BSides Atlanta | 32:56 | 7 views | Published 2019-06
About this talk
It seems there is a never-ending stream of acronyms that businesses now must learn and understand in order to be “compliant.” In fact, you may feel like a cat herder chasing one audit after another. Each new entrant into the pantheon of compliance complicates and weaves an even more complex web of checklists, procedures, policies, etc. Each time new letters are added to our alphabet soup of regulations, we must scramble to meet those specific lists of requirements. What if there were a better way? In this presentation, we’ll take a step back and consider that all frameworks and requirements are very similar. In fact, about 80% of PCI and HIPAA controls overlap. Let’s look at the different framework audit requirements and see how we can take a common-sense approach to your next audit. At the end of the day, regulations have many of the same themes: check audit logs, protect desktops, train users, etc. The first step is to start with a baseline, a starting point against which all other compliances can be compared. After the baseline has been established, you’ll be able to quiet the noise and provide a clear path towards meeting existing and yet-to-come compliance matrices.
Transcript (en)

This is Jason Hill. We'll be going over how you create a compliance baseline. Before we start today, I'd like to take time to thank our sponsors: these are the State Department information systems, the unity, and poor security of health systems; without this we don't have BSides. Now, I'll go ahead and apologize, because I found out this morning that I have strep, and that's exactly the sickness you want to have when you're doing presentations. Take a break. So, like I said, my name is Jason Hill. As it says up on this screen right here, I'm the director of strategic services for cyber entity; we're an MSSP doing things like managed services. I manage the teams that do the assessments, the audits, the penetration testing, things like that.

So just to give you an idea of why I am talking about this, why we kind of came up with making this a service: yes, we are going to be talking about our secret sauce. It's not really secret sauce; it just seems that way to people that don't really have the capacity or the team to do this. It seems like secret sauce, but really it's stuff that's public. What I've seen when I've gone and done audits (I was a PCI QSA as well), when we go into an audit, I hear pretty much the same thing over and over, which is, "Man, we just got completely ready for you to show up, and we're good to go on PCI, we think, this year, and as soon as you're out of here we're going to switch gears; we're really going to go on [fill in one of the alphabet soups], whatever it happens to be." Right? And so nine times out of ten, whenever I do an assessment, whenever I do an audit, what happens is it's going from one firefighting to another. And so what we discovered over time is that the current process is broken, how most people address their compliance or their regulation, whatever it happens to be. Most of the time it is: let's look at the controls, let's apply the controls before the audit, rush rush rush, get it done. Oh, we're done, okay, we don't do this again, and then next year we'll talk about that.

Something that is coming to a head is that we have more and more and more compliances, right? So we have GLBA that hit a few years ago, GDPR hit a few years ago, and 800-171 is now required for anybody who has any government data. That includes schools, because student loans are technically government data. So all of these compliances are coming down the road; there's more and more that you have to address, so that means more and more rushing from one to the other. I've seen this in large companies and I've seen this in small companies. Not all; some of you in here are going to be sitting through this and going, "Wow, yeah, that's what we do." Great, you are a very small minority, okay, a very small minority. And so for the rest of you, we have to worry about, especially, multiple compliances. This is something that we have successfully deployed at several customers, and it's changed the way they do business. But again, it's not really anything that's secret, and when you see this you'll say, "Wow, that's completely hidden, nobody knew this." Yeah, it's out there; you just have to know the process. So this is all we're going to be talking about here.

Now, let's be honest, compliance is not something that is sexy, right? So when you go to a party, when you go to one of these events like this, and you say "I'm in compliance," you get the glaze; somebody immediately starts thinking, "That's wonderful, how do I get out of this?" When you say "I'm a penetration tester," you either get "That's awesome, I want to talk to you," or "What is that?" "Well, I'm essentially a hacker," and there's people lined up. But let's be honest: you ask any penetration tester worth their salt, "What do you need to do in order to be secure?" and one, they should tell you, "Well, you'll never be truly secure; the only way you can be secure is to destroy the data." So that's the first thing. The second thing is they'll say the boring stuff. All right, so that's the other thing about this talk: they'll say, like one of our top guys that we use, "Look, patch, run vulnerability scans, make sure that you have complex passwords." That's all boring stuff; it's all compliance-related, people. That's really what makes you more secure. So let's talk about what most people do when it comes to their compliance.

Okay, so what most people do, and I've seen it time and time again: completely ignore the problem. "Oh, we've got [blank] compliance." Back a few years ago it was, "Well, we've got to be NIST compliant by December 31st, 2018. Well, that's like 18 months away, okay, so let's ignore it." Then it's a month away, two months away, three months away, and you say, "Oh, this is coming a lot sooner than I thought. All these controls, all this documentation I need to do, all of this stuff that needs to happen in order for us to meet this compliance, in order to meet this checklist." And that's what you do: run around doing whatever you can. Everybody stops everything; projects are halted to get ready for the audit, or at least get ready for that stage. Now let's be honest, a lot of times, if an auditor's not showing up, it's "Well, we should probably do that, it is a law, but we'll get to it." Right? That happens a lot too.

Next you go into the process: you look at what your current state is, look at the requirements, you start to make a list of here's all the things we've got to do. You put in your budget all sorts of things that you want to purchase, and you say it's required for the compliance, because otherwise they wouldn't let you buy it. And so you go down the list: what are we going to do, what have we got to do, and then we apply it, and that is normally a fevered rush, where users are upset because you're making changes so fast, where you've got to make this documentation, maybe you have to bring in a third party to get everything ready. It's a fevered pitch. Then we put in all our security controls, update our policies and procedures to match the security controls, and oftentimes we put in our policies and procedures the ideal world, and then there's actually the real world that's separate from the ideal world. And we run around again, and so we remediate: we put all these changes into place, and we then have the auditor show up. The sacrifices go to the audit gods, because who knows whether or not we're actually going to be compliant, because we've been rushing around like complete idiots these last few months, because we're not ready. Then you undergo the audit, and you sweat and worry, and we hope this is not a résumé-generating event. And then you repeat: "Wow, that's over, phew, okay, I need a vacation, I'm going to go off and drink lots of beverages," and we'll wait until next year again. And that's how most companies deal with compliance, deal with regulations. I've seen it time and time and time again. I've gone into environments where they were being fined fifteen, twenty, thirty thousand dollars a month because they were not PCI compliant, because they did this and thought, "Well, two months is plenty enough time to get PCI compliant."

But wait, there's more problems, and that is the Russian roulette of... the regulation roulette is what I like to call it, of all these different regulations. Just to give you an idea: at the state level, not federal, not local, not international, just the state level, there's currently two hundred and sixty-five bills and resolutions that address compliance. It's really getting to this point where unless you have a plan, unless you have a mechanism for meeting these compliances, you're just not going to be, or you've got to keep hiring more and more people to run around in a panic. That's not really the right way to do anything.

Not only that, but we're having more breaches. I don't know about you all, but in our business we've seen kind of an inflection point that happened about a year to two years ago, kind of a watershed. Before that we'd go talk to a company and they would say, "Well, compliance is just a drain on my income, it just cuts into margin, it doesn't really get me anything, it's kind of like insurance, I'm not really all that interested in it, it's not really something that I want to do, I'm not really forced to do it." And then we've had breach after breach after breach. You all know all the breaches: Target, Equifax, all of that. And most of those, guess what, because they didn't do the basic stuff. Come on, that's not that hard. Yeah, I was a systems guy, so I know that on the other side of the fence I'm going to be telling the compliance people, "I'm not touching my system. It's okay, I'm not touching it, so it won't fall over and everything will be fine." Right? But you've got to. And so because of this, because of these things that are happening, we have more and more situations that lead us to have to be compliant.

Not only that, but I don't know if you've noticed, each regulation, each compliance framework believes that they are the only one that exists in the universe, and who cares if you're compliant with 17 other ones: "We want to know you're watching your logs, we want to know that you have passwords for your users." "We're complying with all the 800-53 controls, every single one of them." "I'm not going to believe that you're watching your logs, okay, so you've got to show it every single time." And so there's this mishmash of all these different compliances that we have to comply with. Now, if you only have one, or if you have none to comply with, good for you; that's not going to last, you're going to have to address this anyway.

So what we did was we basically said there's got to be a better way. Of course there is. I've done nine-figure security implementations for the Air Force, and you learn quick that there are processes for everything. You want to go to the bathroom? That is a process, and there's a regulation, there is a form that you have to fill out. And while a lot of that is quite a bit tedious, what the intent is, is to make sure that you don't miss any of this. That's what we're going to talk about. So we have a framework now. What a framework is, if you're not familiar (you should be, but if you're not): it's basically a way that you can go, step by step, and make sure that you are doing all the things necessary to try to make sure your environment is secure. Now notice what I said: try to make your environment secure, because as we all know, compliance doesn't mean you're secure; being secure doesn't mean you're compliant. They're two different things. Now, being compliant helps you get secure, helps you down the road, it does. And again, if you have a vendor, if you have anybody come in and say "this product, this service makes you secure," back away slowly, get out the bear spray, and run away, because nothing makes you secure. If a state actor wants your data, they're going to get it. This, though, makes you a little higher up on the echelon of things to get into.

So the first thing is set up a framework. Pick one; honestly, it doesn't really matter, they all kind of guide you towards the end result that's the same. We use NIST mostly because, one, again, if you are doing anything with the government, even remotely related to the government, you have to. There is tons and tons and tons of documentation; if you want to go to sleep tonight, try to read through some of the NIST documentation. It is painful, but it's complete, and it gives you a lot of good recommendations, and there's definitely rabbit holes you can go down. It's adaptable. So I mentioned 800-53; if you're not familiar with that, this is kind of like the Grand Poobah of security controls. 800-53 is basically saying all possible ramifications: not only do you monitor your audit logs, but you monitor that your audit logs are still coming in, and so you have watchers that watch the watchers, things like that. However, you can go down to 800-171; this is just if you have government data. And then you can customize 800-53 all the way down to, I think it's something like sixty-something controls. But what that means is, depending on the size of your organization, depending on the needs that you have, you can start this. Now there's the Cybersecurity Framework; that's going to help you in guiding you as to where you are versus where you want to go, your maturity level. And then if you really want to inflict some pain on yourself, you can do the full Risk Management Framework, and this is where you go in and you really define your security controls, you make sure that you have your enclaves set up for particular things. This is really, honestly, for larger organizations, but it's adaptable. And so we work with this because it's a good baseline; it sets your baseline.

Now, if you all know about NIST and have an understanding of that, have an understanding of frameworks, that's great. Where a lot of people fall down is the next few steps we're going to talk about. So when you establish the framework, we'll talk about really getting it up and going: we identify our scope. We identify, here's what we're going to talk about, here's what we're going to try to secure, right? So that doesn't mean it has to be your entire environment; you can start with a remote office and say, "Okay, we've gotten that one compliant, now let's branch off." That's the flexibility of NIST; it lets you do that as well. You identify your risk profiles: how secure do we need to make this, what kind of data do we have, how do we need to secure that data? We create a process; that's of course the framework. Now, this is where most people fall down, because to most people, when you hear the word framework, when you hear the word compliance, what you think is, here's a list of things I need to do in my environment. That's what most people think. It's not what a framework is; it is part of the framework. That's like saying I have a car and I have four wheels. So great, I have a car; I don't have anything else, there's nothing else, just the four wheels. This is obvious, I think, it should be: you're going to get people involved and you select what you do. Like I said, except for a few specifics, you pick what you want and you pick the security that your environment needs to be. Now, a lot of times it's going to be forced upon you. So we use NIST; however, we've had several customers where we start with PCI. Is PCI a great framework? Not really, but if you have to be PCI compliant in six months and you're nowhere near that, well, that's what we start with, and then we kind of meld it into this.

So that's where the magic happens: setting up, for those of you who may not be familiar with frameworks and, really, honestly, how they work: not just "here's all the controls, this is what you've got to do." That's not really the magic. So at first we perform a risk assessment. This again is something that a lot of people don't do, and quite frankly, it is very valuable. Again, most people start with a penetration test; that's going backwards. You set up everything first, you get all your ducks in a row, then you perform a penetration test. Otherwise it's like hiring a thief to break into your house and you leave the front door open. Well, you just paid this person a lot of money to just say, "Oh, okay, well thank you, take everything you have." It's the same thing: if you don't perform a risk assessment, you don't know where you are, you don't know where you're going. So we identify all the missing documentation. This looks familiar; this is all the stuff that we do when we're preparing and we're in a rush, right? This is everything that we do anyway. But again, not really the magic. We establish compensating controls. I always tell clients this is not compensating controls, this is complicating controls, because when we try to implement compensating controls, this makes your life harder. Everybody wants to do compensating controls because they think it makes it easier. No, it actually makes it harder if you're doing things properly. You then assess, and this is where you get the audit, and then you perform a risk assessment again, because quite frankly, after you've performed the first one you need to go through it again, just to make sure you've actually implemented it.

For example, we had a customer that we were doing this for. We performed a risk assessment; they weren't all that bad, they had a lot of next-gen [fill in the blank], it doesn't really matter, they had a lot of next-gen stuff. And so the perimeter was kind of secured, they had some endpoint protection that was pretty good. And so we went through this process, helped them establish the framework, and did things like that, and we were pretty hands-off about it because they wanted to do most of that themselves. So we perform a risk assessment again. Now, this is a large law firm that has clients that you have heard of, and while interviewing people we find out that the database administrator decided that "all these controls really make my job difficult, so I'm going to take a copy of the database on an unencrypted USB and take it home for me to work on the database; that's easy." They were compliant except for that one thing. So you need a risk assessment. I have other stories, a lot of other stories like that. And so you've got to perform a risk assessment in order to understand: where was I, did I do a good job?

Now, this is where really what we do is something that a lot of people haven't seen. They may have seen, "Yes, I know I need to set up a program, I know I need to set up my policies and procedures," and the thing is, when you do that with NIST you have to put that as part of your operating procedures. That is the thing that 95% of all corporations that I've stepped foot into, that is their problem, where they fall down: they have their controls, they put their controls into place, and then they don't monitor it. Then they don't have change control that tracks it, not only tracks that it's happening and that it has approvals, but also that you update your documentation, you update your security plan, you update your framework. That's where a lot of people fall down. And so when they start to get audited, when an audit comes, they're not ready, because, "Wait a minute, the last time we updated our firewall configuration documentation was two years ago, and we actually put in a new firewall and forgot." I've seen that.

So once you do that, great, you've got NIST. What about the others? How many of you in here have more than one compliance you have to meet? Right. So the thing is, you don't have to reinvent the wheel. Now, I just picked PCI and NIST because those are the ones I'm definitely most familiar with, but you can really insert any acronym here that has to do with compliance, and guess what: you have to audit your logs, you have to watch, make sure nobody's doing anything wrong, you've got to plan out your disaster recovery and business continuity, you've got to look at your physical security. Now, there may be nuances between the two, between NIST and PCI, and of course over here on this Venn diagram you're going to have, do you have credit card information? But realistically, the vast majority of PCI and NIST overlap. So what then do you do? Well, you don't go and start down PCI and say, "Okay, are we monitoring our logs? We're NIST compliant, so of course we are. Let's go verify that." No, you already know. And so... that's interesting, okay, so, well, okay, I have a few blank slides. So we perform a gap analysis. This is going to say, what about PCI, what about HIPAA, what about whatever is unique compared to the framework that I have? And then you identify the missing documentation. Now guess what, that takes PCI from this much work to this much work. We have seen, actually, we have seen people who are NIST compliant, that we have helped become NIST compliant, that have properly implemented everything, become PCI compliant. This is a multi-million-dollar company, you're talking probably around 700 seats or so, that became PCI compliant in a month and a half, because they have the matrix set out so that all that's left is those little things: do you have credit card information, where do you have the credit card information, things like that. We then establish the complicating controls if we haven't, we remediate, and then we maintain.

Now, this is again somewhere where people fall down a lot. If you maintain, if you make it a point that all your processes, whenever the IT staff make a decision, ask: is that going to affect our compliance? If so, we need to put that into our framework, we need to make an adjustment. Every decision: "Okay, I'm going to rip out this database server and put in a new one because whatever version is great." You've still got to go in and update it. Now, it's a lot of work, yes, but it means that when an audit comes, you're ready. Maintaining is going to be a huge part of that, and that's constantly staying up to date. This is actually part of a lot of compliances, that you have to maintain your articles, but hopefully you're doing that anyway. And then we test our security controls, because guess what, that's what the auditor is going to do. We train employees on the security plan. This happens two percent of the time, where we have everything in place but the people performing the work, the people making the changes, don't actually know that when they do something they have to update the security plan, whatever it happens to be. And then we make adjustments, like I was talking about. That is what you've got to do.

Now, is any of this secret sauce that you've never heard? No, of course not. But very few people actually do this; they think it's more complicated than rushing around to each compliance and saying, "Well, we've got to meet PCI in three months, let's make that happen." It's not. We've actually had customers that were planning on hiring compliance managers and two or three people to make sure that they have everything, and we've implemented this program for them using the standard stuff; it's freely available, just not many people dig into it. We implemented this program for them and they don't have to hire, because it's just part of the way they do business, it's just the way that things happen, and that takes out a lot of the stress. You're able to complete more projects, you're able to address a lot of the other needs in your environment, if you just simply make sure that this is part of it, and then you marry the outside of the Venn diagram together with that. That gives me two minutes. Any questions?

"So there's a problem that I've seen companies face: compliance is actually doing it. So that's not compliance, what is generating revenue. I guess, how do you keep the moneymaker, that they need to do this all the time, like for PCI, the next patch for these, they expose your entire network's vulnerability, so to do this..."

So that's a great question, and that's something that we struggled with for a long time. We have seen a dramatic dip in customers, when they go out to win new business, they immediately get a vendor questionnaire back, and they say, "Oh great, we love your product, we want to purchase it, make sure you fill this out." And then if they've done this, they say, "Okay, great, here you go, here's our security plan, here's all our controls." If they're not, then they either lose the contract or they're going to have to run around and do all these things. We've actually seen a large uptick; we're not the only ones. It's probably in the last year or so that it has been huge, where you have, "Great, we want to do business with you, here's your vendor questionnaire." And so if you are doing this on a daily basis, you're good to go. If you're not, then you run around and say, "Well, we'll get that to you in a week," and then everybody works 25-hour days. So we've actually seen it, and if they haven't seen it, that will happen to them when they try to win business. In fact, I was talking to somebody who runs the vendor compliance at one of the group classes, and he said, "We give them two days. If they don't respond in two days, we know they're not ready." And so he said, "We've had," and he named names, "but we've had vendors you've heard of, and they say, well, we'll take about a week to get that to you." You're not doing this as part of your process.

"Not a question, more of a comment, that especially that piece. I've heard people calling these things unified controls matrix, common controls matrix. I was working at Adobe, so they made their common controls matrix, so that all of these overlap: how do I do one assessment but get them all? They made it open source, so just Google 'Adobe comp'. You don't even have to; you can Google 'crosswalk', so look at, you know, NIST or whatever it happens to be, crosswalk. In fact, NIST, for example, there's actually a specification, 800-66, but you don't even have to look it up; they basically say here's all that extra you've got to do."

Yeah, you're exactly right, people are providing that as a service, and there's a lot of them out there who are. But again, and I'm sure you will agree with me on this, that's only part of it. Just knowing what you have to do, security-controls-wise, is only part; the other part is actually implementing it and putting it into daily practice, and having someone important... I'm just saying, "Do I have that? Yes or no, okay, we're good." Now, I'm not going to get the point across; I'm way over, but if there's any other questions, feel free to come down. Otherwise, enjoy. [Applause]
