Security measures are most effective when it is clear how assets are supposed to be used and by whom. When this information is documented in clearly written organizational policies, these policies can then be implemented in the form of enforceable security controls. In this third post in our series of blog posts on cyber situational awareness for the enterprise, I discuss how policies and controls contribute to asset protection and to the know what should be component of situational awareness. I also present three key principles that underscore the importance of effective policies and controls to the overall security posture of organizations.

The importance of policies and controls is evident in a review of the data breach at the Equifax credit-reporting agency in 2017. Aspects of the breach were apparently the result of poor adherence to and management of organizational policies:

...it failed to patch a basic vulnerability, despite having procedures in place to make sure such patches were applied promptly. And huge amounts of data was exfiltrated unnoticed because someone neglected to renew a security certificate. Equifax had spent millions on security gear, but it was poorly implemented and managed.

Equifax's databases could've been stingier in giving up their contents. For instance, users should only be given access to database content on a "need to know basis"; giving general access to any "trusted" users means that an attacker can seize control of those user accounts and run wild. And systems need to keep an eye out for weird behavior; the attackers executed up to 9,000 database queries very rapidly, which should've been a red flag.

An April, 2019 article in Computer Weekly discussed the problem of poor employee awareness of corporate data-sharing policies.

However, almost all (92%) of the employees surveyed as part of the study said they had not accidentally broken their company's data-sharing policy in the past 12 months, yet 55% admitted their employer did not provide them with tools needed to share data securely.

Three Key Principles of Effective Policies and Controls for Situational Awareness for Cybersecurity

In the remainder of this post, I present three key principles that summarize why policies and controls are so important and why they deserve the attention of everyone in organizations--large and small, government and industry--who is concerned about securing their organizations' assets.

Key Principle 1: Well-constructed policies help security analysts detect compromises. Vague, incomplete, or nonexistent policies reduce the likelihood that security analysts will find breaches.

Well-defined, comprehensive policies and governance in the form of controls are what make the protection of assets in organizations possible. The organization's expectations and business needs determine what activities are viewed as security issues within that organization. The tighter the rules, the easier it is to detect a breach of them and the easier it is to prevent a breach in the first place. To effect detection and prevention, however, policies and priorities must be made accessible to security practitioners. Access to&#8212and understanding of&#8212this information is necessary for personnel to determine

• • how to prevent security incidents and breaches
  • when an incident or breach occurs
  • how to respond to them

The better the understanding about how individual assets should be used, by whom, and when, the more likely it is that a breach can be prevented completely and the more quickly security breaches will be caught when they do occur.

Such policies should be documented in a combination of network-usage policies, identity and access-management policies and tools, and work policies. Clear guidance should be given on questions such as

• • When are people allowed to work? For example, are they allowed to work after defined business hours? On weekends? Holidays?
  • Where are people allowed to work? Office only? Home via virtual private network (VPN)? Home without a special connection? On mobile devices?

The usefulness of organizational policies goes beyond letting employees know about expected behavior and providing guidance on enforcement. Organizational policies help to inform the know what should be component of situational awareness. Policies define expected behavior and how that behavior should be controlled, thereby expressing the information that analysts need to know who has permission to do what, what assets are allowed to exist, and what should be considered acceptable use of those assets. These policies must therefore be well defined and easily accessible by all employees for reference.

The remainder of this blog post describes three types of policies and how they can help security practitioners.

Acceptable-Use Policies

Acceptable-use policies are usually fairly generic, stating, in summary, "users agree to use assets only for approved uses and will not engage in behaviors that will impact the confidentiality, integrity, or availability of assets." These policies are often written to cover all organizational assets and consequently do not state who the approved users are for any system. They also seldom explicitly state what are "approved uses," leaving open questions such as

• • Should users be streaming videos?
  • Is it a problem if a user is using cloud storage?
  • Is it reasonable for employees to access personal email from their desktops?

These policies also provide enforcement mechanisms for when major breaches occur. Documentation of a policy provides a basis to take action, such as termination of employees, depending on intent, or legal action against external parties.

Network-Usage Policies

Organizations may not have a dedicated network-usage policy, but may have equivalent firewall and web-proxy configuration policies. When organizations follow best practices in creating these policies, analysts are able to review the documents and change-control tickets to understand which users and assets should be using which protocols and services. These policies not only help analysts triage any network-traffic security alerts, but can also provide a starting point for threat hunting.

Well-documented network-usage policies enable analysts to detect threats with greater assurance and specificity. Threat hunting is typically based on anomaly detection, flagging activity that looks more or less frequent, more or less prevalent, newer, older, etc., and that consequently might indicate a security problem. The problem with simple anomaly detection, however, is that it is prone to flagging legitimate behavior or misconfigurations. On the other hand, with effective policies in place, analysts can begin with, "These things definitely violate a policy and therefore are definitely a security problem or indicate a misconfiguration."

When these policies are inadequate--for example, when they do not have a default deny policy or are not updated as changes are approved, security analysts spend extra time determining if traffic is allowed or not.

Key Principle 2: Detailed policies and documented security controls that security analysts can access mean that analysts rely less on inference and anomalies and consequently spend less time investigating events that are related to legitimate business needs or approved asset usage. Adhering to this principle allows analysts more time to investigate genuine security issues.

Acceptable-Software Policies

Anti-malware products can detect only a small portion of malware, and the question of whether some of the programs that they flag are acceptable may be ambiguous. For example, are cryptominers malware? Does the answer change if they run in the web browser as a method for the website owner to create revenue without using ads? Acceptable-software policies will reduce the number of judgments that analysts must make about such ambiguous cases. If the policy also requires that devices be locked down and can run only whitelisted programs, the organization can limit the types of malware to which they are susceptible. This can reduce the number of false alerts generated for analysts and allow them to focus on genuine security issues.

Unfortunately, in many organizations, policies--especially those directly pertaining to cyberspace--are vague, incomplete, or nonexistent. Both poorly written and missing policies can create problems if they result in analysts exercising too much discretion when developing procedures or implementing controls. An example of this problem is the cryptominer question mentioned above.

In the best case, in the absence of a policy or the failure of a policy to communicate expectations effectively, analysts refer to the organization's business objectives and authoritative standards, such as the National Institute of Standards and Technology (NIST) 800 series or the International Organization for Standardization (ISO) 27000 family. However, analysts may have an incomplete understanding of their organizations' risk-management strategies, and such incomplete understanding can result in analysts under-prioritizing or completely ignoring relevant risks.

Organizations have similar outcomes when people self-define security controls. In these situations, people implement controls based on their own views of what is important or acceptable. In addition to potentially misunderstanding the organization's risks, the implementers may fail to install the most effective or appropriate controls. For example, if an organization's policy states that only authorized applications should be allowed to execute on workstations, the policy could be satisfied with either application whitelisting or blacklisting.

In the absence of standards or clearer organizational direction, however, an implementer may default to their personal preference for blacklisting, even though whitelisting is considered the better practice. In particular, NIST and the European Network and Information Security Agency (ENISA) standards require whitelisting for critical assets, and several Australian government cyber guides specify it as essential.

Key Principle 3: When security controls are not documented or the documentation is not available to security analysts, analysts cannot verify that the controls are working.

Organizations that create, maintain, and document policies that clearly document expected treatment of all organizational assets are much more successful in securing their assets. They implement controls that limit risk to assets and are able to more quickly identify when those controls have failed. Moreover, they are better able to tune detection mechanisms to correspond to events they care about. Organizations that are having trouble addressing cybersecurity should review their policies and spend time making them concrete and comprehensive.

Looking Ahead

After an organization has a clear understanding of the know what should be component of situational awareness, they can be more effective in creating a cybersecurity architecture for tracking what is, which is the topic for the next four posts in this series. First we will discuss endpoint visibility, then network visibility, followed by monitoring and response components, and finally putting it all together.

Additional Resources

Read the first blog post in this series on situational awareness, Situational Awareness for Cybersecurity: An Introduction.

Read the second blog post in this series, Situational Awareness for Cybersecurity: Assets and Risk.

Read about the SEI's work in network situational awareness.

Read other SEI blog posts about network situational awareness.

Read the SEI blog post, Threat Modeling: 12 Available Methods.

Learn more about the CERT Resilience-Management Model (CERT-RMM).

Review the Asset Definition and Management (ADM) CERT-RMM process area.