What Boards Need to Know About GRC and Atomized Networks

Originally published by Netography.

Written by Martin Roesch, CEO, Netography.

New regulations proposed by the Security Exchange Commission (SEC) around cybersecurity governance, risk management, and compliance (GRC) are forcing CEOs and board members to take a hard look at their governance capabilities. Among the amendments, boards will be required to disclose their cybersecurity governance practices, including their oversight of cyber risk, which raises the question: are their networks being actively managed within their GRC frameworks?

Writing policies is one thing. But on the technology side, today’s Atomized Networks, which are dispersed, ephemeral, encrypted, and diverse, are hindering the ability of most organizations to make sure devices and systems are configured correctly, doing what they are supposed to be doing, and not doing anything they shouldn’t.

Knowing what you’ve got

Infrastructure is dispersed across multi-cloud, hybrid-cloud, on-premises, legacy, and edge environments and its components are ephemeral. Cloud instances can be spun up and down in a matter of minutes, and endpoints are fluid. Many devices connecting to organizations with Atomized Networks can’t be seen or are out of the control of those organizations – personal devices, critical infrastructure assets, and rogue smart devices. And as a chief information security officer (CISO) said to me about his cloud infrastructure concerns during the height of the pandemic, “the only thing that keeps me up at night is that I’ve got a thousand developers working from home, and they all have credit cards.”

We are capable of assessing the configuration of devices and services that we know about by interrogating them with tools such as cloud security posture management (CSPM), attack surface management (ASM), and vulnerability management systems. However, coverage across the Atomized Network is difficult to achieve and organizations are left wondering if they managed to get their hands around everything when they did their last compliance pass so that they can even try to bring it into compliance.

Knowing what it is doing

We’re also capable of assessing the configuration compliance of devices against policies and frameworks. However, since CSPM, ASM, and vulnerability management systems are primarily report-driven, we can only do so at a point in time. These systems cannot monitor the activity of devices in anything close to real-time to see if they are operationally compliant.

Monitoring the network to see abuse and exploitation of systems falls into the realm of traditional network security technologies and is the backstop for GRC efforts. Traditional network security tools – such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), and network detection and response (NDR) systems – that rely on deep packet inspection (DPI) and are primarily delivered on appliance-based architectures have their limitations as well. The pervasive use of encryption makes it difficult and expensive to see into the network traffic to inspect packets. And as a physical device, appliances have limited purview into modern dispersed network environments so there are gaps in coverage.

It’s a massive challenge to see if devices and services that have been brought under management into a GRC framework to minimize risk are continuing to behave the way they are supposed to and are remaining compliant.

Social media bans highlight the challenge

Banning the use of social media platforms is a timely example of the difference between policies and configurations and the operational activities of an environment.

Say you’ve taken the step of banning TikTok in your environment. And you have NGFWs deployed on your edges that you believe are capable of filtering out all TikTok traffic. You also have to consider how often TikTok’s network changes and how often your NGFW feeds are updated. TikTok’s ability to change how they deliver their applications can be pretty fluid – theoretically, IP addresses can change constantly. If you’re banning based on IP addresses, is the speed of change outstripping your ability to see and incorporate change into your firewall infrastructure, for example? Additionally, there are always new ways of gaining access to the platform. Can you see if people are using alternative routes (i.e., hot spots, alternative exits, or VPNs) to get access to things that are banned?

Your ability to see those types of activities and take action quickly may be very limited, which creates an ongoing governance problem. Without the ability to monitor for real-time compliance, your controls might be getting circumvented, and your risk profile elevated until your control configurations are brought up to date.

How to strengthen operational governance

With the SEC’s laser focus on governance, boards need to understand if they have the capabilities to assess and continuously manage cyber risks within their GRC framework so they can standup to the additional scrutiny.

It's important to truly comprehend the risk profile of your Atomized Network and effectively manage it using GRC mechanisms. Continuously monitor the entire composition of your environment and the activities of devices, applications, users, and data with context, so you have comprehensive visibility, can define specific compliance controls and monitor for acceptable behaviors, and can take action immediately when behaviors are not compliant. Organizations gain maximum value out of existing investments with an operational governance capability that can drive smarter, tighter GRC processes.