Compliance Optimization

Align Threat and Risk Management for Validated Compliance and Cybersecurity Readiness

Following an uptick in sophisticated cyberattacks, regulators are increasing their grip on compliance and risk management teams across sectors. Cybersecurity regulations help improve your security posture, but they also bring the burden of reporting. There is a new way to achieve better compliance by uniting threat and risk management through the practice of a threat-informed defense. By using AttackIQ’s Security Optimization Platform to run automated assessments aligned to the MITRE ATT&CK® framework, you are able to focus on the threats that matter most, test your controls continuously, and generate real-time data to validate your compliance to auditors.

Validating NIST 800-53 Compliance Readiness

The National Institute for Standards and Technology (NIST) 800-53 family of security controls is the de facto standard around which all other cybersecurity controls are built. This past year, AttackIQ worked in partnership with researchers at MITRE Engenuity’s Center for Threat-Informed Defense to map the adversary TTPs in the MITRE ATT&CK framework to the security controls in NIST 800-53. Using the AttackIQ Security Optimization Platform, you can now run automated tests and adversary emulations against your NIST controls to validate cybersecurity readiness with real-time performance data.

Validating DoD CMMC Compliance Readiness

On the basis of NIST 800-53, the U.S. Department of Defense recently launched its Cybersecurity Maturity Model Certification (CMMC), requiring that every DoD contractor that handles unclassified DoD-related information achieves security certification. The purpose is to ensure that contractors defend Defense Industrial Base data effectively, and the DoD certification consists largely of NIST 800-53 security controls. Using research from the Center for Threat-Informed Defense, the AttackIQ Security Optimization Platform tests and validates that your security controls are in compliance with the DoD CMMC.

When AttackIQ customer Morgan State University needs to be compliant with DoD’s CMMC, they use the AttackIQ Security Optimization Platform to validate compliance effectiveness.

“Every system affected by CMMC requires specific controls and validations, and a lot of systems could be in scope. If you get contact information through an email, that email system has to be in CMMC. Your contracting system is in scope because it contains contract numbers. We’ve put proper safeguards in place to keep CMMC projects isolated. But we’re very fortunate that our university leadership has the foresight to give us the means to strengthen our security technologies.”

Compliance Optimization Blueprint

For customers interested in learning about how to improve their overall compliance process, our beta Compliance Optimization Blueprint walks customers through the practical steps required to validate your compliance effectiveness through a threat-informed defense.

For more information on other blueprints and the journey towards security optimization, please visit our blueprints page.

Validating Additional Regulatory Frameworks

We have chosen our first two compliance frameworks for our platform — NIST and CMMC— on the basis of MITRE Engenuity’s research and the two frameworks’ global importance. With a threat-informed defense approach, we can help you and your teams achieve other cybersecurity compliance requirements for other compliance frameworks, to include New York City’s Department of Financial Services regulation, SWIFT, or the Payment Card Industry Data Security Standard (PCI DSS). At the root of compliance effectiveness is real performance data, and our team is available to work with you to achieve your compliance objectives through automated testing and security control validation.

Summary Steps for Achieving Compliance Optimization with AttackIQ

When a cybersecurity framework is integrated into AttackIQ’s Security Optimization Platform, security teams can measure and test the effectiveness of their internal controls in detecting and preventing the TTPs presented by ATT&CK against the framework (starting with NIST 800-53 and CMMC). The platform’s compliance functionality also provides evidence of controls’ effectiveness, which auditors can use to confirm the agency’s or company’s NIST and CMMC compliance.

Let’s walk through an example of how you might do this with the Security Optimization Platform. We will use the new Assessment Template to evaluate security technology performance using the tactics and techniques of the MITRE ATT&CK framework in accordance with NIST 800-53

1. Assessment.

Figure 1, below, is an Assessment Template showing MITRE ATT&CK Tactics and associated Scenarios in the Security Optimization Platform that are ready to run on your security technologies. You will note that the AttackIQ Security Optimization Platform offers broad coverage across all the MITRE ATT&CK Tactics that are relevant to the controls specified, with more delivered on a regular basis to our customers as the Security Optimization Platform evolves over time.

2. Prevention and Detection Results.

Figure 2, below, shows the Results Summary view of the AttackIQ Security Optimization Platform, and how your technologies fared against 111 unique techniques aligned with NIST 800-53.

3. MITRE ATT&CK Heatmap.

Figure 3, below, is a MITRE ATT&CK Matrix view showing how well your security technologies performed when evaluated against 111 techniques. In our hypothetical example below, a Carbon Black configuration was assessed using adversary behaviors that directly correspond to the controls specified in 800-53. Once you have had a chance to review the areas in your configuration that you would like to improve, the Security Optimization Platform generates more detail about specific steps you can take to improve your security effectiveness.

4. Remediation Report.

Figure 4.1 and 4.2, below, show a remediation report; it provides data and guidance to help you configure your technologies to produce a more effective result. In this case, you see how the Security Optimization Platform used encoded PowerShell commands to bypass local execution policies, a common technique used by PowerShell Empire (as well as other tools that adversaries use). The detail included here will help you improve how your technologies block adversary behavior, thereby achieving the objective of the 800-53 control and improving your overall security posture. It is also easy to schedule the Assessment to run on a continuous basis to produce visibility into how your security program performs—and your state of compliance—over time.

5. AttackIQ’s Security Optimization Platform validates CMMC compliance in a similar fashion.

Figure 5, below, is an Assessment Template showing MITRE ATT&CK Tactics and associated Scenarios in the Security Optimization Platform that are ready to run on your security technologies, aligned to CMMC capabilities on the left. The Security Optimization Platform produces identical analytic images to the above, showing security effectiveness, a MITRE ATT&CK heatmap, and producing reports for you to make adjustments to your security controls to achieve CMMC compliance.

Testing alone does not enable compliance — it takes continuous effort and expert analysis on the part of experienced professionals to ensure that regulatory requirements are met in full. Effective compliance therefore involves a layered interplay of people, processes, and technologies.

Yet the only way to know if you have adequately implemented a security control is to actively test that it works. Manual testing is a labor-intensive investment that can be difficult to scale across an enterprise. AttackIQ’s Security Optimization Platform tests your security controls continuously, at scale, and in production to generate real insights about your security program effectiveness.