Continuous Compliance via Data and Code
ERKANG ZHENG
Founder, JupiterOne | CISO, LifeOmic
November 2019
© 2019 JupiterOne
The compliance cycle (diagram): START → Pick assessor → Perform gap assessment → Implement remediation → Collect evidence → Assess and certify → Monitor, Manage, Optimize → REPEAT
Our Security Program, built along the way: documented data flows; conducted risk analysis; wrote policies and procedures; created infrastructure and security architecture diagrams; implemented 100+ controls, including endpoint malware protection, server vulnerability scanning, production change management, SSO + MFA, application code scanning + pen testing, user training, configuration audit, endpoint compliance agents, vendor risk management, firewalls and security groups, data encryption, WAF + DDoS protection, asset inventory and tagging, and activity and log monitoring
Stakeholders: SEC, COMP, AUDITOR
COMPLIANCE: HIPAA, SOC 2, FDA, FedRAMP ...
Now what?
How? Is 100% visibility possible?
“I don’t need more controls. I need to be able to effectively
and efficiently manage and prove what I have.”
“I need full visibility so that I can make decisions
faster, with confidence.”
Steps to continuous compliance via code
1. Define compliance framework in JSON
2. Write policies and procedures in Markdown
3. Aggregate data from everywhere (infrastructure, controls,
endpoints, users, training, code, etc.) to a single source of truth
4. Write queries to generate evidence from data
5. Map policies and evidence to compliance requirements
Define Compliance Framework in JSON
Step 1
{
"standard": "HIPAA",
"version": "2013",
"webLink": "https://www.hhs.gov/hipaa/for-professionals/index.html",
"sections": [
{
"title": "Administrative Safeguards",
"requirements": [
{
"ref": "164.308(a)(1)(i)",
"title": "Security management process",
"summary": "Implement policies and procedures to prevent, detect, contain and correct security violations."
},
{
"ref": "164.308(a)(1)(ii)(A)",
"title": "Risk analysis",
"summary": "Conduct an accurate and thorough assessment of the potential ......"
},
...
]
},
{ ... }
]
}
HIPAA example with sections and requirements
Define Compliance Framework in JSON
Step 1
{
"standard": "SOC 2 Security",
"version": "AICPA 2017",
"webLink": "https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf",
"domains": [
{
"title": "Control Environment",
"controls": [
{
"ref": "CC1.1",
"title": "COSO Principle 1",
"summary": "The entity demonstrates a commitment to integrity and ethical values."
},
{
"ref": "CC1.1 (a)",
"summary": "A code of conduct/employee manual are in place and approved by top management"
},
...
]
},
{ ... }
]
}
SOC 2 example with domains and controls
Write Security Policy and Procedure Docs in Markdown
• Written in Markdown
• Small, individual files – “micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML
Step 2 Policies Markdown
{
"id": "rar",
"file": "policies/rar.md",
"name": "Roles, Responsibilities and Training",
"adopted": true,
"procedures": [
"cp-role-assignment",
"cp-training-policy",
"cp-training-awareness",
"cp-training-hipaa",
"cp-internal-comms"
]
},
config.json
Publish to HTML
Step 2 Policies HTML Site
Build a single source of truth
Aggregate data from
• Cloud Service Providers (AWS, Azure, GCP)
• Identity Providers (Okta, Azure AD / O365, G Suite)
• Code Repos (Github, Bitbucket)
• Issues and Ticketing (Jira)
• User Awareness Training (KnowBe4)
• Endpoint Agents (Carbon Black, Stethoscope)
• Vulnerability Scanners (Inspector, Nessus)
• Code Scanners (Snyk, Veracode)
• Network Alert Findings (GuardDuty)
• Pen Tests, Bug Bounty (HackerOne)
• Risk Assessments (Manual)
• Vendors (SAML SSO Apps, Manual)
Step 3
Step 3 Data Model
Ask questions and get answers by data queries
Step 4
- query: |
Find DataStore with
classification=('sensitive' or 'confidential' or 'critical')
What is the inventory of my sensitive data stores?
Query Data
- query: |
Find HostAgent with
firewall='ON' as agent
that (PROTECTS|MONITORS|MANAGES)
(user_endpoint|workstation|laptop|desktop|computer) as device
return
device.displayName, device.owner,
agent.firewall
Are my end-user workstations protected by a host-based firewall?
- query: |
Find (Person | Organization | Vendor) as assessor
that performed Assessment with createdOn > date.now-1yr or updatedOn > date.now-1yr as assessment
return
assessor.name, assessment._type, assessment.name, assessment.summary, assessment.reportURL
What security assessments have been done in the past year and who performed them?
Use queries to perform gap analysis
Step 4
- name: good
query: |
Find DataStore with
classification=('sensitive' or 'confidential' or 'critical')
- name: bad
query: |
Find DataStore with
(classification='' or classification=undefined) and (production=true or tag.Production=true)
- name: unknown
query: |
Find DataStore with (classification='' or classification=undefined)
What is the inventory of my sensitive data stores?
Query Gaps
- name: good
query: |
Find DataStore with
classification=('sensitive' or 'confidential' or 'critical') and encrypted = true
- name: bad
query: |
Find DataStore with
classification=('sensitive' or 'confidential' or 'critical') and encrypted != true
Is my sensitive data encrypted?
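As an added example (not from the deck or JupiterOne), the same good / bad / unknown triage written in plain Python over a constructed DataStore inventory, so the edge cases the queries hinge on (empty versus missing classification, tag values stored as strings, `encrypted` absent rather than false) can be checked offline. The record names and values are made up.

```python
"""Gap triage that mirrors the 'good / bad / unknown' queries on the slide.

Constructed sample inventory: each dict carries only the DataStore
properties those queries touch (classification, encrypted, production, tag.*).
"""
from __future__ import annotations

SENSITIVE = {"sensitive", "confidential", "critical"}

DATASTORES = [
    {"name": "phi-records", "classification": "critical", "encrypted": True,
     "production": True, "tag": {"Production": "true"}},
    {"name": "analytics-lake", "classification": "confidential",
     "encrypted": False, "production": True, "tag": {}},
    {"name": "marketing-site", "classification": "public", "encrypted": False,
     "production": True, "tag": {}},
    {"name": "legacy-backups", "classification": "", "encrypted": True,
     "production": True, "tag": {}},
    # no classification key at all, and the production tag is a bare bool
    {"name": "scratch-db", "encrypted": False, "production": False,
     "tag": {"Production": True}},
    {"name": "dev-fixtures", "encrypted": False, "production": False,
     "tag": {}},
]


def is_unclassified(ds: dict) -> bool:
    """classification='' or classification=undefined (key absent / None)."""
    return not ds.get("classification")


def is_production(ds: dict) -> bool:
    """production=true or tag.Production=true; tags often arrive as strings."""
    tag = str(ds.get("tag", {}).get("Production", "")).lower()
    return ds.get("production") is True or tag == "true"


def classification_gaps(stores: list[dict]) -> dict[str, list[str]]:
    """'What is the inventory of my sensitive data stores?' as three buckets.
    'unknown' is every unclassified store; 'bad' is the subset in production."""
    good = [d["name"] for d in stores if d.get("classification") in SENSITIVE]
    unknown = [d["name"] for d in stores if is_unclassified(d)]
    bad = [d["name"] for d in stores if is_unclassified(d) and is_production(d)]
    return {"good": good, "bad": bad, "unknown": unknown}


def encryption_gaps(stores: list[dict]) -> dict[str, list[str]]:
    """'Is my sensitive data encrypted?': only sensitive stores are in scope,
    and anything not explicitly encrypted=true is a gap (encrypted != true)."""
    sensitive = [d for d in stores if d.get("classification") in SENSITIVE]
    good = [d["name"] for d in sensitive if d.get("encrypted") is True]
    bad = [d["name"] for d in sensitive if d.get("encrypted") is not True]
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for title, result in (("classification", classification_gaps(DATASTORES)),
                          ("encryption", encryption_gaps(DATASTORES))):
        print(title)
        for bucket, names in result.items():
            print(f"  {bucket:8s} {', '.join(names) or '-'}")
```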
Map control procedures and evidence to compliance
Step 5 Create Mappings
[
{
"id": "cp-role-assignment",
"implements": [
{
"standard": "HIPAA",
"requirements": [
"164.308(a)(2)"
]
},
{
"standard": "PCI DSS",
"requirements": [
"12.1",
"12.3",
"12.4",
"12.5"
]
},
{
"standard": "SOC 2 Security",
"controls": [ ... ]
}
]
},
...
Controls Mapping (policies/procedures)
- id: managed-question-data-direct-access-to-phi
title:
Which user or group or network or host has
access to data stores containing PHI/ePHI?
description: ...
queries:
- query: |
Find (User | UserGroup | Network | Host) as entity
that allows DataStore with
tag.PHI=true or tag.ePHI=true as ds
return
entity._type, entity.displayName, entity.email,
ds._type, ds.displayName, ds.tag.AccountName
tags:
- data
- SecOps
- compliance
- HIPAA
compliance:
- standard: default
controls:
- cp-access-phi
- standard: HIPAA
requirements:
- 164.308(a)(3)(ii)(B)
- 164.308(a)(4)(ii)(B)
Evidence Mapping (questions/queries)
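An added example, not JupiterOne's code: a Python coverage check that joins a Step 1 framework definition with the controls mapping and the evidence mapping above and reports, per requirement, which procedures and which questions cover it. It goes a little beyond the slides in that it accepts both framework shapes shown (sections/requirements and domains/controls) and flags mappings that point at a standard or ref that was never loaded. The data is assembled from the slide fragments; the cp-access-phi entry, the SOC 2 control list, and the rule that evidence for a 'default' control counts for everything that control implements are assumptions of this example.

```python
"""Coverage check over the deck's three artifacts: Step 1 framework, Step 5
controls mapping, Step 5 evidence mapping.  Sample data built from slide refs."""
from __future__ import annotations
from collections import defaultdict

# Step 1 frameworks: HIPAA uses sections/requirements, SOC 2 domains/controls.
FRAMEWORKS = [
    {"standard": "HIPAA", "version": "2013", "sections": [
        {"title": "Administrative Safeguards", "requirements": [
            {"ref": "164.308(a)(1)(i)", "title": "Security management process"},
            {"ref": "164.308(a)(1)(ii)(A)", "title": "Risk analysis"},
            {"ref": "164.308(a)(2)"}, {"ref": "164.308(a)(3)(ii)(B)"},
            {"ref": "164.308(a)(4)(ii)(B)"}]}]},
    {"standard": "SOC 2 Security", "version": "AICPA 2017", "domains": [
        {"title": "Control Environment", "controls": [
            {"ref": "CC1.1", "title": "COSO Principle 1"}, {"ref": "CC1.1 (a)"}]}]},
]
# Step 5 controls mapping.  cp-access-phi's entry and the SOC 2 control list
# are assumptions made for this demo (the slide elides them).
CONTROLS = [
    {"id": "cp-role-assignment", "implements": [
        {"standard": "HIPAA", "requirements": ["164.308(a)(2)"]},
        {"standard": "PCI DSS", "requirements": ["12.1", "12.3", "12.4", "12.5"]},
        {"standard": "SOC 2 Security", "controls": ["CC1.1"]}]},
    {"id": "cp-access-phi", "implements": [
        {"standard": "HIPAA", "requirements": ["164.308(a)(4)(ii)(B)"]}]},
]
# Step 5 evidence mapping (the managed question from the slide).
QUESTIONS = [
    {"id": "managed-question-data-direct-access-to-phi", "compliance": [
        {"standard": "default", "controls": ["cp-access-phi"]},
        {"standard": "HIPAA", "requirements": ["164.308(a)(3)(ii)(B)",
                                                "164.308(a)(4)(ii)(B)"]}]},
]

def framework_refs(fw: dict) -> dict[str, str]:
    """Flatten either framework shape into {ref: title}."""
    refs = {}
    for group in fw.get("sections", []) + fw.get("domains", []):
        for item in group.get("requirements", []) + group.get("controls", []):
            refs[item["ref"]] = item.get("title", "")
    return refs

def coverage(frameworks, controls, questions):
    """Return ({standard: {ref: {policies, evidence, status}}}, warnings).
    Evidence tied to an internal control ('default') is credited to every
    requirement that control implements: this example's assumption."""
    refs = {fw["standard"]: framework_refs(fw) for fw in frameworks}
    by_control = {c["id"]: c for c in controls}
    policies, evidence, warnings = defaultdict(set), defaultdict(set), set()
    def targets(block):  # yield only (standard, ref) pairs that really exist
        std = block["standard"]
        for ref in block.get("requirements", []) + block.get("controls", []):
            if std not in refs:
                warnings.add(f"{std} {ref}: standard not loaded")
            elif ref not in refs[std]:
                warnings.add(f"{std} {ref}: ref not in framework")
            else:
                yield std, ref
    for c in controls:
        for block in c["implements"]:
            for key in targets(block):
                policies[key].add(c["id"])
    for q in questions:
        for block in q["compliance"]:
            blocks = [block]
            if block["standard"] == "default":  # resolve via the control mapping
                missing = [c for c in block["controls"] if c not in by_control]
                warnings.update(f"{q['id']}: unknown control {c}" for c in missing)
                blocks = [b for c in block["controls"] if c in by_control
                          for b in by_control[c]["implements"]]
            for b in blocks:
                for key in targets(b):
                    evidence[key].add(q["id"])
    report = {}
    for std, items in refs.items():
        report[std] = {}
        for ref in items:
            p, e = sorted(policies[std, ref]), sorted(evidence[std, ref])
            report[std][ref] = {"policies": p, "evidence": e, "status": (
                "covered" if p and e else "no-evidence" if p
                else "no-policy" if e else "gap")}
    return report, sorted(warnings)
```

Run `coverage(FRAMEWORKS, CONTROLS, QUESTIONS)` to get the per-requirement report plus a warning for each PCI DSS ref, since that framework was mapped but never defined.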
Result: Continuous Compliance Dashboard
DATA + GRAPH + QUERY (diagram): the same compliance cycle as before (START → Pick assessor → Perform gap assessment → Implement remediation → Monitor, Manage, Optimize → Collect evidence → Assess and certify → REPEAT) and the same security program with its 100+ controls, now backed by one data set and giving VISIBILITY, GOVERNANCE and ASSURANCE to CSEC, CA / CC and the AUDITOR for HIPAA, SOC 2, FDA, FedRAMP ... compliance.
Data + Graph + Query (diagram): one graph serving asset inventory and CMDB, cloud configuration visibility, access analysis, network and application architecture diagrams, vulnerability management, alerts / monitoring, metrics reporting, user training status, incident correlation, policy and procedure docs, vendor management, and compliance evidence collection.
What else can you do?
It’s not only about compliance. Additional use cases:
• Asset inventory and CMDB
• Cloud configuration visibility
• Access analysis
• Network and application
architecture diagrams
• Vulnerability management
• Alerts / monitoring
• Metrics reporting
• User training status
• Policies and procedures documentation
• Vendor management
• Compliance evidence collection
S3 Bucket Access
Is any non-public S3 bucket access granted to anybody outside of its account?
Find aws_s3_bucket with
classification!='public' as bucket
that ALLOWS * as grantee
where
bucket.tag.AccountName !=
grantee.tag.AccountName
return tree
SSO Access
Which Okta user is assigned what AWS IAM role?
find okta_user
that ASSIGNED aws_iam_role
return tree
Vulnerability in Code
Which PRs / developers introduced new vulnerability findings this past week?
Find User that OPENED PR
with createdOn > date.now-7days
that RELATES TO CodeRepo
that HAS (Vulnerability|Finding)
with _createdOn > date.now-7days
return tree
Use query to create alerts and trigger remediation
Alert rules from query with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.
Metrics and charts built with queries (example chart: Users and Access)
Knowledge is Power
Knowledge =
Information (data) +
Insights (understanding of that data)
The graph is now the core of our
entire security program.
A knowledgebase, a foundation that
allows me to take actions with
confidence, faster.
GRAPH (diagram): asset inventory and CMDB, cloud configuration visibility, access analysis, network and application architecture diagrams, vulnerability management
Questions? Demo?
jupiterone.com