DXC Technology : NIST releases guidance for risk assessment automation

Security professionals are stretched as thin as you can imagine.

Their environments are fragmenting from just their data centers to a multitude of cloud services. Meanwhile, they're having difficulty finding skilled staff, and their development teams have been busily dismantling traditional waterfall development lifecycles for continuously delivered pipelines. While cloud, mobile, containers, microservices, and serverless technologies are changing how applications and data are managed and consumed. And, of course, regulatory mandates aren't going to grow less demanding any time soon.

What can security pros do? They can't hire enough people, cost-effectively, to meet these challenges and their IT environments continue to grow more complex as their organizations digitize more business processes. That leaves only one viable option - to automate as many of their security controls as they can. That's where National Institute of Standards and Technology's (NIST's) recently published NISTIR 8011 Vol. 3 Automation Support for Security Control Assessments: Software Asset Management publication comes in.

To help security professionals more effectively manage risks and threats in their environments, NIST published guidance on how to operationalize and automate the security and privacy controls assessment framework detailed in Special Publication 800-53.

NIST Special Publication 800-53 (Currently, Revision 4), according to NIST, is written to facilitate security control assessments and privacy control assessments conducted within an effective risk management framework. The control assessment results provide organizational officials with:

• Evidence about the effectiveness of implemented controls
• An indication of the quality of the risk management processes employed within the organization
• Information about the strengths and weaknesses of information systems which are supporting organizational missions and business functions in a global environment of sophisticated and changing threats.

The new publication provides insights into the Software Asset Management (SWAM) information security capability. According to NIST, SWAM helps organizations to better manage risk created by unmanaged or unauthorized software. 'Such software is a target that may be used by attackers as a platform from which to attack components on the network. A well-designed SWAM program helps to: prevent compromised software from being installed or staying deployed on the network; prevent attackers from gaining a foothold; prevent attacks from becoming persistent; and restore required and authorized software as needed,' the publication states.

By utilizing SWAM, and automating the processes, security teams can more readily identify rogue software on its network. This includes traditional productivity software, stored applications not yet installed, firmware and more. To help teams quickly get SWAM to work, the publication authors created templates that can be customized to specific networks.

From my perspective, unless enterprise IT environments simplify themselves, global security and privacy regulations do the same, and criminal adversaries stop evolving their tactics - automating security controls will be the best course of action security teams have in front of them.