Compliance is like an annual checkup at the dentist: Nothing good is likely to come of it and we want it to be as fast and painless as possible.

In the first of two blogs on compliance, we’ll consider how best to think about compliance intent, and how deception can play a valuable role. In a subsequent blog we’ll look at how to avoid pitfalls related to compliance.

If you are unlucky enough to be subject to multiple compliance regimens (PCI DSS, NIST 800-171, internal mandates, etc.) you will quickly see that a) there’s a lot of similarity between them, but b) some are more detailed than others. The key to resolving these down to a reasonable set of controls you can actually operationalize over time is to focus on the objective of the control. That is, what is the intended outcome? If you can demonstrate a good faith, risk-rated attempt to achieve the outcome, you are in a position of strength to deal with an audit. This is more important than exactly matching the compliance text word for word.

Example from HIPAA Compliance

Let’s take an example from HIPAA, the healthcare records regulation. The following requirement is part of that standard:

164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates must do the following:
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. [i.e., personal healthcare information]

Pretty vague, right?! So how do you approach meeting the requirement? The way to think about this requirement is “If an auditor said ‘Show me how you have been protecting the data against any reasonably anticipated threats or hazards’, would I have a credible answer?”

If the answer is “Yes”, then you should be able to avoid a negative finding. For example, you could say something like:

We have the usual level of perimeter controls and can detail those for you. However, since we have to assume the attacker may still get in, we implement deception technology on our in-scope data, and we have a documented process that specifies how we ingest, analyze, and respond to all alerts created by that system. We feel that control activity provides protection against threats we would reasonably expect. Would you like to audit that process?

Now you’re able to negotiate from a position of strength: you took the intent and desired outcome of the compliance objective to heart, and put a continuous control activity in place to achieve that outcome.

Deception – a very powerful compensating control

I should add that Deception is also a very powerful compensating control, because its ability to detect threats is so broad. A compensating control is something you are doing that, while not exactly matching a compliance requirement, lessens the likely impact of your failure to directly meet it. Let’s say, for example, that your database firewall wasn’t doing its job because someone misconfigured it or the firewall alerts weren’t being sent to the SIEM. You’ve got a problem and a possible audit finding. But you can argue that even though the firewall wasn’t protecting the data, you had a compensating control in the form of the deception solution, which likely would have detected unauthorized access attempts around the database. (Remember that unauthorized access using authorized channels wouldn’t have been caught by the firewall anyway.)

You can also use a compensating control in situations where meeting the requirement exactly as stated is just not realistic. Let’s say the requirement is to “Review all logs on in-scope systems daily to search for evidence of compromise”. Sounds reasonable, but there are simply too many systems and too few eyeballs to make this viable in your shop. So instead, implement a compensating control using Deception to meet the intent of the requirement, that is, to search for evidence of compromise.

The bottom line with compliance audits is that there is a strong element of negotiation – they are not black and white. Focus on achieving outcomes that meet the intent of the regulations, truly reduce risk, and are realistic to operationalize continuously. And brush your teeth after every meal!