Problem solve Get help with specific problems with your technologies, process and projects.

Security beyond compliance: A proactive and customized security framework

Though compliance guidelines are a good place to start, they in no way guarantee the security of a network. Marcos Christodonte II explains how to create a unique and dynamic security framework that can stand up to even the most current threats.

Organizations must move away from being reactive, and instead take proactive steps to strengthen their security postures.

Security professionals are governed by many regulatory standards. Whether FISMA, HIPAA, GLBA, SOX or PCI DSS, these standards serve to provide a baseline for implementing and managing security. But the need to comply with these guidelines is not enough to keep enterprises safe. Organizations must go beyond compliance standards to create a stronger security posture. Most of these standards were created well over six years ago, and their purpose was to provide a minimal level of security to protect sensitive information, not an in-depth strategy to address all enterprises risks.

To stay ahead of evolving threats, organizations must take a more proactive approach by developing a security framework specific to their operations. Such a framework should range beyond compliance guidelines to encompass several other basic principles, including defense through diversity, proactive security strategies, addressing layer 8 (users), and defining the framework. In this tip, we'll review each of those concepts.

Defense-in-depth strategy
The principle of defense through diversity complements what is known as a defense-in-depth strategy. While defense-in-depth focuses on layers of protection (firewalls, proxies, antivirus, patch management, etc.), defense through diversity takes a more granular approach to implementing each layer. This involves not relying on a particular vendor or technology as a cure-all solution.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!

For instance, by assessing infrastructure (discussed below), a security team may determine that the integrity of email communications, or mail servers, is a critical business need for ongoing operations. As such, the principle of defense through diversity would suggest installing multiple mail safeguards and antivirus products that use different and varied heuristic and signature technologies.

Proactive security strategies
While many technologists still have the mindset that security is static and their controls will protect the network, attacks are becoming more sophisticated and targeted, meaning mitigation strategy must constantly adapt. To keep up with dynamic threats, organizations must move away from being reactive, and instead take proactive steps to strengthen their security postures. The following list provides a few entry-level proactive security strategies:

  • Log analysis and monitoring -- Whether from domain controllers, Web server firewalls or an IDS, logs should be monitored on a consistent basis. Do this by centrally managing logs with log correlation analysis to streamline monitoring. Start by reviewing logs for at least one hour per week. Also, ensure that all logs are protected with strict access control. Two vendors that offer log correlation are ArcSight Inc.'s log management suite and the log correlation engine by Tenable Network Security Inc.
  • Honeytokens -- They are hardly a new concept, but they aren't used as much as they should be. Honeytokens are essentially cleverly titled files that shouldn't be accessed, but set off an alarm when they are. They can provide administrators with an alert that someone or something has inappropriately accessed the network and may be attempting to exfiltrate data. This can be achieved by configuring an IDS to search all outgoing traffic for the file name, or by monitoring the "accessed" time stamp of the file.
  • Egress traffic monitoring -- While many organizations focus on what's allowed into their networks, few focus on what's going out. By monitoring traffic leaving the network, administrators may find various anomalies or clues that their systems may be a part of botnets or that data is being exfiltrated to unknown entities.
  • Data flow analysis -- Beyond monitoring inbound and outbound traffic, keeping up with a growing infrastructure is vital. As new servers and applications are added to the network, administrators must stay abreast of all network connections, the access control lists (ACLs) that govern them and hardware and software appliances that protect them. Documenting the topology with up-to-date diagrams that are reviewed on a continual basis can turn up loopholes in data flow.
  • Protection levels of external affiliates -- A solid security framework can easily become compromised through relationships with less-secure organizations. If external partners or service providers have lax security controls and unpatched systems, attackers may use them as a launching pad to attack the networks with which they're associated, networks that are otherwise secure. Therefore, it's important to know their protection levels and define common security goals in the SLA or partner arrangement.
  • Whitelisting -- A default "deny" policy on all applications and network traffic, while only allowing what's required as a business need, is the future. Organizations should assess their business needs and match their infrastructure to mirror only those requirements, nothing more.
  • Subscriptions -- Subscribe to multiple newsfeeds with updates on vendor patches and the latest security threats. US-CERT is a good one. Don't forget's news feed as well. Also register for feeds from vendors used within your organization.

Proactive security involves taking additional daily steps to improve defenses and learn the intricate details of your infrastructure. The next step to a personalized framework beyond compliance is to create a culture of security that gets, captures and maintains the attention of users.

Addressing layer 8
To involve users in security, they must understand the threats to the organization. Just as security requirements must be defined in an SLA with external affiliates, they must also be defined and understood by users. While employees often hear about policies, they frequently ignore them after an initial orientation. To effectively address layer 8, policies must be coupled with education and enforcement.

A policy that accurately details the organization's position on security is meaningless without continual user education on the principles and guidelines therein. Through education and training, users develop an understanding of threats and form an alliance with the organization to thwart them. Enforcement is usually done through user access controls, monitoring and filtering, but if users don't know the why behind controls, they will be slow to accept them.

The framework
Understanding an organization's unique infrastructure is vital to developing a customized security framework. To start, organizations must have documented baselines of all assets and configurations within their infrastructure. The complex designs and integrations of systems in heterogeneous environments are hardly addressed in compliance standards. Knowing what assets are on hand and the configuration required for operations will provide a clearer picture when assessing risks specific to one's operations.

For more information
Learn more about compliance frameworks in this expert tutorial video

Help your compliance efforts with penetration testing: Find out more

Read about managing SaaS risk for compliance

Once a thorough risk assessment is conducted for all valued assets, countermeasures and security steps should be documented. As technological changes and integrations occur, systems will degrade security over time. Therefore, it's imperative to continuously assess risk for all assets, even when a compliance audit isn't coming up.

Summarized steps to developing a personalized framework include:

  • Identify all asset baselines and configurations
  • Prioritize each asset and determine resource allocation based on risk assessment results
  • Develop potential scenario-based incidents to craft preplanned actions
  • Recalculate priorities and resources based on scenario assessments
  • Implement and continuously enhance proactive strategies

Once an organization's customized security framework is in place, it should serve as the basis for allocation of security resources, not just to meet baseline requirements of compliance standards. Enterprises too often try to protect everything, leaving critical assets to receive inadequate resources.

Simply meeting compliance standards can create a false sense of security. Being compliant is not synonymous with being secure. Organizations must look at their specific infrastructures and create a unique security framework that stretches beyond compliance mandates to address unique infrastructure issues. Maintaining a proactive posture is critical to staying abreast of current attack vectors.

About the author:
Marcos Christodonte II, CISSP, CCNA, is an information security professional working for the U.S. government. He maintains an information security blog at

This was last published in December 2008

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.