One can get overwhelmed reading about data breaches such as last year’s massive Equifax incident, which may have exposed 145.5 million customer records. The December Identity Theft Resource Center Report lists other big breaches in 2017 at America’s Joblink Alliance (5.5 million records), Sonic Drive-in (5 million), Dow Jones (2.2 million), Schoolzilla (1.3 million), and Washington State University’s Social & Economic Sciences Research Center (1 million). Accenture’s 2017 Cost of Cyber Crime Study notes such incidents increased 23 percent and cost on average $11.7 million in 2017. These findings suggest that current security methods are unsustainable.
Against this backdrop, Gartner introduced an alternative approach to cybersecurity, the Continuous Adaptive Risk and Trust Assessment (CARTA), as part of its Top 10 Strategic Technology Trends for 2018 report. The CARTA approach calls for real-time risk assessment and making trust-based decisions. This contrasts with previous information security strategies that revolved around periodic risk assessments and controlling users through single sign-on authentication. “Existing security decision-making based on initial one-time block/allow security assessments for access and protection is flawed,” the Gartner report explains. “It leaves organizations open to zero-day and targeted attacks, credential theft, and insider threats.” In this new paradigm, internal audit needs to determine how it will respond to the CARTA approach.
A Big Change in Thinking
The CARTA approach could become the model for organizations that are adopting the Development and Operations (DevOps) approach for rapid application delivery. It relies on using application program interfaces (APIs) for automation, moves away from simple rule-based systems, and puts greater emphasis on detection and response vs. prevention. At its core is a three-pronged strategy combining deception, continuous authentication, and a development security operations (DevSecOps) mindset.
That requires a big change in thinking about cybersecurity. “CARTA is good at the framework level, but the implementation of it will require a major shift for vendors, software developers, and the organizations, themselves,” says Sajay Rai, CEO of Securely Yours LLC in Bloomfield Hills, Mich. “Most organizations will have to deploy a different set of tools, technologies, people, and processes.”
Although CARTA can be a helpful approach, it should not be viewed as a standard against which to audit, says Jon West, chief information security officer at Kemper Corp. in Jacksonville, Fla. “Organizations should work toward maturing to that level, but many have a long way to go,” he explains. “The important thing is that business, IT, security, and audit leaders understand that security-by-design has to be embedded into strategies and requirements.”
Deploy Deception Security Technology
Today’s most common cybersecurity approach aims to block all unauthorized users. To this end, organizations deploy firewalls, divide the organization into different segmented networks, and set up demilitarized zones.
A “deception” approach assumes some unauthorized user eventually will enter the organization’s network, despite efforts to prevent bad traffic. When that happens, the organization uses deception to lure intruders to a special server containing files that appear to be valuable information. In reality, those files have no business value, and no legitimate user has a reason to open them; the moment an intruder is tricked into opening one, the information security function is alerted to take action against the unauthorized user.
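The alerting side of that deception server, as an added example that is not code from the article or from Gartner’s CARTA material: it reads constructed file-audit log lines, raises an alert whenever a registered decoy file is touched, and allowlists the backup and indexing service accounts that legitimately read every file. The log format, decoy paths and account names are all assumptions.

```python
"""Decoy-file access detection over constructed file-audit log lines.

Added example, not code from the article or from any CARTA vendor. It
models the deception server described above: decoy files carry no real
value, so any access by a person (rather than an allowlisted service
account) is itself the signal. All paths, users and log lines are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical decoy files planted on the deception server. Nobody has a
# legitimate reason to open them, which is what makes a hit high-signal.
DECOY_PATHS = {
    "/shares/finance/Q4_payroll_backup.xlsx",
    "/shares/hr/passwords_old.txt",
    "/shares/it/vpn_credentials.csv",
}

# Service principals that touch every file (backup, search indexer) and
# must not trip the alarm. Constructed names; tune to the environment.
ALLOWLISTED_PRINCIPALS = {"svc_backup", "svc_indexer"}

# Constructed audit-log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    host: str
    action: str
    path: str
    severity: str


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_access(lines):
    """Scan audit lines and return one Alert per non-allowlisted decoy touch.

    Reads are 'high'; writes, renames and deletes are 'critical' because
    they suggest tampering or an encryption attempt rather than browsing.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip, do not crash the monitor
        if ev["path"] not in DECOY_PATHS:
            continue
        if ev["user"] in ALLOWLISTED_PRINCIPALS:
            continue
        severity = "critical" if ev["action"] in {"write", "rename", "delete"} else "high"
        alerts.append(Alert(ev["ts"], ev["user"], ev["host"], ev["action"], ev["path"], severity))
    return alerts


# Constructed sample: one ordinary read, one backup read of a decoy
# (allowlisted), one user read of a decoy, one user write to a decoy,
# and one malformed line.
SAMPLE_LOG = [
    "2018-03-02T10:15:22Z host=fs01 user=jdoe action=open path=/shares/finance/Q4_report.xlsx",
    "2018-03-02T10:15:40Z host=fs01 user=svc_backup action=open path=/shares/finance/Q4_payroll_backup.xlsx",
    "2018-03-02T10:16:03Z host=fs01 user=jdoe action=open path=/shares/finance/Q4_payroll_backup.xlsx",
    "2018-03-02T10:16:09Z host=fs01 user=jdoe action=write path=/shares/hr/passwords_old.txt",
    "this line is not an audit event",
]

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOG):
        print(f"[{a.severity}] {a.timestamp} {a.user}@{a.host} {a.action} {a.path}")
```

The allowlist is the part an auditor should ask about: without it the deception server pages the security team every night when backups run, and with too broad a list a compromised service account walks past the trap unseen.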
In assessing CARTA, internal audit needs to determine whether the information security function plans to deploy or is already using deception. Auditors should assess the possibility of a CARTA strategic change and the new risks it may bring.
Establish Continuous Authentication
Continuous authentication applications constantly monitor the user from login to sign out. Some of these solutions include deploying keystroke analysis and touch- or mouse-motion dynamics. The idea is to identify a user based on “who you are,” including biometrics and face recognition, rather than “what you know” such as a password.
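A minimal keystroke-dynamics check of the kind described above, as an added example that is not code from the article or from any vendor it names: a hypothetical keystroke capture yields (key, press time, release time) events, a profile of the user’s dwell and flight times is built from enrollment sessions, and each later typing window is scored against it. The capture format, the two features, the z-score threshold and all timings are assumptions.

```python
"""Keystroke-dynamics scoring for continuous authentication.

Added example, not code from the article or from any product it
mentions. Assumes a hypothetical capture layer that delivers
(key, press_ms, release_ms) events; all timings below are constructed.
Only timing statistics are kept, never the keys typed, which matters
for the privacy questions this technology raises.
"""
import statistics
from typing import List, Tuple

Event = Tuple[str, int, int]  # (key label, press time in ms, release time in ms)


def session_features(events: List[Event]):
    """Return (mean dwell, mean flight) in ms for one typing window.

    Dwell is how long a key is held; flight is the gap between releasing
    one key and pressing the next. Both are habits a stolen password
    does not carry with it.
    """
    if len(events) < 2:
        raise ValueError("need at least two keystrokes")
    dwells = [rel - prs for _, prs, rel in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return statistics.mean(dwells), statistics.mean(flights)


class KeystrokeProfile:
    MIN_STD_MS = 1.0  # floor so an unusually regular typist does not divide by ~0

    def __init__(self, enrollment_sessions: List[List[Event]]):
        feats = [session_features(s) for s in enrollment_sessions]
        if len(feats) < 3:
            raise ValueError("need at least three enrollment sessions")
        cols = list(zip(*feats))
        self.means = [statistics.mean(c) for c in cols]
        self.stds = [max(statistics.pstdev(c), self.MIN_STD_MS) for c in cols]

    def score(self, events: List[Event]) -> float:
        """Mean absolute z-score of the window against the enrolled profile."""
        obs = session_features(events)
        return statistics.mean([abs(o - m) / s for o, m, s in zip(obs, self.means, self.stds)])

    def decide(self, events: List[Event], threshold: float = 2.0) -> str:
        """'continue' if the window looks like the enrolled user, else 'step_up'.

        A step-up (explicit second factor) is preferable to a silent
        logout: behavioural signals drift with fatigue, injury or a new
        keyboard, so a single miss should prompt, not punish.
        """
        return "continue" if self.score(events) <= threshold else "step_up"


def make_session(dwells, flights, start_ms=0) -> List[Event]:
    """Build synthetic events from dwell/flight lists (constructed data only)."""
    if len(flights) != len(dwells) - 1:
        raise ValueError("need one flight time between each pair of keys")
    events, t = [], start_ms
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t = t + d + (flights[i] if i < len(flights) else 0)
    return events


# Constructed enrollment windows for a hypothetical user: roughly
# 100 ms key holds and 150 ms gaps, with session-to-session variation.
ENROLLMENT = [
    make_session([100] * 4, [150] * 3),
    make_session([110] * 4, [170] * 3),
    make_session([90] * 4, [130] * 3),
    make_session([100] * 4, [150] * 3),
]
SAME_USER_WINDOW = make_session([105] * 4, [160] * 3)   # within normal drift
IMPOSTER_WINDOW = make_session([60] * 4, [260] * 3)     # fast taps, long pauses

if __name__ == "__main__":
    profile = KeystrokeProfile(ENROLLMENT)
    for name, win in (("same user", SAME_USER_WINDOW), ("imposter", IMPOSTER_WINDOW)):
        print(f"{name}: score={profile.score(win):.2f} decision={profile.decide(win)}")
```

Real deployments use many more features and per-key-pair statistics, but the shape is the same: an enrolled baseline, a distance score for every window, and a threshold whose false-reject rate the organization has to accept and, for audit purposes, be able to justify.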
Some organizations use voice recognition to authenticate users and alert the information security team when it detects a significant variance. For example, Capital One Bank allows customers who have Amazon’s Echo personal assistant to say: “Alexa, ask Capital One, what’s my balance?” or “Pay my credit card.”
Using various behind-the-scenes authentication methods enables continuous authentication of the user. However, this new technology can be challenging to deploy and raises privacy questions for some users. How will internal audit adapt its governance, risk, and control assessment to this new type of authentication?
Create a DevSecOps Approach
The demand for innovation and delivering technology faster leads many organizations to use a DevOps methodology to develop and deploy applications into operations. With DevOps, organizations seek to align technology with the business objectives and deploy new software releases faster.
CARTA inserts security into the DevOps model. This approach begins by making security people-centric and giving developers responsibility for security. Developers use automated tools to implement security during the development and testing of applications, and information security team members collaborate at key points during the process.
The challenge for internal auditors will be assessing the effectiveness of the DevSecOps approach. Will auditors require DevSecOps monitoring tools? Will IT auditors attend stand-up meetings and perform code reviews?
Internal audit can take three high-level steps to assess the DevSecOps approach:
- Determine where the organization is heading strategically with cybersecurity. Is it taking a CARTA approach? This means the auditor has a seat at the table when innovative strategies are under discussion.
- Assess the risk to successfully deploying deception technology. Internal audit should communicate with the chief information security officer to identify whether deception security is planned.
- Review the benefits and cost for continuous authentication. Beyond costs and benefits, auditors should learn and become familiar with how continuous authentication works.
New Approach, New Methods
With many organizations already deploying CARTA, it could become the future of cybersecurity alongside the U.S. National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework and NIST 800-137: Information Security Monitoring, and Microsoft’s outcome-based security. Before deploying CARTA, organizations need to prepare themselves, says Ravi Raghavan, vice president of Coalfire, a Westminster, Colo.-based cybersecurity advisory firm. “Risk management is most effective after first conducting initial risk identification, prioritization, and triage exercises,” he says. “You have to have a house to stand in before you can continuously improve and repair it.”
In this environment, internal audit needs to collaborate with its information security counterparts to research and consider the CARTA approach and the new risks it may bring for their organization. Moreover, internal audit will need new audit methods and skills to address CARTA, and assessing the related governance, risks, and controls may be challenging. Getting started now represents the important first step.