A Guide to Choosing and Automating Security Frameworks

With the growing number of security frameworks, acronyms, scoring systems, benchmarks and more, it’s often hard to understand how each frameworks differs, how and where they come into play with regards to modern cloud native systems. More than anything, how do we actually operationalize these frameworks to derive engineering benefits?

In the past we’ve written about everything from SOC2, to MVSP, to OWASP’s DSOMM, AWS’ FTR (foundational technical review) through their Well-Architected framework, among others.  

We believe with sufficient operationalization each and every one of these frameworks can ultimately map to a simple and automatable plan as code, that developers can use to comply with business-driven decisions for governance and compliance.  

In this post, we’ll dive into other popular cloud and systems engineering frameworks developers should at least know about, and consider aligning with as best practices––and good ways to start automating the engineering parts.  

Popular security frameworks that can help you prevent and respond to cyber attacks

When it comes to aligning with frameworks and standards, it’s critical to ensure you are selecting the parts that truly deliver engineering value, and aren’t just “ticking boxes” for the sake of theatrical governance and compliance.  

On the same note, due to many areas having similar requirements, you’ll find that alignment with one of these standards may bring you a long way towards complying with others. At the end of the day, many of the standards have overlap and uphold similar security hygiene.

In this post we’ll explore the frameworks you may have heard about, and even employ, but don’t necessarily know the specifics about.  We’ll highlight what’s important, and where these map to your actual systems. The frameworks we’ll look at include:

• NIST Cybersecurity Framework (CSF)

• CIS Controls & Benchmarks

• GDPR (General Data Protection Regulation)

• Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

• MITRE ATT&CK Framework

With Jit Security Plans, you can automatically implement all the required security controls and monitoring needed to fulfill common security frameworks like SOC2, with support for additional frameworks coming soon. These controls are delivered to developers with non-invasive integrations with GitHub and your IDE, so they can code quickly without being obstructed by security.

NIST Cybersecurity Framework (CSF)

Great for: comprehensive code-to-cloud security to proactively prevent malicious activity and reacting to ongoing attacks.

Developed by the National Institute of Standards and Technology, the NIST Cybersecurity Framework is used primarily by U.S. government agencies to manage and mitigate cybersecurity risk. However, it has also found common global applications across different business sectors. 

An entire blog post can be written just about the NIST CSF alone, but generally is provides a good baseline security checklist for the following areas of modern cloud environments:

• Identify

• Protect

• Detect

• Respond, and 

• Recover

We’ll dig into each of these individually and how they are applicable to engineers and modern developer workflows and environments. Just note, we are getting started with NIST, as this checklist comprises much of the considerations that the rest of the security frameworks focus on, and will provide a good baseline as a reference for those as well.

Identify

“Identify” refers to our ability to have a full understanding of all of the technologies running in our stack, and the risks they pose to our systems. This includes everything from the assets themselves, to the data they touch, process or analyze, through their actual capabilities in your systems.

Leverage the following practices to effectively identify and assess risk across your system:

• Asset Management: This covers the entire discipline focused on providing cloud-based tools for inventory management of resources. Asset Management includes tools like AWS Config to Azure Resource Graph, and even newer cloud-native tools like Firefly. These serve to continuously monitor and identify managed and unmanaged resources across your cloud environment.

• Risk Assessment: Implement regular security assessments of your cloud applications using cloud-native tools to evaluate the risks associated with identified assets and vulnerabilities.

Protect

Let’s be honest, protect is essentially the vague and full scope of the myriad cyber and cloud security concerns that hundreds of companies, like Jit, around the globe are trying to solve.  This isn’t a quick one liner, obviously.

To simplify security for cloud applications, the Jit approach can cover your code >> infrastructure >> CI/CD >> APIs and third-party tools >> to production and runtime security. With Product Security Plans, you can gain full coverage across your repos in a matter of minutes.

That said, there are indeed many additional aspects of security that should not be overlooked, including Access Control and Identity Management, data encryption, network security and much more. “Protect” involves the entire threat landscape as it applies to your systems based on the technologies you employ and know about from the “Identify” part.

Detect, Respond and Recover

While identifying cloud assets and protecting your systems refer to proactively preventing attacks, detecting, responding, and recovering shift the focus to defending against ongoing malicious activity:

• Detect is the phase where all of the security tools come in––from the network security, firewalls and perimeter security through the actual code scanning, infrastructure security scanning, container security and everything else happening in your stacks.  It’s the ability to have a real time understanding of a threat as it unfolds.  

• Respond is the ability to respond, as the category implies to the threats “detected” in the previous category, and ultimately block malicious activity & risk. This includes auto-remediation of known vulnerabilities in our code, traffic blocking when anomalous behavior is detected, or your incident response plan and forensics if a breach has occurred. 

• Recover focuses on everything from disaster recovery and incident response, to backup and restoration if there was data loss or denial of service. All of these categories together focus on the many and diverse areas that keep security engineers up at night when it comes to protecting mission critical systems.  These also provide a very good high-level way of thinking about comprehensive security, and the categories under which different security activities and practices fall.

CIS Controls and Benchmarks

Great for: understanding your attack surface and proactively managing risk cross cloud applications.

If we are to take the NIST framework as a good starting point when it comes to cloud native security, CIS Controls and Benchmarks, focus largely on the Identify and Protect categories.  The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The controls are divided into basic, foundational, and organizational categories, providing a comprehensive approach to security.

The focus on:

• Inventory and Control of Hardware Assets

• Secure Configuration for Hardware and Software

• Continuous Vulnerability Management

If we take specific examples, CIS controls and benchmarks provide good practical methods for securing everything from web servers to databases, clouds, containers and anything else running in modern cloud native stacks.  

Once we understand the different areas that need to be secured, and the right tools and techniques to do so, it becomes significantly easier to automate and continuously monitor that these security practices are being enforced.

GDPR (General Data Protection Regulation)

Great for: companies that handle customer data looking to do business in the EU.

GDPR, is a comprehensive data protection law that came into effect in the European Union (EU) on May 25, 2018. It aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. 

While this is a wide regulation that has a lot of stipulations, when we think about GDPR in the context of cloud applications, we’ll focus on the areas of data protection that also apply to the Protect & Detect categories. Plus, we’ll need to understand requirements following a breach in the Response and Recover categories.

GDPR requires companies processing and storing EU-citizen data to properly secure it including data encryption, anonymization, and access controls, utilizing cloud-native tools. 

It also focuses on prevention of transferring data out of the EU region and to have methods to detect breaches, and then also responsible disclosure procedures for data breaches.  

Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM)

Great for: Those looking to implement least privilege access controls and segregation of duties using IAM services:

The Cloud Security Alliance is a well-respected cloud security organization that offers the Cloud Controls Matrix framework. This security framework gives detailed understanding of security concepts and principles relevant to cloud computing, aligning with other industry-accepted security standards. As a result, CSA and CCM facilitate regulatory compliance and risk management.  

The areas this control matrix focuses are in the areas of Protect, Respond & Recover categories. This includes areas related to Identity and Access Management (IAM), and in particular how to implement least privilege access controls and segregation of duties using IAM services. 

These frameworks also focus on Data Encryption & Key Management that dictates good practices for managing encryption keys and encrypt data at rest and in transit.  

If and when a security incident does occur, it also references aspects of Incident Response, and particularly cloud-specific incident response plans that include cloud services for rapid response, that can and should be automated when possible.

MITRE ATT&CK Framework

Great for: highlighting gaps in your security posture based on common threats and hacking techniques.

MITRE ATT&CK takes the Detect & Protect categories one step further through Tactic and Technique Mapping.  This essentially means, mapping your integrated security controls against specific ATT&CK tactics and techniques to identify potential gaps in cloud security posture. 

For example, using cloud access logs to detect potential credential access techniques like "Brute Force" or "Credential Dumping".  

It also focuses on cultural and skill-related elements such as Red Team/Blue Team Exercises, for simulating adversary techniques and testing the effectiveness of cloud security measures, helping to improve detection and response strategies.  

This is a good opportunity to also test automation procedures, such as automated playbooks,  and remediation to test for efficacy.  

Last, it also provides a great overview for Threat-Informed Defense. This means incorporating threat intelligence into cloud security monitoring solutions to help augment detection and tailor the response to tactics and techniques used in real-world attacks.

Automating Security Frameworks as the Key to Cloud Native Security

After examining some of the most popular security frameworks available today, it’s hard to overlook that many of them focus on very similar topics and practices as good methods for improving security posture. 

When we realize that many parts of these frameworks can be automated through security plans, it makes it substantially easier to operationalize practical security.

With the many open source and commercial security tools available today, it’s possible to automate everything from the scanning of the many layers (Identify, Protect & Detect). 

This includes code, cloud configurations, data, access management policies, runtime alongside the many other security considerations noted above.  Incident response playbooks also make it possible to operationalize and automate the Respond and Recover areas. 

But which tools are needed to fulfill these frameworks? How are they integrated into the SDLC? How can we ensure developers will use them to improve security posture?

These are the questions we’re answering with Jit’s Security Plans, which automatically implement the required controls and monitoring throughout the SDLC. We aim to help drive your development team towards building systems in compliance with common security standards.

The more we automate, the better prepared we’ll be when real attacks and incidents arise.  We should also continue to hone our security skills through security gamification, as suggested in MITRE ATT&CK and in previous posts.  

In the grand scheme of things, many security risks are well-researched and well-defined, and the gap remains in automation and operationalization.  Security Plans as code will come in to fill this gap and provide off the shelf simple automated plans as code to help level up security for the cloud native evolution.