No security strategy is foolproof. Whether it’s a natural disaster, an error by a well-meaning employee, or ransomware — bad things happen. There’s no way to guarantee that your organization is totally safe from a cybersecurity event, but you can minimize the impact through the judicious use of security controls.
Applied correctly, security controls help stop threats in their tracks before they can transform into disasters. And while there are many different types of security controls – each using different processes and technologies – knowing when and where to apply them can make the difference between a minor disruption and a complete business shutdown. In this article, we break down the major types of controls and discuss how they work with one another to prevent incidents – and ultimately reduce the damage when they occur.
What is a Security Control?
Security controls are the most fundamental component of any security program. They are the steps taken, or the protections added to your IT ecosystem, to minimize risks. They include a range of measures from preventing or identifying potentially dangerous activity to taking countermeasures that stop attacks when they occur. They’re employed to minimize security risks — whether to physical property, information, computer systems, or digital assets.
In the context of cybersecurity, it’s often assumed that security controls only work to protect organizations against hackers. But security controls also exist to protect against system failures, insider threats, and even natural disasters. Controls preserve the confidentiality, integrity, and availability of information.
How Security Controls Work
Each security control generally targets a specific task or problem. One of the most common examples is a disaster recovery plan designed for situations where files may be lost or damaged in the event of a natural disaster or system failure. The disaster recovery plan implementation consists of a set of controls including (but not limited to) consistent backups, recovery testing, and offsite media storage. These same controls can also address and minimize the damage from a ransomware attack. Types of common security controls include:
Because the IT landscape is constantly evolving, security controls must change with it. New threats and attacks are discovered every day. Take malware for example. Malware variants are exploding, with over 82 million new malware discovered in 2021 already. This was the main driver for older antivirus (AV) systems to move away from signature-based identification where malware was matched with known signatures to heuristic-based and machine learning identification where malware is identified by its behavior. Updating and distributing signature files to keep up with the increase in new malware strains was not sustainable, so the control had to evolve.
Examples like this demonstrate that security controls aren’t a “set it and forget it” policy. Instead, they need to adapt as the threat landscape evolves to ensure organizations continuously improve their security posture.
Defense in Depth
It’s important to keep in mind that no control is perfect, and many can fail or be circumvented. When designing effective security, it is essential to apply controls in layers with overlapping functionalities to protect against the same threat. This way, if one fails, the others can work as a backup. Utilizing detective controls to identify threats, preventative controls to minimize or stop their impact, and control enablers to help both types of controls to be more effective. This approach and model is foundational to Zero Trust security, which has focused on recent government security mandates.
Preventative controls are implemented before a threat event takes place. They are designed to either eliminate the threat or decrease its impact. These may be technological, physical, or process-based, and may include:
- Physical barriers
- Antivirus software
- Least Privilege Access
Controls not only protect against threats but also can provide information about active threats and attacks in your IT systems. These controls are your eyes and ears into the health and well-being of your IT environment. Without adequate detective controls, attacks can be actively taking place right under your nose and will not become evident until something catastrophic happens.
While necessary for understanding the actual health of the environment on their own, detective controls do not stop the attack. Instead, they work to make the other controls more effective. Using data gathered from detective controls, preventative controls can more quickly take action to mitigate active threats.
Effective detective controls are crucial for providing the intelligence needed to understand the status of your IT ecosystem at any given time. The information gathered by detective controls track the effectiveness of preventative controls. It can be used to develop metrics to determine how quickly and efficiently various controls dealt with a given threat. Additionally, they also provide evidence to show that a threat has been contained and is no longer an issue.
In the same way that detective controls enhance preventative controls, control enablers make each type of control more effective. These controls focus on how businesses operate their technology and integrate them with security.
Preventative control enablers focus on the processes and making sure that the best practices are maintained. These controls include the different policies, procedures, access controls, and automation that dictate how the preventative controls operate.
Enablers for detective controls provide the functional output from the controls. These enablers include reports, alerts, logs, and dashboards that technicians use to visualize and interpret the data they collect. The enablers require the detective controls to provide them with data. They take this data that would otherwise be overwhelming and simplify it so that a human can quickly understand it and take action.
Controls by the Standards
Industry standards and government regulations help to drive which controls are implemented or chosen by an organization. Healthcare organizations will have different industry standards and adhere to different rules than financial organizations. While some standards and regulations are specific to certain industries, there is also overlap where specific regulations apply across different industry verticals. For example, Payment Card Industry (PCI) standards can apply to healthcare, financial, construction, and any industry where payment cards are taken. Whereas Sarbanes-Oxley (SoX) only applies to publicly traded companies., so many startups don’t have to deal with this regulation.
There are also times where two regulations may have different definitions or wordings that result in the same requirements. For instance, a control to scan for vulnerabilities, which is required by PCI for all payment systems, will help an organization meet the requirements for ISO 27000.1 or NIST 800-53. So by implementing a single control, organizations can meet multiple compliance requirements. Crosswalk tables such as one from NIST help map controls between multiple frameworks.
Maturing Your Security Model
Maturing your security model involves more than meeting compliance and security requirements. Controls need to be customized to meet the actual business environment. Implementing a control such as role-based access control is ineffective without understanding the business needs and data. Using this information to customize your model creates roles that fit the business. This allows granular enough control to effectively limit data access.
Using automation, businesses can configure controls to function continuously. Automation removes the risk of inconsistency that is inherent to manual processes. When controls are automated, evidence is created proving that controls are working. This makes it harder for bad actors to circumvent controls and improves overall security posture. Automation is especially useful for times when security professionals may not actively monitor systems, such as holidays, and bad actors tend to strike.
Auditing Your Security Controls
Audits help organizations mature their security controls. While many think of audits as an obstacle, they are vital to helping organizations understand where gaps may exist and how effective their program is. Using the evidence-driven assessment of controls, audits can quantitatively grade your organization’s control maturity.
Detective controls create the evidence that audit needs to do their job. Without effective detection controls generating and collecting data, finding sufficient evidence to prove compliance is challenging. By integrating with automation software, organizations can move to a state of continual compliance and eliminate gaps in the control implementation.
Going Beyond Implementation
Effective security is about more than simply implementing controls to meet compliance requirements. Controls must be implemented to target your business needs and threat landscape. Using controls that create synergy and continually re-evaluating them to ensure they are appropriate differentiates mature organizations from the rest of the pack.