Is Compliance Scanning Still Relevant?

Compliance scanning is the method used to ensure that system configuration is compliant with security policy controls. Unlike vulnerability scanning, which picks up on Common Vulnerabilities and Exposures (CVE), and out-of-date software patches, many cybersecurity vendors also offer compliance scanning tools that measure compliance based on a third-party template. However, these scans are typically a source of pain within IT because compliance scanning regularly reports false positives and often misses gaping security configuration issues that weren’t designed to protect against. The result is a general mistrust and disregard for compliance, which manifests operationally through: 

  1. Alert Fatigue – Unintentionally encouraging administrators to ignore reports or mark too many findings as false positives without proper review. 
  2. Shadow IT – Correcting glitches through custom scripts and manual manipulation, which solves the problem temporarily but quickly deprecates and fails to scale. 

Although rooted in good intention, compliance scanning’s broad acceptance can often cause a disparity between compliance and system management. To put it bluntly, periodic compliance scanning is a broken process and a headache for all those forced to participate. Instead, organizations should seek to code compliance right into modern deployment and configuration management practices to make all the security compliance controls part of the actual config file. You may then manage compliance drift the same way you currently manage with other drift — using source control, deployment configs, automated testing, etc.

Despite automation’s ability toĀ enforceĀ complianceĀ with code,Ā the business willĀ likelyĀ requireĀ some sort ofĀ validationĀ toĀ verify the actions of an execution engine.Ā Even aĀ human-readableĀ language likeĀ YAML requires someĀ level of experienceĀ to interpret, so trying to pass an audit onĀ your scriptsĀ alone willĀ be difficult.Ā Currently,Ā the process is to config your system, then scan, then manually comb through the report to identify exceptions, false positives, and items needingĀ mitigation.Ā AtĀ A-Kar,Ā weĀ knowĀ thisĀ processĀ all too wellĀ and strive to ā€œtuneā€ our baselines to align withĀ the validation and scoring process.Ā More specifically, weĀ take the default scripts withinĀ Lockdown and re-configure theĀ variablesĀ toĀ match the compliance profileĀ ofĀ theĀ scanĀ tool adopted within the organization.Ā SinceĀ tasksĀ in Lockdown scriptsĀ matchĀ to a corresponding baseline control,Ā it’s possible toĀ quicklyĀ modify a scriptĀ to satisfy organizational exceptionsĀ and add new controls as necessary.Ā Ā 

In the future, we’d like to build an execution engine that features a policy builder, validation scanner, and scoring function to further streamline the process and abstract away the code from policy automation to make these tools available to all. This idea was the logical next step to the Testing Pipeline already being built into the Lockdown Enterprise Roles. This testing framework helps clients trigger Scan->Config ->Scan workflows that collect, diff, and score the system config before and after the baseline implementation. It strengthens compliance reporting because it provides:  

  1. Scanner scoring before and after baseline implementation. 
  2. Changed configuration details, including a mapping to specific security controls. 
  3. Lists of settings that remained the same or did not require changes. 
  4. Enumerated tasks that failed and how they map back to individual baseline controls. 

As a we audit to see that configuration management processes adequately enforce and report compliance. If we are provided scan results, we will typically ask to observe and test a sample system because we can’t be sure that the scan provided accurately reflects reality. Automated configuration management of compliance ensures consistent, secure, repeatable results and cuts down on managing config drift with shadow IT processes.  

Next Steps 

More from Our Cybersecurity Experts

Scroll to Top