Countercept MDR can help you to fulfil the requirements for ISO 27001 accreditation
WithSecure teams often work with customers who are accredited or are trying to become accredited in ISO 27001.
This standard is about managing information security, which is obviously a broad and complex topic. Having the accreditation can prove to customers and vendors that you are committed to security, and the certificate is often a prerequisite in contracts.
Our customers are often surprised to learn how far the WithSecure Countercept managed detection and response (MDR) service can help to support and provide evidence of ISO 27001 security controls.
Countercept MDR acts as an extension to security teams by triaging and investigating alerts through to taking response actions, where necessary, as a closed-loop process. Outside of incident scenarios, the detection and response team develops a partnership by sharing threat-hunting expertise, helping customers’ teams learn and grow, and supporting the continual improvement of their security posture. However, there are many less-advertised benefits and features that contribute towards the ISO 27001 controls.
When it comes to ISO 27001, Countercept can help in five main areas.
Asset management is about understanding what exists on your estate and how those assets contribute to risk exposure.
The Countercept service deploys endpoint agents to devices, domain controllers, and servers within your environment. This means that we can map assets interacting with your domain and ensure that you have excellent visibility of your estate.
Often, the Countercept agent will detect assets that are not listed in our client’s asset database or CMDB, and we will work with our customers to understand why that gap exists and ensure that all databases are up to date and accurate.
This accuracy is crucial because ISO 27001 specifies controls designed to identify and protect assets. This includes maintaining an asset inventory; however, where in the past simply having an inventory was enough, auditors are now asking for proof that the inventory is correct. This can be difficult to achieve, but the Countercept service can help to fulfil those requirements. Customers can compare their records with the live deployment status of the agent, and therefore prove that their asset list is complete and updated.
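The reconciliation described above, comparing an inventory export with live agent check-ins, is easy to automate. The script below is an added example and is not Countercept tooling; the CMDB rows, the check-in timestamps, the 30-day staleness threshold and the `corp.example` hostnames are all constructed for illustration. It reports assets with no agent, hosts the agent sees that the CMDB does not, and agents that have gone quiet, which is the evidence an auditor asks for when they want proof that the inventory is correct rather than just the inventory itself.

```python
"""Reconcile a CMDB asset export against live endpoint-agent check-ins.

Added example, not Countercept's own code. Every record below is constructed.
"""
from datetime import datetime, timedelta

# Constructed CMDB export: what the organisation believes it owns.
CMDB = [
    {"hostname": "WS-FIN-01.corp.example",  "owner": "finance", "type": "workstation"},
    {"hostname": "ws-fin-02.corp.example",  "owner": "finance", "type": "workstation"},
    {"hostname": "DC01.corp.example",       "owner": "it-ops",  "type": "domain-controller"},
    {"hostname": "SRV-DEV-03.corp.example", "owner": "dev",     "type": "server"},
    {"hostname": "SRV-OLD-09.corp.example", "owner": "unknown", "type": "server"},
]

# Constructed agent telemetry: hosts that actually check in, with last-seen time.
NOW = datetime(2024, 3, 1, 9, 0, 0)
AGENT_CHECKINS = [
    {"host": "ws-fin-01",  "last_seen": NOW - timedelta(minutes=5)},
    {"host": "ws-fin-02",  "last_seen": NOW - timedelta(days=45)},  # agent went quiet
    {"host": "dc01",       "last_seen": NOW - timedelta(minutes=1)},
    {"host": "srv-dev-03", "last_seen": NOW - timedelta(hours=2)},
    {"host": "lab-pc-77",  "last_seen": NOW - timedelta(hours=1)},  # not in the CMDB at all
]


def normalise(name: str) -> str:
    """Map 'WS-FIN-01.corp.example' and 'ws-fin-01' to the same key."""
    return name.split(".")[0].strip().lower()


def reconcile(cmdb, checkins, now, stale_after=timedelta(days=30)):
    """Return the three gaps an auditor cares about plus a coverage figure.

    missing_agent   - in the CMDB but never seen by the agent
    unknown_to_cmdb - seen by the agent but absent from the CMDB
    stale           - has an agent, but it has not reported within stale_after
    coverage        - fraction of CMDB assets with a live (non-stale) agent
    """
    cmdb_hosts = {normalise(r["hostname"]): r for r in cmdb}
    seen = {normalise(c["host"]): c["last_seen"] for c in checkins}

    missing_agent = sorted(h for h in cmdb_hosts if h not in seen)
    unknown_to_cmdb = sorted(h for h in seen if h not in cmdb_hosts)
    stale = sorted(h for h, ts in seen.items() if now - ts > stale_after)
    covered = [h for h in cmdb_hosts if h in seen and h not in stale]
    coverage = len(covered) / len(cmdb_hosts) if cmdb_hosts else 0.0

    return {
        "missing_agent": missing_agent,
        "unknown_to_cmdb": unknown_to_cmdb,
        "stale": stale,
        "coverage": round(coverage, 3),
    }


def report(result) -> str:
    """Render the reconciliation as a short audit-evidence record."""
    lines = [f"agent coverage of CMDB assets: {result['coverage']:.0%}"]
    for key in ("missing_agent", "unknown_to_cmdb", "stale"):
        lines.append(f"{key}: {', '.join(result[key]) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(CMDB, AGENT_CHECKINS, NOW)))
```

Hostname normalisation matters more than it looks: CMDB exports tend to carry FQDNs in mixed case while agent telemetry reports short names, and without a common key every host shows up as both "missing" and "unknown". Each gap category points at a different owner to chase: `missing_agent` is a deployment task, `unknown_to_cmdb` is an inventory (and possibly shadow-IT) question, and `stale` is usually a decommissioned or broken host whose record should be retired or fixed.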
Another benefit of the oversight that Countercept can have over an environment is that, because it gathers data from thousands of endpoints, the agent can spot signs of Acceptable Use Policy violations, such as illegal activity. Examples include piracy or downloads of suspicious software. When this happens, we can raise the issue with the client as part of our peacetime value offering.
ISO 27001 also includes controls about being able to manage and restrict who has access to certain assets, and what privileges they have.
Controlling access is crucial: it is one of the major methods of slowing down attackers, who can propagate very quickly through a network if the account that they are using has access to everything. Applying the principle of least privilege and segmenting the network are fundamental elements of security.
Again, the Countercept agent can help you to fulfil this requirement. Through the data the agent collects from domain controllers, servers, and workstations, we can detect the use of overprivileged accounts. We can highlight, for example, instances where too many people seem to have administrative privileges so that the client can investigate areas that have been missed or misconfigured.
We will also analyze user behavior to spot outliers. For example, a user in the marketing team might be flagged for investigation if they start accessing development servers or network administration tools, as they would have no reason to use them in the normal course of their work.
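Both checks described above, over-privileged accounts and users touching systems their role never needs, can be run over the kind of data an endpoint agent already collects. The script below is an added example, not Countercept's detection logic; the group memberships, the directory lookup, the host classes, the logon records and the thresholds are all constructed. It flags accounts holding administrative rights on more hosts than a threshold, hosts with too many admins, accounts whose admin rights span more than one host class, and a logon to a host class that the user's department has never used in the baseline period.

```python
"""Least-privilege review and departmental access outliers from endpoint telemetry.

Added example, not Countercept's own logic. Every record below is constructed.
"""
from collections import defaultdict

# Constructed: local Administrators membership per host, already expanded to user accounts.
ADMIN_MEMBERS = [
    ("ws-fin-01", "corp\\it.helpdesk"),
    ("ws-fin-02", "corp\\it.helpdesk"),
    ("ws-mkt-01", "corp\\it.helpdesk"),
    ("ws-mkt-02", "corp\\it.helpdesk"),
    ("ws-mkt-02", "corp\\j.smith"),       # marketing user is local admin on their own box
    ("srv-dev-03", "corp\\it.helpdesk"),  # helpdesk account also admin on a server
    ("srv-dev-03", "corp\\dev.build"),
    ("srv-dev-03", "corp\\a.patel"),
    ("srv-dev-03", "corp\\b.ng"),
    ("srv-dev-03", "corp\\c.ortiz"),
    ("srv-dev-03", "corp\\d.kim"),
]

# Constructed directory lookup: account -> department.
DIRECTORY = {
    "corp\\it.helpdesk": "it-ops", "corp\\dev.build": "dev", "corp\\j.smith": "marketing",
    "corp\\a.patel": "dev", "corp\\b.ng": "dev", "corp\\c.ortiz": "dev",
    "corp\\d.kim": "dev", "corp\\m.wilson": "marketing",
}

# Constructed host classification, as it would come from the asset inventory.
HOST_CLASS = {
    "ws-fin-01": "workstation", "ws-fin-02": "workstation", "ws-mkt-01": "workstation",
    "ws-mkt-02": "workstation", "srv-dev-03": "dev-server", "dc01": "domain-controller",
}

# Constructed historical logons (account, host) used to learn what is normal per department.
BASELINE_LOGONS = [
    ("corp\\j.smith", "ws-mkt-02"), ("corp\\m.wilson", "ws-mkt-01"),
    ("corp\\a.patel", "srv-dev-03"), ("corp\\b.ng", "srv-dev-03"),
    ("corp\\it.helpdesk", "ws-fin-01"), ("corp\\it.helpdesk", "dc01"),
]
# Constructed new logons to evaluate against that baseline.
NEW_LOGONS = [("corp\\m.wilson", "srv-dev-03"), ("corp\\a.patel", "srv-dev-03")]


def admin_review(members, host_class, max_hosts_per_account=3, max_admins_per_host=3):
    """Flag accounts with admin on many hosts, hosts with many admins, and cross-tier admins."""
    by_account = defaultdict(set)
    by_host = defaultdict(set)
    for host, acct in members:
        by_account[acct].add(host)
        by_host[host].add(acct)

    wide = {a: sorted(h) for a, h in by_account.items() if len(h) > max_hosts_per_account}
    crowded = {h: sorted(a) for h, a in by_host.items() if len(a) > max_admins_per_host}
    # An account that is admin on more than one host class breaks tiering: a compromise
    # on a workstation would hand the attacker rights on servers too.
    cross_tier = {}
    for acct, hosts in by_account.items():
        classes = {host_class.get(h, "unknown") for h in hosts}
        if len(classes) > 1:
            cross_tier[acct] = sorted(classes)
    return {"wide": wide, "crowded": crowded, "cross_tier": cross_tier}


def department_baseline(logons, directory, host_class):
    """Learn which host classes each department normally logs on to."""
    base = defaultdict(set)
    for acct, host in logons:
        base[directory.get(acct, "unknown")].add(host_class.get(host, "unknown"))
    return base


def access_outliers(new_logons, baseline, directory, host_class):
    """Return logons to a host class the user's department has never used before."""
    flagged = []
    for acct, host in new_logons:
        dept = directory.get(acct, "unknown")
        cls = host_class.get(host, "unknown")
        if cls not in baseline.get(dept, set()):
            flagged.append({"account": acct, "department": dept, "host": host, "host_class": cls})
    return flagged


if __name__ == "__main__":
    print(admin_review(ADMIN_MEMBERS, HOST_CLASS))
    base = department_baseline(BASELINE_LOGONS, DIRECTORY, HOST_CLASS)
    print(access_outliers(NEW_LOGONS, base, DIRECTORY, HOST_CLASS))
```

The thresholds are deliberately arguments rather than constants: the right number of admins per server differs between a build box and a domain controller, and an auditor will want to see that the figure was chosen, not defaulted. The department baseline is a coarse model on purpose; it catches the marketing-user-on-a-dev-server case from the text without needing per-user profiles, and a hit is a prompt for investigation rather than proof of misuse.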
Operations security is the bread and butter of the WithSecure Countercept MDR service. The core elements of the service are detecting and responding to threats, including investigating suspicious activity in the client’s network as an extension of their security team.
This also includes ensuring that you have exceptional visibility of those activities at every step of the process, and that every activity and action is documented and reported on.
Countercept is perfectly placed to support the fulfillment of the clauses around operations security in ISO 27001, which stipulates that organizations should be able to detect, assess, and mitigate threats to information security.
ISO 27001 mandates several controls around incident management. These include:
- establishing responsibilities and procedures for responding to incidents
- responding appropriately to incidents
- collecting appropriate evidence for incidents and incident response.
The Countercept service includes skilled incident responders from the WithSecure team as standard, and the service is ideally equipped to support these controls. WithSecure incident responders can perform remote forensic analysis, which means they can fully investigate incidents without needing to call in secondary teams or external specialists.
They also use human-in-the-loop decision-making, which means that nothing is automated without good reason. This minimizes false positives when responding to attacks. Our tooling was built by incident responders for their own use, so it is designed and tailored to do the job.
The retained incident response service that is included with the Countercept service as standard is also instrumental in enabling business continuity. The responders will work with customers who have experienced an incident to do whatever is necessary to restore normal work as quickly as possible, including major incident and crisis management and on-site support.
This is important because ISO 27001 specifies that organizations must ensure the continuity of information security in the event of a crisis or disaster.
Other relevant ISO 27001 controls
Although the Countercept service contributes the most to the fulfillment of the five ISO controls described above, there are other controls which can be affected positively by the service. These include:
- Internal organization: This control requires that information security responsibilities should be defined and allocated. As standard, the Countercept service includes a playbook and an escalation matrix, which document the external team’s responsibilities. This playbook can easily be expanded to include the internal team’s responsibilities.
- During employment: This control specifies that employees and relevant contractors should receive training and updates about information security policies and procedures. The Countercept service supports this by offering in-house training sessions and awareness programs, which can be evidenced in an audit.
- Cryptographic controls: This control requires that the organization has a policy on the use of cryptographic controls. As part of the Countercept service, we can evidence the use of clear-text credentials and, if information is being passed unencrypted, report violations of the policy.
- Protection from malware: This control specifies that you should be able to detect, prevent, and recover from malware. The Countercept service supports this goal from many angles, but especially by correlating with antivirus tools to spot malware that has evaded standard protection packages.
- Logging and monitoring, and information backup: These controls indicate that information should be backed up regularly and that events such as incidents should be logged and those logs should be protected. As part of the Countercept service, we store data from customers’ estates for two years for use during incident investigations, somewhat like an off-site backup.
- Technical vulnerability management: This control requires that organizations are informed about vulnerabilities and that measures are taken to protect against risk. Countercept can support this by providing information about major vulnerabilities and helping customers to understand how they might be affected. At the same time, if we get visibility of outdated systems, we will raise that with the client and advise that they be updated to minimize vulnerabilities.