Conference paper

Towards Automated Assessment of Organizational Cybersecurity Posture in Cloud



Reliance on digital services grows more critical every year, regulators levy billions of dollars in penalties annually, and the impact of security control failures keeps growing; as a result, the consequences of an organization being unable to determine the completeness of its cybersecurity strategy and control environment are worsening. Established standards such as NIST SP 800-53, the Cloud Security Alliance Cloud Controls Matrix (CSA-CCM) and the CIS 20 Security Controls offer baselines against which organizations can mandate compliance, in support of managing their security control environment and meeting risk and regulatory expectations. Although security and compliance automation is increasing, it is hampered by the fact that control requirements are expressed in natural-language text. With large organizations often needing to comply with several thousand security requirements across their IT enterprise, assessing coverage and identifying potential gaps by hand becomes infeasible. In this paper, we present a system that performs a coarse-grained assessment of an organization's security posture against a standard control framework. We propose an AI-based model that performs the mapping from organizational controls to framework requirements automatically, and we evaluate its performance empirically. We then extend the approach with a novel domain-specific taxonomy that increases the granularity of the coverage assessment while providing explainability. We also describe how the system is being used in production.
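To make concrete what a coarse-grained coverage assessment with taxonomy-based explanation involves, the following is an added Python example; it is not the paper's system or model. It substitutes a plain TF-IDF cosine-similarity mapping for the paper's AI-based model, and every control text, identifier (AC-1, ORG-01, and so on) and taxonomy entry is constructed for illustration rather than quoted from NIST SP 800-53 or any other standard.

```python
"""Toy coarse-grained control-coverage assessment (added illustration).

Internal control statements are mapped onto a framework's requirements
with TF-IDF cosine similarity (a stand-in for the paper's AI model), then a
small hand-built taxonomy explains each match and yields per-topic coverage.
All control texts, IDs and taxonomy entries below are constructed for this
example and are not quotations from any standard.
"""
import math
import re
from collections import Counter

STOPWORDS = {"a", "an", "and", "are", "at", "be", "by", "for", "in", "is",
             "must", "of", "on", "the", "to", "use", "using", "with", "all"}

# Constructed stand-ins for framework requirements (IDs are not real ones).
FRAMEWORK = {
    "AC-1": "Require multi-factor authentication for all privileged and administrator accounts",
    "SC-1": "Encrypt data at rest using approved cryptographic algorithms",
    "AU-1": "Retain audit logs and review logs for suspicious activity",
    "RA-1": "Perform vulnerability scanning of systems at regular intervals",
}

# Constructed organizational control statements, as found in an internal policy.
ORG_CONTROLS = {
    "ORG-01": "Administrator accounts must use multi-factor authentication with hardware tokens",
    "ORG-02": "Customer data at rest is encrypted with approved algorithms",
    "ORG-03": "Security logs are retained for one year and reviewed weekly for suspicious activity",
}

# Constructed domain taxonomy: topic -> indicative phrases.
TAXONOMY = {
    "identity": ["multi-factor authentication", "accounts"],
    "data-protection": ["encrypt", "cryptographic algorithms"],
    "logging": ["audit logs", "review"],
    "vuln-mgmt": ["vulnerability scanning"],
}


def stem(word):
    """Crude suffix stripping so that 'encrypted' and 'encrypt' share a token."""
    for suffix in ("ing", "ed", "s"):
        if word.endswith(suffix) and len(word) > len(suffix) + 2:
            return word[: -len(suffix)]
    return word


def tokenize(text):
    words = re.findall(r"[a-z]+", text.lower())
    return [stem(w) for w in words if w not in STOPWORDS]


def tfidf_vectors(docs):
    """docs: id -> text. Returns id -> {term: tf * log(N/df)}."""
    tokens = {doc_id: tokenize(text) for doc_id, text in docs.items()}
    df = Counter()
    for toks in tokens.values():
        df.update(set(toks))
    n = len(docs)
    return {doc_id: {t: c * math.log(n / df[t]) for t, c in Counter(toks).items()}
            for doc_id, toks in tokens.items()}


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def topics(text):
    """Taxonomy categories whose indicative phrases share a token with text."""
    toks = set(tokenize(text))
    return {cat for cat, phrases in TAXONOMY.items()
            if any(set(tokenize(p)) & toks for p in phrases)}


def map_controls(org, framework, threshold=0.25):
    """Map each org control to its best-matching framework control above threshold.

    Returns org_id -> (framework_id, score, shared_topics) or None when no
    framework control is similar enough (a candidate gap or an unmapped control).
    """
    vectors = tfidf_vectors({**framework, **org})  # IDs are disjoint by construction
    mapping = {}
    for org_id, text in org.items():
        best_id, best_score = max(
            ((fw_id, cosine(vectors[org_id], vectors[fw_id])) for fw_id in framework),
            key=lambda pair: pair[1])
        if best_score >= threshold:
            shared = topics(text) & topics(framework[best_id])  # the explanation
            mapping[org_id] = (best_id, round(best_score, 3), sorted(shared))
        else:
            mapping[org_id] = None
    return mapping


def coverage_report(org, framework, threshold=0.25):
    """Overall coverage, uncovered framework controls, and coverage per taxonomy topic."""
    mapping = map_controls(org, framework, threshold)
    covered = {m[0] for m in mapping.values() if m}
    gaps = sorted(fw_id for fw_id in framework if fw_id not in covered)
    by_topic = {}
    for cat in TAXONOMY:
        in_cat = [fw_id for fw_id, text in framework.items() if cat in topics(text)]
        hit = [fw_id for fw_id in in_cat if fw_id in covered]
        by_topic[cat] = len(hit) / len(in_cat) if in_cat else None
    return {"mapping": mapping, "coverage": len(covered) / len(framework),
            "gaps": gaps, "by_topic": by_topic}


if __name__ == "__main__":
    report = coverage_report(ORG_CONTROLS, FRAMEWORK)
    for org_id, match in report["mapping"].items():
        print(org_id, "->", match)
    print("overall coverage:", report["coverage"])
    print("uncovered framework controls:", report["gaps"])
    print("coverage by taxonomy topic:", report["by_topic"])
```

Run as a script, it maps each of the three organizational controls to one framework requirement, reports RA-1 (vulnerability scanning) as the uncovered gap, and shows the per-topic view the taxonomy adds: the identity, data-protection and logging topics are fully covered while vuln-mgmt sits at zero. The shared-topic list on each match is the kind of explanation a reviewer can check without reading the similarity score, which is the role the abstract assigns to its domain-specific taxonomy.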