Evidence-Based Audits
An evidence-based audit in cybersecurity is a systematic examination of an organization's security controls and practices in which every audit finding is directly supported by objective evidence. This approach emphasizes verifiable data and records over subjective assessments.
Here's a breakdown of the key characteristics:
Objective Evidence: The cornerstone of evidence-based audits is the reliance on tangible evidence. This can include:
Logs and records of system activity.
Configuration files and system settings.
Network traffic captures.
Vulnerability scan results.
Policy documents and procedures.
Incident reports.
Verifiable Findings: Audit conclusions are directly traceable to the evidence collected. Auditors document the evidence they reviewed and how it supports their findings.
Reproducibility: Where possible, the evidence and audit procedures should allow reproducibility. This means another auditor could review the same evidence and arrive at similar conclusions.
Systematic Approach: Evidence-based audits follow a structured methodology, including:
Planning the audit scope and objectives.
Identifying relevant controls.
Gathering and analyzing evidence.
Documenting findings and recommendations.
Focus on Controls: The audit assesses the design and effectiveness of security controls. Evidence is used to determine whether controls are implemented as intended and are operating effectively to mitigate risks.
Risk-Based Approach: Evidence is often gathered and analyzed in the context of the organization's risk assessment. This helps prioritize audit efforts and focus them on the most critical areas.
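The characteristics above (objective evidence, verifiable findings, reproducibility, and a focus on control effectiveness) can be made concrete in tooling. The following is an added example, not code from the original page or from any vendor: it records each collected artifact in an evidence manifest with a content hash and collection time, evaluates one control against that evidence while citing the evidence IDs it relied on, and lets a second reviewer confirm that the cited evidence is present and unchanged before re-evaluating the finding. The control ("SSH password authentication disabled"), the artifact names, and the sshd_config contents are constructed sample data.

```python
"""Evidence manifest and traceable findings for an evidence-based audit.

Added example (not from the original page). Artifacts, control and
file names are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample artifacts: configuration files an auditor might
# collect for the control "remote administrative access requires
# key-based authentication". Inline bytes stand in for pulled files.
ARTIFACTS = {
    "sshd_config.host-a": b"PasswordAuthentication no\nPermitRootLogin no\n",
    "sshd_config.host-b": b"PasswordAuthentication yes\nPermitRootLogin no\n",
}

CONTROL = "SSH password authentication disabled"


@dataclass
class EvidenceRecord:
    evidence_id: str   # stable ID that findings cite
    source: str        # where the artifact was collected from
    sha256: str        # content hash so a reviewer can detect changes
    collected_at: str  # ISO-8601 collection timestamp


@dataclass
class Finding:
    control: str
    result: str        # "effective" or "ineffective"
    reasoning: str
    evidence_ids: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict, collected_at: str) -> list:
    """Record each collected artifact with its hash and provenance."""
    return [
        EvidenceRecord(f"EV-{i:03d}", name, sha256_hex(data), collected_at)
        for i, (name, data) in enumerate(sorted(artifacts.items()), start=1)
    ]


def parse_sshd_config(data: bytes) -> dict:
    """Minimal 'Keyword value' parser; ignores blanks and comments."""
    settings = {}
    for line in data.decode().splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1]
    return settings


def assess_password_auth_control(manifest: list, artifacts: dict) -> Finding:
    """Evaluate the control against the evidence and cite what was used.

    The control is judged effective only if every collected sshd_config
    sets PasswordAuthentication to 'no' (the sshd default is 'yes').
    """
    failing, cited = [], []
    for rec in manifest:
        cited.append(rec.evidence_id)
        settings = parse_sshd_config(artifacts[rec.source])
        if settings.get("PasswordAuthentication", "yes").lower() != "no":
            failing.append(rec.source)
    if failing:
        reason = "PasswordAuthentication not 'no' on: " + ", ".join(failing)
        return Finding(CONTROL, "ineffective", reason, cited)
    reason = "All collected sshd_config files set PasswordAuthentication no"
    return Finding(CONTROL, "effective", reason, cited)


def verify_finding(finding: Finding, manifest: list, artifacts: dict) -> list:
    """Second-reviewer check: each cited evidence ID must be in the
    manifest and its artifact must still hash to the recorded value.
    Returns a list of problems; empty means the evidence chain is intact."""
    by_id = {rec.evidence_id: rec for rec in manifest}
    problems = []
    for eid in finding.evidence_ids:
        rec = by_id.get(eid)
        if rec is None:
            problems.append(f"{eid}: cited but not in manifest")
        elif rec.source not in artifacts:
            problems.append(f"{eid}: artifact {rec.source} missing")
        elif sha256_hex(artifacts[rec.source]) != rec.sha256:
            problems.append(f"{eid}: artifact {rec.source} changed since collection")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    manifest = build_manifest(ARTIFACTS, now)
    finding = assess_password_auth_control(manifest, ARTIFACTS)
    print(json.dumps({"manifest": [asdict(r) for r in manifest],
                      "finding": asdict(finding)}, indent=2))
    # Simulate an artifact altered after collection; verification flags it.
    tampered = dict(ARTIFACTS)
    tampered["sshd_config.host-b"] = b"PasswordAuthentication no\n"
    print(verify_finding(finding, manifest, tampered))
```

The manifest, the finding and the cited evidence IDs are what get filed with the audit; the reviewer's verification step is what makes the finding reproducible rather than taken on the first auditor's word.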
Here's how ThreatNG supports evidence-based audits in cybersecurity:
1. External Discovery
ThreatNG's external discovery capabilities provide foundational evidence for audits by systematically identifying and cataloging an organization's external-facing assets.
The data gathered, such as domain records, subdomains, and exposed services, constitutes objective evidence of the organization's attack surface.
For example, the Domain Intelligence module provides concrete evidence in DNS records and WHOIS data, showing the organization's control and configuration of its domains.
2. External Assessment
ThreatNG's external assessment modules generate evidence-based findings by analyzing the external attack surface and digital risk intelligence.
The susceptibility ratings are derived from observable data and provide quantifiable evidence of security risks.
Examples:
Cyber Risk Exposure: ThreatNG uses parameters from its Domain Intelligence module, including certificates, subdomain headers, vulnerabilities, and sensitive ports, to determine cyber risk exposure. This provides auditors with specific, technical evidence supporting the risk assessment.
Code Secret Exposure: ThreatNG's discovery of code repositories and investigation of their contents for sensitive data provides direct evidence of potential data leaks.
Mobile App Exposure: ThreatNG's analysis of mobile apps in marketplaces, looking for exposed credentials and security vulnerabilities, yields concrete evidence of security risks.
3. Reporting
ThreatNG's reporting functionality delivers audit-ready reports with evidence-backed findings.
The reports include detailed information and context, allowing auditors to trace findings to the supporting evidence.
The reports contain risk levels, reasoning, and reference links.
4. Continuous Monitoring
ThreatNG's continuous monitoring capabilities provide ongoing evidence regarding the organization's external security posture.
This continuous monitoring creates a timeline of security-related data, enabling auditors to assess trends and changes over time.
5. Investigation Modules
ThreatNG's investigation modules offer detailed evidence that auditors can use to validate findings and gain a deeper understanding of security issues.
Examples:
Domain Intelligence: This module provides evidence like DNS records, WHOIS data, and subdomain information, enabling auditors to verify domain-related security configurations and risks independently.
Sensitive Code Exposure: This module gives auditors access to evidence of exposed code repositories and the specific sensitive information they contain, allowing for a thorough evaluation of code security practices.
6. Intelligence Repositories
ThreatNG's intelligence repositories serve as valuable sources of evidence for audits.
These repositories contain data on dark web activity, compromised credentials, ransomware events, and known vulnerabilities, providing auditors with objective information to assess the organization's risk exposure and threat landscape.
7. Working with Complementary Solutions
ThreatNG's evidence-based data can be used to enhance other security tools and provide more comprehensive audit evidence.
For example, ThreatNG's vulnerability data can be integrated with vulnerability management systems, providing auditors with a consolidated view of external and internal vulnerabilities.
In summary, ThreatNG supports evidence-based audits by providing objective, verifiable data on an organization's external security posture.