Category: Uncategorized

  • Single Platform Bringing TODYL Security?

    Software engineers call it refactoring. Every solution starts simple and grows to a point of unmanageability. Legacy security technology companies are struggling to refactor to remain relevant as clients demand more for less. Small to medium-sized companies have even smaller budgets and have traditionally come up short. In 2015, Todyl was founded to deliver a simple, yet extendable solution, providing a unique option for small to medium-sized companies.

In the early 2000s, Splunk transformed the SIEM market by delivering meaningful value to both IT and cybersecurity roles from a single platform. Unlike vendors that required extensive professional services to deliver a single use case, Splunk sold standard seats that satisfied mainstream needs. Todyl has a similar vision: it strives for simplicity and empowers ownership, yet offers a modular and extendable platform with broader capability.

Clients save in two ways: cost to implement and cost to maintain.

BUSINESS ALIGNMENT – Every security program must align to the business context, risks, and governance structure of the organization. Todyl offers a Governance, Risk, and Compliance (GRC) module to address this need.

SECURITY OPERATIONS – Business context and operational context are two entirely different things. Todyl offers three modules to improve the manageability of security operations. Its Security Information and Event Management (SIEM) ingests data from across the IT environment, normalizing, aggregating, and displaying it in a single pane of glass so security teams can gain insight into activity. Its Security Orchestration, Automation, and Response (SOAR) streamlines response processes and creates repeatable playbooks for handling potential threats. Last, clients can add Managed Extended Detection and Response (MXDR) to get 24×7 monitoring and management of some or all of their devices.

INFRASTRUCTURE SECURITY – Infrastructure security detects and responds to threats to the endpoint and the network. Todyl delivers endpoint security through a single Endpoint Detection and Response / Next-Generation Anti-Virus (EDR/NGAV) agent. Network access control and filtering often come up short, exposing the ‘crown jewels’. Todyl offers Secure Access Service Edge (SASE) to close this network security gap.

FINAL THOUGHTS – In the author’s assessment, Todyl’s single platform has significant coverage of the cybersecurity ecosystem. It provides endpoint and network security; governance, risk, and compliance; monitoring and operations; and managed services. Todyl gives SMB and mid-cap organizations a new option, and offers a return-on-investment case to clients of any size.

  • Exposures Matter More than mere Threats

    CTEM | Ridge Security

Exposure to validated threats presents undeniable risk to the enterprise. Such actionable information improves Cyber Threat Intelligence (CTI), enables holistic Vulnerability Management (VM), minimizes impact, and maximizes the performance of Offensive Threat (OT) activities. Clients should consider adopting emerging Exposure Management (EM) technologies to migrate to a high-performance Continuous Threat Exposure Management (CTEM) program.

Managing vulnerabilities and being aware of threats is good enough – right? Unfortunately not. There are too many siloed vulnerability assessment services and divergent threat intelligence sources. Over a year ago, Gartner raised the issue and loudly predicted a shift from mere threat management to exposure management [1]. The focus now shifts to Continuous Threat Exposure Management (CTEM).


For years, the goal has been to act upon Cyber Threat Intelligence. Tools did evolve to serve the operational and technical stakeholders of CTI [2]. Unfortunately, little actionable information has been available to strategic and tactical stakeholders. According to Gartner, CTEM sits at the intersection of Threat Detection and Incident Response (TDIR) and Governance, Risk, and Compliance (GRC) – exactly where strategic and tactical stakeholders operate.

In our last article, we learned that an IT security plan should consider emerging technologies. Luckily, Continuous Threat Exposure Management programs are evolving, and Exposure Management (EM) tools have emerged. EM is one of only two tool categories Gartner rates as TRANSFORMATIONAL to security operations, and it is expected to reach mainstream adoption in 5-10 years [3]. Early adopters may gain significant benefit depending on where they are in terms of vulnerability and threat management. Consider EM technologies if your organization wants additional validation of its security posture, is looking for more automation in running attack scenarios, and/or wants to establish a red team with limited training or experience.


Hive Pro, a Continuous Threat Exposure Management solution, has been added to Cyber Buyer’s portfolio. Read their article to learn more about CTEM, and let us know if you would like an introductory meeting on their solution.

    References:

1. Gartner – Predicts 2023: Enterprises Must Expand From Threat to Exposure Management – https://www.gartner.com/en/documents/4021605
2. SOCRadar – What is Tactical Cyber Threat Intelligence and How to Use it – https://socradar.io/what-is-tactical-cyber-threat-intelligence-and-how-to-use-it/
3. Gartner – Hype Cycle for Security Operations, 2023 – https://www.gartner.com/en/documents/4547399

  • Slow CMMC Boat to Arrive; Rules Being Finalized

    Companies must prudently gather evidence of their control over Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in support of 2025 defense contracts. 

    While the timeframe of applicability of CMMC to any given company varies sharply, there is NO REASON to wait.  Waiting will decrease your likelihood of demonstrating compliance!

Most security programs are born in reaction to compliance requirements.  The best programs evolve a culture that proactively safeguards protected information and processing facilities well beyond compliance.  The Military Industrial Base (MIB) has companies with security programs across the full spectrum of maturity.  Where each company falls is unknown: the Department of Defense hasn’t measured program capabilities, but will do so shortly.  It is time to get prepared to demonstrate the required maturity level.

Forty years have passed waiting for an auditable framework.  In 1984, contractor attestation began with the Federal Acquisition Regulation (FAR).  The Department of Defense (DoD) later layered cybersecurity requirements on top through the Defense Federal Acquisition Regulation Supplement (DFARS), notably clause 252.204-7012, which since the end of 2017 has required contractors handling CUI to implement NIST SP 800-171 and self-attest to it.  In 2020, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) to add independent verification on top of that self-attestation regime.   Companies now need verified evidence of their controls.

According to a study performed by Merrill Research, “the majority of contractors do not have the people, processes and technologies in place to meet the minimum cybersecurity requirements for doing business with the DoD, but often assess their companies as compliant when conducting their self-assessments”.[i]  Until now, the government has merely accepted the contracting organization’s attestations to controls.  Unvalidated attestations could be off by an order of magnitude.  Evidence backing up the statements may not exist, or might even contradict them.  An independent review now would likely identify issues and enable proactive remediation.

Many in the MIB have fallen asleep waiting for CMMC to be implemented.  The first delay in CMMC was due to the design of the model itself, and the change was significant.  Version 1.0 was released in January 2020 and was replaced by CMMC 2.0 in November 2021, less than two years later.  CMMC 1.0 had 5 maturity levels; 2.0 has only 3 – Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).  The type of information handled under a contract (FCI or CUI) dictates the level a contractor must achieve. 

The biggest delay has been in the verification and enforcement of rules – what the DoD calls rulemaking.  As of July 17, 2024, the DoD forecast publication of the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program in the Federal Register by October 26, 2024.  That is just weeks away, and the DoD wants the rule in force as soon as possible.  However, the rule, 32 CFR Part 170[ii], is classified as a “major” rule: it is subject to regulatory review of up to 120 days before it can be published, and under the Congressional Review Act it cannot take effect until at least 60 days after publication.  Taken together, that puts applicability roughly six months out.  A gap assessment can identify the remediation needed to reach your target level before CMMC is mandated.

    Two options exist.  All companies in the Military Industrial Base should at least be performing a self-assessment.  Many are taking the added step to be independently certified. 

For decades, compliance was done manually using spreadsheets to capture attestations, evidence, findings, and action plans.  Companies managed their organization one way while reporting compliance another way.  This approach leads to more compliance issues and inefficiencies.  Consider choosing an audit firm that offers an AI-enabled platform to manage your controls and audit them.  Choosing an independent audit firm is a non-trivial exercise.  The 2024 Compliance Benchmark Report[iii] offers some considerations before proceeding.  Almost half (45%) of survey respondents have found their compliance process to be cumbersome and would switch audit providers for efficiency.  Many firms (44%) are using AI to optimize the compliance process.   Clients choose their auditor based on experience (32%), ability to audit using tools and technologies (22%), and report quality (19%).

Our motto is Trust But Verify.  The DoD will adopt that motto soon.  Let us help you efficiently create verifiable security now in preparation for CMMC!


[i] National Defense Magazine – Few Companies Ready for CMMC Compliance, Study Finds – https://www.nationaldefensemagazine.org/articles/2024/10/1/few-companies-ready-for-cmmc-compliance-study-finds

[ii] Federal Register – Cybersecurity Maturity Model Certification (CMMC) Program, 32 CFR Part 170 – https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program

[iii] A-LIGN – The 2024 Compliance Benchmark Report – https://go.a-lign.com/Benchmark-Report-2024