SILVA, R. S.; http://lattes.cnpq.br/3141388403876772; SILVA, Raiff dos Santos
Abstract:
The current security landscape demands efficient processes that keep pace with the advancing
techniques employed in cyber attacks. From this perspective, process automation is
seen as an alternative for meeting the security needs of information systems, optimizing
manual activities and providing scalability. Security standards, and often legislation,
require organizations to shape a security posture that maintains data privacy or addresses
specific areas of operation; compliance is the means of proving that the required good
practices have been implemented.
Compliance, often obtained through audit processes run by certifying bodies, can also be
achieved through the use of security frameworks. CIS Controls V8 and the NIST Cybersecurity
Framework provide widely used security controls. In this study, we define how to
use these security frameworks as a basis for security recommendations that provide compliance
for vulnerability management processes. We use CIS Controls V8 to extract relevant
keywords with machine learning algorithms that enable the discovery of security
tools, thus supporting our technical cybersecurity implementations. We operationalize compliance
with methods that measure it through vulnerability verification metrics and
security recommendation coverage.
Finally, we aggregate everything learned from the operationalization of compliance to propose
a continuous compliance model. This model relies on process automation to
execute vulnerability verification tools that collect security evidence about the system
architecture. It also includes the analysis of vulnerabilities that threaten security, using our
verification metric, which defines the exploitability and impact related to the assets verified in
our processes.
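To make the two measurements described above concrete (recommendation coverage on one hand, a per-asset verification metric built from exploitability and impact on the other), the following added example sketches one iteration of a continuous compliance cycle. It is illustrative code written for this page, not the author's implementation: the safeguard numbers come from Control 7 of CIS Controls V8 as I recall them (titles paraphrased), the evidence records and vulnerability identifiers are constructed, and the scoring rule (highest exploitability times impact among an asset's findings, compared against a threshold) is an assumed stand-in for the thesis's own metric.

```python
from dataclasses import dataclass, field

# Constructed recommendation catalogue. Safeguard numbers are from CIS Controls V8,
# Control 7 (Continuous Vulnerability Management); the titles are paraphrased.
RECOMMENDATIONS = {
    "7.5": "Perform automated vulnerability scans of internal enterprise assets",
    "7.6": "Perform automated vulnerability scans of externally-exposed enterprise assets",
    "7.7": "Remediate detected vulnerabilities",
}


@dataclass
class Finding:
    asset: str
    vuln_id: str            # constructed identifier, not a real CVE
    exploitability: float   # assumed 0.0-1.0 scale reported by the scanning tool
    impact: float           # assumed 0.0-1.0 scale


@dataclass
class Evidence:
    recommendation: str     # safeguard this tool run provides evidence for
    asset: str
    tool: str               # hypothetical tool name
    findings: list[Finding] = field(default_factory=list)


def recommendation_coverage(evidence, applicable=RECOMMENDATIONS):
    """Fraction of applicable recommendations backed by at least one piece of tool evidence."""
    covered = {e.recommendation for e in evidence if e.recommendation in applicable}
    return len(covered) / len(applicable) if applicable else 0.0


def verification_score(findings):
    """Assumed verification metric: worst exploitability * impact product among the findings."""
    return max((f.exploitability * f.impact for f in findings), default=0.0)


def asset_report(evidence, threshold=0.5):
    """Aggregate findings per asset and decide whether each asset passes the threshold."""
    per_asset = {}
    for e in evidence:
        per_asset.setdefault(e.asset, []).extend(e.findings)
    return {
        asset: {"score": verification_score(fs), "compliant": verification_score(fs) < threshold}
        for asset, fs in per_asset.items()
    }


def continuous_compliance_cycle(evidence, threshold=0.5, min_coverage=1.0):
    """One cycle: coverage of the recommendation set plus a verdict on every verified asset."""
    coverage = recommendation_coverage(evidence)
    assets = asset_report(evidence, threshold)
    compliant = coverage >= min_coverage and all(a["compliant"] for a in assets.values())
    return {"coverage": coverage, "assets": assets, "compliant": compliant}


# Constructed evidence from one automated run: an internal scan with a serious finding,
# an external scan with no findings, and no evidence yet for remediation (7.7).
SAMPLE_EVIDENCE = [
    Evidence("7.5", "web-01", "internal-scanner",
             [Finding("web-01", "VULN-0001", exploitability=0.9, impact=0.8)]),
    Evidence("7.6", "db-01", "external-scanner", []),
]

if __name__ == "__main__":
    report = continuous_compliance_cycle(SAMPLE_EVIDENCE)
    print(f"coverage: {report['coverage']:.2f}")
    for asset, verdict in report["assets"].items():
        print(f"{asset}: score={verdict['score']:.2f} compliant={verdict['compliant']}")
    print("overall compliant:", report["compliant"])
```

With the constructed evidence the cycle reports two of three recommendations covered and flags `web-01` as non-compliant, so the overall verdict is negative; once remediation evidence for 7.7 arrives and the finding is closed, a second cycle would report full coverage and a passing verdict.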