Automation of Security Controls for Continuous Compliance in Vulnerability Management

  • Raiff Silva UFCG
  • Andrey Brito UFCG
  • Jean Paulo de Lima Filho UFCG

Abstract


The current security landscape demands processes efficient enough to keep pace with the advancement of cyberattack techniques. Automating the processes that encompass security activities is therefore considered an alternative for meeting protection needs at the pace required by information systems: manual activities benefit from optimization and automation, which in turn enable scalability and cost reduction. In this work, we propose a vulnerability management process that supports continuous compliance verification, specifically targeting security challenges in IaaS cloud systems and focusing on vulnerabilities in components under the responsibility of cloud service users. For this purpose, we define the operationalization of compliance around a base of recommendations drawn from the CIS and NIST security frameworks, which supports the creation of security policies and mechanisms, together with the technical resources for implementing those recommendations and the automated execution of security tools. Additionally, we establish the key factors needed to measure compliance: CVSS-based metrics, defined as the Node Verification Metric (NVM), and the decomposition of security recommendations into the actions and conditions that structurally constitute them, which is used to define evidence.
Keywords: Vulnerability, Security, Tool, Compliance, Automation, Cloud, IaaS
Published
26/11/2024
SILVA, Raiff; BRITO, Andrey; LIMA FILHO, Jean Paulo de. Automation of Security Controls for Continuous Compliance in Vulnerability Management. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 13., 2024, Recife/PE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 1–10.