
TIPS #30: The Compensating Controls Conundrum

Shane Shook

August 19, 2025

  • Blog Post
  • TIPS

Editor’s note: This TIPS post is part two of a special two-blog miniseries on tech debt, patching, compensating controls, and risk management. Read the first post here.

Issue: “Paper controls” lead to a false sense of security.

As discussed in TIPS #29, for many systems and software carrying long- and short-term tech debt, patches are unavailable because the technology is unsupported or impractical because of resource constraints. In these cases, compensating controls are necessary: security controls that build procedural or technical wrappers around a system in order to manage security risks where patching is infeasible.

The problem is that in practice, many companies use compensating controls to meet security compliance mandates (such as GDPR, DORA, FINRA, and SEC requirements) but fail to address known threat actor tactics, techniques, and procedures (TTPs). Audit-driven security programs often do not properly validate and test “paper” compensating controls within the broader context of security posture, leading to a false sense of security.

Operations vs. security: A strategic dilemma

This phenomenon stems from the same tension at the root of many patching delays: conflicting mandates between security and operations teams.

The CIO is responsible for maintaining continuous services and their main goal is operational stability. From this perspective, every new patch or compensating control could involve an incompatibility or faulty update and is a potential source of disruption.

Conversely, the CISO is responsible for mitigating and managing security risks. Their primary goal is to protect the organization from threats. From this perspective, implementing comprehensive patches and robust, multi-layered security controls is essential.

However, there is some shared ground. Both leaders seek a defensible, objective, and operationally realistic solution that will satisfy auditors, regulators, and the board. A compliance-focused compensating control is often the path of least resistance, offering a predictable, well-understood security benchmark that checks the box from a compliance perspective, satisfies governance demands, and is less likely to cause system disruptions compared to a more complex solution.

Impact: “Paper controls” create opportunities for threat actors to infiltrate networks, steal data, and commit fraud.

When companies rely upon unvalidated but compliant controls, they miscalculate risk and leave themselves vulnerable. For example:

  • Multi-Factor Authentication (MFA) is a commonly accepted compensating control but is not a complete identity security solution on its own. Threat actors can bypass MFA with methods including social engineering, SIM swapping, and session hijacking.
  • Two-person integrity (2PI) is often used as a compensating control for access management and payment authorization. However, it is typically facilitated via email or messaging applications, technologies that are routinely compromised through phishing and Business Email Compromise (BEC) attacks.
  • Network segmentation is a standard compensating control which limits lateral movement and isolates threats to subsections of the broader network. However, firewall misconfigurations are common and leave gaps that threat actors can capitalize upon, using techniques like Living off the Land to move through network segments undetected.

The following case studies demonstrate the impact of failed compensating controls:

Arup deepfake scam (2024)

A finance employee at British multinational design firm Arup was duped into transferring $25 million to attackers, who used AI deepfakes of the company’s CFO and other employees during a video conference call. This incident demonstrates a modern threat, AI deepfakes, bypassing an established financial approval process.

MOVEit breach (2023)

The MOVEit breach is a powerful example of attackers capitalizing on a single-day vulnerability and failed compensating controls. The patch for the initial MOVEit zero-day required human intervention. The Clop ransomware gang moved with remarkable speed to exploit the lag between the patch’s release and its adoption. Most existing compensating controls were insufficient to cover this gap and mitigate the breach, which ultimately impacted over 60 million people. Notably, MOVEit was not a widespread utility and the vulnerability was a high-impact, low-probability risk that many companies miscalculated and were unprepared for.

JBS ransomware breach (2021)

The 2021 JBS meat packing cyber breach, a ransomware attack attributed to the REvil group, caused the shutdown of multiple beef, pork, and poultry plants in North America and Australia. A few years before the incident, JBS had declined to implement advanced endpoint detection and response (EDR) tools recommended via a penetration test, instead continuing to rely upon basic firewalls, antivirus, and log monitoring. Former employees also reported that some production-line computers ran outdated software, were connected to the corporate network, and were not isolated from internet-facing assets, highlighting a lack of effective patch management and compensating controls. These conditions enabled the attackers to compromise operations. JBS halted production and ultimately paid an $11 million ransom in Bitcoin.

Action: Reframe risk management and continuously test and validate compensating controls.

1) Reframe the CISO-CIO risk management negotiation

CISOs and CIOs need a shared, practical framework for making better risk decisions. CISOs must apply critical thinking to prioritize requests and avoid unrealistic demands that the infrastructure team cannot meet without causing significant disruptions. CIOs must consider long-term security in addition to short-term business disruptions. Both must move beyond compliance to address threat actor TTPs.

Two risk management frameworks can be applied here to appropriately balance security and operational needs:

ALARP

ALARP (As Low as Reasonably Practicable) is a risk management model which is often used in health and safety systems and can be adapted to cybersecurity. ALARP assesses risks and the costs associated with mitigating those risks, with the goal of reducing risk as much as possible within reason. It is often visualized with a funnel that separates unacceptable risks, acceptable risks, and risks that are tolerable provided they are as low as reasonably practicable, meaning the cost of mitigating the risk further would outweigh the benefit.

A more practical threat/risk matrix

Pair ALARP with a threat/risk matrix to zoom in on the dimensions of probability, impact, and risk mitigation via compensating controls.

Traditionally, risks and threats are calculated based on probability and impact:

Threat/Risk = Probability x Impact

However, this does not account for the role of compensating controls. A weak or unvalidated control dramatically increases the real-world value of a threat or risk, while a strong compensating control decreases it.

Use the following revised formula and threat matrix to consider the impact of relevant compensating controls:

Threat/Risk = (Probability x Impact) / Compensating Controls
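The following is an added worked example, not code from the original post or from any company it names. It scores a small constructed risk register with the revised formula above and bands each result into the ALARP zones described earlier. The 1-5 scales, the control-effectiveness scale, the discount applied to an untested “paper” control, and the zone thresholds are all assumptions chosen for illustration; the register entries are constructed, not real data. The example goes slightly beyond the formula itself by separating the risk an audit believes a control removes from the risk it actually removes once validation is taken into account.

```python
"""Score a constructed risk register with the post's revised formula and
band the results into ALARP zones.

    Threat/Risk = (Probability x Impact) / Compensating Controls

All scales and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int   # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int        # assumed scale 1 (negligible) .. 5 (severe)
    control: int       # assumed scale 1 (no control) .. 5 (strong), as claimed
    validated: bool    # has the control been tested against real-world TTPs?


# Assumption: an untested "paper" control earns credit for only part of its
# claimed strength. A control rated 1 means "nothing effective", so dividing
# by 1 leaves the traditional Probability x Impact score unchanged.
PAPER_DISCOUNT = 0.5

# Assumed ALARP thresholds on the resulting 1..25 scale.
UNACCEPTABLE = 15.0        # must be mitigated regardless of cost
BROADLY_ACCEPTABLE = 5.0   # no further mitigation required


def traditional_score(r: Risk) -> float:
    """The conventional Probability x Impact calculation."""
    return float(r.probability * r.impact)


def claimed_control(r: Risk) -> float:
    """The effectiveness an audit-driven review would credit: face value."""
    return float(r.control)


def effective_control(r: Risk) -> float:
    """Effectiveness once validation status is considered."""
    if r.validated:
        return float(r.control)
    return 1.0 + (r.control - 1) * PAPER_DISCOUNT


def audit_score(r: Risk) -> float:
    """Risk as it appears on paper: raw risk divided by the claimed control."""
    return traditional_score(r) / claimed_control(r)


def revised_score(r: Risk) -> float:
    """Risk per the revised formula, using validated effectiveness."""
    return traditional_score(r) / effective_control(r)


def masked_risk(r: Risk) -> float:
    """How much risk a paper control hides from the audit view."""
    return revised_score(r) - audit_score(r)


def alarp_zone(score: float) -> str:
    if score >= UNACCEPTABLE:
        return "unacceptable"
    if score > BROADLY_ACCEPTABLE:
        return "tolerable (ALARP)"
    return "broadly acceptable"


def rank(register: list[Risk]) -> list[Risk]:
    """Highest real-world risk first."""
    return sorted(register, key=revised_score, reverse=True)


# Constructed register, loosely modelled on the failure patterns in the post.
REGISTER = [
    Risk("Unpatched file-transfer appliance", 4, 5, control=4, validated=False),
    Risk("Payment approval via email 2PI", 3, 5, control=3, validated=False),
    Risk("Production-line hosts, no isolation", 4, 5, control=1, validated=False),
    Risk("Flat OT segment behind tested firewall", 3, 4, control=4, validated=True),
    Risk("MFA on VPN, tested against phishing", 2, 3, control=4, validated=True),
]


if __name__ == "__main__":
    print(f"{'risk':42} {'trad':>5} {'audit':>6} {'real':>6}  zone")
    for r in rank(REGISTER):
        print(f"{r.name:42} {traditional_score(r):5.1f} {audit_score(r):6.1f} "
              f"{revised_score(r):6.1f}  {alarp_zone(revised_score(r))}")
```

Running the block prints the register ranked by real-world score. The unpatched appliance drops from 20 to 5.0 on paper (“broadly acceptable”) but only to 8.0 once the untested control is discounted, so three points of risk are masked; the unisolated production hosts keep their full score of 20 because no effective control exists to divide by.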

2) Identify where you need compensating controls

Once you have adapted the above risk management frameworks, you will have a strong starting point to determine which risks require mitigation via compensating controls. When selecting the appropriate tools to protect your systems, ensure that your security posture is oriented towards mitigating demonstrated risks and threats in addition to meeting compliance requirements.

Hyperproof provides an intelligent compliance operations platform that helps you continuously map tools to requirements, manage risks, and test controls to develop trust with your customers.

“Effective compliance operations treat compensating controls as dynamic processes that require their own lifecycle of testing, updating, and validation, with the same rigor as monthly patch cycles. An audit-focused, checkbox approach doesn’t actually mitigate risk, secure your company, or benefit your stakeholders.”

Craig Unger Founder and CEO, Hyperproof

3) Implement compensating controls

Huntress provides critical compensating controls for endpoint security. Its managed Endpoint Detection and Response (EDR) is designed to detect and eliminate persistent footholds that attackers establish by exploiting unpatched systems and insufficient preventative measures. This is essential for addressing the “validation gap” where a patch was delivered but failed to execute, leaving the endpoint vulnerable.

Symmetry Systems offers critical data-centric controls including Data Security Posture Management (DSPM), Data Detection and Response (DDR), and Data Access Governance (DAG) to protect your data when attackers bypass other perimeter controls.

SPHERE’s platform delivers continuous identity risk intelligence, giving you visibility over your identity environment and helping you remediate overprivileged access to protect valuable business assets when perimeter defenses fail.


“Identity-based controls need to be continuously monitored and updated because identity is a moving target. User roles and access rights are constantly changing, as are the latest identity threats.”

Rita Gurevich Founder and CEO, SPHERE

ReversingLabs helps you secure the Continuous Integration and Continuous Delivery (CI/CD) pipeline where vulnerabilities are often introduced, mitigating short-term tech debt and stopping threats embedded in software components, libraries, scripts, and artifacts.

GetReal Security provides advanced content verification to counter emerging AI-driven threats like deepfakes which bypass traditional 2PI and other controls.

4) Continuously test and validate controls

Finally, take steps to test and validate your compensating controls based on demonstrated threat actor TTPs, not just compliance standards.

Bishop Fox’s Attack Surface Testing (AST) directly validates the efficacy of compensating controls by actively testing defenses against real-world attack techniques.

Surefire Cyber helps you validate and strengthen detection, incident response, and process controls with executive tabletop exercises based on real-world threat actor TTPs.

“The most dangerous compensating control is one that was agreed upon to meet a compliance requirement but hasn’t been tested. Collaboration between security and operations teams should include a shared commitment to cyclically validating controls and response playbooks against real-world threats.”

Billy Gouveia Founder and CEO, Surefire Cyber