The “you’re sued” part is part of what ensures that the forms get filled out honestly and comprehensively.
Depending on the kind of audit you do, the actual deliverable you give your auditor may just be a spreadsheet with a bunch of Y/N answers to hundreds of questions like “Do all workstations have endpoint protection software”, “Do all servers have intrusion detection software”, etc. with screenshots of dashboards as supporting evidence for some of them.
But regardless of how much evidence an external auditor asks for, at large companies doing important audits, every single thing you say to the auditor will be backed internally with supporting evidence and justification for each answer you give.
At a bank you might have an “internal audit” department that has lots of meetings and back-and-forth with your IT department; at an airline it might be a consulting firm that you bring in to modernize your IT and help you handle the audit, or, depending on your relationship with your auditor and the nature of the audit, it might be someone from the audit firm itself that is advising you. In each case, their purpose is to make sure that every machine across your firm really does have correctly configured EDR, fully up to date security patches, firewalled, etc. before you claim that officially to an auditor.
Maybe you have some random box used to show news headlines on TVs in the hallways—turns out these are technically in-scope for having EDR and all sorts of other endpoint controls, but they’re not compatible with or not correctly configured to run Microsoft Defender, or something. Your IT department will say that there are various compensating / mitigating controls or justifications for why they’re out of scope, e.g. the firewall blocks all network access except the one website they need to show the news, the hardware itself is in a locked IT closet, they don’t even have a mouse / keyboard plugged in, etc. These justifications will usually be accepted unless you get a real stickler (or have an obstinate “internal auditor”). But it’s a lot easier to just say “they all run CrowdStrike” than it is to keep track of all these rationales and compensating controls, and indeed ease-of-deployment is literally the first bullet in CrowdStrike’s marketing vs. Microsoft Defender:
CrowdStrike: Deploy instantly with a single, lightweight agent — no OS prerequisites, complex configuration, or fine tuning required.
Microsoft: Complicated deployment hinders security. All endpoints require the premium edition of the latest version of Windows, requiring upfront OS and hardware upgrades for full security functionality.
You wrote in a sibling reply:
Further, the larger implication of the above tweet is that companies use Crowdstrike because of regulatory failure, and this is also simply untrue. There are lots of reasons people sort of unthinkingly go with the name brand option in security, but that’s a normal enterprise software thing and not anything specific to compliance.
I agree that this has little to do with “regulatory failure” and don’t know / don’t have an opinion on whether that’s what the original tweet author was actually trying to communicate. But my point is that firms absolutely do make purchasing decisions about security software for compliance reasons, and a selling point of CrowdStrike (and Carbon Black, and SentinelOne) is that they make 100% compliance easier to achieve and demonstrate vs. alternative solutions. That’s not a regulatory failure or even necessarily problematic, but it does result in somewhat different outcomes compared to a decision process of “unthinkingly going with the name brand option” or “carefully evaluate and consider only which solutions provide the best actual security vs. which are theater”.