How JupiterOne's Security Team Manages "Meeting Evidence" as Code

by

If you're anything like me (which I hope you're not), or let's say if you're anything like my mind, you spend 75% of your time overthinking. You reach for the closest pen and paper to write down a thought before it becomes obsolete, or you'll write it down in some app on your phone. My brain will jump from baking cookies to, "I really need to learn sign language", to "I need to read the next chapter of 'Modern Cybersecurity, Tales from the Near Distant Future'", all in the span of two seconds. Then one ... two ... poof! My brain hits eject and I'm back to reality questioning what I was doing.

Situations will arise in which those notes could benefit me, but because my thoughts weren't housed in one place, I spent an excessive amount of time locating the information. This could be bothersome, but over the years I've learned to organize my thoughts in a more practical manner.

All this brings me to the point of the importance of proper documentation methods. New regulations around security and data privacy are constantly being implemented to manage ongoing cyber threats. These regulations have led to frameworks such as SOC 2 and NIST, which require companies to provide evidence that their policies and processes are in compliance with its requirements.

The Problem with Providing Audit Evidence of Meetings

Auditors will always want to see evidence of meetings as part of audit evidence for any framework, from PCI DSS to ISO 27001 to SOC 2. Each audit framework requires a set of meetings  - like, most frameworks require regular security meetings, ISO requires executive leadership meetings, and PCI DSS requires a "charter meeting."

Without this work-around, it's time consuming to provide this evidence to auditors, forcing you to go through the team's Google calendar and take a million screenshots. 

Jasmine Henry was a pretty decent JupiterOne user before she worked here, but she didn't know about a work-around the J1 team uses for managing evidence. Between screenshots of Google calendar, confluence pages with meeting agendas, and zoom screenshots, she spent as much as 12 hours gathering meeting evidence for auditors in order to 'prove' the list of who attended.

How to Provide Meeting Evidence as Code

The JupiterOne security team manages evidence of meetings by creating and storing the evidence as code. We do this by submitting meeting notes as an update to a markdown document and then merging using a pull request on Github. One approving review from a meeting attendee is needed to merge the pull request into the security meeting main branch. Doing this creates searchable artifacts in JupiterOne of our weekly meetings, along with a timestamp of when updates occur.

This streamlined approach makes it easier to track and manage evidence for security assessments and regulatory audits. It's a clever tactic that has proved beneficial in many ways. 

As an example, here is an overview of our Github security tracking repository:

2022-02-07 Meeting Evidence as Code - JupiterOne

The security team member who is currently on-call is responsible for taking notes and for creating a PR in GitHub. 

2022-02-07 Meeting Evidence as Code - JupiterOne

One approving review from a team member is needed to merge the pull request into the main branch. 

2022-02-07 Meeting Evidence as Code - JupiterOne

How to Retrieve Meeting Evidence Via JupiterOne

Here is a screenshot, using JupiterOne to search for meeting evidence - both the query you type in, and the results.

2022-02-07 Meeting Evidence as Code - JupiterOne

Results:

2022-02-07 Meeting Evidence as Code 05a

Conclusion

This is an approach that can be used for nearly ANYTHING that JupiterOne can ingest.  Even if JupiterOne doesn't have an integration to automatically pull metadata from a certain data source (like GitHub), users can still use the API to put entities to the graph for custom data sets that they want to be searchable.

Theoretically, all evidence necessary to complete any audit should be consumable and able to be represented in the graph, and that makes it a one-stop shop for compliance, reducing work hours, complexity, and increasing the confidence of auditors in your adherence to standards, policies, and controls.

Want to take things one step further? Learn how to automate some of these steps in this blog.

Yvie Djieya
Yvie Djieya

Yvie is a Cybersecurity Assurance and Risk Analyst at Jupiter One with a passion for teamwork, technology, as well as diversity and inclusion. She is also a baking enthusiast, and an avid lover of the arts and Afrobeats. Her background is in data privacy and healthcare management.

Keep Reading

Why Better Asset Visibility Matters in Cybersecurity | JupiterOne
August 30, 2023
Blog
Back to basics: Why better asset visibility matters in your security program

At the most basic level of the Incident Response Hierarchy, security teams must know the assets they are defending.

Get easy answers to complex questions with AI-powered natural language search in JupiterOne
August 22, 2023
Blog
Get easy answers to complex questions with AI-powered natural language search in JupiterOne

Natural language search leverages AI to bring ease of use to the forefront of the JupiterOne platform.

Black Hat, BSides, and DEFCON Wrap Up: Hacker Summer Camp 2023
August 15, 2023
Blog
Black Hat, BSides, and DEFCON Wrap Up: Hacker Summer Camp 2023

Here’s our recap of Black Hat, BSides and DEFCON, otherwise known as Hacker Summer Camp 2023!

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.