Governance, Risk Management & Compliance (GRC)
Security Operations, Analytics & Reporting (SOAR)
The real and present threat of a cyber breach demands real-time risk management
Simon Marvell, Partner, Acuity Risk Management
www.acuityrm.com
Agenda
1. The need for real-time, threat-based cyber security risk management
2. Threat and control modelling
3. Measuring cyber security risk
4. Outputs and benefits from cyber security risk management
The real and present threat
Data, information and knowledge
Plenty of data:
Vulnerability scanning reports
Penetration test reports
SIEM
Security analytics
Audit reports
Compliance assessments
Threat intelligence
Incidents and near-misses
Indicators of compromise
Risk assessments
But how much information and knowledge do these sources yield? They are
often operated independently of one another, and are often technology-
rather than business-focused.
Visibility of cyber security status
Business leaders want answers:
What are our current measured levels of cyber security
risk across the Enterprise from the multiple threats that
we face?
Are these cyber security risks tolerable?
If not, what is our justified and prioritized plan for
managing these risks down to tolerable levels?
Who is responsible and by when?
These are Risk Management questions
Cyber security risk management
Risk management is the ongoing process of identifying,
assessing, and responding to risk
To manage risk, organizations should understand the
likelihood that an event will occur and the resulting
impact
With this information, organizations can determine the
acceptable level of risk for delivery of services and can
express this as their risk tolerance
National Institute of Standards and Technology (NIST) Framework for
Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014
Threat-driven risk management
It is increasingly accepted that cyber security risk
management should be threat-driven:
“Contemporary cyber security risk management practices are
largely driven by compliance requirements, which force
organizations to focus on security controls and vulnerabilities”.
“The unbalanced focus on controls and vulnerabilities prevents
organizations from combating the most critical element in risk
management: the threats”.
“When this threat-driven approach is implemented along with
tailored compliance processes, organizations can produce
information systems that are both compliant and more secure”.
A Threat-Driven Approach to Cyber Security, Michael Muckin, Scott C. Fitch,
Lockheed Martin Corporation
Threat and control modelling
Expanded controls layer
Example threats
Source: Verizon 2015 Data Breach Investigations Report (DBIR) Fig. 24 –
Frequency of incident classification patterns across security incidents
Other example threat lists:
ISO 27005
Information Security
Forum (ISF)
Microsoft STRIDE
methodology
Mitre Corporation
Common Attack Pattern
Enumeration and
Classification (CAPEC)
Threat actors
Source: Verizon 2015 Data Breach Investigations Report (DBIR) Fig. 28 –
Relative frequency of data breaches by incident patterns and threat actor with
bar charts showing a 3 year trend
Threat and control mappings
Source: Verizon 2014 Data Breach Investigations Report (DBIR) Fig. 69 – Top
20 Critical Security Controls for Cyber Defense mapped to incident patterns
Other example mappings:
Microsoft STRIDE
methodology
Mitre Corporation
Common Attack Pattern
Enumeration and
Classification (CAPEC)
Information Security
Forum IRAM2
methodology
National Security Agency
Attack mitigation priorities
for the Top 20 Critical
Security Controls
Measuring cyber security risk
To manage risk, organizations should understand the
likelihood that an event will occur and the resulting
impact. National Institute of Standards and Technology (NIST) Framework for
Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014
The likelihood that a cyber breach will occur is a
function of the level of threat compared with the ability of
the mapped controls to resist that threat
To evaluate cyber security risk and investments in
business terms we need to quantify risk in financial
terms and to express the likelihood of an event as a
probability, not a qualitative rating
A probability is only meaningful when related to a time
period, e.g. the probability of a breach within the next year
Threat event frequency
Source: Verizon 2015 Data Breach Investigations Report (DBIR) Fig. 28 –
Relative frequency of data disclosures by incident patterns and victim industry
with bar charts showing a 3 year trend
Other example sources:
Threat intelligence
services
Incident databases
Scenario analysis
Potential impact
Source: Verizon 2015 Data Breach Investigations Report (DBIR) Figure 23 –
Range of expected loss by number of records
Note that we need to be aware of the uncertainty in risk
measurements
Losses can include lost business from: reputational
damage, loss of goodwill, increased customer acquisition
costs and increased customer churn
Assessing cyber security risk (1)
Assessing cyber security risk (2)
Source: Acuity STREAM – Example dashboard showing the status of Top 20
Critical Security Controls which are mapped to the threat of Organized Crime –
Crimeware to the On-line Payments Environment
Assessing cyber security risk (3)
Source: Acuity STREAM – Example assessment of Top 20 Critical Security
Control 13.07, Require all remote log-in access to use two factor authentication
Assessing cyber security risk (4)
Source: Acuity STREAM – Current residual risk status for threats to the On-
line Payments Environment
Evaluating cyber security risk (1)
There may be opportunities to Avoid or Transfer the risk,
or to Reduce the risk by reducing the potential impact,
e.g. in the Health Sector by separating personally
identifiable and clinical data
However, in many cases we will need to reduce the risk
by applying / improving and maintaining appropriate
controls to mitigate the specific threats
Evaluating cyber security risk (2)
Source: Acuity STREAM – Example dashboard showing the status of Top 20
Critical Security Controls which are mapped to the threat of Organized Crime –
Crimeware to the On-line Payments Environment
Evaluating cyber security risk (3)
Source: Acuity STREAM – Estimated risk improvement (Risk Delta) which
could be achieved by full deployment of Two Factor Authentication
Many controls will mitigate multiple threats and we will want
to prioritize control improvements on those controls which
are mitigating multiple high risks
Evaluating cyber security risk (4)
Source: Acuity STREAM – Risk–based priority (Risk Delta) for all non-
optimized controls or open vulnerabilities
Reacting to change
Each row gives the change, the risk management components it affects, and the effect / action.

Change: Threat intelligence received
Components affected: New threats / attack patterns may be identified; the likelihood of a threat event may increase
Effect / action: May need to model new threats and mitigating controls. Risks may increase and may exceed tolerance. Identify assets that may be affected and review the status of controls for those assets. If necessary, initiate improvements and additional controls. Identify and notify Business Units that may be affected.

Change: Performance of critical controls deteriorates, e.g. patch status on certain assets
Components affected: Performance of critical controls
Effect / action: Risk levels will increase and may exceed tolerance. Initiate actions to restore the performance of the controls.

Change: SIEM or data analytics solutions identify suspicious activity
Components affected: May indicate new threat / attack patterns, increased threat event likelihood or weak controls
Effect / action: Risk levels may increase and exceed tolerance. May need to initiate actions to model threats and controls and / or improve the performance of controls.

Change: Vulnerability scanners identify vulnerabilities on certain assets
Components affected: Will highlight weaknesses which could be exploited by a threat actor
Effect / action: Risk levels may increase and exceed tolerance, especially if the vulnerability aligns with attack patterns used in current campaigns. Prioritize remediation based on the risk delta.

Change: Control non-compliances raised from self-assessments or audit reports
Components affected: Indicates weaknesses in controls which may previously have been considered to be well deployed
Effect / action: Risk levels will increase and may exceed tolerance. Initiate actions to improve the performance of controls.

Change: Proposal to delay a cyber security project, perhaps due to lack of resources or budget restrictions
Components affected: Data and assets which are known to require additional protection will remain at risk for longer
Effect / action: Anticipated reductions in risk will be delayed and potentially leave the Organization exposed to intolerable levels of risk for longer than would otherwise have been the case. This 'risk delta from delay' can be quantified and used to inform debate on the proposal.
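The three quantitative ideas in this deck, likelihood as threat frequency versus control performance over a time period, the risk delta of improving a control that mitigates several threats, and the risk delta from delaying a project, are worked through below in a small model. This is an added example written for this page; it is not Acuity STREAM code and does not reproduce its method. Every threat name, event frequency, loss range, control performance figure and threat-to-control coverage weight is a constructed assumption, as are the modelling choices: threat events arrive as a Poisson process, each mapped control stops an event independently with probability coverage times measured performance, and loss per breach is log-normal fitted to a 90% range.

```python
import math
import random
from dataclasses import dataclass

# Illustrative model only. Threat names echo DBIR-style incident patterns, but
# the numbers below are constructed assumptions, not figures from the deck or
# from the DBIR.


@dataclass
class Control:
    name: str
    performance: float  # measured status in [0, 1], e.g. share of remote logins behind 2FA


@dataclass
class Threat:
    name: str
    events_per_year: float  # threat event frequency (from intel, incident data, DBIR)
    loss_low: float         # 90% range for loss per successful breach, in currency units
    loss_high: float
    mitigations: dict       # control name -> share of this threat's attack paths the control blocks when fully deployed


def success_probability(threat, controls):
    """P(one threat event gets past every control mapped to it).
    Assumption: each mapped control independently stops the event with
    probability coverage * measured performance (defence in depth)."""
    p_pass = 1.0
    for name, coverage in threat.mitigations.items():
        p_pass *= 1.0 - coverage * controls[name].performance
    return p_pass


def lognormal_params(low, high):
    """mu, sigma of a log-normal whose 5th / 95th percentiles are low / high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def expected_annual_loss(threat, controls):
    """Closed form: successful breaches per year x mean loss per breach."""
    mu, sigma = lognormal_params(threat.loss_low, threat.loss_high)
    breaches = threat.events_per_year * success_probability(threat, controls)
    return breaches * math.exp(mu + sigma ** 2 / 2)


def breach_probability(threat, controls, years=1.0):
    """P(at least one successful breach within the period), Poisson arrivals."""
    rate = threat.events_per_year * success_probability(threat, controls) * years
    return 1.0 - math.exp(-rate)


def simulate_annual_loss(threats, controls, trials=20000, seed=1):
    """Monte Carlo over breach counts and loss sizes. Returns (mean, p90) so
    the uncertainty in the estimate is visible rather than a single point."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for t in threats:
            mu, sigma = lognormal_params(t.loss_low, t.loss_high)
            rate = t.events_per_year * success_probability(t, controls)
            # Knuth's method for a Poisson(rate) sample of successful breaches
            n, p, limit = 0, rng.random(), math.exp(-rate)
            while p > limit:
                n += 1
                p *= rng.random()
            total += sum(rng.lognormvariate(mu, sigma) for _ in range(n))
        totals.append(total)
    totals.sort()
    return sum(totals) / trials, totals[int(0.9 * trials)]


def risk_delta(control_name, threats, controls, target=1.0):
    """Reduction in expected annual loss, summed over every threat the control
    mitigates, if its performance were raised to `target`. A control mapped to
    several high risks naturally ranks above one mapped to a single low risk."""
    before = sum(expected_annual_loss(t, controls) for t in threats)
    improved = dict(controls)
    improved[control_name] = Control(control_name, target)
    after = sum(expected_annual_loss(t, improved) for t in threats)
    return before - after


def prioritise(threats, controls):
    """Controls ordered by risk delta, largest first."""
    return sorted(((risk_delta(c, threats, controls), c) for c in controls), reverse=True)


def delay_cost(control_name, threats, controls, months):
    """'Risk delta from delay': expected loss carried while a project that
    would fully deploy the control is postponed by `months`."""
    return risk_delta(control_name, threats, controls) * months / 12


# Constructed sample data (assumptions, not measurements).
CONTROLS = {
    "2FA for remote access": Control("2FA for remote access", 0.40),
    "Patching": Control("Patching", 0.75),
    "Security awareness": Control("Security awareness", 0.60),
}
THREATS = [
    Threat("Crimeware", 6.0, 50_000, 2_000_000,
           {"Patching": 0.6, "Security awareness": 0.3, "2FA for remote access": 0.4}),
    Threat("Web app attacks", 4.0, 100_000, 5_000_000,
           {"Patching": 0.5, "2FA for remote access": 0.7}),
    Threat("Insider misuse", 1.0, 20_000, 500_000,
           {"2FA for remote access": 0.2, "Security awareness": 0.5}),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: P(breach in 1y)={breach_probability(t, CONTROLS):.2f} "
              f"EAL={expected_annual_loss(t, CONTROLS):,.0f}")
    print("Monte Carlo (mean, p90):", simulate_annual_loss(THREATS, CONTROLS))
    for delta, name in prioritise(THREATS, CONTROLS):
        print(f"risk delta {name}: {delta:,.0f}/yr; 6-month delay costs {delay_cost(name, THREATS, CONTROLS, 6):,.0f}")
```

The closed-form expected annual loss is what a dashboard would show; the Monte Carlo mean and 90th percentile make the point on the "Potential impact" slide that a single number hides a wide loss range. The ranking from `prioritise` is the deck's "risk delta" priority list, and `delay_cost` is the "risk delta from delay" for the last row of the table above.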
Reporting to Business Leaders
Source: Acuity STREAM – Top level Risk Dashboard summarizing cyber risk
status alongside other Enterprise risks
Summary (1)
The questions of ‘how secure are we?’ and ‘what are our
cyber security priorities?’ are ‘Risk Management’
questions
We need a consistent risk-based approach for
prioritizing remediation and investigative activity and for
reporting up to business leaders
Our cyber security risk management approach needs to
be ‘Threat’ driven within the framework of tailored
compliance processes
Identify and model Threats and Attack Patterns
Measure Risk
Prioritize actions based on ‘Risk Delta’
Summary (2)
The general threat level is high, ‘…not if but when …’
Specific threats can change very quickly, i.e. a threat
actor could suddenly target you, or change their tactics
Your risk goes up if the performance of critical controls
deteriorates, so you need to ensure the continuing good
performance of critical risk mitigating controls and
measure at an appropriate frequency, e.g.
Daily, e.g. patch status
Event driven, e.g. testing web applications for
common security weaknesses following changes
Monthly or annually, e.g. gap analysis of staff security
awareness
Cyber security risk management is now a critical real-
time facilitator in the battle against cyber breaches
Benefits
Reduce the likelihood of a damaging cyber security
breach
Allow us to control our costs by targeting resources at
intolerable risks and avoiding over-control of tolerable
risks
Help us to prioritize and justify cyber security
investments by focusing on those cyber security
solutions which will provide the greatest risk-based
return on investment
Demonstrate to shareholders, customers, regulators and
other stakeholders that we have our cyber security under
control
Liberty House, 222 Regent Street, London W1B 5TR
www.acuityrm.com [email protected]
Whitepapers: https://www.acuityrm.com/whitepapers