Date post: 25-Jun-2020
Page 1: Governance, Risk Management & Compliance (GRC) The real ... · Acuity Risk Management Governance, Risk Management & Compliance / Security Operations, Analytics & Reporting . Agenda

Governance, Risk Management & Compliance (GRC)
Security Operations, Analytics & Reporting (SOAR)

The real and present threat of a cyber breach demands real-time risk management

Simon Marvell, Partner, Acuity Risk Management
www.acuityrm.com

Page 2

Agenda

1. The need for real-time, threat-based cyber security risk management
2. Threat and control modelling
3. Measuring cyber security risk
4. Outputs and benefits from cyber security risk management

Page 3

The real and present threat

Page 4

Data, information and knowledge

Plenty of data:
- Vulnerability scanning reports
- Penetration test reports
- SIEM
- Security analytics
- Audit reports
- Compliance assessments
- Threat intelligence
- Incidents and near-misses
- Indicators of compromise
- Risk assessments

But how much information and knowledge? These sources are often operating independently, and are often technology focussed rather than business focussed.

Page 5

Visibility of cyber security status

Business leaders want answers:
- What are our current measured levels of cyber security risk across the Enterprise from the multiple threats that we face?
- Are these cyber security risks tolerable?
- If not, what is our justified and prioritized plan for managing these risks down to tolerable levels?
- Who is responsible and by when?

These are Risk Management questions.

Page 6

Cyber security risk management

"Risk management is the ongoing process of identifying, assessing, and responding to risk. To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact. With this information, organizations can determine the acceptable level of risk for delivery of services and can express this as their risk tolerance."

National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014

Page 7

Threat-driven risk management

It is increasingly accepted that cyber security risk management should be threat-driven:

"Contemporary cyber security risk management practices are largely driven by compliance requirements, which force organizations to focus on security controls and vulnerabilities."

"The unbalanced focus on controls and vulnerabilities prevents organizations from combating the most critical element in risk management: the threats."

"When this threat-driven approach is implemented along with tailored compliance processes, organizations can produce information systems that are both compliant and more secure."

A Threat-Driven Approach to Cyber Security, Michael Muckin, Scott C. Fitch, Lockheed Martin Corporation

Page 8

Threat and control modelling

Page 9

Expanded controls layer

Page 10

Example threats

Source: Verizon 2015 Data Breach Investigations Report (DBIR) Fig. 24, Frequency of incident classification patterns across security incidents

Other example threat lists:
- ISO 27005
- Information Security Forum (ISF)
- Microsoft STRIDE methodology
- Mitre Corporation Common Attack Pattern Enumeration and Classification (CAPEC)

Page 11

Threat actors

Source: Verizon 2015 Data Breach Investigations Report (DBIR) Fig. 28, Relative frequency of data breaches by incident patterns and threat actor, with bar charts showing a 3 year trend

Page 12

Threat and control mappings

Source: Verizon 2014 Data Breach Investigations Report (DBIR) Fig. 69, Top 20 Critical Security Controls for Cyber Defense mapped to incident patterns

Other example mappings:
- Microsoft STRIDE methodology
- Mitre Corporation Common Attack Pattern Enumeration and Classification (CAPEC)
- Information Security Forum IRAM2 methodology
- National Security Agency attack mitigation priorities for the Top 20 Critical Security Controls

Page 13

Measuring cyber security risk

"To manage risk, organizations should understand the likelihood that an event will occur and the resulting impact." National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014

The likelihood that a cyber breach will occur is a function of the level of Threat compared to the ability of Controls to resist the Threat.

To evaluate cyber security risk and investments in business terms we need to quantify it in financial terms, and we need to use probabilistic measurement for the likelihood of an event.

Probability needs to be related to a time period.

Page 14

Threat event frequency

Source: Verizon 2015 Data Breach Investigations Report (DBIR) Fig. 28, Relative frequency of data disclosures by incident patterns and victim industry, with bar charts showing a 3 year trend

Other example sources:
- Threat intelligence services
- Incident databases
- Scenario analysis

Page 15

Potential impact

Source: Verizon 2015 Data Breach Investigations Report (DBIR) Figure 23, Range of expected loss by number of records

Note that we need to be aware of the uncertainty in risk measurements.

Losses can include lost business from reputational damage, loss of goodwill, increased customer acquisition costs and increased customer churn.

Page 16

Assessing cyber security risk (1)

Page 17

Assessing cyber security risk (2)

Source: Acuity STREAM, example dashboard showing the status of Top 20 Critical Security Controls which are mapped to the threat of Organized Crime / Crimeware to the On-line Payments Environment

Page 18

Assessing cyber security risk (3)

Source: Acuity STREAM, example assessment of Top 20 Critical Security Control 13.07, Require all remote log-in access to use two factor authentication

Page 19

Assessing cyber security risk (4)

Source: Acuity STREAM, current residual risk status for threats to the On-line Payments Environment

Page 20

Evaluating cyber security risk (1)

There may be opportunities to Avoid or Transfer the risk, or to Reduce the risk by reducing the potential impact, e.g. in the Health Sector by separating personally identifiable and clinical data.

However, in many cases we will need to reduce the risk by applying, improving and maintaining appropriate controls to mitigate the specific threats.

Page 21

Evaluating cyber security risk (2)

Source: Acuity STREAM, example dashboard showing the status of Top 20 Critical Security Controls which are mapped to the threat of Organized Crime / Crimeware to the On-line Payments Environment

Page 22

Evaluating cyber security risk (3)

Source: Acuity STREAM, estimated risk improvement (Risk Delta) which could be achieved by full deployment of Two Factor Authentication

Many controls will mitigate multiple threats, and we will want to prioritize control improvements on those controls which are mitigating multiple high risks.

Page 23

Evaluating cyber security risk (4)

Source: Acuity STREAM, risk-based priority (Risk Delta) for all non-optimized controls or open vulnerabilities

Page 24

Reacting to change

Change: Threat intelligence received
Risk management components affected: New threats / attack patterns may be identified; likelihood of a threat event may increase
Effects of change / Action: May need to model new threats and mitigating controls. Risks may increase and may exceed tolerance. Identify assets that may be affected and review the status of controls for those assets. If necessary, initiate improvements and additional controls. Identify and notify Business Units that may be affected.

Change: Performance of critical controls deteriorates, e.g. patch status on certain assets
Risk management components affected: Performance of critical controls
Effects of change / Action: Risk levels will increase and may exceed tolerance. Initiate actions to restore the performance of the controls.

Change: SIEM or data analytics solutions identify suspicious activity
Risk management components affected: May indicate new threat / attack patterns, increased threat event likelihood or weak controls
Effects of change / Action: Risk levels may increase and exceed tolerance. May need to initiate actions to model threats and controls and / or improve the performance of controls.

Change: Vulnerability scanners identify vulnerabilities on certain assets
Risk management components affected: Will highlight weaknesses which could be exploited by a threat actor
Effects of change / Action: Risk levels may increase and exceed tolerance, especially if the vulnerability aligns with attack patterns used in current campaigns. Prioritize remediation based on the risk delta.

Change: Control non-compliances raised from self-assessments or audit reports
Risk management components affected: Indicates weaknesses in controls which may previously have been considered to be well deployed
Effects of change / Action: Risk levels will increase and exceed tolerance. Initiate actions to improve the performance of controls.

Change: Proposal to delay a cyber security project, perhaps due to lack of resources or budget restrictions
Risk management components affected: Data and Assets which are known to require additional protection will remain at risk for longer
Effects of change / Action: Anticipated reductions in risk will be delayed and potentially leave the Organization exposed to intolerable levels of risk for longer than would otherwise have been the case. This 'risk delta from delay' can be quantified and used to inform debate on the proposal.
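A worked example of the measurement and prioritisation the deck describes: likelihood as threat event frequency against the ability of mapped controls to resist the threat (Page 13), Risk Delta summed across every threat a control mitigates so that multi-threat controls rank higher (Pages 22 and 23), and the 'risk delta from delay' (Page 24). This is added illustrative code, not Acuity's STREAM method or code; the threat frequencies, loss figures, control effectiveness values and the independence assumption between controls are all constructed for the example.

```python
from math import prod

# Constructed sample data (not from the deck): annual threat event frequency
# and expected loss per successful event, in GBP, for one environment.
THREATS = {
    "crimeware":      {"events_per_year": 4.0, "loss_per_event": 250_000},
    "web_app_attack": {"events_per_year": 2.0, "loss_per_event": 400_000},
    "insider_misuse": {"events_per_year": 0.5, "loss_per_event": 150_000},
}

# Control effectiveness = probability the control stops one threat event,
# now and at the target after a planned improvement. "threats" is the
# threat-to-control mapping; many controls mitigate several threats.
CONTROLS = {
    "2FA_remote_login": {"current": 0.30, "target": 0.90, "threats": ["crimeware", "insider_misuse"]},
    "patching":         {"current": 0.60, "target": 0.85, "threats": ["crimeware", "web_app_attack"]},
    "app_sec_testing":  {"current": 0.20, "target": 0.70, "threats": ["web_app_attack"]},
}

def current_effectiveness() -> dict:
    return {c: cfg["current"] for c, cfg in CONTROLS.items()}

def annual_risk(effectiveness: dict) -> float:
    """Total annualised expected loss across all threats. A threat event
    succeeds only if every mapped control fails, so P(success) is the
    product of (1 - e_i). Assumption: control failures are independent."""
    total = 0.0
    for name, t in THREATS.items():
        mapped = [effectiveness[c] for c, cfg in CONTROLS.items() if name in cfg["threats"]]
        p_success = prod(1 - e for e in mapped)
        total += t["events_per_year"] * p_success * t["loss_per_event"]
    return total

def risk_delta(control: str) -> float:
    """Risk Delta: reduction in annual risk from taking one control from its
    current to its target effectiveness, with all other controls unchanged.
    Because annual_risk sums over threats, a control mapped to several
    threats is credited with the reduction on each of them."""
    now = current_effectiveness()
    improved = {**now, control: CONTROLS[control]["target"]}
    return annual_risk(now) - annual_risk(improved)

def prioritised_controls() -> list:
    """Non-optimized controls ordered by Risk Delta, highest first."""
    return sorted(((c, risk_delta(c)) for c in CONTROLS), key=lambda x: x[1], reverse=True)

def risk_delta_from_delay(control: str, delay_months: float) -> float:
    """Expected loss carried by postponing the improvement (pro rata per year)."""
    return risk_delta(control) * delay_months / 12

if __name__ == "__main__":
    print(f"current annual risk: {annual_risk(current_effectiveness()):,.0f}")
    for c, d in prioritised_controls():
        print(f"{c:18s} risk delta {d:,.0f}")
    print(f"delaying 2FA by 6 months: {risk_delta_from_delay('2FA_remote_login', 6):,.0f}")
```

With these constructed values, patching ranks above two factor authentication even though 2FA has the larger single improvement, because patching is mapped to both of the high-frequency threats.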

Page 25

Reporting to Business Leaders

Source: Acuity STREAM, top level Risk Dashboard summarizing cyber risk status alongside other Enterprise risks

Page 26

Summary (1)

The questions of 'how secure are we?' and 'what are our cyber security priorities?' are 'Risk Management' questions.

We need a consistent risk-based approach for prioritizing remediation and investigative activity and for reporting up to business leaders.

Our cyber security risk management approach needs to be 'Threat' driven within the framework of tailored compliance processes:
- Identify and model Threats and Attack Patterns
- Measure Risk
- Prioritize actions based on 'Risk Delta'

Page 27

Summary (2)

The general threat level is high: '...not if but when...'

Specific threats can change very quickly, i.e. a threat actor could suddenly target you, or change their tactics.

Your risk goes up if the performance of critical controls deteriorates, so you need to ensure the continuing good performance of critical risk mitigating controls and measure at an appropriate frequency, e.g.
- Daily, e.g. patch status
- Event driven, e.g. testing web applications for common security weaknesses following changes
- Monthly or annually, e.g. gap analysis of staff security awareness

Cyber security risk management is now a critical real-time facilitator in the battle against cyber breaches.

Page 28

Benefits

- Reduce the likelihood of a damaging cyber security breach
- Allow us to control our costs by targeting resources at intolerable risks and avoiding over-control of tolerable risks
- Help us to prioritize and justify cyber security investments by focusing on those cyber security solutions which will provide the greatest risk-based return on investment
- Demonstrate to shareholders, customers, regulators and other stakeholders that we have our cyber security under control

Page 29

Liberty House, 222 Regent Street, London W1B 5TR
www.acuityrm.com [email protected]
Whitepaper: https://www.acuityrm.com/whitepapers
