Cyber Security as an Exercise in Risk Management
It’s worth beginning with some perspective we received from Ntrepid's Chief Scientist Lance Cottrell, especially given the attention paid at the conference to flashy demonstrations of vulnerabilities, like car hacking.
Cottrell noted that many of the things people worry about are Hollywood hacks. Reflecting on his participation in panels on Internet-of-things security, he said, "We tend to look for the extreme movie plot threat scenarios. What if they hacked your car and drove you off a cliff?" And how likely is it that someone would go after you in such a "Rube Goldberg" fashion? If they were rationally evil, and not in it for the baroque, Blofeldian lulz, wouldn't they just hire a hitman?
Cottrell suggested that it's useful to think about what he called the attackers "mindspace." "What are their goals? They want to generate money. Why is ransomware suddenly a thing? Because it's hugely lucrative. Why DDoS? Because it works, and can be easily monetized." And, he noted, some once common attacks are fading because of black market forces. There are fewer attempts to steal credit cards in part because stolen paycard numbers have now been so commoditized that it's hard to make money from them.
Develop a realistic understanding of what you have that might be of value to an attacker and then manage your risk accordingly. Not every attack is out of "Skyfall." Whenever an enterprise is breached, Cottrell noted, the first press release talks about how extremely sophisticated the attackers were. Of course it would: "You don't want to say some script kiddie used a well-known exploit against our unpatched browser from two years ago to own us, but that's actually what's happening most of the time."
Understanding, assessing, quantifying, and communicating risk are essential to any enterprise seriously engaged in managing it. Cyber risk management remains a maturing area. The insurance industry has historically driven the maturation of risk management in the sectors whose risk it underwrites (consider the history of fire safety standards and practices, to take one example) and the market for cyber insurance, while growing rapidly, is still relatively immature. Some companies, like PivotPoint Risk Analytics, are seeking to provide one of the missing elements—actuarial data on cyber losses—to the industry. Other companies are also working toward the sort of assessment and quantification risk managers need.
Steven Grossman, Vice President of Program Management at Bay Dynamics, said his company looks at its customers in terms of asset value “connecting the dots between the tech infrastructure and applications, understanding the value of apps, and making risk-based judgments with respect to threats and vulnerabilities.”
Some of this work involves the consumption and processing of threat data. Bay Dynamics uses out-of-the-box connectors to pull in threat and vulnerability data (“the traditional stuff”) on a fairly automatic basis. The “tough stuff” is found in the applications, their ownership, their value, their metadata, their position on the endpoints. This information tends to be scattered, and there’s much disagreement over it: “Everyone has their own view of application value.”
Who owns risk can be a complex question for any enterprise. The Denim Group’s John Dickson told us, “One trend I think I can definitively see is that there's a broader realization that most security teams are still ill-equipped to deal with software security. Most CISOs have network security backgrounds. Most security people (myself included) have network security backgrounds. Virtually every organization out there has an issue around security owning the software risk component. Software risk, the net function, still doesn't live in the development team.” This produces an imbalance in the appreciation of risk. There are thousands on development teams. There are perhaps five to ten on the typical security team.
For its part, Bay Dynamics seeks to enable risk management by, Grossman said, “making security everybody's business.” They push dashboards to CISOs, operators, and responders. They move application owners into the process. Their background in behavior analytics and anomaly detection plays a role here. “We identify broken business processes based on people's behavior.”
Companies at different scales have different needs, Grossman finds. “We play best in the regulated industries--financial services, large media, healthcare, energy--but really anyone who needs to understand the posture of their organization works well with us. It's not so much an organization’s size as it is a minimal level of maturity.”
We hear a lot about translating technical risk into business risk. Grossman agreed that "the industry overall is suffering from language difficulties." Boards understands risk, but they may not be as confident of their grasp of technology. If you communicate in the language of risk, you help the Board manage it.
FourV Systems concentrates on translating cyber risk into business risk. We spoke with FourV’s Casey Corcoran and Derek Gabbard about their understanding of and approach to the challenge. They noted the way the insurance industry itself is coming to address cyber risk. “A telling thing is that even the experts in the insurance companies are still doing a dozen checklist items and then underwriting on the basis of that. It's the more sophisticated insurance companies that are actually starting to embrace a three-tier model, in which they come in to help prepare an organization to underwrite risk, then underwrite, and then they're there when the breach happens to help manage the damage. It's because they can't just underwrite the risk. The next step would be to put a monitoring system in place to monitor threat intelligence around your company to help you proactively manage your risk.” Increasing computing power is enabling this kind of measurement.
Corcoran and Gabbard think the market's ready. “Technical people are ready to embrace something that gives an easy-to-understand marker for the things they've done. And boards and executive leadership teams are definitely at a point where they understand that they need to know more and have a little more accountability about where they stand from a cyber security perspective. The highly regulated sectors are already there. Other sectors are coming along.”
FourV sees risk scoring as facilitating the conversations essential to risk management. They calculate such scores in a way designed to make it possible to instrument an enterprise for effective risk management. They break the data into components they call "facts”—there are threat facts, vulnerability facts, and so on—and then combine them for easier explanation. --and we recombine them into a new type of information that's very easy to explain. “At the end of the day we turn it into scores, 0-100,” Corcoran and Gabbard said. “That's something executives who don't have the technical understanding of security ops can understand. If we're pledging to keep our risk score between, say 80 and 85, and we're outside of that, it's easy for an executive to ask what's driving this, and what investments or training are necessary to pull it back into the band that we expect. That's the level we feel that we're managing risk at the appropriate point. It's simple, plain-language English up the chain with the ability to drive down into the data on the technical side so you can answer questions about what's moving the scores.”
Being able to actually manage the priorities of your cyber security defenses based on actual business risk will give you the ability to cut out technologies and practices that aren't effective. FourV, like other companies in this space, sees highly regulated industries (like financial services) who face substantial compliance risk as early adopters. They’re also targeting managed security service providers as customers. MSSPs need to be able to show their customers what they’re getting for their money, and being able to demonstrate that risk is kept within band.