September 10, 2017 | Author: Jack Amos Palmer | Category: N/A
1 The New Enterprise Security Model: How to Operationalize Cyber Risk Management in Today s Dynamic Threat Landscape Jul...
The New Enterprise Security Model: How to Operationalize Cyber Risk Management in Today’s Dynamic Threat Landscape July 2016
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P2
Executive Summary While companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats, daily reports of new data breaches are raising doubts about the effectiveness of these investments.
One of the biggest challenges in cyber security today is how to manage the volume, velocity, and complexity of data generated by the myriad of IT security tools. The feeds from these disconnected, siloed tools must be analyzed, normalized, and remediation efforts prioritized. The more tools, the more difficult the challenge. This security model requires legions of staff to comb through huge amounts of data to connect the dots and find the needle in the haystack. These efforts can take months, during which time attackers can exploit vulnerabilities and extract data.
Rather than adding more tools, organizations need to implement a new, more efficient enterprise security model. According to analyst firm Gartner, cyber risk management that uses intelligence-driven analytics can help organizations operationalize cyber security practices, break down silos, and enhance security operations tasks through automation.
This white paper explores the emerging discipline of intelligence-driven cyber risk management as a response to the mounting cyber-attacks, advanced persistent threats, and insider leaks. It outlines not only today’s cyber security challenges, but provides practical advice of how to operationalize an organization’s cyber security practices across a growing attack surface.
About RiskSense RiskSense®, Inc., is the pioneer and market leader in pro-active cyber risk management. The company enables enterprises and governments to reveal cyber risk, quickly orchestrate remediation, and monitor the results. This is done by unifying and contextualizing internal security intelligence, external threat data, and business criticality across a growing attack surface.
The company’s Software-as-a-Service (SaaS) platform transforms cyber risk management into a more pro-active, collaborative, and real-time discipline. The RiskSense Platform™ embodies the expertise and intimate knowledge gained from real world experience in defending critical networks from the world’s most dangerous cyber adversaries. As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program.
By leveraging RiskSense cyber risk management solutions, organizations can significantly shorten time-to-remediation, increase operational efficiency, strengthen their security programs, heighten response readiness, reduce costs, and ultimately minimize cyber risks. For more information, please visit www.risksense.com or follow us on Twitter at @RiskSense.
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P3
Table of Contents Executive Summary ................................................................................................................................................... 2 About RiskSense ........................................................................................................................................................ 2 1.0
Cyber Security Challenges ................................................................................................................................ 4 1.1 A Growing Attack Surface .......................................................................................................................... 4 1.2 Silo-Based Security Tools ........................................................................................................................... 5 1.3 Manual Data Aggregation and Analysis ..................................................................................................... 5 1.4 Lack of Context ........................................................................................................................................... 6
2.0
The New Enterprise Security Model: Cyber Risk Management ..................................................................... 7
3.0
The Pillars of Cyber Risk Management ............................................................................................................ 8 3.1 Identify ....................................................................................................................................................... 8 3.2 Prioritize ..................................................................................................................................................... 9 3.3 Orchestration ........................................................................................................................................... 10
4.0
Conclusion ...................................................................................................................................................... 11
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P4
1.0 Cyber Security Challenges Over the last few years, cyber threats have emerged as one of the most significant business risks facing organizations. For many, the Target breach was a watershed event. The subsequent law suits and settlements that totaled in the tens of millions of dollars revealed the scale of the financial impact associated with cyber-attacks. Since boards of directors have a fiduciary responsibility to preserve corporate financial value, these breaches were a rude wake up call. Meanwhile, the courts are holding businesses accountable for implementing appropriate security practices to protect consumers’ personal information. The Home Depot, which booked $161 million of its pre-tax expenses to cover the breach, including $19.5 million for the consumer settlement, is a good example.
In response, companies are spending huge sums of money every year to maintain a security perimeter Global IT security spend will grow to by designed to fend off cyber and insider threats. 2019. According to Gartner Inc., global IT security spend Gartner Inc. will reach $92 billion in 2016 and is expected to grow to $116 billion by 2019. However, mounting security incidents and data breaches of massive scale at companies such as Hyatt, DNC, Twitter, and SWIFT are raising doubts about the effectiveness of these investments.
$116 billion
In this context, Gartner (“Designing an Adaptive Security Architecture for Protection from Advanced Attacks”) believes that “enterprises are overly dependent on blocking and prevention mechanisms that are decreasingly effective against advanced attacks.” This begs the question: “What are the real expectations for a successful cyber security practice”?
1.1
A Growing Attack Surface
Organizations face an uphill battle, as the attack surface they have to protect has grown of cyber-attacks today target the application layer. significantly and is expected to balloon even further. While it was sufficient in the past to focus Global Risk Management Survey on network and endpoint protection, nowadays applications, cloud services, mobile devices (e.g., tablets, mobile phones, Bluetooth devices, and smart watches), and the Internet of Things (e.g., physical security systems, lights, appliances, as well as heating and air conditioning systems) represent a broadly extended attack surface. According to the 2015 Global Risk Management Survey, 84% of cyber-attacks today target the application layer and not network layer, requiring a more holistic approach to cyber security.
84%
Unfortunately, many organizations as well as technology vendors are still focusing their attention on the network and endpoints.
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
1.2
P5
Silo-Based Security Tools
One of the biggest problems in cyber security today is how to manage the volume, velocity, and complexity of data generated by the myriad of IT and security tools in an organization’s network. The feeds from these disconnected systems must be analyzed, normalized, and remediation efforts prioritized. The more tools, the more difficult the challenge. And the broader the attack surface, the more data you have to analyze.
The amount of data analyzed by enterprise IT security will double every year through 2016. Gartner Inc.
According to Gartner (“Information Security Is Becoming a Big Data Analytics Problem”) “the amount of data analyzed by enterprise information security organizations will double every year through 2016. By 2016, 40% of enterprises will actively analyze at least 10 terabytes of data for information security
intelligence, up from less than 3% in 2011.”
In turn, organizations must find ways to break down the silos as cyber-attackers are moving both vertically and horizontally across the entire attack surface and don’t experience the same limitations as your security team.
1.3
Manual Data Aggregation and Analysis
It requires legions of staff to comb through the huge amount of data to connect the dots and find of data breaches are preventable by applying the needle in the haystack. These efforts can take proper cyber hygiene and pro-active risk management. months, during which time attackers can exploit vulnerabilities and extract data. In fact, the Global Risk Management Survey limitations of manual cyber security operations have created a major risk in itself. Research studies show that 94 percent of data breaches are preventable by applying proper cyber hygiene and pro-active risk management.
94%
Furthermore, relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion. According to the Verizon Data Breach Investigations Report, 69% of breaches were discovered by a third-party and not through internal resources. The Target data breach was a good example. Despite the fact that best-of-breed tools were in place and detected the initial breach, the outsourced security operations team did not respond to the alert in a timely fashion. They were simply overwhelmed by the data coming their way and therefore could not decipher what was really having the biggest impact on their business. Ultimately, the data breach was revealed by an outsider and not by the company’s security operations team.
This situation is being aggravated by the fact that, according to ISACA, a global IT association, the industry is facing a shortfall of a million security professionals globally. For most organizations, the prospects of hiring the staff needed to aggregate, normalize, and analyze the vast amount of data needed to assess cyber risk exposures are slim.
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P6
Breaking down existing silos and automating traditional security operations tasks with the help of technology is a forcemultiplier for increasingly scarce cyber security operations talent.
1.4
Lack of Context
According to Gartner ("Security and Risk Management Scenario Planning, 2020"), by 2020, of global 2000 companies will have been directly 30% of global 2000 companies will have been compromised by 2020. directly compromised by an independent group of cyber activists or cyber criminals. This prediction is Gartner Inc. not surprising, considering the fact that leading risk indicators are difficult to identify when cyber attackers, including their strategy, competences, and actions, are unknown. In turn, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect taking threats into account.
30%
Focusing solely on findings from internal security intelligence such as vulnerability scanners, configuration management databases, and SIEM systems can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources. The POODLE Vulnerability in 2014 is a good example. The National Vulnerability Database (NVD) assigned this vulnerability at 5.5 CVSS score out of 10, which led most organizations to not remediate it. On average, organizations only act upon security flaws that are rated 7 or higher -- to be able to deal with the onslaught of vulnerabilities in their environment. However, if those organizations had known that hundreds of thousands of POODLE exploits were being carried out, they likely would have changed their risk assessment of the vulnerability.
As we all know, two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.
Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts – vulnerabilities and control failures – while neglecting threats as a factor in cyber risk assessments. However, as the volume of vulnerabilities has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why dedicate resources to fixing vulnerabilities that have no threat associated with them and are not even reachable?
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P7
Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected step child. In fact, advanced security operations teams leverage threat intelligence to gather insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate current and future threats.
Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business.
2.0 The New Enterprise Security Model: Cyber Risk Management In response to these challenges, many boards of directors have started changing their view of cyber of directors of boards are worried about cyber security as being a core function of IT security risk. management, and are now demanding that CEisnerAmper suites treat cyber threats as an enterprise risk that should be addressed from a strategic, companywide, and economic perspective. They are now taking a very active interest in cyber security, and want to be kept informed of current and evolving risks, as well as the organization’s security preparedness and response plans. As a matter of fact, according to a recent study by accounting firm EisnerAmper (EA), directors of boards are most worried about cyber security risk (70 percent), reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).
70%
Considering the ongoing skill and expertise shortage, and increasing frequency and sophistication in threat activities, many organizations are rethinking their enterprise security model. The objective is to move to full and/or semi-automation of operational activities. At the same time, they seek to enable a truly adaptive and risk-based response to advanced threats, which assures continuous, pervasive monitoring and analysis across the entire attack surface, not just the network or endpoints.
In this context, intelligence-driven cyber risk management is often seen as a clear path for organizations to operationalize cyber security practices, breaking down silos, and enhancing security operations tasks through automation.
FIGURE 1: Cyber Risk Defined
Cyber risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. Fortunately, new technology – cyber risk management – is emerging that helps to not only to aggregate internal security intelligence and external threat data, but more importantly correlates these data feeds with its business criticality or risk to the organization. The end result is automated, contextualized security metrics that
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P8
align with business objectives. Figure 2 below illustrates this new enterprise security model, which is labeled intelligencedriven cyber risk management.
FIGURE 2: The Pro-Active Cyber Risk Management Concept
Besides the operational advantages that cyber risk management brings to the table, it also propagates better collaboration among otherwise siloed stakeholders across the organization, ranging from the board, C-suite, business stakeholders, as well as security and IT operations teams to internal/external auditors.
3.0 The Pillars of Cyber Risk Management Overall, cyber risk management is built upon three main pillars, consisting of identification, prioritization, and orchestration of remediation actions.
3.1
Identify
In order to understand what "act" (a.k.a. remediation actions) is needed to minimize an organization’s cyber risk exposure, identification is the first step. With so many organizations being overwhelmed with the volume, velocity, and complexity of internal security data, it has become crucial to streamline the identification process. For many organizations, data overload has become the Achilles heel of day-to-day security operations. The intelligence-driven cyber risk management concept calls for automated aggregation of data across different data types; mapping of assessment data to compliance requirements; and normalization for ruling out false-positives, duplicates, and to enrich data attributes.
FIGURE 3: Input Sources Across the Attack Surface
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
3.2
P9
Prioritize
In the past, the majority of organizations primarily focused on their internal security posture when it comes to cyber security and therefore had a difficult time prioritizing their remediation actions based on business criticality. By leveraging emerging cyber risk management tools organizations can place internal security intelligence, external threat data, and business criticality into context to derive a holistic view of risk posture across networks, applications, mobile devices, etc. In this way, security teams can determine what imminent threats they face from cyber adversaries, and which ones really have the highest impact to the business or mission.
FIGURE 4: Risk-Based Vulnerability View with Direct Threat Attribution
In cyber war, decisions need to be made swiftly. The cyber risk management concept therefore calls for applying advanced risk scoring and human-guided, machine-learning technology to classify the severity level that individual threats pose to assets, applications, and business processes.
The Cyber Risk Score continuously measures, monitors, and tracks your organization’s overall exposure to risk and generates a score and visual representation of cyber risk posture at both the organization and asset level.
FIGURE 5: Credit Card-Like Cyber Risk Score
The score accounts for your internal security findings, external threats, and business criticality. It enables security and IT teams to quickly answer questions from regulators, insurers, auditors, boards, and the C-suite.
This approach can also be used to drill-down and visualize correlated data and application attack paths. Applying intelligence-driven analysis enables security operations teams to focus on risks that threaten the business and in turn significantly speed up the decision process.
FIGURE 6: Application Attack Path Analysis Views
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P 10
In addition, the intelligence-driven cyber risk management concept applies a time-based approach to threats, since it is essential for an organization to keep track of its success metrics, align investments and resources efficiently, and more importantly leverage predictive analytics to minimize cyber risk.
FIGURE 7: Time-Based Analytics Views
3.3
Orchestration
Increasing collaboration between security and IT operations teams, with one being responsible for identifying security gaps and the other focused on remediating them, continues to be a challenge for many organizations. In this context, the intelligence-driven cyber risk management concept calls for combining workflow, ticketing, and remediation capabilities, assigning detailed remediation steps for each vulnerability, and automating real-time risk management.
Using the cyber risk management concept as a blueprint, it’s possible to implement automated processes for pro-active security incident notification and human-guided loop intervention. By establishing thresholds and pre-defined rules, organizations can also orchestrate remediation actions to fix security gaps. Meanwhile, cyber risk management provides a way to measure the effectiveness of remediation actions and ensure risks have been successfully eliminated.
To increase remediation effectiveness, emerging cyber risk management tools also provide playbooks that include step-bystep instructions on how to tackle the most critical vulnerabilities.
The intelligence-driven cyber risk management concept also mandates a closed-loop remediation process, which assures that a ticket is only closed once the effectiveness of a patch has been revalidated by an organization’s internal security tools. Unfortunately, many organizations close out tickets as soon as they applied a patch without testing if it was really effective. This leaves them vulnerable to a big blind spot if the patch failed.
To implement the intelligence-driven cyber risk management concept, progressive organizations are using cyber risk management software as an overlay to their existing security infrastructures. This approach provides the necessary aggregation, intelligence-based analysis, and orchestration capabilities to identify and respond to cyber threats early in the kill chain.
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P 11
4.0 Conclusion Cyber risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. Fortunately, new technology – intelligence-driven cyber risk management – is emerging that helps to not only aggregate internal security intelligence and external threat data, but more importantly correlate these data feeds with its business criticality or risk to the organization. The end result is automated, contextualized security metrics that align with business objectives.
Besides leveraging cyber risk management tools, organizations should also consider the following measures to ensure they’re operationalizing security intelligence as effectively as possible:
Assure ongoing categorization of assets within the organization to establish a benchmark for determining the business impact of threats and prioritization of remediation actions.
Apply best practices outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework; especially their referenced security controls library.
Increase the frequency of vulnerability scans and other methods to gather more timely security intelligence, which can assist in the detection of security gaps, control failures, and also verify if remediation actions were effective.
By implementing these measures, while correlating and contextualizing external threat data with internal security intelligence and business criticality, organizations can operationalize their cyber security practices to shorten time-to-detection and ultimately, time-to-remediation of cyber threats.
RiskSense pioneered the category of cyber risk management in response to the increasing challenges of extracting actionable intelligence from the massive volume of data generated by the patchwork of cyber security products, including vulnerability scanners, threat intelligences feeds, and other complex security systems. Organizations are seeking solutions to unify and contextualize the feeds from these disconnected, siloed tools and then prioritize and remediate those cyber risks that pose the biggest business impact. Rather than adding more tools, organizations are recognizing the need to implement a new, more efficient enterprise security model.
To address these challenges, RiskSense provides a new, more pro-active approach to cyber risk management that identifies, visualizes, prioritizes, and orchestrates the remediation of cyber risks across a growing attack surface. The RiskSense Platform enables organizations to manage their cyber risk by unifying and contextualizing internal and external security intelligence into a single view, and then correlating these findings with business criticality to drive risk-based remediation.
Manual approaches can take months, during which time attackers can exploit vulnerabilities, causing damaging cyber breaches and loss of valuable data. RiskSense automates these processes, empowering organizations to uncover imminent cyber risks, increase the productivity of their scarce cyber security staff, and minimize attack surface exposure.
© 2016 RiskSense. All rights reserved.
RiskSense White Paper | The New Enterprise Security Model: Cyber Risk Management
P 12
The RiskSense Platform transforms cyber risk management into a pro-active, collaborative, and real-time discipline. The platform embodies the expertise and deep knowledge RiskSense has gained from defending critical networks against the world’s most dangerous cyber adversaries. As former advisors to the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S., Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables, and the Strike Team Program.
The RiskSense Platform uses patented technology and leverages existing technology investments to contextualize internal security intelligence (e.g., from SIEM systems, vulnerability scanners, configuration management systems), external threat data (e.g., exploits, malware, threat actors, reputational intelligence), and business criticality to identify FIGURE 8: The RiskSense Cyber Risk Management Platform imminent cyber risks and prioritize remediation actions for physical and virtual assets within an organization’s infrastructure. It provides organizations a risk-prioritized view of the gaps that need to be mitigated first based on their business impact.
RiskSense enables true continuous diagnostics and mitigation, reducing manual efforts costing tens of millions of dollars, and makes security risk posture trending possible to report transparently to internal stakeholders and regulators. Some of the largest Global 2000 companies and government agencies rely on RiskSense for real-time, end-to-end security risk alerting, prevention, and remediation. With RiskSense organizations are finally able to gain near real time insight into their security risk posture and align remediation actions with business objectives. By leveraging RiskSense cyber risk management solutions, organizations can significantly shorten time-to-remediation, increase operational efficiency, strengthen their security programs, improve cyber hygiene, heighten response readiness, reduce costs, and ultimately minimize cyber risks.
Based on the company’s innovation in the cyber risk management space, Gartner recently named RiskSense one of the leading vendors in their report on Security Operations, Analysis, and Reporting. Furthermore, the company and its cyber risk management platform have been named Best Risk Management Solution of 2016 by Cyber Defense Magazine, 2016 Cybersecurity Excellence Awards Finalist for Most Innovative Cybersecurity Company and Most Innovative Vulnerability Management Solution of the Year, 2016 Silver Stevie Awards Winner for Most Innovative Tech Company by the American Business Awards (ABA), 2016 Silver Stevie Awards Winner for Best Security Software Solution by ABA, 2016 IT World Gold Award Winner for Best Information Security and Risk Management Solution, 2016 IT World Silver Award Winner for Security Software, and many more.
© 2016 RiskSense. All rights reserved.
RiskSense Worldwide Headquarters 4200 Osuna Road NE, Suite 3-300 Albuquerque, NM 87109 United States
General Inquiries
RiskSense Silicon Valley 530 Lakeside Drive, Suite 170 Sunnyvale, CA 94085 United States
Media Inquiries
+1 505.217.9422 +1 844.234.RISK (toll free)
[email protected]
[email protected]
© 2016 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Confidential. Do not distribute without written permission. The information contained herein is subject to change and we do not offer any warranty on this information.
