Updated: Feb 12, 2020
Risk, Governance, and Compliance are the fundamental elements of cybersecurity framework. In this blog we will primarily focus on Risk and ways to measure it.
Risk measurement is the bedrock to some Industries like insurance where there is a dedicated practice called Actuarial science to measure different elements of risk. Similarly, there are established frameworks to measure the credit risk of companies and even individuals like Moody's rating and FICO score. But measuring cybersecurity risk has been hard and in many cases non-existent.
Image Credits: cafecredit.com
For some Enterprises, cybersecurity incident measurement is a good proxy for risk. While security experts argue that Enterprise might be doing such a bad job monitoring that they don't even detect ongoing risk and APT (Advanced Persistent Threats) and think they are doing a good job.
What makes cybersecurity risk measurement so hard compared to its peer industry like insurance? Few things to consider:
The flywheel of technology is accelerating - every few years we see a new wave of technology that disrupts the industry. Some examples in the last two decades are VMs, DevOps automation, Cloud (IaaS, PaaS), containers, Kubernetes and Serverless to name a few. This makes it very hard to build model and quantify risks. In comparison, the insurance industry models have been relatively stable over the last century
Nation-states - countries are modernizing their infrastructure and increasing efficiencies through technology. This creates a fertile ground for cyber attack and state-sponsored espionage as it can destabilize nations without putting the lives of soldiers at risk. This is also a very effective strategy for countries to hit adversities where it matters the most. A lot of State sponsor events are Black Swans, it happens rarely but when it does it puts a big portion of Enterprise at risk (e.g., recent Equifax attack, and Stuxnet). In comparison, the insurance industry doesn’t see state-sponsored black swan events.
People and processes - as technology stocks have evolved, so has the need to cut costs and bring more Automation in place. This has led to companies adopting new operational practices over time. Anytime, new people and processes have evolved there is a ramp-up time and if resources are in constraint they're bound to create errors leading to unnecessary risk. Also, with the complexity of Technology stack, it is humanly impossible to understand all different configurations and associated risks and deploy the most optimal and risk-averse solutions specially in current IaaS solutions.
So what are some of the basic things and Enterprise can do to reduce risk and increase resilience:
Prioritize assets based on business risk
Protect based on prioritized asset
Integrate security into the Dev environment. Train developers to become risk aware by exposing them to basic tools to help them understand business risk associated with that everyday activity
Deploy proactive defense and monitoring system to alert you about the asset at risk as well as about compromising events
Deploy incident response to enable your team to take infected assets offline or quarantine them to prevent expansion of the blast radius
We at Araali Networks, are helping Enterprises to understand the risk through Araali Gamma Visibility and reduce risk by protecting and fortifying prioritized assets. We also monitor apps and assets at a very granular level for incidents and proactively alert you on new things while automatically taking care of lateral spread, zero-day events, and quarantining assets.