Risk bridges business and security

1. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . Why is risk the bridge between business & security worlds? I s a i a h M c G o w a n # A T L S e c C o n 2 0 1 7

2. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . It’s ‘medium-high’ because it highly effects operations! The risk is ‘high’ because it’s easy to conduct the attack! It’s ‘medium’ because we have compensating controls!

3. The Goal of Cybersecurity Symptoms of Failure Treating Root Causes The Way Forward

4. The Goal of Cybersecurity

5. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . •All business functions dealing with adverse events share our goal: •To cost-effectively manage to an acceptable level of risk. •We are not here to make the business ‘secure’! “The value of information security is our ability to affect exposure to loss.” -Jack Jones, Inventor of FAIR

6. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . The Board of Directors Responsible for all opportunities and risks Executive Management Responsible for executing priorities set by the board CISO Responsible for managing cybersecurity risk to an acceptable level Cybersecurity Operations Responsible for executing security initiatives to aﬀect the frequency and/or magnitude of adverse events

7. Symptoms of Failure

8. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . •Unicorn syndrom •Failing to address underlying assumptions •Leveraging poor models of the problem space •Expecting the business to speak our language •Mixing cybersecurity jargon with business terms Common symptoms affecting our ability to manage risk:

9. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . What’s the risk of this bald tire? •What were your assumptions? •How did you define ‘risk’?

10. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . f a i r i n s t i t u t e . o r g / b l o g / f i x i n g - n i s t - 8 0 0 - 3 0 Broken models are broken

11. Would you go to the moon if…

12. The Risk Register!! It’s out of control!!

13. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . A disease resulting in a Denial of Service attack on an organization attempting to prioritize cybersecurity issues. Risk-register-itis /risk/ˈrejəstər/itis noun •Putting any possible issue into a risk register •A signal-to-noise ratio too great to overcome Common conditions include:

14. Treating Root Causes

15. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . Risk is the probable frequency & probable magnitude of future loss. erm… How likely will adverse events occur and how unfavorable are they likely to be.

16. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . Cloud Computing Unexpired passwords Privileged Insiders SQLi Mobile Devices Ransomware Weak VPN encryption Asset Control condition Threat Attack technique Asset Threat Control condition Can you spot the risks?

17. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . Vulns Findings Exceptions Control Gaps Missing Policies Please Stop!

18. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . “Treat risk as a science, not a dark art. Use scenario analysis. Think things through all the way to the end. Then come back to the beginning and ask yourself "what if?". While predicting the future is hard, formal risk models like FAIR and bow-tie can help tremendously.” -Dr. Ramzan, CTO, RSA

19. Risk Loss Event Frequency (LEF) Loss Magnitude (LM) Threat Event Frequency (TEF) Vulnerability Contact Frequency Probability of Action (PoA) Threat Capability (TCap) Resistance Strength (RS) Random Regular Intentional Value Level of Effort Risk Skills -- Knowledge -- Experience Resources -- Time -- Materials Primary Loss Secondary Risk Secondary Loss Event Frequency Secondary Loss Magnitude Factor Analysis of Information Risk (FAIR) Analysis Scoping 1. Identify the asset(s) 2. Identify relevant threat(s) 3. Deﬁne Loss Type: C - I - A Productivity Loss - Loss that results from an operational inability to deliver products or services Response Costs - Loss associated with the costs of managing an event Risk - The probable frequency and probable magnitude of future loss Loss Event Frequency - The frequency, within a given timeframe, that loss is expected to occur

20. Data-driven risk analysis Risk-oriented Cybersecurity Operations Formal risk models Incorporating terms that aligns to the business •Classification patterns •VDBIR •Attack trends •Threat profiles •Threat modeling •STRIDE Threat Intelligence •Incident classification alignment •VERIS •MITRE •Reusable data Incident Management

21. •Security posture •Vulnerabilities •Conﬁguration ﬂaws •Variance in compliance Auditing & Scanning Node Telemetry •Asset inventory •Data at risk •Automated •Manual •Outsourced •Red Team Testing

22. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . Risk management is an analytical discipline Enterprise risk Uncover key risk drivers Systematic analysis Analyses become repeatable and operationalized Scientiﬁc analysis results drive better recommendations to the business, resulting in cost- eﬀectively managing risk to an acceptable level. Risk Management Goal Data (telemetry) Feeds analysis to drive objective results

23. The Way Forward

24. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . •The FAIR Institute •fairinstitute.org (membership is free) •Measuring & Managing Information Risk: A FAIR Approach •Amazon •‘Getting Started’ reading list •fairinstitute.org/blog/5-must-read-books-to-jumpstart-your-career-in-risk- management Resources:

25. C o p y r i g h t 2 0 1 7 R i s k L e n s , I n c . Questions?!

Risk bridges business and security

Du liest eine Vorschau.

Hier ansehen

Risk bridges business and security

Weitere Verwandte Inhalte

Diashows für Sie (20)

Ähnlich wie Risk bridges business and security (20)

Aktuellste (20)