Deep Thoughts on Enterprise Cyber Risk
Fake Risk Graphs generated from http://sporkforge.com
I started writing this blog right after the release of Senator Warren’s report on Equifax and completely failed. I tried to pack every relevant anecdote I had experienced while meeting cyber risk companies, being CEO of Tenable, running an intrusion detection company and being a penetration tester.
Cyber risk means a lot of different things to people based on their experience with compliance, if they were in security operations and if they are outside of the cyber workforce. There is no really good definition that everyone agrees upon. Rather than attempt that, I’ve listed some very high level lightning rod or debatable concepts as questions which are often discussed in enterprise organizations about managing or measuring cyber risk and then answered them with some brief points and comments.
Can all Cyber Risk Be Removed?
Of course not. In a perfect simplistic world, when everything is patched, every user is vetted, all of our defenses are deployed correctly, we still have users who go bad, zero day vulnerabilities and attacks that evade detection. This is also why we have cyber insurance. Even if we do everything right, there are still lots of things we don’t have control over.
Can Cyber Risk be Modeled?
My preference is to measure, but you can build models. Models are very useful for communicating to non-cyber executives and to help build strategic priorities.
For imprecise models, I recommend attempting to fill in your organization’s investments in the NIST Cyber Security Framework as charted against your devices, applications, network, data and users. This can give you a very easy to understand and visual representation of gaps in your cyber risk.
For more detailed and the ability to model potential dollar losses, I recommend considering a variety of commercial tools. Enterprise cyber risk models should compute potential losses and outages and any compliance or revenue impacts associated. It should be used as a guide for how much and what type of cyber insurance you should have.
Doing this can modeling can become insanely complex on your own. You should use a sophisticated solution like RiskLens, Nehemiah’s RQ, Emergent, X Analytics from SSiC or CyVAR from CyberPoint. Each of these takes a combination of measured actual technical input, self answered questions, input from threat feeds and input from industry indexes of cyber risk to produce a literal “dollar amount” of cyber risk that you have.
A major benefit of these tools is to ensure that you have a security apparatus in place that meets your desired risk tolerance. A secondary benefit is to be able to reduce the amount of spend you have in an area where you’ve deployed two or three solutions where only one is needed.
Can Cyber Risk be Measured or Simulated?
Yes, but it is called a lot of different things in practice.
Automated Breach Simulation — Penetration tests and audits of your disparate enterprise security monitoring apparatus are great, but there is no substitute for automating some sort of attack, every day, and seeing if it shows up in your monitoring. Span ports go away with reconfiguration, agents get disabled, firewall rule changes impact event flows, .etc. Our investment in this space is ThreatCare, and other companies with different approaches include Crossbow from Scythe and Verodin.
Attack Path Modeling — Can you model the network and vulnerabilities, and simulate likely paths attackers can take? Yes — check out tools like RedSeal or FireMon. Make sure the solution models client-side breaches as these tools started out with only modeling direct server attacks.
Compliance Auditing — A compliant network can be harder to attack than a non-compliant network. Maintaining a compliant network continuously is also better than periodically fixing things to pass an audit.
Cyber Exposure — Not surprisingly, I really like Tenable’s approach here. If you say “vulnerability scanning”, I find that people immediately think of a type of scan, such as a port scan or a Windows patch audit and they don’t think about continuously discovering and testing your IOT, BYOD, SaaS, IT, AWS, .etc. Having said that, we don’t have any industry standards on what good hygiene is. Is 30 day patch window good compared to peers in my organization? How about other organizations?
Penetration Testing and “Crowd” web app auditing efforts — Paying a team to break into your network is distinct from auditing your network because of two ways. One, you can see if your security team detects them. Two, Not every type of cyber exposure is equal and knowing what the penetration test team targeted can help you prioritize what to remediate.
Can Third Party Cyber Risk be Measured?
Many organizations treat third party risk differently from the “on premise” network because they are very different and we may not have the right to really look deep under the hood of a SalesForce or NetSuite as we’d like to. If you put data in a SaaS app like Dropbox, Office 365, .etc, you still have to worry about the cyber risk associated with that platform, so how can you do that?
One way is to ask them about their security posture. Many SaaS and “third party” vendors publish service level agreements, have bug bounty programs, have realtime status indication web sites and so on. This can be really difficult to manage if you have many different vendors. A company in this space that makes tracking all of this easy and powered by the crowd is CyberGRX. If someone conducts an audit of Salesforce under CyberGRX, all of their users benefit.
Another way is to scan them, however, we’re not talking about firing up a Nessus scanner and pointing it toward Salesforce.com. All major cloud or SaaS applications have a footprint on the Internet which may have some insight to actual vulnerabilities which could imply cyber risk. A company in this space that I think embodies this concept is RiskRecon. They help make sense of encryption lapses, vulnerabilities and other information that could impact your relationship with them. I am somewhat concerned with back porting of vulnerabilities (the old vulnerable banner stays put even after a system like Apache is patched) which could lead to false positives.
And lastly is to not only do this type of scanning, but pull in any and all data we can get about the third party and make an overall assessment score — can we harvest browser vulnerabilities from URL shorteners, can we see IP addresses from an entity in one or more threat feeds, is there a passive DNS feed we can infer internal vulnerabilities from, have there been actual incidents from the company, .etc. Compared to an internal vulnerability or compliance audit, I always found these types of reports questionable at best, but they all said that Equifax had major issues. Senator Warren’s report on Equifax (if you go to page five) specifically highlighted the leading vendors in this space including Cyence, Security Scorecard and BitSight.
Overall, it would be better for the industry if more organizations were required to disclose their general programs, perhaps showing how cyber risk is measured through the eyes of the NIST Cyber Security Framework.
Bottom Line — Defense is hard, Offense is Easier
If you get a chance to speak with penetration testers or incident responders and ask them how they would recommend measuring cyber risk, you will hear many of the items I’ve discussed.
What you won’t hear is that for $500k, you can break into most organizations. This is a very general statement, but if you think about it, you can hire a few penetration testers and a reverse engineer for that amount of money for a full year — and it would cost less outside of the US. They can sit back and wait for an opportunity to watch an organization and pick a path to get in undetected or be the first to leverage a disclosed zero day.
I mention this in closing, as I think it is really important to have a range of real and probable adversaries in mind as we model and measure our cyber risk, otherwise, cyber risk is so complex, you may put more focus on the cyber risk process, than in keeping adversaries out.