In the dynamic landscape of cybersecurity, the continuous influx of vulnerability disclosures and the rapid dissemination of the latest cyber techniques and tactics through various channels pose a significant challenge for Cyber Threat Intelligence (CTI) specialists. In cybersecurity risk management, identifying and assessing relevant cyber threats are critical tasks, and an effective strategy must be employed to navigate this constant flow of information.

But first, some basics. One can describe cybersecurity risk management as: ‘Cybersecurity risk management identifies, evaluates, and mitigates potential threats and vulnerabilities to an organization’s information systems, networks, and data. It aims to protect sensitive information, maintain the confidentiality, integrity, and availability of data, and ensure the overall security of digital assets. This process involves a systematic approach to understanding, managing, and reducing the impact of cybersecurity risks.’

The term ‘identifying’ can be explained as: ‘Cybersecurity risk identification is the process of systematically identifying and documenting potential threats, vulnerabilities, and risks that could threaten an organization’s information systems, networks, and data. This phase is a crucial element of the broader cybersecurity risk management process, providing the foundation for subsequent risk assessment and mitigation efforts.’

The term ‘evaluating’ can be explained as: ‘Cybersecurity risk evaluation is a critical component of the broader risk management process and involves assessing and analyzing the potential risks to an organization’s information systems and data. The primary purpose of cybersecurity risk evaluation is to determine the likelihood and impact of identified risks, enabling organizations to make informed decisions about managing and mitigating those risks effectively.’

The effectiveness of the CTI team within the security department hinges on its ability to systematically identify and evaluate potential threats. However, the team relies heavily on comprehensive information about the organization’s hardware and software infrastructure, core business operations, and IT architecture for optimal success. This critical contextual information is the foundation upon which the CTI team can adeptly identify and assess cybersecurity threats, providing a nuanced understanding of the threats’ likelihood and potential impact on the organization. The synergy between detailed organizational insights and the CTI team’s analytical capabilities forms a strategic nexus, empowering the team to safeguard the organization against evolving cyber threats proactively.

But how can you assess the likelihood and impact of a cybersecurity threat?

Of these two, impact is the more straightforward to answer, by asking: ‘What are the costs per hour if the asset/application/data becomes unavailable?’. Determining the likelihood is harder because you have to deal with multiple variables: ‘From where is the attack initiated?’, ‘Which security controls are placed between the source and the target?’, and ‘Which of these security controls can block or detect the attack?’.
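As an added illustration (not code from the original post), here is a small model of the three likelihood questions above, with impact computed as the cost per hour of unavailability times the outage duration. The control names, block/detect probabilities and cost figures are constructed assumptions, not a method the post prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Control:
    """One security control sitting between the attack source and the target."""
    name: str
    p_block: float   # probability it stops this attack outright (assumed value)
    p_detect: float  # probability it alerts when it does NOT block (assumed value)

def success_likelihood(path: List[Control]) -> float:
    """Likelihood the attack reaches the target: every control on the path fails to block."""
    p = 1.0
    for c in path:
        p *= 1.0 - c.p_block
    return p

def undetected_likelihood(path: List[Control]) -> float:
    """Likelihood the attack succeeds AND no control on the path raises an alert."""
    p = 1.0
    for c in path:
        p *= (1.0 - c.p_block) * (1.0 - c.p_detect)
    return p

def impact(cost_per_hour: float, outage_hours: float) -> float:
    """Impact as the post frames it: cost per hour of unavailability times expected outage."""
    return cost_per_hour * outage_hours

def rank_sources(paths: Dict[str, List[Control]], cost_per_hour: float,
                 outage_hours: float) -> List[Tuple[str, float, float, float]]:
    """(source, P(success), P(success and undetected), expected loss), highest loss first."""
    rows = [(src, success_likelihood(p), undetected_likelihood(p),
             success_likelihood(p) * impact(cost_per_hour, outage_hours))
            for src, p in paths.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample controls and attack paths; the numbers are illustrative only.
WAF = Control("waf", p_block=0.6, p_detect=0.5)
EDR = Control("edr", p_block=0.5, p_detect=0.8)
SEGMENTATION = Control("network-segmentation", p_block=0.7, p_detect=0.2)
PATHS = {
    "internet": [WAF, EDR],                        # attack initiated from outside
    "internal-workstation": [SEGMENTATION, EDR],   # initiated from a compromised internal host
}

if __name__ == "__main__":
    for src, p_ok, p_silent, loss in rank_sources(PATHS, cost_per_hour=20_000.0, outage_hours=8.0):
        print(f"{src:22s} P(success)={p_ok:.2f} P(undetected)={p_silent:.3f} expected loss={loss:,.0f}")
```

With these sample values the internet path is the likelier to succeed, yet the internal path is the likelier to succeed without any alert, which is exactly why the third question (block versus detect) has to be asked per control.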

For your CTI team to assess the likelihood of cybersecurity threats effectively, a profound understanding of the network architecture and the intricacies of active security controls is paramount. This entails a comprehensive grasp of the organization’s digital infrastructure and the efficacy of deployed security measures, hence the need for contextual information. The complexity, however, arises from the absence of a single universal framework for this calculation: numerous frameworks exist, each offering its own methodology.

Therefore, it becomes imperative for the organization to adhere to a single framework, mitigating the risk of excessive discussions and fostering a unified approach to threat likelihood assessment. A consistent and standardized framework streamlines the evaluation process and ensures a cohesive understanding across the organization, facilitating more targeted and effective risk mitigation strategies. Frameworks commonly used for this assessment include:

  • Factor Analysis of Information Risk (FAIR)
  • Committee of Sponsoring Organizations (COSO)
  • Control Objectives for Information and Related Technology (COBIT)
  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Risk Management Guide for Information Technology Systems (NIST)
  • Threat Agent Risk Assessment (TARA)

Part of cybersecurity risk management is also to focus on risk monitoring, described as: ‘Cybersecurity risk monitoring is a continuous and proactive process of observing, assessing, and analyzing the security posture of an organization’s information systems to identify and respond to potential threats and vulnerabilities. The primary goal of cybersecurity risk monitoring is to maintain situational awareness and promptly detect any abnormal or suspicious activities that could put the confidentiality, integrity, and availability of data and systems at risk.’

Many organizations’ prevailing approach to bolstering cybersecurity risk monitoring involves channeling all security data toward a central hub, typically a SIEM solution. While this centralized aggregation is instrumental in consolidating data streams, it introduces a nuanced challenge that extends beyond the technical realm, delving into the intricacies of processes and procedures. How do you deal with all the incoming alerts?

  • Overcoming Alert Overload: Channeling diverse security data to a central point invariably leads to an avalanche of alerts. Addressing this challenge requires strategically refining processes to effectively manage, prioritize, and respond to alerts.
  • Optimizing Triage and Response: Optimizing the triage and response mechanisms emerges as the core procedural hurdle. Establishing well-defined procedures for handling alerts, complete with prioritization criteria and automated responses, becomes pivotal to navigating this procedural challenge.
  • Tailoring to Organizational Objectives: Tailor processes to align with organizational objectives and risk tolerance. The incident response workflow becomes more agile and purpose-driven by customizing procedures based on the organization’s unique security requirements and priorities.
  • Continuous Process Refinement: It is imperative to institute a culture of continuous improvement. Regularly assess and refine processes based on the evolving threat landscape, technological advancements, and insights from incident response experiences.
  • Automating Routine Procedures: Automate routine and repetitive procedures to streamline the incident response workflow. Automated playbooks can handle specific low-level alerts, allowing human resources to focus on more intricate threat detection and response aspects.
  • Incident Documentation and Analysis: Institute meticulous incident documentation practices. Analyzing past incidents and documenting lessons learned aids in refining processes, identifying bottlenecks, and optimizing the overall incident response lifecycle.
  • Balancing Alert Precision and Volume: Strike a delicate balance between alert precision and volume. Fine-tune alerting rules and thresholds to minimize false positives, ensuring the alerts generated are relevant and indicative of actual security incidents.

When orchestrating the processes for cybersecurity risk monitoring, the pivotal consideration revolves around incident response. The thought process extends beyond mere detection and alerting; it delves into the crucial decisions surrounding the immediate actions once a specific alert, let’s say, “Alert X,” is triggered. Questions arise: Should the response be limited to monitoring and alerting, or does it escalate to incident containment? Is the conclusion of the incident containment sufficient, or should the response persist until the incident is entirely eradicated?

In a proactive Security Operation Center (SOC) environment, operational continuity is paramount, often necessitating 24/7 staffing. The SOC responds swiftly upon detecting an alert, initiating the incident response protocols. However, a critical facet to ponder is the operational availability of the response organization itself. Is the incident response team accessible round the clock, or are their services restricted to standard business hours? Some of the things you need to consider when thinking about incident response:

  • Real-Time Responsiveness: Establish clear protocols for real-time response once an alert is triggered. Define specific actions, responsibilities, and escalation paths for a swift and coordinated reaction.
  • Incident Containment Strategies: Consider the threshold for incident containment. Determine whether containment efforts should be pursued immediately upon detection or if a comprehensive assessment is required before initiating containment measures.
  • Eradication Protocols: Clearly outline procedures for incident eradication. Identify the steps and measures needed to eliminate the incident’s root cause, ensuring a thorough and effective eradication process.
  • Availability of Response Organization: Assess the operational hours and availability of the incident response team. If the response organization is confined to business hours, formulate contingency plans for handling security incidents outside these hours.
  • Automated Response Mechanisms: Explore the integration of automated response mechanisms, especially for routine and low-level incidents. Automation can provide initial responses, reducing the dependency on human intervention for non-complex incidents.
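An added example (not from the original post) that turns the five considerations above into one routing decision: a containment threshold, the availability of the response organization, and automated handling of routine low-level alerts. The severity bands, business hours, playbook names and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum

class Action(Enum):
    AUTO_PLAYBOOK = "automated-playbook"          # routine low-level alert, handled by automation
    MONITOR = "monitor-and-alert"                 # low severity, non-routine: watch, no active response
    CONTAIN = "contain-now"                       # immediate containment
    ASSESS_FIRST = "assess-before-containment"    # human assessment precedes any containment
    QUEUE = "queue-for-business-hours"            # nobody available and not urgent enough to act alone

@dataclass(frozen=True)
class Alert:
    name: str
    severity: int         # 1 (informational) .. 5 (critical); band boundaries are assumptions
    asset_critical: bool  # the affected asset is business-critical
    routine: bool         # a known, low-level pattern with a vetted automated playbook

@dataclass(frozen=True)
class ResponseOrg:
    business_start: time = time(8, 0)
    business_end: time = time(18, 0)
    on_call_after_hours: bool = False  # is a responder reachable outside business hours?

    def available(self, now: datetime) -> bool:
        """True if a human responder can act right now."""
        in_hours = now.weekday() < 5 and self.business_start <= now.time() < self.business_end
        return in_hours or self.on_call_after_hours

def route_alert(alert: Alert, org: ResponseOrg, now: datetime) -> Action:
    """Decide the immediate action when an alert fires."""
    if alert.severity <= 2:
        # Low-level alerts: automation takes the routine ones, the rest are only monitored.
        return Action.AUTO_PLAYBOOK if alert.routine else Action.MONITOR
    # Containment threshold (assumed): high severity on a critical asset justifies acting at once.
    contain_now = alert.severity >= 4 and alert.asset_critical
    if org.available(now):
        return Action.CONTAIN if contain_now else Action.ASSESS_FIRST
    # Out-of-hours contingency: automated containment for the urgent cases, queue the rest.
    return Action.CONTAIN if contain_now else Action.QUEUE

BUSINESS_HOURS = datetime(2024, 1, 9, 10, 0)    # constructed timestamp: a Tuesday, 10:00
SATURDAY_NIGHT = datetime(2024, 1, 13, 3, 0)    # constructed timestamp: a Saturday, 03:00

if __name__ == "__main__":
    org = ResponseOrg()  # business hours only, no on-call
    for a in (Alert("failed-login-burst", 2, False, True),
              Alert("suspicious-powershell", 3, False, False),
              Alert("ransomware-beacon", 5, True, False)):
        print(f"{a.name:22s} -> {route_alert(a, org, SATURDAY_NIGHT).value}")
```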

By thoroughly addressing these considerations, organizations can fortify their incident response capabilities, ensuring a resilient and adaptive approach to cybersecurity risk monitoring. A comprehensive incident response strategy focuses on immediate actions and encompasses the readiness to handle incidents beyond standard business hours, contributing to a robust security posture.

In the contemporary cybersecurity landscape, an imperative question arises when contemplating incident response strategies: how can we adapt to the escalating speed at which adversaries operate to achieve their objectives? As malicious actors continually refine their tactics, it becomes crucial to reassess and optimize our incident response methodologies. One avenue worth exploring is the automation of certain aspects within the incident response framework to mitigate potential damage more effectively.

The ever-evolving nature of cyber threats demands a proactive and dynamic approach to incident response. Adversaries armed with sophisticated tools and techniques often exploit vulnerabilities with remarkable speed, necessitating a rapid and well-coordinated response. I realize this urgency prompts a critical examination of the elements within the incident response that can be automated to make it more efficient and effective.

Automation in incident response promises to reduce response time, a pivotal factor in minimizing the impact of a security incident. Routine and repetitive tasks, such as data collection, initial analysis, and preliminary mitigation steps, can be seamlessly executed by automated systems. By automating these facets, security teams can free up valuable human resources to focus on more complex and strategic aspects of incident response, including threat hunting, attribution, and advanced forensic analysis.

Furthermore, implementing automated incident response mechanisms contributes to consistency and accuracy in executing predefined actions. Human intervention, while indispensable, may introduce variability and potential errors during high-pressure situations. Automation can ensure a standardized response by following predefined playbooks and best practices, thereby reducing the risk of oversight and enhancing overall response efficacy.

I would like to emphasize that while automation can significantly boost incident response capabilities, a balanced approach is essential. Human expertise remains irreplaceable in navigating the intricacies of cyber threats, devising nuanced strategies, and making informed decisions based on context and experience. Therefore, organizations must carefully delineate the boundaries between automated processes and human intervention to maximize the synergy between technology and human intelligence.