Transcript: A Risk-based approach to Cybersecurity: a masterclass on what to do and how to do it (CRMG, 25th June 2020)
Getting cyber security right. First time.
25th June 2020
A Risk-based approach to Cybersecurity: a masterclass on what to do and how to do it
Proud to be a Member:
Copyright Cyber Risk Management Group Limited 2020
Housekeeping
• Today’s session will be 2 hours in total, with breaks throughout and time to take questions
• Please submit your questions through the Q&A panel on your Zoom console
• This session will be recorded. We will send a copy of the recording and slides to all attendees
About the masterclass
This masterclass is a deep dive session, aiming to provide clarity on what a ‘good’ cyber risk management capability looks like, and a pragmatic approach to delivering an effective risk assessment.
The session is a knowledge share based on the experience of real practitioners who have worked for many years in different industries and organisations, using tried and tested models and frameworks.
Your speakers
Martin Tully, Principal Consultant, CRMG
Nick Frost, Co-Founder & Director, CRMG
Simon Lacey, Former Information Security Policy Manager at the Bank of England, CRMG
About CRMG
Cyber Risk Management Group (CRMG) is a leading provider of cybersecurity and information risk consultancy services and training courses.
We cut through complexity by focusing solely on what matters – protecting your business sufficiently with minimum fuss and disruption. We pride ourselves on the delivery of pragmatic approaches that protect your organisation in line with your true risk profile, at a sensible price point.
Consultancy Services | Tools & Solutions | Education & Training | Partners
This masterclass is supported by
The Chartered Institute of Information Security (CIISec) is the only pure play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security.
www.ciisec.org
Galvanize builds security, risk management, compliance, and audit software to drive change in some of the world’s largest organisations.
www.wegalvanize.com
Objectives & agenda over the next two hours

Objectives
1. Set out the foundations that are needed before you start assessing risk
2. Determine what a risk assessment process MUST cover
3. Walk through a plan for establishing a risk capability and a process for evolving one
4. Recognise the future for cyber risk assessment in the context of cyber security.

Agenda
1. Setting the scene
2. Getting the basics right
3. Building on solid foundations
4. Case studies from the trenches
5. Cyber risk and the future.
Introduction – Cyber risk webinar series
In the cyber risk webinar series with Galvanize and CRMG, we hosted 3 webinars on the topic of cyber risk management (total number attended: 500+):

Compliance to risk
• Essential for an effective programme
• Must be tied to business goals
• Serves to highlight rationale behind investment

Mind of the Board
• Boards are aware of their responsibility for risk management
• Cyber literacy is increasing
• Get in the mind of YOUR Board
• Tell a story to get attention

Enduring a crisis
• Prioritise risk
• Understand business critical functions
• Simplify and reduce complexity to manage risks
• Stick to basics: People, Process, Technology
1. Setting the scene
Pros and cons of a compliance-based approach
Compliance to meet security requirements
(Diagram: jurisdictions labelled CAN, UK, IC and FR, each shown as meeting or not meeting requirements)
Benefits of a compliance led approach:
• Easy to understand and follow
• Approach adopted across many areas (Legal, HR, Finance)
• Works well in a relatively static environment
Limitations of a compliance led approach:
• Difficult to update for dynamic environments (e.g. cyber security)
• Over-engineering of controls (excessive costs against risk)
• Under-engineering of controls (under investment and increasing exposure to attack)
Why is a risk based approach key to managing cyber security?
• Compliance-based approaches typically do not adequately identify the risks
• Risk identification is vital for today’s cyber security management
• Risk-based approaches are better at targeting investment
• Risk-based approaches achieve greater transparency and rationale as to why controls for managing security are needed
• Risk-based approaches enable the business to make better informed judgements about whether investment is needed or not
At the end of the day – it is all about reducing risk, and this is why it usually means we must take the harder route to defining security controls.
Acknowledgement: The Cyber Security Hub
Risk in a nutshell…
It’s still all about the information
Fundamentals of a risk-based approach
• Framework for conducting risk assessments
• Training and education to equip staff with skills
• Easy to follow process
• Approved data sets (threat lists, control libraries)
• Plan for delivery and execution
• Agreement on reporting
• Stakeholders identified
• Assets identified
2. Getting the basics right
Cyber Risk Assessment (CRA) Approach
(Diagram: the seven steps of the approach, numbered 1 to 7; each step is described on the slides that follow)
1. Create the target profile
2. Determine business impact
3. Assess cyber threat
4. Assess cyber vulnerability
5. Determine cyber risk
6. Identify cyber risk remediation
7. Report cyber risk
Structure of the slides
Step title: DESCRIPTION OF THE STEP
Who to involve: Role A | Role B | Role C | Role D
Their role in this step: Contribute | Contribute | Listen | Facilitate
Inputs: Agenda; Data type examples; Understanding of the system
Est. time
• Description of key activities
• Key points for consideration
Cyber Risk Assessment Step 1: CREATE THE TARGET PROFILE
Who to involve: System owner | Business owner | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Listen | Facilitate
Inputs to this step: Identify the stakeholders; Organise the workshop and agenda; Brief all parties on the objectives and process
Est. time: 1 hour
1. Goal is to define exactly what is being assessed
2. Avoid being over complex when it comes to the scope of the assessment
3. Visualise the system and environment under review
4. Understand the data types and how the data flows (e.g. inbound and/or outbound systems involved)
Cyber Risk Assessment Step 2: DETERMINE BUSINESS IMPACT
Who to involve: System owner | Business owner | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Listen | Facilitate
Inputs: Agenda for workshop; Data type examples; Understanding of the system
Est. time: 2 hours
1. Goal is to gain an understanding of impact
2. Present realistic scenarios based on your knowledge of the scope
3. Reach a consensus of the ‘possible’ impact for C, I and A
4. Use a reference framework to challenge and make informed
Determine business impact (basic example)

Category | Low | Moderate | High | Very High
Financial | <£100,000 | £100,001 - £500,000 | £500,001 - £1.5 million | >£1.5 million
Reputational | No or low media coverage | Moderate adverse coverage (e.g. story runs over 1-2 days) | Significant adverse coverage (>2 days, main focus of attention) | Adverse coverage sustained over more than 1 week
Regulatory | No increased regulatory focus | Slight increase in regulatory focus / impact | Significant attention from regulator / Notified single breach | Multiple breaches / License withdrawn
Health / Safety | Very minor injury / No ongoing effect | Non-critical injury requiring medical intervention / No prolonged effect | Critical injury requiring hospitalisation / medium term effect | Death / Long term debilitation

* Consider running this as a workshop
Once a business impact assessment has been completed: ‘Go / No Go’ to next step?
CONSIDER RISK APPETITE!
Cyber Risk Assessment Step 3: ASSESS CYBER THREAT
Who to involve: Security analyst | System owner | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Listen | Facilitate
Inputs: Agenda for workshop; Understand the system under review; Use the agreed threat list and sources of threat data
Est. time: 4 hours (possible one-off activity)
1. Goal is to assess the threats that are relevant to your environment
2. Knowledge of threats is imperative to assessing cyber risk
3. Organisations have to understand what is going on in the threat space
4. Agree on a standard threat list before conducting a threat assessment
5. Today we must reflect on actions of the organisation and possibly changes in geopolitics
Assess cyber threats
Examples of threats:
• Unauthorised access
• Misuse of systems by staff
• Introduction of unauthorised code
• User error
• Denial of service
• Compromise of third-party partner
Consider:
• Intent (malicious or unintended?)
• Capability
• Strength
• Likelihood
• Timescale
Remember: the initiator (agent / source / actor) is different from the action!
* Use a standard list of threats as your starting point
* Consider running this as a workshop
HOW RELEVANT ARE DIFFERENT THREATS TO YOUR ENVIRONMENT, AND WHAT’S THEIR POTENTIAL CAPABILITY?
Cyber Risk Assessment Step 4: ASSESS CYBER VULNERABILITY
Who to involve: Security analyst | System owner | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Listen | Facilitate
Inputs: Agreement of the control library to be used; Approved matrix; Review of the ratings (do they feel right?); Control templates
Est. time: 2 hours
1. Goal is to understand your capability to mitigate previously identified threats
2. Semi-automate the selection of control questions based on threats
3. Self-assessment or workshop approach
4. Template control sets or use them at the application/system level (be aware of elapsed time!)
Assess cyber vulnerability
In assessing vulnerabilities:
• Identify controls that are most relevant, given the prioritised threats identified at the previous stage
• Focus on identifying control weaknesses
• Consider a range of techniques (automated / interviews / evidential)
• Align with a recognised framework where possible (e.g. NIST, ISO 27002, ISF 2020 Standard of Good Practice)
• Fast track by referring back to recently completed audits / assessments
Cyber Risk Assessment Step 5: DETERMINE CYBER RISK
Who to involve: Security analyst | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Facilitate
Inputs: Approved risk matrix; Impact and likelihood ratings to determine risk
Est. time: 2 hours
1. Goal is to determine the final risk rating using a risk matrix
2. Involves review and decision by the risk analyst and system owner
3. ‘Moderated’ versus ‘Calculated’ rating using the matrix
4. Often included with the next step (Identifying cyber risk remediation) in a single workshop
Determine cyber risk
PROBABILITY X IMPACT = RISK
(Diagram: risk matrix with PROBABILITY on one axis)
In understanding probability:
• How likely is it to happen in the first place? (from Step 3)
• How likely is it to overwhelm our controls if it does happen? (from Step 4)
In understanding impact:
• What’s the potential damage to the business? (from Step 2)
• To what extent will our controls reduce damage? (from Step 4)
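A worked example, added to this transcript and not part of the CRMG deck, that puts Steps 2 to 5 together in Python: an impact rating from the business impact table, a probability rating that combines threat likelihood (Step 3) with control strength (Step 4), a calculated risk from a probability x impact matrix, and the ‘moderated’ override from Step 5. The financial bands are the deck's basic impact table; the likelihood and control-strength scales, the 4x4 matrix and the sample DDoS risk are constructed assumptions.

```python
"""Added example (not the deck's own material): rating a cyber risk from the
deck's ingredients. Step 2 supplies an impact table, Step 3 a threat
likelihood, Step 4 a view of control strength, and Step 5 combines
probability and impact through a risk matrix with a 'moderated' override.
The financial bands are the deck's basic example; every other scale, the
matrix and the sample risk are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

LEVELS = ["Low", "Moderate", "High", "Very High"]

# Financial impact bands (GBP) from the deck's 'Determine business impact' table.
# Upper bound inclusive: <=100,000 Low, <=500,000 Moderate, <=1.5m High, else Very High.
FINANCIAL_BANDS = [(100_000, "Low"), (500_000, "Moderate"), (1_500_000, "High")]


def financial_impact(loss_gbp: float) -> str:
    """Map an estimated loss to the deck's financial impact level."""
    for upper, level in FINANCIAL_BANDS:
        if loss_gbp <= upper:
            return level
    return "Very High"


def overall_impact(ratings: Dict[str, str]) -> str:
    """Overall impact is the worst rating across the impact categories."""
    return max(ratings.values(), key=LEVELS.index)


# Constructed scales: threat likelihood (Step 3) and control strength (Step 4).
LIKELIHOOD_SCORE = {"Low": 1, "Moderate": 2, "High": 3, "Very High": 4}
CONTROL_SCORE = {"Strong": 1, "Adequate": 2, "Weak": 3}


def probability(threat_likelihood: str, control_strength: str) -> str:
    """'How likely is it to happen?' combined with 'how likely is it to
    overwhelm our controls?' on a constructed 1..12 scale."""
    score = LIKELIHOOD_SCORE[threat_likelihood] * CONTROL_SCORE[control_strength]
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Moderate"
    if score <= 8:
        return "High"
    return "Very High"


# Constructed 4x4 risk matrix: row = probability level, column = impact level.
RISK_MATRIX = {
    "Low":       ["Low", "Low", "Moderate", "Moderate"],
    "Moderate":  ["Low", "Moderate", "Moderate", "High"],
    "High":      ["Moderate", "Moderate", "High", "Very High"],
    "Very High": ["Moderate", "High", "Very High", "Very High"],
}


def calculated_risk(prob: str, impact: str) -> str:
    """Look up PROBABILITY x IMPACT = RISK in the matrix."""
    return RISK_MATRIX[prob][LEVELS.index(impact)]


@dataclass
class RiskAssessment:
    name: str
    loss_gbp: float
    reputational: str
    regulatory: str
    health_safety: str
    threat_likelihood: str
    control_strength: str
    moderated: Optional[str] = None  # override agreed by analyst and system owner

    def rate(self) -> Dict[str, str]:
        impact = overall_impact({
            "financial": financial_impact(self.loss_gbp),
            "reputational": self.reputational,
            "regulatory": self.regulatory,
            "health_safety": self.health_safety,
        })
        prob = probability(self.threat_likelihood, self.control_strength)
        calc = calculated_risk(prob, impact)
        return {"impact": impact, "probability": prob,
                "calculated": calc, "final": self.moderated or calc}


# Constructed sample, loosely modelled on the deck's report narrative.
DDOS_BILLING = RiskAssessment(
    name="DDoS against the EMEA billing system",
    loss_gbp=400_000, reputational="Moderate", regulatory="Low",
    health_safety="Low", threat_likelihood="High", control_strength="Weak")

if __name__ == "__main__":
    print(DDOS_BILLING.rate())
```

The ‘moderated’ field is the point where the analyst and system owner can record a rating that differs from the calculated one; keeping both values in the output preserves the audit trail the deck asks for in Step 5.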
Cyber Risk Assessment Step 6: IDENTIFY CYBER RISK REMEDIATION
Who to involve: Business owner | System owner | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Contribute | Facilitate
Inputs: Draft agreement of the risks; Draft report; Draft risk ratings and recommended options to remediate risks
Est. time: 2 hours
1. Goal is (usually!) to identify the prioritised controls for each prioritised risk
2. Assess themes for controls for this or multiple risk assessments
3. Review the context of the business, budget and criticality of the system before finalising the remediation controls
4. Prepare the draft remediation strategy to discuss with stakeholders
Getting your mix of remediation controls right
Think about:
• Cost
• Capability
• Complexity
• Integration
• Timescale to implement
• Maintenance
• Business obstacles (e.g. need to gain ‘buy in’)
• Efficiency opportunities across environments
• Testing and Assurance
(Diagram: level of protection across the control types Defend, Detect & Resist, Deter)
Cyber Risk Assessment Step 7: REPORT CYBER RISK
Who to involve: Business owner | System owner | IT Rep. | Cyber risk analyst (you!)
Their role: Contribute | Contribute | Contribute | Facilitate
Inputs: Agreement of the risks and risk ratings; Draft report for review and feedback; More than one option for remediation
Est. time: 1 hour
1. Goal is to report risk in a way that focuses on prioritised risk and recommended remediation, is concise and has impact
2. Common language for reporting risk is essential
3. Understand the type of audience that will receive the report
4. Illustrations of the risks for establishing a dialogue
5. Iterations of the first report will be necessary but aim for a standard format
Example 1: Criteria for generation of actionable cyber risk reports
1. Must provide a narrative that features all the key elements from the assessment
The likelihood of a DDoS attack targeting the EMEA billing system is very high, as controls in place are poorly implemented. If an attack occurs over 72 hours, the primary impact to the organisation would be loss of availability, which could equate to a cash flow loss for the month of between $350,000 and $500,000.
Secondary impacts would include: delayed payments, disgruntled customers and increase in competition. Recommended remediation controls to reduce the risk to within appetite are set out below in prioritised order.

Control | CAPEX cost | OPEX costs to maintain | Disruption to finance department
Control description | $20,000 to $30,000 | $20,000 (Equiv. 0.25 FTE) |
Control description | $15,000 to $25,000 | $10,000 (MSSP) |
Example 2: Criteria for generation of actionable cyber risk reports
2. Illustrate the risks to establish a dialogue – create situational awareness

Risk | Risk description | Identified impacts | Recommended controls | Control owners
A | Unauthorised access to sales database by disgruntled employee | Loss to competition = High; Regulatory impact = High | 2-factor authentication; Review of access rights; Implementation of DLP | N. Jones; M. Schmidt; M. Schmidt

(Chart: risks A and B plotted on the current risk profile and on the reviewed risk profile if recommendations are introduced)
Sample reports from HighBond (Galvanize)
Questions?
We will take a pause to cover any questions on this section of the masterclass.
Please submit questions through the Q&A panel in the Zoom console.
3. Building on solid foundations
A plan for enterprise-wide risk assessments
(Timeline diagram, activities placed left to right over time)
• Business awareness
• Customisation (BIA ratings, control libraries, threat lists for different tech)
• Conduct multiple pilot assessments
• Training and education
• Risk review board
• GRC evaluation
• Project 1, Project 2, Project 3, Project 4, Project 5 (with data feeds)
Identifying key themes from the risk data

Finance dept.
Key controls | Risk remediated
2 Factor Authen. | Unauthorised access
Access rights review | Internal data theft
Encrypt. in transit | Man in middle attacks

Sales and marketing
Key controls | Risk remediated
Encryption at rest | Data loss
Access rights review | Internal data theft
Remote wipe | Data loss

Manufacturing Ops.
Key controls | Risk remediated
Data backups | Loss of key systems
Access rights review | Internal data theft
2 Factor Authen. | Unauthorised access

Enterprise view: prioritised risks to the enterprise
1. Data loss
2. Unauthorised access
(feeds a security transformation project)
Incorporating risk themes into the broader roadmap
(Diagram: the risk data as the source, feeding the following areas)
• Targeted awareness
• Security audit framework
• Procurement and supplier contracts
• Scenario planning / crisis management
• Updating policies and standards
• Input to the SOC
Incorporating risk themes into the broader roadmap
(Illustration: a ‘Policy for cyber security’ document with clauses 1.1 to 1.3, shown twice, with each clause tagged by criticality: Critical, High or Nice to have; the clause text on the slide is placeholder text)
Risk triggers for assessment or re-assessment
Triggers for conducting risk assessments:
• New technologies
• Change in management
• Situational awareness
• Regulatory requirement
• Access to supplier / 3rd party
• Significant business change
• Major cyber security incident
Questions?
We will take a pause to cover any questions on this section of the masterclass.
Please submit questions through the Q&A panel in the Zoom console.
4. Case studies from the trenches
Case Study 1 – Background to the organisation
Profile: Manufacturing SME based in Europe
Challenge: Implement a structured risk assessment across a large number of systems and applications.
Considerations:
• The availability of their systems and applications is very important
• Large number of applications to be risk assessed
• Building a strong brand and reputation, becoming more widely known in the industry
• Largely immature in cybersecurity and risk assessments
• Requirement to enhance risk assessment to win supplier contracts
• Part of a wider supply chain with various third parties
• Only previous risk assessments were paper (and opinion) based but now need to implement a formal, structured risk assessment process.
NOTE: IMAGE IS ILLUSTRATIVE ONLY AND NOT INDICATIVE OF IDENTITY OR SECTOR OF CASE STUDY ORGANISATION
Case Study 1 – Summary of the approach
Objectives:
• The cybersecurity team have been tasked to risk assess a large number of systems and applications
• Priority is to focus on the availability of the systems and applications
• Establish similarities across the applications and create categories of information types
• Understand the business processes and define the scope of the risk assessments
• Evaluate the possibility of applying ‘threat templates’ for each category
• Identify controls offering the best ‘bang per buck’ in mitigating threats that are common to multiple applications
• Present a snapshot of the results on a single page, showing separate ‘BAU’ controls from those requiring additional investment based on risk
• Identify findings that should be recorded in a risk register, with date of completion and identifying an owner to report progress for mitigation.
Case Study 2 – Background to the organisation
Profile: Financial services SME, with headquarters in the UK
Challenge: Identifying critical controls based on the organisation’s key threats
Considerations:
• Confidentiality of information regarded as the most important attribute
• Risk assessment based on understanding the key threats and the critical security controls
• Significant compliance obligations
• Small but effective cybersecurity team that have identified their main cyber threats
• Requirement to demonstrate that these cyber threats are being managed effectively and that this can be demonstrated to the regulators as part of a wider review of cybersecurity.
Case Study 2 – Summary of the approach
Objectives:
• Identify the key organisational risks that are reported on a monthly basis
• These risks should come from discussions with the Red Team, Blue Team, Threat Intelligence specialists and the wider cyber team
• Map these controls to threats to identify ‘Critical’ controls (those controls that map to the greatest number of threats)
• Assess the effectiveness of those controls in terms of how well they have been implemented (obtain evidence to support this assessment)
• Highlight control gaps and those that need to be improved based on the type and number of risks that have been mapped
• Update security policies, standards and third-party agreements with no exceptions for controls that are ‘Critical’.
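An added Python example, not from the deck or from either case study organisation, serving two passages: the ‘Identifying key themes from the risk data’ slide (rolling per-department risk data up to an enterprise view) and Case Study 2 (mapping controls to threats to find ‘Critical’ controls, then checking their implementation and evidence for gaps). RISK_DATA copies the deck's key themes table; the control-to-threat library and the effectiveness ratings are constructed, and the theme ranking here is by breadth across departments only, whereas the deck's own prioritisation also reflected analyst judgement.

```python
"""Added example (not the deck's own material): enterprise risk themes from
per-department data, then 'critical' controls (those mapped to the most
threats) and the gaps among them. RISK_DATA is the deck's 'key themes'
slide; CONTROL_THREATS and EFFECTIVENESS are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (department, key control, risk remediated) from the 'key themes' slide.
RISK_DATA = [
    ("Finance dept.", "2 Factor Authen.", "Unauthorised access"),
    ("Finance dept.", "Access rights review", "Internal data theft"),
    ("Finance dept.", "Encrypt. in transit", "Man in middle attacks"),
    ("Sales and marketing", "Encryption at rest", "Data loss"),
    ("Sales and marketing", "Access rights review", "Internal data theft"),
    ("Sales and marketing", "Remote wipe", "Data loss"),
    ("Manufacturing Ops.", "Data backups", "Loss of key systems"),
    ("Manufacturing Ops.", "Access rights review", "Internal data theft"),
    ("Manufacturing Ops.", "2 Factor Authen.", "Unauthorised access"),
]


def enterprise_risk_themes(data) -> List[Tuple[str, int]]:
    """Rank remediated risks by how many departments report them."""
    depts: Dict[str, Set[str]] = defaultdict(set)
    for dept, _control, risk in data:
        depts[risk].add(dept)
    return sorted(((r, len(d)) for r, d in depts.items()),
                  key=lambda kv: (-kv[1], kv[0]))


# Constructed control library: each control and the threats (named as on the
# deck's 'Examples of threats' slide) it helps to mitigate.
CONTROL_THREATS: Dict[str, Set[str]] = {
    "Multi-factor authentication": {"Unauthorised access"},
    "Access rights review": {"Unauthorised access", "Misuse of systems by staff"},
    "Data backups": {"Denial of service", "User error",
                     "Introduction of unauthorised code"},
    "Security awareness training": {"User error", "Misuse of systems by staff"},
    "Supplier security assessment": {"Compromise of third-party partner"},
    "DDoS mitigation service": {"Denial of service"},
}


def critical_controls(mapping: Dict[str, Set[str]],
                      min_threats: int = 2) -> List[Tuple[str, int]]:
    """Controls mapped to at least min_threats threats, most threats first."""
    ranked = sorted(((c, len(t)) for c, t in mapping.items()),
                    key=lambda kv: (-kv[1], kv[0]))
    return [(c, n) for c, n in ranked if n >= min_threats]


# Constructed effectiveness ratings: (implementation status, evidence obtained?)
EFFECTIVENESS = {
    "Multi-factor authentication": ("Fully implemented", True),
    "Access rights review": ("Partially implemented", True),
    "Data backups": ("Fully implemented", False),
    "Security awareness training": ("Fully implemented", True),
    "Supplier security assessment": ("Not implemented", False),
    "DDoS mitigation service": ("Fully implemented", True),
}


def control_gaps(mapping, effectiveness, min_threats: int = 2) -> Dict[str, str]:
    """A critical control is a gap unless it is fully implemented AND evidenced."""
    gaps: Dict[str, str] = {}
    for control, _n in critical_controls(mapping, min_threats):
        status, evidenced = effectiveness.get(control, ("Not assessed", False))
        if status != "Fully implemented":
            gaps[control] = status
        elif not evidenced:
            gaps[control] = "Implemented but no evidence obtained"
    return gaps


if __name__ == "__main__":
    print(enterprise_risk_themes(RISK_DATA))
    print(critical_controls(CONTROL_THREATS))
    print(control_gaps(CONTROL_THREATS, EFFECTIVENESS))
```

The gap rule treats ‘implemented but unevidenced’ as a gap on purpose: Case Study 2's requirement is to show the regulator that key threats are managed, and a control without evidence cannot support that claim.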
Questions?
We will take a pause to cover any questions on this section of the masterclass.
Please submit questions through the Q&A panel in the Zoom console.
5. Cyber risk and the future
30 years of risky business
(Timeline)
• 1990: Driven by notoriety
• 2000: Media attention and first real signs of concern
• 2010: Financially driven
• 2020: Nation state attacks; Largest DDoS; Cyber risk
“To know your future you must know your past” – George Santayana
Cyber attacks
(Figure from the WEF Global Risks Report 2019: http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf)
CRMG’s cyber risk predictions
(Timeline over 1 yr, 2 yr, 3 yr)
• Business analysts for cyber security
• Regulation and legislation explicitly covering cyber risk
• Quantitative approaches will develop fast
• Increasing integration with enterprise risk
• CIRO or CRO with deep cyber risk knowledge
• Fully developed real-time cyber risk capability
• Capital adequacy
A model for real-time cyber risk assessment
(Flow diagram)
Connect to disparate data sources > Extraction of contextual data (Objectives > Criteria > Risk > Frequency > Data requirements) > Automated monitoring > Threat detected > Alert stakeholders
Supported by human insight and flexible scheduling.
Remove the operational burden using automation.
Let’s talk Quant! – Observations from industry
• Cyber security community divided
• Increasing interest in Quant for cyber security
• Approaches needed to transition from Qualitative to Quantitative
• Good data and informed decisions are still required to get value
• Many key principles apply: Impact (monetary loss) and Frequency
• Focus Quant modelling on prioritised risks
• Avoid the Quantum physics conundrum
What could a transition model look like?
(Diagram with four headings)
• Key systems / environments to assess
• Determine the technique to apply
• Assess the applicability of the data
• What to include in the scope
Items on the slide:
• Good data is required for modelling / simulations.
• Retailers website
• FS Settlement systems
• ALE (Annual Loss Expectancy)
• Monte Carlo simulations
• Bayesian networks
• Compare and contrast to Qualitative
• Understand when and where to use
• Is it informing better decisions?
• Select prioritised risks from qualitative assessments
• Select an area / system that has accurate data
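An added Python example, not from the deck, of two of the techniques named on the transition slide applied to one prioritised risk: ALE (Annual Loss Expectancy) as the point estimate, and a Monte Carlo simulation that produces a distribution of annual loss so that the tail can be compared with the point estimate. The event rate, loss distribution and seed are constructed assumptions; Bayesian networks are not covered.

```python
"""Added example (not the deck's own material): ALE and Monte Carlo
simulation for one prioritised risk. ALE is SLE x ARO; the simulation
draws the number of loss events per year (Poisson) and the size of each
loss (lognormal) to give a distribution rather than a single figure.
All parameters are constructed and stand in for real, validated data."""
import math
import random
from typing import Dict, List


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Number of events in one year (Knuth's method; the stdlib has no Poisson)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rng: random.Random, aro: float, median_loss: float,
                           sigma: float, years: int) -> List[float]:
    """One simulated total loss per year: the sum of lognormal losses over a
    Poisson number of events. The lognormal median is exp(mu)."""
    mu = math.log(median_loss)
    totals = []
    for _ in range(years):
        events = poisson_draw(rng, aro)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile of a list of values."""
    ordered = sorted(values)
    idx = int(round(pct / 100 * (len(ordered) - 1)))
    return ordered[idx]


def quantify_risk(aro: float = 2.0, median_loss: float = 100_000.0,
                  sigma: float = 0.5, years: int = 10_000,
                  seed: int = 42) -> Dict[str, float]:
    """Compare the ALE point estimate with the simulated loss distribution.
    The SLE used for ALE is the lognormal mean, median * exp(sigma^2 / 2),
    so both approaches agree on the average and the simulation adds the
    tail (e.g. the 95th percentile year)."""
    sle = median_loss * math.exp(sigma ** 2 / 2)
    ale = annual_loss_expectancy(sle, aro)
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = simulate_annual_losses(rng, aro, median_loss, sigma, years)
    return {
        "ale": ale,
        "simulated_mean": sum(losses) / len(losses),
        "p95": percentile(losses, 95),
        "share_of_years_above_ale": sum(1 for x in losses if x > ale) / len(losses),
    }


if __name__ == "__main__":
    for key, value in quantify_risk().items():
        print(f"{key}: {value:,.2f}")
```

The 95th percentile is the figure that usually changes the conversation with a Board: the ALE says what an average year costs, while the simulation shows how bad a plausible bad year is, which is the number a risk appetite statement has to be tested against. The slide's caveat still applies: both outputs are only as good as the frequency and loss data behind them.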
20 years into one slide
Focus on those systems and data assets that are business-critical
Establish a practical process that incorporates the fundamentals of information risk
Evaluate GRC products to help streamline and semi-automate the cyber risk process to minimize staff utilisation
Present the business argument to help establish a cyber risk approach (e.g. target investment, quick wins, best practice)
Establish a phased approach (do not attempt to boil the ocean)
Extrapolate risk insights to other areas of the security programme (e.g. policy update, awareness and education)
Start to investigate the Quantitative approaches but figure out when the time is right.
Questions?
We will take a pause to cover any questions on this section of the masterclass.
Please submit questions through the Q&A panel in the Zoom console.
Thank you for joining us today
Connect with the speakers:
Nick Frost: [email protected] / https://www.linkedin.com/in/nickfrost/
Martin Tully: [email protected] / https://www.linkedin.com/in/martin-tully-a050378/
Simon Lacey: [email protected] / https://www.linkedin.com/in/simon-oliver-lacey/
For more pragmatic guidance on cyber risk management, please contact the speakers or
email [email protected]
Thank you
Visit us at www.crmg-consult.com or follow us:
Twitter: @ConsultingCrmg
LinkedIn: cyber-risk-management-group