At ClearArmor, we maintain that a fully interconnected approach to Risk Management, CyberSecurity, Audit, Compliance, and Governance is the best approach. Many organizations, however, are not yet ready for that journey. In those cases, a pragmatic approach can significantly improve their risk reduction and CyberSecurity postures by building momentum.
2. ClearArmor Corporation – Pragmatic CyberSecurity and Risk Reduction
Introduction
Presenter: Bruce Hafner
President, ClearArmor Corporation
Website: ClearArmor Corporation (https://cleararmor.com)
Contact Info: info@cleararmor.com
Genesis for Presentation:
Organizations overwhelmingly need to improve their CyberSecurity posture. The single most effective method is to adopt a mature framework such as the NIST CyberSecurity Framework. False starts, limited authority, resource deficiencies, and leadership focus conspire to impede CyberSecurity improvement. Under these circumstances, a pragmatic approach can build momentum. Organizations that are just beginning their cyber posture improvement journey may benefit from taking a pragmatic approach to risk reduction.

CyberSecurity & Risk Language Barriers
Some terms we will be using to bring the conversation forward. Business is from Mars; Technology is from Venus.

Communication – A Cyber & Risk Requirement
Some terms that will allow business and technology team members to communicate effectively.
'Lead, follow, or get out of the way' (Lee Iacocca, born Lido Anthony Iacocca). General Patton said something like this, and maybe Thomas Paine.

Risk: the potential of gaining or losing something of value.
Risk Mitigation: lessening the impact of a risk event through technology, process, training, etc.
Risk Prevention: removing the ability of a specific trigger to cause an impacting event.
Risk Event: caused by a trigger; impacts one or more assets, systems, data types, and/or business functions.
Risk Trigger: what causes a risk event to occur.
Risk Trigger Probability: the likelihood that a trigger occurs, causing an event that impacts assets.
Asset Value: assets have value that can be distilled down to financial and other measures.
Asset Data: the type of data that may be stored, transmitted, or interacted with by people, systems, and processes.
Asset System: a set of endpoints (servers, storage, network, external systems) that fulfill a need.
Asset Landscape: a system may consist of various isolated groups (Dev, Test, QA) that serve isolated functionality.
Asset Endpoint: a system landscape may consist of one or more endpoints.
Asset Software: software distributed to various endpoints to perform some function required by the system.
Detection: the ability to monitor, report, and alert on an event.
Detection Tool: a technical or business process that is able to detect a trigger or an impacting event.
Detection Method: the specifics of how a detection tool identifies the impacting event.
Trigger Detection: the tools and methods related to detecting a trigger of an impacting event.
Detection Confidence: the likelihood that a trigger would be successfully monitored, and therefore detected.
Detection Audit: validates that the detection method would succeed.
Response Scenario: the situation surrounding the response to an impacting event.
Response Roles: the roles required to be engaged during various events.
Response Team: the roles, people, vendors, etc. that are required to be involved during a response.
Response Schedule: the time durations that should elapse from the time of the event to the execution of each task.
Response Execution: the actual work items that will be executed by roles/people during the schedule.
Response Simulation: testing the response, with all required roles and team members, through mechanical exercises and/or team collaborative (tabletop) sessions.
Recovery: restoration of systems, operations, processes, and other areas after an impacting event.
Recovery Method: how recovery will occur, e.g. failover to a DR system, tape restoration, operations relocation.
Recovery Testing: simulating the method of recovery to validate that it could succeed.
Recovery Event: the circumstance under which a recovery effort will occur.
Recovery Point Objective (RPO): the maximum amount of data loss, expressed as the span of time before the event, that the business accepts.
Recovery Time Objective (RTO): the target time to restore service after the event.

Understanding of Risk Related Conflict
Risk is everywhere. Risk can be ignored, accepted, transferred, mitigated, or remediated.
• Driving a car vs. no job (mitigated)
• Babies on planes vs. injury (accepted)

Results Leading to Risk Reduction
Identify Risk
• What is at risk
• Manifestation of risk
Prioritize Risk
• Impact value of risk
• Cost to reduce risk
Risk Event Scenario Planning
• Who is involved
• When they get involved
• Why they get involved
• Who does what
Scenario Simulation
• Scheduling tabletop sessions
• Frequency of tests
• Results of tests
• Improvement of plans
In some things, an incomplete or immature process method is better than inaction.
There is always a more effective way. There is always a less effective way.

Elements to Building Momentum
Change takes deliberate choices. Not difficult, just deliberate.
Follow a Process: create processes you can commit to. Not when convenient, but as part of the organizational culture.
Prioritize: if everything is Priority 1, nothing is Priority 1.
Involve Everyone: everyone is a participant, at some level. Prepare the organization.
Adopt a Standard: you don't have to boil the ocean to start. You do need to embrace a standard.
Create a Plan.
Execute: treat CyberSecurity and risk reduction on par with revenue generation and compliance.
Measure & Communicate along the way.

Selection of a Path to Reducing Risk
There are a lot of options when structuring a CyberSecurity program: frameworks, compliance requirements, and regulations, for example:
• The Center for Internet Security (CIS) Critical Security Controls
• ISO/IEC 27001
• New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500)
• NIST SP 800-53 and NIST SP 800-171
• The NIST CyberSecurity Framework – a risk based approach
NIST CSF: risk based approach; a framework of what to do, not how to do it.
CIS Controls: technical approach; more specific; categories of activities.
Various frameworks, controls, and regulations have different benefits or compliance requirements.

Things to Consider
Leading to Risk and CyberSecurity maturity: Pragmatic, Risk, Assets, Detection, Recovery.

Risk Reduction Requires Team Engagement
Groups needed for success:
• Executive: CEO, GC, CFO, COO
• Technical: CIO & CISO, Network Team, IT Admin, Service Team
• Business: Business Heads, Customer Mgmt., Accounts Mgmt., Service Team
• Additional: Facilities, Risk, Audit & Compliance, Board

Risk Reduction Method
Breaking the plan into achievable steps, with multiple teams:
1. Risk objectives
2. Impacts to risk objective
3. What systems are involved?
4. Does the business know the value of the systems?
5. Does IT know the relationship between systems, landscapes, and endpoints?
6. Identifying risk events, triggers, and probabilities
7. Calculating the value of risk events
8. Cost of risk reduction
9. Identifying risk event mitigations & remediations
10. Cost vs. value
11. Prioritizing action
12. Creating scenario plans
13. Testing your plans

Identification of What You are Protecting
Context for your plan. Ultimately, what are you trying to protect? Risk objectives, for example: Intellectual Property, Reputation, Client Trust.

What Functions Impact Risk Objectives
Process requires identification activities. Impacts to risk objective:
Employee Data can be impacted by:
• Human Resources
• Facilities
• IT Administration

Getting Context – What Business Functions are Involved
Process identifies impacted things. Systems involved:
Employee Data can be impacted by Human Resources, Facilities, and IT Administration, using:
• HRIS
• Payroll
• 401K
• Medical Insurance
• Access Control
• Annual Review
• Training Management

Digging Deeper – Bringing in Technical and Subject Matter Experts
Process identifies the value of those things. System value:
Employee Data can be impacted by Human Resources, Facilities, and IT Administration, using HRIS, Payroll, 401K, Medical Insurance, Access Control, Annual Review, and Training Management.
Value:
• HRIS outage = $22K / day
• HRIS data breach = $100K / incident

Process Identifies Events that Cause Impact
Identify concerns of events that could impact the organization and what could trigger them.
Risk 'A' Events:
• Ransomware infects the email system
• Patient data is breached and made public
• Intellectual property is stolen and published on the Web
• Client credit card theft from web based system
Risk Triggers – Event 4 could be triggered by:
• Web App servers – poor internal security
• Web App servers not patched
• Code injected into app
• Payment processor breach

Process Includes Probability & Likelihood
The systems impacted by risk events drive value calculations.
Trigger probabilities: the Risk 'A' Events and the Event 4 triggers listed above, with annual probabilities of:
• The organization believes that poor security on web applications presents a 2.5% chance of triggering an event in any given year.
• Latency in patching cycles presents a 7.5% chance of triggering an event in any given year.
• A 2% chance that modified code could cause the event is estimated.
• Poor user authentication creates a 5% chance of triggering an event (being used to hack into the web application's code base).

Process Ties Risk Events to Triggers to Systems
The systems impacted by risk events help to automate the value of the impact.
Identify impact: Event 4 (client credit card theft from web based system), with the triggers listed above, could potentially impact these systems:
• OrderSys2020

Follow a Process – Risk Events Have a Value
Risk events have a real financial impact to your organization, direct and indirect.

Risk Event Cost (Direct Impact = Probability × Restoration Time × Daily Value):

| System | Event | Trigger | Probability | Restoration Time (days) | Daily Value | Direct Impact |
|---|---|---|---|---|---|---|
| OrderSys2020 | Client credit card theft from web based system | Web App servers – poor internal security | 2.5% | 1.25 | $845,000 | $26,406.25 |
| OrderSys2020 | Client credit card theft from web based system | Web App servers not patched | 7.5% | 1.25 | $845,000 | $79,218.75 |
| OrderSys2020 | Client credit card theft from web based system | Code injected into app | 2% | 1.25 | $845,000 | $21,125.00 |
| OrderSys2020 | Client credit card theft from web based system | Payment processor breach | 5% | 1.25 | $845,000 | $52,812.50 |
| | | | | | Total Risk Event Value | $179,562.50 |

If this event caused an erosion of trust that reduced new orders by 0.25% (1/4 of 1%) over the next year, then, based on your $845,000 daily value, the indirect impact would be 0.0025 × $845,000 × 365 = $771,062.50. (The original slide gives $7,710,625, which is the figure for a 2.5% erosion; either way the indirect impact dwarfs the direct one.)

Identifying Mitigations and Remediations
Mitigation & Remediation Reduces Risk & Impact

Risk '4' Triggers
• Poor security on the web application
• Unpatched servers
• Lack of baselining systems exposes organizations to code modifications going undetected
• Weak user authentication policies

Mitigations
• Implement code to limit external communications to certain functions
• Adopt a practice of patching test servers within 1 week, and production servers within 3
• Implement dual-factor authentication on the web application

Remediations
• Technology: once code changes have passed testing, and prior to migration to production, baseline the system to ensure the integrity of the code against a known good image. Validate continuously.
• Business: no application changes are accepted into production until audit confirms the policy has been followed.
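The technology remediation above (baseline the code against a known good image, then validate continuously) is the one item on this slide that is purely mechanical, so here is an added example of it. This is illustrative code written for this page, not ClearArmor's tooling; the `webapp` directory, the `.php` file names and the "unreviewed change" are a constructed sample, not a real deployment.

```python
"""Baseline and verify the integrity of deployed application code.

Added example (not ClearArmor's tooling): implements the slide's remediation of
baselining a system against a known-good image once a change has passed testing,
then validating continuously. The webapp tree built in demo() is a constructed
sample, not a real deployment.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path) -> None:
    # In practice store the manifest off the host it describes (or sign it): an
    # attacker who can modify the code could otherwise simply re-baseline.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def verify(root, baseline: dict) -> dict:
    """Compare the live tree to the baseline. Any non-empty list is a finding."""
    current = build_baseline(root)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if current[p] != baseline[p]),
    }


def is_clean(result: dict) -> bool:
    return not (result["added"] or result["removed"] or result["modified"])


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate a post-deployment change."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "webapp"
        (app / "lib").mkdir(parents=True)
        (app / "checkout.php").write_text("<?php // process the order\n")
        (app / "lib" / "db.php").write_text("<?php // database helpers\n")

        # Known-good image taken after testing, before the code goes to production
        manifest = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(app), manifest)
        if not is_clean(verify(app, load_baseline(manifest))):
            raise RuntimeError("freshly baselined tree should verify clean")

        # Later: one file altered in place, one unexpected file dropped into the tree
        (app / "checkout.php").write_text("<?php // process the order\n// unreviewed change\n")
        (app / "lib" / "shell.php").write_text("<?php // file not in the baseline\n")
        return verify(app, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

"Validate continuously" means running `verify()` against the production tree on a schedule (cron, or a CI job with read-only access) and alerting whenever `is_clean()` is false; the business control on the same slide closes the loop by making a fresh, audited baseline the only approved way to change what the check expects.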

Follow a Process – Risk Events have a Value
Risk events have a real financial impact to your organization, direct and indirect.

Risk Event Cost, with the event and triggers restated more specifically:

| System | Event | Trigger | Probability | Restoration Time (days) | Daily Value | Direct Impact |
|---|---|---|---|---|---|---|
| OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Poor security on Web Application Servers | 2.5% | 1.25 | $845,000 | $26,406.25 |
| OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Modified application code | 7.5% | 1.25 | $845,000 | $79,218.75 |
| OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Modified application code | 2% | 1.25 | $845,000 | $21,125.00 |
| OrderSys2020 | Code injected into the web based customer order system is stealing client credit card information | Poor user authentication, used to hack into the web application's code base | 5% | 1.25 | $845,000 | $52,812.50 |
| | | | | | Total Risk Event Value | $179,562.50 |

If this event caused an erosion of trust that reduced new orders by 0.25% (1/4 of 1%) over the next year, then, based on your $845,000 daily value, the indirect impact would be 0.0025 × $845,000 × 365 = $771,062.50. (The original slide gives $7,710,625, which is the figure for a 2.5% erosion.)

Follow a Process – Risk Remediation has a Cost
Risk events have a real financial impact to your organization, direct and indirect.

Risk Event Cost – counter measures:

| System | Trigger | Counter Measure | Cost | Duration |
|---|---|---|---|---|
| OrderSys2020 | Web App servers – poor internal security | Mitigate – Limit access | $7,500 | 1 week |
| OrderSys2020 | Web App servers not patched | Mitigate – Force patching policy; reduce patching latency | $25,000 | 2 months |
| OrderSys2020 | Code injected into app | Remediate – Baseline application code | $12,000 | 2 weeks |
| OrderSys2020 | Payment processor breach | Mitigate – Vendor risk assessment; vendor audit | $12,000 | 2 months |
| OrderSys2020 | Payment processor breach | Transfer – Insurance | $75,000 | 4 months |
| | | Total counter measure cost | $131,500 | 4 months (longest single item) |

Remediations can take multiple paths, by multiple teams, with varying degrees of impact.

Prioritization – Weighing Impact and Probability
Plot each risk event on a grid of probability (high/low) against impact (high/low):
• High Probability / High Impact
• High Probability / Low Impact
• Low Probability / High Impact
• Low Probability / Low Impact
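The three slides above (risk event value, counter measure cost, and the probability/impact grid) are one calculation carried out by hand. As an added example, not ClearArmor's tooling or method, here it is carried through in code using the OrderSys2020 figures from the deck. Everything else is an assumption labelled in the code: the grid thresholds, the treatment of a counter measure as removing its trigger's whole expected direct impact, and the choice to rank counter measures by direct impact avoided per dollar.

```python
"""Risk-event valuation and counter-measure ranking for the deck's OrderSys2020 example.

Added example, not ClearArmor's tooling or method. The triggers, annual probabilities,
1.25-day restoration time, $845,000 daily value and counter-measure costs are the
figures on the slides; the quadrant thresholds and the assumption that a counter-measure
removes its trigger's whole expected direct impact are illustrative assumptions.
"""
from dataclasses import dataclass

DAILY_VALUE = 845_000.00      # from the risk event value slide
RESTORATION_DAYS = 1.25       # from the same slide (unit inferred from the arithmetic)


@dataclass(frozen=True)
class Trigger:
    name: str
    annual_probability: float  # chance the trigger fires in any given year


@dataclass(frozen=True)
class CounterMeasure:
    trigger: str               # name of the Trigger it addresses
    action: str
    cost: float                # one-time cost from the remediation cost slide


TRIGGERS = [
    Trigger("Web App servers - poor internal security", 0.025),
    Trigger("Web App servers not patched", 0.075),
    Trigger("Code injected into app", 0.02),
    Trigger("Payment processor breach", 0.05),
]

COUNTER_MEASURES = [
    CounterMeasure("Web App servers - poor internal security", "Mitigate - limit access", 7_500),
    CounterMeasure("Web App servers not patched", "Mitigate - force patching policy", 25_000),
    CounterMeasure("Code injected into app", "Remediate - baseline application code", 12_000),
    CounterMeasure("Payment processor breach", "Mitigate - vendor risk assessment and audit", 12_000),
    CounterMeasure("Payment processor breach", "Transfer - insurance", 75_000),
]


def direct_impact(prob, restoration_days=RESTORATION_DAYS, daily_value=DAILY_VALUE):
    """Expected annual direct loss = probability x days of lost value x value per day."""
    return round(prob * restoration_days * daily_value, 2)


def total_direct_impact(triggers=TRIGGERS):
    """Sum over triggers: the slide's 'Total Risk Event Value'."""
    return round(sum(direct_impact(t.annual_probability) for t in triggers), 2)


def indirect_impact(order_erosion, daily_value=DAILY_VALUE, days=365):
    """Orders lost over a year if eroded trust cuts new orders by `order_erosion` (e.g. 0.0025)."""
    return round(order_erosion * daily_value * days, 2)


def quadrant(prob, impact, prob_threshold=0.05, impact_threshold=50_000):
    """Place a trigger on the 2x2 grid. The thresholds are assumptions, not from the deck."""
    p = "High" if prob >= prob_threshold else "Low"
    i = "High" if impact >= impact_threshold else "Low"
    return f"{p} Probability / {i} Impact"


def prioritize(triggers=TRIGGERS, measures=COUNTER_MEASURES):
    """Rank counter-measures by expected direct impact avoided per dollar of cost.

    Assumes each counter-measure removes its trigger's full direct impact. A transfer
    (insurance) is scored the same way, although in practice it is bought against the
    much larger indirect loss, so read its score alongside indirect_impact().
    """
    prob_by_trigger = {t.name: t.annual_probability for t in triggers}
    impact_by_trigger = {name: direct_impact(p) for name, p in prob_by_trigger.items()}
    rows = []
    for m in measures:
        impact = impact_by_trigger[m.trigger]
        rows.append({
            "trigger": m.trigger,
            "action": m.action,
            "direct_impact": impact,
            "cost": m.cost,
            "impact_per_dollar": round(impact / m.cost, 2),
            "quadrant": quadrant(prob_by_trigger[m.trigger], impact),
        })
    return sorted(rows, key=lambda r: r["impact_per_dollar"], reverse=True)


if __name__ == "__main__":
    for row in prioritize():
        print(f"{row['impact_per_dollar']:>5.2f}  {row['quadrant']:<32} {row['action']}  [{row['trigger']}]")
    print("Total direct impact:", total_direct_impact())
    print("Indirect impact at 0.25% order erosion:", indirect_impact(0.0025))
```

With these inputs the vendor assessment comes out first (about $4.40 of expected direct impact avoided per dollar) and insurance last (about $0.70), which is exactly the constraint the deck's "impact value vs. cost" framing is meant to surface: the cheapest control is not always the best buy, and a transfer only looks expensive until the indirect figure is put beside it.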

Prioritization Through Constraints
Prioritize impact value against:
• Cost
• Time
• Expertise
• Availability
• Regulatory

Scenario Planning – The Plan
The best-laid plans of mice and men often go awry. (Robert Burns)
What if 'X' happened?
• What would need to be done?
• Who would need to be involved?
• By whom?
• When would it need to be done?
• And in what order?

Scenario Planning – The What If Plan
The best-laid plans of mice and men often go awry. (Robert Burns)
What would you do if 'Y' also happened?
• Expected results deviate
• Dependencies fail
• Communications fail
• Team members are unavailable

Scenario Planning – Building the Plan
Identify Team
• Executive
• Legal
• Business Line
• Technical
• Cyber
• Vendor
• Partner
• Client
Scenario Response Setup
• Overall objective
• Response steps
• Step objectives
• Step communications
• Step owners
• Step schedule
• Step approver
• Re-evaluation of team
• Re-evaluation of objectives
• Re-evaluation of steps
Leadership Approves
• Objective
• Team
• Steps
• Communications
• Schedules
• Role that can call an event
• Role that can accept results

Scenario Planning – Testing the Plan
Tabletop Decisions
• Will the exercise be scheduled?
• Will the exercise be unscheduled?
• What data will be recorded?
• Will the exercise use deviations?
• Will the exercise remove participants?
• Will the exercise have time constraints?
• Will the exercise limit resources?
• Who will be the scribe?
Run the Exercise
• Call the event
• Assemble the team
• Follow the schedule
• Follow the steps
• Communicate as planned
• Simulate tests
• Simulate results
• Record issues
• Lessons learned
• Plan updates