SlideShare une entreprise Scribd logo

Cyber Risk Quantification | Safe Security

Rahul Tyagi
Rahul Tyagi

Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.

Technologie
1  sur  10
Télécharger pour lire hors ligne
White Paper How do you cyber risk? Measure & Mitigate All rights reserved
Increasing Cyber Threats Business Impact of Cyber Threats What are the challenges with traditional cybersecurity approach? As businesses continue to invest in digital transformation and base their business model on technology, cyber threats only become more imminent. Cyber attacks are growing more sophisticated, occurring once every 39 seconds, the IBM Cost of Data Breach Report, 2020 reports an average cost of data breach to be $3.86 million annually. In such a volatile environment, a robust cyber security plan becomes imperative. It aids organisations to make better decisions, improve their cyber security risk posture, mitigate the consequences of cyber crime, gain more visibility into their threat landscape and finally, improve their cyber resilience. Cyber Risk is now a board-room concern. With cyberattacks disrupting business continuity, they pose a direct impact on the top and bottom line of an organization’s balance sheet. Thus, making cybersecurity as one of the top priorities of every organization According to Forbes, lack of Cyber Resilience is the top global business risk in 2020. In 2019 alone, an estimated 8.5 billion accounts were compromised. The CISO Benchmark Report 2020 states that the most impacted business areas after a security breach are operations and brand reputation; followed by finances, intellectual property, and customer retention. The evolving breach trends verify that complying to frameworks alone can no longer holistically safeguard organizations. Frameworks such as ISO, NIST, PCI DSS and others are used as reference checklists for cybersecurity and risk management practices, however, provide limited visibility. Cybersecurity must be aligned with every organization's threats and mission-critical business needs, provided by products that deliver holistic and actionable insights. The Frameworks approach to risk-posture assessments are subjective, labor-intensive, and only offer point-in-time snapshots/assessments. They rely on a qualitative scale without any objective and quantitative measure to assess the security posture of an organization. Similarly, Security Rating Services represent an independent source of publicly accessible data to support some use cases. However, these services don't provide a complete assessment of security controls, as their information is primarily sourced from publicly accessing internet IP addresses, honeypots, analyzing Deep and Dark web content, and individual proprietary data warehouses. Executive Summary 01
Cyber Risk is everyone’s responsibility Continuous Assessment of Cyber Security is the need of the hour Objectivity and simplicity should be at the core of your cybersecurity strategy Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand. This is where Cyber Risk Quantification comes in as a game-changer. There is a need for a solution which integrates with the entire security stack and gives a measurable analysis that supplements decision making. This comprehensive information empowers CISOs and executives to make informed and timely decisions to ensure the cybersecurity of the Compliance and government guidelines mandate the move to go beyond periodic assessments and into continuous monitoring of sensitive and critical information. In such situations, a CISO may often be unable to quantify the maturity of the Information Security measures deployed in the organization. Continuous Assessment of Cyber Security lets an organization prioritize the key focus areas across their Critical Assets and most vulnerable technology verticals. This ensures that adequate measures towards holistic Cyber Security maturity are adopted throughout the organization. Cybersecurity posture cannot be represented by lengthy reports only. It needs to become objective and help decision makers truly understand the risk posture and the dollar value risk that the organization faces. It also needs to be free from IT jargon to enable the boardroom to have a clearer view of the risk posture, thereby facilitating data driven and informed decisions. Executives can get overwhelmed with excruciating details from multiple tools or people. They can now rely on all the data that has been collected and converted from these sources into a simple yet comprehensive score that they can use to track and build their trust on. The new approach of looking at cybersecurity! 02
Our 5 vector approach People Policy The Security Assessment Framework for Enterprises (SAFE) attributes an enterprise-wise, unified, objective and real time score which empowers organizations to understand and improve their cyber risk posture. Designed from the ground up with simplicity, standardization and compliance guidelines in mind, SAFE provides a quantitative dimension to cyber risk management.. The SAFE score ranges from 0.00 to 5.00 and rates the breach likelihood of an organisation at both macro (enterprise/ location) and micro (individual IP/ asset) levels. 03 SAFE Approach A zero-permission mobile application that helps users protect their phones against hacking by monitoring its cybersecurity controls. It also allows the enterprise to run cybersecurity awareness campaigns from a library of over 100 nano cybersecurity training videos and quiz along with monitoring if the employee's personal information/passwords are leaked in the deep and dark web. This data is then put together in our Scoring Engine to give a score per employee Policies wrap around the entire digital infrastructure to safeguard the security hygiene encompassing all functions in an organisation. With over ten years of experience, we have formulated a vast repository of over 40 policies broken into 4500 controls which are derived from globally accepted compliances like ISO, NIST, HIPAA, PCI DSS and others, that could be applied to your enterprise. People SCORE PER PERSON SCORE PER IP/APPLICATIONS SCORE PER SECURITY PRODUCT SCORE PER CYBER SECURITY POLICY SCORE PER THIRD PARTY External Policy Cyber Security Products (CSP) Technology SAFE ENTERPRISE
Technology Cyber Security Products (CSP) 04 SAFE covers your entire technology stack- its applications, cloud services, databases, Network and security nodes, end points and a lot more. It assesses the cyber security posture of each asset based on CIS benchmarks for configuration, NVD for vulnerabilities and threat intelligence from internal and external sources. This gives a true picture of how secure your internal technology set-up is. There is potentially a cyber security product for every niche requirement. Investing in, using, collecting and analysing the ‘relevant’ information becomes a mammoth task for the security team. SAFE provides guidance into procuring must-have and good-to-have products based on your organization’s geography, industry and size. Based on the usage, SAFE provides a score to solve your cyber security problem. SAFE acts as a unified dashboard that sifts through the already existing data and gives you a real-time holistic view with prioritised actionables. SAFE Use Cases Understanding cybersecurity posture of an Configuration assessment and Vulnerability Management of the technology stack. Ensure Compliance with industry- recognized standard Visibility and configuration assessment of cyber security products. Deep and Dark Web Monitoring Outside-in assessment of third-parties Measure and improve Cybersecurity awareness of your employees. External 53% of organizations have experienced one or more data breaches caused by a third party. SAFE can automatically assess all the organisation’s third parties and provide a cyber risk posture assessment. SAFE can also scan the deep and dark web to provide visibility into leaked credentials for the first and third party.
05 How does SAFE measure cyber risk? 0 1 SAFE scores and provides actionable insights as an outcome SAFE Scoring Model “Likelihood of Breach” for an enterprise is a direct function of gaps in People, Process, and Technology. The SAFE score is, therefore, a function of “Likelihood of Breach” both at a macro (organization level) and at micro-level (per employee, policy, and asset). Suggestions from subject matter experts (SME) are taken into consideration while selecting inputs for the scoring model and information which satisfy the following criteria : Clear Everybody/anybody knows what that means. Observable The decomposed object should be observable and one should be clear, what would happen when we observe more of that object/vulnerability. Useful Taking into consideration only those things that really matter in decision making. Enterprise's SAFE Score Overall SAFE Score for the Enterprise clubbed to $ Value Risk SAFE Score for Business Units SAFE Score for Internal Technologies (per IP/Applications) SAFE Score for External Technologies SAFE Score for Policies / Processes SAFE Score for Employees SAFE Score for Third Parties SAFE Score for Compliance Management SAFE Score for Custom Asset Groups Reputation Risk Regulatory Risk Financial Risk
06 Expected Loss In the SAFE Scoring model, the Scores are provided at the following levels SAFE Score with confidence metric for a group of employees SAFE Score per employee Overall SAFE Score is the function of breach likelihood at a macro (organization SAFE Score) and micro (per employee, policy, and asset) level. SAFE Score with confidence metric for a group of policies SAFE Score per asset SAFE Score with confidence SAFE Score per policy The overall risk (expected loss) faced by an organization is a direct function of Breach Likelihood & Breach Impact (based on extensive study of average breach cost). The overall likelihood of a breach is used as an input in Poisson distribution to calculate the Breach Frequency Distribution. Poisson distribution is popularly used in: Insurance sector to estimate the claims count. Insurance sector to estimate the claims count E-Commerce Industry to estimate number sales in a given time period Micro Level Macro Level Overall Level External Third-Party SAFE Score with confidence metric for the third party considering the assessment of only external controls. Output
07 The Breach frequency distribution and breach impact inputs are then combined using Monte-Carlo simulation to get the expected loss or the Risk the company is facing. Likelihood of breach from People Overall Breach Livelihood / Safe Score LB and UB of Breach Impact Expected $ loss (Risk) Likelihood of breach from Process Likelihood of breach from Technology Likelihood of breach from Third Party
08 SAFE Benefits & Key Highlights SAFE brings the entire cybersecurity assessment to one platform, improving work efficiency by eliminating the need to monitor multiple applications & platforms. SAFE provides an estimate for improving the cybersecurity posture of an organization by keeping the current security posture as a benchmark and defining the roadmap whilst prioritizing key areas of concern. Enables the Board, CISO & Security Analysts to be aligned with an objective risk metric that takes into account both, technical & the business context and gives prioritized actionables. SAFE is proactive and alerts organizations in real-time towards security gaps with 100% IT infrastructure coverage. Measure, Monitor and Mitigate Risks per LoB (Business Unit) / Crown Jewels.
All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Lucideus. No part of this document may be reproduced in any form or by any means without the prior written authorization of Lucideus. While every precaution has been taken in the preparation of this document, Lucideus assumes no responsibility for errors or omissions 2020 Lucideus Inc. All rights reserved Lucideus Inc. Stanford Research Park, 3260 Hillview Avenue, Palo Alto, CA - 94304 INDIA Lucideus House Plot no. 15, Okhla Phase III New Delhi 110020 www.safe.security | info@safe.security Standford Research Park, 3260 Hillview Avenue, Palo Alto, CA - 94304

Recommandé

How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
Deepak Bansal, CPA CISSP
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
eeaches
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
Kim Jensen
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
Abhishek Sood
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentation
Ajai Srivastava
 

Recommandé

How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
Rahul Tyagi
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
Information Technology Vendor Risk Management
Information Technology Vendor Risk ManagementInformation Technology Vendor Risk Management
Information Technology Vendor Risk Management
Deepak Bansal, CPA CISSP
 
2013 Incident Response Survey
2013 Incident Response Survey2013 Incident Response Survey
2013 Incident Response Survey
FireEye, Inc.
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
eeaches
 
Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015Hewlett-Packard Enterprise- State of Security Operations 2015
Hewlett-Packard Enterprise- State of Security Operations 2015
Kim Jensen
 
How to measure your cybersecurity performance
How to measure your cybersecurity performanceHow to measure your cybersecurity performance
How to measure your cybersecurity performance
Abhishek Sood
 
bsi-cyber-resilience-presentation
bsi-cyber-resilience-presentationbsi-cyber-resilience-presentation
bsi-cyber-resilience-presentation
Ajai Srivastava
 
HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment Report
Belinda Edwards
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
Steve Arnold
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
at MicroFocus Italy ❖✔
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
EnterpriseGRC Solutions, Inc.
 
M-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security GapM-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security Gap
FireEye, Inc.
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security Services
Graham Mann
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Proofpoint
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
Brian Matteson, CISSP CISA
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Happiest Minds Technologies
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Happiest Minds Technologies
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
Chaitanya Bhatt
 
Building securable infrastructures
Building securable infrastructures Building securable infrastructures
Building securable infrastructures
Steven Aiello
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
Anil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
Anil
 

Contenu connexe

Tendances

security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
Steve Arnold
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
FireEye, Inc.
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
at MicroFocus Italy ❖✔
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
FireEye, Inc.
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
SlideTeam
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
Ayham Kochaji
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
Jeremiah Grossman
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Happiest Minds Technologies
 

Tendances (20)

HSN Risk Assessment Report
HSN Risk Assessment ReportHSN Risk Assessment Report
HSN Risk Assessment Report
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
 
SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey SANS 2013 Report: Digital Forensics and Incident Response Survey
SANS 2013 Report: Digital Forensics and Incident Response Survey
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ...
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
 
M-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security GapM-Trends® 2013: Attack the Security Gap
M-Trends® 2013: Attack the Security Gap
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security Services
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
 
SOC for Cybersecurity Overview
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
 
Building securable infrastructures
Building securable infrastructures Building securable infrastructures
Building securable infrastructures
 

Similaire à Cyber Risk Quantification | Safe Security

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
CBIZ, Inc.
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
Rachel Anne Carter
 

Similaire à Cyber Risk Quantification | Safe Security (20)

Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOUHOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
HOW TO MEASURE WHAT HACKERS KNOW ABOUT YOU
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
What is CIS Benchmark
What is CIS BenchmarkWhat is CIS Benchmark
What is CIS Benchmark
 
Cyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor uploadCyber presentation spet 2019 v8sentfor upload
Cyber presentation spet 2019 v8sentfor upload
 
Weakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chainWeakest links of an organization's Cybersecurity chain
Weakest links of an organization's Cybersecurity chain
 
BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023BIZGrowth Strategies — Cybersecurity Special Edition 2023
BIZGrowth Strategies — Cybersecurity Special Edition 2023
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
 
Cyber threat forecast 2018..
Cyber threat forecast 2018..Cyber threat forecast 2018..
Cyber threat forecast 2018..
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
Big Data Analytics Solutions
Big Data Analytics SolutionsBig Data Analytics Solutions
Big Data Analytics Solutions
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
 
Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022Top Cyber News Magazine - Oct 2022
Top Cyber News Magazine - Oct 2022
 
Cybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lensCybersecurity through the Deloitte lens
Cybersecurity through the Deloitte lens
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Dernier (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Cyber Risk Quantification | Safe Security

  • 1. White Paper How do you cyber risk? Measure & Mitigate All rights reserved
  • 2. Increasing Cyber Threats Business Impact of Cyber Threats What are the challenges with traditional cybersecurity approach? As businesses continue to invest in digital transformation and base their business model on technology, cyber threats only become more imminent. Cyber attacks are growing more sophisticated, occurring once every 39 seconds, the IBM Cost of Data Breach Report, 2020 reports an average cost of data breach to be $3.86 million annually. In such a volatile environment, a robust cyber security plan becomes imperative. It aids organisations to make better decisions, improve their cyber security risk posture, mitigate the consequences of cyber crime, gain more visibility into their threat landscape and finally, improve their cyber resilience. Cyber Risk is now a board-room concern. With cyberattacks disrupting business continuity, they pose a direct impact on the top and bottom line of an organization’s balance sheet. Thus, making cybersecurity as one of the top priorities of every organization According to Forbes, lack of Cyber Resilience is the top global business risk in 2020. In 2019 alone, an estimated 8.5 billion accounts were compromised. The CISO Benchmark Report 2020 states that the most impacted business areas after a security breach are operations and brand reputation; followed by finances, intellectual property, and customer retention. The evolving breach trends verify that complying to frameworks alone can no longer holistically safeguard organizations. Frameworks such as ISO, NIST, PCI DSS and others are used as reference checklists for cybersecurity and risk management practices, however, provide limited visibility. Cybersecurity must be aligned with every organization's threats and mission-critical business needs, provided by products that deliver holistic and actionable insights. The Frameworks approach to risk-posture assessments are subjective, labor-intensive, and only offer point-in-time snapshots/assessments. They rely on a qualitative scale without any objective and quantitative measure to assess the security posture of an organization. Similarly, Security Rating Services represent an independent source of publicly accessible data to support some use cases. However, these services don't provide a complete assessment of security controls, as their information is primarily sourced from publicly accessing internet IP addresses, honeypots, analyzing Deep and Dark web content, and individual proprietary data warehouses. Executive Summary 01
  • 3. Cyber Risk is everyone’s responsibility Continuous Assessment of Cyber Security is the need of the hour Objectivity and simplicity should be at the core of your cybersecurity strategy Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand. This is where Cyber Risk Quantification comes in as a game-changer. There is a need for a solution which integrates with the entire security stack and gives a measurable analysis that supplements decision making. This comprehensive information empowers CISOs and executives to make informed and timely decisions to ensure the cybersecurity of the Compliance and government guidelines mandate the move to go beyond periodic assessments and into continuous monitoring of sensitive and critical information. In such situations, a CISO may often be unable to quantify the maturity of the Information Security measures deployed in the organization. Continuous Assessment of Cyber Security lets an organization prioritize the key focus areas across their Critical Assets and most vulnerable technology verticals. This ensures that adequate measures towards holistic Cyber Security maturity are adopted throughout the organization. Cybersecurity posture cannot be represented by lengthy reports only. It needs to become objective and help decision makers truly understand the risk posture and the dollar value risk that the organization faces. It also needs to be free from IT jargon to enable the boardroom to have a clearer view of the risk posture, thereby facilitating data driven and informed decisions. Executives can get overwhelmed with excruciating details from multiple tools or people. They can now rely on all the data that has been collected and converted from these sources into a simple yet comprehensive score that they can use to track and build their trust on. The new approach of looking at cybersecurity! 02
  • 4. Our 5 vector approach People Policy The Security Assessment Framework for Enterprises (SAFE) attributes an enterprise-wise, unified, objective and real time score which empowers organizations to understand and improve their cyber risk posture. Designed from the ground up with simplicity, standardization and compliance guidelines in mind, SAFE provides a quantitative dimension to cyber risk management.. The SAFE score ranges from 0.00 to 5.00 and rates the breach likelihood of an organisation at both macro (enterprise/ location) and micro (individual IP/ asset) levels. 03 SAFE Approach A zero-permission mobile application that helps users protect their phones against hacking by monitoring its cybersecurity controls. It also allows the enterprise to run cybersecurity awareness campaigns from a library of over 100 nano cybersecurity training videos and quiz along with monitoring if the employee's personal information/passwords are leaked in the deep and dark web. This data is then put together in our Scoring Engine to give a score per employee Policies wrap around the entire digital infrastructure to safeguard the security hygiene encompassing all functions in an organisation. With over ten years of experience, we have formulated a vast repository of over 40 policies broken into 4500 controls which are derived from globally accepted compliances like ISO, NIST, HIPAA, PCI DSS and others, that could be applied to your enterprise. People SCORE PER PERSON SCORE PER IP/APPLICATIONS SCORE PER SECURITY PRODUCT SCORE PER CYBER SECURITY POLICY SCORE PER THIRD PARTY External Policy Cyber Security Products (CSP) Technology SAFE ENTERPRISE
  • 5. Technology Cyber Security Products (CSP) 04 SAFE covers your entire technology stack- its applications, cloud services, databases, Network and security nodes, end points and a lot more. It assesses the cyber security posture of each asset based on CIS benchmarks for configuration, NVD for vulnerabilities and threat intelligence from internal and external sources. This gives a true picture of how secure your internal technology set-up is. There is potentially a cyber security product for every niche requirement. Investing in, using, collecting and analysing the ‘relevant’ information becomes a mammoth task for the security team. SAFE provides guidance into procuring must-have and good-to-have products based on your organization’s geography, industry and size. Based on the usage, SAFE provides a score to solve your cyber security problem. SAFE acts as a unified dashboard that sifts through the already existing data and gives you a real-time holistic view with prioritised actionables. SAFE Use Cases Understanding cybersecurity posture of an Configuration assessment and Vulnerability Management of the technology stack. Ensure Compliance with industry- recognized standard Visibility and configuration assessment of cyber security products. Deep and Dark Web Monitoring Outside-in assessment of third-parties Measure and improve Cybersecurity awareness of your employees. External 53% of organizations have experienced one or more data breaches caused by a third party. SAFE can automatically assess all the organisation’s third parties and provide a cyber risk posture assessment. SAFE can also scan the deep and dark web to provide visibility into leaked credentials for the first and third party.
  • 6. 05 How does SAFE measure cyber risk? 0 1 SAFE scores and provides actionable insights as an outcome SAFE Scoring Model “Likelihood of Breach” for an enterprise is a direct function of gaps in People, Process, and Technology. The SAFE score is, therefore, a function of “Likelihood of Breach” both at a macro (organization level) and at micro-level (per employee, policy, and asset). Suggestions from subject matter experts (SME) are taken into consideration while selecting inputs for the scoring model and information which satisfy the following criteria : Clear Everybody/anybody knows what that means. Observable The decomposed object should be observable and one should be clear, what would happen when we observe more of that object/vulnerability. Useful Taking into consideration only those things that really matter in decision making. Enterprise's SAFE Score Overall SAFE Score for the Enterprise clubbed to $ Value Risk SAFE Score for Business Units SAFE Score for Internal Technologies (per IP/Applications) SAFE Score for External Technologies SAFE Score for Policies / Processes SAFE Score for Employees SAFE Score for Third Parties SAFE Score for Compliance Management SAFE Score for Custom Asset Groups Reputation Risk Regulatory Risk Financial Risk
  • 7. 06 Expected Loss In the SAFE Scoring model, the Scores are provided at the following levels SAFE Score with confidence metric for a group of employees SAFE Score per employee Overall SAFE Score is the function of breach likelihood at a macro (organization SAFE Score) and micro (per employee, policy, and asset) level. SAFE Score with confidence metric for a group of policies SAFE Score per asset SAFE Score with confidence SAFE Score per policy The overall risk (expected loss) faced by an organization is a direct function of Breach Likelihood & Breach Impact (based on extensive study of average breach cost). The overall likelihood of a breach is used as an input in Poisson distribution to calculate the Breach Frequency Distribution. Poisson distribution is popularly used in: Insurance sector to estimate the claims count. Insurance sector to estimate the claims count E-Commerce Industry to estimate number sales in a given time period Micro Level Macro Level Overall Level External Third-Party SAFE Score with confidence metric for the third party considering the assessment of only external controls. Output
  • 8. 07 The Breach frequency distribution and breach impact inputs are then combined using Monte-Carlo simulation to get the expected loss or the Risk the company is facing. Likelihood of breach from People Overall Breach Livelihood / Safe Score LB and UB of Breach Impact Expected $ loss (Risk) Likelihood of breach from Process Likelihood of breach from Technology Likelihood of breach from Third Party
  • 9. 08 SAFE Benefits & Key Highlights SAFE brings the entire cybersecurity assessment to one platform, improving work efficiency by eliminating the need to monitor multiple applications & platforms. SAFE provides an estimate for improving the cybersecurity posture of an organization by keeping the current security posture as a benchmark and defining the roadmap whilst prioritizing key areas of concern. Enables the Board, CISO & Security Analysts to be aligned with an objective risk metric that takes into account both, technical & the business context and gives prioritized actionables. SAFE is proactive and alerts organizations in real-time towards security gaps with 100% IT infrastructure coverage. Measure, Monitor and Mitigate Risks per LoB (Business Unit) / Crown Jewels.
  • 10. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation is strictly prohibited without the prior written consent of Lucideus. No part of this document may be reproduced in any form or by any means without the prior written authorization of Lucideus. While every precaution has been taken in the preparation of this document, Lucideus assumes no responsibility for errors or omissions 2020 Lucideus Inc. All rights reserved Lucideus Inc. Stanford Research Park, 3260 Hillview Avenue, Palo Alto, CA - 94304 INDIA Lucideus House Plot no. 15, Okhla Phase III New Delhi 110020 www.safe.security | info@safe.security Standford Research Park, 3260 Hillview Avenue, Palo Alto, CA - 94304