
Page 1

13-06-2018

Cyber Risk Quantification: Translating technical risks into business terms

Jesper Sachmann

RSA Denmark

Page 2

CYBER RISK QUANTIFICATION: TRANSLATING TECHNICAL RISKS INTO BUSINESS TERMS

Jesper Sachmann, GRCP, GRCA

Atos Cyber Security Day

June 13, 2018

Page 3

IF YOUR CEO ASKED YOU…

How much risk do we have?

How much less risk will we have if…?

How would you answer?


Page 4

THE COMMUNICATION CHALLENGE


CISO: “We have more than ten thousand vulnerabilities, it is eighty percent compliant” (shown in Greek on the original slide)

CFO: “How much risk do we have? Are we spending too little or too much on mitigation?”

CIO: “Are we spending our cybersecurity budget on the right things? What is the ROI?”

AUDIT: “Did you fix those high priority issues?”

BOARD/CEO: “We don’t want to be the next news headline cybercrime victims. Are we doing enough to minimize risk?”

Page 5

BALD TIRE

How much risk?

Page 6

THERE WILL ALWAYS BE ASSUMPTIONS IN ANY ANALYSIS.

THE KEY IS TO SURFACE THEM.

Page 7

COMPLIANT… BUT STILL IN THE DARK

The way most cybersecurity professionals measure risk today fails to quantify cyber risk in terms the business can understand and use.

Qualitative Checklists & Excel

Governance, Risk & Compliance Tools

[Figure: a five-point ordinal scale, Very Low / Low / Moderate / High / Very High, scored 1 to 5, shown for both approaches]

No embedded risk analytics capabilities in most GRC tools

Page 8

WHICH ONE DESERVES MORE ATTENTION?

SIDE EFFECT OF THE QUALITATIVE APPROACH

Can you compare them? How can you take a decision based on this report?

Page 9

THE RISK LANDSCAPE IN A NUTSHELL…

Complex

Dynamic

Limited Resources

Which means…

Page 10

ORGANIZATIONS MUST EXCEL AT PRIORITIZING THEIR CYBER RISK PROBLEMS AND SOLUTIONS.

Page 11

PRIORITIZATION REQUIRES…

Comparing their various concerns and solution options, which requires…

Measurement

Page 12

THE RISK MANAGEMENT STACK

Effective Risk Management is enabled by well informed decisions, which require comparisons, which require measurements, which require a risk model.

Page 13

THE TOP 10 OPERATIONAL RISK RANKING FOR 2018 OF

CYBER RISK RELEVANCE IS ON THE RISE

New Entry

Page 14

IN A TYPICAL ORGANIZATION, 70% TO 90% OF “HIGH RISK” ISSUES AREN’T

Why?

Page 15

RISK MODELS MATTER

Typical Top 10 Risk List:

• POINT OF SALE ATTACKS

• CLOUD COMPUTING

• INSIDER THREAT(S)

• CYBER CRIMINALS

• APPLICATION VULNERABILITIES

• HACKTIVISTS

• PHISHING / SOCIAL ENGINEERING

• MOBILE MALWARE

• BUSINESS CONTINUITY

• THIRD-PARTY RISK

Which Of These Are Risks?

Page 16

NONE OF THESE ARE RISKS!

APPLICATION VULNERABILITIES = CONTROL DEFICIENCY

CLOUD COMPUTING = ASSET

INSIDER THREAT(S) = THREAT

PHISHING / SOCIAL ENGINEERING = METHOD

Tied to an asset and an effect, they become loss events:

APPLICATION VULNERABILITIES becomes “THEFT OF CUSTOMER PII DATA THROUGH APPLICATION ATTACKS”

INSIDER THREAT(S) becomes “LOSS OF AVAILABILITY OF SYSTEMS DUE TO MALICIOUS INSIDER”

WE CAN ONLY ASSESS THE RISK OF LOSS EVENTS

Page 17

FACTOR ANALYSIS OF INFORMATION RISK (FAIR) OVERVIEW

Page 18

FAIR – FACTOR ANALYSIS FOR INFORMATION RISK

A "FAIR DEFINITION" OF RISK

The RISK is the probable frequency and probable magnitude of future loss (*)

(*) associated with a specific event

Risk is a derived (calculated) value

To address the inherent uncertainty of risk, probabilistic distributions are used

The risk is defined in terms of "financial loss exposure"

Page 19

FAIR: THE ANALYTICS MODEL

• Accredited as an Industry Standard by

• Complementary to Risk Frameworks

• Supported by a Fast Growing Community

• FAIR Book Inducted in Cybersecurity Canon

Page 20

FAIR: THE METHODOLOGY

1. Scope the scenarios: a Risk Scenario is made up of Controls, Threat, Effect and Assets

2. Gather data: use available data or estimate the ranges for the risk factors. SCALE: choose the level to work at

3. Run the FAIR model: apply the calculations, manual or automatic (more efficient)

4. Reporting
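As an added example that is not from the slides or from RSA Archer, the four steps above carried out in Python at the top level of the FAIR definition on slide 18 (probable frequency times probable magnitude of loss): each factor is estimated as a minimum / most likely / maximum range, sampled from a triangular distribution, and a Monte Carlo run of simulated years turns that into a loss-exposure distribution. The two scenario names are the loss events from slide 16; the ranges, the triangular and Poisson modelling choices and all function names are assumptions of this example, and FAIR's own further decomposition of frequency (contact frequency, probability of action, vulnerability) is not modelled.

```python
import math
import random
from collections import namedtuple

# A calibrated estimate for one FAIR factor: minimum, most likely, maximum (assumed shape).
Range = namedtuple("Range", "low mode high")
# A loss event (asset + threat + method) with FAIR's two top-level factors:
# loss event frequency (lef, events per year) and loss magnitude per event (lm, in currency).
Scenario = namedtuple("Scenario", "name lef lm")

def sample(r, rng):
    return rng.triangular(r.low, r.high, r.mode)  # stdlib argument order is low, high, mode

def poisson(rng, lam):
    # Number of loss events in one simulated year at rate lam (Knuth's method, fine for small lam).
    threshold, k, p = math.exp(-lam), 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k

def simulate(sc, iterations=20_000, seed=1):
    # Monte Carlo: each iteration is one simulated year; add up the magnitude of every event in it.
    rng = random.Random(seed)
    def one_year():
        return sum(sample(sc.lm, rng) for _ in range(poisson(rng, sample(sc.lef, rng))))
    return [one_year() for _ in range(iterations)]

def summarize(losses):
    ordered = sorted(losses)
    return {"mean": sum(ordered) / len(ordered),             # annualized loss exposure (ALE)
            "p90": ordered[int(0.9 * (len(ordered) - 1))],  # loss exceeded about one year in ten
            "p_any_loss": sum(x > 0 for x in ordered) / len(ordered)}

def rank(scenarios, iterations=20_000, seed=1):
    # Order scenarios by mean annual loss so they can be compared in money, not colour codes.
    results = [(sc.name, summarize(simulate(sc, iterations, seed))) for sc in scenarios]
    return sorted(results, key=lambda r: r[1]["mean"], reverse=True)

# Constructed estimates for the two loss events named on slide 16; not real data.
SCENARIOS = [
    Scenario("Theft of customer PII data through application attacks",
             Range(0.1, 0.5, 2.0), Range(50_000, 500_000, 5_000_000)),
    Scenario("Loss of availability of systems due to malicious insider",
             Range(0.05, 0.2, 1.0), Range(10_000, 100_000, 1_000_000)),
]

if __name__ == "__main__":
    for name, s in rank(SCENARIOS):
        print(f"{name}: ALE {s['mean']:,.0f}  p90 {s['p90']:,.0f}  P(loss) {s['p_any_loss']:.0%}")
```

Each scenario comes back with a mean annual loss, a 90th-percentile annual loss and the probability of any loss in a year, which is what makes the comparison asked for on slide 8 possible without a five-colour scale.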

Page 21

CYBER RISK IS EXPRESSED IN FINANCIAL TERMS:

THE OUTCOME: WHAT YOU GET

Now you can answer many more questions!

Page 22

RSA ARCHER CYBER RISK QUANTIFICATION

Key Features

• Built-in risk calibration and analysis engine for cyber risk calculation

• Templated workflow for easy scenario modeling

• On-demand risk analytics for answers to questions on the fly

• Mathematical simulations to build your risk profile with limited data

• Existing loss tables based on industry data

• Easy-to-use SaaS application

• User-friendly interface

Page 23

RSA ARCHER CYBER RISK QUANTIFICATION: A NEW USE CASE WITHIN RSA ARCHER IT & SECURITY RISK

• IT and Security Policy Program Management

• IT Controls Assurance

• IT Risk Management

• Cyber Risk Quantification (new)

• Cyber Incident & Breach Response

• IT Security Vulnerabilities Program

• IT Regulatory Management

• PCI Management

• Information Security Management System (ISMS)

NOTE: the "Cyber Risk Quantification" use case is powered in the backend by the tool which is a (SaaS) product integrated with RSA Archer.

Page 24

RSA PORTFOLIO

RSA CYBER ANALYTICS PLATFORM

Page 26

RSA CUSTOMER LEADERSHIP

• 30,000+ customers

• 50+ million identities

• 1 billion consumers

• All branches of US Military

• 13 of the 15 Executive Departments of U.S. Government

• 10 of the TOP 10 Technology

• 18 of the TOP 20 Telecom

• 16 of the TOP 20 Energy

• [Figure: further shares (97%, 94%, 19 of the TOP 20, 20 of the TOP 20) for Consumer product, Financial institutions, Healthcare institutions, Transportation and Manufacturing; which figure belongs to which sector is not recoverable from the extracted text]

Page 27

RSA INDUSTRY LEADERSHIP

• Fraud detection rates: 97%

• 400,000+ Malware samples analyzed per week

• Phishing attack identified every 30 seconds

• $60+ billion Value of transactions protected per year

• $8+ billion Value of fraudulent losses prevented per year

• ~95% Of malicious sites blocked in less than 30 minutes

• 1+ million Advanced attacks detected and stopped

• 4M Indicators of compromise actively maintained in RSA Live Threat Intelligence

• 6 Leaders quadrants

• Technology Awards 2016, 2015, 2014, 2013, 2012

• GSN Homeland Security Award 2015

• ~510 issued patents

• ~240 pending patents across current product portfolio

Page 28

THANK YOU

CONTACTS:

ANDERS GREVE, TLF: 30964999, EMAIL: ANDERS.GREVE@RSA.COM

JESPER SACHMANN, TLF: 61207022, EMAIL: JESPER.SACHMANN@RSA.COM