Being Prepared and Risk Informed

The methods employed by criminals now compel organisations to adopt a more proactive approach to the security of digital assets and the processes that handle them. The nature of advanced threats negates the efficacy of reactive measures in defending against cyber attacks, and severely complicates incident response options. Consequently, the process of security is becoming increasingly complex, as it must now integrate the different facets of the organisation's preparedness and planning into an overarching security framework that includes systems, processes and management practices.
 
For example, security decision-making must be risk-informed, and many firms struggle with methodologies for evaluating and quantifying risk involving digital assets and processes. Similarly, the requirement for the physical and cyber security domains to collaborate in combating the converged nature of sophisticated threats challenges both functions to dovetail their capabilities effectively, and many struggle to identify interdependencies and vulnerabilities. Finally, in the majority of cases, organisations rely heavily on the deployment of security measures and tend to neglect the testing of defensive and response capabilities against different scenarios, which ultimately hampers their ability to handle the unexpected or unfamiliar aspects of their 'next threat'.
 
The principles of pre-emptive forensics are evolving, but the essence of a pre-emptive approach should be based upon developing foresight. Applying a forensic approach to doing so is key to developing insight into both the probable and the plausible outcomes of a breach. The enduring adage that 'forewarned is forearmed' justifies the testing and exercising of an organisation's capabilities, which is chronically under-valued by most firms.
 
The process of simulating real-world attacks and analysing the performance of the security apparatus forensically to determine its strengths and weaknesses is a key platform of organisational preparedness, not only because 'practice makes perfect' but because it develops an organisational preoccupation with 'what if' scenarios and with the consequences of failing to deal with them effectively. The forensic benefits of dissecting an attack give an organisation the opportunity to examine its own response to incidents and to develop great precision in its actions and reactions to events, as well as a clear demonstration of its vulnerabilities.
 
Ultimately, the justification for adopting a pre-emptive and proactive approach must be to enable better risk-informed decision-taking. A comprehensive evaluation of cyber risk requires a meticulous approach to mapping an organisation's assets and processes before modelling risk against them, and there are few methodologies that are fully evolved to accomplish this. The mapping process is complex in itself, but it is an imperative in order to assess vulnerabilities. A methodology such as FAIR (Factor Analysis of Information Risk) then builds on that map an overlay of the threat landscape based on up-to-date intelligence; producing this overlay requires a fusion of different types of intelligence and sources in order to highlight exposure to specific types of threat, and it is central to a forensic approach to analysis. These steps together enable the modelling of risk in quantitative terms, producing hard data points for probabilities, for the financial implications of different events, and for the deterrence-versus-cost assessment of different security measures, alongside alternatives for improving the risk posture. For more information about FAIR see http://www.optimalrisk.com/Cyber-Security/FAIR-Methodology
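As an added illustration of the quantitative step described above (example code written for this page, not the article's or Optimal Risk's own tooling), the following Python sketch estimates annualised loss FAIR-style from calibrated low / most-likely / high estimates of threat event frequency, vulnerability and loss magnitude, then weighs a baseline against a hypothetical control bundle on a risk-reduction-versus-cost basis. All figures and scenario names are constructed, and the triangular distribution stands in for the PERT curves FAIR tooling normally uses.

```python
import random
from dataclasses import dataclass

@dataclass
class Estimate:
    """Calibrated low / most-likely / high estimate, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float
    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.likely)
    def expected(self):
        return (self.low + self.likely + self.high) / 3  # mean of a triangular distribution

@dataclass
class Scenario:
    name: str
    tef: Estimate        # threat event frequency: attempts per year against the asset
    vuln: Estimate       # vulnerability: probability that an attempt becomes a loss event
    loss: Estimate       # loss magnitude per loss event, in currency units
    control_cost: float  # annual cost of the controls assumed in this scenario

def simulate(scn, trials=20_000, seed=1):
    """Monte Carlo over annual loss = TEF * Vuln * LM, one independent draw of each per trial."""
    rng = random.Random(seed)
    losses = sorted(scn.tef.sample(rng) * scn.vuln.sample(rng) * scn.loss.sample(rng)
                    for _ in range(trials))
    return {"mean": sum(losses) / trials, "p50": losses[trials // 2], "p90": losses[int(trials * 0.9)]}

def expected_annual_loss(scn):
    """Closed-form mean (the factors are independent), used to sanity-check the simulation."""
    return scn.tef.expected() * scn.vuln.expected() * scn.loss.expected()

def net_benefit(baseline, with_control, trials=20_000):
    """Mean risk reduction minus control cost; positive means the control pays for itself."""
    reduction = simulate(baseline, trials)["mean"] - simulate(with_control, trials)["mean"]
    return reduction - with_control.control_cost

# Constructed figures for a hypothetical customer-database scenario (not from the article).
BASELINE = Scenario("no extra controls", Estimate(2, 6, 12), Estimate(0.2, 0.4, 0.7),
                    Estimate(50_000, 200_000, 1_000_000), control_cost=0)
HARDENED = Scenario("MFA + segmentation", Estimate(2, 6, 12), Estimate(0.05, 0.1, 0.2),
                    Estimate(50_000, 200_000, 1_000_000), control_cost=150_000)

if __name__ == "__main__":
    for scn in (BASELINE, HARDENED):
        print(scn.name, {k: round(v) for k, v in simulate(scn).items()})
    print("net annual benefit of control:", round(net_benefit(BASELINE, HARDENED)))
```

The p90 figure is the kind of "hard data point" the text refers to: it answers how bad a plausible, not merely probable, year looks under each posture.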
 
First published in Acquisition International October 2013
 
Posted: 28 November 2013 by Optimal Risk Admin