TRANSCRIPT
A Quantitative Approach to Evaluating Cyber Risk
Presented by:
Tom Walheim, CISSP
Chief Technology Officer - Cyber Systems
L3 Technologies
www.L3CyberQ.com 1
Objective
Describe a network behavior model, based on factual evidence and advanced analytics techniques.
Demonstrate how network behavior models enable accurate and quantitative evaluation of cyber risk, specific to your institution, increasing executive control.
Agenda
o Qualities of effective measurement
o Layers of Complexity – the technical challenge
o Current Challenges for cyber risk executives
o Overview of Network Behavior Model
o Benefits of Network Behavior Model in cyber risk management
Qualities of effective measurement
o Evidence based with traceability from attack to enterprise consequence
o Measures against holistic view of your network
o Exhaustive evaluation of adversaries and scenarios
o Addresses all compromise types
o Mathematically Coherent and Repeatable
“To be better positioned to make sound investment and risk mitigation decisions, [firms] need to be able to quantify cyber risk.” – World Economic Forum
Layers of Complexity - Adversaries
[Figure: adversary model chart. Adversary classes: Insider, Hacktivist, Org. Criminal, Terrorist, Nation State. Motivations: Financials, Personal Info, Intellectual Property. Capabilities: Internal Knowledge, Tools, Stealthiness, Technical, Funding. Note on slide: "Actual Adversary Model has many more dimensions and more granularity."]
Layers of Complexity – System-of-Systems
[Figure: system-of-systems stack. Adversaries (Hostile Nations, Criminals, Terrorists, Hacktivists, Insiders) → Compromises (Confidentiality, Integrity, Availability) → Cyber Defense (Network Protection, Host Protection, Data Protection) → Business Operations (Networks, Platforms, Software, Information Systems) → $$ Information Assets $$]
Current Challenges for the risk executive
o Boards lack data to develop Risk Appetite Statements
o Boards must shift to consequence-driven cyber risk management (not technology-driven). But how?
o Regulations require more from Boards and risk executives in cyber risk governance without explaining how
“A covered entity also would be required to … manage cyber risk appropriate to the nature of the operations of the firm.” – enhanced standard ANPR
Overview of Network Behavior Model
How Network Behavior Models tame complexity to facilitate quantitative cyber risk measurement
Network Behavior Model in risk management
[Figure: model workflow. Adversary/Threat Profiles and Network Discovery feed Model Buildout → Attack Scenarios → Eroded Information Assets → C.I.A. Business Impact Analyses (Operations, Trading, Corporate, Marketing) → Department Impacts → Enterprise Risk Analyses (EPS, Capital, Volatility, Client/Shareholder Confidence) → Prioritized Cyber Risk Expenditures]
Can this model be realized?
Critical skills to create a model:
o Adversary intelligence and experience
o Complex systems expertise
o Evidence-based, mathematical modeling of multi-dimensional systems-of-systems
o Enterprise Risk Management proficiency
Can this model be realized?
Network Behavior Model accurately represents your enterprise under simulated attack. It includes:
o Physical Connections
o Logical Flows of data
o Software interactions
o Specific Information Assets
o Component Vulnerabilities
o Adversary and attack simulation
Network Behavior Model Essentials
Financial consequence, aligned to information erosion, complex systems, vulnerabilities and adversaries
“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” – Theodore Roosevelt
Network Behavior Model Essentials
Use adversary intelligence to evaluate all scenarios, including complex APT attack scenarios:
o Sophisticated
o Well planned / Multi-stage
o Stealthy / Patient
o Use any available access
“All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” - Sun Tzu
Network Behavior Model Essentials
Mathematical Integrity based on consistent, repeatable and empirical evidence - not surveys, opinions or anecdotes
“If you’re a scientist, and you have to have an answer, even in the absence of data, you’re not going to be a good scientist.” – Neil deGrasse Tyson, Astrophysicist
Facilitating stronger risk management
Improve Decisions with consequences measured across multiple dimensions such as:
o Information Asset
o Department
o Consequence Type
o Adversary / Threat
“If you don't know the risk, you can't develop a strategy to mitigate the risk.” – Kelly King, BB&T Chairman and CEO
[Figure: consequence exposure broken out by Departments, by Assets, and by compromise type: Confidentiality 49.7%, Integrity 28.7%, Availability 21.6%]
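The deck describes the model's ingredients (logical data flows, software interactions, specific information assets, component vulnerabilities, adversary and attack simulation) and the roll-up of consequences by information asset, department, consequence type and adversary, but shows no mechanics. The following toy is an added example, not code from the deck or from L3; it implements the smallest version of that pipeline: a graph of hosts joined by data flows, each host carrying vulnerabilities with a difficulty score, adversary profiles with capability, entry points, patience and annual frequency, and a seeded Monte Carlo campaign simulation whose compromised hosts are converted into expected annual loss (EAL = frequency × mean loss per campaign) along the four dimensions the deck names. Every host, vulnerability label, loss figure and adversary profile is constructed for illustration; the success model (capability × (1 − difficulty) per hop) is an assumption, not the deck's method. The fixed seed is what makes a run repeatable, which is the "repeatable" property the deck asks of a measurement.

```python
"""Toy network behaviour model: Monte Carlo attack simulation over a small
enterprise graph, rolled up into expected annual loss (EAL) by information
asset, department, consequence type (C/I/A) and adversary. All hosts, data
flows, vulnerabilities, loss figures and adversary profiles are constructed
illustrations, not data from the slide deck."""
import random
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    department: str
    links: list                                 # logical data flows to other host names
    vulns: list = field(default_factory=list)   # (label, difficulty 0..1); none => unexploitable


@dataclass
class Asset:
    name: str
    host: str            # host the information asset lives on
    department: str
    loss: dict           # consequence type "C"/"I"/"A" -> monetary loss if eroded


@dataclass
class Adversary:
    name: str
    capability: float    # 0..1, scales per-hop exploit success
    entry_points: list   # hosts held without an exploit (phishing, insider)
    pursues: set         # consequence types this adversary inflicts
    annual_frequency: float   # expected campaigns per year
    patience: int        # lateral-movement attempts before the campaign is abandoned


def compromise_spread(hosts, adversary, rng):
    """One multi-stage campaign: breadth-first lateral movement along data flows.
    Each hop costs one attempt; the hop succeeds if any vulnerability on the
    target yields to capability * (1 - difficulty). Returns compromised hosts."""
    owned = set(adversary.entry_points)
    frontier = list(owned)
    attempts = 0
    while frontier and attempts < adversary.patience:
        src = frontier.pop(0)
        for dst in hosts[src].links:
            if dst in owned or attempts >= adversary.patience:
                continue
            attempts += 1
            for _label, difficulty in hosts[dst].vulns:
                if rng.random() < adversary.capability * (1.0 - difficulty):
                    owned.add(dst)
                    frontier.append(dst)
                    break
    return owned


def simulate(hosts, assets, adversaries, trials=2000, seed=7):
    """EAL along four dimensions. A fixed seed makes the run repeatable:
    the same model always produces the same numbers."""
    rng = random.Random(seed)
    by_name = {a.name: a for a in assets}
    eal = {d: defaultdict(float) for d in ("asset", "department", "consequence", "adversary")}
    for adv in adversaries:
        summed = defaultdict(float)      # (asset, ctype) -> loss summed over trials
        for _ in range(trials):
            owned = compromise_spread(hosts, adv, rng)
            for a in assets:
                if a.host in owned:
                    for ctype in adv.pursues:
                        if ctype in a.loss:
                            summed[(a.name, ctype)] += a.loss[ctype]
        for (aname, ctype), total in summed.items():
            loss = adv.annual_frequency * total / trials   # frequency x mean loss per campaign
            eal["asset"][aname] += loss
            eal["department"][by_name[aname].department] += loss
            eal["consequence"][ctype] += loss
            eal["adversary"][adv.name] += loss
    return {d: dict(v) for d, v in eal.items()}


def share(results, dim):
    """Percentage split of EAL along one dimension, e.g. the C/I/A pie."""
    total = sum(results[dim].values())
    return {k: 100.0 * v / total for k, v in results[dim].items()} if total else {}


# Constructed sample enterprise: five hosts, four assets, three adversary profiles.
HOSTS = {h.name: h for h in [
    Host("web-dmz", "Operations", ["app-trading"], [("web-rce", 0.4)]),
    Host("app-trading", "Trading", ["db-trading"], [("app-deserialization", 0.5)]),
    Host("db-trading", "Trading", [], [("db-weak-creds", 0.3)]),
    Host("wks-marketing", "Marketing", ["file-corp"], [("office-macro", 0.1)]),
    Host("file-corp", "Corporate", ["db-trading"], [("smb-unpatched", 0.2)]),
]}
ASSETS = [
    Asset("trade-book", "db-trading", "Trading", {"C": 2_000_000, "I": 5_000_000, "A": 1_500_000}),
    Asset("order-flow", "app-trading", "Operations", {"I": 400_000, "A": 800_000}),
    Asset("client-pii", "file-corp", "Corporate", {"C": 3_000_000, "A": 200_000}),
    Asset("campaign-plans", "wks-marketing", "Marketing", {"C": 100_000}),
]
ADVERSARIES = [
    Adversary("nation-state", 0.9, ["web-dmz"], {"C"}, 0.2, 50),
    Adversary("org-criminal", 0.6, ["web-dmz", "wks-marketing"], {"C", "A"}, 2.0, 20),
    Adversary("insider", 0.5, ["wks-marketing"], {"C", "I"}, 0.5, 5),
]

if __name__ == "__main__":
    results = simulate(HOSTS, ASSETS, ADVERSARIES)
    for dim in ("adversary", "department", "asset"):
        print(dim, {k: round(v) for k, v in results[dim].items()})
    print("C/I/A split %", {k: round(v, 1) for k, v in share(results, "consequence").items()})
```

Because every unit of loss is attributed once to an asset, a department, a consequence type and an adversary, the four breakdowns always sum to the same total; that is the traceability from attack to enterprise consequence the deck asks for, and it is a cheap sanity check on any real implementation. Changing a vulnerability's difficulty (a patch) or a link (a segmentation change) and re-running with the same seed gives a before/after delta that can be compared directly with the cost of the control.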
What a model enables…
CCAR/CLAR – Bank Stress Test
Quantified modeling of Cyber Attacks extrapolates to enterprise measures to …
o Contain Expenditures commensurate with exposure
o Preserve Capital pursuant to “Stress Test” requirements
o Establish Confidence & Trust for Stakeholders, Allies and the Public
[Figure: stress-test panels for EPS Impact, Volatility Impact, Reputation Impact and Capital Impact, labelled Value at Risk, Reputation & Volatility, Resource Allocations and Risk Weighted Assets; axis ticks not reproduced]
Network Behavior Model approach is…
o Evidence based with traceability from attack to enterprise consequence
o Measures against holistic view of your network
o Exhaustive evaluation of adversaries and scenarios
o Addresses all compromise types
o Mathematically Coherent and Repeatable
A Quantitative Approach to Evaluating Cyber Risk
Removing the Uncertainty behind Cyber Risk
Questions?
Tom Walheim, CISSP
Chief Technology Officer – Cyber Systems
L3 Communication Systems – [email protected]