communicating risk to executive leadership

intelligent information securityANITIAN

COMMUNICATING RISK TO EXECUTIVE LEADERSHIP


Overview

Intent • Define the challenges of discussing risk with executives• Outline some strategies for communicating risk more effectively

to leadership

Outline1. The risk challenge2. Business risk intelligence – a new way to communicate risk3. Risk reporting4. Final thoughts and best practices


Meet the Speaker: Andrew Plato• President / CEO of Anitian • 20 years of experience in IT and security• Completed thousands of security assessments and projects• Discovered SQL injection attack tactic in 1995• Helped develop first in-line IPS engine (BlackICE) • Co-developed RiskNow™ - Rapid Risk Assessment approach • Championed movement toward practical, pragmatic information

security solutions


Vision: Security makes the world a better place. Mission: Build great security leaders.

We deliver security and threat intelligence via a range of services:• Compliance (PCI, HIPAA, NERC, etc.)• Risk assessment • Penetration testing• Incident response • Operationalization of security controls

ANITIAN


THE RISK CHALLENGE


Something Is Not Right Here

Leadership is frustrated with security: “Why does this take so long?”“Why don’t the technologies we bought last year work any more? ”“What am I supposed to do with this big report?”“What are the real problems?” “I don’t care about the details, just tell me how to fix it!” “Are we really in danger?”“What do all these numbers, charts and worksheets mean?”“This is just a meaningless regulatory requirement!” “I just want to know what do we have to do to avoid being on Krebs’ blog?”


The Problem• Current risk assessment techniques are…• Too slow Executives need it now• Too complex Executives need to understand• Process-centric Executives need results• Lack clarity Executives need intelligence

• We need a new way to discuss risk with leadership


Risk Management Must Move at the Speed of Business• Leaders are forward thinkers, they want to know where to go• Answers must be timely and definitive

• IT risk is volatile, dynamic and has a short shelf life • Any risk assessment over 90-180 days old is stale • NIST, OCTAVE, FAIR are too time consuming and complex• Risk assessment is not a consensus of opinions• GRC portals are helpful, but can create an immense amount of

busywork • Do not let perfection become the enemy of good• Remediation must be clear, definitive, and have costs


Simplicity Fuels Comprehension• Leaders don’t care about arbitrary risk rankings• Risk data must be quickly accessible, digestible, and usable

• Using big, complex formulas does not make analysis more “true”• All risk analysis is ultimately subjective• Nobody will read complex worksheets• It’s impossible to establish true value for IT assets• Leaders want to understand how their business compares to

other companies, not to arbitrary frameworks• If you cannot explain it simply, then you don’t understand it well

enough. - Albert Einstein


So What? • Leaders have highly attenuated baloney sensors• Evidence builds trust and credibility

• Most risk assessment methodologies overemphasize process and policy

• People lie on questionnaires and surveys• Technical testing cuts through conjecture and answers the

important question: so what? • Vulnerability scanning, penetration testing, and configuration

analysis produce clear, empirical evidence• Without testing, the entire analysis is one-sided


Less is More • Leadership needs risk expressed in simple, concise, definitive

language • Risk must be understood to be managed

• Language affects not only comprehension, but also acceptance• Overly complex, arcane language is inefficient and inaccessible • Nitpicking paperwork busywork that nobody reads• Definition from OCTAVE for Defined Evaluation Activities:

Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.


The Challenge• We must improve risk management to it more…• Accurate• Relevant• Actionable• Timely…to business leadership?


BUSINESS RISK INTELLIGENCEA NEW WAY TO COMMUNICATE RISK


Business Risk Intelligence• Business needs more than big data, they need intelligence • Threats and risk metrics must be distilled down to something

leadership can quickly consume• Business Risk Intelligence is: • A strategy for communicating risk more effectively• Risk expressed in business language• A tool that facilitates data-driven risk decision-making


Business Risk Intelligence Principles

1. Clarify2. Contextualize3. Personalize4. Simplify5. Rationalize 6. Actionable


Clarify: The Core Six• Risk is an over-used word that is often misunderstood

• Get everybody using proper risk terminology

Threat: Something bad that might happen

Vulnerability: A weakness a threat could exploit

Impact: How bad a threat can damage the business

Probability: How likely a threat is in a given timeframe

Control: Something that mitigates threat

Risk: An assessment of a threat based upon itsprobability and impact in relation to therelevant controls


Contextualize: Organize the Data• Complex environments are too difficult to understand as a whole• Organize assets into categories and then apply threat analysis to

the category rather than to individual items• Common categories include: • Data type• Systems • Business unit • Applications • Regulations • User groups


Asset Category Example – Data Type• Confidential Data: User passwords, social security numbers,

payroll information, financial records• Personally Identifiable Information (PII): Health care records• PCI Data: Payment card numbers• Restricted Data: Price lists, business plans, product designs• Public Data: Website contents, marketing documents

• What threats apply to confidential data? PII? public data?


Personalize: Chase the Rabbit• Talk with your people: leadership, IT, HR, Dev Ops, etc. • Focus the discussions on harm and weakness• Ask big, open-ended questions:• How would you harm this company? • What are you most concerned about? • Where are the weaknesses? • What is valuable to us? • How do you do your job? Why do you do it that way? • What would happen if…

• Avoid “forward-looking statements” – focus on the now• What is the person’s intention and feelings?


Simplify: Focus on Threat• What was the answer to: “How would you harm this company?” • Simplify the replies into the core harm• Categorize the threats to help organize them and focus your

efforts:• Technical – threat to systems, hardware, applications, etc. • Operational – threats that affect practices, procedures, or

business functions• Relational – threats to a relationship between groups, people

or third parties • Physical – threats to facilities, offices, etc. • Reputational – threats to the organization’s reputation,

perception, or public opinion


Threat Examples

Good Threat Definitions• Malware infection• Data is leaked to a competitor• Sensitive authentication data is stolen• Dependent upon third party resources that are unavailable

Bad Threat Definitions• Lack of alignment to organizational policies with guidelines set

forth by the security committee means staff is not properly implementing security controls

• Use of telnet among staff is threatening PCI compliance requirements

• Missing patches on systems


Rationalize: Get Technical Data• Where are you weak? What would allow that bad stuff to

happen?• Get real data on the environment (it’s plentiful!)• Penetration tests• Configuration analysis• Vulnerability scans• Incident reports• SIEM reports

• Connect vulnerabilities to threats• How easy is the vulnerability to exploit?• Compare the data with what people said, and look for

inconsistencies


Actionable: Fix the Problem• No theories, concepts, or conjecture – how do you reduce the

probability or impact of a threat? • People• Process• Products

• Why do you need it?• What will it do? • How will it reduce risk?• How much will it cost (time, money, effort)?• Do not be wishy-washy, fix the problem


BUSINESS RISK INTELLIGENCE REPORTING


Business Risk Intelligence Reporting• Business Risk Intelligence Report • Business Risk Intelligence Brief• Threat Intelligence Brief• Action Plan

• Threat Matrix • Technical Appendices


Build a Threat Matrix• A spreadsheet that defines each threat with the following

attributes:

• This document is not for leadership, it’s just for you to document the threats you have found

• Threat name• Threat type• Affected assets• Vulnerabilities• Impact• Impact type

• Mitigating controls• Control strength (maturity)• Probability• Risk• Risk Mitigation• Residual Risk


Threat Matrix - Example

Threat ID Threat Threat Type

AffectedAssets Vulnerabilities Existing Controls

Existing Control Maturity Impact Type Impact Probability Risk

Primary Risk Type Recommended Controls

Recommended Control Maturity Residual Risk

T01 Platform compromise • Technical• Operational• Relational

• All Infrastructure • All parts of the platform use a shared management network, which is connected to the corporate LAN• No physical separation of non-NL platform networks• All network infrastructure uses local accounts• No breach notification guidelines

• Only having Layer 2 traffic dramatically reduces the value to a hostile entity, such as a foreign government • NL platform networks are physically separate• Configuration review of route servers indicated they are well secured with only minor issues with SSH ciphers• MAC security on the platform ports minimizes risk of man in the middle (MITM) attack

ML 1 • Availability Severe Medium High • Reputational• Financial• Legal• Regulatory

• Segment management network from LAN with robust ACL, consider requiring two-factor authentication for access• Prohibit use of plain-text password storage• Prohibit use of production accounts in test lab• Deploy AV for all servers• Implement formal patch management for OSes and applications for all servers• Implement formal host-hardening standards for all server distributions• Implement perimeter firewalls with on-board IPS and AV

ML 3 Low

T02 Undetected LAN breach • Technical• Operational

• All IT • No perimeter firewall on LAN• Flat LAN with no segmentation• No private LAN IPs• No host-hardening standards• Ad-hoc patch management • All endpoint users are local admins • No antivirus• No network IPS• No in-line network AV• No automated security event log parsing• No incident response program

• Most server logs aggregated in syslog server ML 1 • Confidentiality• Integrity• Availability

High High High • Reputational• Financial• Legal

• Implement and regularly test incident response plan (IRP)• Provide training to designated incident handlers • For all critical security event logs, aggregate, automatically parse and alert (consider using a SIEM)• Implement perimeter firewalls with on-board IPS, web filtering and AV• Segment LAN to isolate end-users from servers, with only the Internet-facing systems NATed into the DMZs• Implement formal host-hardening standards for laptops and servers• Implement formal patch management for OSes and applications for all systems• Deploy AV on all systems

ML 3 Low

T03 Undetected data tampering or leakage

• Technical• Operational

• All IT • No formal data classification scheme• No data loss prevention technologies• No data handling procedures, such as what technical data can be shared by sales• No formal provisioning or deprovisioning procedures• No procedure for tracking or reviewing access rights (including numerous cloud apps)• No email encryption• No formal disaster recovery plan (DRP)• No incident response plan (IRP)

• Ad-hoc disaster recovery, with proven resiliency in cases of data loss or tampering

ML 1 • Confidentiality• Integrity• Availability

High High High • Reputational• Financial• Legal• Regulatory

• Create data classification scheme and data inventory• Implement data loss prevention technologies at perimeter (such as part of UTM firewall deployment)• Formally document and implement account provisioning and deprovisioning process for all IT resources, including cloud apps• Document role-based user rights for all IT resources; track and regularly review granting of rights for all users based on business need• Implement and regularly test a DRP• Deploy a user-friendly mail encryption solution• Ensure usage of all shared password repositories is audited for individual access, and aggregate audit logs in syslog or SIEM

ML 3 Low

T04 Employee user account and access provisioning / deprovisioning failure

• Operational • All IT • No formal provisioning or deprovisioning procedures• No procedure for tracking or reviewing access rights (including numerous cloud apps)• Dependency on culture of trust amongst employees

• Provisioning process initiated by HR via informal communication with system administrators

ML 1 • Confidentiality• Integrity• Availability

High High High • Reputational• Financial

• Formally document and implement account provisioning and deprovisioning process for all IT resources, including cloud apps• Document role-based user rights for all IT resources; track and regularly review granting of rights for all users based on business need

ML 3 Low

ANITIAN Risk Assessment - Threat Matrix

• Define Impact scale• Define probability scale (with timeframe)


Threat Intelligence Briefing• Take the top 10 most serious threats and simplify the data into

these attributes: • Threat• Vulnerabilities (weaknesses)• Impact (harm)• Probability (likelihood)• Risk• Remediation (optional)

• Simplify overall risk analysis into a single, concise narrative on each risk type


Sample Threat Intelligence Briefing

Threat Vulnerabilities Recommendations

Impact

Probability

Risk

1. Platform compromise

– All IXs in the platform use a shared management network, which is connected to the corporate LAN

– No physical separation of non-NL platform networks

– All network infrastructure uses local accounts– Local passwords in multiple places beyond the

PGP encrypted password file (such as unencrypted file used by RANCID)

– Production scripts (including accounts) are used in lab environment`

– SSH private keys stored on IT admin laptops with no passwords

– Brocade support issues for SSH requires use of plain-text telnet, which can lead to trivial credential compromise

– SLAs with IX members that have a fixed amount of compensation for the outages (this can be a bigger issue once implemented on the US IXs, such as any financial trading firms in Chicago)

– TSC Data Center Standard is focused on availability, with minimal security controls

– No breach notification guidelines

– Segment management network from LAN with robust ACL, consider requiring two-factor authentication for access

– Use RADIUS for network device authentication– Prohibit use of plain-text password storage– Prohibit use of production accounts in test lab– Update TSC Data Center Standard to expand

emphasis on physical security controls– Work with Legal to understand all breach

notification requirements; document and disseminate these requirements to all relevant personnel

– Deploy AV for all servers– Implement formal patch management for OSes

and applications for all servers– Implement formal host-hardening standards for

all server distributions– Implement perimeter firewalls with on-board

IPS and AV

S M H


Risk Intelligence Briefing• Roll up risk into very brief description for each category that is

relevant to the scope of the assessment:• Technical• Operational• Regulatory• Financial• Physical• Relational• Reputational

• Describe the overall risk in very simple, definitive statements• No more than 2 or 3 sentences, less is more


Sample Risk Intelligence Briefing

Issues Risk DescriptionRegulatory Risk

High Company faces extensive HIPAA regulatory risk due to significant non-compliance, both in technical information security and privacy matters, and in general business process requirements.

Legal Risk Medium The global security risks throughout the IT infrastructure expose the Company to potential risk of lawsuits from patients and their employees if PHI is stolen or corrupted.

Reputational Risk

High Insufficient controls protecting ePHI expose Company to a high degree of reputational risk. Enforcement actions resulting from a failing OCR HIPAA assessment also have a high potential for negative reputational impact.


Develop an Action Plan• Define exactly what must be done to reduce/eliminate risk• Be specific; no vague hopes• Define the effort to implement the fix

# Action Description Estimate EffortA1

Integrate all critical devices with SIEM

Complete the SIEM deployment, aggregating system- and application-level logs for all critical application and security monitoring devices.

Tune event correlation, incident thresholds and alerting.

Integrate alerting with incident response plan. This work is critical because currently little to no

automated review or alerting for unauthorized access to PHI occurs.

200-280 hours

High


FINAL THOUGHTS& BEST PRACTICES


Do You Need a GRC Tool?• Archer, Allgress, Metricstream, Lockpath, etc.• Nice to have, not a must-have• Good at organizing vulnerability, asset, and compliance data• Marginally good at assessing risk• Risk (threat) registers are very useful• Questionnaires = bad• They take a LOT of work to make them useful• Make the GRC fit your risk program, not the other way around


Do Not…• Try to change the culture of the business• Let perfection become the enemy of good• Cite any kind of risk management theory; nobody cares• Rely exclusively on questionnaires or surveys; people lie• Use a lot of risk terminology; nobody understands it• Document indecision; it shows weakness• Try to sound “official” and important; nobody is impressed• Create phony numbers or equations• Use inaccessible matrices, worksheets, or process flows• Waste time with sensationalist threats; erodes trust• Involve anybody who sells you equipment in the process


Do• Keep things in the order an executive thinks

1. Threats2. Vulnerabilities3. Risk4. Remediation

• Stay true to the “Core Six”• Establish authority with decisive, simple language• Identify tangible, actionable recommendations• Use simple business language


Business Risk Intelligence Enables• A rational response to threat• Understanding of the organizational strengths and weaknesses• Effective prioritization of investments• Informed decision-making based on data• Compliance initiatives that go beyond compliance box-checking,

to improve security systemically• An incident response program that focuses on the actual threats

to the business, and not made-up sensationalist nonsense


Thank YouEMAIL: [email protected]: @andrewplato

@AnitianSecurityWEB: www.anitian.comBLOG: blog.anitian.comSLIDES: bit.ly/anitianCALL: 888-ANITIAN