CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE

SIMON CRUMPLIN, FOUNDER & CEO

Post on 24-Jun-2020

INFORMATION SECURITY PAINS

CISO:

RESPONSIBILITY WITHOUT AUTHORITY

INVENTORY TO MANAGE

ALERTS WITHOUT MEANING

ASSETS SPREAD ACROSS MULTI-CLOUD, MULTI-SERVICE ENVIRONMENTS

LEGACY TOOLS ARE STATIC, VERTICAL & SILOED

SERVICES ON BARE METAL, VIRTUAL, CONTAINER, SERVER-LESS

MISALIGNED

BUSINESS:

AUTHORITY WITHOUT UNDERSTANDING

BUSINESS FUNCTIONS TO MANAGE

THREATS WITHOUT CONTEXT

BREACHES, & THEIR COST, INCREASING

REGULATIONS, & THEIR CONSEQUENCES, INCREASING

BUSINESS RISK INCREASING

BUSINESS RISK INTELLIGENCE?

Security has to connect to the business as it is a business risk.

Bringing anomalous business practices into governance brings control. Embed operational security into IT operations, forming control frameworks that don’t inhibit the business.

If we can define normal, and reduce the ‘noise’, we can operate an effective security service and inform the business of risk that relates to them.

Gaining accountability in the business for their behaviours.

THE PROBLEM

Too much tech; not enough budget for one of everything!

What are my risks? EVIDENCE is needed to validate risk.

How do we (IT) engage with the business?

What is my SOC missing, why is it so reactive?

Which business function is generating the most RISK?

Are all these threats RELEVANT?

SECURITY is not just about BAD; how do I know what WRONG is?

CLEAR FRAMEWORK TO CATEGORISE AND COMMUNICATE RISK

Determine priorities for remediation.

Engage with the business to govern risk.

Define appropriate response playbooks and SLAs with the business.

Inform stage of attack.

Identify gaps in visibility and control.

Operate a security service that informs business risk.

INCIDENT TIMELINE AGAINST KILL CHAIN

RISK CATEGORIES / KILL CHAIN STAGES: Data Movement, User Privilege, Network Communications, Software Configurations, Build

SERVER-01 and SERVER-02 exposed to the internet.

PC Hunter and SQL installed and run on multiple hosts.

Brute force attack begins on SERVER-01.

BIOS account adds other accounts to various privileged groups.

Ransomware Distributed and Executed.

Cylance Uninstalled.

Type 10 and 12 connections from external (Russian and British) IPs.

Account enumeration conducted by SERVICE account.

SMART APPLICATION & CYBER RISK AUDIT

GAINING CONTROL - APPROACH

NEAR INCIDENT RESPONSE (NIR)

SECURE BY DESIGN = OPERATIONALLY SECURE

If we can help people get control of hygiene, posture and operational risk through the CRA process, we can embed security within IT operations rather than as an overlay.

I. Continuous improvement.

II. System Admin priorities.

III. Alerting framework to catch misuse.

IV. Benchmarking business functions by risk.

V. Reduction of operational risk.

VI. Reduction of attack surface.

VII. Policy, Controls and Procedures.

AUDIT APPROACH - CYBER MATURITY JOURNEY

| | IDENTIFY | PREVENT | DEFEND | RESPOND | RECOVER |
|---|---|---|---|---|---|
| DATA | Tools | Movement | Access | Investigate | Restore |
| USER | Rights | Abuse | Credentials | Limit | ACL |
| NETWORK | Anomalies | Communications | Services | Restrict | Provision |
| SERVICE | RAT | Creation | Use | Control | Baseline |
| BUILD | Vulnerabilities | Exploitation | Change | Patch | Rebuild |

AUDIT INTERPRET CONTROL REMEDIATE POLICY

Kill Chain / Risk Categories

NIST 800 / ISO 27002

CRA OUTPUT – SMART ANALYTICS

The results are delivered through SMART, our interactive analytics tool that packages your data by user, host, business unit, operating system, software versions, risk category etc. to provide valuable insight into current posture and IT Hygiene.

CYBER RISK AUDIT

CRA ENDPOINT, CRA NETWORK, CRA LIVE

SCOPE

CRA ENDPOINT: Endpoint (Workstation & Server); AD Objects (Computer, User & Groups); Anti-Virus Logs

CRA NETWORK: Communications (Firewall, IDS, ADDS, DHCP, VPN)

CRA LIVE: AD Authentication; Communications; External Intelligence; CASB Logs

OUTPUT

Hosts of Interest (HOI); HOI Remediation; Posture & Hygiene Remediation Work Packages; Policy Remediation & Augmentation; Asset Inventory; Alerting with context for SIEM/SOC; Validation of Current Investments versus Priorities for Security Strategy

Behaviours; Policy Violations; 3rd Party Risk; Anomalies; Insider / Misuse; Live Data and Analyses Hygiene Work Packages

Security Operations

RED TEAM EXERCISES: Validation of progress & controls.

AUDIT to identify risk, determine posture & compromise.

ALERTING FRAMEWORK to inform on reoccurrence.

AUGMENT SOC/SIEM

REMEDIAL ACTIONS: HOI investigation, hygiene & posture activities and good practice.

Re-Audit User, Network, Data Movement, Policy Violation. Optional enrichment to monitor behaviour.

CONTINUOUS IMPROVEMENT & ASSURANCE

WIN A FREE CYBER RISK AUDIT

Drop your business card at the front for a chance to win…

A GILL SAILING JACKET FOR ALL THE RUNNERS UP

ANY QUESTIONS?

WHAT IS THE SMART APPLICATION?

THE SMART APPLICATION PROVIDES INSIGHT INTO…

ASSURANCE

COMPLIANCE

POSTURE

STANDARDS

HYGIENE