CA3070685A1 - Cyber risk segmentation, quantification and visualization methodology - Google Patents


Info

Publication number
CA3070685A1
Authority
CA
Canada
Prior art keywords
organization
risk
data
elements
asset
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
CA3070685A
Other languages
French (fr)
Inventor
Jeremy L. Hurst
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Strategic Management (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Economics (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Educational Administration (AREA)
  • General Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Quality & Reliability (AREA)
  • Operations Research (AREA)
  • Marketing (AREA)
  • Computing Systems (AREA)
  • Game Theory and Decision Science (AREA)
  • Development Economics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention is a method of performing dynamic system modeling to enable the automated measurement, calculation and representation of inherent and residual risks across an organization's set of assets, related attack surfaces and broader ecosystem (e.g. 3rd party service providers). This is based on defining a relational model representing the organization's most important assets (e.g. mission critical processes), attack surface (e.g. applications and supporting infrastructure), controls, relevant threats, the associated logic enabling qualitative and quantitative risk scoring and the required data inputs (moving from one-time entry to ongoing feeds to enable continuous monitoring).

Description

Background of the invention
1. Field of the invention
a. This invention relates generally to cyber security as a sub-set of operational risk, and more particularly to the measurement and presentation of cyber risk for an organization and related entities, be it a business segment/line of business, organization or business ecosystem.
b. There are many urgently needed applications of this method, including:
i. Providing efficient and consistent automated risk and control assessments that reduce manual effort, increase comparability (e.g. which business unit holds more inherent vs. residual risk) and lay the foundation for greater situational awareness via ongoing monitoring.
ii. Enabling highly configurable, comprehensive and data driven views of inherent and residual risk that can be communicated to business, IT and information security professionals in both qualitative (e.g. heat map scoring) and quantifiable (e.g. dollar value) terms. One specific application would be the creation of a "digital twin" for risk management to visually depict an organization and show areas of higher risk (e.g. failure of a critical system leading to injury or loss of life) vs. lower risk (e.g. limited financial loss).
iii. Allowing for dynamic and interactive planning of cyber security related initiatives - e.g. modelling what impact a given initiative will have on the cyber resiliency of an organization, expressed in terms of financial impact and return on investment (e.g. a $2 million investment in a new customer identity and access management solution will lead to a potential risk reduction of $10 million).
2. Description of the related art
a) The measurement, quantification and representation of cyber risk is a relatively new and inconsistently defined practice, with the following observed issues:
i. First, while there are existing methods for defining, measuring and articulating risk through measurement of control conditions and assigning likelihood and impact, these methods do not formally relate the control conditions to the services and technology solutions of the organization (e.g. calculating the amount of coverage of protective controls such as data loss protection tools across all the endpoints of an organization), nor do they clearly state the financial impact of the data loss that results when the control fails because a threat actor compromises the endpoint. Put another way, there is no clearly defined methodology to align the threat (e.g. cyber criminals looking to steal data), surface (e.g. system endpoints such as a laptop), control (e.g. firewalls, data loss protection systems) and asset components (e.g. sensitive client data) in a consistent and practical manner.

ii. Second, while there is a growing multitude of data available for risk measurement and reporting, this data is disparate in nature with no common taxonomy or logic to assign consistent values (e.g. application log data vs. application risk assessment outputs).
iii. Third, the practices of collecting and analyzing cyber risk related data are highly manual and inconsistent.
iv. Fourth, while there are existing standards for technology and security architecture (e.g. TOGAF), they do not lend themselves to an easy to understand view of logical and physical architecture and the related inherent and residual risk and overall organization performance.
v. Fifth, the rate of change in the external threat environment, evolution of the technology landscape, increased reliance on 3rd party vendors and the proliferation of data in organizations make it even more imperative that organizations possess an end to end view of their most critical assets, the related attack surface and the coverage of controls as they change over time.
b) The claimed invention describes the method and components that form the organizational environment and the relational elements that govern the interaction between them to drive specific outcomes (e.g. consistent quantification of cyber risk and the ability to visualize how changes in the organization's technology infrastructure impact risk) to address the needs and challenges listed above. The way the method has been defined allows for a progressive (i.e. increasing fidelity and timeliness based on quality and frequency of data and maturity of practices) approach to threat/risk quantification and visualization across different industries and organization types (e.g. modelling an ecosystem of vendors for financial organizations dependent on outsourcers for payment processing vs. oil and gas distribution companies that have outsourced their fuel distribution fleet). There are at least three specific innovations here:
i. Definition of models that are specific enough to operationalize (e.g. the ability to identify, collect, derive and represent risk through the interaction of threat, surface and control elements in a progressive manner) but flexible and adaptive enough to move from one-time population of data inputs to ongoing real time threat and risk monitoring. This method can be performed in a manual fashion or using a platform that allows for the ingestion of different data inputs and more sophisticated calculation and monitoring.
ii. The architecture of the organization and visualization elements that enable a practical and interactive model for different stakeholders in an organization to examine relevant elements - e.g. for a CIO to see how their proposed IoT expansion will increase inherent risk.
iii. The related innovation is the translation of risk into financial values - e.g. for a CISO at the same organization to visualize and communicate the required additional investment in controls to secure the expanded IoT footprint.
Summary of the invention
- For the purpose of describing the invention's method, threat modelling as defined here is the modelling of a set of threats (each comprised of an actor and a technique) against a model of an organization's assets (e.g. customer chequing account, manufacturing facility), related attack surface (e.g. online web portal, 3rd party provider) and respective controls (protective, detective, corrective) to provide a quantifiable value of inherent and residual risk that can be ascribed to a surface or asset.
- In order to achieve these outcomes, the method is founded on the following interrelated elements:
Organizational Elements:

o Asset model that allows for industry specific identification and grouping of organizational assets (such as applications and servers) based on different criteria - e.g. highest confidentiality-based impact, highest availability impact - which allows for clear and straightforward definition and quantification of impacts and risk appetite/tolerance.
o Surface model to categorize the key assets of the organization (e.g. database containing customer personal information), the exposure of the assets (e.g. Internet facing application to access this database) and interdependencies with 3rd parties. Diagram E contains a sample structure.
o Control model(s), flexible enough to align to standards such as ISO and NIST, that allow for recording of discrete data points (e.g. maturity assessment, penetration test) from separate exercises conducted at different points in time. The model allows for different assessment regimes (e.g. ISO) to be aligned to a common set of measures (e.g. formally documented process, presence of defined metrics) to produce a quantifiable view of how well the control is operating over time. Correspondingly, for controls that are deficient, it provides the ability to identify drivers of deficiencies and suggestions to improve the control. These control models can be aligned to one another through the addition of integrated requirement libraries and tied back to a capability model / service catalogue as defined by the individual organization. This model can also be tied back to an existing control catalogue used in the organization's GRC (governance, risk and compliance) platform.
Quantification Elements:
o Risk logic model (the manner in which the models are tied together to produce a risk view based on the defined taxonomy).
o Data mapping, which includes the identification and categorization of data elements including asset databases, security operations data, operational risk assessments.
Visualization / Interactive Elements:
o Depiction of threat, surface, control and asset components and related data via different narrative models to support the risk logic and enable visualization; e.g. linking together surface elements and key controls via business process flows, customer journeys, data flows and threat models, with the ability to incorporate multiple approaches and standards (e.g. ATT&CK). The visualization can take on various forms, from static canned reports through to fully interactive models. Diagram G contains a sample narrative.
- With these framework elements in place, the second step is the ingestion and population of the data based on the defined taxonomy, taking into account that most organizations have incomplete or inconsistent data sets.
- Once this data is ingested, the third step is the calculation of risk, as performed, for instance, by running multiple threat scenarios through the integrated (i.e. linking threats to surfaces to controls) logic model and using mathematically sound statistical analysis to determine risk.
- The final step is the representation of the inherent and residual risk both in quantitative terms and through visualization methodologies, e.g. a topographic map to show control maturity against the attack surface model.
Key benefits of the method include:
- Consistent categorization of organizational risk, threat, asset and control data
- The ability to organize, measure and communicate an organization's surface and control elements in a flexible and sustainable manner
- Enabling a complete end to end technology footprint view, including 3rd parties, and overlaying a view of threats and control strength
- Creating a scalable, agile and re-usable model of organizational elements that can be used for applications in related areas (e.g. IT performance)
Potential applications include:
- Visualizing the status of threats, incidents, events and controls for enhanced detection and response activities (e.g. SOC monitoring and incident response) against the organization's attack surface
- Developing related security (e.g. cloud integration) strategies (i.e. visualizing key surface integration points and how the surface changes with SaaS, PaaS) and control gaps
- Quantifying the risk impact of the organization's digital innovation strategy and communicating it via topographic visualization
- Automation of risk assessments and reporting to reduce manual effort
- Prioritization and tracking of control issues
- Consistent risk quantification to inform decision making around investments and required coverage for cyber insurance
A high-level schematic of the invention can be found in Diagram A.
Claims
The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. Methodology to organize and depict an organization at different levels (e.g. enterprise, business unit, function) by using the concept of an asset cluster, defined herein. For a given industry, an organization can be depicted as a series of asset clusters that are aligned to business segments, products, services and/or processes depending on how the organization is structured. For example, for a financial institution asset clusters could be defined as the lines of business (e.g. wealth management). Alternatively, the asset clusters could be developed to reflect critical functions such as real-time high value payments processing vs. batch payments.
These clusters can be modelled at different degrees of detail. For example, within the given example of payments functions, the supporting applications, infrastructure and data can be defined within that cluster.
The benefits of grouping assets in this way include:
- Ability to depict large and complex organizations in terms of their value generating assets and the controls that secure them against evolving threats
- Ability to model the organization as part of a broader ecosystem including 3rd parties and identify systemic dependencies
- Design (i.e. security architecture) and analytical purposes; the model can be specified at industry level or organization level
- Ability to drill down as required from the enterprise to segment parts and related data through a common data taxonomy
- Ability to depict assets in terms of value chain, process flow, data flow, kill chain
- View the organization in a modular fashion and identify distinct infrastructure and opportunities to consolidate (efficiency) and render distinct (security) elements, e.g. network segmentation
2. The specifics of defining an organization and related systems in terms of asset clusters are listed below.
a. An asset cluster is defined as a logical grouping of assets (e.g. databases, infrastructure, people that are on-premise, in the cloud or at a 3rd party vendor) that is scoped based on defined criteria (e.g. part of the same business unit, servicing a business-critical process, dependent on the same critical infrastructure). The grouping logic can vary based on need. For instance, an asset cluster could be an entire enterprise or a grouping of critical assets (e.g. payment center).
b. For a given logical grouping, each asset cluster has five primary sets of characteristics: first, its functional grouping (i.e. what products/services it represents); second, its attack surface (i.e. channels, applications, infrastructure, people, locations, suppliers); third, the most critical assets (e.g. applications, data); fourth, the related controls (e.g. identify, detect, protect, respond and recover); and fifth, the risk profile, which can be broken down into confidentiality, integrity, availability and loss of life/injury risks. See Diagram B for more details.
c. The components comprising the surface element can be divided into six different categories: Channels, Applications, Infrastructure, People, Locations and Suppliers, defined as below.
i. Channels - different ways in which a customer can interact with an organization, such as a call center
ii. Applications - the programs an organization uses to conduct work - e.g. web facing customer application
iii. Infrastructure - the servers supporting applications and network infrastructure
iv. People - employees and contractors working for the organization, customers
v. Locations - physical location of where a channel, application, infrastructure, person and/or supplier is based
vi. Suppliers - third/fourth party providers of services
These surface elements provide a taxonomy to describe "how" an organization can be breached/compromised by threat actors. As such, these elements can be easily related to concepts such as the kill chain and the required compensating controls.
Another critical element is understanding that these surface elements are related to each other - e.g. an application (customer portal) is accessed via a channel (online) and is enabled by infrastructure (server) hosted in a location (Toronto) provided by a supplier (cloud provider) and is operated by people (employees and contractors).
d. The attack surface and control elements of the asset cluster can be organized in different ways for different purposes. For example, the attack surface elements can be aligned to a business process (e.g. call center complaint handling) to show the flow of data across the different attack surface elements. See Diagram B for more details.
Similarly, these elements can be used to structure the narrative around a cyber attack in terms of an attacker's actions and an organization's response. See Diagram G for an example.
e. The characteristics of an asset cluster can be expressed at different levels - for example for controls, a data protection related control can be expressed at a capability level (data protection) or as the given technology that is enabling the control for the organization (e.g. software product A). Similarly, the attack surface can be depicted at a category level - e.g. "Application" - and then at a sub-category level - e.g. in-house vs. vendor operated. See Diagram B for more details.
f. The relationship between these described elements is critical for quantification of risk, as seen below.
g. For each of these characteristics described at different levels, there are different associated data points for each of these elements. For instance, the number of internet-facing applications operated by an FI (financial institution) can be recorded and mapped against the asset cluster.
h. These data points can be used for multiple purposes. Primarily, they can be used to inform inherent and residual risk. For example, in the case of an application, the fact that it is internet-facing will increase the inherent risk profile of the attack surface of an organization.
i. For capabilities and controls, there are also associated characteristics and measurements. For instance, the self-assessed maturity of a data loss protection capability or related tool can be used to inform the residual risk profile of an organization.
j. Note that it is possible to align some elements of the above definition of an asset cluster to existing methodologies such as the COSO Integrated Framework.
However, the specific innovation detailed in this methodology is the explicitly defined relationships to attack surface and control elements and how these are defined, measured and used for risk calculation purposes on a one-time and ongoing basis.
3. Once defined as above, asset clusters can be used to calculate inherent and residual risk as per the following methodology:
a. To enable risk quantification, the concept of threats can be introduced for an asset cluster, together with the relational model to the surface, controls and critical assets. For this given process and attack surface, a specific threat actor and technique can be specified to show how data can be compromised in different ways, for example by employing a kill chain. This can be used to highlight where certain types of controls are most beneficial to reduce risk. This view is further enhanced by the inclusion of the current status of the controls (e.g. where controls are reported as deficient) to highlight the key gaps the organization needs to close. This threat axis is important for the calculation of inherent and residual risk, as seen below. See Diagram C for more details.
b. Defining the relational model as such enables the straightforward calculation of the following, as per Diagram D:
i. Scoping/sizing of the asset cluster - e.g. high value transaction processing systems; can be done at a broader scale such as
ii. Inherent Risk (IR) - at its most basic level, the inherent risk of a given asset cluster can be expressed as the sum of the loss of:
1. Confidentiality - cost per record lost, potential regulatory and legal fines ($)
2. Integrity - maximum potential or historical value of lost funds ($)
3. Availability - outage cost ($)
iii. (optional) Relevancy (R) - an additional aspect that can be introduced when estimating the potential impact of a threat on a given attack surface, but which requires additional data points (e.g. technology footprint of the organization)
iv. Applicability (A) - captures the relationship between the threat technique and the corresponding control - e.g. there would be a high degree of applicability of a 3rd party governance related control to mitigating a 3rd party related threat
v. Coverage (C) - measures to what extent the control covers the organization's attack surface
vi. Effectiveness (E) - expresses the overall health of the control from both a design and an operating effectiveness perspective
vii. Residual Risk (RR) - in its simplest form, can be expressed as the following, recognizing that the baseline calculation requires the least amount of data points:

RR = IR - (C x E)

This activity can be performed on a one-time basis and, more progressively, be linked to data feeds to provide ongoing monitoring.
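To make the relational model of claim 2 and the risk arithmetic of claim 3 concrete, the following Python is an added worked example, not code from the patent or its inventor. It builds one asset cluster from the six surface categories, records which surface elements each control is actually deployed on (so Coverage C is computed rather than asserted), evaluates several threat scenarios, and performs the "what-if" planning view the background section describes, returning the dollar reduction an initiative buys. The page gives RR = IR - (C x E) but no units for C and E; the example assumes A, C and E are fractions in [0, 1] and scales the product by IR so the subtraction stays in dollars. It also assumes, where the page is silent, that controls applicable to one threat do not stack (the strongest one counts) and that a cluster's residual risk is its worst scenario. The bank, its surface elements, controls and every dollar figure are constructed for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum

# The six attack-surface categories of an asset cluster (claim 2c).
Surface = Enum("Surface", "CHANNEL APPLICATION INFRASTRUCTURE PEOPLE LOCATION SUPPLIER")


@dataclass
class SurfaceElement:
    name: str
    kind: Surface
    depends_on: tuple = ()  # names of surface elements this one relies on (claim 2c relationships)


@dataclass
class Control:
    name: str
    effectiveness: float    # E: design + operating health, assumed 0..1
    deployed_on: frozenset  # names of the surface elements the control actually covers
    applicability: dict     # A: threat technique -> assumed 0..1

    def __post_init__(self):  # reject scores outside [0, 1] before they reach the arithmetic
        for label, value in [("effectiveness", self.effectiveness), *self.applicability.items()]:
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} must be within [0, 1], got {value}")


@dataclass
class Threat:
    actor: str
    technique: str
    lands_on: Surface       # surface category the technique is used against


@dataclass
class AssetCluster:
    name: str
    surface: tuple
    controls: tuple
    losses: dict            # $ by "confidentiality", "integrity", "availability"

    def inherent_risk(self) -> float:
        """IR = sum of the confidentiality, integrity and availability losses (claim 3b.ii)."""
        return sum(self.losses.values())

    def reachable_from(self, name: str) -> set:
        """Transitive closure of depends_on: everything a compromise of `name` can reach."""
        by_name, seen, stack = {e.name: e for e in self.surface}, set(), [name]
        while stack:
            new = [d for d in by_name[stack.pop()].depends_on if d not in seen]
            seen.update(new)
            stack.extend(new)
        return seen

    def coverage(self, control: Control, kind: Surface) -> float:
        """C: share of this cluster's elements of category `kind` the control is deployed on."""
        elems = [e for e in self.surface if e.kind == kind]
        return sum(e.name in control.deployed_on for e in elems) / len(elems) if elems else 0.0

    def mitigation(self, threat: Threat) -> float:
        """Strongest single control for the threat as A x C x E (assumption: controls do not stack)."""
        return max((c.applicability.get(threat.technique, 0.0)
                    * self.coverage(c, threat.lands_on) * c.effectiveness
                    for c in self.controls), default=0.0)

    def residual_risk(self, threats: tuple) -> dict:
        """Per scenario RR = IR - IR*(A*C*E); the cluster's RR is its worst scenario (assumption)."""
        ir = self.inherent_risk()
        scenarios = {f"{t.actor}/{t.technique}": round(ir - ir * self.mitigation(t), 2)
                     for t in threats}
        return {"inherent": ir, "scenarios": scenarios,
                "residual": max(scenarios.values(), default=ir)}


def what_if(cluster: AssetCluster, threats: tuple, new_control: Control) -> float:
    """Planning view: swap in a changed control (matched by name), return $ of worst-case RR removed."""
    before = cluster.residual_risk(threats)["residual"]
    controls = tuple(new_control if c.name == new_control.name else c for c in cluster.controls)
    after = replace(cluster, controls=controls).residual_risk(threats)["residual"]
    return round(before - after, 2)


PAYMENTS = AssetCluster(  # constructed sample: a "payments" cluster of a hypothetical bank
    name="payments",
    surface=(
        SurfaceElement("web portal", Surface.APPLICATION, depends_on=("app server",)),
        SurfaceElement("batch engine", Surface.APPLICATION, depends_on=("app server",)),
        SurfaceElement("app server", Surface.INFRASTRUCTURE, depends_on=("toronto dc", "cloud provider")),
        SurfaceElement("staff", Surface.PEOPLE),
        SurfaceElement("toronto dc", Surface.LOCATION),
        SurfaceElement("cloud provider", Surface.SUPPLIER),
    ),
    controls=(
        Control("waf", 0.8, frozenset({"web portal"}), {"web exploit": 0.9}),
        Control("dlp", 0.5, frozenset({"web portal", "batch engine"}), {"data exfil": 0.9}),
        Control("awareness", 0.6, frozenset({"staff"}), {"phishing": 0.8}),
    ),
    losses={"confidentiality": 4_000_000, "integrity": 1_000_000, "availability": 500_000},
)
THREATS = (  # constructed threat scenarios, each an actor plus a technique
    Threat("cyber criminal", "web exploit", Surface.APPLICATION),
    Threat("cyber criminal", "phishing", Surface.PEOPLE),
    Threat("insider", "data exfil", Surface.APPLICATION),
)
# Initiative under evaluation: extend the WAF to the second application as well.
WAF_EVERYWHERE = Control("waf", 0.8, frozenset({"web portal", "batch engine"}), {"web exploit": 0.9})
```

Calling `PAYMENTS.residual_risk(THREATS)` shows why coverage has to be measured against the surface model rather than reported as a single maturity score: the WAF is healthy (E = 0.8) and highly applicable to web exploitation, but because it fronts only one of the two applications its coverage is 0.5 and the web-exploit scenario remains the cluster's worst case. `what_if(PAYMENTS, THREATS, WAF_EVERYWHERE)` then returns the dollar reduction of deploying it to both, which is the return-on-investment figure the background section wants a CISO to be able to quote; note that the worst case shifts to a different scenario, so the reduction is smaller than the improvement in the web-exploit scenario alone. `PAYMENTS.reachable_from("web portal")` lists the infrastructure, location and supplier a breach of the internet-facing portal can reach, the chain of relationships claim 2c describes.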
Diagrams
Diagram A - Methodology Overview
Diagram B - Asset Cluster Components
Diagram C - Residual Risk Calculation Elements
Diagram D - Residual Risk Calculation Methodology
Diagram E - Surface Model example for Banking
Diagram F - Reporting example for Banking
Diagram G - Depiction of cyber attack narrative using surface and control elements

Claims (3)

= Enable a complete end to end technology footprint view, including 3rd parties and overlay a view of threats and control strength = Create a scaleable, agile and re-usable model of organizational elements that can be used for applications for related areas (e.g. IT performance) Potential applications include:
= Visualizing the status of threats, incidents, events and control status for enhanced detection and response activities (e.g. SOC monitoring and incident response) against the organizations attack surface = Developing related security (e.g. cloud integration) strategies (i.e.
visualize key surface integration points, how surface changes with SaaS, PaaS) and control gaps = Quantifying the risk impact of the organization's digital innovation strategy and communication via topographic visualization = Automation of risk assessments and reporting to reduce manual effort = Prioritization and tracking control issues = Consistent risk quantification to inform decision making around investments and required coverage for cyber insurance A high-level schematic of the invention can be found in Diagram A
Claims The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. Methodology to organize and depict an organization at different levels (e.g. enterprise, business unit, function) by using the concept of an asset cluster, defined herein. For a given industry, an organization can be depicted as a series of asset clusters that are aligned to business segments, products, service and/or processes depending on how the organization is structured. For example, for a financial institution asset clusters cloud be defined as the lines of business (e.g. wealth management). Alternatively, the asset clusters could be developed to reflect critical functions such as real-time high value payments processing vs. batch payments.
These clusters can be modelled at a different degrees of detail. For example, within the given example of payments functions, the supporting applications, infrastructure and data can be defined within that cluster.
The benefit of grouping assets in this way include:
- Ability to depict large and complex organizations in terms of their value generating assets and controls to secure them against evolving threats for organization - Ability to model organization as part of broader ecosystem including 3rd parties and identify systemic dependencies - Design (i.e. security architecture) and analytical purposes; model can be specified at industry level or organization level - Ability to drill down as required from the enterprise to segment parts and related data through a common data taxonomy - Ability to depict assets in terms of value chain, process flow, data flow, kill chain - View your organization in a modular fashion and identify distinct infrastructure and opportunities to consolidate (efficiency) and render distinct (security) elements -e.g. network segmentation 2. The specifics of defining an organization and related systems in terms of asset clusters is listed below a. An asset cluster is defined as a logic grouping of assets (e.g. databases, infrastructure, people that are on-premise, in the cloud or 3rd party vendor) that is scoped based on defined criteria (e.g. part of the same business unit, servicing a business-critical process, dependent on same critical infrastructure). The grouping logic can vary based on need. For instance, an asset cluster could be an entire enterprise or a grouping of critical assets (e.g. payment center).
b. For a given logical grouping, each asset cluster has five primary sets of characteristics: first, its functional grouping (i.e. what products/services it represents); second, its attack surface (i.e. channels, applications, infrastructure, people, locations, suppliers); third, its most critical assets (e.g. applications, data); fourth, the related controls (e.g. identify, protect, detect, respond and recover); and fifth, its risk profile, which can be broken down into confidentiality, integrity, availability and loss of life/injury risks. See Diagram B for more details.
c. The components comprising the surface element can be divided into six categories: Channels, Applications, Infrastructure, People, Locations and Suppliers, defined as below.
i. Channels - the different ways in which a customer can interact with an organization, such as a call center
ii. Applications - the programs an organization uses to conduct work, e.g. a web-facing customer application
iii. Infrastructure - the servers supporting applications, and the network infrastructure
iv. People - employees and contractors working for the organization, and customers
v. Locations - the physical location where a channel, application, infrastructure, person and/or supplier is based
vi. Suppliers - third/fourth party providers of services
These surface elements provide a taxonomy to describe "how" an organization can be breached/compromised by threat actors. As such, these elements can be easily related to concepts such as the kill chain and the required compensating controls.
Another critical element is understanding that these surface elements are related to each other - e.g. an application (customer portal) is accessed via a channel (online) and is enabled by infrastructure (server) hosted in a location (Toronto) provided by a supplier (Cloud provider) and is operated by people (employees and contractors).
d. The attack surface and control elements of the asset cluster can be organized in different ways for different purposes. For example, the attack surface elements can be aligned to a business process (e.g. call center complaint handling) to show the flow of data across the different attack surface elements. See Diagram B for more details.
Similarly, these elements can be used to structure the narrative around a cyber attack in terms of an attacker's actions and an organization's response. See Diagram G for an example.
e. The characteristics of an asset cluster can be expressed at different levels. For example, for controls, a data protection related control can be expressed at a capability level (data protection) or at the level of a given technology that is enabling the control for the organization (e.g. software product A). Similarly, the attack surface can be depicted at a category level, e.g. "Application", and then at a sub-category level, e.g. in-house vs. vendor operated. See Diagram B for more details.
f. The relationship between these described elements is critical for the quantification of risk, as seen below.
g. For each of these characteristics described at different levels, there are different associated data points for each element. For instance, the number of internet-facing applications operated by an FI can be recorded and mapped against the asset cluster.
h. These data points can be used for multiple purposes. Primarily, they can be used to inform inherent and residual risk. For example, in the case of an application, the fact that it is internet-facing will increase the inherent risk profile of the attack surface of an organization.
i. For capabilities and controls, there are also associated characteristics and measurements. For instance, the self-assessed maturity of a data loss protection capability or related tool can be used to inform the residual risk profile of an organization.
j. Note that it is possible to align some elements of the above definition of an asset cluster to existing methodologies such as the COSO Integrated Framework.
However, the specific innovation detailed in this methodology is the explicitly defined relationships to attack surface and control elements and how these are defined, measured and used for risk calculation purposes on a one-time and ongoing basis.
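The relational model described in items a through j above, as an added worked example that is not part of the patent text: the six surface-element categories are the page's; the cluster name, element identifiers, relationships and data points (such as `internet_facing`) are constructed sample data, and the `exposure_paths` drill-down (every chain of surface elements from an entry point to the element holding a critical asset) is this example's way of turning the "how an organization can be breached" taxonomy into a query.

```python
"""Relational model of an asset cluster's attack surface.

Added illustration for this page; it is not the patent's code. The six
surface-element categories come from the page; the element names, the
relationships and the data points below are constructed sample data.
"""
from collections import defaultdict

CATEGORIES = ("Channel", "Application", "Infrastructure",
              "People", "Location", "Supplier")


class AssetCluster:
    """An asset cluster: surface elements, their relationships and the
    critical assets they hold (categories per the page, all else assumed)."""

    def __init__(self, name):
        self.name = name
        self.elements = {}              # id -> (category, data points)
        self.edges = defaultdict(set)   # id -> ids it gives access to / enables
        self.critical_assets = {}       # asset id -> id of the element holding it

    def add_element(self, eid, category, **data_points):
        if category not in CATEGORIES:
            raise ValueError(f"unknown surface category: {category}")
        self.elements[eid] = (category, dict(data_points))

    def relate(self, src, dst):
        """Directed relationship: reaching `src` gives access to `dst`."""
        for e in (src, dst):
            if e not in self.elements:
                raise KeyError(f"unknown element: {e}")
        self.edges[src].add(dst)

    def add_critical_asset(self, asset_id, held_by):
        if held_by not in self.elements:
            raise KeyError(f"unknown element: {held_by}")
        self.critical_assets[asset_id] = held_by

    def exposure_paths(self, asset_id, entry_categories=("Channel",)):
        """Every chain of surface elements from an entry element to the
        element holding `asset_id`: the 'how' a threat actor reaches it."""
        target = self.critical_assets[asset_id]
        entries = [e for e, (cat, _) in self.elements.items()
                   if cat in entry_categories]
        paths = []
        for start in entries:
            stack = [(start, [start])]
            while stack:
                node, path = stack.pop()
                if node == target:
                    paths.append(path)
                    continue
                for nxt in sorted(self.edges[node]):
                    if nxt not in path:          # do not loop through cycles
                        stack.append((nxt, path + [nxt]))
        return sorted(paths)

    def count_elements(self, category, **match):
        """Data point roll-up, e.g. number of internet-facing applications."""
        return sum(1 for cat, dp in self.elements.values()
                   if cat == category
                   and all(dp.get(k) == v for k, v in match.items()))


def build_sample_cluster():
    """Constructed 'Payments' cluster mirroring the page's portal example."""
    c = AssetCluster("Payments")
    c.add_element("online_banking", "Channel")
    c.add_element("call_center", "Channel")
    c.add_element("customer_portal", "Application",
                  internet_facing=True, operated="in-house")
    c.add_element("payments_engine", "Application",
                  internet_facing=False, operated="vendor")
    c.add_element("web_server", "Infrastructure")
    c.add_element("payments_db", "Infrastructure")
    c.add_element("toronto_dc", "Location")
    c.add_element("cloud_provider", "Supplier")
    c.add_element("ops_team", "People")
    # portal accessed via the online channel, enabled by a web server that the
    # supplier hosts at the location, feeding the vendor-operated engine
    c.relate("online_banking", "customer_portal")
    c.relate("call_center", "payments_engine")
    c.relate("customer_portal", "web_server")
    c.relate("web_server", "payments_engine")
    c.relate("payments_engine", "payments_db")
    c.relate("cloud_provider", "web_server")    # hosting supplier
    c.relate("ops_team", "payments_db")         # privileged operators
    c.relate("web_server", "toronto_dc")        # hosted in (no onward access)
    c.add_critical_asset("customer_pii", "payments_db")
    return c


if __name__ == "__main__":
    cluster = build_sample_cluster()
    for path in cluster.exposure_paths("customer_pii"):
        print(" -> ".join(path))
    print("internet-facing apps:",
          cluster.count_elements("Application", internet_facing=True))
```

Passing `entry_categories=("Channel", "Supplier", "People")` widens the view from customer channels to supplier and insider entry points, which is where the 3rd party and people elements of the taxonomy show up as additional chains to the same critical asset.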
3. Once defined as above, asset clusters can be used to calculate inherent and residual risk as per the following methodology:
a. To enable risk quantification, the concept of threats can be introduced for an asset cluster, together with the relational model to the surface, controls and critical assets.
For a given process and attack surface, a specific threat actor and technique can be specified to show how data can be compromised in different ways, for example by employing a kill chain. This can be used to highlight where certain types of controls are most beneficial in reducing risk. This view is further enhanced by the inclusion of the current status of the controls (e.g. where controls are reported as deficient) to highlight the key gaps the organization needs to close. This threat axis is important for the calculation of Inherent and Residual risk, as seen below. See Diagram C for more details.
b. Defining the relational model as such enables the straightforward calculation of the following, as per Diagram D below:
i. Scoping/sizing of the asset cluster - e.g. high value transaction processing systems; can be done at a broader scale such as
ii. Inherent Risk (IR) - at its most basic level, the inherent risk of a given asset cluster can be expressed as the sum of the loss of:
1. Confidentiality - cost per record lost, potential regulatory and legal fines ($)
2. Integrity - maximum potential or historical value of lost funds ($)
3. Availability - outage cost ($)
iii. (optional) Relevancy (R) - an additional aspect that can be introduced when estimating the potential impact of a threat on a given attack surface, but it requires additional data points (e.g. the technology footprint of the organization)
iv. Applicability (A) - captures the relationship between the threat technique and the corresponding control; e.g. there would be a high degree of applicability of a 3rd party governance related control to mitigating a 3rd party related threat
v. Coverage (C) - measures to what extent the control covers the organization's attack surface
vi. Effectiveness (E) - expresses the overall health of the control from both a design and an operating effectiveness perspective
vii. Residual Risk (RR) - in its simplest form, can be expressed as the following, recognizing that the baseline calculation requires the least number of data points:

RR = IR - (C x E)
This activity can be performed on a one-time basis and, more progressively, be linked to data feeds to provide ongoing monitoring.
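The inherent and residual risk calculation of section 3, carried through as an added worked example (not the patent's code). IR is computed as the page's sum of confidentiality, integrity and availability loss in dollars. The page states the baseline RR = IR - (C x E) without units for C or E, so this example assumes, and labels as its own reading, that coverage C and effectiveness E are fractions in [0, 1], that E is derived linearly from a 1..5 self-assessed maturity, that applicability A weights each control per threat technique, and that several controls combine as successive fractional reductions. The `Control` class, the technique names, the maturity threshold in `control_gaps` and every dollar figure are constructed for the example.

```python
"""Inherent and residual risk for an asset cluster.

Added worked example, not the patent's code. IR is the page's sum of
confidentiality, integrity and availability loss in dollars. The page's
baseline RR = IR - (C x E) gives no units for C or E; this example ASSUMES
C (coverage) and E (effectiveness) are fractions in [0, 1], that E is
derived from a 1..5 self-assessed maturity, that applicability A weights
each control per threat technique, and that several controls combine
multiplicatively. Those readings and all figures are the example's own.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    coverage: float                     # C: share of the attack surface covered
    maturity: int                       # self-assessed, 1 (none) .. 5 (optimized)
    applicability: dict = field(default_factory=dict)  # A: technique -> 0..1

    def __post_init__(self):
        if not 0.0 <= self.coverage <= 1.0:
            raise ValueError("coverage must be in [0, 1]")
        if not 1 <= self.maturity <= 5:
            raise ValueError("maturity must be 1..5")

    @property
    def effectiveness(self):
        """E: linear map of maturity 1..5 onto 0..1 (assumption)."""
        return (self.maturity - 1) / 4

    def reduction(self, technique):
        """Fraction of IR this control removes for one technique: A * C * E."""
        return (self.applicability.get(technique, 0.0)
                * self.coverage * self.effectiveness)


def inherent_risk(records, cost_per_record, fines, max_lost_funds,
                  outage_hours, outage_cost_per_hour):
    """IR = confidentiality + integrity + availability loss ($)."""
    confidentiality = records * cost_per_record + fines
    integrity = max_lost_funds
    availability = outage_hours * outage_cost_per_hour
    return confidentiality + integrity + availability


def residual_risk(ir, controls, technique):
    """Baseline RR = IR - (C x E), read here as a fractional reduction of IR,
    weighted by A and applied control by control (never below zero)."""
    remaining = ir
    for ctl in controls:
        remaining *= 1.0 - ctl.reduction(technique)
    return max(remaining, 0.0)


def control_gaps(controls, technique, min_maturity=3):
    """Controls that matter for `technique` (A >= 0.5) but are reported as
    deficient (maturity below the threshold): the gaps to close first."""
    return [ctl.name for ctl in controls
            if ctl.applicability.get(technique, 0.0) >= 0.5
            and ctl.maturity < min_maturity]


# Constructed sample figures for a 'Payments' cluster.
SAMPLE_IR = inherent_risk(records=2_000_000, cost_per_record=150,
                          fines=10_000_000, max_lost_funds=50_000_000,
                          outage_hours=24, outage_cost_per_hour=500_000)

SAMPLE_CONTROLS = [
    Control("3rd party governance", coverage=0.8, maturity=3,
            applicability={"supply_chain": 0.9, "phishing": 0.1}),
    Control("data loss prevention", coverage=0.6, maturity=4,
            applicability={"supply_chain": 0.3, "data_exfiltration": 0.8}),
    Control("phishing-resistant MFA", coverage=0.5, maturity=2,
            applicability={"phishing": 0.9}),
]

if __name__ == "__main__":
    print(f"IR = ${SAMPLE_IR:,.0f}")
    for technique in ("supply_chain", "phishing", "data_exfiltration"):
        rr = residual_risk(SAMPLE_IR, SAMPLE_CONTROLS, technique)
        gaps = control_gaps(SAMPLE_CONTROLS, technique)
        print(f"{technique:18} RR = ${rr:,.0f}  gaps: {gaps}")
```

Running the same controls against several techniques is what makes the threat axis useful: the phishing row shows a large residual and names the deficient MFA control as the gap, whereas the supply-chain row is mostly absorbed by the mature 3rd party governance control. Feeding `coverage` and `maturity` from a control-assessment data source rather than literals turns the one-time calculation into the ongoing monitoring the page describes.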
Diagrams
Diagram A - Methodology Overview
Diagram B - Asset Cluster Components
Diagram C - Residual Risk Calculation Elements
Diagram D - Residual Risk Calculation Methodology
Diagram E - Surface Model example for Banking
Diagram F - Reporting example for Banking
Diagram G - Depiction of cyber attack narrative using surface and control elements
Priority Applications (1)

Application Number Priority Date Filing Date Title
CA3070685A CA3070685A1 (en) 2020-02-02 2020-02-02 Cyber risk segmentation, quantification and visualization methodology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CA3070685A CA3070685A1 (en) 2020-02-02 2020-02-02 Cyber risk segmentation, quantification and visualization methodology

Publications (1)

Publication Number Publication Date
CA3070685A1 true CA3070685A1 (en) 2021-08-02

Family

ID=77176706

Family Applications (1)

Application Number Title Priority Date Filing Date
CA3070685A Abandoned CA3070685A1 (en) 2020-02-02 2020-02-02 Cyber risk segmentation, quantification and visualization methodology

Country Status (1)

Country Link
CA (1) CA3070685A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745171A (en) * 2022-04-08 2022-07-12 深圳市魔方安全科技有限公司 External attack surface visualization analysis method and system based on graph technology

Legal Events

Date Code Title Description
FZDE Discontinued

Effective date: 20230802