In the television series “Person of Interest”, Harold Finch built a machine that observed everyone - it collected data about everything - and then figured out patterns using artificial intelligence to predict crimes before they happened. While that imaginary world was science fiction when it was created, today’s managed security services need to pursue proactive risk management rather than being reactive to security incidents. We touched upon this a little in our last post, and we'll dive a little deeper this time.
This is the second article in a 3-part series focused on the rise of risk management over traditional threat hunting provided by MSSPs through Managed Security Services (MSS).
First, let’s start off by defining what we mean by “risk” in the whole notion of “Risk Management”.
The English dictionary defines risk as “something involving exposure to danger”. If we put that in the context of an organization, what is a risk by the very fundamental definition of the term? Everything.
It’s not just your usual suspects like IT infrastructure, or networks. It is also things like operational infrastructure, but most importantly, it also includes the people (employees, visitors, etc.). Managing risk means managing IT security, physical security, operational technology security, and Internet of Things (IoT) security in an organization.
Risk Management is a three-pronged, iterative approach that contains 3 principal elements:
Identification of risk involves taking full inventory of the infrastructure in an organization.
A simple list is not enough: this inventory must capture not only the current configuration of each system but also how those configurations change over time. This information is typically stored in a configuration management database (CMDB). The CMDB lets security platforms understand the states of, and changes to, the various components in an organization’s infrastructure. Once there is visibility of all assets in the environment, we can identify which are critical and which are not.
Important: Even a non-critical asset may be a high risk, because an attacker could target it to gain entry to the environment, knowing that such an asset is likely to be monitored less closely. After assets are classified, a thorough analysis must be carried out to pinpoint risks across the entire infrastructure.
Once the risks are identified, they must be evaluated.
Each risk must be analyzed thoroughly to understand its consequences, its possible mitigations, and its effect on the rest of the infrastructure. Risk assessment frameworks can be used to evaluate risks in terms of their threats and vulnerabilities.
A few examples of such frameworks are listed below.
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) was developed by Carnegie Mellon University. It is a holistic framework that defines risk to include hardware, software, information systems, and people.
FAIR (Factor Analysis of Information Risk) is a risk assessment framework built by the Nationwide Mutual Insurance company; it relies heavily on the evaluator’s experience and the historical evidence at hand. It also provides a very detailed taxonomy of the threats and vulnerabilities that make up a risk.
The National Institute of Standards and Technology (NIST) has what is known as the Risk Management Framework (RMF or NIST-RMF) that can be used to evaluate risks. This framework aims to not only evaluate risks but to also manage them.
The last example framework in our list is TARA (Threat Agent Risk Assessment), developed by the chipmaker Intel. It focuses on the threats most likely to occur, and it is a relatively new framework compared to the other three mentioned in this post.
After the risks are evaluated, they need to be prioritized based on their criticality, probability of occurrence, and potential impact.
Finally, once the risks are prioritized, we monitor them and act on them as situations arise over time.
The entire risk management approach is very iterative, regardless of the framework chosen, because threat landscapes continuously change, new attacks emerge very frequently, and an organization’s infrastructure is very dynamic and organic over time.
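The four steps above (identify, evaluate, prioritize, monitor) can be seen end to end in a small script. This is an added example, not code from the original post or from any MSS platform; the asset records, configuration snapshots, the 1–5 likelihood and impact scale and the weighting for exposed or unmonitored assets are all constructed for illustration and do not follow the scoring method of OCTAVE, FAIR, NIST RMF or TARA. It also shows the caveat above in action: two non-critical but exposed and unmonitored assets outrank the critical database, and recording a new configuration snapshot re-scores the list, which is the iteration the paragraph describes.

```python
"""Minimal risk-management loop over a constructed CMDB-style inventory.

Added example, not code from the original post. Asset records, configuration
snapshots, scoring weights and the 1-5 likelihood/impact scale are invented
for illustration; they follow the post's four steps, not any specific
framework's (OCTAVE, FAIR, NIST RMF or TARA) method.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    critical: bool            # business criticality from asset classification
    monitored: bool           # whether the asset has security monitoring coverage
    internet_exposed: bool    # reachable from outside the organization
    config_history: list = field(default_factory=list)  # snapshots, oldest first


# Step 1: identification -- the inventory, including configuration states over
# time, which is what a CMDB holds. All three assets are constructed samples.
CMDB = [
    Asset("erp-db01", critical=True, monitored=True, internet_exposed=False,
          config_history=[{"ssh": "key-only", "patch_level": "2023-09"},
                          {"ssh": "key-only", "patch_level": "2023-10"}]),
    Asset("guest-wifi-ap", critical=False, monitored=False, internet_exposed=True,
          config_history=[{"admin_password": "default", "firmware": "1.2"},
                          {"admin_password": "default", "firmware": "1.2"}]),
    Asset("hvac-controller", critical=False, monitored=False, internet_exposed=True,
          config_history=[{"telnet": "disabled", "firmware": "3.0"},
                          {"telnet": "enabled", "firmware": "3.0"}]),
]


def config_drift(asset):
    """Keys whose value changed between the two most recent snapshots."""
    if len(asset.config_history) < 2:
        return []
    prev, cur = asset.config_history[-2], asset.config_history[-1]
    return sorted(k for k in set(prev) | set(cur) if prev.get(k) != cur.get(k))


@dataclass
class Risk:
    asset: Asset
    findings: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int       # 1 (negligible) .. 5 (severe), constructed scale


# Step 2: evaluation -- derive likelihood and impact for each asset from its
# current configuration and from whether that configuration has drifted.
def evaluate(asset):
    current = asset.config_history[-1]
    findings, likelihood = [], 1
    if current.get("admin_password") == "default":
        likelihood = max(likelihood, 4)
        findings.append("default admin password")
    if current.get("telnet") == "enabled":
        likelihood = max(likelihood, 4)
        findings.append("telnet enabled")
    drift = config_drift(asset)
    if drift:   # any unreviewed change raises likelihood until it is reviewed
        likelihood = min(5, likelihood + 1)
        findings.append("config drift: " + ", ".join(drift))
    impact = 5 if asset.critical else 2
    return Risk(asset, "; ".join(findings) or "no findings", likelihood, impact)


def score(risk):
    """Likelihood x impact, weighted up for assets that are exposed or unmonitored.

    This encodes the post's caveat: a non-critical asset with weak monitoring can
    be the attacker's way in, so it must not sink to the bottom of the list just
    because its own impact rating is low.
    """
    factor = 1.0
    if risk.asset.internet_exposed:
        factor += 0.5
    if not risk.asset.monitored:
        factor += 0.5
    return risk.likelihood * risk.impact * factor


# Step 3: prioritization -- highest score first, asset name as a stable tie-break.
def prioritize(cmdb):
    risks = [evaluate(a) for a in cmdb]
    return sorted(((r.asset.name, score(r)) for r in risks),
                  key=lambda t: (-t[1], t[0]))


# Step 4: monitoring -- a new snapshot arrives (for example after remediation);
# append it and let the next prioritize() run re-score everything.
def record_state(asset, new_config):
    asset.config_history.append(dict(new_config))
    return config_drift(asset)


if __name__ == "__main__":
    for name, s in prioritize(CMDB):
        print(f"{name:16s} {s:5.1f}")
    record_state(CMDB[2], {"telnet": "disabled", "firmware": "3.0"})
    print("after remediation:", prioritize(CMDB))
```

Run as-is it ranks the HVAC controller (telnet newly enabled, exposed, unmonitored) first at 20.0, the guest access point at 16.0, and the critical but well-kept ERP database last at 10.0; recording the remediated HVAC configuration drops it to 8.0 on the next pass, while the drift itself is still flagged for review.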
All of this talk of risk management, risk assessment frameworks, threats and vulnerabilities makes for great reading, and it is very useful today when reacting to security incidents that have become far too commonplace for the comfort of organizations worldwide. But it may no longer be sufficient.
Today, we are heavily focused on reacting rather than acting proactively.
That is largely because many security practices involve a great deal of manual work and analysis, and as humans we have real limits when it comes to cognition and prediction. Even managed security service providers (MSSPs) today rely heavily on monitoring environments and reacting to security incidents after they occur.
But this is not enough going forward. As technology advances, it becomes paramount that we automate our entire approach to risk management. The pace at which organizations are becoming vulnerable to threats requires technology itself to become a very essential part of the risk management process.
Just like Finch’s “Machine”, MSS platforms of the next generation would need to incorporate all possible risk assessment frameworks and then proactively seek out patterns and insights from continuous streams of incoming data. These would then be used by the platforms to almost literally predict attacks before they happen. After all, being forewarned is being forearmed, as they say.
Such advancements in MSS platforms would turn the tables when it comes to keeping organizations secure. By being proactive and being able to mitigate risks before they become a danger, the security of an organization would reach a completely different, much higher level.
Getting there involves leveraging technologies like Big Data, and Artificial Intelligence – something we will cover in the next post of this series.
Even as the whole notion of proactive risk management and predictive threat analysis may seem to be a part of the distant future, it is not. The transformation of MSS platforms is surely happening – it’s no longer just a figment of a science fiction writer’s imagination – it’s the new reality.
And at the forefront of this transformation is ArkAngel, our time-tested, industry-leading, and cutting-edge MSS platform, driven by our top-notch service offerings.
Reach out to us today to see how we can enable your organization to be on top of the game when it comes to security – not just IT security, but total and complete converged proactive security.