Maxim Annenkov, Security Vision
Security Vision RM is a comprehensive enterprise information security risk management system that provides a wide range of capabilities for organisations of any size and industry.
The product is designed to meet the requirements of domestic and international standards in the field of information security risk management, such as:
- ISO 27005:2022 Information security, cybersecurity and privacy protection - Guidance on managing information security risks;
- GOST R ISO/IEC 27005 Information security, cybersecurity and privacy protection. Guidance on managing information security risks. Requirements and guidelines;
- FSTEC Information Security Threat Assessment Methodology dated 5 February 2021;
- FAIR (Factor Analysis of Information Risk).
Security Vision RM enables the implementation of the risk management process at all stages of its life cycle:
Figure: Information Security Risk Management Process according to GOST R ISO/IEC 27005
Security Vision RM covers the entire life cycle of the risk management process, starting from the stage of defining the environment. Using the resource-service model, the system allows a detailed description of business and IT infrastructure components. At the risk identification stage, the product integrates the FSTEC methodology, enabling threat modelling using an extensive vulnerability database.
Subsequent stages of risk analysis and assessment support qualitative and quantitative assessment methods. Security Vision RM gives the analyst the option to conduct the assessment completely independently or to collect data from experts using questionnaires.
In the risk processing phase, users can simulate different configurations of implementing protection measures in order to select the optimal set in terms of cost-effectiveness and efficiency, as well as create and manage tasks aimed at minimising risks.
As part of risk monitoring and revision, the product includes a mechanism of key risk indicators and risk reassessment functionality.
Below, each of these aspects of the product is considered in more detail.
Resource and service model
The product is based on the resource-service model, which allows you to create a model of the enterprise with the desired level of decomposition, starting from business processes and information systems and ending with specific hosts, equipment or even peripherals.
In this way, it is possible to perform risk assessments both at a high level for aggregates of objects and in detail for a specific workstation, printer or phone. With a visual graph view, you can trace the relationships between objects to the level of detail you need.
Built-in directories
The system includes all directories from the FSTEC Information Security Threat Data Bank, allowing users to create threat models and risk scenarios based on a ready-made and interconnected set of data. These directories consist of the following elements:
- Negative consequences
- Types of intruders
- Threats
- Impact components
- Ways in which threats are realised
- Defence measures
Users can also edit the directories by removing irrelevant items or supplementing them with, for example, techniques from MITRE ATT&CK.
This makes it possible to create a complete threat model for the set of assets being analysed. The resulting threat model then becomes the basis for risk realisation scenarios, each of which combines a negative consequence, a threat, a type of intruder and the realisation methods available to that intruder.
Risk Assessment
The product allows analysts to perform the assessment themselves or to collect data from experts using questionnaires. Different questionnaires can be created for different experts depending on their competences and areas of responsibility. For example, you can collect data from business units about the potential damage from the realisation of certain threats, and from technical experts you can get data about the probability of the realisation of a certain scenario in a certain infrastructure.
The assessment can be carried out either fully online or partially offline, because questionnaires, assessment methods, standards and the collected information can be exported to and imported from a file at each stage; this is useful when working with remote locations.
All qualitative assessments are converted into a point system, within which the assessment results are combined according to the practice adopted in a particular organisation (average, median, maximum, etc.). Because quantitative estimates are placed on the same point scale, qualitative and quantitative assessments are calculated using the same formulas.
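The following is an added example, not code from Security Vision RM, of how such a point system can work: expert answers from two questionnaires (technical experts rate likelihood, business units rate damage) are mapped to a common 1..5 point scale, quantitative damage estimates are banded onto the same scale, and the results are combined with a configurable aggregation method before the risk score is computed. The scales, bands and expert answers are constructed for illustration; the product's own scales and weights are not given in the text.

```python
from statistics import mean, median
from typing import Callable, Dict, List, Union

# Constructed qualitative scales (assumed; not the product's own).
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}

# Constructed bands that place a quantitative damage estimate (currency units
# per year) on the same 1..5 scale as the qualitative answers.
DAMAGE_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4), (float("inf"), 5)]

# Aggregation methods an organisation may adopt for combining expert answers.
AGGREGATORS: Dict[str, Callable[[List[float]], float]] = {
    "average": mean,
    "median": median,
    "maximum": max,
}

Answer = Union[str, int, float]


def qualitative_to_points(answer: str, scale: Dict[str, int]) -> int:
    """Map one qualitative answer to points; unknown wording is rejected, not silently skipped."""
    key = answer.strip().lower()
    if key not in scale:
        raise ValueError(f"unknown rating {answer!r}")
    return scale[key]


def quantitative_to_points(value: float, bands=DAMAGE_BANDS) -> int:
    """Map a numeric damage estimate to the first band whose upper bound it does not exceed."""
    for upper, points in bands:
        if value <= upper:
            return points
    return bands[-1][1]


def impact_points(answers: List[Answer]) -> List[int]:
    """Business units may answer with a word or a number; both land on the same scale."""
    return [
        quantitative_to_points(a) if isinstance(a, (int, float)) else qualitative_to_points(a, IMPACT_SCALE)
        for a in answers
    ]


def likelihood_points(answers: List[str]) -> List[int]:
    return [qualitative_to_points(a, LIKELIHOOD_SCALE) for a in answers]


def aggregate(points: List[int], method: str) -> float:
    if not points:
        raise ValueError("no answers collected for this question")
    return AGGREGATORS[method](points)


def risk_score(likelihood_answers: List[str], impact_answers: List[Answer], method: str = "average") -> float:
    """Risk = aggregated likelihood points x aggregated impact points, one formula for all inputs."""
    return aggregate(likelihood_points(likelihood_answers), method) * aggregate(impact_points(impact_answers), method)


if __name__ == "__main__":
    # Constructed questionnaire results for one scenario.
    technical = ["likely", "possible", "likely"]     # -> 4, 3, 4
    business = ["major", 250_000, "critical"]        # -> 4, 3 (band), 5
    for m in AGGREGATORS:
        print(f"{m:8s} score = {risk_score(technical, business, m):.2f}")
```

Switching the `method` argument changes only how the expert answers are combined; the scoring formula itself is unchanged, which is the property the text describes.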
Risk processing
After all data have been collected and the risk indicators calculated, the system provides risk processing functionality, in which the user can simulate the effect of implementing particular protection measures and compare their cost with the risk reduction they achieve. The interface thus makes it possible to select the set of measures with the best cost-to-effectiveness ratio.
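As an added example (not the product's own logic), the simulation below takes a constructed risk register and a constructed catalogue of protection measures, each with a cost and the fraction by which it reduces specific risks, reports the reduction each measure achieves on its own, and then greedily selects measures by marginal risk reduction per unit of cost until a budget is exhausted. The risk scores, measures, costs and reduction fractions are all assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float
    reductions: Dict[str, float]  # risk id -> fraction of that risk's score removed (0..1)


def residual(risks: Dict[str, float], chosen: List[Measure]) -> Dict[str, float]:
    """Apply the chosen measures to the register; reductions on the same risk compound."""
    out = dict(risks)
    for m in chosen:
        for rid, frac in m.reductions.items():
            if rid in out:
                out[rid] *= (1.0 - frac)
    return out


def total(risks: Dict[str, float]) -> float:
    return sum(risks.values())


def simulate_each(risks: Dict[str, float], measures: List[Measure]) -> List[Tuple[str, float, float, float]]:
    """Effect of each measure applied alone: (name, cost, reduction, reduction per cost unit)."""
    base = total(risks)
    rows = []
    for m in measures:
        gain = base - total(residual(risks, [m]))
        rows.append((m.name, m.cost, gain, gain / m.cost if m.cost else float("inf")))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def select(risks: Dict[str, float], measures: List[Measure], budget: float):
    """Greedy selection by marginal reduction per cost; returns (chosen, spent, residual register)."""
    chosen: List[Measure] = []
    remaining = list(measures)
    spent = 0.0
    while True:
        current = residual(risks, chosen)
        best = None
        for m in remaining:
            if spent + m.cost > budget:
                continue
            gain = total(current) - total(residual(current, [m]))
            if gain <= 0:
                continue
            ratio = gain / m.cost if m.cost else float("inf")
            if best is None or ratio > best[0]:
                best = (ratio, m)
        if best is None:
            break
        chosen.append(best[1])
        remaining.remove(best[1])
        spent += best[1].cost
    return chosen, spent, residual(risks, chosen)


# Constructed register (scores from an earlier assessment) and measure catalogue.
RISKS = {"R1": 20.0, "R2": 12.0, "R3": 9.0}
MEASURES = [
    Measure("MFA", 5.0, {"R1": 0.6}),
    Measure("EDR", 10.0, {"R1": 0.5, "R2": 0.5}),
    Measure("Patching", 4.0, {"R3": 0.8}),
    Measure("Backups", 3.0, {"R2": 0.3}),
]

if __name__ == "__main__":
    for name, cost, gain, ratio in simulate_each(RISKS, MEASURES):
        print(f"{name:9s} cost={cost:5.1f} reduction={gain:5.1f} per-cost={ratio:.2f}")
    chosen, spent, left = select(RISKS, MEASURES, budget=12.0)
    print("chosen:", [m.name for m in chosen], "spent:", spent, "residual total:", round(total(left), 2))
```

The greedy rule is a simple, explainable choice for a budget-constrained selection; it is not guaranteed to be optimal, so an analyst would still want to compare a few candidate sets, which is what the simulation step in the product is for.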
From the same window the user can create risk processing tasks. The task mechanism for implementing protection measures makes it possible to monitor deadlines and completion, reassign responsible persons, and accept tasks or send them back for rework. The task life cycle can be customised.
Once the tasks to implement patches and protection measures are completed, all changes are automatically reflected in the assets of the resource and service model and are subsequently taken into account during regular assessments.
Risk monitoring
The Security Vision RM module includes key risk indicator functionality, which significantly expands the possibilities for risk management and monitoring. The system automatically collects and aggregates data from external sources such as SOAR, vulnerability management and asset management systems, giving a complete picture of current risks in real time. The product also notifies automatically when the risks tracked by an indicator exceed the specified thresholds.
The user can precisely configure which risks a particular indicator is relevant to, and set filters so that the relevant risks are selected automatically. This allows, for example, an indicator that tracks the appearance of unpatched critical vulnerabilities to dynamically report an increase in the risks associated with attackers exploiting known vulnerabilities. This approach provides a faster and more accurate response to potential threats and improves the organisation's overall cyber security posture.
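An added example of how such an indicator can be evaluated (not the product's own implementation): a constructed vulnerability-management feed is reduced to a metric (unpatched critical findings older than a given age), the metric is compared against warning and critical thresholds, and a filter over risk tags selects the register entries the indicator applies to, so a single feed update can raise several related risks at once. The finding records, risk tags, thresholds and vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Risk:
    id: str
    title: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    """One record as a vulnerability-management system might export it (constructed)."""
    asset: str
    vuln_id: str
    severity: str
    patched: bool
    age_days: int


@dataclass(frozen=True)
class Indicator:
    name: str
    risk_filter: Callable[[Risk], bool]          # which register entries this KRI is relevant to
    metric: Callable[[List[Finding]], float]     # how the feed is reduced to one number
    warn_at: float
    critical_at: float


def unpatched_critical_older_than(days: int) -> Callable[[List[Finding]], float]:
    def metric(findings: List[Finding]) -> float:
        return float(sum(1 for f in findings
                         if f.severity == "critical" and not f.patched and f.age_days > days))
    return metric


def has_tag(tag: str) -> Callable[[Risk], bool]:
    return lambda r: tag in r.tags


def evaluate(ind: Indicator, risks: List[Risk], findings: List[Finding]) -> Dict:
    """Compute the indicator value, classify it against thresholds, and list the risks it raises."""
    value = ind.metric(findings)
    if value >= ind.critical_at:
        level = "critical"
    elif value >= ind.warn_at:
        level = "warning"
    else:
        level = "normal"
    return {"indicator": ind.name, "value": value, "level": level,
            "risks": sorted(r.id for r in risks if ind.risk_filter(r))}


def notifications(results: List[Dict]) -> List[str]:
    """Only threshold breaches produce a notification; normal readings stay silent."""
    return [f"[{r['level'].upper()}] {r['indicator']} = {r['value']:g}; affected risks: {', '.join(r['risks'])}"
            for r in results if r["level"] != "normal"]


# Constructed register and feed.
RISKS = [
    Risk("R-01", "Compromise of internet-facing service", frozenset({"known-vulnerability", "external"})),
    Risk("R-02", "Insider data leak", frozenset({"insider"})),
    Risk("R-03", "Ransomware via unpatched workstation", frozenset({"known-vulnerability"})),
]
FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", "critical", False, 45),
    Finding("web-01", "VULN-PLACEHOLDER-2", "high", False, 60),
    Finding("ws-117", "VULN-PLACEHOLDER-3", "critical", True, 90),
    Finding("ws-203", "VULN-PLACEHOLDER-4", "critical", False, 31),
    Finding("db-02", "VULN-PLACEHOLDER-5", "critical", False, 12),
    Finding("db-02", "VULN-PLACEHOLDER-6", "critical", False, 120),
]
KRI_UNPATCHED = Indicator("Unpatched critical vulnerabilities > 30 days",
                          has_tag("known-vulnerability"), unpatched_critical_older_than(30),
                          warn_at=1, critical_at=3)

if __name__ == "__main__":
    for line in notifications([evaluate(KRI_UNPATCHED, RISKS, FINDINGS)]):
        print(line)
```

Keeping the metric and the risk filter as separate callables mirrors the two settings the text describes: what the indicator measures, and which risks it is relevant to.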
Modelling capabilities
Built into the product is Monte Carlo risk modelling, a tool for evaluating and managing uncertainty in decision-making. The method runs many iterations of a scenario with random variables to account for possible changes and variation in the data. As a result, the user can estimate the potential magnitude of loss and exposure and, using the frequency and damage distribution parameters, track the minimum, average and maximum values.
Applying the Monte Carlo method to risk modelling makes it possible not only to identify the most probable events but also to analyse the influence of various factors on the final outcome. This supports better-informed decisions and allows potential threats to be identified and minimised in good time.
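The simulation below is an added example, not the product's own model, of the Monte Carlo approach described above using the FAIR-style decomposition into loss event frequency and loss magnitude: event counts per year are drawn from a Poisson distribution, each event's damage from a lognormal distribution calibrated from a median and 90th-percentile estimate, and the per-iteration annual loss is summarised as minimum, mean, maximum and percentiles. The frequency (2 events per year), the damage calibration (median 50,000; 90th percentile 300,000) and the seed are assumed values; it needs only the Python standard library.

```python
import math
import random
from statistics import mean
from typing import Dict, Tuple


def lognormal_params(median: float, p90: float) -> Tuple[float, float]:
    """Derive (mu, sigma) of a lognormal from a calibrated median and 90th percentile."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / 1.2816  # 1.2816 is the z-score of the 90th percentile
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm for a Poisson draw (the random module has no Poisson sampler)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(freq_per_year: float, median_loss: float, p90_loss: float,
                         iterations: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Run the scenario many times and summarise the distribution of annual loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median_loss, p90_loss)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {
        "min": losses[0],
        "mean": mean(losses),
        "max": losses[-1],
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def expected_annual_loss(freq_per_year: float, median_loss: float, p90_loss: float) -> float:
    """Closed-form mean of the compound Poisson-lognormal model, for sanity-checking the simulation."""
    mu, sigma = lognormal_params(median_loss, p90_loss)
    return freq_per_year * math.exp(mu + sigma * sigma / 2)


if __name__ == "__main__":
    # Assumed scenario parameters.
    summary = simulate_annual_loss(freq_per_year=2.0, median_loss=50_000, p90_loss=300_000)
    for key, value in summary.items():
        print(f"{key:14s} {value:,.0f}" if key != "prob_any_loss" else f"{key:14s} {value:.3f}")
    print(f"analytic mean  {expected_annual_loss(2.0, 50_000, 300_000):,.0f}")
```

Re-running with a lower frequency or a smaller p90 shows how a candidate protection measure shifts the whole distribution rather than a single point estimate, which is the comparison an analyst needs when weighing measures.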
Reports and dashboards
The Security Vision RM module includes preconfigured reports for exporting data both on individual system objects (resource and service model objects, assessment processes, questionnaires, etc.) and as summary reports containing consolidated information.
Also included are a number of preconfigured dashboards that display key information on assessment statuses, risk levels and key risk indicators, as well as summary analyses of collected data.
All dashboards are automatically updated and interactive: the user can drill down into the required data slice and see the source from which a particular indicator is calculated.
Thus, the risk management process becomes transparent and convenient.
Part of the Security Vision ecosystem
The Security Vision RM resource and service model is also a full-fledged component of the Asset Management Module, which is part of the Security Vision ecosystem. In addition to its core functionality, the Asset Management Module is closely linked to the other products in the ecosystem, so that the product line operates in a single data space with shared and re-used information and a single management interface. The Asset Management Module is an important source of baseline information for ecosystem products, such as the list of software and OS vulnerabilities, installed updates, and the artefacts and evidence used in incident management or risk management processes.