Ruslan Rakhmetov, Security Vision
In the previous article, we discussed the fundamentals of information security risk management, examining the key cyber risk management methods and methodologies. In this publication, we will examine cyber risks as the connecting link of the entire information security management system and the automation of information security processes.
Cyber risk management is at the core of the information security management system (ISMS) – this key process links all the other processes together in order to select and implement effective and cost-justified protective measures (organizational, technical, and physical). All processes, including risk management, are implemented in accordance with the Deming PDCA cycle (Plan-Do-Check-Act) and can be built according to the recommendations of ISO/IEC 27001:2022 "Information Security Management Systems. Requirements". The ISMS consists of a set of interrelated information security processes, such as:
1) Asset Management: An asset is an entity that is valuable to the organization, is used to achieve the organization's goals, must be protected, and can be attacked in order to violate its security properties. Examples of assets include information systems, hardware, software, accounts, business processes, suppliers, equipment and premises, as well as information, trademarks, intellectual property, reputation, etc. The asset management process includes inventory, accounting, assignment of responsibilities, definition of business roles/technical functions, determination of dependencies, classification, and assessment of the asset's priority (value). Asset management in the Security Vision ecosystem is performed in the Asset Management (AM) product, which receives data from the infrastructure (through active network scanning), from installed information security systems/software (vulnerability scanners, SIEM, antiviruses, CMDB, directory services, MS SCCM), and from the Security Vision EDR product (agent). The following asset property data can be used for the cyber risk management process: asset criticality and cost, requirements for the integrity, confidentiality, and availability of data in systems, the dependence of business processes on assets, and the asset life cycle history (changes in its properties).
2) Vulnerability Management: A vulnerability is a weakness (defect, error) in an asset or information security system that can be exploited by attackers to implement a cyberthreat. Vulnerabilities can occur in code, configuration, system architecture, and business processes (organizational vulnerabilities). The vulnerability management process includes asset scanning, obtaining information about installed software, checking against a database of known vulnerabilities or attempting a controlled exploitation of the vulnerability, making a decision on handling the vulnerability (installing an update, changing the configuration, disabling the vulnerable component, implementing compensating measures), and monitoring the implementation of that decision. Vulnerability management in the Security Vision ecosystem is performed in the Vulnerability Management (VM) or Vulnerability Scanner (VS) products, which receive data from the infrastructure (through active network scanning) and from the Security Vision AM and Security Vision EDR (agent) products. The following vulnerability data can be used for cyber risk management: the number and severity of vulnerabilities on specific assets, the presence of an exploit, the possibility of exploiting a vulnerability from specific network segments, the consequences of exploitation (e.g., a violation of the integrity/confidentiality/availability of information on the asset), and the history of vulnerability changes on assets (the number of unpatched vulnerabilities, the rate of remediation, the average lifespan of an unpatched vulnerability, etc.).
3) Configuration Management: The applied settings (configurations, parameters) of assets affect the security of the entire infrastructure, since insecure configurations (e.g., a default password or an open port) are a type of vulnerability, and the application of optimal cybersecurity settings (hardening) helps eliminate such vulnerabilities. Configuration management involves obtaining (reading) the current configurations, comparing them with those recommended by manufacturers or regulators, bringing the settings in line with these recommendations, and automatically reverting to secure settings in the event of unauthorized changes. Configuration management in the Security Vision ecosystem is performed in the Security Profile Compliance (SPC) product, which receives data from the infrastructure (through active network scanning) and from the Security Vision AM and Security Vision EDR (agent) products. The following configuration data can be used for cyber risk management: the presence of insecure configurations on the asset, the severity of the insecure configuration (whether such errors and misconfigurations are used in real attacks), and the presence of configurations not recommended or prohibited by regulators.
4) Information Security Event Management: An information security event is a recorded change in the state of an information asset that may lead to an information security incident. The information security event management process includes preparing event sources, receiving, parsing, and normalizing events, and correlating events into incidents. Information security event management in the Security Vision ecosystem is performed in the Security Information and Event Management (SIEM) product, which receives data from the infrastructure, from installed information security tools/software, and from the Security Vision EDR (agent), Security Vision AM, and Security Vision VM/VS products. The following information about information security events can be used for cyber risk management: the number and severity of cyber incidents on a specific asset, taking into account its criticality, the level of reliability of the sources, the breadth of the detection logic, the relationship of events/incidents to vulnerabilities, and the frequency of incidents.
5) Cyber Incident Management: An information security incident is a series of information security events that can lead to, or have already led to, a successful cyberattack and damage to the company. The information security incident management process includes incident preparation, detection, analysis (triage), containment, cyber threat mitigation, post-attack recovery, and post-incident actions (analysis of the quality and completeness of the response, identification of the incident's root causes, remediation of vulnerabilities, risk reassessment, and infrastructure security enhancement). Information security incident management in the Security Vision ecosystem is performed in the Security Orchestration, Automation and Response (SOAR) and Next Generation SOAR (NG SOAR) products, which receive data from the infrastructure, from installed information security systems/software, and from the Security Vision EDR (agent), Security Vision AM, Security Vision VM/VS, Security Vision SIEM, Security Vision TIP, and Security Vision UEBA products. The following data on cyber incidents can be used for the cyber risk management process: the number and severity of cyber incidents on a specific asset taking into account its criticality, the average/median speed of detection of and response to incidents (MTTD, Mean Time To Detect, and MTTR, Mean Time To Respond), the breadth of detection logic coverage, the percentage of automatic actions when responding to incidents of a certain type, the frequency of incidents, the estimated damage from incidents, and the effectiveness of response measures.
6) Business Continuity Management: This process ensures the continuity and recovery of the company's operations in the event of accidents, disruptions, cyberattacks, and emergencies. Business continuity management includes an inventory of business processes and the assets that support them, an analysis of the impact of emergencies on the business (BIA, Business Impact Analysis), the definition of continuity targets (RTO, RPO, MTPD, WRT), the formation of continuity plans (BCP, Business Continuity Plan) and recovery plans (DRP, Disaster Recovery Plan) with step-by-step instructions, roles, and responsibilities, as well as plan testing and emergency simulation. Business continuity management in the Security Vision ecosystem is performed in the Business Continuity Management (BCM) product, which receives data from installed information security systems/software (vulnerability scanners, SIEM, antivirus, CMDB, directory services, MS SCCM) and from the Security Vision AM product. The following data on the resilience of business processes to emergencies can be used for cyber risk management: RTO, RPO, MTPD, and WRT values, BCP and DRP plan test results, infrastructure coverage by plans and BIA assessments, emergency history, their consequences, and business process recovery timeframes.
7) Software Development Security Management: This process ensures the security of developed applications at all stages of their development life cycle (SSDLC, Secure Software Development Life Cycle). The software development security management process includes creating application architectural models, describing their components, application threat modeling, performing static code analysis, finding secrets and checking dependencies, ensuring infrastructure control and secure deployment, performing dynamic analysis, and operational monitoring with the import of data on vulnerabilities and incidents detected while the application is in use. Software development security management in the Security Vision ecosystem is performed in the Application Security Orchestration and Correlation (ASOC) product, which receives data from installed DevOps and SecOps solutions (SAST, DAST, SCA), the Security Vision VS and VM products, Security Vision SOAR/NG SOAR, and Security Vision SIEM. The following software development security data can be used for cyber risk management: the number and severity of detected errors, vulnerabilities, and incidents with applications under development, the dependence of business processes on the applications in question, the average error resolution rate, and the overall maturity level of application development.
8) Malware Protection Management: This process involves detecting malicious activity on corporate devices and blocking dangerous actions. Malware protection management includes preparation (installing agent-based security solutions on corporate devices, configuring rules), detection, analysis (triage), and blocking/mitigation of cyberthreats. Malware protection can be implemented either by classic antivirus solutions, which may not detect a new type of malware, or by EDR-class solutions, which respond not to a signature or malicious hash but to a set of events and artifacts characteristic of an attack (for example, an application process launching a command line with a base64 string passed as a parameter). Malware protection management in the Security Vision ecosystem is performed in the Endpoint Detection and Response (EDR) product, which receives data from the Security Vision EDR agents installed on Windows and Linux devices and transmits detected events to the Security Vision SOAR/NG SOAR and Security Vision SIEM products. The following data on malware protection results can be used for cyber risk management: the number and severity of malware samples detected on a specific asset, taking into account its criticality, the average/median time to detect and respond to malware (MTTD, Mean Time To Detect, and MTTR, Mean Time To Respond), the breadth of detection logic coverage, the percentage of automatic actions in response to malware of a certain type, the frequency of incidents, the estimated damage from incidents, and the effectiveness of response measures.
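The EDR-style detection described above (an application process launching a command line with a base64 string passed as a parameter) can be illustrated with a small behavioural rule. The following is an added example, not Security Vision code: it scores constructed process-creation events by the parent/child relationship and by the presence of an encoded command-line argument, decoding the argument so an analyst can see what was passed. The event schema, the process lists and the score weights are assumptions for the illustration.

```python
import base64
import re

# Constructed process-creation events in an assumed, simplified schema;
# these are not Security Vision EDR telemetry.
ENCODED_ARG = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws-042", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_ARG}"},
    {"host": "srv-01", "parent": "svchost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\logs"},
    {"host": "ws-017", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws-042", "parent": "OUTLOOK.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c echo dGVzdA=="},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive) followed by base64.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Any stand-alone base64-looking argument of 16 or more characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_b64(token):
    """Return the decoded text if token is valid base64 that decodes as UTF-16LE
    (the encoding PowerShell uses for -EncodedCommand) or UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for encoding in ("utf-16le", "utf-8"):
        try:
            return raw.decode(encoding)
        except UnicodeDecodeError:
            continue
    return None


def analyze(event):
    """Score one process-creation event; return a finding dict or None if benign."""
    image, parent = event["image"].lower(), event["parent"].lower()
    score, reasons = 0, []
    if image in SHELLS and parent in DOCUMENT_APPS:
        score += 3
        reasons.append(f"document application {parent} spawned {image}")
    match = ENC_FLAG.search(event["cmdline"])
    if match:
        score += 4
        reasons.append("encoded command flag present")
        decoded = decode_b64(match.group(1))
        if decoded is not None:
            reasons.append(f"decoded payload: {decoded[:60]!r}")
    elif image in SHELLS:
        # Weaker signal: a long base64-looking argument without an explicit flag.
        if any(decode_b64(t) is not None for t in B64_TOKEN.findall(event["cmdline"])):
            score += 2
            reasons.append("long base64-looking argument")
    if score == 0:
        return None
    return {"host": event["host"], "score": score, "reasons": reasons}


def detect(events=SAMPLE_EVENTS):
    """Run the rule over a batch of events; findings are returned highest score first."""
    findings = [f for f in (analyze(e) for e in events) if f is not None]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in detect():
        print(finding["host"], finding["score"], "; ".join(finding["reasons"]))
```

The rule combines two independent artifacts, so a document application spawning a shell is reported on its own at low score, while the encoded-command case carries the decoded text into the finding for triage. The short `dGVzdA==` argument falls below the length threshold and is deliberately not treated as evidence, which is the kind of noise filter that keeps such a rule usable on real volumes.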
9) Cyber Threat Intelligence Management: Cyber intelligence includes work at the technical (indicators of compromise), tactical (attack indicators – tactics, techniques, procedures), operational (current vulnerabilities, exploits, and malware in use), and strategic (cyber threat trends, goals and motivations of cyber groups) levels. The cyber threat intelligence management process includes obtaining cyber intelligence data from the TI feeds of external providers and open sources, from security bulletins and cyber threat reports of vendors and regulators, and from online analytical services; this data is deduplicated, filtered, enriched, and then matched against information security events on the fly or during retrospective searches. Cyber threat intelligence management in the Security Vision ecosystem is performed in the Threat Intelligence Platform (TIP) product, which receives analytical data from external providers (TI feeds, bulletins, reports), transmits cleaned cyber intelligence data to the Security Vision VS and VM products, Security Vision SOAR/NG SOAR, Security Vision SIEM, and Security Vision EDR, and receives information security events from the infrastructure and from installed information security tools/software for independent match detection. The following cyber threat data can be used for the cyber risk management process: the number of true-positive IoC/IoA triggers on a specific asset taking into account its criticality, the level of capabilities and motivation of the detected attackers (based on the complexity of the tactics, techniques, and tools used), the use of non-standard attack vectors and exploits (including the exploitation of 0-day vulnerabilities), and the interest of APT groups and cybercriminal clusters.
10) Anomaly Detection Management: When attackers use an unknown or extremely rare technique or attack method, traditional tools will not be able to detect it in time. Any malicious activity leaves traces in the form of changes in the typical behavior of devices, accounts, and infrastructure elements – and such anomalies must be identified. The anomaly detection management process includes building a model of typical infrastructure behavior (behavioral profiles), obtaining logs from the infrastructure and filtering out "noise," applying machine learning methods, mathematical statistics, and correlation rules to identify deviations and highlight suspicious events, and improving the quality of anomaly detection based on the results of previous detections. Anomaly detection management in the Security Vision ecosystem is performed in the User and Entity Behavior Analytics (UEBA) product, which receives data from the infrastructure and from installed information security systems/software, and transmits detected suspicions to the Security Vision SIEM and Security Vision SOAR/NG SOAR products. The following anomaly data can be used for cyber risk management: the number of true positives on a specific asset, taking into account its criticality, the use of non-standard attack vectors, and the number of assets and accounts with changing behavioral profiles.
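The behavioral-profile approach above (a model of typical behavior per entity, deviations highlighted by statistics, noise filtered out) can be shown with a robust statistical baseline. The following is an added example, not Security Vision UEBA code: it builds a median/MAD profile per account from constructed daily authentication counts and flags a value only when it is both statistically extreme and outside everything seen in the profile window. The data, the 3.5 cutoff and the "above historical maximum" filter are assumptions for the illustration.

```python
from statistics import median

THRESHOLD = 3.5  # commonly used cutoff for the modified (MAD-based) z-score

# Constructed daily authentication counts per account over a 10-day profile window;
# not real telemetry. "bob" is bursty by nature, "svc-backup" is almost constant.
BASELINE = {
    "alice":      [12, 14, 11, 13, 15, 12, 14, 13, 12, 14],
    "svc-backup": [40, 41, 40, 39, 40, 42, 40, 41, 40, 40],
    "bob":        [5, 30, 4, 6, 5, 28, 6, 5, 4, 6],
}
# Constructed counts for the day under analysis.
TODAY = {"alice": 60, "svc-backup": 41, "bob": 29}


def robust_profile(samples):
    """Behavioral profile of one entity: median, median absolute deviation (MAD)
    and the largest value observed. Median/MAD are not pulled by a few bursts."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return {"median": med, "mad": mad, "max": max(samples)}


def robust_z(value, profile, floor=1.0):
    """Modified z-score. 1.4826 scales MAD to the standard deviation of normal data;
    the floor stops an almost-constant profile from turning a +1 into an outlier."""
    scale = max(1.4826 * profile["mad"], floor)
    return (value - profile["median"]) / scale


def detect(baseline=BASELINE, today=TODAY, threshold=THRESHOLD):
    """Return {entity: z} for entities whose value is statistically extreme AND higher
    than anything in their own window (the second test is the noise filter)."""
    findings = {}
    for entity, samples in baseline.items():
        profile = robust_profile(samples)
        value = today[entity]
        z = robust_z(value, profile)
        if z > threshold and value > profile["max"]:
            findings[entity] = round(z, 1)
    return findings


if __name__ == "__main__":
    for entity, z in detect().items():
        print(f"{entity}: robust z = {z}")
```

On the constructed data only `alice` is reported. `bob` would also exceed the z cutoff because his median is tiny compared with his bursts, but 29 is within his observed range and is dropped by the range test, which is the sort of per-entity refinement that the "improving detection quality from previous results" step feeds back into the profile.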
11) Audit and Self-Assessment Management: Compliance with corporate cybersecurity requirements can be verified by having on-site responsible personnel complete questionnaires, followed by review by the information security manager. For complex holding structures with various subsidiaries and affiliates, such self-assessments help assess the state of cybersecurity across the entire corporate structure. The audit and self-assessment management process includes preparing a register of organizations, creating a unified resource and service model for business process accounting, creating questionnaires, having on-site responsible personnel complete them, assessing compliance, and creating tasks for remediation. Audit and self-assessment management in the Security Vision ecosystem is performed in the Self-Assessment (SA) product, which receives data from the Security Vision AM product. The following data on audit and self-assessment results can be used for cyber risk management: the level of asset and business process compliance, the criticality of identified deficiencies, and the potential damage from non-compliance (fines, regulatory comments, incident consequences).
12) Compliance Management: Compliance with cybersecurity regulations can be verified by completing questionnaires and collecting objective data from technical resources and infrastructure. The compliance management process includes compiling a list of applicable requirements (legislative, industry-specific, and corporate) with decomposition and deduplication of regulations, generating questionnaires, collecting information from integrated systems, calculating the level of compliance using customizable formulas, and creating tasks for remediation. Compliance management in the Security Vision ecosystem is performed in the Compliance Management (CM) product, which receives data from the infrastructure, from installed information security systems/software, and from the Security Vision AM and Security Vision EDR products. The compliance management process may also include the Security Vision Critical Infrastructure Information (CIII), GosSOPKA, and FinCERT modules, which ensure compliance with Federal Law No. 187 on critical infrastructure security, reporting of incidents at critical infrastructure facilities to the National Coordination Center for Critical Infrastructure Information (NCCI) via the GosSOPKA system, and information exchange via the Central Bank of the Russian Federation's FinCERT automated information security system. The following compliance data may be used for cyber risk management: the level of asset and business process compliance, the criticality of identified deficiencies, and the potential damage from non-compliance (fines, regulatory comments, and incident consequences).
In addition to the above processes, the following processes can also be implemented within the ISMS:
· change management;
· exception management;
· account and access management;
· management of cryptographic tools;
· network and communication channel security management;
· managing interactions with suppliers and contractors;
· management of internal documents and tasks;
· management of accumulated knowledge and best practices;
· managing staff awareness of information security issues.
In companies with a high level of maturity of the ISMS, processes such as the following can also be implemented:
· attack surface and pentest management, Bug Bounty programs;
· proactive threat detection management (Threat Hunting) and Compromise Assessment;
· computer forensics management;
· security management for the Internet of Things and cyber-physical systems;
· ML/AI security management (MLSecOps, AISecOps).
In addition, the ISMS also includes supporting (operational) processes of the IS department (function):
· management of operational activities of the information security department;
· reporting management;
· management of interactions with customers (stakeholders);
· managing continuous improvement of cybersecurity processes.
These processes can also be implemented within the Security Vision ecosystem using a No-Code / Low-Code workflow designer, allowing you to replicate the logic of any ISMS process, from the most basic to the most advanced. A comprehensive set of connectors enables integration with infrastructure and various information security systems, analytics and visualization functionality allows you to visualize work results from any perspective, and other Security Vision modules integrate natively with the customized solution to enhance mutual benefit and increase the overall system's value.
Cyber risk management involves two subprocesses: intruder modeling and threat modeling. Attacker groups and their capabilities (potential) are identified as part of building a model of the probable intruder. The results of this subprocess are then applied to constructing a threat model. A qualitative or quantitative cyber risk assessment is then conducted for the resulting list of threats and for each information system under consideration. The following characteristics of intruders, cyber threats, and the protected infrastructure can be used in these subprocesses:
1) the levels of capabilities (potential) of current intruders – the competencies available to attackers, attack methods/tools and capabilities (financial, personnel, scientific/research);
2) motivation of the offenders: financial (cybercriminals, cyber extortionists, hackers hired by competitors), political (cyber mercenaries, APT groups, cyber spies), ideological (hacktivists), military (cyber armies), hybrid (cybercrime and parallel performance of tasks of curators-intelligence agencies), hooligan or research motives;
3) the possibility of groups of intruders colluding, which increases the overall potential of the cyber group;
4) the attractiveness of a particular company to attackers (assessment of the attack surface and the company’s digital profile/footprint);
5) vulnerabilities: availability for exploitation from the Internet/local network, presence of an exploit (the vulnerability is “trending” and is used in real attacks, there is a working exploit in the public domain), privilege level for launching the exploit, magnitude of the consequences of exploitation (remote code execution, privilege escalation, code injection, violation of integrity, confidentiality, availability of information);
6) methods of implementing the threat: the presence of the relevant level of capabilities and conditions for their implementation among current violators, access to components (interfaces) of assets, prevalence and automation of the attack vector (i.e., a set of methods, techniques and tools for implementing a cyberattack), consequences of the implementation method;
7) properties of the impacted object (asset - information system, device, account, business process, etc.): criticality level, requirements for integrity, confidentiality, availability of information on the asset, list of business processes dependent on the asset and their criticality, assigned risk level/ asset valuation (can be assigned as part of the business continuity management process, cyber risk assessment);
8) consequences of the implementation of a cyber threat: disruption/stoppage of business processes, incapacitation or destruction of elements of the information infrastructure, breach of data security (including leaks of personal data and confidential information), theft of an organization's funds, damage to reputation/brand, failure to perform government functions, failure to fulfill obligations/orders, violation of legislation.
Cyber risk management can be implemented in the Security Vision Risk Management (RM) product, which is part of the Security Vision ecosystem and natively integrated with all platform modules. A unified resource-service model enables the use of a common asset database, which is enriched by all products in the Security Vision ecosystem. Centralized processing of all infrastructure data (assets, vulnerabilities, events, cyber incidents, configurations, cyber intelligence, anomalies, and compliance) enables cross-fertilization of information, a complete picture of the company's cybersecurity, and a more accurate qualitative and quantitative risk assessment using objective data from integrated technical assets and company infrastructure components. Assigning a cyber risk level to a specific threat and a specific information system allows incidents and vulnerabilities within that system to be prioritized, while also providing feedback – the properties of processed incidents and vulnerabilities are taken into account when risks are reassessed. Continuously updated data from other products in the Security Vision ecosystem and from integrated IT/IS systems enables real-time risk monitoring for each system and threat, a prompt response when risk indicator levels are exceeded, and the initiation of risk reassessment procedures, with the possibility of a different risk decision in the event of a sharp increase (for example, avoidance – preventive cessation of the risky activity before significant damage is caused to the company – instead of minimization).
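The two subprocesses (intruder model feeding a threat model, then a qualitative assessment per threat and system) and the feedback loop just described can be made concrete with a small scoring model. The following is an added example, not Security Vision RM code: it derives likelihood from the intruder's capability/motivation, the exploit's availability and the vulnerability's reachability, derives impact from the asset's C/I/A requirements and business-process dependencies, combines them on a 4x4 matrix, and then reassesses the same asset when vulnerability management reports a public exploit and threat intelligence reports a more capable, more motivated intruder. The 1..4 scales, the formulas, the matrix thresholds and the treatment rule (accept, minimize, avoid) are assumptions for the illustration; the characteristics themselves are those listed above.

```python
from dataclasses import dataclass, replace
from math import ceil

LEVELS = ("low", "medium", "high", "critical")


@dataclass(frozen=True)
class Asset:
    """Properties supplied by asset management and BCM (1 = lowest, 4 = highest)."""
    name: str
    criticality: int
    cia: dict                  # required protection level per property: {"C": .., "I": .., "A": ..}
    dependent_processes: int   # business processes relying on the asset


@dataclass(frozen=True)
class Vulnerability:
    """Properties supplied by vulnerability management."""
    reachable_from: str        # "internet" or "lan"
    public_exploit: bool       # working exploit in the public domain
    impacts: tuple             # security properties violated on exploitation, e.g. ("C", "I")


@dataclass(frozen=True)
class Intruder:
    """Intruder model: capability (potential) and motivation levels, 1..4."""
    capability: int
    motivation: int


def clamp(x, lo=1, hi=4):
    return max(lo, min(hi, x))


def likelihood(intruder, vuln):
    """Assumed rule: average of capability and motivation, +1 for a public exploit,
    -1 when the vulnerability is only reachable from the local network."""
    score = ceil((intruder.capability + intruder.motivation) / 2)
    if vuln.public_exploit:
        score += 1
    if vuln.reachable_from != "internet":
        score -= 1
    return clamp(score)


def impact(asset, vuln):
    """Assumed rule: the strictest C/I/A requirement among the violated properties,
    +1 when the asset is top-criticality or many business processes depend on it."""
    score = max(asset.cia[p] for p in vuln.impacts)
    if asset.criticality == 4 or asset.dependent_processes >= 3:
        score += 1
    return clamp(score)


def risk_level(like, imp):
    """4x4 matrix: product of likelihood and impact mapped to a qualitative level."""
    score = like * imp
    if score <= 3:
        return "low"
    if score <= 6:
        return "medium"
    if score <= 9:
        return "high"
    return "critical"


def assess(asset, vuln, intruder):
    like, imp = likelihood(intruder, vuln), impact(asset, vuln)
    return {"asset": asset.name, "likelihood": like, "impact": imp, "level": risk_level(like, imp)}


def treatment(previous_level, new_level):
    """Assumed treatment rule: a sharp rise (two or more levels) into critical triggers
    avoidance; high or critical is minimized; anything else is accepted for now."""
    jump = LEVELS.index(new_level) - LEVELS.index(previous_level)
    if new_level == "critical" and jump >= 2:
        return "avoid"
    if new_level in ("high", "critical"):
        return "minimize"
    return "accept"


def scenario():
    """Constructed walk-through: initial assessment, then two reassessments driven by feedback."""
    hr_portal = Asset("hr-portal", criticality=3, cia={"C": 3, "I": 3, "A": 2}, dependent_processes=1)
    web_vuln = Vulnerability(reachable_from="internet", public_exploit=False, impacts=("C", "I"))
    opportunist = Intruder(capability=2, motivation=2)
    before = assess(hr_portal, web_vuln, opportunist)
    # Feedback from vulnerability management: a working exploit has been published.
    after_exploit = assess(hr_portal, replace(web_vuln, public_exploit=True), opportunist)
    # Feedback from threat intelligence: a highly capable, highly motivated group is now interested.
    after_apt = assess(hr_portal, replace(web_vuln, public_exploit=True), Intruder(4, 4))
    return before, after_exploit, after_apt


if __name__ == "__main__":
    before, after_exploit, after_apt = scenario()
    for label, result in (("initial", before), ("exploit published", after_exploit), ("APT interest", after_apt)):
        print(f"{label}: {result}, treatment = {treatment(before['level'], result['level'])}")
```

On the constructed asset the risk starts at medium, moves to high when an exploit appears (treatment: minimize), and jumps two levels to critical once a capable and motivated intruder is added to the model, which the assumed rule turns into the avoidance decision the paragraph above describes.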