The Cybersecurity 3-Layer CAKE

How Cyber Risk Quantification (CRQ) fits into an overall cybersecurity program.

TL;DR This article builds on my previous article, 5 Automated Performance Controls to Improve Cybersecurity, which focused on two types of security controls - Direct Defensive Controls and Indirect Performance Controls.

Direct Defensive Controls directly block threats. Indirect Performance Controls measure the effectiveness of Direct Defensive Controls against adversarial threats and suggest improvements.

In Part Two here, I discuss how knowledge of Direct Defensive Control performance is required to make Cyber Risk Quantification (CRQ) useful to security teams and credible to business leaders who set cybersecurity budgets and decide on the organization's cyber risk tolerance.

CRQ is the third type of control. CRQ done well connects and translates individual Direct Defensive Control performance metrics, as evaluated by Indirect Performance Controls, to business risks expressed in dollars.

This allows business leaders to manage cyber risk as they do other strategic risks. The goal is to optimize cybersecurity budgets to align with their cyber risk appetites.

These three cybersecurity control layers – Direct Defensive Controls, Indirect Performance Controls, and Cyber Risk Quantification – taken together make up the Cybersecurity 3-Layer CAKE - Control Analytics, Knowledge, and Evaluation. Indirect Performance Controls analyze information drawn from the Direct Defensive Controls. CRQ analyzes information drawn from the Indirect Performance Controls.

Indirect Performance Controls, whether manual or automated, generate recommendations and security metrics that help security teams work more effectively and efficiently by (1) highlighting gaps in threat coverage due to misconfigured or under-configured Direct Defensive Controls, and (2) prioritizing vulnerability and control deficiency remediation recommendations.

CRQ software can use this information to improve its accuracy and credibility to business leaders if the CRQ software model includes factors for individual and aggregate Direct Defensive Control effectiveness, threats, vulnerabilities, attack surfaces, and especially attack paths through an organization’s IT/OT estate.

The CRQ model must strike a balance between complexity and modeling reality. The more realistic the model, the more complex it's going to be. However, if the model is too simple, the results it generates won't be useful to security teams and won't be credible to business leaders.

In addition, the CRQ’s data model must be open enough to support whichever Indirect Performance Controls security teams select.

In this article I discuss (1) why the Cybersecurity 3-Layer CAKE is needed to supplement traditional GRC frameworks, (2) the potential value of CRQ, (3) the requirements of CRQ if it is going to achieve its potential, and (4) CRQ vendor business models – SaaS software and Advisory Services.

Finally, I will provide an example of a CRQ offering that meets these requirements.

PART ONE ARTICLE – INDIRECT PERFORMANCE CONTROLS – SUMMARY

In Part One I defined the two types of cybersecurity controls which reduce the Likelihood and Impact of cyber-related Loss Events:

  • Direct Defensive – Controls that directly block threats or at least detect suspicious activities which are then resolved by an in-house or third-party security operations team.
  • Indirect Performance – Indirect controls that measure and report on the effectiveness of Defensive Controls, evaluate the quality of their configurations, and make specific recommendations for improvements. Offensive security tools are a type of Performance Control.

Given the number and complexity of deployed Direct Defensive Controls, automated Performance controls are needed to provide continuous visibility and management. Having said that, highly skilled human pen testers surely add value for detecting the types of vulnerabilities that automated tools might miss.

I defined and discussed five types of automated Performance controls: Attack Simulation, Risk-based Vulnerability Management, Metrics, Security Control Posture Management, and Process Mining.

Here is the link to that article: https://www.dhirubhai.net/pulse/5-automated-governance-controls-improve-cybersecurity-bill-frank-mui5f/

WHY THE CYBERSECURITY 3-LAYER WEDDING CAKE

Why yet another cybersecurity “framework” / model?

The limitations of current GRC frameworks

Despite spending billions of dollars on cybersecurity controls and implementing a variety of Governance, Risk, and Compliance (GRC) frameworks, the frequency and impact of cyber incidents are still increasing. How can this be?

I suggest the root cause is lack of meaningful executive involvement in strategic cybersecurity decision-making. None of the GRC frameworks that security teams labor under provides a useful and credible mechanism to enable business leaders to actively collaborate with CISOs to (1) assess and set their organizations’ cybersecurity risk appetites or (2) provide meaningful criteria for setting their cybersecurity budgets.

Business leaders want this involvement because they recognize that revenue generating business processes rely on information technology. They understand that strategic cybersecurity decisions can no longer be left to security teams.

CISOs are also frustrated because they too understand that cyber risk is business risk. They need an approach that will enable them to collaborate with business leaders who are ultimately responsible for deciding on the amount of cyber risk, expressed in dollars, they are comfortable with.

Government and industry regulatory bodies understand this as well and are moving to require executive responsibility for cybersecurity.

The Cybersecurity 3-Layer CAKE Supplements GRC Frameworks

I am surely NOT saying that the GRC frameworks don’t have value. They do.

But an overarching approach is needed to enable business leadership to take its rightful role in an organization’s cybersecurity program - setting cyber risk tolerance and budget.

The Cybersecurity 3-Layer CAKE enables business leaders to collaborate with CISOs to set cyber risk tolerance and budget

The Cybersecurity 3-Layer CAKE (Control Analytics, Knowledge, and Evaluation) solves this problem. The technical language of cybersecurity teams must be translated to the financial language used by business leaders to manage the organization’s other strategic risks.

Direct Defensive Controls are the direct controls that block threats or at least alert on suspicious behavior.

Indirect Performance Controls are indirect controls that measure the performance of Defensive Controls and make recommendations for improvements.

Cyber Risk Quantification (CRQ) interprets the output of Performance Controls and translates technical metrics to business risks expressed in dollars. CRQ bridges the technical metrics – business risk gap.

To ensure the flexibility security teams need to respond to new threats and advances in control technology, investments in each layer of the Cybersecurity 3-Layer CAKE must be independent of the other layers.

CYBER RISK QUANTIFICATION (CRQ)

Whichever combination of Direct Defensive and Indirect Performance Controls you select, these questions remain:

  • How best to communicate the effectiveness of your security program to business leaders, particularly to those who set your budget?
  • How do you gain approval for the additional budget you are requesting?
  • How do you collaborate with business leaders on the likelihood of a material incident?
  • How do you determine risk appetite / tolerance?
  • How do you obtain cooperation from the IT teams responsible for deploying and maintaining Defensive Controls and remediating IT infrastructure vulnerabilities?
  • How do you obtain cooperation from the software development teams that are responsible for remediating application vulnerabilities?
  • How do you gain support from the business operations teams who would be impacted by a successful cyber attack?

In theory, Cyber Risk Quantification (CRQ) provides the process and tools to answer these questions by translating technical control metrics to cyber-related business risk expressed in dollars.

More specifically, security teams rely on technical metrics to measure and manage the cyber posture of their organizations. But business leaders rely on financial metrics when assessing business risks. This creates a cyber metrics – business risk gap that in theory CRQ bridges.

But in practice, for the last 10+ years the purveyors of CRQ have fallen short due to their inability to model the efficacy of controls individually and collectively, in the context of threats, vulnerabilities, attack surfaces, and attack paths into and through an organization.

CRQ SOFTWARE REQUIREMENTS

For CRQ software to be of value to security teams, business leaders, IT teams, software development teams, and business operations department leaders, it must:

  • Support control investment decision-making by showing how control changes, additions, enhancements, and reductions affect cyber-related business risk in dollars.
  • Explicitly factor: (1) the efficacy of Defensive Controls individually and collectively, (2) the range of strength of adversarial tactics, techniques, and procedures based on MITRE ATT&CK, and (3) attack surfaces and attack paths into and through the organization’s IT/OT estate in the context of the loss events of concern to business leaders.
  • Provide a defensible method for calculating Aggregate Control Effectiveness, i.e., the overall effectiveness of all Defensive Controls working together, in concert. The best way to do this is by using information from Indirect Performance Controls to map Direct Defensive Controls’ effectiveness against the attack paths.
  • Provide a set of open, standardized parameters across all Direct Defensive Control types so that the efficacy of controls across all domains can be compared.
  • Accept input from any combination of Indirect Performance Controls an organization chooses to deploy. This means that the CRQ software places no restrictions or limitations on Indirect Performance Control selection.

CRQ VENDOR BUSINESS MODELS

There are two prevalent business models for CRQ vendors – SaaS software and Advisory Services.

Most security teams are not ready to make a major commitment to a SaaS annual subscription for two reasons. First, lack of a resource with CRQ experience. Second, simply the expense.

A better approach is to work with an experienced CRQ Advisory Service that can also assist with the selection and implementation of Performance Controls.

A pilot program using an Advisory Service can be inexpensively implemented with limited client resources.

GRAACE

Risk is a function of Likelihood (Probability or Loss Event Frequency) and Financial Impact (Loss Event Magnitude measured in dollars) for a defined period of time.

While Financial Impact is well understood, the CRQ market has struggled to define a useful and credible method for calculating Likelihood.

In response to this issue, Monaco Risk developed GRAACE (Graphical Risk Analysis of Aggregate Control Effectiveness, pronounced grace). GRAACE is both a CRQ ontology and a risk management process in which controls, threats, vulnerabilities, attack surfaces, and attack paths are first-class factors.

Monaco Risk’s Cyber Defense Graph software, explained in more detail below, is our implementation of GRAACE.

What follows in this section is a description of the GRAACE terms, the ontology, and the process.

GRAACE Terms

Risk is based on the likelihood (probability or frequency) and the financial impact (magnitude) of loss events for a given period of time.

Control can be any people, process, or technology that the organization has control over to reduce risk.

Graphical representation of the attack surfaces and attack paths adversaries can take into and through the organization’s IT/OT estate to achieve their objectives. Controls are mapped to attack paths and visualized as a graph where the arrows are attack paths and the nodes are controls.

Aggregate Control Effectiveness is the combined effectiveness of an organization’s portfolio of controls. It’s the complement of Susceptibility (1 - Susceptibility). It’s calculated using Direct Defensive Control efficacy determined by Indirect Performance Controls, in the context of threats, vulnerabilities, attack surfaces, and, most importantly, attack paths. Control investment decision-making is improved by showing how one or more additions, changes, or removals of controls affect Aggregate Control Effectiveness.

GRAACE Ontology

Why call this an ontology? It’s simply a diagram to show the factors we use for calculating risk and the relationships among them. We developed GRAACE to address the limitations of FAIR. Here is a link to an article I wrote comparing GRAACE with FAIR - https://www.dhirubhai.net/pulse/cyber-risk-quantification-models-fair-vs-graace-bill-frank-rxmse/

The figure below shows the GRAACE ontology.

The GRAACE Ontology

Here is a brief description of each component of the GRAACE ontology.

Risk: Loss Event Taxonomy

As has been noted above, a Risk is defined as the Frequency (probability) and Magnitude (measured in dollars) of a loss event.

A problem that often arises when performing cybersecurity risk assessments is determining whether you have addressed all of the possible loss event types. Monaco Risk maintains Loss Event Taxonomy that exhaustively covers all cyber loss event types.

It turns out that the number of types of loss events is surprisingly small given the creativity of adversaries. During the last four years, the number of loss event types has only grown from the initial 12 to 16. They are categorized as follows: (1) Exposure of Sensitive Information, (2) Business Disruption, (3) Direct Monetary, Business, or Resource attack, and (4) Non-compliance, audit, or liability.

We make the Loss Event Taxonomy available at no charge under a Creative Commons license. Please contact me and I will send you the document.

Loss Event Frequency: Cyber Defense Graph

Calculating Loss Event Frequency in a way that is useful to security teams and credible to business leaders has been challenging. GRAACE addresses this issue by defining the factors that need to be modeled. They are Threat Strength, Attack Surfaces and Paths, Threat Path Distribution, Direct Defensive Controls Effectiveness, and SOC Strength. The accuracy of the input values for these factors is increased through the use of Indirect Performance Controls.

Monaco Risk’s Cyber Defense Graph simulation software is our implementation of GRAACE's Loss Event Frequency model. It uses a standard set of parameters across all Direct Defensive Control domains. It will be described in greater detail below.

Loss Magnitude – Financial Loss Components

Monaco Risk’s Loss Event Taxonomy provides four categories of Financial Loss Components which relate directly to the loss event types: (1) Direct Monetary Loss, (2) Lost Revenue, (3) Increased Costs, and (4) Liability & Regulatory. The full list of Financial Loss Components is available with the Loss Event Taxonomy under a Creative Commons license. Glad to send upon request.

The GRAACE Process

GRAACE is more than a quantitative cybersecurity risk model. It's also a risk management process which consists of three phases: (1) Identify the loss events of concern to business leaders, (2) Baseline current cyber posture using the Cyber Defense Graph, and (3) Run what-if scenarios on control changes to show changes in risk expressed in dollars.

This fosters collaboration with business leaders who set cybersecurity budgets and cooperation with IT and software development teams, and operational teams who are impacted by cyber incidents.

MONACO RISK'S CYBER RISK QUANTIFICATION

What follows is a discussion of Monaco Risk’s CRQ Advisory Service and software platform, which is based on GRAACE and meets the CRQ requirements described earlier.

Monaco Risk’s Cyber Defense Graph

We architected Monaco Risk’s CRQ software to be the CRQ layer of the Cybersecurity 3-Layer CAKE described earlier in this article. More specifically, our patented Cyber Defense Graph software is an implementation of GRAACE. It offers a useful and credible method of calculating individual and Aggregate Control Effectiveness in the context of threats, vulnerabilities, attack surfaces, and attack paths.

Modeling attack paths is critical to understanding how a change to a Direct Defensive Control affects the risk of a Loss Event. Put another way, evaluating a new Defensive Control in isolation cannot predict how that control will perform in concert with the other deployed controls to reduce the likelihood and impact of loss events of concern to business leaders.

Here’s why. A Defensive Control can test very well individually but not reduce risks significantly, even if it’s well configured, for two reasons. First, the control may be on a path that does not see very many threats. Second, the control may be on a path with several other strong controls that already block most of the threats it would see.

The figure below is a partial example of a Cyber Defense Graph (CDG) generated by Monaco Risk’s software.

Monaco Risk's patented Cyber Defense Graph showing Critical Path Weaknesses

This CDG highlights the four key stages of a successful attack, based on MITRE ATT&CK, that results in business disruption due to ransomware: (1) Initial Access, (2) Execution on Workstations, (3) Lateral Movement including execution on workloads, and (4) Adversarial Objectives.

The arrows represent the threats that enter from the left and move along attack paths from left to right. The nodes (boxes) represent Direct Defensive Controls that can block the adversary’s tactics, techniques, and procedures (TTPs). Every Defensive Control can block some percentage of threats. Threats that make it all the way to the far right represent loss events.

The shades of red of the control nodes indicate the criticality of the attack path based on the controls’ abilities to block the TTPs. The darker the shade of red, the more critical the attack path.

Sensitivity (Tornado) Charts

In addition to Critical Path Weakness graphs, Monaco Risk’s software generates Sensitivity Charts which show the relative importance of individual controls. Such a chart is commonly referred to as a tornado chart due to the overall pattern of the bars. Here is an example:

Sensitivity (Tornado) chart shows the relative importance of each control in the Cyber Defense Graph

The bars to the left of the center line show the percentage decrease in Aggregate Control Effectiveness if the control were removed. The bars to the right show the percentage increase in Aggregate Control Effectiveness if the control were implemented with complete Coverage and a high level of Governance.
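To make the GRAACE quantities used above concrete (path susceptibility, Aggregate Control Effectiveness as 1 - Susceptibility, the tornado-chart sensitivities, and Loss Event Frequency turned into dollars), here is a toy model added for this article. It is not Monaco Risk's patented Cyber Defense Graph software or its actual model: every control name, efficacy value, path share and dollar figure is constructed, and it assumes that controls on a path block independently.

```python
# Toy Cyber Defense Graph in GRAACE terms (added example, constructed values).
# Simplifying assumption: controls on a path block independently, so a path's
# susceptibility is the product of each control's miss rate (1 - efficacy).

# Per-control block probability, as an Indirect Performance Control might report it.
EFFICACY = {
    "email_filter": 0.80,
    "edr_workstation": 0.50,
    "segmentation": 0.40,
    "edr_workload": 0.50,
    "immutable_backup": 0.70,
    "vpn_mfa": 0.90,
    "waf": 0.90,
}

# Attack paths, Initial Access (left) to Adversarial Objectives (right):
# share of incoming threats (Threat Path Distribution) and controls passed, in order.
PATHS = {
    "phishing": (0.70, ["email_filter", "edr_workstation", "segmentation",
                        "edr_workload", "immutable_backup"]),
    "vpn_credential": (0.25, ["vpn_mfa", "segmentation", "edr_workload",
                              "immutable_backup"]),
    "exposed_service": (0.05, ["waf", "edr_workload", "immutable_backup"]),
}

def path_susceptibility(controls, efficacy):
    """Fraction of threats on this path that reach the far right (a loss event)."""
    miss = 1.0
    for name in controls:
        miss *= 1.0 - efficacy[name]
    return miss

def susceptibility(paths, efficacy):
    """Threat-weighted susceptibility across all attack paths."""
    return sum(share * path_susceptibility(ctrls, efficacy)
               for share, ctrls in paths.values())

def aggregate_control_effectiveness(paths, efficacy):
    """Aggregate Control Effectiveness = 1 - Susceptibility."""
    return 1.0 - susceptibility(paths, efficacy)

def sensitivity(paths, efficacy, ideal=0.95):
    """Tornado-chart rows: % change in ACE if a control is removed (left bar)
    or raised to `ideal`, i.e. complete Coverage and high Governance (right bar)."""
    base = aggregate_control_effectiveness(paths, efficacy)
    rows = {}
    for name, value in efficacy.items():
        removed = aggregate_control_effectiveness(paths, {**efficacy, name: 0.0})
        improved = aggregate_control_effectiveness(
            paths, {**efficacy, name: max(value, ideal)})
        rows[name] = ((removed - base) / base * 100, (improved - base) / base * 100)
    return rows

def annual_loss_exposure(paths, efficacy, threat_events_per_year, loss_magnitude):
    """Risk in dollars: Loss Event Frequency x Loss Magnitude over one year."""
    frequency = threat_events_per_year * susceptibility(paths, efficacy)
    return frequency, frequency * loss_magnitude

if __name__ == "__main__":
    print(f"ACE: {aggregate_control_effectiveness(PATHS, EFFICACY):.4f}")
    for name, (down, up) in sorted(sensitivity(PATHS, EFFICACY).items(), key=lambda kv: kv[1][0]):
        print(f"{name:17s} removed {down:+7.3f}%  ideal {up:+7.3f}%")
    lef, ale = annual_loss_exposure(PATHS, EFFICACY, 200, 2_000_000)
    print(f"LEF {lef:.2f}/yr, expected annual loss ${ale:,.0f}")
```

Run it and the tornado rows show the point made earlier: the WAF tests better (0.90) than the email filter (0.80), yet removing it barely moves ACE because it sits on a path that carries only 5% of threats, while the "ideal" bars show which single upgrade buys the most risk reduction.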

GRAACE - MONACO RISK'S CRQ LAYER OF THE CYBERSECURITY 3-LAYER CAKE

Monaco Risk's GRAACE-based approach to CRQ using its Cyber Defense Graph connects and translates cyber posture ratings from Indirect Performance Controls to business risk expressed in dollars.

Loss Events of concern to business leaders provide the context for cyber risk assessments.

The GRAACE process helps with the following:

Prioritize Recommendations. The list of "immediate" improvements and recommendations generated by Indirect Performance Controls is always longer than the existing staff has time to implement. Use GRAACE to prioritize remediation activities.

Justify Cybersecurity Budgets. Collaborate with business leaders to set risk appetite and budget. Secure additional staff to implement Indirect Performance Control recommendations. Secure additional budget when needed to purchase additional functionality from Direct Defensive Control vendors.

Obtain Cooperation. Gain cooperation from IT, network, and development teams by sharing risk reduction value.

Report Risk Reduction in Dollars. Communicate quarterly and annual improvements in cyber posture in terms of risk reduction in dollars. Use loss events of concern to business leaders for context.

NEXT STEPS

Select a CRQ Advisory Service to scope an inexpensive pilot project focused on one loss event scenario related to one revenue generating process of concern to business leaders.

The original version of this article was published at WEI on May 17, 2024. https://blog.wei.com/the-cybersecurity-3-layer-wedding-cake

This version of the article has updates based on feedback from the original.

Kudos, Bill. Seems like a rigorous and important program.
