Broadgate’s ASSURITY: Calculate your security exposure

Posted on : 30-07-2015 | By : admin | In : Cyber Security, Innovation


Broadgate are pleased to announce the launch of our security assessment product, ASSURITY.

Over the years we’ve helped our clients address the increasing security challenges and protect their digital assets. Our experience during this time was that there is a need for a more business focused approach, so we developed our own assessment methodology, which we have now officially launched as a product.

So how can ASSURITY help?

Like it or not, dealing with the threat of data breaches is part of modern business. Not only that, it is a board level agenda item now with corporate executives being held accountable. Currently, European law makers are engaged in the lengthy process of approving the new European General Data Protection Regulation. There are still variations to be agreed upon, but when it comes to potential fines to be imposed for data breaches the upper end stands at €100 million or 5% of company revenue.

It also states that:

“If feasible” companies should report a data breach within 24 hours of detection ... and “where a data breach has occurred, the organization has to notify all those affected unless it can prove that data is unreadable by anyone not authorized to access it”

Against this backdrop, it becomes even more important that executives really understand their current risk exposure and can quantify the impact and likelihood of an event.

The ASSURITY product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated against other offerings through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.


ASSURITY is a three step process, as outlined below:

[Figure: Assurity assessment methodology]

The ASSURITY product leads organisations through a 3 step process:

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Quantified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level


In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investments.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the Likelihood and Impact of an event. Importantly, we also assign a quantified value at risk which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.
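The gap analysis and heat map described in the two sections above can be reproduced with a small scoring script. The example below is added here for illustration; it is not Broadgate's code and the ASSURITY scoring rules are not published. It assumes a 0-5 maturity scale, a 1-5 likelihood and impact scale, a priority of gap × likelihood × impact, and that the unprotected share of an area's value at risk scales with its gap to target; the five area names and all figures are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MATURITY_MAX = 5  # assumed 0-5 maturity scale (the page does not state one)


@dataclass(frozen=True)
class AreaScore:
    area: str
    current: int          # assessed maturity, 0..MATURITY_MAX
    target: int           # target maturity benchmark set during profiling
    likelihood: int       # 1..5, from the likelihood inputs
    impact: int           # 1..5, from the profiling of business-critical assets
    value_at_risk: float  # monetary value attributed to this area (constructed)


def risk_rating(likelihood: int, impact: int) -> str:
    """Bucket the likelihood x impact product (1..25) into a three-band rating."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def gap_analysis(scores):
    """One row per area: maturity gap, risk rating, the share of the area's value
    at risk still unprotected, and a priority used to order investment."""
    rows = []
    for s in scores:
        if not (0 <= s.current <= MATURITY_MAX and 0 < s.target <= MATURITY_MAX):
            raise ValueError(f"{s.area}: maturity scores must lie within 0..{MATURITY_MAX}")
        gap = max(s.target - s.current, 0)
        # Assumption: unprotected value scales with the gap relative to the target;
        # an area at or above its target carries no residual value at risk.
        residual_var = s.value_at_risk * gap / s.target
        rows.append({
            "area": s.area, "current": s.current, "target": s.target, "gap": gap,
            "rating": risk_rating(s.likelihood, s.impact),
            "residual_var": round(residual_var, 2),
            "priority": gap * s.likelihood * s.impact,
        })
    # Highest priority first; ties broken by residual value at risk.
    rows.sort(key=lambda r: (r["priority"], r["residual_var"]), reverse=True)
    return rows


def heatmap(scores):
    """Place each area on the likelihood x impact grid used by the heat map."""
    grid = defaultdict(list)
    for s in scores:
        grid[(s.likelihood, s.impact)].append(s.area)
    return dict(grid)


def render_heatmap(scores) -> str:
    """Text rendering of the grid: likelihood down the side, impact across."""
    grid = heatmap(scores)
    lines = []
    for likelihood in range(5, 0, -1):
        cells = [",".join(grid.get((likelihood, impact), [])) or "." for impact in range(1, 6)]
        lines.append(f"L{likelihood} | " + " | ".join(f"{c:20}" for c in cells))
    lines.append("     " + " | ".join(f"{'I' + str(i):20}" for i in range(1, 6)))
    return "\n".join(lines)


# Constructed sample: five areas with invented scores and values.
SAMPLE = [
    AreaScore("Network Security", 1, 4, 4, 5, 800_000.0),
    AreaScore("Incident Management", 2, 4, 3, 5, 600_000.0),
    AreaScore("User Education", 3, 3, 2, 3, 150_000.0),
    AreaScore("Removable Media", 2, 3, 2, 2, 50_000.0),
    AreaScore("Secure Configuration", 4, 4, 3, 4, 400_000.0),
]

if __name__ == "__main__":
    for row in gap_analysis(SAMPLE):
        print(row)
    print(render_heatmap(SAMPLE))
```

Run as a script, it lists the areas in investment order (the two areas furthest below target and rated High come first) and prints the grid; the `ValueError` guard catches scores outside the assumed scale before they skew the ranking.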

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.


The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call +44(0)203 326 8000 to speak to one of our security consultants.


ASSURITY in Action: Case Study

Posted on : 30-07-2015 | By : Jack.Rawden | In : Cyber Security, Innovation


The following is an example case study of a project undertaken using Broadgate's ASSURITY methodology. It is intended as an introduction to the way that ASSURITY has been used and the unique approach that Broadgate takes, and to summarise some of the key outputs that ASSURITY provides.

The client that we undertook this assessment with is a global firm headquartered in the USA. This assessment focussed on the UK subsidiary of the organisation.

Team Structure

To undertake the assessment the Broadgate team consisted of one managing partner and two security analysts/specialists. This team worked closely with the business and technology teams to produce the high level technical and management summary reports to assist the CIO's business case with the board.

Approach

The ASSURITY approach undertaken to complete the assessment can be broken down into 3 distinct stages:

1. Profiling

The initial stages of the project required a profiling of the client's current technology, process and people landscape. This was undertaken by collecting as many existing resources as possible, in essence performing an internal IT security audit. This included:

  • Infrastructure Architecture Documents
  • Identifying input, access points and output points of the network
  • Interviews with key stakeholders to identify the client’s priorities and risk appetite
  • Identifying controls and current protection levels
  • Identifying the company, board and regulatory profile

Profiling of the organisation also occurred externally using threat analytics and current industry trending. Within this stage it was possible to identify some key areas of interest where potential threats existed and set target levels of maturity for key security areas.

2. Assessment

After the initial data collection period the qualitative and quantitative data was loaded into the ASSURITY Assessment tool. The tool was adapted to match industry standards and also to fall in line with the company, board and regulatory profile, to produce benchmarks against similar organisations within the industry. Based on the profile gathered during profiling, the assessment was tailored to match the risk appetite and exposure level of the client. The assessment incorporates the ISO 27001 and SANS 20 standards to benchmark Broadgate's findings against security industry standards.

When completed, the assessment gave a total “Cyber Value at Risk” score and also identified areas of strength (a mature area) and areas of potential concern (low maturity).

3. Results

The ASSURITY assessment produced 4 distinct outputs, fed back into the business over a series of presentations/reports.

  • Maturity assessment identifying:
    • Maturity assessment/heatmap of Infrastructure and processes
    • Gap Analysis to the target maturity level – as identified in the profiling stage of the assessment
    • Cyber at risk value with the quantification of likelihood and impact

From this, strategic recommendations were made, aimed at raising maturity levels and remediating any gaps identified.

From this a prioritised plan was created in partnership with the client's internal IT team, providing:

  • A set of quick wins
  • Medium/Long Term strategic projects
  • Recommendations on potential threats

Client Output and Findings

Below are some key outputs provided from the ASSURITY Assessment. These helped to inform areas of focus, especially where an area was particularly lower than target.

[Figure: ASSURITY - Heat Map]

[Figure: ASSURITY - Target vs Findings]

[Figure: ASSURITY - Targeted Investments]

Based on the above it is possible to drill down into the actions needed to close maturity gaps and reduce risk. This fuelled discussion for our client as to where to allocate budget to bring the level up to the identified target. This was a powerful message to the board, as it clearly identified in simple language the areas where investment was needed.

ASSURITY also identified the level of risk based on the organisational profile and the total monetary value at risk (hidden in this case study) to give an overall score. As can be seen in this case study the Cyber at Risk score was High and could be significantly improved by focusing on a few key areas such as Network Security and Incident Management.

[Figure: ASSURITY - Risk Profile]

This in turn helped to develop the “quick wins” and longer term strategic plans.

The quick wins, which can be performed with a limited budget and within 6 months, included:

  1. Create and communicate a password policy
  2. Create and communicate a network access policy
  3. Conduct a penetration test of the infrastructure
  4. Create and implement a patch management policy
  5. Create a server build document and apply server hardening best practice to all servers

Long term strategic goals, which require long term planning and budget to complete, included:

  1. Intrusion Detection and Prevention Systems (IDPS) across all infrastructure, including Wireless Intrusion Prevention (WIPS) and Applications: Host Based Intrusion Prevention (HIPS)
  2. Data Loss Prevention Strategy, Policy and technology (DLP)
  3. Implementation of malware protection solutions across servers, workstations and mobile devices
  4. Application development audit, with a strong emphasis on application security
  5. A detailed penetration test of key applications and infrastructure, both external and internal, conducted by an ethical hacker/company

ASSURITY: Cyber Value at Risk calculations

Posted on : 30-07-2015 | By : richard.gale | In : Cyber Security, Innovation


If the assumption that cyber attacks are inevitable is true, then what can you do? One approach is to pour unlimited amounts of money into the black hole of IT security. Another, more sensible, approach is risk based: predicting the likelihood, the form and the cost of an attack and weighing it against the cost of avoidance or mitigation.

Our ASSURITY Information Risk Assessment calculates the Cyber Value at Risk (CVaR) based on a number of criteria including industry, size, profile, interface, level of regulation and a number of other factors. What it provides is the hard facts and costs that company directors demand to ensure they are obtaining value from their information security investments and that the spend is directed to the right places.

Building a credible method of estimating and quantifying risk is essential to the process of risk management. The very public breaches at Sony, Target & Ashley Madison mask the multitude that do not make the press. In the UK there is little incentive to highlight a breach but new legislation will change that for organisations in the next year. So given that cyber attacks are “inevitable” then how can the economic impact be calculated for a particular organisation?

The World Economic Forum recently released its report “Partnering for Cyber Resilience; Towards the Quantification of Cyber Threats,” which calls for the application of VaR modelling techniques to cyber security. The report describes the characteristics a good cyber-oriented economic risk model should have, but it doesn't specify any particular model. Here, we consider the concept of “value at risk,” what it means, how it can be applied to cyber security, and describe how a CVaR model is implemented in our ASSURITY product.

At Broadgate we have carried out a significant number of security assessments, so we can draw on that data and supplement it with simulated information based on a set of assumptions and factors related to an organisation. We apply the VaR concepts from the financial markets to build out Cyber VaR:

  • Assets – these are the network infrastructure of an organisation
  • Values – these are the loss potential of service disruption, intellectual property, compliance failures etc located in the assets
  • Market changes – increase and decrease in the incidence of attack and its effectiveness

Using the data and historic information the CVaR can be calculated with growing certainty and so the risks/costs of an attack can be computed with confidence.  The challenges are modelling the network, value and market changes!
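The three inputs listed above (assets, the values at risk in them, and market changes in attack incidence) are enough to build a simple VaR-style simulation. The following is an added example written for this page, not Broadgate's CVaR model, whose internals are not published. It assumes that the number of successful attacks on each asset in a year is Poisson distributed, that the loss per event is lognormal, and that a market change can be expressed as a multiplier on attack frequency; the three assets and all rates and loss figures are constructed.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Asset:
    """One asset together with the loss potential located in it
    (service disruption, intellectual property, compliance failure)."""
    name: str
    annual_event_rate: float  # expected successful attacks per year (the "market" input)
    loss_median: float        # median loss per event, in GBP
    loss_sigma: float         # spread of the lognormal loss-per-event distribution


def poisson_sample(lam: float, rng: random.Random) -> int:
    """Draw a Poisson-distributed event count (Knuth's multiplication method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(assets, rng: random.Random, rate_multiplier: float = 1.0) -> float:
    """One simulated year: draw how many events hit each asset and a loss for each.
    rate_multiplier models a market change, e.g. 2.0 = attacks twice as frequent."""
    total = 0.0
    for a in assets:
        events = poisson_sample(a.annual_event_rate * rate_multiplier, rng)
        for _ in range(events):
            total += rng.lognormvariate(math.log(a.loss_median), a.loss_sigma)
    return total


def cyber_var(assets, confidence: float = 0.95, trials: int = 10_000,
              seed: int = 7, rate_multiplier: float = 1.0) -> float:
    """Cyber Value at Risk: the annual loss exceeded with probability 1 - confidence,
    read off the sorted simulated loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(assets, rng, rate_multiplier) for _ in range(trials))
    index = min(int(round(confidence * trials)), trials - 1)
    return losses[index]


def expected_annual_loss(assets, rate_multiplier: float = 1.0) -> float:
    """Closed-form mean of the same model, used to sanity-check the simulation:
    rate x mean of the lognormal, where the mean is median x exp(sigma^2 / 2)."""
    return sum(a.annual_event_rate * rate_multiplier * a.loss_median
               * math.exp(a.loss_sigma ** 2 / 2) for a in assets)


def simulated_mean_loss(assets, trials: int = 10_000, seed: int = 7) -> float:
    rng = random.Random(seed)
    return mean(simulate_annual_loss(assets, rng) for _ in range(trials))


# Constructed sample portfolio; rates and loss figures are invented for illustration.
SAMPLE_ASSETS = [
    Asset("Customer database", annual_event_rate=0.3, loss_median=250_000, loss_sigma=1.0),
    Asset("Online ordering platform", annual_event_rate=1.2, loss_median=40_000, loss_sigma=0.7),
    Asset("Office e-mail and file shares", annual_event_rate=2.0, loss_median=8_000, loss_sigma=0.5),
]

if __name__ == "__main__":
    print(f"Expected annual loss (analytic):  {expected_annual_loss(SAMPLE_ASSETS):,.0f}")
    print(f"Expected annual loss (simulated): {simulated_mean_loss(SAMPLE_ASSETS):,.0f}")
    for conf in (0.50, 0.95, 0.99):
        print(f"CVaR at {conf:.0%}: {cyber_var(SAMPLE_ASSETS, confidence=conf):,.0f}")
    print(f"CVaR at 95% if attack frequency doubles: "
          f"{cyber_var(SAMPLE_ASSETS, rate_multiplier=2.0):,.0f}")
```

The gap between the expected annual loss and the 95% or 99% CVaR is the point of the exercise: budgeting against the average year leaves the tail uncovered, and re-running with a higher `rate_multiplier` shows how sensitive that tail is to a change in the threat climate. The closed-form mean is there so that a modelling error in the simulation (a wrong distribution parameter, a mis-scaled rate) shows up as a mismatch rather than going unnoticed.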

So why does CVaR matter? Cyber Security like most control mechanisms comes down to risk management. Risk management needs real information and figures in order to be useful to a business. If it does not then it is just guesswork so could end up with focus on the wrong areas resulting in over spending and gaps in defences.

Different organisations, sectors and organisational profiles have differing risk profiles and exposures. Companies also have different risk appetites (which change at different stages of their development). So understanding YOUR Cyber Value at Risk is a significant tool to helping understand the risks to your organisation, the potential losses and how to focus your cyber investment. Broadgate’s ASSURITY product can help articulate the risks, costs and best path to resolution.
