When I meet with CISOs and Cyber Security Directors, they usually ask which use cases they should target first. I generally proceed with a few simple questions and then recommend going after general use cases, low-hanging fruit, or a strategy based on how mature their organization is.
During this session, you’ll find out what questions I ask, what answers I get, and why I propose approaching a cyber security response using FAIR + ATT&CK + SOAR.
Risk and compliance managers and disaster recovery experts have been applying a variety of risk models to organizations and businesses for many years, and they have only just begun the complex process of truly understanding cyber risk. Part of the reason that cyber security insurance exists for corporations is that it gives risk and compliance managers a way to protect the organization from liabilities that may be out of their control, or that they simply do not understand within the cyber security problem domain. One of the core reasons behind this is that risk and compliance managers focus on corporate risks such as disaster recovery or compliance risks like GDPR, PCI, SOX and HIPAA, which do not really protect the organization from, or reduce the risk of, cyber threats. While useful, these risks are a somewhat different realm from protecting the organization against cyber security threats or reducing risk on a continuous basis within its cyber security program. The result of all of this is a lack of focus on improving cyber security response strategies for potential or real breaches to the organization, when or if they occur.
When developing cyber security response strategies, it is obvious to CSOs, incident responders and security operations staff that they should develop solutions based on either the quantity of alerts, the cyber threat event frequency, responding to known vulnerabilities, or simply going after and protecting against low-hanging fruit or the things that take the most time within the organization.
However, cyber security response activities generally do not align with the overarching goals of risk managers or compliance officers, nor do risk management teams necessarily understand cyber security risks. The primary reason is that risk managers and compliance managers think in terms of loss of financial or reputational value to the organization. It is much easier for risk managers to understand the expected financial or reputational loss if a building burns down than the financial or reputational loss to the organization if an intern's laptop is breached.
So how can we improve this game of whack-a-mole? This is where combining the FAIR (Factor Analysis of Information Risk) model with MITRE ATT&CK and a SOAR (Security Orchestration and Automated Response) strategy can enable organizations to prioritize their cyber security response strategies and processes. In this talk, I will discuss the basics of the FAIR model and the ATT&CK framework, and address how combining them with SOAR to prioritize an organization's response capability can reduce risk for the organization. Reducing real cyber risk to an organization requires an active commitment to risk management combined with a continuous approach to cyber security response, not just by the CISO or Directors of Security within the organization, but by the risk management staff who stand beside them.
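As an added illustration that is not part of the talk, the following Python sketch ranks constructed, ATT&CK-mapped loss scenarios by a FAIR-style annualized loss expectancy (Loss Event Frequency = Threat Event Frequency x Vulnerability; Loss Magnitude = primary + secondary loss) and compares that order with a ranking by alert volume, so that SOAR playbook effort follows risk rather than ticket counts. The technique IDs are real ATT&CK identifiers; every frequency, probability, dollar figure and playbook name is a constructed assumption.

```python
"""FAIR-style ranking of ATT&CK scenarios to prioritize SOAR playbooks (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    technique: str        # ATT&CK technique ID
    name: str
    tef: float            # Threat Event Frequency: attacker contacts per year (alert volume proxy)
    vulnerability: float  # Probability a threat event becomes a loss event
    primary_loss: float   # USD per loss event: response, replacement, lost productivity
    secondary_loss: float # USD per loss event: fines, legal, reputation
    playbook: str         # SOAR playbook (hypothetical name) that would shorten response


# Constructed figures; in practice these come from calibrated estimates and incident history.
SCENARIOS = [
    Scenario("T1566", "Phishing", 200, 0.05, 15_000, 5_000, "phishing-triage"),
    Scenario("T1078", "Valid Accounts", 40, 0.10, 50_000, 100_000, "credential-compromise"),
    Scenario("T1486", "Data Encrypted for Impact", 2, 0.25, 500_000, 1_000_000, "ransomware-containment"),
    Scenario("T1110", "Brute Force", 500, 0.01, 2_000, 0, "credential-compromise"),
]


def loss_event_frequency(s: Scenario) -> float:
    return s.tef * s.vulnerability                      # FAIR: LEF = TEF x Vulnerability


def loss_magnitude(s: Scenario) -> float:
    return s.primary_loss + s.secondary_loss            # FAIR: LM = primary + secondary loss


def annualized_risk(s: Scenario) -> float:
    return loss_event_frequency(s) * loss_magnitude(s)  # expected annual loss in USD


def rank_by_alert_volume(scenarios):
    """The 'most alerts first' ordering many SOCs fall into."""
    return [s.technique for s in sorted(scenarios, key=lambda s: s.tef, reverse=True)]


def rank_by_risk(scenarios):
    """The FAIR ordering: highest expected annual loss first."""
    return [s.technique for s in sorted(scenarios, key=annualized_risk, reverse=True)]


def prioritize_playbooks(scenarios, how_many: int):
    """Aggregate risk per playbook (a playbook may cover several techniques) and pick the top ones."""
    totals: dict[str, float] = {}
    for s in scenarios:
        totals[s.playbook] = totals.get(s.playbook, 0.0) + annualized_risk(s)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:how_many]


if __name__ == "__main__":
    print("by alert volume:", rank_by_alert_volume(SCENARIOS))
    print("by FAIR risk:   ", rank_by_risk(SCENARIOS))
    print("playbooks first:", prioritize_playbooks(SCENARIOS, 2))
```

With these inputs, Brute Force tops the alert-volume list while the risk list puts Data Encrypted for Impact and Valid Accounts first, which is the gap between "low-hanging fruit" and reduced cyber risk that the talk is about.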
Key take-aways: