In the game of Tetris, players assemble pieces of various shapes, called tetrominoes, to form complete lines. Once completed, the line disappears, and the player can proceed to populate the emptied spaces. Repeat ad infinitum till the screen is filled and no more pieces can descend! When puzzle-loving software engineer Alexey Pajitnov created Tetris, little did he know the impact it would have on the gaming industry, let alone its parallel to cybersecurity.
Much like Tetris, in cybersecurity, errors pile up while the accomplishments disappear quickly! Unless remedies are appropriately placed, vulnerabilities accumulate and clog the screen, leaving the enterprise paralysed. Without real-time monitoring, the security team is overwhelmed with several small, oddly shaped, and unaccounted pieces of the cybersecurity strategy. Tetris requires you to see the big picture before every move, and so does cybersecurity.
If the last year is to be taken as the worst year in history in terms of cyberattacks, businesses need to roll up their sleeves and brace for a worse 2021, unless they take concrete measures. There are four pillars upon which the cybersecurity of every company stands: employees, policies, technology, and third parties. However, when the WEF Global Risk Report 2021, PwC’s 24th CEO risk report, and other surveys across the world rank cybersecurity as one of the most significant threats to the global economy, one has to ask where businesses are falling short.
Despite the technological advancements in allied fields such as artificial intelligence and supervised machine learning available to simplify cybersecurity, it remains complicated, jargon-rich, and uninviting to employees who are not from the security team. Today, even after investing considerable funds to build a robust enterprise cybersecurity strategy, businesses fall prey to cyberattacks across vectors. Currently, enterprises leverage anywhere between 15 and 50 cybersecurity products/services to ensure that their four pillars remain intact. Still, they fail to collate the data to see a holistic enterprise-wide picture.
Enterprises need to simplify cybersecurity by viewing it as a whole rather than in a piecemeal fashion. Viewing security without relating it to the technology risk or ensuring GRC compliance without real-time third-party assessment provides a false sense of security. This siloed and complex approach to cybersecurity costs billions. Cybersecurity Ventures predicts that in 2021 cybercrime will cost the world USD11.4 million each minute, reaching USD10.5 trillion annually by 2025.
Let us think of the solution
To know how the cybersecurity services, tools, XDRs, EDRs, and outside-in or inside-out security solutions improve your cybersecurity posture, you need to know your cyber risk status before and after implementing these solutions. Here is where automated and quantified risk assessment is changing the game. For instance, our risk quantification product SAFE does so by accumulating billions of data points from each cybersecurity service and product and feeding them as inputs to a supervised ML-based AI-enabled quantification engine. The engine then assesses the breach-likelihood in various situations involving one or more pillars.
Making the risk quantification engine work
Every vertical within the cybersecurity framework of an organisation can be broken down to a granular level to depict its real-time security status. For instance, each employee’s individual ‘breach score’ is influenced by parameters such as their level of cyber-awareness, device configuration, and previous employment history, which help determine the likelihood of malicious insider threats. The other parameters include current employment status, whether they’re serving notice or due for a promotion, their family background and verification, financial factors like recent loans or investments, and the organisation’s policies around UEBA, CASB, and DLP to check suspicious employee behaviour in real-time, and more.
Similarly, every line of business, cloud instance, application, data center, device, IP address, third party, and ‘crown jewels’ can be mapped. API feeds from cloud-native scanners and cybersecurity tools are gathered across the enterprise, and signals from outside-in and inside-out scanners are collated and aligned with the existing cybersecurity policies and regulatory compliances. These are all considered inputs, which, when analysed with inherent risk factors such as geography, industry, and size, generate threat intel as an ‘output’. This helps correlate the threat quotient of a gap to the likelihood of its exploitation.
The process of monitoring, measuring, and mitigating risks in real-time with the help of automated risk assessment is possible in myriad ways, one of which is through a Bayesian Network. It is defined as a method for taking an event that has occurred and predicting the likelihood that one of several possible known causes was a contributing factor. The beauty of the Bayesian network is that it generates a result even with a single input. However, its ‘confidence metric’ is directly proportional to the number of input parameters. In other words, an increase in the number of signals fed into the network directly influences the accuracy of the generated breach-likelihood.
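An added illustration (not SAFE's engine and not code from this article) of the behaviour described above: a minimal Bayesian network with one breach node and conditionally independent signal nodes, which returns a breach-likelihood from a single input and revises it as more signals arrive. The signal names, every probability, and the `coverage` stand-in for the confidence metric are constructed assumptions.

```python
# Minimal two-layer Bayesian network: breach -> independent signals.
# All names and probabilities below are constructed for illustration.
PRIOR_BREACH = 0.05  # assumed inherent risk (geography, industry, size)

# signal: (P(signal is True | breach), P(signal is True | no breach))
SIGNALS = {
    "low_cyber_awareness":   (0.70, 0.30),
    "misconfigured_device":  (0.60, 0.20),
    "unpatched_application": (0.80, 0.25),
    "third_party_exposure":  (0.50, 0.15),
}


def breach_likelihood(observed):
    """Posterior P(breach | observed signals).

    `observed` maps signal name -> bool. Signals missing from the dict are
    unobserved and marginalise out, so a single input still gives a result.
    """
    p_breach, p_clean = PRIOR_BREACH, 1.0 - PRIOR_BREACH
    for name, value in observed.items():
        t_breach, t_clean = SIGNALS[name]  # KeyError on an unmodelled signal
        p_breach *= t_breach if value else 1.0 - t_breach
        p_clean *= t_clean if value else 1.0 - t_clean
    return p_breach / (p_breach + p_clean)


def coverage(observed):
    """Share of modelled signals fed in (assumed stand-in for confidence)."""
    return len(observed) / len(SIGNALS)


if __name__ == "__main__":
    # Constructed feed: signals arrive one at a time from different tools.
    feed = [
        ("low_cyber_awareness", True),
        ("misconfigured_device", True),
        ("unpatched_application", True),
        ("third_party_exposure", False),  # a clean finding lowers the score
    ]
    seen = {}
    print(f"prior only: {breach_likelihood(seen):.4f}")
    for name, value in feed:
        seen[name] = value
        print(f"{name}={value}: likelihood={breach_likelihood(seen):.4f} "
              f"coverage={coverage(seen):.2f}")
```

The posterior is not monotonic in the number of signals: a clean third-party finding pulls the estimate back down, which is why the coverage figure is reported separately from the likelihood.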
The objective of having a robust cybersecurity strategy is to consistently and precisely answer one question: how secure is the organisation? This objective is continually mislabeled due to the lack of simplicity, despite the availability of means to do so! Cybersecurity needs to be easy, understandable, and simple – much like the game of Tetris – and automation, with the help of AI and ML, can help you predict the shape of the troublesome tetrominoes! Therefore, an organisation can confidently plan its Enterprise Cybersecurity Strategy through data-driven mitigation techniques with the power of prediction.
By Saket Bajoria, VP- Product Management and Customer Success, Safe Security