Un-siloed enterprise-wide cyber risk strategies: Make simplification the norm

In the game of Tetris, players assemble pieces of various shapes – tetrominoes – to form complete lines. Once completed, the line disappears, and the player can proceed to populate the emptied spaces. Repeat ad infinitum till the screen is filled and no more pieces can descend! When puzzle-loving software engineer Alexey Pajitnov created “Tetris”, little did he know the impact it would have on the gaming industry, let alone its parallel to cybersecurity.

Much like Tetris, in cybersecurity, errors pile up while the accomplishments quickly disappear! Unless remediations are appropriately placed, vulnerabilities accumulate and clog the screen, leaving the enterprise paralyzed. Without real-time monitoring, the security team is overwhelmed with several small, oddly shaped, and unaccounted-for pieces of the cybersecurity strategy. Tetris requires you to see the big picture before every move, and so does cybersecurity.

If last year is to be taken as the worst year in history in terms of cyberattacks, businesses need to roll up their sleeves and brace for a worse 2021 unless they take concrete measures. Every company has four pillars upon which its cybersecurity stands – Employees, Policies, Technology, and Third-Party. However, when the WEF Global Risk Report 2021, PwC’s 24th CEO risk report, and other surveys across the world rank cybersecurity as one of the most significant threats to the global economy, one has to ask where businesses are drawing the short straw.

Despite the technological advancements in allied fields, such as Artificial Intelligence and Supervised Machine Learning, available to simplify cybersecurity, it remains complicated, jargon-rich, and uninviting to members of the company who are not on the security team. Today, even after investing considerable funds to build a robust enterprise cybersecurity strategy, businesses fall prey to cyber-attacks across vectors. Currently, enterprises leverage anywhere between 15 and 50 cybersecurity products/services to ensure that their four ‘pillars’ remain fortified. Still, they fail to collate the data to see a holistic enterprise-wide picture.

Enterprises need to simplify cybersecurity by viewing it as a whole rather than in a piecemeal fashion. Viewing people-security without correlating it to the technology risk, or ensuring GRC compliance without real-time third-party assessment, provides a false ‘sense of security.’ This siloed and complex approach to cybersecurity costs billions! Cybersecurity Ventures predicts that in 2021 cybercrime will cost the world $11.4 million each minute, reaching $10.5 trillion annually by 2025.

What is the solution?

To know how the cybersecurity services, tools, XDRs, EDRs, and outside-in or inside-out security solutions improve your cybersecurity posture, you need to know your cyber risk status before and after implementing these solutions. This is where automated and quantified risk assessment is changing the game. For instance, our risk quantification product SAFE does so by accumulating billions of data points from each cybersecurity service/product and feeding them as inputs to a supervised-machine-learning-based, AI-enabled quantification engine. The engine then assesses the breach likelihood in various situations involving one or more pillars.

How should the risk quantification engine function?

Every vertical within the cybersecurity framework of an organization can be granulated to depict its real-time security status. For instance, each employee’s individual “breach score” is influenced by parameters such as

  • their cyber-awareness,
  • device configuration,
  • previous employment history (to determine the likelihood of malicious insider threats),
  • current employment status (whether they’re serving notice, due for a promotion, etc.),
  • their family background and verification,
  • financial factors (recent loans or investments),
  • the organization’s policies around UEBA, CASB, DLP to check suspicious employee behavior in real-time, and more.

Similarly, every Line of Business, Cloud Instance, Application, Data Center, Device, IP Address, Third-party, Crown Jewels can be mapped. API feeds from cloud-native scanners & cybersecurity tools are gathered across the enterprise, and signals from outside-in & inside-out scanners are collated and aligned with the existing cybersecurity Policies & Regulatory Compliances. These are all considered “input,” which, when analyzed with inherent risk factors such as Geography, Industry, & Size, generates threat intel as an “output”. This helps correlate the threat quotient of a gap to the likelihood of its exploitation.

The process of monitoring, measuring, and mitigating risks in real-time with the help of automated risk assessment is possible in myriad ways, one of which is through a Bayesian Network. It is defined as “a method for taking an event that has occurred and predicting the likelihood that one of the several possible known causes was a contributing factor.” The beauty of the Bayesian network is that it generates a result even with a single input. However, its ‘confidence metric’ is directly proportional to the number of input parameters. In other words, an increase in the number of signals fed into the network directly influences the accuracy of the generated breach likelihood.
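The following is an added illustration, not code from Safe Security or the SAFE product, of how a Bayesian network turns the kind of per-employee signals listed above (cyber-awareness, device configuration) into a breach likelihood. Every probability in it is a constructed, hypothetical value, and the three-node network, the enumeration-based inference and the `sensitivity_range` confidence measure are this example's own choices. It demonstrates the two properties described above: the network answers with any subset of signals observed, and the answer becomes firmer as more signals arrive, shown here as the shrinking interval the posterior could still move within once the missing signals are known. It also runs the "diagnostic" query from the quoted definition, asking how likely a known cause (low awareness) contributed given that a breach occurred.

```python
"""Tiny discrete Bayesian network with exact inference by enumeration.

Constructed example: two binary employee signals feed a "breach" node.
Evidence may be partial; the query still returns an answer, and a simple
confidence measure tightens as more signals are observed.
"""
from itertools import product

# Constructed network (hypothetical probabilities, not real data).
# Each node maps to (parents, CPT); the CPT maps a tuple of parent values
# to P(node = True).
NETWORK = {
    "low_awareness": ((), {(): 0.30}),          # employee's cyber-awareness is low
    "weak_device":   ((), {(): 0.40}),          # device configuration is weak
    "breach": (("low_awareness", "weak_device"), {
        (True, True): 0.40,
        (True, False): 0.15,
        (False, True): 0.20,
        (False, False): 0.05,
    }),
}


def joint_probability(assignment):
    """P(all nodes take the values in `assignment`) via the chain rule."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(target, evidence):
    """Return P(target=True | evidence), summing the joint over hidden nodes.

    Works with any subset of nodes observed, including none: that is the
    "result even with a single input" property of the text.
    """
    hidden = [n for n in NETWORK if n != target and n not in evidence]
    numerator = 0.0
    denominator = 0.0
    for target_value in (True, False):
        for values in product((True, False), repeat=len(hidden)):
            full = dict(evidence)
            full[target] = target_value
            full.update(zip(hidden, values))
            p = joint_probability(full)
            denominator += p
            if target_value:
                numerator += p
    return numerator / denominator


def sensitivity_range(target, evidence):
    """Width of the interval the posterior could still move within once
    every remaining signal is observed (0.0 when nothing is hidden).

    A hypothetical confidence measure: a narrower interval means the
    missing signals could change the answer less.
    """
    hidden = [n for n in NETWORK if n != target and n not in evidence]
    posteriors = []
    for values in product((True, False), repeat=len(hidden)):
        full = dict(evidence)
        full.update(zip(hidden, values))
        posteriors.append(query(target, full))
    return max(posteriors) - min(posteriors)


if __name__ == "__main__":
    # Predictive queries with 0, 1 and 2 signals observed.
    for evidence in ({}, {"low_awareness": True},
                     {"low_awareness": True, "weak_device": True}):
        print(f"evidence={evidence}: P(breach)={query('breach', evidence):.3f}, "
              f"undecided range={sensitivity_range('breach', evidence):.2f}")
    # Diagnostic query: a breach happened; how likely was low awareness a factor?
    print(f"P(low_awareness | breach) = {query('low_awareness', {'breach': True}):.3f}")
```

With no signals the breach likelihood is the prior marginal and the undecided range is the full spread of the CPT; observing one signal moves the estimate and halves the number of unknown configurations; observing both collapses the range to zero. A production engine would have many more nodes and would learn the CPTs from data, but the mechanics of partial evidence and tightening confidence are the same.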

The objective of having a robust cybersecurity strategy is to consistently and precisely answer one question: how secure is the organization? This objective is continually missed for lack of simplicity, despite the availability of the means to achieve it! Cybersecurity needs to be easy, understandable, and simple – much like the game of Tetris – and automation, with the help of AI and ML, can help you predict the shape of the troublesome tetrominoes! Therefore, an organization can confidently plan its Enterprise Cybersecurity Strategy through data-driven mitigation techniques with the power of prediction.

The author is Saket Bajoria, VP- Product Management and Customer Success, Safe Security.
