Solid cyber risk management depends on good defense metricsReprints
Cyber security is vital for corporations and individuals alike, but its practice is hamstrung by a lack of effective data, loose monitoring and impediments to sharing the data that does exist. Sean Connors, vice president of cyber security at System Soft Technologies L.L.C., talks about the issues and offers strategies for overcoming them.
Actuaries employed by cyber security insurers face significant challenges in accessing accurate and relevant data, largely because there's not enough to perform generalized linear modeling, a specialized class of nonlinear models that use linear methods.
A major reason is a lack of historical data on cyber security incidents because of their relative newness. And the data that does exist typically consists of only reported incidents (many go unreported) and network noise (which includes attack attempts).
Then, there's the unwillingness of companies to share incident data in an industry that has quickly become highly regulated, driven by large government fines for noncompliance.
Incidents and attempts
Generalized linear modeling requires vast amounts of data, referred to as Big Data, collected by recording network traffic to and from IP addresses (the internet protocol used to route information to websites and devices). This data, collected over the last few years, is growing exponentially and is made available to defense companies for analysis. This network data, used to do forensics on incidents and real-time analysis to attempt to prevent attacks, is gathered mostly from “front facing” websites, those accessible to the public, and inadequately protected internal networks. This leaves out copying of files/data via USB or anything that happens on your local area network or PCI networks (for merchant credit cards), which are mostly hidden.
Aiding in data collection are large networks of honeypots (fake servers posing as companies with a weakened defense) to capture attacks for analysis. Like they do for bears, honeypots attract malware to identify it and learn how it works. Then, a “fingerprint” is made and passed to the shared database of malware and viruses.
Incident modeling problems
The 2013 attack on the payment systems at Target Corp. stores is one example of the complexity of the issue. Hackers accessed the data of more than 70 million shoppers, a breach that has generated nearly $150 million in total losses for the retailer. But looking at the cyber “noise” at Wal-Mart Stores Inc. at the same time as the Target breach sheds little light on the latter. Incident modeling at the time put Wal-Mart at a higher risk because it has more suppliers, adjusted for size. But what Wal-Mart didn't have was the rogue supplier suspected of opening the door at Target.
Such complexity is another reason cyber security is not as easily modeled as “hard” risks such as home invasion.
Using incidents to determine the risk or likelihood of a home break-in, you would check incidents by area, like the blog SpotCrime does.
If you were to use defenses for risk assessment, you would check:
• Security systems or applications: deadbolt door locks, burglar alarms, closed-circuit video surveillance
• Network: gated neighborhood, location, who is coming and going
• Awareness: training residents to turn on an alarm when they leave or sleep
• Forensics: checking for suspicious activity and vulnerability
• Internal defenses: a watchdog, interior door locks, a safe.
Similarly, a large number of cyber security solutions providers offer a wide range of defenses, with varied degrees of effectiveness. Most companies use multiple products such as firewalls, application patching (ongoing software updates that don't require a system shutdown) and networking with endpoint security products including smartphones, tablets, bar code readers and point-of-sale terminals, the devices compromised in the Target breach. Some use training courses, and many scan for malware and viruses. Forensics is a growing discipline with many cyber security solutions providers delivering solutions using available big data.
All are guided by core functions of the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce: identify, protect, detect, respond and recover. For example, the first step — identification — requires the following types of measurements.
What is measured and how
Because cyber security encompasses a wide framework — hardware, software, people, communication, infrastructure — measurements boil down to a people issue.
The basic methodology is based on a Capability Maturity Model, traditionally used in software development, by inspecting the level and effectiveness of the defenses against data loss, hacking, viruses, phishing and such within a company's IT infrastructure.
They are set out in the Cybersecurity 5 Layout, or CS5L, assessment tool:
• Application security (software systems)
• Network security (communications)
• Security awareness (people, capabilities, procedures)
• Internal defense (malware and virus scanning, policies, controls)
• Forensics (investigation and real-time monitoring)
Layouts, defenses, defense sectors and background are measured using Capability Maturity Modeling to determine a standard process that insurance actuaries can use to identify risk areas and set premiums.
Set up as a tool for cyber security risk auditors, the process begins with a cyber ID issued through a secure system managed by regulatory bodies. Auditors assign people to oversee each area to be monitored — self-optimizing, managed, defined and measured, repeatable and initial — and manage them to determine a score.
This process will create defense-based data for cyber risk assessments, which is more potent than incident data.
It seems obvious to measure defenses rather than incidents using big data, and in doing so a measurement process evolves that provides real data for risk analysis.
The road forward is to measure companies and their suppliers with an all-inclusive standardized process that holds a path to capability maturity. This will give insurers a score, much like a credit score, to quantify cyber risk.
Sean Connors is vice president of cyber security at System Soft Technologies L.L.C., which provides IT consulting and solutions. He can be reached at firstname.lastname@example.org or 727-723-0801, ext. 337.