
The most discussed dilemma organizations face about a ransomware attack is whether to pay the ransom or not.
The other dilemma is how to prioritize and justify control investment alternatives to reduce the likelihood and cost of a ransomware attack.
How many articles have you read about the top n recommendations to prevent a ransomware attack? How many calls have you had with vendors claiming that their solutions are the best for preventing a ransomware attack? You know there is no "silver bullet" control you can deploy to prevent ransomware. You also know that you don't have the budget or resources to deploy every recommendation.
In September 2021, NIST published its Preliminary Draft NISTIR 8374, Cybersecurity Framework Profile for Ransomware Risk Management. It contains 65 Subcategories from the NIST Cybersecurity Framework that apply to reducing the risk of a ransomware incident. While it's well organized and comprehensive, no organization can possibly implement controls to satisfy all 65 objectives in parallel. Even if budget were not a constraint, cybersecurity and IT resources are limiting factors.
NISTIR 8374 admits the difficulty of meeting 65 objectives. So it provides a short list of nine "basic preventative steps that an organization can take now." But implementing even these steps requires a risk management process to prioritize control investment decisions.
There is no one-size-fits-all set of recommendations. Every organization is different, with varying business goals, financial constraints, compliance requirements, risk profiles, IT architectures, and deployed administrative and technical controls.
So how do you prioritize and justify new control investment alternatives?
It took us over three years to refine our unique methodology and build our decision-support software that ties control investment decisions to risks such as ransomware. There are five underlying principles to our approach:
1. Business Risk. Cybersecurity risk is business risk. For some time now, all organizations have depended on information technology to operate. Therefore any risk to IT, such as cyber risk, is a business risk. The reason ransomware became so visible and concerning to leadership teams is that ransomware disrupts business operations.
While there are many types of costs associated with ransomware, lost revenue is the most impactful short-term cost. The lost revenue can wipe out a year's worth of profits or more.
A longer term issue is the reduced confidence your customers have in you as a supplier which can also result in lost revenue. Furthermore, an organization's weakened financial posture can result in higher borrowing costs and higher costs to attract and retain employees.
2. Threat Scenario Mapping. A successful ransomware attack does not happen due to a single weak, missing, or misconfigured control. Attackers have to execute a series of steps to achieve their goals. Therefore we defenders have multiple opportunities to detect and block the malware before the business is disrupted.
A useful cyber risk analysis process must model the overlapping and interleaved sequences of tactics and techniques used by adversaries (external and internal) to enter and move through your organization's IT infrastructure, be it in the cloud, on premises, or both. Think of this as a type of threat modeling.
We leverage MITRE ATT&CK®, which has become the industry's go-to resource for understanding attackers' tactics and techniques. We also cover OWASP® for web and mobile applications and APIs. To shorten time-to-value, we built easily customizable attack map templates.
3. Control Effectiveness. Determining the efficacy of controls individually is necessary but not sufficient for investment decision-making. A control's effectiveness in isolation may be very different from its effectiveness in concert, i.e., in the context of a specific risk like ransomware, your other deployed controls, and the attack paths into and through your organization.
This means the value of a control is affected by controls before and after it in the attack path. In other words, if you have a very effective control already in place for one specific attack path, adding another effective control before or after it will minimally improve your overall cyber posture.
4. Compliance vs. Security. It's widely understood that compliance does not equal security. The tension between meeting compliance requirements and actually reducing risk can be resolved by a risk analysis process that shows the degree to which each control contributes to overall cyber posture. Most cyber compliance frameworks either support the idea of using risk analysis to prioritize control selection or are moving in that direction.
The key point here is that if you need to meet a compliance requirement with a control that does not materially improve cyber posture, spend as little as possible on it.
5. Present cyber risk in dollars. Organizational leadership does not really care about how many vulnerabilities were patched last month, or any other detailed technical metric. It's simply not the language in which executives communicate. To make cyber risk meaningful to the leadership team, to help them understand the value of increasing the cyber budget, cyber risk must be presented in dollars, just like every other risk they track.
Monaco Risk uses a two-stage methodology:
1. Stack rank your deployed controls' contributions to overall cyber posture in the context of the ransomware risk and its corresponding attack map. (Surely ransomware is not the only risk of concern, but it's a good place to start.)
2. Run what-if scenarios to evaluate new, upgraded, removed, and/or replacement control alternatives you are considering to determine each one's impact on the risk of a ransomware attack.
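To make principle 3 (control effectiveness in concert) and the two-stage methodology concrete, here is an added illustration in Python, not Monaco Risk's own code or model: a toy attack map in which every stage, control and block probability is a constructed assumption and controls are treated as independent. It shows why a second control on an already well-covered path buys little while a control on an unguarded path buys a lot, ranks the deployed controls by the risk increase if each were removed, and expresses each what-if in dollars against a constructed loss figure.

```python
# Toy attack-map model of control effectiveness in concert (added illustration,
# not Monaco Risk's method). Stages, controls and block probabilities are
# constructed, and controls are assumed independent so their effects multiply.
# Constructed attack map: ordered stages an attacker must pass per path.
PATHS = {
    "phish_to_encrypt": ["phishing_email", "macro_execution", "lateral_movement", "encryption"],
    "rdp_to_encrypt": ["exposed_rdp", "credential_stuffing", "lateral_movement", "encryption"],
}
# Constructed controls: stage -> assumed probability the control blocks it.
CONTROLS = {
    "email_filter": {"phishing_email": 0.60},
    "awareness_training": {"phishing_email": 0.50},
    "app_control": {"macro_execution": 0.80},
    "mfa_on_rdp": {"credential_stuffing": 0.90},
    "edr": {"lateral_movement": 0.50, "encryption": 0.40},
    "net_segmentation": {"lateral_movement": 0.60},
}
DEPLOYED = {"email_filter", "app_control", "edr"}  # constructed baseline posture
ANNUAL_LOSS = 5_000_000  # constructed cost of one ransomware disruption (dollars)

def path_success_prob(path, deployed):
    """Probability one path succeeds: the attacker must pass every stage,
    and a stage is passed only if every control covering it fails to block."""
    p = 1.0
    for stage in PATHS[path]:
        for name in deployed:
            p *= 1.0 - CONTROLS[name].get(stage, 0.0)
    return p

def ransomware_prob(deployed):
    """Probability at least one path succeeds (paths treated as independent)."""
    all_fail = 1.0
    for path in PATHS:
        all_fail *= 1.0 - path_success_prob(path, deployed)
    return 1.0 - all_fail

def stack_rank(deployed):
    """Stage 1: rank deployed controls by how much risk rises if each were removed."""
    base = ransomware_prob(deployed)
    gains = {c: ransomware_prob(deployed - {c}) - base for c in deployed}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

def what_if(deployed, candidate, annual_loss=ANNUAL_LOSS):
    """Stage 2: expected-loss reduction in dollars from adding one candidate control."""
    drop = ransomware_prob(deployed) - ransomware_prob(deployed | {candidate})
    return drop * annual_loss

if __name__ == "__main__":
    print(stack_rank(DEPLOYED))  # edr first: it is the only cover on the RDP path
    for c in ("awareness_training", "net_segmentation", "mfa_on_rdp"):
        print(c, round(what_if(DEPLOYED, c)))  # second phishing control adds little
```

With the constructed numbers, adding MFA on the uncovered RDP path cuts far more expected loss than a second phishing-stage control behind an existing email filter, which is exactly the "before and after it in the attack path" effect described above.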
In summary, Monaco Risk helps you optimize and justify new cyber control investment alternatives in terms of (1) improvements in overall cyber posture and (2) reduction in risk in dollars.
What do you think? Let me know if you would like more information about our approach, or if you want to discuss your control investment dilemma.