Patent 3070685 Summary

(12) Patent Application: (11) CA 3070685
(54) English Title: CYBER RISK SEGMENTATION, QUANTIFICATION AND VISUALIZATION METHODOLOGY
(54) French Title: METHODOLOGIE DE SEGMENTATION, DE QUANTIFICATION ET DE VISUALISATION DU CYBER-RISQUE
Status: Deemed Abandoned and Beyond the Period of Reinstatement - Pending Response to Notice of Disregarded Communication
Bibliographic Data
Abstracts

English Abstract


Patent Description - Cyber risk segmentation, quantification and visualization methodology
Abstract
The invention is a method of performing dynamic system modeling to enable the automated measurement, calculation and representation of inherent and residual risks across an organization's set of assets and related attack surfaces and broader ecosystem (e.g. 3rd party service providers). This is based on defining a relational model representing the organization's most important assets (e.g. mission critical processes), attack surface (e.g. applications and supporting infrastructure), controls, relevant threats, the associated logic enabling qualitative and quantitative risk scoring and the required data inputs (moving from one time entry to ongoing feeds to enable continuous monitoring).
1
CA 3070685 2020-02-02


Claims

Note: Claims are shown in the official language in which they were submitted.


The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:
1. Methodology to organize and depict an organization at different levels (e.g. enterprise, business unit, function) by using the concept of an asset cluster, defined herein. For a given industry, an organization can be depicted as a series of asset clusters that are aligned to business segments, products, service and/or processes depending on how the organization is structured. For example, for a financial institution asset clusters could be defined as the lines of business (e.g. wealth management). Alternatively, the asset clusters could be developed to reflect critical functions such as real-time high value payments processing vs. batch payments. These clusters can be modelled at different degrees of detail. For example, within the given example of payments functions, the supporting applications, infrastructure and data can be defined within that cluster.
The benefits of grouping assets in this way include:
  - Ability to depict large and complex organizations in terms of their value generating assets and controls to secure them against evolving threats for organization
  - Ability to model organization as part of broader ecosystem including 3rd parties and identify systemic dependencies
  - Design (i.e. security architecture) and analytical purposes; model can be specified at industry level or organization level
  - Ability to drill down as required from the enterprise to segment parts and related data through a common data taxonomy
  - Ability to depict assets in terms of value chain, process flow, data flow, kill chain
  - View your organization in a modular fashion and identify distinct infrastructure and opportunities to consolidate (efficiency) and render distinct (security) elements - e.g. network segmentation
2. The specifics of defining an organization and related systems in terms of asset clusters are listed below
  a. An asset cluster is defined as a logical grouping of assets (e.g. databases, infrastructure, people that are on-premise, in the cloud or 3rd party vendor) that is scoped based on defined criteria (e.g. part of the same business unit, servicing a business-critical process, dependent on same critical infrastructure). The grouping logic can vary based on need. For instance, an asset cluster could be an entire enterprise or a grouping of critical assets (e.g. payment center).
  b. For a given logical grouping, each asset cluster has five primary sets of characteristics: first, its functional grouping (i.e. what products/services does it represent), second, its attack surface (i.e. channels, applications, infrastructure, people, locations, suppliers), third, the most critical assets (e.g. applications, data), fourth, the related controls (e.g. identity, detect, protect, respond and recover) and fifth, the risk profile, which can be broken down into confidentiality, integrity, availability and loss of life/injury risks. See Diagram B for more details
  c. The components comprising the surface element can be divided into six different categories: Channels, Applications, Infrastructure, People, Locations and Suppliers, defined as below.
    i. Channels - different ways in which a customer can interact with an organization, such as a call center
    ii. Applications - the programs an organization uses to conduct work - e.g. web facing customer application
    iii. Infrastructure - the servers supporting applications and network infrastructure
    iv. People - employees and contractors working for the organization, customers
    v. Locations - physical location of where a channel, application, infrastructure, person and/or supplier is based
    vi. Suppliers - third/fourth party provider of services
  These surface elements provide a taxonomy to describe "how" an organization can be breached/compromised by threat actors. As such, these elements can be easily related to concepts such as kill chain and the required compensating controls. Another critical element is understanding that these surface elements are related to each other - e.g. an application (customer portal) is accessed via a channel (online) and is enabled by infrastructure (server) hosted in a location (Toronto) provided by a supplier (Cloud provider) and is operated by people (employees and contractors).
  d. The attack surface and control elements of the asset cluster can be organized in different ways for different purposes. For example, the attack surface elements can be aligned to a business process (e.g. call center complaint handling) to show the flow of data across the different attack surface elements. See Diagram B for more details. Similarly, these elements can be used to structure the narrative around a cyber attack in terms of an attacker's actions and an organization's response. See Diagram G for an example
  e. The characteristics of an asset cluster can be expressed at different levels - for example for controls, data protection related control can be expressed at a capability level (data protection) or a given technology that is enabling the control for the organization (e.g. software product A). Similarly, the attack surface can be depicted at a category level - e.g. "Application" and then at a sub-category level - e.g. in-house vs. vendor operated. See Diagram B for more details
  f. The relationship between these described elements is critical for quantification of risk, as seen below
  g. For each of these characteristics described at different levels, there are different associated data points for each of these elements. For instance, the number of internet-facing applications operated by an FI can be recorded and mapped against the asset cluster.
  h. These data points can be used for multiple purposes. Primarily, they can be used to inform inherent and residual risk. For example, in the case of an application, the fact that it is internet-facing will increase its inherent risk profile of the attack surface of an organization.
  i. For capabilities and controls, there are also associated characteristics and measurements. For instance, the self-assessed maturity of a data loss protection capability or related tool can be used to inform the residual risk profile of an organization.
  j. Note that it is possible to align some elements of the above definition of an asset cluster to existing methodologies such as the COSO Integrated Framework. However, the specific innovation detailed in this methodology is the explicitly defined relationships to attack surface and control elements and how these are defined, measured and used for risk calculation purposes on a one-time and ongoing basis.
3. Once defined as above, asset clusters can be used to calculate inherent and residual risk as per the following methodology:
  a. To enable risk quantification, the concept of threats can be introduced for an asset cluster and the relational model to the surface, controls and critical assets. For this given process and attack surface, a specific threat actor and technique can be specified to show how data can be compromised in different ways, for example employing a kill chain. This can be used to highlight where certain types of controls are most beneficial to reduce risk. This view is further enhanced by the inclusion of the current status of the controls (e.g. where controls are reported as deficient) to highlight the key gaps the organization needs to close. This threat axis is important for the calculation of Inherent and Residual risk, as seen below. See Diagram C for more details
  b. Defining the relational model as such enables the straightforward calculation of the following, as per Diagram D below:
    i. Scoping/sizing of the asset cluster - e.g. high value transaction processing systems; can be done at a broader scale such as
    ii. Inherent Risk (IR) - at its most basic level, the inherent risk of a given asset cluster can be expressed as the following:
      Sum of loss of:
      1. Confidentiality - cost per record lost, potential regulatory and legal fines ($)
      2. Integrity - maximum potential or historical value of lost funds ($)
      3. Availability - outage cost ($)
    iii. (optional) Relevancy (R) - an additional aspect that can be introduced when estimating the potential impact of a threat on a given attack surface, but requires additional data points (e.g. technology footprint of the organization)
    iv. Applicability (A) - captures the relationship between the threat technique and the corresponding control - e.g. there would be a high degree of applicability of a 3rd party governance related control to mitigating a 3rd party related threat
    v. Coverage (C) - measures to what extent the control covers the organization's attack surface
    vi. Effectiveness (E) - expresses the overall health of the control from both a design and operating effectiveness perspective
    vii. Residual Risk (RR) - in simplest form, can be expressed as the following, recognizing the baseline calculation requires the least amount of data points:
      RR = IR - (C x E).
This activity can be performed on a one-time basis and, more progressively, be linked to data feeds to provide ongoing monitoring.
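The calculation in claim 3 can be sketched in Python as follows. This is an added example, not part of the patent text: it assumes A, C and E are fractions between 0 and 1, reads the baseline RR = IR - (C x E) as IR reduced by the share C x E, and treats several controls as independent layers. The class names, technique labels and dollar figures are constructed for illustration.

```python
"""Asset cluster risk model: IR, C, E, A and RR (added example, constructed data)."""
from dataclasses import dataclass, field, replace

# The six attack surface categories listed in claim 2(c).
SURFACE_CATEGORIES = ("channel", "application", "infrastructure",
                      "people", "location", "supplier")


def _check_fraction(label, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {value}")


@dataclass(frozen=True)
class SurfaceElement:
    name: str
    category: str

    def __post_init__(self):
        if self.category not in SURFACE_CATEGORIES:
            raise ValueError(f"unknown surface category: {self.category}")


@dataclass
class Control:
    name: str
    covers: frozenset       # names of the surface elements the control protects
    effectiveness: float    # E: design and operating health (assumed 0..1 scale)
    applicability: dict     # A: threat technique -> 0..1 (assumed scale)

    def __post_init__(self):
        _check_fraction("effectiveness", self.effectiveness)
        for technique, value in self.applicability.items():
            _check_fraction(f"applicability[{technique}]", value)


@dataclass
class AssetCluster:
    name: str
    loss_confidentiality: float   # $ cost of records lost, fines
    loss_integrity: float         # $ value of lost funds
    loss_availability: float      # $ outage cost
    surface: list = field(default_factory=list)
    controls: list = field(default_factory=list)

    def inherent_risk(self):
        """IR: sum of confidentiality, integrity and availability losses."""
        return (self.loss_confidentiality + self.loss_integrity
                + self.loss_availability)

    def coverage(self, control):
        """C: share of this cluster's surface elements the control covers."""
        names = {element.name for element in self.surface}
        return len(control.covers & names) / len(names) if names else 0.0

    def residual_risk(self, technique=None):
        """RR in dollars. With technique=None every control counts as fully
        applicable, which is the baseline that needs only C and E."""
        remaining = 1.0
        for control in self.controls:
            a = 1.0 if technique is None else control.applicability.get(technique, 0.0)
            # Assumption: A x C x E is the share of IR this control removes,
            # and controls act as independent layers.
            remaining *= 1.0 - a * self.coverage(control) * control.effectiveness
        return self.inherent_risk() * remaining


def risk_reduction(cluster, technique, control_name, new_effectiveness):
    """Dollar drop in RR if one control's effectiveness is raised (planning view)."""
    improved = [replace(c, effectiveness=new_effectiveness) if c.name == control_name else c
                for c in cluster.controls]
    return (cluster.residual_risk(technique)
            - replace(cluster, controls=improved).residual_risk(technique))


def sample_cluster():
    """Constructed payments cluster; all names and dollar figures are illustrative."""
    surface = [SurfaceElement("online", "channel"),
               SurfaceElement("customer portal", "application"),
               SurfaceElement("portal server", "infrastructure"),
               SurfaceElement("cloud provider", "supplier")]
    dlp = Control("data loss protection",
                  frozenset({"customer portal", "portal server"}),
                  effectiveness=0.8,
                  applicability={"data_theft": 1.0, "third_party_compromise": 0.25})
    governance = Control("3rd party governance", frozenset({"cloud provider"}),
                         effectiveness=0.6,
                         applicability={"third_party_compromise": 1.0})
    return AssetCluster("payments", 6_000_000, 3_000_000, 1_000_000,
                        surface=surface, controls=[dlp, governance])


if __name__ == "__main__":
    cluster = sample_cluster()
    print(f"IR: ${cluster.inherent_risk():,.0f}")
    for technique in (None, "data_theft", "third_party_compromise"):
        print(f"RR[{technique or 'baseline'}]: ${cluster.residual_risk(technique):,.0f}")
    gain = risk_reduction(cluster, "third_party_compromise", "3rd party governance", 1.0)
    print(f"Raising governance effectiveness to 1.0 removes ${gain:,.0f}")
```

Because coverage is derived from the surface elements a control actually protects, adding an uncovered element to the cluster lowers C and raises residual risk without any change to the control itself.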
Diagrams
Diagram A - Methodology Overview
Diagram B - Asset Cluster Components
Diagram C - Residual Risk Calculation Elements
Diagram D - Residual Risk Calculation Methodology
Diagram E - Surface Model example for Banking
Diagram F - Reporting example for Banking
Diagram G - Depiction of cyber attack narrative using surface and control elements


Description

Note: Descriptions are shown in the official language in which they were submitted.


Patent Description - Cyber risk segmentation, quantification and visualization methodology
Background of the invention
1. Field of the invention
  a. This invention relates generally to cyber security as a sub-set of operational risk, and more particularly the measurement and presentation of cyber risk for an organization and related entities, be it a business segment/line of business, organization or business ecosystem.
  b. There are many urgently needed applications of this method, including:
    i. Providing efficient and consistent automated risk and control assessments that reduce manual effort and increase comparability (e.g. which business unit holds more inherent vs. residual risk) and lay the foundation for greater situational awareness via ongoing monitoring.
    ii. Enabling highly configurable, comprehensive and data driven views of inherent and residual risk that can be communicated to business, IT and information security professionals in both qualitative (e.g. heat map scoring) and quantifiable (e.g. dollar value) terms. One specific application would be the creation of a "digital twin" for risk management to visually depict an organization and show areas of higher risk (e.g. failure of a critical system leading to injury or loss of life) vs. lower risk (e.g. limited financial loss).
    iii. Allowing for dynamic and interactive planning of cyber security related initiatives - e.g. modelling what impact a given initiative will have on the cyber resiliency of an organization, but expressed in terms of financial impact and return-on-investment (e.g. a $2 million investment in a new customer identity and management solution will lead to a potential risk reduction of $10 million)
2. Description of the related art
  a) The measurement, quantification and representation of cyber risk is a relatively new and inconsistently defined practice, with the following observed issues:
    i. First, while there are existing methods for defining, measuring and articulating risk through measurement of control conditions and assigning likelihood and impact, these methods do not formally relate the control conditions to the services and technology solutions of the organization (i.e. calculating the amount of coverage of protective controls such as data loss protection tools across all the endpoints of an organization), nor do they clearly state the financial impact of the data loss related to the failure of the control due to a threat actor compromising the endpoint. Put another way, there is no clearly defined methodology to align the threat (e.g. cyber criminals looking to steal data), surface (e.g. system endpoints such as a laptop), control (e.g. firewalls, data loss protection systems) and asset components (e.g. sensitive client data) in a consistent and practical manner.
    ii. Second, while there is a growing multitude of data available for risk measurement and reporting, this data is disparate in nature with no common taxonomy or logic to assign consistent values (e.g. application log data vs. application risk assessment outputs).
    iii. Third, the practices of collecting and analyzing cyber risk related data are highly manual and inconsistent.
    iv. Fourth, while there are existing standards for technology and security architecture (e.g. TOGAF), they do not lend themselves to an easy to understand view of logical and physical architecture and the related inherent and residual risk and overall organization performance.
    v. Fifth, the rate of change in the external threat environment, evolution of the technology landscape, increased reliance on 3rd party vendors and the proliferation of data in organizations make it even more imperative that organizations possess an end to end view of their most critical assets, the related attack surface and coverage of controls as they change over time.
  b) The claimed invention describes the method and components that form the organizational environment and the relational elements that govern the interaction between them to drive specific outcomes (e.g. consistent quantification of cyber risk and ability to visualize how changes in the organization's technology infrastructure impact risk) to address the needs and challenges listed above. The way the method has been defined allows for a progressive (i.e. increasing fidelity and timeliness based on quality and frequency of data and maturity of practices) approach for threat/risk quantification and visualization across different industries and organization types (e.g. modelling an ecosystem of vendors for financial organizations dependent on outsourcers for payment processing vs. oil and gas distribution companies that have outsourced their fuel distribution fleet). There are at least three specific innovations here:
    i. Definition of models that are specific enough to operationalize (e.g. the ability to identify, collect, derive and represent risk through the interaction of threat, surface and control elements in a progressive manner) but flexible and adaptive enough, moving from one-time population of data inputs to ongoing real time threat and risk monitoring. This method can be performed in a manual fashion or using a platform that allows for the ingestion of different data inputs and more sophisticated calculation and monitoring.
    ii. The architecture of the organization and visualization elements to enable a practical and interactive model for different stakeholders in an organization to examine relevant elements - e.g. for a CIO to see how their proposed IoT expansion will increase inherent risk.
    iii. The related innovation is the translation of risk into financial values - e.g. for a CISO at the same organization to visualize and communicate the required additional investment in controls to secure the expanded IoT footprint.
Summary of the invention
• For the intent of describing the invention's method, the purpose of threat modelling as defined here is to model a set of threats (comprised of an actor and technique) against a model of an organization's assets (e.g. customer chequeing account, manufacturing facility), related attack surface (e.g. online web portal, 3rd party provider) and respective controls (protective, detective, corrective) to provide a quantifiable value of inherent and residual risk that can be ascribed to a surface or asset.
• In order to achieve these outcomes, the method is founded on the following interrelated elements:
  Organizational Elements:
    o Asset model that allows for industry specific identification and grouping of organizational assets (such as applications and servers) based on different criteria - e.g. highest confidentiality-based impact, highest availability impact which allows for clear and straightforward definition and quantification of impacts and risk appetite/tolerance.
    o Surface model to categorize the key assets of the organization (e.g. database containing customer personal information), exposure of the assets (e.g. Internet facing application to access this database) and interdependencies with 3rd parties. Diagram E contains a sample structure.
    o Control model(s), flexible enough to align to standards such as ISO and NIST, that allows for recording of discrete data points (e.g. maturity assessment, penetration test) from separate exercises conducted at different points in time. The model allows for different assessment regimes (e.g. ISO) aligned to a common set of measures (e.g. formally documented process, presence of defined metrics) to produce a quantifiable view of how well the control is operating over time. Correspondingly, for controls that are deficient, the ability to identify drivers of deficiencies and suggestions to improve the control. These control models can be aligned to one another through the addition of integrated requirement libraries and tied back to a capability model / service catalogue as defined per the individual organization. This model can also be tied back to an existing control catalogue used in the organization's GRC (governance, risk and compliance) platform.
  Quantification Elements:
    o Risk logic model (the manner in which the models are tied together to produce a risk view based on the defined taxonomy).
    o Data mapping, which includes the identification and categorization of data elements including asset databases, security operations data, operational risk assessments.
  Visualization / Interactive Elements:
    o Depiction of threat, surface, control and asset components and related data via different narrative models to support risk logic and enable visualization; e.g. linking together surface elements and key controls via business process flows, customer journeys, data flows and threat models with the ability to incorporate multiple approaches and standards (e.g. ATT&CK). The visualization can take on various forms, from static canned reports through to fully interactive models. Diagram G contains a sample narrative.
• With these framework elements in place, the second step is the ingestion and population of the data based on the defined taxonomy, taking into account most organizations have incomplete or inconsistent data sets.
• Once this data is ingested, the third step is the calculation of risk, as performed, for instance, by running multiple threat scenarios through the integrated (i.e. linking threats to surfaces to controls) logic model and using mathematically sound statistical analysis to determine risk.
• The final step is the representation of the inherent and residual risk both in quantitative terms and through visualization methodologies e.g. topographic map to show control maturity against attack surface model.
Key benefits of the method include:
• Consistent categorization of organizational risk, threat, asset and control data
• The ability to organize, measure and communicate an organization's surface and control elements in a flexible and sustainable manner
• Enable a complete end to end technology footprint view, including 3rd parties and overlay a view of threats and control strength
• Create a scalable, agile and re-usable model of organizational elements that can be used for applications for related areas (e.g. IT performance)
Potential applications include:
• Visualizing the status of threats, incidents, events and control status for enhanced detection and response activities (e.g. SOC monitoring and incident response) against the organization's attack surface
• Developing related security (e.g. cloud integration) strategies (i.e. visualize key surface integration points, how surface changes with SaaS, PaaS) and control gaps
• Quantifying the risk impact of the organization's digital innovation strategy and communication via topographic visualization
• Automation of risk assessments and reporting to reduce manual effort
• Prioritization and tracking control issues
• Consistent risk quantification to inform decision making around investments and required coverage for cyber insurance
A high-level schematic of the invention can be found in Diagram A
Claims
The embodiments of the invention in which an exclusive property or privilege
is claimed are defined as
follows:
1. Methodology to organize and depict an organization at different levels
(e.g. enterprise,
business unit, function) by using the concept of an asset cluster, defined
herein. For a given
industry, an organization can be depicted as a series of asset clusters that
are aligned to
business segments, products, service and/or processes depending on how the
organization is
structured. For example, for a financial institution asset clusters cloud be
defined as the lines
of business (e.g. wealth management). Alternatively, the asset clusters could
be developed to
reflect critical functions such as real-time high value payments processing
vs. batch payments.
These clusters can be modelled at a different degrees of detail. For example,
within the given
example of payments functions, the supporting applications, infrastructure and
data can be
defined within that cluster.
The benefit of grouping assets in this way include:
- Ability to depict large and complex organizations in terms of
their value generating
assets and controls to secure them against evolving threats for organization
- Ability to model organization as part of broader ecosystem including 3rd
parties
and identify systemic dependencies
- Design (i.e. security architecture) and analytical purposes; model can be
specified
at industry level or organization level
- Ability to drill down as required from the enterprise to segment parts and
related
data through a common data taxonomy
- Ability to depict assets in terms of value chain, process flow,
data flow, kill chain
- View your organization in a modular fashion and identify
distinct infrastructure and
opportunities to consolidate (efficiency) and render distinct (security)
elements -
e.g. network segmentation
2. The specifics of defining an organization and related systems in terms of
asset clusters is listed
below
a. An asset cluster is defined as a logic grouping of assets (e.g. databases,
infrastructure,
people that are on-premise, in the cloud or 3rd party vendor) that is scoped
based on
defined criteria (e.g. part of the same business unit, servicing a business-
critical
process, dependent on same critical infrastructure). The grouping logic can
vary based
4
CA 3070685 2020-02-02

on need. For instance, an asset cluster could be an entire enterprise or a
grouping of
critical assets (e.g. payment center).
b. For a given logical grouping, each asset cluster has five primary set of
characteristics:
first, its functional grouping (i.e. what products/services does it
represent), second its
attack surface (i.e. channels, applications, infrastructure, people,
locations, suppliers),
third, the most critical assets (e.g. applications, data) fourth, the related
controls (e.g.
identity, detect, protect, respond and recover) and fifth, the risk profile,
which can be
broken down into confidentiality, integrity, availability and loss of
life/injury risks. See
Diagram B for more details
c. The components comprising the surface element can be divided into six
different
categories: Channels, Applications, Infrastructure, People, Locations and
Suppliers,
defined as below.
i. Channels ¨ different ways in which a customer can interact with an
organization, such as a call center
ii. Applications ¨ the programs an organization uses to conduct work ¨ e.g.
web
facing customer application
iii. Infrastructure ¨ the servers supporting applications and network
infrastructure
iv. People ¨ employees and contractors working for the organization, customers
v. Locations ¨ physical location of where a channel, application,
infrastructure,
person and/or supplier is based
vi. Suppliers ¨ third/fourth party provider of services
These surface elements provide a taxonomy to describe "how" an organization
can be
breached/compromised by a threat actors. As such, these elements can be easily
related to concepts such as kill chain and the required compensating controls.
Another
critical element is understanding that these surface elements are related to
each other
¨ e.g. an application (customer portal) is accessed via a channel (online) and
is
enabled by infrastructure (server) hosted in a location (Toronto) provided by
a
supplier (Cloud provider) and is operated by people (employees and
contractors).
d. The attack surface and control elements of the asset cluster can be organized in different ways for different purposes. For example, the attack surface elements can be aligned to a business process (e.g. call center complaint handling) to show the flow of data across the different attack surface elements. See Diagram B for more details. Similarly, these elements can be used to structure the narrative around a cyber attack in terms of an attacker's actions and an organization's response. See Diagram G for an example.
e. The characteristics of an asset cluster can be expressed at different levels - for example, for controls, a data protection related control can be expressed at a capability level (data protection) or as a given technology that is enabling the control for the organization (e.g. software product A). Similarly, the attack surface can be depicted at a category level - e.g. "Application" - and then at a sub-category level - e.g. in-house vs. vendor operated. See Diagram B for more details.
f. The relationship between these described elements is critical for quantification of risk, as seen below.
g. For each of these characteristics described at different levels, there are different associated data points for each of these elements. For instance, the number of internet-facing applications operated by an FI can be recorded and mapped against the asset cluster.
h. These data points can be used for multiple purposes. Primarily, they can be used to inform inherent and residual risk. For example, in the case of an application, the fact that it is internet-facing will increase the inherent risk profile of the attack surface of an organization.
i. For capabilities and controls, there are also associated characteristics and measurements. For instance, the self-assessed maturity of a data loss protection capability or related tool can be used to inform the residual risk profile of an organization.
j. Note that it is possible to align some elements of the above definition of an asset cluster to existing methodologies such as the COSO Integrated Framework. However, the specific innovation detailed in this methodology is the explicitly defined relationships to attack surface and control elements and how these are defined, measured and used for risk calculation purposes on a one-time and ongoing basis.
3. Once defined as above, asset clusters can be used to calculate inherent and residual risk as per the following methodology:
a. To enable risk quantification, the concept of threats can be introduced for an asset cluster and the relational model to the surface, controls and critical assets. For this given process and attack surface, a specific threat actor and technique can be specified to show how data can be compromised in different ways, for example employing a kill chain. This can be used to highlight where certain types of controls are most beneficial to reduce risk. This view is further enhanced by the inclusion of the current status of the controls (e.g. where controls are reported as deficient) to highlight the key gaps the organization needs to close. This threat axis is important for the calculation of Inherent and Residual risk, as seen below. See Diagram C for more details.
b. Defining the relational model as such enables the straightforward calculation of the following, as per Diagram D below:
i. Scoping/sizing of the asset cluster - e.g. high value transaction processing systems; can be done at a broader scale such as
ii. Inherent Risk (IR) - at its most basic level, the inherent risk of a given asset cluster can be expressed as the following:
Sum of loss of:
1. Confidentiality - cost per record lost, potential regulatory and legal fines ($)
2. Integrity - maximum potential or historical value of lost funds ($)
3. Availability - outage cost ($)
iii. (optional) Relevancy (R) - an additional aspect that can be introduced when estimating the potential impact of a threat on a given attack surface, but requires additional data points (e.g. technology footprint of the organization)
iv. Applicability (A) - captures the relationship between the threat technique and the corresponding control - e.g. there would be a high degree of applicability of a 3rd party governance related control to mitigating a 3rd party related threat
v. Coverage (C) - measures to what extent the control covers the organization's attack surface
vi. Effectiveness (E) - expresses the overall health of the control from both a design and operating effectiveness perspective
vii. Residual Risk (RR) - in simplest form, can be expressed as the following, recognizing the baseline calculation requires the least amount of data points:
RR = IR - (C x E).
This activity can be performed on a one-time basis and progressively be linked to data feeds to provide ongoing monitoring.
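The calculation in step 3.b, as an added worked example in Python (not part of the patent text). The class and field names, the dollar figures and the 0.5 effectiveness score are constructed for illustration; C and E are assumed to be fractions between 0 and 1, and C x E is assumed to be the share of IR that the control mitigates, since the text gives RR = IR - (C x E) without units.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SurfaceElement:
    name: str
    category: str  # Channels, Applications, Infrastructure, People, Locations or Suppliers

@dataclass
class Control:
    name: str
    covers: frozenset     # names of the surface elements the control is deployed on
    effectiveness: float  # E, assumed to be a 0..1 score of design and operating health

@dataclass
class AssetCluster:
    name: str
    surface: list  # SurfaceElement items making up the attack surface
    loss: dict     # potential loss in $ per risk category

    def inherent_risk(self):
        # IR = sum of loss of confidentiality, integrity and availability ($)
        return sum(self.loss[k] for k in ("confidentiality", "integrity", "availability"))

    def coverage(self, control):
        # C = share of this cluster's surface elements that the control covers
        names = {e.name for e in self.surface}
        return len(names & control.covers) / len(names) if names else 0.0

    def uncovered(self, control):
        # Surface elements the control does not reach, i.e. the gaps to close
        return sorted(e.name for e in self.surface if e.name not in control.covers)

    def residual_risk(self, control):
        # Assumption: C x E is the mitigated share of IR, so RR = IR - IR * (C x E)
        return self.inherent_risk() * (1 - self.coverage(control) * control.effectiveness)

def constructed_example():
    # Constructed sample based on the customer-portal illustration in item c
    rows = [("online", "Channels"), ("customer portal", "Applications"),
            ("server", "Infrastructure"), ("employees and contractors", "People"),
            ("Toronto", "Locations"), ("cloud provider", "Suppliers")]
    surface = [SurfaceElement(*r) for r in rows]
    loss = {"confidentiality": 600_000, "integrity": 300_000, "availability": 100_000}
    dlp = Control("data loss protection", frozenset({"online", "customer portal", "server"}), 0.5)
    return AssetCluster("customer portal", surface, loss), dlp

if __name__ == "__main__":
    cluster, dlp = constructed_example()
    print(cluster.inherent_risk(), cluster.coverage(dlp), cluster.uncovered(dlp), cluster.residual_risk(dlp))
```

With the constructed inputs, the control reaches three of the six surface elements, so half of the attack surface remains listed as a gap regardless of how healthy the control is.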
Diagrams
Diagram A - Methodology Overview
Diagram B - Asset Cluster Components
Diagram C - Residual Risk Calculation Elements
Diagram D - Residual Risk Calculation Methodology
Diagram E - Surface Model example for Banking
Diagram F - Reporting example for Banking
Diagram G - Depiction of cyber attack narrative using surface and control elements


Administrative Status

Event History

Description Date
Time Limit for Reversal Expired 2023-08-02
Application Not Reinstated by Deadline 2023-08-02
Letter Sent 2023-02-02
Inactive: IPC expired 2023-01-01
Deemed Abandoned - Failure to Respond to Maintenance Fee Notice 2022-08-02
Letter Sent 2022-02-02
Inactive: Cover page published 2021-08-27
Application Published (Open to Public Inspection) 2021-08-02
Inactive: COVID 19 - Deadline extended 2020-08-19
Inactive: COVID 19 - Deadline extended 2020-08-06
Inactive: COVID 19 - Deadline extended 2020-07-16
Inactive: COVID 19 - Deadline extended 2020-07-02
Inactive: COVID 19 - Deadline extended 2020-06-10
Inactive: COVID 19 - Deadline extended 2020-05-28
Inactive: COVID 19 - Deadline extended 2020-05-14
Inactive: COVID 19 - Deadline extended 2020-04-28
Inactive: First IPC assigned 2020-03-30
Inactive: IPC assigned 2020-03-30
Inactive: IPC assigned 2020-03-30
Inactive: COVID 19 - Deadline extended 2020-03-29
Letter sent 2020-02-20
Filing Requirements Determined Compliant 2020-02-20
Common Representative Appointed 2020-02-02
Inactive: Pre-classification 2020-02-02
Small Entity Declaration Determined Compliant 2020-02-02
Application Received - Regular National 2020-02-02
Inactive: QC images - Scanning 2020-02-02

Abandonment History

Abandonment Date Reason Reinstatement Date
2022-08-02

Fee History

Fee Type Anniversary Year Due Date Paid Date
Application fee - small 2020-02-03 2020-02-02
Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
JEREMY L. HURST
Past Owners on Record
None
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents

Document Description Date (yyyy-mm-dd) Number of pages Size of Image (KB)
Description 2020-02-02 7 367
Drawings 2020-02-02 4 266
Claims 2020-02-19 4 183
Abstract 2020-02-19 1 60
Cover Page 2021-08-27 1 30
Courtesy - Filing certificate 2020-02-20 1 579
Commissioner's Notice - Maintenance Fee for a Patent Application Not Paid 2022-03-16 1 562
Courtesy - Abandonment Letter (Maintenance Fee) 2022-08-30 1 549
Commissioner's Notice - Maintenance Fee for a Patent Application Not Paid 2023-03-16 1 548
New application 2020-02-02 7 617
Correspondence related to formalities 2020-02-02 11 633