CyberWatch: Proactive Cyber Risk Management
José A. S. Alegria, CSO, Altice Portugal, Altice Worldwide Coordinator for CyberWatch, Advisory Member, Communication Providers, EUROPOL Cybercrime Centre (EC3)
Cyber Risk Governance Requires Reliable Metrics and Attribution
The proactive end-to-end management of external and internal cyber risk at Altice Portugal is achieved through an innovative risk management architecture comprising four pillars, as illustrated in the figure on the right. The top three pillars (Cyber Security Governance; CyberWatch, which continuously measures risk so that it can be improved; and the CyberSOC, for incident detection and response) are under the direct responsibility of the chief security officer (CSO), who reports directly to an executive board member, in our case the CTIO (CTO+CIO).
The fourth pillar (Resilient Cyber Protection) is federated to the different operational organizations responsible for the resilience and day-to-day operation of our networking and IT infrastructures. It is the pillar responsible for the technology and processes that keep our infrastructure cyber resilient by preventing, protecting against and monitoring cyber security incidents, and it is the pillar that makes the company compliant with the official cyber security policy defined, promoted and supervised under the CSO's responsibility. The technology and processes deployed follow blueprints specified by the cyber security engineering function, which sits under the CSO and works to the corporate cyber security policy.
A key aspect of our cyber risk management strategy is that it is continuous, metrics based and comprehensive. To support it, we implemented the CyberWatch platform, primarily based on the ELK stack, to cover a wide spectrum of risk-relevant elements under four key viewpoints: governance capability (weighted 10 percent); cyber risk inhibitors (72 percent overall), covering EXTERNAL (15 percent), INTERNAL (41 percent) and PEOPLE cyber hygiene (8 percent) plus architectural resilience (8 percent); counter-response capability, i.e. the CyberSOC (10 percent); and backup resilience as a last line of defense (8 percent). These weights sum to 100 percent. It works as our corporate cyber risk observatory.
In addition to the CyberWatch technical platform, we set up a four-person team (CyW Team) to proactively put pressure on all relevant stakeholders to follow the CyberWatch virtuous cycle: measure, fix/mitigate, learn, improve! We want to make sure all stakeholders know and understand the metrics under their responsibility and what they need to do to improve them. This team's annual performance evaluation and bonus are based directly on the improvement of our overall cyber risk profile.
Cyber Hygiene: External, Internal and People Related
In terms of cyber hygiene, an essential cyber risk inhibitor, we cover EXTERNAL, INTERNAL and PEOPLE related elements. For EXTERNAL cyber hygiene we continuously monitor and document potential vulnerabilities in our internet exposure.
To that end we use, in parallel, a number of complementary technologies. For the purpose of this article the most important one is an adaptation of BitSight's cyber risk rating service, which we use to continuously monitor and rate our exposure to the internet. Similar to personal credit ratings, BitSight Security Ratings range from 250 to 900, with a higher rating equating to a better overall security posture. Because such a rating is derived from what is observable from outside, it complements rather than replaces internal scanning. We use the same rating scale for all other risk vectors and sub-vectors.
In addition to BitSight, we use CyCOGNITO for attack surface testing to uncover blind spots and mitigate internet exposed attack vectors.
The CyW Team uses the CyberWatch online risk heatmaps (on our internal portal and on many strategically placed wall screens; see the figure above for "Cyber Hygiene: EXTERNAL" of a hypothetical company "XPTO", based on BitSight's cyber risk rating service) and comprehensive daily Excel reports that target each relevant stakeholder team: internet-exposed infrastructure, certificate management, desktop management, Windows server management and internal network management. Clear attribution of responsibility and continuously updated, reliable metrics are key to sound governance.
We apply a similar approach to our inside infrastructure (Cyber Hygiene: INTERNAL), covering managed and unmanaged endpoints and servers, databases, network and security assets. As in the EXTERNAL case, we track metrics related to COMPROMISED SYSTEMS, TECHNICAL DILIGENCE and, where applicable, USER BEHAVIOR.
For each risk vector (and sub-vector) tracked by CyberWatch, we maintain an Ishikawa (fishbone) diagram that aggregates the basic metrics into the risk rating contributed by that vector (sub-vector). For example, the figure below shows the Ishikawa diagram for the sub-vector Endpoints: Managed, with an aggregated weight of 15 percent.
As in the EXTERNAL cyber hygiene case, the CyW Team has online heatmaps and focused reports with which to interact with all relevant stakeholders, put pressure on eliminating risks and, therefore, continuously improve our overall risk posture.
For the "Cyber Hygiene: USERS" risk vector we follow a comprehensive cyber security awareness program that includes an eLearning program and periodic simulated phishing attacks. We keep track of progress and attribute a risk rating weighted at 8 percent of our overall risk score. We treat high-risk users (such as those with access to privileged accounts) differently from lower-risk users (such as those limited to highly restricted sub-networks), being far stricter with the former.
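To make the weight tree and the bottom-up aggregation concrete, here is an added example (not Altice's CyberWatch code) that rolls normalised sub-vector scores up into vector ratings the way the Ishikawa diagrams above roll basic metrics into a vector rating, rescales the result to the 250 to 900 range, and attributes the lost points to each top-level vector so the owning stakeholder team can be named. The weights are the ones quoted in this article; the leaf scores, the 0 to 1 normalisation, the split of INTERNAL into "Endpoints: Managed" versus the remainder, and the reading of that sub-vector's 15 percent as a share of the overall rating are assumptions made for illustration.

```python
"""Hierarchical weighted cyber risk rating on a 250-900 scale.

Added example, not Altice's CyberWatch code. The vector weights are the
ones quoted in the article; the leaf scores, the 0-1 normalisation and
the split of INTERNAL into "Endpoints: Managed" versus the remainder are
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RATING_MIN, RATING_MAX = 250, 900   # rating scale quoted in the article


@dataclass
class Vector:
    """A risk vector or sub-vector. A leaf carries a normalised 0-1 score
    (1.0 = no risk found); an inner node aggregates its children."""
    name: str
    weight: float                     # share of the parent's rating, 0-1
    score: float | None = None
    children: list[Vector] = field(default_factory=list)

    def validate(self, tol: float = 1e-9) -> None:
        """Reject trees whose child weights do not sum to 1: a common
        spreadsheet error that silently inflates or deflates the rating."""
        if self.children:
            total = sum(c.weight for c in self.children)
            if abs(total - 1.0) > tol:
                raise ValueError(f"{self.name}: child weights sum to {total:.3f}, not 1")
            for c in self.children:
                c.validate(tol)
        elif self.score is None or not 0.0 <= self.score <= 1.0:
            raise ValueError(f"{self.name}: leaf needs a score in [0, 1]")

    def health(self) -> float:
        """Weighted 0-1 health, aggregated bottom-up (fishbone style)."""
        if not self.children:
            return float(self.score)
        return sum(c.weight * c.health() for c in self.children)

    def rating(self) -> int:
        """Map health onto the 250-900 rating range."""
        return round(RATING_MIN + (RATING_MAX - RATING_MIN) * self.health())

    def lost_points(self) -> dict[str, float]:
        """Rating points lost per child: the attribution the owning team sees."""
        span = RATING_MAX - RATING_MIN
        return {c.name: c.weight * (1.0 - c.health()) * span for c in self.children}


def weights_are_consistent(root: Vector) -> bool:
    try:
        root.validate()
        return True
    except ValueError:
        return False


def build_cyberwatch_tree(s: dict[str, float]) -> Vector:
    """Article weights: governance 10, inhibitors 72 (EXTERNAL 15, INTERNAL 41,
    PEOPLE 8, architecture 8), CyberSOC 10, backup 8 percent of the overall."""
    internal = Vector("INTERNAL", 41 / 72, children=[
        # assumed: 15 percent of the overall rating, i.e. 15/41 of INTERNAL
        Vector("Endpoints: Managed", 15 / 41, s["endpoints_managed"]),
        Vector("Other INTERNAL sub-vectors", 26 / 41, s["internal_other"]),
    ])
    inhibitors = Vector("Cyber risk inhibitors", 0.72, children=[
        Vector("EXTERNAL", 15 / 72, s["external"]),
        internal,
        Vector("PEOPLE", 8 / 72, s["people"]),
        Vector("Architectural resilience", 8 / 72, s["architecture"]),
    ])
    return Vector("Overall", 1.0, children=[
        Vector("Governance capability", 0.10, s["governance"]),
        inhibitors,
        Vector("CyberSOC", 0.10, s["cybersoc"]),
        Vector("Backup resilience", 0.08, s["backup"]),
    ])


SAMPLE_SCORES = {   # constructed values, not real measurements
    "governance": 0.90, "external": 0.85, "endpoints_managed": 0.60,
    "internal_other": 0.75, "people": 0.70, "architecture": 0.50,
    "cybersoc": 0.80, "backup": 0.95,
}


def worst_vector(root: Vector) -> str:
    """Top-level vector that costs the most rating points."""
    lost = root.lost_points()
    return max(lost, key=lost.get)


if __name__ == "__main__":
    tree = build_cyberwatch_tree(SAMPLE_SCORES)
    tree.validate()
    print(f"Overall rating: {tree.rating()}")
    for name, pts in sorted(tree.lost_points().items(), key=lambda kv: -kv[1]):
        print(f"  {name:<28} costs {pts:6.1f} points")
```

With the constructed scores the overall rating comes out at 740, and the attribution shows the cyber risk inhibitors (driven by the weak managed-endpoint and architecture scores) costing far more points than governance, CyberSOC or backup, which is the kind of pointer the CyW Team needs to know which stakeholder to press first. The validation step matters in practice: a weight table that drifts away from 100 percent after an edit would otherwise produce a rating that looks plausible but is wrong.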
Last but not Least
Even with all cyber risk inhibitors in place and a high level of cyber hygiene, you cannot exclude the possibility, however unlikely, of being seriously attacked, so you need to be ready for that event! Make sure that your network and IT infrastructure are not excessively homogeneous, to limit the impact of a future zero-day attack: if all your endpoints and servers are of brand "X", a competent attack on a zero-day vulnerability in brand "X"'s operating system could have serious consequences for the survivability of your company. Make sure that at least your BACKUP and MIDDLEWARE infrastructures are based on a different operating system!
And, in preparing your organization for a future severe attack, who are your “fire fighters”? Do you have your own CYBER SECURITY INCIDENT RESPONSE TEAM? Are they ready? Are they capable? Do you periodically test them in RED TEAM vs. BLUE TEAM exercises? If you don’t, how can you rate them within your overall cyber risk rating?
Finally, your BACKUP infrastructure must be SACROSANCT! And make sure you have the right metrics and KPIs to bring any potential problems to the attention of the right stakeholders.