Simplifying Risk Management

Most modern IT security departments use risk management to find a balance between realizing opportunities and minimizing potential losses. Risk management is more than just a technology; it is the process of identifying, quantifying and prioritizing the risks organizations face.

A risk doesn’t need to be a nightmare or a showstopper for innovation — it is something that can be managed.

A Common Formula for Risk

A common formula used to describe risk is: Risk = Threat x Vulnerability x Consequence. This should not be taken literally as a mathematical formula, but rather a model to demonstrate a concept.

For a complete mathematical formula, there should be some common, neutral units of measurement for defining a threat, vulnerability or consequence. Unfortunately, that doesn’t exist today. There are some common units, such as CVSS to describe a vulnerability, for parts of the formula, but these are dependent upon the environment or subjective to those that use the formula.

On the other hand, if you are able to remove one part of the formula, such as the threat or vulnerability part, and then replace it with near zero, the resulting value of risk also gets reduced to virtually nothing.

Measuring Risk Likelihood

The first part of the formula for risk, Threat x Vulnerability, can also be looked at as probability. This likelihood is a rough measure that describes the chances a given vulnerability will be discovered and used by a threat actor.

While you can limit some factors, the threat actor is, in most cases, out of your control. The rating of the threat actor depends on a number of values, including:

  • The skill level of the attacker;
  • The motive of the actor;
  • The opportunity — whether the attacker possesses the required knowledge and access; and
  • The capabilities of the opponent you’re facing, including his or her financial resources.

There are different methods through which an attacker can discover a vulnerability, such as reconnaissance, scanning and information disclosure. The likelihood of a vulnerability being discovered and exploited is described by the following:

  • The ease of discovery — is there a service or application banner that indicates that the application is vulnerable?
  • The ease of exploitation — can it be done with automated, easy-to-use scripting tools or does it require a series of events that are difficult to achieve?
  • Awareness — is it a known vulnerability?
  • Detection — is it easy to identify the attempts to exploit the vulnerability, and is it likely that the organization takes countermeasures to block these attempts?

When evaluating vulnerabilities, you should not limit yourself to system vulnerabilities. Be sure to consider the human factor — running an environment with no system vulnerabilities but with a user base that can run email attachments without restriction should also count as a vulnerability.

Assessing the Impact of a Vulnerability

The last part of the formula describes the consequences, or impact, of a successful attack by a threat actor. It is defined by two main factors:

  • The technical impact, described by the confidentiality, integrity, availability and accountability of data; and
  • The business impact, described by the business impact analysis, which accounts for financial damage, noncompliance as a result of a breach and legal or privacy implications.

The combination of the likelihood and the impact describes the severity of the risk.

You can limit the consequences and thus the severity of an intrusion by imposing security policies, processes and procedures. This will not prevent a breach, but it can greatly limit the impact of any intrusion that takes place.

Risk = Threat x Vulnerability x Consequence

Prepare, Log, Monitor, Detect and Respond

Now that you can quantify what you’re up against, how do you integrate countermeasures into your security environment so you can better deal with these risks? You can follow these four steps as a basic road map:

  • Be prepared.
    • Make sure your staff is well-trained.
    • Conduct regular exercises.
    • Raise awareness to increase the knowledge level of your staff and constituency.
    • Create boundaries between important business segments.
  • Log and monitor the important events from all your resources.
    • Know what assets are on your network.
    • Define the different log sources.
    • Centralize the logs, making sure they are in a uniform format and reliable.
    • Correlate events.
  • Detect the anomalies and the potential security incidents.
    • Differentiate between normal and abnormal behavior.
    • Apply threat information.
    • Work together with your operations team to understand what is going on.
  • Respond to these incidents.
    • Mitigate, eradicate and recover from incidents.
    • Apply the lessons learned to improve your security posture.

Threat Management

One part of the formula is the threat actor. We already described that this part is out of your control, but you should still be aware of what types of threats you face. By making use of different threat intelligence sources, you can acquire knowledge about the tools, techniques and methods used by threat actors. You can also learn about threats against players in your industry and tune your defense mechanisms accordingly.

There are many good sources of threat intelligence available, but don’t just rely on a single vendor. Threat intelligence data is more valuable when it’s enriched by the shared experience, sightings and research of a large community.

Sharing is important, so make sure your security staff gets involved with different sharing groups and knows how to interact with their national computer security incident response team (CSIRT) and security researchers.

Patch and Vulnerability Management

If you remove the vulnerability from the equation, it becomes more difficult for an attacker to get a foothold in your organization. Lowering the chances of a vulnerability going unnoticed minimizes the risk.

How do you achieve this? There are different approaches, but it basically consists of having up-to-date asset information, conducting patch and vulnerability management, and establishing policies and processes to deal with them. Understand that this is not a one-shot operation but something that must be integrated as a continuous process in your IT management.

Incident Response Plans

If, despite all the necessary protection measures, attackers are still able to gain access to your environment, you should start your incident response plan. Make sure you have set up capabilities to detect the intrusion and log sources to conduct the investigation. Detection is more that just looking at abnormal events. Combine the different events together and hunt for anomalies with human and threat intelligence.

Your incident response plan will help you to contain the incident, eradicate the actions of the attacker and recover. It is important to take stock of lessons learned after every incident to limit the chances of a repeat offense.

Striking a Balance With Risk Management

Overview or Risk = Threat x Vulnerability x Consequence

The terms threat, vulnerability and risk are often misunderstood. While they all represent very different aspects of risk, they relate to each other in nuanced ways and help security analysts strike the right balance between seizing opportunities and keeping critical systems and data safe.

Share this Article:
Koen Van Impe

Security Analyst

Koen Van Impe is a security analyst who worked at the Belgian national CSIRT and is now an independent security researcher. He has a twitter feed (@cudeso) and a personal blog (www.vanimpe.eu). Koen is passionate about computer security, incident handling, network analysis, honeypots, Linux, log management and web technologies. He is responsible for the follow-up and coordination of computer security incidents and gives security advise to customers.