Risk Assessments and Commercial Threat Intelligence

00:00

Lesson 2.3. Risk assessments and commercial threat Intelligence

00:05

For this lesson. The objectives are one. Understand what in organizations risk appetite is and how I t security fits into the overall risk picture

00:16

to discuss the risk assessment process. Frameworks available for conducting risk assessments and why they are important.

00:23

Three. Identify the benefits of threat, intelligence and how high our teams can leverage threat intelligence throughout the ire. Lifecycle. I've mentioned risk several times already through this presentation, and I really can't stress enough how important it is tohave

00:39

risk management and enterprise risk management and I t and cybersecurity. As part of those discussions,

00:45

you do not want to be hanging yourself out there or walking a tight rope is this image shows, because the risk management decisions is not an I. T or cybersecurity decision to make. It is business executives and or mission and executives or

01:02

the commander of an organization, depending on where you're coming from.

01:06

But if you make these risk decisions in a silo and no one knows the decisions that you've made as a cybersecurity leader, that can have negative consequences to your career and certainly to the organization, so you want to make sure through the risk register process that have already introduced you to And how do you communicate with executives

01:26

that

01:26

these issues and risks are being elevated as appropriate Now? Certainly you don't elevate every risk because some of the risks are easily mitigated or

01:38

controlled.

01:40

They don't have to go up to the very top, but they're certainly those large risks. And that's why we use a framework of what's the likelihood in the impact of these risks actually happening

01:49

to help you define what should go up to executives and what should stay at the local level.

01:57

So we'll talk about understanding, risk and risk appetite. You don't want to be. The people shown in this picture do not proceed beyond this point, and you can see a bunch of people out there. There are clearly some risks that should not be held close. Hold within the security organization,

02:13

and you also need to understand to what is that line of You cannot proceed beyond this without

02:20

involving some other people. And that's why sitting down with leaders and asking them just flat out what's the risk appetite of this organization and how do you feel about cybersecurity risk, and how much are you willing to let me? Except on your behalf? Vice? What should I be bringing up to senior leadership?

02:38

Those are the kinds of questions that should be asked

02:43

within an organization.

02:45

Search should also be involved in patch management and vulnerability management, because that helps you understand what the risk is like for an organization. If I t is horrible that getting patches out and there's multiple vulnerabilities that air getting shown on vulnerability scans,

03:00

especially you layer on top of that high value asset and criticality information that we've talked through

03:07

and the exploit ability of those vulnerabilities. So what's their CVS s score and how are they looking Teoh to the organization? That's really important, because if you know as a search that

03:21

these resource is over here are highly vulnerable, they're not patched. There's exploits available for the vulnerabilities.

03:29

Then you may change your response criteria. Your timelines. You're monitoring and controlling of those systems to account for these vulnerabilities, so certain really needs to be in the loop and have access to

03:43

the patch management vulnerability management processes.

03:46

When we talk about risk assessments, there's a lot of different ways. You can go about doing a risk assessment, but every organization needs to have a risk assessment, and these risk assessments need to be updated at least once a year. Because threats change, vulnerabilities change

04:01

the organization's target status may change. And that's why having a risk assessment done

04:08

on update it is so important. So if you have a risk assessment, search should be familiar with the document. When I worked in the Department of Energy's program, we had a counter intelligence organization that would go out and give us a risk assessment. We would do our own I t risk assessment, but it was really nice to see from counterintelligence

04:27

how they perceived us as a risk. What were the people that were after us, what was there,

04:31

tactics and techniques that they were using to get into organizations and how they felt about our risk posture. But then we would do our own I t. One. You may have internal audit organizations that are doing risk assessments as well, or that E R M group may be doing a risk assessment, but it might not include

04:50

I. T. And cybersecurity is part of that

04:53

there are two examples I wanted to highlight here and there. Hyperlinked within this organise are within the slide deck is the NIST cybersecurity framework, or CSF.

05:02

They also have the risk management framework, or RMF. RMF is dedicated and really designed for federal agencies. NIST is also being used for federal agencies in the CSF framework, but it was originally developed for private organizations and those that are trying to have

05:20

some standardized way to measure cybersecurity risk and implementing security controls.

05:27

And then the next 830 is a whole document that shows exactly how to do risk assessments.

05:35

Threat Intelligence can help you as an incident response team understand something very fundamental to you. So as you see on the slide, you see the threat landscape.

05:46

This is all the things that are out there that you may or may not need to be worried about. But the vulnerabilities, the threats, the exploits, just the whole landscape that's out there

05:57

and then you have your organization, all the systems and data applications and people

06:01

and then in the very middle is what threat intel helps you focus on. And really, what that is, is how does the threat landscape and your organization intersect? That is what you need to be concerned with as an incident responder, because that's where the risk really lies and threat. Intel

06:20

helps clarify that for you

06:24

another way it helps is it gives you information based on evidence. It also provides you actionable advice, and it can influence your response based on whether or not you're even susceptible to something or what

06:39

the success rate has been for certain attacks based on the threat intelligence information.

06:45

When you look through ah, examples of threat intelligence, there's a lot. There's a lot of organizations and companies that will sell you threat intel. Some of them are better than others, but there's also some feeds that you can get for free. So if you don't have much of a budget for this, and you just want to see how it might help your organization,

07:02

look at some of these links that I have here

07:04

on where you can get threat intel information

07:08

and just check it out. See if this information might be helpful to you and your organization.

07:15

Okay, a quiz question for us on this. How does threat intelligence help a security organization. A. It identifies all of the vulnerabilities within the environment.

07:26

Be the in the intelligence assists with focusing on on Lee what impacts the organization.

07:31

See, it provides a contract for 24 by seven Intel analysts to provide assistance during an incident.

07:43

All right, the answer here is be the intelligence. If you remember that slide, I have the crossover really assists with focusing on what is most impactful to the organization, and it cuts out all the other noise. And it helps you really focus on what you need to be looking at.

07:59

Another question here. What does the NIST CSF provide organizations with?

08:03

A. A framework that can be customized to define in organizations as is and to be implementation of security controls and best practices.

08:13

Be guidelines on how to remediate vulnerabilities or see compliance with the federal law that requires its implementation.

08:24

The answer to this is a It does provide you a framework to look at the maturity of the organization. It has different tiers, and we'll talk through this a little bit more in depth as we go.

08:35

But it also gives you the ability to measure your as is and then you're to be state for cybersecurity and help you identify the gaps and build a road map on how you can overcome those gaps and get to the maturity level that you feel is appropriate for your organization.

08:52

It's one summary here. We've talked about what an organization's risk appetite is and how I t and Security fits into that.