Risk Monitoring and Reporting


Course: 8 hours 25 minutes, Difficulty: Advanced, CEU/CPE: 9
Video Transcription
>> Now, after looking at controls, when we talked about the different control types and categories and functions, and we've said that we implement security controls as a means of mitigating risks, now we have to go back and find out: are they working? Because we design this risk response and in theory it makes perfect sense and it's going to work, but we never know what happens in the real world, of course, not to mention the fact that the threat landscape is always changing; new threats emerge. These solutions that we had that work today are not necessarily going to work tomorrow. An important part of risk management, one that sometimes gets left out, is monitoring our controls and reporting on what we find.

When we talk about things like, the phrase I hear that drives me crazy is, "If it ain't broke, don't fix it." Well, that's the very reason you walk into numerous organizations and you find legacy devices that are just clinging to dear life to work. That's why we see so many exploits and vulnerabilities on older systems: because people feel like they're going to squeeze every little drop of value out of the money that they've spent on these systems, but at some point in time they come to end of support or end of life and we've got to replace, we've got to update those systems. I had an organization that was still on Windows XP not all that long ago. I understand you built your environment on a specific operating system, and those operating systems change and get upgraded fairly frequently; it can cost a lot of money. But we've got to understand that at the point where Microsoft or whatever vendor stops supporting, stops making patches, stops any tech support, it's time to move on. We've got to move forward.

Also, when I hold onto older equipment, older equipment supports older protocols. Older equipment supports earlier forms of encryption and security. We're really not doing ourselves any favors by clinging to the older technology. One example, for instance, is WEP, Wired Equivalent Privacy. Now, we don't get real technical or anything like that in this class, but suffice to say that WEP is a means of securing Wi-Fi communications and has been around since Wi-Fi was first developed and brought out mainstream. We're talking decades ago. Even when WEP was brought into the environment, or was ratified at that point in time, years, decades ago, we knew that it wasn't a good security mechanism. We knew it had flaws. We knew that inherently there were weaknesses, but it was the best game in town, so it was released. At that point in time, enterprises had to consider for themselves: do they accept the risks associated with WEP, or do they avoid the risks and wait on bringing in Wi-Fi until something's better? Well, a lot of companies spent a lot of money and went forward with WEP. As WPA came out, then WPA2, and now we're on WPA3, people have held with older technologies. Yes, you can still go to environments today and find WEP. You're also going to find old routers. You're going to find, if not an archaic network, a very, very dated network.

When we're in that environment, and I'm not one to say you've got to go out and be on the bleeding edge of technology, but we do have to be mindful of the fact that the protection that we have today, our risk profile today, is not going to be the same in a year. We have to be willing to go back and reassess for risks. What we find we write up in a report. We go back with that risk action report that we talked about way in the beginning and we make our recommendations. When we talk about monitoring and reporting, we have to do so because the threat landscape changes, risk changes. The only definitive thing about risk is that it's unknown. We don't know. We can do everything we can in our planning, in our research, in our analysis and evaluation, but it's still just, I hate to say guess because a guess makes it sound haphazard, but it's still just trying to foresee the future. We've got to be willing once a year to go back and look at the decisions that we made. They may have been perfectly good decisions, they may have held up, they may still suffice today, but we can't assume that without looking.

What am I looking for when I do this monitoring? Well, one of the things that should have been a part of my project, let's say, like we said, we were managing a project to upgrade the existing infrastructure. Well, every project, particularly every IT and IS project, should have a set of critical success factors that are tied in to the needs of the business, the needs of the organization. We've already talked about this, the needs of saying, okay, this implementation has the purpose of enabling business better, as seen through a three percent increase in productivity by the first quarter, something like that, whatever. What do we do? Well, we measure up against that commitment that we've made, because this is why we're undertaking this project. This is what we can deliver. That's the value. What we have to do ahead of time, before implementation, is set objectives for our endeavor, for our project, for individual controls; everything that we do should have a purpose. It's not an IT purpose or an IS purpose, it's a business purpose. We put these controls in place and we have an objective. When we monitor, we're looking to determine: are the controls meeting their objectives? If they're not, it's probably because of risk: unforeseen risk, risk that is being mitigated properly, residual risk that's larger than we anticipated. Of course, we have to monitor for risk.

Now, our KRIs. KRI stands for key risk indicator. We set these for controls, but we also set these for other elements on our network that we continue to monitor. A key risk indicator might be processor utilization exceeding 70 percent for a period of time, for five consecutive minutes. Well, then I set that as a key risk indicator, I monitor for that, and then I make sure there's an alert that I receive if that key risk indicator is hit. These are our thresholds of tolerance. These are the periods or the points, these are like action points, if you will. These are the points where we move into action. If we think about risk events, we'd much rather prevent a risk. I'd much rather not have to deal with this risk. Let me put some proactive mechanisms in place and we just don't have to deal with it. That'd be great. But at some point in time, I have to be able to see, "Hey, that control I've put in place isn't working. Now I have to move from proactive to reactive." That's the job of a KRI. You have preventive controls. Your detection is tied into your key risk indicators. A key risk indicator is achieved. We get a notice or a notification, and now we move into reactive detective and corrective controls. It's really, really critical that we associate KRIs that will indicate our security controls aren't working. Often they're also tied into areas on the network.

Here's just a list of some suggested KRIs. Now, there are a zillion of them. These are just very broad, for a couple of instances. But we scan our equipment constantly for unauthorized software. If there are more than five pieces of unauthorized software, something clearly is going on, someone's setting up a rogue infrastructure; that would be an example of a KRI. Our servers are supposed to be up 99.997 percent of the time. At the end of the year, that's the availability we wanted to achieve. If by the first day we've lost 10 minutes to downtime, that's going to be an indicator: "Hey, we're going to be way off at the end of the year." Maybe we have the goal of patching all our network systems. Maybe we have 500 systems, and our goal is to patch them in the next 10 months. My performance goal is going to be that each month, we'll say each of, let's say I've got a thousand computers I need to patch, we're going to do it in 10 months. That'll be 100 a month. My key performance indicator, maybe when I'm halfway through, five months, I should have 500 systems patched. KPIs, key performance indicators, let me know if I'm on target to meet my goal. I think you're much more likely to see key risk indicators, but I did want to talk about KPIs as well, just in case you see something happen.

Here's the deal. There's also something called the KGI, which is a key goal indicator. A key goal indicator is yes or no. You made it or you didn't. My key goal indicator was 1,000 systems in 10 months; I didn't make it. My KGI is no. Or I did make it; it's yes. But the thing is with that goal, I want to make my goals. I'll set performance checks along the way to see if I'm on target to meet my goal. I set a KPI for maybe two months. At the end of two months, I should have 200 systems patched. That tells me, yeah, I'm on my way to meeting my goals. The KPIs are like a checkpoint. The reason I talk about these is risks can keep you from meeting your performance objectives, that keep you from meeting your goals. We have KRIs that indicate we may not meet our KPI, which indicates we may not meet our KGI. I love letters. Don't you love letters? Letters, everybody. What does that mean? I need to know if there are any risks emerging, like maybe staff shortage. Here in the time of COVID, you can go through periods where 50 percent of your office is unavailable. A key risk indicator that we're going to be too short of staff is if 50 percent of staff isn't available. Because if 50 percent of staff isn't available for the month of January, I'm not going to be able to patch 100 systems at the end of January. Knowing when we reach that level of employee absence tells me, hey, if you don't make a change, you're not going to meet your KPI. Maybe I bring in some outside help, I hire some contractors to come in and work. Now we're back on track. We meet our KPI, we're online to meet our KGI.

Hey, I just wanted to go over how those elements work together. I do think key risk indicators are the one that I would focus on. But remember, key performance indicators are like check marks in the progress of a project or an endeavor. Then your key goal indicator is a yes or no: you made it or you didn't. Key goal indicators are always past tense.