In my previous blog about enhancing your security posture with risk intelligence, I introduced cyber risk intelligence (CRI) and discussed its importance. To briefly recap, CRI utilizes comprehensive cyber threat intelligence (CTI) to collect data from clear, deep, and dark web sources, including social media platforms (e.g., Discord, Telegram, ICQ), app stores and repositories, leaked databases, chat channels, dark web forums and black markets, and to analyze it with manual and machine learning techniques. CRI combines this data with business context to gain actionable intelligence – with evidence-based data – on attack indicators, data leakage, phishing, brand impersonation, and data fraud. This helps businesses uncover, identify, and rank security gaps across their enterprise stack and understand what steps to take to address the most important threats and maintain compliance with evolving regulatory mandates.
From a high level, risk intelligence measures and establishes an enforceable level of risk through proactive, contextual, and actionable threat intelligence. Simply put, it aligns an organization’s threat posture with its risk level to achieve security and compliance. (For more information about this, refer to Part 1 in this series.)
In this second post, I’ll offer guidance on implementing risk intelligence, put in the context of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework (CSF) standard, to fully reap its benefits. The NIST CSF evolved from a U.S. federal order and has become a default framework that other regulatory and compliance mandates are built from as a way to measure cybersecurity posture across the enterprise. The latest iteration – NIST CSF 2.0 – just added a sixth section on governance, “Govern (GV),” highlighting the importance of risk intelligence to enrich and empower the enterprise risk management strategy.
Here are the steps to take to accumulate and benefit from CRI in multiple ways, including the ability to eliminate threats before they exist, reduce manual efforts, optimize the ROI of the security stack, and enforce compliance policies across the enterprise. These steps essentially represent the process needed to undergo a security assessment or audit and should be performed continuously as organizations grow and evolve with new systems and technologies, dynamic employee numbers and policies, and a widening attack surface.
1. Conduct metrics-driven vulnerability prioritization (Proactive gap analysis) – The prioritization of system gaps, or gap analysis, is a core area that benefits from progress in continuous security and solution flexibility. Both can open opportunities to enrich the security assessment process by finding gaps faster and allowing businesses to use a broader set of solutions to accelerate their security audit. To prioritize vulnerabilities, such analysis must be enriched with your organization’s business context and the data flows it uses. Doing so gives you evidence-based data that applies risk metrics to validate your security posture and directs how you prioritize vulnerabilities. There are automated solutions that offer vulnerability intelligence and accelerate this analysis, such as Cybersixgill’s DVE Intelligence. The solution performs automation, combines business and attack surface context, and brings clarity to the most serious gaps to address.
For NIST CSF alignment, CRI enables organizations to quickly discover and qualify requirement gaps while continuously prioritizing vulnerabilities based on quantitative risk metrics. In addition, CRI helps companies stay on top of the NIST CSF Protect function, proving its hygiene through continuous analysis and alerting.
In the financial services industry more specifically, the failure to properly prioritize and address vulnerabilities is a leading cause of data breaches within entities covered by the Payment Card Industry Data Security Standard (PCI DSS) – and results in non-compliance. Many other industry regulations, such as the Sarbanes-Oxley (Sarbox) Act and the Health Insurance Portability & Accountability Act (HIPAA), include similar vulnerability risk ranking and continuous prioritization requirements.
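To make the "metrics-driven" part of step 1 concrete, here is an added example (not code from Cybersixgill or its DVE Intelligence product) of a risk-based prioritizer. It scores each finding from three inputs the text names: the technical severity, business context (asset criticality, internet exposure, and which regulated data flows through the asset), and threat-intelligence evidence (for instance, underground chatter or a leaked credential tied to the asset). The weights, the evidence categories, the vulnerability identifiers, and the sample findings are all constructed assumptions for illustration; they are not real CVEs or real scoring tables.

```python
"""Risk-based vulnerability prioritization (added illustration).

Combines a technical severity score with business context and threat-intel
evidence so that the ranking reflects risk to *this* organization rather than
raw severity alone. All weights and sample data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder label, not a real CVE identifier
    asset: str                # hypothetical asset name
    base_severity: float      # 0-10 technical severity, e.g. a CVSS base score
    exposed: bool             # reachable from the internet per attack-surface inventory
    criticality: int          # business criticality, 1 (low) to 5 (crown jewel)
    regulated_data: tuple     # regimes whose data flows through the asset, e.g. ("PCI DSS",)
    cti_evidence: tuple       # constructed threat-intel observations for this finding


# Constructed weights: how much each kind of CTI evidence amplifies the score.
CTI_WEIGHTS = {
    "exploit_public": 1.0,        # working exploit code is publicly available
    "underground_chatter": 0.6,   # threat actors discussing or seeking this flaw
    "credential_leak": 0.8,       # credentials for the asset seen in a leak
    "active_in_wild": 1.2,        # exploitation observed in the wild
}


def threat_factor(evidence: tuple) -> float:
    """1.0 with no evidence; grows with each observed threat-intel signal."""
    return 1.0 + sum(CTI_WEIGHTS.get(e, 0.0) for e in evidence)


def business_factor(f: Finding) -> float:
    """Business context: criticality, regulated data flows, and exposure."""
    factor = f.criticality / 5                 # 0.2 .. 1.0
    factor += 0.2 * len(f.regulated_data)      # each regulatory regime adds weight
    if f.exposed:
        factor += 0.5                          # internet-reachable assets weigh more
    return factor


def risk_score(f: Finding) -> float:
    """Severity x threat evidence x business context, rounded for reporting."""
    return round(f.base_severity * threat_factor(f.cti_evidence) * business_factor(f), 2)


def explain(f: Finding) -> str:
    """Evidence trail for the score, so the ranking is auditable."""
    parts = [f"severity={f.base_severity}", f"criticality={f.criticality}"]
    if f.exposed:
        parts.append("internet-exposed")
    if f.regulated_data:
        parts.append("regulated=" + "/".join(f.regulated_data))
    if f.cti_evidence:
        parts.append("cti=" + ",".join(f.cti_evidence))
    return "; ".join(parts)


def prioritize(findings) -> list:
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def report(findings) -> list:
    """(vuln_id, asset, score, explanation) rows in priority order."""
    return [(f.vuln_id, f.asset, risk_score(f), explain(f)) for f in prioritize(findings)]


# Constructed sample findings. Note the highest raw severity (VULN-B) is on an
# internal, low-criticality asset with no threat-intel evidence.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "payment-gateway", 7.5, True, 5, ("PCI DSS",),
            ("underground_chatter", "exploit_public")),
    Finding("VULN-B", "internal-wiki", 9.8, False, 2, (), ()),
    Finding("VULN-C", "hr-portal", 6.1, True, 4, ("HIPAA",), ("credential_leak",)),
]

if __name__ == "__main__":
    for vuln_id, asset, score, why in report(SAMPLE_FINDINGS):
        print(f"{score:6.2f}  {vuln_id:8s} {asset:16s} {why}")
```

Run as a script, the example ranks VULN-A first and the 9.8-severity VULN-B last, which is the point of the step: severity alone would have put the internal wiki at the top, while business context and CTI evidence move the exposed, PCI-scoped gateway ahead of it. The `explain` column is the evidence-based justification an assessor would expect to see next to each ranking.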
2. Expose your digital footprint – Risk Intelligence can also be used to identify, collect, and analyze a company’s digital footprint and uncover potential attacks before they are carried out. This knowledge empowers security teams to fortify their defenses with enforceable action plans over and above typical cursory analysis of their IT stack. In addition, CRI provides a preemptive view of threats that may target an organization in the future.
For example, advanced intelligence systems can track dark web chatter about the types of malware threat actors are looking for and/or developing. This intelligence gives security analysts an advanced view of what will most likely be targeting their assets in the future, such as an increase in threat actors seeking infostealer malware or selling leaked credentials, which would give an indication of risk within the attack exploit chain and facilitate coverage of the NIST CSF Protect function.
In this step, CRI shines the light on your business data exposure and potential regulatory data violations so you can take action before an attack executes and damage is done, protecting your security posture and minimizing enterprise risk.
2a. Create data targeting – A key component of exposing your digital footprint is creating data targets, including specific types of data flows, data transactions, and the data itself. This process aligns with how a regulatory assessor would analyze your digital footprint. Building targets helps you understand which specific areas of your business would potentially be targeted, including how data is stored, processed, and acted upon. Cybersixgill’s Attack Surface Management (ASM) solution is one component of this, along with our contextual CTI and Cybersixgill IQ, utilizing AI to gain perspective on your business in areas you wouldn’t think to look, such as dark web forums, marketplaces, and other underground sources.
The result of step 2 is that you can uncover and predict current and future risks while finding and protecting ALL regulatory-related data.
3. Leverage CRI findings to enrich and accelerate your risk assessment – As the culmination of steps 1 and 2 above, combined with other forms of intelligence about your enterprise (e.g., asset intelligence, network or perimeter intelligence), the CRI data you’ve acquired summarizes and exposes the threats and vulnerabilities that can compromise your risk posture and helps you adjust your data security policy to empower the risk assessment process (a standard phase of most cybersecurity mandates and compliance frameworks). It gives you a fine-tuned presentation of your risk that’s quantifiable by all parties responsible for analyzing the enterprise security policy. Additionally, it provides a blueprint for how you should present your risk posture to various audiences through reports and findings from your posture assessments.
To summarize, CRI can be implemented in alignment with an organization’s cybersecurity framework while measuring its compliance posture against regulatory requirements. This is especially useful when implemented within an environment where the NIST CSF is the default framework, as it can help organizations meet the evolving requirements of the latest standard and help businesses shift into a truly prioritized risk-based posture when dealing with cyber threats, global privacy laws and regulations, and compliance requirements.
To learn more about risk intelligence and how it can help you enhance data security, compliance, and regulatory adherence, watch my recent on-demand webinar Harnessing Risk Intelligence to Achieve Enforceable Security and Compliance.
To learn more about how Cybersixgill can help you in your risk management efforts, contact us here.