“What should I measure first?”
I expect this seemingly innocuous question from any organization starting their journey towards cyber risk quantification. It’s the right first question. But, dwelling too long on the topic can result in pinning your program to the ground before you even turn on the thrusters.
Cyber Threat Intelligence (CTI) has an alternative value proposition to risk managers
Overwhelmingly, the value proposition of Cyber Threat Intelligence (CTI) is information that allows organizations to reduce incidents through early prevention. But, there’s another value proposition outside of Cyber Security Operations; threat intelligence tools provide relevant candidates to measure first in a new quantification program. The wealth of information provides a wellspring of data for use in RiskLens analyses.
Leverage CTI in RiskLens analysis to ante up the value of your data
A detailed treatment and mapping of CTI data to the FAIR model is beyond the scope of this post; however, I can point you to some new resources. I had the pleasure of making major contributions to the Open Group paper mapping Open FAIR & STIX. Organizations such as Recorded Future leverage STIX data to provide insight into the threat landscape relative to an organization’s attack surface. What that means for RiskLens-oriented programs is that we have data at our fingertips to understand what sorts of threats we are faced with today.
Example: Use CTI describing attack campaigns to fuel RiskLens Threat Event Frequency
If your program is at the point where you’re marrying CTI data to the FAIR model it means you’ve done the legwork to:
- Train your analysts on FAIR
- Level-set organizational terminology about risk
- Have an implementation of a FAIR analytics tool such as RiskLens
To prime the pump on your quantification program, you can make one data request to your cybersecurity ops teams:
“Can you provide us with a breakdown of the top campaigns we are tracking the pulse on?”
It’s a bit open-ended, but it always gets the conversation started in the right direction. Use your FAIR-oriented model of risk to put the data into the context of the assets at stake and you are on your way to inputting CTI into FAIR assessments. Within STIX, you can use the Campaigns element to feed Threat Event Frequency. (Page 10 of the Open FAIR - STIX Integration document shows a figure to support this notion).
You have no excuse for your quantification program to get stuck in the mud
STIX is freely available. Not just the language and the transmission mechanism (TAXII); the data is also freely available. Likewise, FAIR is an open model. There is no excuse for any organization of any size to miss out on the opportunity to leverage CTI data in risk analyses. The future of cyber risk quantification heavily leverages CTI. Push your quantification program forward today by tailoring CTI to FAIR and provide actionable risk intelligence immediately.
How Threat Intelligence Can Drive Risk Analysis (FAIR Institute Blog)