4 Steps to Rightsizing Your Cybersecurity Controls Environment with FAIR™ and RiskLens

March 25, 2020  Tim Wynkoop

4 Steps to Rightsizing Cybersecurity Controls EnvironmentA study by Palo Alto Networks found that the typical large company is running more than 130 different cybersecurity applications--and still data breaches are rampant. With FAIR™ quantitative cyber risk analysis and the RiskLens platform, CISOs are taking a hard second look at their stack of security solutions to see which are truly reducing risk in dollar terms and worth the spend. In particular, federal government CIOs are under orders to meet an “application rationalization” requirement before cloud migration.

Below is a four step process of how to identify, quantify, and evaluate the existing controls in your environment to determine if they are providing you the bang for your buck.

1. Evaluate Current Control Environment

The first step is evaluating the existing control environment. Most organizations utilize a defense-in-depth approach. Gaining a general understanding of which controls are located where can help to identify potential areas for downsizing. Identifying controls that serve the same or very similar purposes is a way to determine areas to focus on.

An example of this would be utilizing multiple anti-virus protections located at various network and endpoint locations to deter potential malicious traffic. Is the money you are spending on the multiple layers worth it?

As you’ll notice, you can determine this without an in-depth knowledge of Factor Analysis of Information Risk (FAIR). You just need to know your environment and what risks you have within your organization.  Part of knowing what risks you have and evaluating them is knowing what your current control environment looks like.

2. Identify Relevant Scenario(s)

The second step is to determine how the various scenarios of concern are affected by the controls you already have in place.  To determine which scenarios are relevant, consider the ultimate purpose of the controls. In the case of anti-virus, the primary goal is to prevent malicious or otherwise detrimental content from infecting the device. Some of the reasons in which the detrimental content is attempting the infection in the first place may be to compromise confidential data or cause an outage of a key system. You need to have an understanding of the current risk associated with these events before you can understand how removing an existing control will impact the exposure.

3. Model Control Impacts

Third, you can use RiskLens platform, incorporating the FAIR model, to run and compare multiple scenarios to determine the change in exposure if you were to dial back any of the controls or, in this case, if you were move from three AV’s down to two.

In order to do so, you need to be able to estimate the relative impact each of the individual controls is having on the scenario(s) in the current environment. In this example, using the reporting you get from the various AV tools you have, you can determine the amount of malicious activity that is being blocked by each one of the layers along the way and take this information to inform the FAIR model.

Using this approach, you can do a series of “what if” analyses each modeling a different potential control environment (I.e. AV 1 + 2, AV 1 only, AV 2 + 3, etc.). From there, you can easily compare the results of the “what if” analyses to current-state analyses you did originally in order to determine the change in risk.

4. Compare Control Effectiveness to Maintenance Cost 

The final step is taking that comparison of the change in risk and comparing it to the cost to maintain that control.  If the cost to maintain that current control is $100K on an annual basis but it is really only causing a reduction in risk by about $10K, there might be an opportunity to remove that control altogether so that $90K can be invested elsewhere.

Note: When performing any type of a comparison analysis, take into consideration that a particular control may not affect every scenario of concern in the same way.  In one scenario it could make sense to roll back the control but in another it may not be worth it.  You must take a holistic approach and consider all probable scenarios in which the control is relevant, rather than a siloed one looking at only one control.