Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

February 26, 2021  Jeff B. Copeland

We are frequently asked if RiskLens and the FAIR™ standard will work with an organization’s existing practices based on the NIST Cybersecurity Framework (NIST CSF), the MITRE ATT&CK knowledge base and the COSO Enterprise Risk Management Framework. The answer is yes – and in fact, RiskLens and FAIR act as a force multiplier for those other elements in the security and risk management stack by introducing the power of risk quantification.

Here’s a quick rundown on enhancing this trifecta with RiskLens (and some good resources to get the details).

FAIR and RiskLens

Factor Analysis of Information Risk (FAIR) is the international standard for analyzing cyber risk in quantitative (financial) terms by breaking down the elements of risk into quantifiable factors. The RiskLens platform makes FAIR analysis fast and easy, and ultimately turns it into a decision support tool. The platform guides you through creating risk scenarios for analysis, along the lines of the statement “threat actor uses a method to attack an asset resulting in a loss.” A sample from the platform:

[Image: RiskLens platform scenario description]

Then the platform helps you input the data to fill out the quantifiable factors in the FAIR standard (see it here) and runs the data through Monte Carlo simulation to produce a range of probable outcomes for your risk scenarios, in dollar loss terms. You can quickly identify your top risks or run what-if analyses to see, for instance, the effect on risk reduction of adding controls or changing security processes. You can also select a risk appetite and plot the simulations against that.

[Image: Top Risks Report from RiskLens, including Risk Threshold]


Learn how RiskLens can enhance your ongoing practices with NIST CSF, MITRE ATT&CK and COSO ERM – contact us.


NIST CSF and RiskLens

The Cybersecurity Framework is the most widely used compendium of best practices in cybersecurity and cyber risk management. Many organizations adopt controls and processes along a path of increasing maturity laid out in the framework, and reckon that as a proxy for decreasing risk. But it is just a proxy – the framework itself can’t tell you if your risk level (or loss exposure in dollar terms) is in fact decreasing with higher maturity. And it can’t help you choose one control over another, based on their probable effect on loss exposure.

Organizations use RiskLens to identify their top risks, then go to the NIST CSF to identify the relevant controls, then go back to RiskLens to see which of the controls would give the best value, using the Risk Treatment Analysis capability. In effect, they use RiskLens to redefine “maturity” as risk reduction over time, in terms of dollars of loss exposure saved. The CSF actually recommends FAIR as a best practice for cyber risk analysis and risk management.
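To make the mechanics above concrete, here is an added example (not RiskLens code) of the two steps the article describes: a Monte Carlo run over the top-level FAIR factors, Loss Event Frequency times Loss Magnitude, reported as a percentile range against a risk appetite, and a risk-treatment comparison of a hypothetical control by expected loss avoided per dollar spent. The calibrated ranges, the $2M appetite and the $100k control cost are constructed sample inputs, and a triangular distribution stands in for the PERT distribution FAIR tools usually use.

```python
import math
import random
from statistics import mean, quantiles

def poisson(rng, lam):
    """Knuth's method for one Poisson draw; fine for the small rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_loss(lef, lm, iterations=10_000, seed=1):
    """One FAIR scenario: lef / lm are (min, most likely, max) ranges for loss
    events per year and dollars per event. Returns one total per simulated year."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    lo_f, mode_f, hi_f = lef
    lo_m, mode_m, hi_m = lm
    losses = []
    for _ in range(iterations):
        # Triangular stands in for FAIR's usual PERT; note triangular(low, high, mode) order.
        rate = rng.triangular(lo_f, hi_f, mode_f)
        events = poisson(rng, rate)  # frequency is a count, so draw the event count
        losses.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events)))
    return losses

def summarize(losses, risk_appetite):
    """Percentile view of loss exposure plus the share of years over the appetite."""
    cuts = quantiles(losses, n=10)  # 9 cut points: 10th ... 90th percentile
    return {"p10": cuts[0], "p50": cuts[4], "p90": cuts[8], "mean": mean(losses),
            "years_over_appetite": sum(x > risk_appetite for x in losses) / len(losses)}

def treatment_value(baseline, treated, annual_control_cost):
    """Risk-treatment comparison: expected annual loss avoided per dollar of control spend."""
    return (mean(baseline) - mean(treated)) / annual_control_cost

# Constructed sample inputs, not figures from the article or the platform.
LEF = (0.5, 2.0, 6.0)              # loss events per year
LM = (50_000, 200_000, 1_000_000)  # dollars per event
RISK_APPETITE = 2_000_000          # tolerable annual loss, dollars

if __name__ == "__main__":
    base = simulate_annual_loss(LEF, LM)
    print(summarize(base, RISK_APPETITE))
    # Hypothetical control that halves event frequency at $100k per year.
    treated = simulate_annual_loss((0.25, 1.0, 3.0), LM)
    print("loss avoided per control dollar:", treatment_value(base, treated, 100_000))
```

Swapping in a second candidate control with its own ranges and cost and comparing the two ratios is the financial-terms choice between controls the article attributes to Risk Treatment Analysis.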

MITRE ATT&CK and RiskLens

[Image: MITRE ATT&CK matrices]

MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario (“threat actor uses a method to attack an asset resulting in a loss”).

Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.

MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.

Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.

COSO ERM and RiskLens

[Image: COSO ERM Risk Management Components]

Many organizations use the COSO framework to guide their enterprise risk management, but integrating cyber risk management with ERM was problematic without a way to quantify that risk in the financial terms that the rest of the enterprise understands. FAIR and RiskLens finally bring cyber risk into alignment with ERM.

In 2020, the COSO management committee issued a report written by Deloitte, Managing Cyber Risk in a Digital Age, that lists 20 principles for effective cyber risk management. Reporting generated by the RiskLens platform can fulfill each of them – in fact the COSO document calls out FAIR as a tool for “management to align the cyber security program to the business objectives and set targets.”

To list some of the principles:

  • PRINCIPLE 1. EXERCISES BOARD RISK OVERSIGHT
  • PRINCIPLE 7. DEFINES RISK APPETITE
  • PRINCIPLE 8. EVALUATES RISK MITIGATION STRATEGIES
  • PRINCIPLE 11. ASSESSES THE SEVERITY OF RISK
  • PRINCIPLES 12 & 13. PRIORITIZES RISK AND RISK RESPONSE

What’s the total value of leveraging all four: NIST CSF, MITRE ATT&CK, COSO ERM and RiskLens?

To sum it up at a high level:

  • RiskLens helps you identify your top risks and risk appetite
  • NIST CSF directs you to the controls and processes to mitigate those top risks, and provides a framework for security governance
  • RiskLens helps you choose among those controls and processes based on quantifiable risk reduction
  • MITRE ATT&CK sharpens your view of attack paths, improving your RiskLens analysis
  • RiskLens + MITRE ATT&CK informs your SOC on how to prioritize alerts and detections by their probable loss impact on the business
  • COSO ERM provides a framework for governance of enterprise risk management
  • COSO ERM + RiskLens aligns cyber risk management with enterprise risk management, informing decision makers on the strategic value of cybersecurity in financial terms



Resources:

Video Introduction to the RiskLens Platform

Podcast: Understanding the NIST CSF and FAIR Integration

Video: How Cimpress Prioritizes NIST CSF Activities with FAIR and the MITRE ATT&CK Framework

3 Steps to Combine MITRE ATT&CK and FAIR to Focus Cyber Risk Management

10 Ways RiskLens Can Help Implement COSO’s Cyber Guidance