A HIMSS 2018 survey of healthcare IT CIOs and CISOs suggests that the health sector is beginning to treat information security as general risk management.
Increasingly, risk managers assess the threat of a potential “cyber” event much like the threat of an earthquake or active shooter.
First, they quantify the loss expectancy, given the systems already in place, in terms of impact to the organization. The next step is to assess whether additional actions can be taken to minimize that impact.
At the same time, risk management programs are recognizing that the impact is expanded by regulatory oversight, such as the HIPAA security rule. In fact, risk management is becoming the lingua franca of the C-Suite in the boardroom.
Using the NIST Cybersecurity Framework
Network environments deploy a variety of information security controls; an average portfolio of these controls is shown below. These controls are aligned with the goals of the NIST cybersecurity framework to support the functions of Prevent, Detect, and Respond.
Prevent | Detect | Respond
Firewall | Intrusion Detection System | Alert
Intrusion Prevention System | Log Aggregation and Review | Triage
Email security | Security Information/Event Management | Investigate/Confirm
URL filtering | | Quarantine
Anti-Virus/Endpoint Security | | Remediate
These security controls directly affect the mathematics of risk management.
An expression for quantifying risk is:
R = P(Tv) * I
That is, Risk equals the product of the Probability of a Threat being realized (usually as a result of some vulnerability being exploited) and the Impact of that Threat being realized.
Interestingly, preventive controls reduce the Probability, or likelihood, that the threat will be realized at all.
In other words, your preventive controls are in place to avoid the compromise of computing assets in your environment. However, today it’s a poor assumption that these controls will be perfect. Therefore, the probability of a compromise remains non-zero, and, in fact, is material.
Detection and response functions, on the other hand, can affect the Impact, or consequence, of the threat being realized. Identifying a compromised asset on a network and immediately quarantining and remediating turns a potential existential event into a desktop cleanup — a huge difference in the consequence. Minimizing that impact should be a key performance indicator in risk management.
How to Minimize the Impact
When prevention fails, accurate detection and effective response can minimize the impact.
Detection and response are the most critical keys organizations need to ensure a backyard fire does not burn down the forest.
Here are 5 questions to consider if you want to minimize the impact of an IT security incident:
- Are you adequately aggregating network traffic, network device and server logs, security product alerts?
- Are you able to detect suspicious network events that may have IT security implications?
- Do you have a means of investigating and confirming suspected security incidents?
- When a security incident is confirmed, are you able to rapidly contain, preserve evidence if necessary, and clean the compromised asset?
- And finally, if you answered “yes” to the above, for your organization, how much time would have passed between the initial compromise and final resolution, including the time to detect?
The metrics that are most important to minimize are:
- The time to initial detection of a compromise (current average: ~200 days);
- The time to reach full recovery.
There is a straight line between minimizing these and reducing the impact term of the risk expression. Hence, improvement in these metrics can be reported to the C-Suite and Board of Directors as a success.
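The following is an added example, not code from the article or from Critical Insight, that works the risk expression above through in Python: preventive controls scale the probability term, while detection and response shrink the impact term via dwell time. The incident timestamps, the daily loss rate, the cleanup cost and the linear impact model are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Incident:
    """One confirmed compromise with the timestamps the article's two metrics need."""
    compromised: datetime   # initial compromise (often only established during investigation)
    detected: datetime      # first alert that was triaged and confirmed as an incident
    recovered: datetime     # asset quarantined, remediated and back in service

    def time_to_detect(self) -> timedelta:
        return self.detected - self.compromised

    def time_to_recover(self) -> timedelta:
        return self.recovered - self.compromised

# Constructed sample incidents (hypothetical dates, not real data).
SAMPLE_INCIDENTS = [
    Incident(datetime(2018, 1, 1), datetime(2018, 1, 11), datetime(2018, 1, 13)),
    Incident(datetime(2018, 2, 1), datetime(2018, 2, 21), datetime(2018, 2, 26)),
]

def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400

def mean_time_to_detect_days(incidents) -> float:
    return mean(_days(i.time_to_detect()) for i in incidents)

def mean_time_to_recover_days(incidents) -> float:
    return mean(_days(i.time_to_recover()) for i in incidents)

def residual_probability(base_probability: float, preventive_effectiveness: float) -> float:
    """Preventive controls reduce P; effectiveness is the assumed fraction of attempts stopped."""
    return base_probability * (1.0 - preventive_effectiveness)

def impact(days_exposed: float, loss_per_day: float, cleanup_cost: float) -> float:
    """Assumed impact model: loss grows with dwell time, plus a fixed cleanup cost."""
    return loss_per_day * days_exposed + cleanup_cost

def risk(probability: float, impact_value: float) -> float:
    """R = P(Tv) * I, the expression from the article."""
    return probability * impact_value

if __name__ == "__main__":
    p = residual_probability(0.5, 0.5)            # 0.25 once preventive controls are applied
    slow = risk(p, impact(200, 1000.0, 5000.0))   # the ~200-day average dwell time the article cites
    fast = risk(p, impact(mean_time_to_recover_days(SAMPLE_INCIDENTS), 1000.0, 5000.0))
    print(f"MTTD={mean_time_to_detect_days(SAMPLE_INCIDENTS):.1f}d risk slow={slow:.0f} fast={fast:.0f}")
```

With the same residual probability, cutting full recovery from 200 days to the sample's 18.5-day mean reduces the risk term from 51250 to 5875 under these assumed costs; the probability term is untouched, which is the article's point about where detection and response act.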
Critical Insight provides fully auditable event aggregation, analysis, alerting, investigation, 100% confirmation, quarantine, and incident action plans for IT security events. SSAE-18 examination report and HIPAA business associate agreement are available on request. Contact us to connect with one of our expert cybersecurity consultants.