In August 2020, I co-authored with Rob Newby a three-part blog series on LinkedIn entitled Taking Control of Security under Increasing Threat. In the blog series, I discussed risk assessments, continuous improvement, and maturity assessments as mechanisms to identify risks and drive security capability improvements.
In this blog post, I take a different yet complementary approach. I discuss how organizations can utilize their security incident response process with enterprise risk management to identify risks that may be challenging to identify through more traditional risk assessment approaches.
Risk Assessment as a Continuous Process
In my view, continuous risk assessment is a critical component in managing cyber risk. A risk assessment is not a one-off activity performed annually. Instead, it requires ongoing identification and evaluation of risk in today’s dynamic business and technology environment.
Business activities and their supporting ecosystems, including the technologies that enable those activities, expose organizations to evolving threats. Several industry-accepted frameworks are available to help organizations identify and evaluate risks associated with cyber threats. The NIST SP 800-30 Guide for Conducting Risk Assessment prescribes the following steps to conduct a risk assessment:
Identify relevant threat sources
Identify potential events associated with those sources
Identify exploitable vulnerabilities
Determine the likelihood of vulnerability exploitation
Determine the adverse impact resulting from the potential exploitation
Determine security risks as a combination of the likelihood of vulnerability exploitation and its impact
Risk identification requires a cross-functional effort, risk ownership, and accountability assignment. Information Security does not own risk. Instead, its function is to work with stakeholders across the organization to identify and evaluate risks and implement controls to ensure that those risks remain at an acceptable level.
Without recognizing and accepting risk ownership and accountability, organizations tend to treat the Information Security department as a dumping ground for problems that are low priority to business owners and other senior executives. This lack of due diligence in assessing risk leaves security in the hands of technical personnel, leading to misalignment of controls with strategic objectives, ineffective allocation of organizational resources, and a false perception of security.
In the next section, I describe how this cross-functional approach in the context of incident response can help organizations uncover and more effectively manage risk.
The Role of Incident Response in Risk Identification
The primary risk identification method for many organizations is to conduct a security risk assessment, typically annually. A risk assessment focuses on identifying and evaluating threats to help organizations allocate resources as part of the overall risk management process.
A formal risk assessment may not uncover all security weaknesses. Often, when organizations experience a significant incident or a security breach, many previously unrecognized or untreated vulnerabilities surface. Organizations recognize their significance when a breach leads to a serious data privacy, operational, financial, or reputational impact.
During a breach investigation, responders often uncover serious, previously unknown or ignored security vulnerabilities. Those vulnerabilities exist because of budget constraints, poor governance, or a lack of an integrated, enterprise-wide risk management approach.
For example, technical responders often observe Active Directory design weaknesses and inappropriate access control mechanisms, insufficient network segmentation, or vulnerable legacy technologies. On the other hand, more senior stakeholders who form a strategic incident response team (IRT) may uncover process and governance deficiencies, inappropriate administrative controls, or skill shortages.
All the findings during a breach investigation can provide a unique view into threats and vulnerabilities that should be evaluated through a risk assessment process.
The following section provides examples of how organizations can integrate their incident response process with other processes to manage risk more effectively.
Incident Analysis and Risk Identification
After a significant incident or breach, organizations need to perform root cause analysis to identify the security weaknesses that led to the breach. These may include:
Insecure technology implementation
Vulnerable, unsupported technologies
Inappropriate governance and process failures
It is worth emphasizing that it is rare for a single vulnerability to lead to a breach. In most scenarios, a combination of multiple vulnerabilities, control deficiencies, and an insufficiently enforced defense-in-depth strategy allows a threat actor to progress through the phases of the attack lifecycle.
Incident analysis is crucial to identifying the root cause of an incident or a breach. To effectively identify the root cause, organizations need to analyze the incident at the following levels:
Technical - technical investigation and forensic analysis of compromised systems
System architecture - review of system security architecture
Organization - review of governance effectiveness, process controls, and previously accepted risks that led to the compromise
This approach is aligned with the risk assessment framework prescribed by NIST SP 800-30 Guide for Conducting Risk Assessment.
The findings from incident analysis can inform the organization about potential risk. For this reason, adding higher-severity risks to a risk register for formal risk evaluation and treatment is essential. If the organization does not address the findings through a formal risk assessment process, in my experience, it is just a matter of time before another breach occurs. This is especially important for risks where control implementation requires funding and dedicated projects.
A risk assessment is a continuous process in today's dynamic business and technology environments. A formal risk assessment is limited in scope and rarely identifies all security weaknesses. During a breach investigation, responders often uncover serious, previously unknown, or ignored security vulnerabilities. As a result, organizations need to integrate their post-incident review process with their risk assessment process to identify and treat previously unknown risks. A root cause analysis is a critical component that bridges those processes.