A Useful Tool for Cyber-security Risk Assessment
Cyber-security risk management culture has not adapted to modern development methods. This new tool can change it.
Who is this for?
- who have accountability for business risk and cyber-security
- who work on development teams with security analysts
In the spirit of bootstrapping, this post walks you through a quick Threat/Risk Assessment for the cyber-security of the QTRA.io platform — a new cloud service for creating, sharing, and managing Quick Threat/Risk Assessments (QTRAs).
Why is this a problem that needs a solution?
- Integration: There are no useful tools to define a security road map for a project in a modern iterative development environment.
- Collaboration: Enterprise security methodologies assume roles, cadences, and outcomes that just don’t appear in an increasing majority of new development and ops projects.
- Compliance: Doing business with a large company or government client requires mandatory cyber-security risk assessments as a bar to entry. Current methods don’t handle iterative development and continuous delivery well, and often not at all.
- Repeatability: Existing paper standards have too much process overhead for most organizations. Ad hoc technical approaches lack consistency.
What is the solution?
A useful threat/risk assessment tool.
One that evolves the role of security analysts, to become more integrated and collaborative in shipping product, and moves projects forward.
How does it work?
An analyst uses QTRA.io to produce the current security posture of a development project and present it to stakeholders, while updating it as each product in their portfolio evolves.
QTRA.io reduces the time and resource needs of a cyber-security risk assessment by a factor of ten by distilling the useful parts of formal security methods (with thousands of real world consulting hours) into a dynamic, cloud based tool.
The result is a view of cyber-security risk posture that reflects the current iteration of a product. A security analyst using QTRA.io provides:
- Road map items for managing product security posture
- Scope for vulnerability scans and assessments, code reviews and penetration tests
- Criteria for vendor security product evaluation(e.g. do you need it & what to buy and why)
- Self-documentation for compliance requirements
A QTRA has four sections:
- Decide what is important — Assets
- State how you protect it — Controls
- List the technologies that make it up — Technologies
- Evaluate the threats relevant to your business — Threats
The videos below show how you can produce a dynamic assessment of threats and risks in a tiny fraction of the time ( previously, weeks!) that legacy, paper and narrative processes required.
An asset is something valuable you protect. Assets in an organization roll up into categories of People, Processes, Technology, and Information. (*PPTI)
The simplest business analysis asks, “what do we need to protect, and in what priority order?”
For this assessment, the key business assets of the QTRA.io startup platform are:
- my customer data (risk models in the graph database, like the one we are creating now)
- my customer organization identities (e.g. ID’s of customers associated with the data)
- my Service Level Agreement for cloud our service infrastructure
The following short video shows how to kick this off by scoping assets and ranking them in order of importance.
It’s that simple — and powerful.
How are we protecting the assets today?
The security analysts job is to find out from developers, architects, operations teams, and other stakeholders what cyber-security controls are in place, are planned, or what they expect will be in place.
The analyst describes the controls using terms of art from the established best practice methodologies that underlie the QTRA.io workflow. (Analysts have familiarity with these from their previous security training or certification.)
The following short video continues from the previous one and shows how we add those controls to each asset in the assessment.
If we need to add a new control as the solution evolves we can go back and add it on the fly.
User stories, release notes, and code comments by themselves simply don’t produce the answers key business stakeholders need. Using QTRA.io, the analyst develops an accurate picture of the end-to-end technology stack without interrupting developer flow with requests for documentation and architecture diagrams.
In the “Technologies,” section of the QTRA, the analyst works with the development and operations team to complete the picture of the technology stack that realizes a business asset, and the potential technologies the asset has exposure to.
The following video shows how the analyst adds and tracks the current technology stack for each business asset.
Your projects become architecturally self-documenting as the result of tracking these technology dependencies and controls, which is just one game changing effect of a useful security assessment.
A key difference between a security risk analysis using a QTRA and technical vulnerability analysis is the business question, “who benefits?”
Modelling threats during development filters the noise out of vulnerability news cycles, and provides a short answer to the question, “how does this affect us?”
In a QTRA, we model threat agents based on their perceived technical skill, and their relative authority or privilege.
At a business level the analyst defines threat agents according to their model of incentives, conceptually co-related to, “means, motive and opportunity.” This anticipates the effects of new technical vulnerabilities by defining the parties, their capabilities, and your exposure to them ahead of time. A model relevant to your business keeps your organization from being jammed in a reactive mode when the market reveals a new cyber-security issue.
In a QTRA, the analyst updates threat scenarios throughout the project as they become known or relevant.
QTRA.io models internal and external attackers, but also ones with de-facto insider status like state sponsored attackers, suppliers, and political factors. The security analyst will use the threat intelligence they have about the business and market to determine the parties your business needs to be most concerned about, and model them based on the category of skill and privilege of relevant attackers.
The following video shows how to use QTRA to define precise, actionable statements about threat agents, their motivation, and their impact.
And that wasn’t even the coolest part.
Once you have modeled the threats and described the assets, the completed QTRA triage is added to your management console. From there, you can edit, share, and play the slide presentation of your cyber-security risk posture, which the QTRA.io platform generates dynamically from its back-end graph. The new features we have planned for the console are very exciting, and I hope you will keep in touch for when we launch them.
The clear presentation of cyber-security risk factors is the basis for consensus on the risks you face as an organization. A single source-of-truth for cyber-security risks aligns your team and their stakeholders on the priority of mitigating them. This integrated and collaborative approach to creating it ensures built-in traction for the solutions.
The QTRA.io platform analyzes the data we have added into a private, individual user “ontology,” and produces a visual slide presentation. The presentation is generated from the data on the fly, so it reflects changes and the current state of the projects risk posture automatically.
The analyst can share the presentation with project stakeholders, and present it directly as a normal slide deck. The presentation provides:
- Gap analysis of your controls
- Reference model for cyber-security
- User stories for risk mitigation
- Scope for vulnerability assessments, code reviews, and penetration tests
- Evaluation criteria for new security products in your infrastructure
The presentation shows threat scenarios ranked by their relative likelihood and impact, which aligns stakeholders on the priority of different risks. It has three key parts, which include the summary presentation, the depth of the threat and risk models, and then the final ~7mins shows how to re-edit it in seconds and recalculate project security posture on the fly.
Questions, or interested in a video conference demo? Get in touch! An open ended conversation with people interested in a solution like this is the single most valuable way I can spend my time as a founder. I look forward to hearing from you!
Check-in at the http://qtra.io contact link and get on the list for exclusive pre-beta access. Stay tuned for our Privacy Impact Assessment, and point compliance modules in summer ‘18.