CYE's Guide To Taking Security Decisions With Data

Define the threat sources and crown jewels

Organisations need to be able to identify where their vulnerabilities lie, which business-critical assets they want to protect most and the attack routes that lead to the business’s crown jewels.

Frameworks and algorithms, such as the Max-Flow Min-Cut Theorem from graph theory in computer science, help solve this complex optimization problem. When it comes to cyberwar, CISOs need to focus their efforts on the areas that matter most. They need to be able to map out and calculate which routes, if breached, can derail an entire business operation, and the best way of securing the routes that put the business at the greatest risk of attack.

Measuring the security baseline

There are multiple ways of measuring the security baseline, including risk evaluation, risk profiling, penetration testing, red, blue and purple team exercises, and so on. At the end of the process, however, organisations need to understand which threat sources can access which business-critical assets. They need to ask what the best way of achieving that is and, most importantly, how those vulnerabilities are connected, in order to draw a specific risk map of the organisation. Organisations then need to be able to understand the likelihood of each vulnerability being identified and exploited.

We believe that organisations should stop focusing on specific vulnerabilities and instead focus on complete attack routes. When looking at mitigation plans, the important part is eliminating attack routes, not eliminating vulnerabilities. If a vulnerability is mitigated, for example, but the attack route still exists, that does not accomplish much. However, if vulnerabilities still exist but the attack route is eliminated, the organisation's cyber resilience increases significantly.
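The Max-Flow Min-Cut idea and the route-versus-vulnerability argument above can be made concrete with a small added example (not CYE's own model or code). It assumes a constructed attack graph whose node names and edge weights are illustrative, with each weight standing for the cost of mitigating that step, and finds the cheapest set of steps whose removal cuts every route to the crown jewels.

```python
from collections import deque

# Constructed attack graph: each edge is one exploitable step, weighted by an
# assumed mitigation cost. Node names and costs are illustrative only.
EDGES = {
    ("internet", "vpn"): 3, ("internet", "webapp"): 4,
    ("vpn", "workstation"): 2, ("webapp", "app_server"): 5,
    ("workstation", "file_share"): 6, ("workstation", "domain_admin"): 1,
    ("app_server", "domain_admin"): 2, ("domain_admin", "crown_jewels"): 9,
    ("file_share", "crown_jewels"): 1,
}

def _reachable(cap, src):
    """BFS over edges with remaining capacity; returns {node: parent}."""
    parent, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        for (a, b), c in cap.items():
            if a == u and c > 0 and b not in parent:
                parent[b] = u
                queue.append(b)
    return parent

def min_cut(edges, src, dst):
    """Edmonds-Karp max flow; returns (total cost, edges forming a minimum cut)."""
    cap = dict(edges)
    for (a, b) in edges:
        cap.setdefault((b, a), 0)  # residual (reverse) edges start empty
    total = 0
    while True:
        parent = _reachable(cap, src)
        if dst not in parent:
            break  # no augmenting path left: flow is maximal
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[e] for e in path)
        for (a, b) in path:
            cap[(a, b)] -= push
            cap[(b, a)] += push
        total += push
    side = _reachable(cap, src)  # nodes still on the threat-source side
    cut = sorted(e for e in edges if e[0] in side and e[1] not in side)
    return total, cut

def route_exists(edges, src, dst):
    """True if any attack route from src to dst remains in the edge set."""
    return dst in _reachable(edges, src)
```

On this graph, mitigating the two cut steps leaves seven vulnerabilities in place yet no route to the crown jewels, while mitigating only the single most expensive step (`domain_admin` to `crown_jewels`) leaves a route through `file_share`.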

Setting the objectives

While there are multiple standards in the market to calculate cybersecurity maturity levels, such as CMMI and CMMC, we take a different approach by separating the different security domains in the organisation to evaluate them one by one. We calculate each security domain by measuring the security level of the organisation and benchmarking it against industry standards, geolocation and company size to understand where other organisations rank in the same security domain. If we see, for example, that an organisation is below average in the industry, we take the industry average, add one standard deviation above it, and make that the maturity level goal that we seek to achieve.

Establish the strategic program

We created a mathematical structure, which enables us to identify the most probable attack routes and prioritize them based on the likelihood of them being exploited. We can calculate and quantify the specific risk reduction that was associated with the attack route. This can provide a clear mathematical evaluation for the cybersecurity risk of the organisation, as well as the cost of potential damage and the cost for mitigation that is associated with the plan.

Ultimately, CYE’s unique approach:

  • Takes cybersecurity from compliance-based to fact-, data- and mathematics-based.
  • Ensures that mitigation and cybersecurity programs are tailor-made per organisation.
  • Starts with identifying gaps and then tailoring the solution, not vice versa.
  • Identifies real attack routes and mimics actual hackers, without making assumptions.
  • Focuses on attack routes, rather than specific vulnerabilities.
  • Takes the technical impact of cybersecurity to the business impact of cybersecurity.

With the attack surfaces increasing exponentially and the rapid pace of changes in the external and internal threat landscapes, cybersecurity assessments must be conducted on a continuous basis, using a mathematical approach that ensures that your organisation is actually improving and not fortifying its cybersecurity maturity score.