Measure and Improve Aggregate Control Effectiveness
Selecting a cybersecurity control based on its individual effectiveness can be misleading.
A new, upgraded, or replacement control, no matter how effective in and of itself, may not improve Aggregate Control Effectiveness, i.e., the overall effectiveness of the combination of all deployed technical and administrative controls.
Monaco Risk’s Cyber Control Simulation tool helps you measure and improve Aggregate Control Effectiveness.
During the last few years, we have come to understand that a successful cyber attack consists of a series of steps that an adversary must complete. This concept of attack sequences is not new, having first been articulated by security analysts at Lockheed Martin. However it's the MITRE ATT&CK® framework that is now the lingua franca for describing threat scenarios. The MITRE team has organized, cataloged, and documented the vast majority of known tactics, techniques, and sub-techniques, and made the information freely available.
Therefore we can now more easily and thoroughly analyze the controls* we deploy in terms of their abilities to detect and block these tactics and techniques. A variety of vendors now provide automated tools that enable us to validate our security controls using MITRE ATT&CK. In addition, MITRE itself performs evaluations of controls against specific threat scenarios used by teams of adversaries.
*From our perspective, a control refers to anything technical or administrative that can detect, prevent, and/or limit an adversarial tactic or technique. The goal is to reduce the risk of loss events like ransomware or sensitive information exfiltration. Another way of putting it, a control is anything you have control over that improves cyber posture.
As important as it is to understand the effectiveness of individual controls, it is critical to determine the effectiveness of our set of deployed controls that together represent an organization's overall cyber posture. In other words, what is our Aggregate Control Effectiveness, i.e., the overall strength of the combination of controls we’ve deployed against the loss events of highest concern to management?
Therefore improving overall cyber posture has two facets. One, selecting the best control for one or more specific tactics and techniques, and two, due in part to budget constraints, choosing between controls which detect different tactics in a threat scenario, and have a greater impact on Aggregate Control Effectiveness. For example, suppose we must choose between upgrading endpoint agents and increasing the use of data-at-rest encryption. Clearly this is oversimplified because another alternative might be to upgrade endpoint agents only on critical assets. In the real world there will likely be many more than two alternatives that need to be analyzed and compared.
The question is then, when budget constraints won't allow us to both upgrade endpoint agents and increase data encryption in the above example, which choice would provide a bigger improvement of Aggregate Control Effectiveness?
In reality, we make these kinds of decisions all the time. However, in my experience the decision-making process has been ad hoc. This can result in investments that don't increase Aggregate Control Effectiveness. Here at Monaco, we use our Cyber Control Simulation tool to inject a degree of objectivity, repeatability, and documentation into this decision-making process. If you're curious about what we do, please contact me via LinkedIn. Or if you just want to be updated on what we're doing, please provide your email address below.