Using Aggregate Control Effectiveness in the Real World
This is my third post about Aggregate Control Effectiveness. In the first one, I introduced the concept and how it helps cybersecurity and risk teams decide on the controls that will optimize cyber posture. While we are comfortable evaluating individual control effectiveness, there is a need to understand how a change to an individual control affects the organization’s overall cyber posture.
In my second post, I discussed how Aggregate Control Effectiveness helps resolve the tension between meeting compliance requirements and improving cyber posture. The former is about what practices and requirements you need to do, and the latter is about how you do it, i.e., the controls you actually implement. The discretion you have in selecting controls enables you to do both.
As promised, this post provides a real-world example of how you can use Aggregate Control Effectiveness. I decided to use the Colonial Pipeline ransomware attack for context. Management is surely asking: what are we doing to make sure this does not happen to us?
To start, let’s take a closer look at the techniques and tools used by the DarkSide ransomware group. FireEye’s Mandiant team’s analysis is insightful.
They map the steps and tools used by DarkSide to accomplish their double extortion – data exfiltration and data encryption. While Monaco Risk's Cyber Control Simulation (CCS) solution's external attacker templates are based on MITRE ATT&CK, we have no problem adjusting to Mandiant’s taxonomy, which is very similar to ATT&CK.
I built the table below by mapping each technique and tool Mandiant described to one or more controls that could be used to block or detect them. My purpose here is to show the wide variety of controls that could be strengthened or added to prevent an incident like this. You may have other controls in mind.
Obviously, DarkSide is just one of many ransomware groups. And ransomware is just one of many types of risks that management is concerned about. MITRE ATT&CK describes hundreds of techniques and sub-techniques that can be used in thousands or tens of thousands of different combinations. Therefore, making control decisions based on one specific ransomware group may not be the best approach. But it does provide a good illustration of how Monaco Risk's approach works.
Rather than focus on one risk, ransomware, Monaco Risk uses all of the risks management is concerned about. Furthermore, CCS graphs most, if not all, attack paths through an organization from the initial threat action to attaining the objective.
While understanding that an organization has dozens, if not hundreds, of deployed controls, for a moment let’s look at the smaller number of controls that I identified above that could prevent or reduce the impact of the Colonial Pipeline incident.
How would you decide how to allocate budget and prioritize investments among Email security, Multifactor Authentication, Vulnerability scanning / Patching cadence, endpoint agents, fine-grained network segmentation, configuration hardening, deception, DLP, and Backup/Recovery controls? All of these are reasonable choices. And even if you have enough budget for all of them, in what order should they be implemented?
Our approach starts with analyzing your currently deployed controls to establish your baseline Aggregate Control Effectiveness. In addition, we provide several ways to visualize each control's impact on preventing the loss events management is concerned about.
Then we run “what-if” scenarios for each alternative you are considering by calculating how it impacts Aggregate Control Effectiveness. We found some results that are counter-intuitive.
Note that we are surely NOT saying to just follow the results of our analyses, i.e., implement the controls with the highest impact on Aggregate Control Effectiveness. There are many factors within an organization that we are not modeling yet, such as the relationship between the cybersecurity team, the risk management team, the IT team, and the various business units involved. But we are providing a starting point.
Also, note that “what-if” scenarios can be run on multiple control choices. So if the top choice is not feasible, it’s possible that #2 and #4 are more feasible and have as much of an impact as the top choice.
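To make the baseline and "what-if" steps above concrete, here is a small attack-path model written for this post as an added example. It is not Monaco Risk's CCS, and every path, control-to-technique mapping and effectiveness value in it is constructed for illustration. It assumes two things that the post does not state and that a real model need not share: each control covering a technique acts independently, and the attacker takes the path most likely to succeed, so Aggregate Control Effectiveness is one minus the success probability of the weakest path. Under those assumptions it reproduces two points made above: strengthening a control that only sits on one path can leave the aggregate unchanged when another path bypasses it, and a combination of lower-ranked choices can be scored against the top choice.

```python
"""Toy attack-path model of Aggregate Control Effectiveness (ACE).

Constructed example for illustration only: the paths, the control coverage
and the effectiveness values are made up; none of this is Monaco Risk's CCS.
"""
from typing import Dict, List, Sequence, Tuple

# Attack paths from initial threat action to objective (constructed, loosely
# following the double-extortion pattern: exfiltrate data, then encrypt it).
ATTACK_PATHS: Dict[str, List[str]] = {
    "phish_then_exfiltrate": ["phishing_email", "credential_theft",
                              "lateral_movement", "data_exfiltration"],
    "vpn_then_encrypt": ["vpn_password_login", "lateral_movement",
                         "data_encryption"],
    "phish_then_encrypt": ["phishing_email", "malware_execution",
                           "lateral_movement", "data_encryption"],
}

# Which control can block or detect which technique (constructed mapping).
CONTROL_COVERAGE: Dict[str, List[str]] = {
    "email_security": ["phishing_email"],
    "mfa": ["vpn_password_login", "credential_theft"],
    "endpoint_agent": ["malware_execution", "data_encryption"],
    "network_segmentation": ["lateral_movement"],
    "dlp": ["data_exfiltration"],
}

# Baseline effectiveness per control: probability that the control stops the
# technique when it is attempted (0.0 = not deployed). Constructed values; in
# practice these come from SME opinion, pen tests, red teams or BAS tools.
BASELINE: Dict[str, float] = {
    "email_security": 0.6,
    "mfa": 0.0,
    "endpoint_agent": 0.5,
    "network_segmentation": 0.2,
    "dlp": 0.0,
}


def step_success(technique: str, effectiveness: Dict[str, float]) -> float:
    """Probability the attacker gets past one technique.

    Assumption: covering controls act independently, so the attacker succeeds
    only if every covering control fails. An uncovered technique always succeeds.
    """
    p = 1.0
    for control, techniques in CONTROL_COVERAGE.items():
        if technique in techniques:
            p *= 1.0 - effectiveness.get(control, 0.0)
    return p


def path_success(path: Sequence[str], effectiveness: Dict[str, float]) -> float:
    """Probability the attacker completes every step of one path."""
    p = 1.0
    for technique in path:
        p *= step_success(technique, effectiveness)
    return p


def aggregate_control_effectiveness(effectiveness: Dict[str, float]) -> float:
    """Weakest-path assumption: the attacker takes the most likely path,
    so ACE is one minus the best path's success probability."""
    worst = max(path_success(path, effectiveness) for path in ATTACK_PATHS.values())
    return 1.0 - worst


def what_if(changes: Dict[str, float], base: Dict[str, float] = BASELINE) -> float:
    """ACE after applying a candidate change (one control or a combination)."""
    scenario = dict(base)
    scenario.update(changes)
    return aggregate_control_effectiveness(scenario)


def rank_scenarios(candidates: Dict[str, Dict[str, float]]) -> List[Tuple[str, float, float]]:
    """Score each candidate and sort by resulting ACE; the third field is the gain over baseline."""
    base = aggregate_control_effectiveness(BASELINE)
    scored = [(name, what_if(change), what_if(change) - base) for name, change in candidates.items()]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    candidates = {
        "stronger email security": {"email_security": 0.9},
        "deploy MFA": {"mfa": 0.9},
        "fine-grained segmentation": {"network_segmentation": 0.7},
        "deploy DLP": {"dlp": 0.8},
        "email security + segmentation": {"email_security": 0.9, "network_segmentation": 0.7},
    }
    print(f"baseline ACE = {aggregate_control_effectiveness(BASELINE):.2f}")
    for name, ace, gain in rank_scenarios(candidates):
        print(f"{name:32s} ACE = {ace:.2f}  gain = {gain:+.2f}")
```

With the constructed baseline, the VPN login path has no MFA in front of it and is the weakest path, so raising email security from 0.6 to 0.9 or adding DLP changes nothing in the aggregate, while deploying MFA moves it the most. That is the kind of counter-intuitive result the post refers to, and the reason a single control's effectiveness is not the same thing as its effect on posture.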
Then there is the compliance factor to consider. The reality is that compliance frameworks are important. In fact, we recommend that all organizations select a cybersecurity framework to drive their cybersecurity programs. More on this in another article.
A key insight we realized is that meeting compliance requirements does not have to take budget away from improving cyber posture because you have wide discretion on how a specific compliance requirement is met. You can use Monaco Risk CCS to determine that a control for a particular compliance requirement may not have a significant impact on cyber posture. So using a lower cost control that is simpler to deploy might be the best answer here, leaving budget available for the controls that do have impact on cyber posture.
A final point on establishing the baseline Aggregate Control Effectiveness: we do need inputs on the effectiveness of individual controls. These input values are set by a combination of subject matter expert opinions and the results of one or more of the following: pen testing, red team exercises, Breach and Attack Simulation products, and Security Control Validation tools.
In closing, I have attempted to show how we might use Monaco Risk’s CCS solution and services to assist an organization looking to decide which controls to implement to improve its cyber posture. For illustrative purposes, I used the techniques and tools used by DarkSide, as described by FireEye's Mandiant team, in the Colonial Pipeline ransomware incident.
Does our approach seem reasonable? Please let me know if you have any questions.