By Kaus Phaltankar, Chief Sales Officer, Enterprise Risk Management & President, Virtustream Security Solutions
Every day, enterprises are faced with new and constantly evolving threat vectors. The bad actors have to get it right only once, while enterprises have to defend themselves continuously and get it right every time!
Enterprise Risk Management (ERM) has emerged as an important business trend that builds a holistic and integrated approach to risk management across the enterprise. ERM encompasses a number of risk areas, including Information Technology (IT) Risk, Operational Risk, Regulatory Compliance Risk, Financial Risk and Reputational Risk.
The ERM risk areas are affected by the security within the enterprise. There is a paradigm shift within enterprises to move away from ‘managing security by compliance to managing security by risk.’ This moves the organization from managing security, Information Assurance (IA) or compliance through a discrete, snapshot-in-time ‘checklist-based’ approach to a real-time ‘continuous risk management’-based approach. ERM provides stakeholders and decision makers with a risk view across the enterprise, with detailed risk by department, bureau or information system. The risk view is available on demand, as well as over a period of time, to see how the Information System owners and leaders are managing risks.
This risk-based approach requires quantification of the risks identified by the various security and compliance tools that monitor assets ranging from hardware and software to business-critical applications. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) defines the point security technologies, such as Asset Management Systems, Configuration Management tools, Vulnerability Scanners, Security Information and Event Management (SIEM) systems, as well as Governance, Risk and Compliance (GRC) tools, as ‘Sensors.’ The Department of Homeland Security (DHS) Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CAESARS) framework refers to the sensors in its ‘Sensor Sub-system’ for collecting data about enterprise asset risks, which are then analyzed and quantified using risk scoring algorithms. These per-asset risks are aggregated by Information System(s) and by the mission-critical functions supported by those information systems. The critical emphasis is on continuous risk monitoring that is automated through machine-to-machine information exchange over standards-based protocols such as the NIST Security Content Automation Protocol (SCAP). The continuous nature of the analysis allows information system owners to assess risk on a near real-time basis and become proactive in mitigating risks using a prioritized response.
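The sensor-to-scoring-to-aggregation flow described above, as an added example that is not code from the original article or from Virtustream's ACE product. The severity weights, age escalation rule, asset names, inventory and sensor findings are all constructed for illustration; the one edge case it handles deliberately is a finding for an asset missing from the inventory, which is rolled up under its own bucket rather than silently dropped.

```python
from collections import defaultdict
# Constructed severity weights (integers keep the arithmetic exact); not a NIST or DHS scale
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
# Constructed inventory: the information system and mission function each asset supports
ASSETS = {
    "web01": {"system": "CustomerPortal", "mission": "Online Services"},
    "db01": {"system": "CustomerPortal", "mission": "Online Services"},
    "hr-app": {"system": "HRIS", "mission": "Payroll"},
    "fs01": {"system": "HRIS", "mission": "Payroll"},  # inventoried, no open findings
}
# Constructed sensor output, already normalized to one record shape whatever the source sensor
FINDINGS = [
    {"asset": "web01", "sensor": "vuln_scanner", "severity": "high", "age_days": 40},
    {"asset": "web01", "sensor": "config_mgmt", "severity": "medium", "age_days": 5},
    {"asset": "db01", "sensor": "vuln_scanner", "severity": "critical", "age_days": 2},
    {"asset": "hr-app", "sensor": "config_mgmt", "severity": "low", "age_days": 100},
    {"asset": "lab-vm7", "sensor": "vuln_scanner", "severity": "high", "age_days": 0},  # not in inventory
]

def finding_score(finding):
    """Severity weight, escalated the longer the finding stays open (doubles at 90 days)."""
    base = SEVERITY_WEIGHT[finding["severity"]]
    return base * (90 + min(finding["age_days"], 90)) // 90

def score_assets(findings, assets):
    """Per-asset risk = sum of its finding scores; inventoried assets with no findings score 0."""
    scores = {name: 0 for name in assets}
    for f in findings:
        scores[f["asset"]] = scores.get(f["asset"], 0) + finding_score(f)
    return scores

def aggregate(asset_scores, assets):
    """Roll asset risk up to information systems and mission functions; assets absent
    from the inventory land in UNINVENTORIED so unmanaged hosts stay on the dashboard."""
    by_system, by_mission = defaultdict(int), defaultdict(int)
    unknown = {"system": "UNINVENTORIED", "mission": "UNINVENTORIED"}
    for asset, score in asset_scores.items():
        meta = assets.get(asset, unknown)
        by_system[meta["system"]] += score
        by_mission[meta["mission"]] += score
    return dict(by_system), dict(by_mission)

def prioritized(asset_scores):
    """Mitigation order: highest risk first, asset name as tie-breaker."""
    return sorted(asset_scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    scores = score_assets(FINDINGS, ASSETS)
    print("mitigation order:", prioritized(scores))
    print("by system / by mission:", aggregate(scores, ASSETS))
```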
Regulatory requirements, such as GLBA, SOX, HIPAA, PCI or the Federal Information Security Management Act (FISMA) also mandate ‘continuous monitoring’ of information systems for protecting Personally Identifiable Information (PII) using Privacy Impact Assessment (PIA), as well as monitoring of unauthorized access to maintain the integrity of data and systems.
The biggest challenge for enterprises today is to truly understand what it means to conduct continuous risk monitoring and what that entails. The key requirements of continuous risk monitoring under RMF are:
- Close tracking of change and configuration management of assets
- Monitoring of Information Assurance (IA) and governance controls using automated tools
- Quantifying risk based on risk algorithms and computations
- Document creation, updates and reporting
Enterprises need a scalable data ingest, collection, storage and processing platform that delivers an accurate and timely view of IT and operational risks by providing a 360° view of each asset’s software and hardware inventory, vulnerabilities (VUL) and compliance against approved secure baselines. Other key attributes of the Continuous Risk Management platform are:
- Scalability: The continuous nature of data collection automatically imposes scalability requirements. Scalability applies to data storage in terms of size, frequency and retention. Additionally, the platform needs to demonstrate data collection flexibility and analysis scalability. It must also be deployable stand-alone or set up in a tiered architecture to accommodate distributed enterprise implementations.
- Agnostic Sensor Coverage: The data ingest should be configurable to support multiple sensors based on current point technologies, as well as a multitude of data inputs such as NIST SCAP, XML, JSON, CSV, and other input formats.
- Creating a Common Operational View: The solution needs to provide a single view of risk by asset, by application, by department, by agency or by the enterprise as a whole. This view needs to be on a single pane of glass with full drill-down and drill-back capability to show what data contributed to the overall risk at each level of the dashboard view.
- Data Warehousing: A platform should provide options for data warehousing based on the volume of data, from SQL to a NoSQL Big Data solution. SQL-based RDBMS storage (e.g., MS SQL, Oracle, DB2) provides a traditional data store for structured data, while a NoSQL Hadoop solution offers a store for structured and unstructured data with linear storage and processing scalability using a multi-node cluster.
- Monitoring Management/Workflow Capabilities: Enterprises need a solution that controls all workflow requirements in terms of risk monitoring, compliance with baseline specifications, as well as response metrics and related mitigation steps. Built-in workflow managers should be customizable to map business processes, assign risk values and trigger alerts for mitigation actions.
At Virtustream, we offer our Analytics and Continuous Monitoring Engine (ACE) for Enterprise Risk Management, Cyber Situational Awareness and Regulatory Compliance monitoring on a continuous basis. The Continuous Risk and Compliance Monitoring (CRCM) capability provides:
- Proactive risk management using a standards-based risk management framework
- Continuous monitoring of each asset for compliance and risk by building a 360° view of each asset within the enterprise using a multitude of sensor data
- Massive processing capability using Hadoop Big Data solutions to process volumes of data in a variety of formats quickly (volume, variety and velocity). The data could be structured or unstructured.
- Threat and impact analysis using external threat intelligence from US-CERT or commercial inputs, asset configuration policy and hardening guides such as Security Technical Implementation Guides (STIGs)
- Business Intelligence (BI) analytics and reporting capability for analyzing massive amounts of data for diagnostics and prioritizing mitigations
- Near-automated mitigation by interfacing with other tools and technologies
The ACE Continuous Risk Monitoring approach truly enables Enterprise Risk Management and allows enterprises to shift away from ‘managing security by compliance to managing security by risk.’