A Quantitative Approach to Evaluating Cyber Risk

Presented by: Tom Walheim, CISSP, Chief Technology Officer - Cyber Systems, L3 Technologies, www.L3CyberQ.com

Posted 28-Apr-2018

Page 2

Objective

Describe a network behavior model, based on factual evidence and advanced analytics techniques.

Demonstrate how network behavior models enable accurate and quantitative evaluation of cyber risk, specific to your institution, increasing executive control.

Page 3

Agenda

o Qualities of effective measurement

o Layers of Complexity – the technical challenge

o Current Challenges for cyber risk executives

o Overview of Network Behavior Model

o Benefits of Network Behavior Model in cyber risk management

Page 4

Qualities of effective measurement

o Evidence based with traceability from attack to enterprise consequence

o Measures against holistic view of your network

o Exhaustive evaluation of adversaries and scenarios

o Addresses all compromise types

o Mathematically Coherent and Repeatable


“To be better positioned to make sound investment and risk mitigation decisions, [firms] need to be able to quantify cyber risk.” – World Economic Forum

Page 5

Layers of Complexity - Adversaries

Figure: adversary model (the actual adversary model has many more dimensions and more granularity).

Adversary types: Insider, Hacktivist, Org. Criminal, Terrorist, Nation State

Motivations: Financials, Personal Info, Intellectual Property, Internal Knowledge

Capabilities: Tools, Stealthiness, Technical, Funding

Page 6

Layers of Complexity – System-of-Systems

Figure: system-of-systems view showing adversaries (Hostile Nations, Criminals, Terrorists, Hacktivists, Insiders), compromises, cyber defense (Network Protection, Host Protection, Data Protection), business operations (Networks, Platforms, Software, Information Systems) and the $$ Information Assets $$ at stake (Confidentiality, Integrity, Availability).

Page 7

Current Challenges for the risk executive

o Boards lack data to develop Risk Appetite Statements

o Boards must shift to consequence-driven cyber risk management (not technology-driven). But how?

o Regulations require more from Boards and risk executives in cyber risk governance without explaining how

“A covered entity also would be required to … manage cyber risk appropriate to the nature of the operations of the firm.” – enhanced standard ANPR

Page 8

Overview of Network Behavior Model

How Network Behavior Models tame complexity to facilitate quantitative cyber risk measurement

Page 9

Network Behavior Model in risk management

Figure: Network Behavior Model in risk management, with these elements:

o Adversary/Threat Profiles

o Network Discovery

o Model Buildout

o Attack Scenarios

o Eroded Information Assets

o C.I.A. Business Impact Analyses / Department Impacts: Operations, Trading, Corporate, Marketing

o Enterprise Risk Analyses: EPS, Capital, Volatility, Client/Shareholder Confidence

o Prioritized Cyber Risk Expenditures

Page 10

Can this model be realized?

Critical skills to create a model:

o Adversary intelligence and experience

o Complex systems expertise

o Evidence-based, mathematical modeling of multi-dimensional systems-of-systems

o Enterprise Risk Management proficiency

Page 11

Can this model be realized?

Network Behavior Model accurately represents your enterprise under simulated attack. It includes:

o Physical Connections

o Logical Flows of data

o Software interactions

o Specific Information Assets

o Component Vulnerabilities

o Adversary and attack simulation

Page 12

Network Behavior Model Essentials

Financial consequence, aligned to information erosion, complex systems, vulnerabilities and adversaries


“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” – Theodore Roosevelt

Page 13

Network Behavior Model Essentials

Use adversary intelligence to evaluate all scenarios, including complex APT attack scenarios:

o Sophisticated

o Well planned / Multi-stage

o Stealthy / Patient

o Use any available access


“All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” - Sun Tzu

Page 14

Network Behavior Model Essentials

Mathematical Integrity based on consistent, repeatable and empirical evidence - not surveys, opinions or anecdotes


“If you’re a scientist, and you have to have an answer, even in the absence of data, you’re not going to be a good scientist.” – Neil deGrasse Tyson, Astrophysicist

Page 15

Facilitating stronger risk management

Improve Decisions with consequences measured across multiple dimensions such as:

o Information Asset

o Department

o Consequence Type

o Adversary / Threat


“If you don't know the risk, you can't develop a strategy to mitigate the risk.” – Kelly King, BB&T Chairman and CEO

Figure: pie chart of consequences by Departments and Assets. Confidentiality 49.7%, Integrity 28.7%, Availability 21.6%.
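The multi-dimensional consequence view above, as an added example that is not code from the presentation or from L3: a small Python roll-up of attack scenarios, each traced from adversary to information asset, department and consequence type, into expected-loss shares per dimension. The slides give no formula, so the per-scenario expected loss (annual likelihood times financial loss), the scenario list, and every asset name, department, likelihood and dollar figure are constructed assumptions for illustration.

```python
"""Roll up constructed attack scenarios into consequence measures by
information asset, department, consequence type and adversary.

Added example (not code from the presentation or from L3): the scenario
records, likelihoods and loss figures below are constructed for
illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    """One attack scenario traced from adversary to financial consequence."""
    adversary: str            # threat profile the scenario is attributed to
    asset: str                # information asset that is eroded
    department: str           # business unit that bears the consequence
    consequence: str          # Confidentiality, Integrity or Availability
    annual_likelihood: float  # assumed probability of success per year
    loss: float               # assumed financial impact if it succeeds (USD)

    def expected_loss(self) -> float:
        """Annualised expected loss for this single scenario (assumed model)."""
        return self.annual_likelihood * self.loss


# Constructed sample scenarios: hypothetical assets, likelihoods and losses.
SCENARIOS = [
    Scenario("Nation State",  "Trading algorithms",  "Trading",    "Confidentiality", 0.10, 2_000_000),
    Scenario("Org. Criminal", "Customer PII",        "Operations", "Confidentiality", 0.25, 1_200_000),
    Scenario("Insider",       "Trade ledger",        "Trading",    "Integrity",       0.05, 4_000_000),
    Scenario("Hacktivist",    "Client portal",       "Marketing",  "Availability",    0.40,   250_000),
    Scenario("Org. Criminal", "Core banking system", "Operations", "Availability",    0.05, 2_000_000),
    Scenario("Nation State",  "Trade ledger",        "Corporate",  "Integrity",       0.02, 5_000_000),
]


def total_expected_loss(scenarios: Iterable[Scenario]) -> float:
    """Enterprise-level expected annual loss across all scenarios."""
    return sum(s.expected_loss() for s in scenarios)


def rollup(scenarios: Iterable[Scenario], *dimensions: str) -> dict:
    """Sum expected loss by one or more Scenario fields.

    Keys are the field value for a single dimension, or a tuple of values
    when several dimensions are given (e.g. department x consequence)."""
    totals = defaultdict(float)
    for s in scenarios:
        key = tuple(getattr(s, d) for d in dimensions)
        totals[key if len(dimensions) > 1 else key[0]] += s.expected_loss()
    return dict(totals)


def shares(scenarios: Iterable[Scenario], *dimensions: str) -> dict:
    """Fraction (0..1) of total expected loss attributable to each key."""
    scenarios = list(scenarios)
    grand = total_expected_loss(scenarios)
    if grand == 0:
        return {}
    return {k: v / grand for k, v in rollup(scenarios, *dimensions).items()}


def worst_scenarios(scenarios: Iterable[Scenario], n: int = 3) -> list:
    """Highest expected-loss scenarios, keeping the attack-to-consequence trace."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)[:n]


if __name__ == "__main__":
    print(f"Total expected annual loss: ${total_expected_loss(SCENARIOS):,.0f}")
    for dim in ("consequence", "department", "adversary", "asset"):
        print(f"\nBy {dim}:")
        for key, frac in sorted(shares(SCENARIOS, dim).items(), key=lambda kv: -kv[1]):
            print(f"  {key:<20} {frac:6.1%}")
    print("\nTop scenarios:")
    for s in worst_scenarios(SCENARIOS):
        print(f"  {s.adversary} -> {s.asset} ({s.department}, {s.consequence}): "
              f"${s.expected_loss():,.0f}")
```

Because each record keeps its adversary, asset, department and consequence type, the same data yields the per-dimension breakdowns the slide lists and a cross-tabulation such as `rollup(SCENARIOS, "department", "consequence")`, while `worst_scenarios` preserves the traceability from a specific attack back to its enterprise consequence.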

Page 16

What a model enables…

Quantified modeling of Cyber Attacks extrapolates to enterprise measures to …

Contain Expenditures commensurate with exposure

Preserve Capital pursuant to “Stress Test” requirements

Establish Confidence & Trust for Stakeholders, Allies and the Public

Figure: charts labelled CCAR/CLAR – Bank Stress Test; EPS Impact; Volatility Impact; Reputation Impact; Capital Impact / Value at Risk; Reputation & Volatility; Resource Allocations; Risk Weighted Assets.

Page 17

Network Behavior Model approach is…

o Evidence based with traceability from attack to enterprise consequence

o Measures against holistic view of your network

o Exhaustive evaluation of adversaries and scenarios

o Addresses all compromise types

o Mathematically Coherent and Repeatable

Page 18

A Quantitative Approach to Evaluating Cyber Risk

Removing the Uncertainty behind Cyber Risk

Questions?

Tom Walheim, CISSP, Chief Technology Officer – Cyber Systems, L3 Communication Systems – [email protected]