TrustCheck: Challenging Assumptions in Cyber Risk Management
When I was 12 years old, my dad told me, “Never assume. It makes an ass out of you and me.”
I don’t recall the context of the discussion, but I do remember responding appropriately with a groan. As I got older, I realized that assumptions are a necessary part of decision-making. But it’s also wise to challenge those assumptions. Any time I start to question mine, I think back to that #DadJoke.
Cyber risk management is heavily dependent on assumptions. As security leaders, we rely on heat maps, vulnerability counts and patches. We present funnels with events summarizing incidents and alerts to demonstrate that there really are needles in the haystack of security data. And we use these indicators to support the assumption that our teams, tools and efforts are securing the organization.
The increase in data breaches and associated regulatory penalties has executives and boards of directors questioning our assumptions. The stakes are higher: incorrect assumptions can lead to real financial impact, brand damage and possible legal troubles for leadership. How are we to reduce uncertainty in our risk assumptions and communicate them effectively to the boardroom?
With the new TrustCheck™ service, Unisys is doing just that. TrustCheck is powered by X-Analytics, a patented cyber risk analytics engine that communicates cyber risk in terms of annual expected financial loss. X-Analytics uses extensive research of public breaches and associated costs to approximate loss in an objective, repeatable and defensible manner. Put through rigorous stress tests to ensure robustness and accuracy, it is the underwriting engine for some of the largest cyber insurance players.
TrustCheck measures cyber risk by conducting structured interviews to analyze your threat landscape, business impact and the effectiveness of your security controls. The results highlight how much risk your organization is actually taking on, along with prioritized guidance on how to add or change security controls for the greatest impact. TrustCheck provides a standard methodology to assess risk, yielding trends and insights that can be compared quarter over quarter.
Let’s consider an example of how TrustCheck can remove uncertainty by challenging human assumptions when identifying critical assets. Security teams point to the website, the revenue-generating application, or the database that holds the intellectual property “secret sauce.” But what about the marketing app that runs quarterly, containing 100,000 customer contact records? They may not realize that a breach of those records can cost millions of dollars. TrustCheck’s structured approach to risk management challenges assumptions about critical assets, uncovering areas that pose the greatest business risks.
TrustCheck further reduces uncertain cyber risk assumptions by collecting and analyzing security data from your environment. How many cross-site scripting attempts were there last month, or in the last year? Did any attacks target that marketing app with the customer records? TrustCheck ingests and interprets security information and event management (SIEM) data to answer these questions. The analysis is an objective counterbalance to the subjective input from security teams.
When interviewed, the security team may explain that cross-site scripting isn’t a big threat because of the web application firewall (WAF). However, TrustCheck detects WAF misconfiguration based on the threat activity traversing it, which not only affects your exposure (and expected loss) from web attacks, but also provides tangible guidance to operations about WAF performance. TrustCheck gathers data from security solutions from companies such as LogRhythm, Cylance and Palo Alto Networks (its next-generation firewall, NGFW); in this case, it identifies a WAF tuning gap from the cross-site scripting activity recorded by LogRhythm.
In our example, TrustCheck provides a structured, data-driven approach to help correct two assumptions. First, it identifies the criticality of the marketing app because of the data stored inside it, raising awareness of that app. Then it challenges the assumption that the marketing app is protected by the WAF, by exposing a misconfiguration that increases risk. By challenging assumptions, TrustCheck identifies a gap that may otherwise have gone undetected and suggests remediation before it’s too late.
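The two checks in the example above, counting cross-site scripting attempts per app from SIEM data and flagging the ones the WAF let through, plus the probability-times-impact form of annual expected loss, as an added Python sketch. This is not TrustCheck or X-Analytics code; the log field names, the $150 per-record cost and the 5% breach probability are assumptions, and the SIEM events are constructed.

```python
from datetime import datetime, timezone

# Constructed SIEM export (not real LogRhythm output): one event per line.
# waf_action=allow means an XSS-signature request traversed the WAF.
SIEM_EVENTS = """\
2019-03-02T10:15:00Z source=LogRhythm signature=xss target=marketing-app waf_action=block
2019-03-03T11:02:00Z source=LogRhythm signature=xss target=marketing-app waf_action=allow
2019-03-05T09:40:00Z source=LogRhythm signature=xss target=www waf_action=block
2019-03-09T17:21:00Z source=LogRhythm signature=sqli target=marketing-app waf_action=block
2019-03-12T08:05:00Z source=LogRhythm signature=xss target=marketing-app waf_action=allow
2018-11-20T13:00:00Z source=LogRhythm signature=xss target=marketing-app waf_action=allow
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_event(line):
    """Turn 'timestamp k=v k=v ...' into a dict; the timestamp lands in 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = parse_ts(ts)
    return event

def xss_by_target(raw, since):
    """Count XSS attempts per target app since `since` (ISO timestamp),
    split by whether the WAF blocked them or let them through."""
    cutoff = parse_ts(since)
    counts = {}
    for line in raw.splitlines():
        e = parse_event(line)
        if e["signature"] != "xss" or e["ts"] < cutoff:
            continue
        bucket = counts.setdefault(e["target"], {"blocked": 0, "allowed": 0})
        bucket["blocked" if e["waf_action"] == "block" else "allowed"] += 1
    return counts

def waf_tuning_gaps(counts):
    """Apps that saw XSS traffic the WAF allowed through: the tuning gap the post describes."""
    return sorted(t for t, c in counts.items() if c["allowed"] > 0)

def annual_expected_loss(records, cost_per_record, annual_breach_probability):
    """Single-scenario annualized expected loss = probability x impact (all inputs assumed)."""
    return annual_breach_probability * records * cost_per_record

if __name__ == "__main__":
    counts = xss_by_target(SIEM_EVENTS, "2019-01-01T00:00:00Z")
    print(counts, waf_tuning_gaps(counts))
    # 100,000 contact records; $150/record and 5% annual breach probability are assumed
    print(annual_expected_loss(100_000, 150.0, 0.05))
```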
Risk management is an inexact science. But when it comes to cybersecurity, incorrect assumptions are no joke. Don’t fall into the trap of the old #DadJoke. Contact Unisys for a demo of TrustCheck, and let’s talk about how we can help improve your cyber risk management.