How to Measure 'Vital Signs' for Cyber Risk

By now, senior directors at most organizations probably are cognizant of the proliferation of network breaches and fully grasp the notion that risk mitigation must be brought to bear. However, cybersecurity practitioners can be notoriously poor communicators. Many lack the jargon-free communication skills to present a clear picture of rising cyber exposures, one that can be measured and acted on. That is the fundamental problem that start-up FourV Systems seeks to address—by defining and consistently measuring what Derek Gabbard, president and co-founder, refers to as the “vital signs” of cyber risk. See also: Cyber Risk: The Expanding Threat   “The communication gap that exists between the security teams and the leadership teams and the boards of enterprises is a pretty substantial one,” Gabbard says. “And we think we can help them get on the same page.” FourV’s cyber risk intelligence platform, GreySpark Cyber, takes the raw data from various systems like the security information event manager (SIEM), analyzes it and scores it into six indices that include defense effectiveness and surface area. “It gives security practitioners a taxonomy for explaining what they’re doing and the board of directors a way to understanding it,” Vice President Casey Corcoran says. Making risk understandable While GreySpark helps the organization’s leadership visualize security risk, it also gives the security team a simplified dashboard for tracking security events. They can drill down on specific threat indicators to see what caused a decrease in the score and track the threat to affected systems and all the way down to the endpoints in order to remediate it. “We normalize the data so one sensor type—like a firewall—doesn’t overshadow another,” Corcoran says. “So when you see the defense effectiveness score, you can see that there’s probably a layer missing, because a certain area is missing a defense.” Several companies are trying to solve the same problem of showing risk in easy-to-understand format, but Corcoran says they typically only look at outside indicators. “What we’re doing is taking the same approach (as some others) and asking, ‘how risky is what’s going on inside the organization?’ ” he says. See also: Better Way to Assess Cyber Risks? He uses the analogy of a fort to illustrate how this works. When the barbarians are attacking, he says, other companies can tell you whether the moat has water or alligators, whether the bridge is up or down and whether there’s enough oil to throw on the barbarians climbing the wall. “But they don’t tell you what the barbarians inside the fort are doing, how bad it is—and that’s what we’re measuring, “ he says. FourV Systems, which officially launched in June 2015, is a spinoff and subsidiary of SRC Inc., a government research and development and services company that employs 1,000 people and originated out of Syracuse University. SRC, an independent nonprofit founded in 1957, works in the areas of environment, defense and intelligence agencies, with customers such as the U.S. military, Department of Homeland Security and Environmental Protection Agency. Big need for big data analytics Gabbard, who was a cyber manager at SRC, saw potential in commercializing some of the intellectual property. He homed in on the big-data analytics aspect, created a business plan and secured start-up funding from the parent company. The GreySpark reasoning engine was developed by SRC over seven or more years of work on “solutions for critical national security problems,” according to FourV. Starting out with just that engine, as well as the system’s chief architect, Gabbard grew the start-up to 10 current U.S. employees. The support services staff will be scaled as the company grows in the next couple of years. See also: Analytics and Survival in the Data Age The first version of GreySpark, which was released at the end of March following several months of beta testing, is focused on IT operations risk through the “vital signs” indices. Currently, three more major releases are planned. The next release will include a personnel risk assessment, followed by infrastructure maturity risk. The final component will be risk management, looking at the security return on investment. Corcoran says the goal is to have two releases per year, with maintenance updates in between. “We’re trying to sort of lift the fog that I think the leadership teams and the boards of many enterprises feel in dealing with security,” Gabbard says, “and give them standard metrics that they can understand and look at on a daily, weekly, monthly and annual basis.” This post first appeared on ThirdCertainty. It was written by Rodika Tollefson.