What Is Risk Mitigation in Cyber Security?


Learn strategies for mitigating cybersecurity risks and how NDR can provide valuable network evidence.

Cyber risk mitigation is the act of reducing an organization’s risk from incidents stemming from cyber threats such as attacks or misuse. This is accomplished by documenting and evaluating cyber risks, then deciding on protective measures and compensating controls that reduce the likelihood that those risks will have a material impact on the organization.

Mature organizations understand that risk must be managed and balanced against business objectives. Assuming some risks can deliver rich business opportunities while tolerating others can lead to catastrophe. Business leadership needs to weigh the potential benefits and costs associated with risks in order to strike a balance that reflects the risk appetite of the organization at large.

There are only three ways to address cyber risk: avoid it, reduce it or transfer it. For cybersecurity and information security teams, cyber risk mitigation is the process through which they can set or recommend a course of action. Like all risk assessment, the efficiency and accuracy of the process increase when there is access to strong evidence.

Let’s explore a few approaches to evaluating and mitigating cyber risk, and then review a few use cases that demonstrate how evidence from the organization’s networks can improve various mitigation strategies.

Cyber risk mitigation strategies / how to mitigate cyber risk

The first step to any cyber risk management or mitigation strategy is assessing the ‘what’ and ‘where’ of risk: that is, documenting as many risks as possible. A risk register is a traditional documentation approach. It will include a description of the risk that is enriched with metadata, which could include the likelihood of an incident, severity of impact, and estimated cost to mitigate. A detailed register can help your team prioritize cyber risks and determine how many you can manage with the resources (time, money, etc.) you have available.

Recording, assessing, ranking and prioritizing risks must be an ongoing process, since business priorities and industry threats will change over time. Risk assessment should be a routine part of the care and feeding of any well-formed cybersecurity program.

Once the risks are documented, the next step is to evaluate risks in terms of mitigation (which might include accepting risk without forming a mitigation strategy).

The first and most obvious way to mitigate cyber risk is to avoid it in the first place. From a technical perspective, this could include policies such as:

  • Disallowing network connectivity between trusted networks and untrusted networks, like the corporate network and the Internet, or between the corporate network and an industrial control system (ICS) network
  • Preventing remote administration protocols such as RDP, SSH, and SNMP from being exposed to the Internet
  • Not allowing users to run with administrative privileges on their daily-use corporate devices

You probably spot a problem. In many cases, these sorts of blanket avoidance strategies will hamper business activities. For example, if the organization disallows network connectivity between the internal network and the Internet, then email between the organization and partners and customers wouldn’t work. That’s a clear case of risk mitigation overkill.

Disallowing remote administration protocols from the Internet means that employees who could otherwise use them to fix things remotely cannot do so. Not allowing users to run with administrative privileges means that users can’t adapt to changing conditions by installing or uninstalling programs that they need to do their job.

A more common (and balanced) strategy for cyber risk mitigation is to reduce risks by placing partial restrictions or compensating controls in place. For example:

  • Allowing network traffic between trusted and untrusted networks, but only through a next-generation firewall (NGFW) and/or intrusion detection system (IDS), with specific things being allowed or blocked
  • Allowing remote administration protocols only through an authenticated gateway, such as an RDP gateway or across an authenticated VPN service
  • Not allowing users to run with administrative privileges, but allowing them to choose from a curated catalog of approved, licensed applications for self-service installation, and allowing them to submit requests for applications not in the catalog

A second way that cybersecurity teams mitigate risk is by diversifying their detection stack and assuming a bad actor already has compromised their network. By carefully logging network, endpoint and application activities and threat hunting regularly, the organization increases their chances of finding adversaries before they achieve their goal(s) (e.g. data exfiltration, defacement, denial of service or holding the network for ransom). By increasing the odds that they can catch an intruder or malicious actor before a serious incident occurs, the organization can lower the expected financial and reputational impact of an incident.

The third strategy for cybersecurity risk mitigation is to transfer the risk to another entity. This is usually done through legal agreements with partners or with insurance providers. For example, when partnering with an organization that processes data on your behalf, your organization could require the partner to indemnify your organization against losses that the partner may cause through mishandling of the data you provide. If an incident occurs, your organization would be entitled to compensation from the partner organization, which it could use to offset the costs of the incident.

Similar to an indemnification agreement, a third-party organization, such as an insurance provider, can provide coverage for losses in the case of a cyber incident. One prominent example of this being used in the cyber risk mitigation space is the $1.4B claim that Merck filed with their cyber insurance provider over damages from the global NotPetya ransomware incident of 2017.

The NIST Risk Management Framework

The first line of the NIST Risk Management Framework nails the issue at hand: “Organizations depend on information systems to carry out their missions and business functions.” When those information systems fail or are subverted, organizations’ abilities to carry out their “missions and business functions” are negatively impacted. Also, businesses with substantial resources for carrying out their own missions are a good target for attackers that want to steal those resources and use them to carry out their own missions and “business functions.”

The NIST Risk Management Framework lays out a plan for managing risk in the following stages:

  • Prepare
  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor

Organizations can use this framework to jumpstart or augment their cyber risk mitigation efforts.

(Note: NIST acknowledges that the cycle can begin at any phase, and that phases can run concurrently or even non-linearly.)

Challenges of cyber risk mitigation

The number one challenge of cyber risk mitigation, as mentioned above, is that most risk mitigation efforts have some cost to the organization in terms of efficiency or flexibility, not to mention investment costs (time and money both). This can cause friction between the security organization and the business units. Getting past this friction requires patience and clear communication.

Besides the challenges introduced by controls that mitigate cyber risk, the management process itself adds overhead. It is yet another lifecycle to maintain, which means that organizations must have a well-defined set of procedures for regularly documenting, triaging and updating the risk register and associated priorities. Otherwise, the risk mitigation process is likely to break down over time.

How Corelight helps you mitigate cyber risk using NDR

Corelight network detection and response (NDR) can help security teams manage and mitigate cyber risks by providing top-tier network evidence that can be used in many aspects of the cyber risk mitigation process.

Great network evidence is valuable throughout the cybersecurity risk management lifecycle and can help resolve many issues. Here is a partial list of tasks from the first two phases of NIST’s framework, “Prepare” and “Categorize”:

  • P-10 “Stakeholder assets are identified and prioritized.”
  • P-12 “The types of information processed, stored, and transmitted by the system are identified.”
  • P-16 “The placement of the system within the enterprise architecture is determined.”
  • C-1 “The characteristics of the system are described and documented.”
  • C-2 “A security categorization of the system, including the information processed by the system represented by the organization-identified information types, is completed.”

Network evidence can help answer many questions that will come up during these tasks. By observing characteristics of the network traffic emanating from or destined to assets, information security personnel can start to build or update their asset inventory. For example, they may discover undocumented assets by locating IP addresses in use that are not documented in the inventory. Teams can also use the network traffic to identify the criticality or exposure of systems by answering questions such as:

  • “Does this interact with other systems known to house protected information?”
  • “Is this system exposed to an untrusted network, like the Internet?”
  • “Does this system expose remote administrative interfaces?”

Information security teams can also leverage network evidence to work backward from potential risks by asking pointed questions and getting concrete answers. Instead of asking whether a specific asset is exposed to the Internet or offers remote administrative capabilities, they can ask broader questions like:

  • “Are there any assets on the network which are exposed to an untrusted network?”
  • “Are there any assets on the network that offer remote administrative capabilities to an untrusted network?”
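As an added example (not Corelight’s code or any Corelight package), the following Python answers the inventory and exposure questions above from Zeek-style conn.log records: which internal hosts are absent from the inventory, which answered connections from untrusted networks, and which of those services are remote administration protocols. It assumes the JSON-lines conn.log format with the fields id.orig_h, id.resp_h, id.resp_p, proto and conn_state; the trusted ranges, the inventory and the log lines are constructed for illustration.

```python
"""Answer exposure and inventory questions from Zeek-style conn.log records.

Added example, not Corelight's code. Assumes conn.log in Zeek's JSON-lines
format with the fields id.orig_h, id.resp_h, id.resp_p, proto and conn_state.
The trusted ranges, inventory and log lines below are constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample conn.log lines (Zeek JSON format); not real traffic.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"id.orig_h":"203.0.113.45","id.orig_p":51234,"id.resp_h":"10.1.20.15","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"ts":1700000001.2,"id.orig_h":"198.51.100.7","id.orig_p":40022,"id.resp_h":"10.1.20.15","id.resp_p":22,"proto":"tcp","conn_state":"S0"}
{"ts":1700000002.3,"id.orig_h":"10.1.10.5","id.orig_p":50001,"id.resp_h":"10.1.20.15","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"ts":1700000003.4,"id.orig_h":"203.0.113.9","id.orig_p":33333,"id.resp_h":"10.1.30.8","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700000004.5,"id.orig_h":"192.0.2.77","id.orig_p":60161,"id.resp_h":"10.1.30.9","id.resp_p":161,"proto":"udp","conn_state":"SF"}
{"ts":1700000005.6,"id.orig_h":"10.1.10.5","id.orig_p":50002,"id.resp_h":"10.1.40.2","id.resp_p":445,"proto":"tcp","conn_state":"RSTO"}
"""

# Hypothetical trusted (internal) address space; anything outside it is untrusted.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical asset inventory: internal addresses the organization has documented.
INVENTORY = {"10.1.20.15", "10.1.30.8", "10.1.10.5"}

# Remote administration services the text singles out as risky when Internet-facing.
REMOTE_ADMIN_SERVICES = {("tcp", 22): "SSH", ("tcp", 3389): "RDP", ("udp", 161): "SNMP"}

# conn_state values in which the responder actually answered. S0, REJ and OTH are
# attempts only: they prove a probe happened, not that a service is exposed.
ANSWERED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def exposure_report(records, inventory=INVENTORY):
    """Summarise which internal assets untrusted networks reached, and on which services."""
    exposed = defaultdict(set)        # internal host -> {(proto, port)} answered to untrusted sources
    admin_exposed = defaultdict(set)  # internal host -> {"RDP", ...} answered to untrusted sources
    probed = defaultdict(set)         # internal host -> {(proto, port)} attempted but not answered
    undocumented = set()              # internal hosts seen on the wire but absent from the inventory

    for r in records:
        orig, resp = r["id.orig_h"], r["id.resp_h"]
        for host in (orig, resp):
            if is_trusted(host) and host not in inventory:
                undocumented.add(host)
        # Only inbound flows from untrusted sources to internal responders count as exposure.
        if is_trusted(orig) or not is_trusted(resp):
            continue
        service = (r["proto"], r["id.resp_p"])
        if r["conn_state"] in ANSWERED_STATES:
            exposed[resp].add(service)
            if service in REMOTE_ADMIN_SERVICES:
                admin_exposed[resp].add(REMOTE_ADMIN_SERVICES[service])
        else:
            probed[resp].add(service)

    # Report probes only for services that never answered, so a scan of a closed
    # port is not mistaken for an exposed service.
    probed_only = {h: sorted(s - exposed.get(h, set())) for h, s in probed.items()
                   if s - exposed.get(h, set())}
    return {
        "exposed": {h: sorted(s) for h, s in exposed.items()},
        "admin_exposed": {h: sorted(s) for h, s in admin_exposed.items()},
        "probed_only": probed_only,
        "undocumented": sorted(undocumented),
    }


if __name__ == "__main__":
    for key, value in exposure_report(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{key}: {value}")
```

The distinction between answered and unanswered connection states is the part worth keeping: in the constructed sample, the SSH attempt against 10.1.20.15 has state S0, so it is reported as a probe rather than an exposed service, while the RDP and SNMP responders that completed a handshake are listed as exposed remote administration interfaces. The two hosts missing from the inventory surface the undocumented-asset case from the text.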

Ransomware actors (like BlackSuit) often take advantage of VPNs, RDP services, and Internet-exposed applications to gain access to an organization’s network before crippling the business or seizing valuable assets. By reviewing advisories issued by the FBI and other organizations about these threat actors’ behaviors, information security teams can learn what questions to ask; NDR-generated data can deliver quick, easy answers to many of them.

Another common risk for organizational compromise is a supply-chain attack, such as the one that affected Target in 2013 or SolarWinds in 2019. Organizations sometimes will set up peer-to-peer virtual private network (VPN) interfaces between their network and a partner’s network for information exchange or remote access. Doing this opens up the organization to compromise by lateral movement between the organizations if one of the partner organizations is compromised.

Using the VPN Insights package from Corelight, organizations can get answers to important security questions like:

  • “Do we have any VPN connections to partner organizations?”
  • “Where do those VPN connections terminate into our environment?”
  • “What compensating controls are in place at that termination point?”
  • “Have these risks been documented and accounted for?”

Corelight NDR data can also be used to document traffic across the VPN in order to validate that it is being used only for legitimate and authorized purposes.

Similar to the use case of auditing VPN usage, Corelight NDR data can be used to audit other assumed items, such as looking for evidence of whether sensitive networks, like ICS or PCI networks, are properly segmented or air-gapped from the general-purpose IT network, or whether the firewall configuration is accurate and behaving as expected.

Configuration data confirms “what should be,” while network traffic confirms “what is.” If they match up, e.g. policy says the IT and ICS networks should be separate and the Corelight logs say that connectivity attempts between them are not successful, then case closed. If they don’t match up, then information security teams know there is something they need to dig into to understand what is happening.
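The “what should be” versus “what is” comparison above can be automated. As an added example (not Corelight’s code), the following Python takes a hypothetical segmentation policy (two zones plus one documented exception) and classifies every cross-zone flow in Zeek-style conn.log records as blocked (the policy held), allowed by the exception, or a violation worth digging into. The zone ranges, the exception and the log lines are constructed; the JSON-lines conn.log format with id.orig_h, id.resp_h, id.resp_p, proto and conn_state is assumed.

```python
"""Compare segmentation policy ("what should be") with observed traffic ("what is").

Added example, not Corelight's code. Assumes Zeek-style conn.log JSON lines with
id.orig_h, id.resp_h, id.resp_p, proto and conn_state. The zone ranges, the
policy exception and the log lines are constructed for illustration.
"""
import ipaddress
import json
from collections import Counter

# Hypothetical zone definitions taken from the network documentation.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "ICS": ipaddress.ip_network("10.200.0.0/16"),
}

# Hypothetical policy: IT and ICS are segregated; the only documented exception is
# the jump host 10.1.50.5 reaching one engineering workstation over RDP.
ALLOWED_CROSS_ZONE = {("10.1.50.5", "10.200.1.10", "tcp", 3389)}

# conn_state values in which the responder answered, i.e. the flow actually got through.
ANSWERED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed sample conn.log lines; not real traffic.
SAMPLE_CONN_LOG = """\
{"id.orig_h":"10.1.10.22","id.resp_h":"10.200.1.10","id.resp_p":502,"proto":"tcp","conn_state":"S0"}
{"id.orig_h":"10.1.10.22","id.resp_h":"10.200.1.11","id.resp_p":502,"proto":"tcp","conn_state":"REJ"}
{"id.orig_h":"10.1.50.5","id.resp_h":"10.200.1.10","id.resp_p":3389,"proto":"tcp","conn_state":"SF"}
{"id.orig_h":"10.1.33.4","id.resp_h":"10.200.5.7","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"id.orig_h":"10.200.5.7","id.resp_h":"10.1.33.4","id.resp_p":80,"proto":"tcp","conn_state":"SF"}
{"id.orig_h":"10.1.10.22","id.resp_h":"10.1.10.30","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"id.orig_h":"10.1.10.22","id.resp_h":"10.200.1.10","id.resp_p":502,"proto":"tcp","conn_state":"S0"}
"""


def zone_of(ip):
    """Return the documented zone containing ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def validate_segmentation(log_text, allowed=ALLOWED_CROSS_ZONE):
    """Classify every cross-zone flow as blocked, allowed-by-exception, or a violation."""
    blocked = Counter()   # (src_zone, dst_zone) -> attempts that got no answer
    allowed_seen = []     # documented exceptions observed in use
    violations = []       # answered cross-zone flows with no documented exception
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        src, dst = zone_of(r["id.orig_h"]), zone_of(r["id.resp_h"])
        if src is None or dst is None or src == dst:
            continue  # intra-zone or outside the documented zones: not a segmentation question
        flow = (r["id.orig_h"], r["id.resp_h"], r["proto"], r["id.resp_p"])
        if r["conn_state"] not in ANSWERED_STATES:
            blocked[(src, dst)] += 1
        elif flow in allowed:
            allowed_seen.append(flow)
        else:
            violations.append(flow)
    return {"blocked": dict(blocked), "allowed_seen": allowed_seen, "violations": violations}


if __name__ == "__main__":
    result = validate_segmentation(SAMPLE_CONN_LOG)
    print("case closed" if not result["violations"] else "dig in", result)
```

On the constructed sample, three IT-to-ICS attempts on the Modbus port got no answer (the policy held), the documented jump-host RDP session appears as an allowed exception, and two answered SMB and HTTP flows between the zones are reported as violations, which is exactly the mismatch between configuration and traffic that the text says warrants investigation.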

When mitigating risk by transferring it to a third party such as a cyber insurance provider, Corelight NDR logs may be useful as evidence to validate or substantiate claims, or to answer questions that the insurance provider has. For example, if the insurance provider wants to know what VPNs are in use, and where they connect to or from, or whether there are systems with RDP exposed to the internet, Corelight logs can help the organization deliver definitive answers to those questions.

Corelight NDR evidence is instrumental for incident response and threat hunting, which are critical in any overall cyber risk mitigation strategy. The more visibility SOC and threat hunting teams have, the more they can detect, and the faster they can resolve incidents, resulting in reduced business impact and a lower risk profile overall.
