
The expanse map
Mapping Your Attack Surface For Compliance
By Steve Wright - November

Your attack surface is in a constant state of flux.

Businesses are becoming more connected through their vendors via supply chain or other digital methods. Their attack surface, in other words, is in a constant state of flux. In 2014, we witnessed the impact of a poorly protected attack surface from a cybersecurity standpoint: the Target breach through their HVAC partner [1]. Only now, the problem has become much more commonplace as opposed to confined to larger vendors like Target, blurring the network boundaries between them, their vendors, and their customers. It is hard enough to keep track of your boundary's security compliance with the many security frameworks, regulations, and international, national and local laws, but now your perimeter's security is being influenced by your vendors' security posture, for better or worse, and by the vendors that influence them, and so on. This requires a new risk and compliance methodology that is contextually driven and robust enough to understand this shift in partner complexity.

Building a Surface Risk and Compliance (SRC) Framework

One way to build this new approach is with a Surface Risk and Compliance (SRC) framework. We built this framework in response to customers hoping to map their attack surface to compliance, data protection, and attack frameworks. The SRC framework builds a contextual view into an organization's cyber risk across five dimensions of influence: reach, risk, relevance, impact and threat:

- Reach is a company's reliance upon other vendors for services, goods, or productivity, referred to as the vendor audience.
- Risk identifies the issues found that have the potential to cause harm to your company and its reach.
- Relevance is the compliance or posture of your company and its reach in relation to the risks found.
- Impact represents the level of severity of a compromised risk compared against the company's business and customer delivery model.
- Threat is the chain of adversary tactics and techniques that can be used against those risks found across the company and its reach.

Together, these five dimensions identify a company's true cyber risk and compliance posture and how it is influenced by its vendor audience.

How do we put the framework into action? By developing a perspective on each of the individual vendors and the company they support. The initial data points in this framework include:

- Reach: Obtaining the vendors that provide services and support to the company.
- Risk: Identifying a list of exposed assets, and their attributes, on the network perimeter that can potentially be compromised or weaken the security posture of an organization and its vendor audience.
- Relevance: Understanding the risks in terms of exposed, misconfigured, and non-compliant services as mapped to required security frameworks (e.g., CMMC, NIST 800-171, Section 889(b), HIPAA, HITRUST, etc.).
- Impact: Assessing the severity of various types of exposures in the context of an organization's customer delivery model and critical assets (e.g., data sensitivity levels as related to FIPS 199, GDPR, etc.).
- Threat: Aligning specific real-world adversary tactics and vulnerabilities that could target relevant exposures, as mapped to common frameworks and threat intelligence contexts (e.g., MITRE ATT&CK, OWASP, specific threat intelligence feeds).

Now we have a framework with contextual analysis that empowers security leaders to identify non-compliance within their sphere of influence, know how adversaries will attack their customer delivery model, decisively prioritize remediation of exposed assets by what is truly critical, and measure their compliance in terms of practiced evaluation methods. This flips the script on checkbox math by turning a contextual risk rating into an informed conversation that allows security leaders to evaluate not only a vendor's cybersecurity posture, but also the role the vendor plays in their company's business model and capacity for growth.

Expanse can provide a real-time contextual evaluation and rating based on preliminary standards such as NIST 800-53r4/5, NIST 800-171, PCI, CMMC, and other related models. Our solution is purpose-built for this exact issue. It views risk as an informed decision that can drive innovative approaches while at the same time protecting the security interests of the company.