Information technology risk management frameworks help organizations reduce the probability and impact of cyber incidents. Our previous article outlined, at a high level, how Digital Risk Protection (DRP) solutions fit into these frameworks.
Both NIST 800-39 and ISO 27005 include guidance on monitoring risks once they have been assessed, analyzed and treated. This article looks more closely at the role a SaaS digital footprint monitoring (DFM) solution can play in meeting the expectations those frameworks set.
The NIST framework separates risk monitoring into several categories, and a DFM solution can contribute to each of them at a different level.
1 – Monitoring Effectiveness
The effectiveness of risk mitigation measures varies widely and is generally hard to measure because of the complexity of IT environments and the range of potential threats. A DFM solution can provide visibility into this effectiveness. By continuously monitoring the organization's external attack surface, it produces alerts and metrics that can be compared against the results the risk treatment was expected to achieve. The further the observed exposure is from that target, the less effective the measure has been.
One challenge of using a DFM solution in this step is extracting key metrics and indicators from the raw alerts. Every DFM solution produces alerts, but a single alert is rarely an indicator of effectiveness on its own. It must be aggregated with the other events related to the same target risk, and both the frequency and the severity of those alerts must be tracked over time, before it says anything useful about how exposure to that risk is changing.
A capable DFM solution aggregates these alerts itself and summarizes them in key metrics that can be fed continuously, with little effort, into the risk effectiveness monitoring process.
2 – Monitoring Information System and Environment of Operation Changes
Information systems within an organization evolve continuously, and risk mitigation measures remain effective only within a certain range of change. As assets, individuals and processes change, new risks appear and previously effective measures can lose their coverage.
A DFM solution helps by continuously monitoring exposed assets and identifying changes in the organization's external posture. Controls that depend on that posture benefit most from this monitoring, since it gives visibility into the significant changes that would require updating, replacing or iterating on those controls.
Once again, individual events detected by a DFM solution provide limited visibility on their own: these events can legitimately occur even with risk mitigation measures in place. To address this, a capable DFM solution automatically identifies important changes in the organization's exposure through standardized metrics and alerts the organization only when an actionable anomaly is detected.
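The two sections above describe the same pipeline from different angles: raw alerts are rolled up per target risk, weighted by severity and bucketed over time (section 1), and the resulting series is compared against a treatment target and checked for anomalous changes (section 2). The following script is an added example, not code from the original article or from any DFM product, of what that roll-up can look like. The alert format (timestamp, risk-register entry, severity), the severity weights, the weekly windows, the z-score threshold and the sample alerts are all assumptions constructed for illustration; a real solution exposes its own schema, and the weights should follow the organization's risk scale.

```python
"""Roll up constructed DFM alerts into per-risk exposure metrics.

Added example: the alert schema, severity weights and thresholds below are
assumptions, not the format of any real DFM product.
"""
from datetime import date, datetime
from statistics import mean, pstdev

# Assumed severity scale; tune it to the organization's own risk scoring.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}

# Observation period: five weekly windows starting Monday 2024-03-04.
START = date(2024, 3, 4)
WINDOW_DAYS = 7
N_WINDOWS = 5

# Exposure level each risk treatment was expected to reach (hypothetical).
TARGETS = {"exposed-services": 4, "leaked-credentials": 5}

# Constructed sample alerts: (ISO-8601 timestamp, target risk, severity).
SAMPLE_ALERTS = [
    ("2024-03-05T09:12:00", "exposed-services", "high"),
    ("2024-03-06T14:30:00", "leaked-credentials", "low"),
    ("2024-03-08T11:05:00", "exposed-services", "medium"),
    ("2024-03-11T08:45:00", "leaked-credentials", "low"),
    ("2024-03-12T16:20:00", "exposed-services", "high"),
    ("2024-03-14T10:00:00", "exposed-services", "low"),
    ("2024-03-15T13:15:00", "leaked-credentials", "low"),
    ("2024-03-19T09:40:00", "exposed-services", "medium"),
    ("2024-03-20T15:55:00", "exposed-services", "low"),
    ("2024-03-21T12:10:00", "leaked-credentials", "low"),
    ("2024-03-23T07:30:00", "exposed-services", "low"),
    ("2024-03-26T10:25:00", "exposed-services", "medium"),
    ("2024-03-27T11:50:00", "leaked-credentials", "low"),
    ("2024-03-28T14:05:00", "exposed-services", "low"),
    ("2024-03-29T09:00:00", "leaked-credentials", "low"),
    ("2024-04-01T08:10:00", "leaked-credentials", "critical"),
    ("2024-04-02T13:35:00", "exposed-services", "medium"),
    ("2024-04-03T17:45:00", "leaked-credentials", "medium"),
    ("2024-04-04T10:20:00", "leaked-credentials", "low"),
    ("2024-04-09T09:00:00", "exposed-services", "high"),  # outside period, dropped
]


def bucket_scores(alerts, start=START, window_days=WINDOW_DAYS, n_windows=N_WINDOWS):
    """Sum severity weights per risk and per time window.

    Returns {risk: [score for window 0, ..., score for window n-1]}.
    Alerts outside the observation period are ignored rather than folded
    into the edge windows, so they cannot distort the trend.
    """
    scores = {}
    for ts, risk, severity in alerts:
        day = datetime.fromisoformat(ts).date()
        idx = (day - start).days // window_days
        if not 0 <= idx < n_windows:
            continue
        series = scores.setdefault(risk, [0] * n_windows)
        series[idx] += SEVERITY_WEIGHT[severity]
    return scores


def flag_anomaly(series, z_threshold=3.0, sd_floor=1.0):
    """True when the latest window is an outlier above its own baseline.

    Only increases are flagged: a drop in exposure is good news, not an
    anomaly to page on. The standard deviation is floored so that a very
    quiet baseline (e.g. 1, 2, 1, 2) does not turn every small bump into
    an alert.
    """
    *baseline, latest = series
    base_mean = mean(baseline)
    sd = max(pstdev(baseline), sd_floor)
    return (latest - base_mean) / sd > z_threshold


def effectiveness(series, target):
    """Compare current exposure with the level the treatment aimed for."""
    first, latest = series[0], series[-1]
    return {
        "latest": latest,
        "target": target,
        "gap": latest - target,            # positive means still above target
        "on_target": latest <= target,
        "change_pct": round(100.0 * (latest - first) / first, 1) if first else None,
    }


def run_example(alerts=SAMPLE_ALERTS, targets=TARGETS):
    """Build the per-risk report a risk owner would review each window."""
    report = {}
    for risk, series in bucket_scores(alerts).items():
        report[risk] = {
            "series": series,
            "anomaly": flag_anomaly(series),
            **effectiveness(series, targets[risk]),
        }
    return report


if __name__ == "__main__":
    for risk, summary in run_example().items():
        print(risk, summary)
```

In the constructed data, exposure to "exposed-services" falls steadily from 10 to 3 and lands under its target of 4, which is what an effective treatment looks like in this view; "leaked-credentials" sits quietly at 1 or 2 for four weeks and then jumps to 14, which the anomaly check flags while the individual low-severity alerts before it never would have.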
Automated versus Manual Monitoring
A DFM solution provides an automated layer of risk monitoring that is fast, efficient and cost effective. It must nonetheless be complemented by manual monitoring of activities that are not technology-based, such as those NIST 800-39 describes: tracking the use of multiple suppliers within the supply chain, evaluating emerging technical capabilities, and so on. A DFM solution also covers only the externally observable subset of risks, so organizations must complement it with monitoring of their internal software, hardware and firmware to cover the remainder of their information technology risks.