"I'm having a hard time figuring out where our risk really is here..."
If you've ever had an interesting audit finding, threat scenario, risk analysis, or generally found yourself needing to try to help the business sort thrugh its thoughts about exactly what's going on, then this blog post is for you.
Before we dive in, I should introduce myself. I am a risk manager. My name is Alex, and I work for a largish financial institution where I am a director of technology and operations risk. My information security/risk management background comes from my previous work in risk intelligence at Verizon, where I was part of the Data Breach Investigations Report (DBIR) team, working with Jack Jones setting up IRM/ERM shops and teaching FAIR, and working with Brent Huston doing OCTAVE/NIST stuff "way back" in the 2001-2005 time frame. Prior to that, I was a product manager for a firewall/VPN solution for five years.
So in the past 10 years I've been working around information risk management, I've learned that security and risk are pretty complex. In fact, I don't think it would be a stretch to say that we're working with complex adaptive systems in our profession. This complexity makes it challenging to understand risk, and it can mean that we have difficulty communicating risk.
The good news is that, in my experience, once you have some formalization around definition and modeling, risk management becomes 80 percent communication methods. So in this inaugural series of posts, I'd like to share with you a little tool to help risk and security folks communicate the situation at hand. I call it "The RiskFish."
What Is The RiskFish?
The concept is simple: Take an Ishikawa or Fish Diagram that was originally created for root cause analysis in manufacturing, and then hack it up a bit so that it works for security and risk. The means to provide clarity and definition? We'll use VERIS, the community licensed/released framework used by Verizon to create the DBIR. So where a manufacturing root cause analysis is going to include categories such as Personnel, Materials, Measurements, Environment, Methods, and Machines, we will use the following:
(business unit or victim) Demographics
How To Use The RiskFish
Basically, the RiskFish is a brainstorm tool. It's designed to help you sort out your thoughts. You simply take whatever scenario you're looking at -- identify categorically which part of the fish diagram you're talking about (click on it to enlarge) -- and use VERIS to clarify all of the risk elements you think you might want to consider. I've found that VERIS provides pretty good definition and clarity; it has been used to describe thousands of incidents in Verizon's DBIR. Because Verizon has used VERIS for years, anything you think of should be able to be identified and described using the tool. If you come up with something unique and not covered in VERIS, then the community nature of VERIS means that you can contribute to the XML schema and definitions at the VERIS community website.
So using VERIS, what the diagram does is help you identify a high-level category to discuss what you're thinking about. If I'm worried about malicious insiders, for example, I would go to the Agent branch and write down "insider." Then, if I wanted to get more specific, the VERIS community website has metadata associated with "insider." So I might write down "insider - privileged - auditor" if I wanted to describe a specific case where I'm worried an audit might go rogue. Maybe then I'd match up an action of "Misuse" and circle some of the impact categories that I think might apply. I can do more threat modeling in the bottom part of the diagram, picking actions against assets, attributes that would be compromised, and so forth. And it's totally OK to have more than one thing appear in any one branch; again, this is brainstorming. The important part is to get it all down on paper and then start identifying relationships and connections between the branches.
All of this classification metadata you can associate with these top-level categories can be found at the VERIS Community website, except for controls. For now, that branch is "young," and I would welcome industry contributions to help mature that (or any other) category.
Speaking of contributing, I've tried to make the RiskFish as "free" as possible by releasing it under a creative-commons license. You can use it for free; you just can't charge for it, and if you improve it, we ask that you share back to the world. I say "we" because the RiskFish is now formally under the stewardship of the Society of Information Risk Analysts (SIRA). There's no fee to join SIRA, and you can just sign up for the mailing list and get your hands dirty if you want to learn a little bit more about it, talk to people who are using the RiskFish, or even contribute to its evolution.
So feel free to download a .pdf file of the RiskFish from the SIRA website.
Where To Use The RiskFish
I've found using the RiskFish to be really useful in discussions with the business, particularly as a tool to help it sort out its concerns. I've found it useful in Vendor Management discussions, on-boarding new systems, defining red team scenarios, risk scenarios...it's kind of a neat Swiss Army Knife for the risk/security analyst.
Like a Swiss Army Knife, the RiskFish does a little bit of everything. It helps you do a wee bit of threat modeling, control analysis, and impact analysis. The knife isn't going to cut down a tree, but you can whittle something nice with it. The RiskFish isn't a formal threat modeling or risk analysis tool, but it can give you a good idea as to what is important and indicate when it's time to bring out a real tool. The RiskFish is not a tool that's going to calculate your risk, make your world candy canes and unicorns, or protect your network. So far, however, it seems pretty useful for helping you sort your thoughts and helping you identify what's important.
Later, we'll talk about using the RiskFish to create the basis for a risk analysis. Then I thought we'd finish out this series of blog posts by discussing how to use the RiskFish to scope a penetration test, argue an audit finding, and finally, architect a new control framework.
Alex Hutton is Director of Technology and Operations Risk at a largish financial institution. He likes risk and security so much that he contributes spare time to industry groups like The Society of Information Risk Analysts.