The use of AI, Machine Learning, and SOAR within Risk Frameworks
Many organizations use risk frameworks to assess their control capabilities for digital security. Frameworks such as FAIR, the NIST CSF, and the FFIEC guidance act as roadmaps, setting out standards for managing cybersecurity risk to systems, assets, data, and capabilities. Blending these frameworks with next generation (NG) technologies can be powerful on several levels. Part one of this series covered the NG technologies themselves (AI, machine learning, SOAR). Part two, this article, looks at how organizations can use those capabilities to better align their security posture with the risk frameworks most relevant to their enterprise (NIST CSF, FAIR, FFIEC).
NIST – CSF
The National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) helps businesses of all sizes better understand, manage, and reduce their cybersecurity risks and protect their networks and data.
It places a strong emphasis on the classification and management of anomalies and incidents. The five core functions of the CSF (Identify, Protect, Detect, Respond, Recover) are designed to let organizations manage cybersecurity risk to their systems, assets, data, and capabilities through guidelines and best practices that cover every area of cyber risk management. The CSF prescribes no specific remediation methods; instead, applied together with risk management tooling, it lets an organization see where its controls are strong and where they are weak.
Organizations can adopt SOAR so that detection, triage, and first response for low-risk alerts are automated, while higher-severity threats are escalated for analyst investigation. This maps directly onto the Detect and Respond functions of the CSF and yields a more efficient system for defending the business against cyber threats.
FAIR
FAIR (Factor Analysis of Information Risk) is a risk quantification framework that establishes a taxonomy of the factors contributing to risk and how they relate to one another. Organizations use it to estimate the probable frequency and probable magnitude of loss events: loss event frequency is threat event frequency multiplied by vulnerability (the probability that a threat event becomes a loss event), and risk is loss event frequency combined with loss magnitude. FAIR groups controls by which factor they act on:
- Threat event prevention: controls that reduce threat event frequency, so fewer attempts reach the asset.
- Vulnerability management: controls that reduce the probability that a threat event turns into a loss event.
- Detection and response: controls that limit the magnitude of loss once a loss event has occurred.
The FAIR process flow, shown in the diagram below, is heavily metric driven.
The reliance on calibrated estimates and the volume of metrics FAIR needs deters some organizations. Fortunately, AI, machine learning, and SOAR tooling can sharpen those estimates and prepare the organization to collect the loss and probability data the FAIR model requires.
Machine learning models trained on an organization's historical incident, telemetry, and cost data can estimate the model's inputs, such as threat event frequency, vulnerability, and per-event loss in the form of downtime and recovery cost, by identifying patterns and generating predictions from prior data. SOAR tools provide structured, consistent incident records to train on, and model output can feed probable loss calculations and threat event probabilities in near real time.
Finally, mining previous incident data can surface weaknesses that are likely to recur and give advance warning. With next generation capabilities the FAIR inputs become better grounded in observed data. The output is still only as good as the data and calibration behind it, so estimate ranges should be revisited as new incident and loss data arrive.
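To make the FAIR relationships above concrete, here is an added example (not code from the original post) that runs a Monte Carlo simulation over three-point estimates for threat event frequency, vulnerability, and loss magnitude, and then compares the annualized loss exposure before and after a control that lowers vulnerability. The scenario numbers, the asset, and the MFA control are constructed for illustration and are not calibrated estimates.

```python
"""Monte Carlo estimate of annualized loss exposure using the FAIR taxonomy.

Added example; not code from the original post. Scenario numbers are
constructed for illustration and are not calibrated estimates.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (low, most likely, high) for one FAIR factor.

    Sampled from a modified PERT (a scaled Beta) so the mode carries most of
    the weight and samples never leave the calibrated range.
    """
    low: float
    mode: float
    high: float
    shape: float = 4.0  # conventional PERT weight on the mode

    def sample(self, rng: random.Random) -> float:
        if not self.low <= self.mode <= self.high:
            raise ValueError("estimate must satisfy low <= mode <= high")
        span = self.high - self.low
        if span == 0:
            return self.low
        alpha = 1 + self.shape * (self.mode - self.low) / span
        beta = 1 + self.shape * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Pert             # Threat Event Frequency: attempts per year
    vulnerability: Pert   # P(a threat event becomes a loss event), 0..1
    loss_magnitude: Pert  # loss per loss event, in currency units


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    if mean <= 0:
        return 0
    limit, k, p = math.exp(-mean), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def pert_samples(estimate: Pert, n: int, seed: int = 0) -> list[float]:
    """Draw n samples from one estimate; handy for checking a calibration."""
    rng = random.Random(seed)
    return [estimate.sample(rng) for _ in range(n)]


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss per iteration."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        # Loss Event Frequency = TEF x Vulnerability, the core FAIR relationship.
        vuln = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
        lef = scenario.tef.sample(rng) * vuln
        events = poisson(rng, lef)  # number of loss events in this simulated year
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    ordered = sorted(losses)

    def pick(pct: float) -> float:
        return ordered[int(pct / 100 * (len(ordered) - 1))]

    return {"mean": statistics.fmean(ordered), "p10": pick(10), "p50": pick(50),
            "p90": pick(90), "max": ordered[-1]}


# Constructed scenario: phishing leading to account takeover. The control under
# evaluation, phishing-resistant MFA, is modelled as a lower vulnerability estimate.
BASELINE = Scenario("phishing -> account takeover", tef=Pert(5, 12, 30),
                    vulnerability=Pert(0.10, 0.30, 0.60),
                    loss_magnitude=Pert(5_000, 40_000, 400_000))
WITH_MFA = Scenario("same scenario with phishing-resistant MFA", tef=BASELINE.tef,
                    vulnerability=Pert(0.01, 0.05, 0.15),
                    loss_magnitude=BASELINE.loss_magnitude)


def control_benefit(before: Scenario, after: Scenario, **kw) -> float:
    """Reduction in mean annualized loss exposure attributable to the control."""
    return summarize(simulate(before, **kw))["mean"] - summarize(simulate(after, **kw))["mean"]


if __name__ == "__main__":
    for s in (BASELINE, WITH_MFA):
        print(s.name, {k: round(v) for k, v in summarize(simulate(s)).items()})
    print("mean ALE reduction from control:", round(control_benefit(BASELINE, WITH_MFA)))
```

The point of the comparison is that a control changes one factor in the taxonomy, not the whole answer: the vulnerability estimate moves, the rest of the model stays as calibrated, and the difference in simulated annual loss is the quantity a FAIR practitioner puts against the control's cost.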
FFIEC
The FFIEC (Federal Financial Institutions Examination Council) does not write laws; it issues supervisory guidance and examination handbooks covering audit, business continuity management, e-banking, information security, management, outsourcing of technology services, retail payment systems, and wholesale payment systems, with the aim of reducing identity theft and fraud across institutions' portfolios. Tasked with promoting uniform supervisory standards and reporting systems for federally supervised financial institutions, the FFIEC is composed of five U.S. agencies with equal standing in setting those standards:
- Board of Governors of the Federal Reserve System (FRB)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
- Consumer Financial Protection Bureau (CFPB)
The FFIEC guidance classifies controls into six types: three by timing (preventive, detective, corrective) and three by nature (administrative, technical, physical). Layering them lets stronger controls compensate for weaker areas and mitigates risk better than any single control. All six types can benefit from artificial intelligence and machine learning.
The FFIEC emphasizes preventing incidents, especially across the connections between institutions and their service providers, where the risk of data leakage is high. This is a setting where a model can consume network complexity, traffic volume, and the number of active connections to estimate an organization's likelihood of loss. For example, if a third-party connection is compromised, misused, or mismanaged, the model can detect the deviation from the established baseline and warn analysts of a possible attack.
Machine learning can better prepare organizations for future attacks and breaches through its predictive use of historical data, while SOAR tooling can assist in the investigation of, and response to, suspected attacks.
As an example, if an internal user were altering or deleting data or destroying systems with malware, the Security Operations Center (SOC) could use a SOAR playbook to disable the user's account and isolate the affected host from the rest of the network.
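The two SOAR uses described on this page, automating low-risk alerts while escalating high-severity ones (in the NIST CSF section) and containing destructive insider activity (the example just above), can be shown together in one triage playbook. The following is an added example, not code from the original post or from any SOAR product. The alert records, the asset criticality tiers, the scoring thresholds, and the `disable_account` / `isolate_host` connector functions are constructed stand-ins for a real SIEM feed and identity provider / EDR integrations.

```python
"""SOAR-style triage playbook: auto-close noise, auto-handle medium-risk alerts,
escalate high-risk ones, and contain destructive insider activity.

Added example; not code from the original post or from any SOAR product.
Alerts, asset tiers, thresholds and connector functions are constructed stand-ins.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed asset inventory: criticality tier (1 low .. 3 high) feeds the score.
ASSET_TIER = {"db-prod-01": 3, "fs-finance-02": 3, "wks-0412": 1, "wks-0919": 1}

# Detector tags that indicate data destruction or tampering.
DESTRUCTIVE = {"mass_delete", "data_tamper", "ransomware_behavior"}

AUTO_CLOSE_BELOW = 30   # hypothetical thresholds; tune to the environment
ESCALATE_FROM = 70


@dataclass(frozen=True)
class Alert:
    id: str
    rule: str
    host: str
    user: str
    confidence: int                        # detector confidence, 0..100
    tags: frozenset[str] = frozenset()


@dataclass
class Decision:
    alert_id: str
    score: int
    route: str                             # auto_close | auto_handle | escalate
    actions: list[str] = field(default_factory=list)


def disable_account(user: str) -> str:
    """Stand-in for an identity provider connector; a real playbook would call its API."""
    return f"idp.disable_account:{user}"


def isolate_host(host: str) -> str:
    """Stand-in for an EDR network-isolation connector."""
    return f"edr.isolate_host:{host}"


def risk_score(alert: Alert) -> int:
    """Combine detector confidence with asset criticality and context, capped at 100."""
    tier = ASSET_TIER.get(alert.host, 2)   # unknown asset: treat as medium criticality
    score = alert.confidence * tier // 3
    if alert.tags & DESTRUCTIVE:
        score += 40
    if alert.user.endswith("-admin"):      # privileged account raises the stakes
        score += 15
    return min(score, 100)


def triage(alerts: list[Alert], seen: set | None = None) -> list[Decision]:
    """Route each alert; `seen` carries (rule, host, user) keys across a window."""
    seen = set() if seen is None else seen
    decisions = []
    for a in alerts:
        key = (a.rule, a.host, a.user)
        if key in seen:                    # repeat of an alert already handled
            decisions.append(Decision(a.id, 0, "auto_close", ["dedupe"]))
            continue
        seen.add(key)
        score = risk_score(a)
        if score < AUTO_CLOSE_BELOW:
            d = Decision(a.id, score, "auto_close", ["annotate: below threshold"])
        elif score < ESCALATE_FROM:
            d = Decision(a.id, score, "auto_handle", ["enrich", "open_low_priority_ticket"])
        else:
            actions = ["page_analyst", "preserve_evidence"]
            if a.tags & DESTRUCTIVE:       # contain first, investigate second
                actions += [disable_account(a.user), isolate_host(a.host)]
            d = Decision(a.id, score, "escalate", actions)
        decisions.append(d)
    return decisions


# Constructed sample alerts standing in for a SIEM feed.
SAMPLE_ALERTS = [
    Alert("a1", "failed_logon_burst", "wks-0412", "jdoe", 40),
    Alert("a2", "new_admin_tool", "db-prod-01", "ops-admin", 50, frozenset({"lolbin"})),
    Alert("a3", "mass_file_delete", "fs-finance-02", "jdoe", 85, frozenset({"mass_delete"})),
    Alert("a4", "failed_logon_burst", "wks-0412", "jdoe", 45),   # duplicate of a1
]

if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS):
        print(d)
```

Two design points matter more than the thresholds themselves: duplicates are suppressed before scoring so that a noisy detector cannot page an analyst four times for one event, and automated containment is reserved for the escalated, destructive branch, since disabling accounts or isolating hosts on a low-confidence alert is itself a way to cause an outage.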
Leveraging Next Generation Capabilities
Next generation capabilities built on AI and machine learning offer many possibilities in support of modern risk frameworks such as FAIR, the NIST CSF, and the FFIEC guidance. They let organizations get more value from recent heavy investment in NG technology and gain a competitive advantage through a more secure digital ecosystem. These technologies allow a business to identify and define "normal" for its digital environment and to react to detected anomalies more efficiently.
They benefit these frameworks because they automate the identification of data and processes at a speed and accuracy that let management make risk-based decisions in near real time. Applying NG technology lets management define the organization's current security posture and what "normal" behavior looks like on its digital platforms. Today, protecting an organization's assets and data is fundamental to good business practice in the eyes of both management teams and boards of directors. How well an organization aligns NG technology with its control frameworks determines how effectively it can maintain a digital environment for internal and external clients that gives it a competitive advantage in the marketplace.
Thank you to Kevin McGovern for his oversight and to our interns Madilyn Kent, Yash Parekh, and Jake Sullivan whose enthusiasm and energy contributed to the authorship of this two-part series.