#13 on our list of “Top 20” SOC Capability Areas may be unfamiliar to many. It presents a bit of a paradox frankly, as it is the most often overlooked yet represents one of the most critical needs in Security Operations. The need to answer the elusive “So What?” question demands Consequence Analysis. When you want to know “What’s at Risk?”… Context is Everything.
Today, many Security Operations monitoring & visualization capabilities attempt to automatically present a picture of cyber “Risk” by connecting Threat data (Cyber Threat Intel and/or actual internal events) with related Vulnerabilities in the organization’s cyber infrastructure. At best, this is an incomplete picture; and can often be misleading.
This gets to the root of what some refer to as Cyber “Situational Awareness”. There can be no awareness of the “Risk” in a situation, that doesn’t consider the actual Consequences to the Organization that may result from a Threat exploiting a Vulnerability. The original “Risk Formula” concept from the 90s (right... Note: it is not an actual mathematical formula, but simply an abstract model) captured the critical role that Consequence (or “impact”) plays as the major factor in assessing Risk.
The point of this "Risk Formula" - if there is no Consequence, there is no Risk.
Consequences are a key component of the context that should be used to prioritize all decisions.
The Consequences of predicted compromises justify security investments.
The Consequences of actual incidents prioritize which get worked on first.
And the Consequences of any potential Countermeasure options are critical to decision making that balances the interests of all stakeholders… in real time.
Waiting to gather information about potential Consequences until after an incident actually occurs, wastes valuable time and resources, and delays an effective response. Further, a purely reactive approach to establishing critical context is one of the most significant contributors to Analyst burnout and turnover.
Playing such a fundamental role in all Security Operations decision making, it is paramount that all Security Operations teams invest in advanced Consequence Analysis capabilities that fully leverage the dynamic Business Dependency Mapping knowledgebase described in earlier articles (from BCP, COOP, DRP, BIA, etc.).
Hindering adoption of such capabilities today – 1) few organizations invest the time required to continuously track and document their critical Business Dependencies, and 2) there are very few commercial cyber security products in the market today that provide effective functionality to support this demand.
This article barely scratches the surface of the need for Consequence Analysis capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Consequence Analysis capabilities to support your own Security Operations efforts.