1. Technical Field
The invention relates to enterprise business risk management. More particularly, the invention relates to pervasive, domain and situational-aware, adaptive, automated, and coordinated analysis and control of enterprise-wide computers, networks, and applications for mitigation of business and operational risks, including efficiency and effectiveness of business processes and enhancement of cyber security.
2. Description of the Background Art
Ubiquitous deployment of IT systems, as well as business and regulatory demands, are driving interconnection of operational technology (OT) domains with information technology (IT) and security technology (ST) domains. Increasing interactions among all these elements within and between enterprises allows new types of risks to emerge and allows risks from one domain to reach others.
These emergent and cross system risks allow adverse impacts to propagate from one system to others, requiring coordination among OT, IT, and ST systems to prevent and/or mitigate such events. Whether caused by natural disasters, deliberate attacks, equipment malfunctions, or process failures, the result is increased reports of security and operational events, thus raising the importance of cyber security and business risk management for enterprises and critical infrastructures, based both on business and regulatory compliance demands.
Security and risk properties of OT, IT, and ST systems today are typically assessed through sub-domain specific expertise of individuals. These ad hoc decisions are based on personal experience, as well as guidelines and alerts issued by government agencies and third parties. Current methods are inherently informal, based on subjective perceptions of risk. They are also unable to consider the numerous complex relationships between all the relevant security and risk concepts in a systemic fashion. The result is a non-holistic and fragmented OT and IT security and risk management approach which becomes less and less effective as system connectivity and complexity increases. Additionally, increasing flexibility of business processes and rising integration of OT, IT and ST systems require continuous risk assessment which cannot be satisfied by the response time of existing methods. To improve the integrity, repeatability, effectiveness, and timeliness of security and business risk analysis from various sources, reliance on formal and automated methods is required.
Most enterprise managers require a complete understanding of their business, operational, and information security risk exposures and needed postures. While IT staff may be competent in implementing security tools, they often do not have the expertise in business or operational modeling of domains such as power systems, financial systems, or health care systems and attendant risk management. Enterprises are concerned that revealing security and risk incidents attracts other malicious hackers to exploit vulnerabilities or leads to regulatory scrutiny and loss of brand value. This reluctance to disseminate security incident information results in poor quality of data on threats and vulnerabilities.
Although IT organizations are responsible for protecting the IT and ST systems, it is difficult for the enterprises to get a clear picture of security and operational postures without a formal risk analysis. Lack of automated processes is hindering wider adoption of enterprise wide security and business risk management, and is exposing the enterprises to disruptive risk events. Automated risk management with collection, collation, and correlation of data would enable reasonable statistical analysis to estimate risks, infer effective security and risk control measures, evaluate impact of threats on various assets deployed to support the myriad business process services on which the enterprise business functions are built, and allow self healing of the system through dynamic reconfiguration to achieve heightened security, improved efficiency and enhanced effectiveness.
Unified methodologies for automated risk management, freeing enterprises from reliance on subjective analysis based on checklists and guidelines, are needed to enhance security analysis comprehensively and systemically mitigate the operational and information security risks facing an enterprise. Because threats and vulnerabilities to existing and emergent services are continuously evolving, automated and adaptive methodologies to monitor situational contexts and refine their control postures as responses to such changes are required to improve the integrity of such dynamic and interconnected risk management system. To identify, predict, and offer resiliency for, and recovery from, such security events whose origin and manifestation could be very diverse, systems of analysis and inference must be distributed throughout the domains of operation. Additionally, security, business risk and optimization controls must be pervasively applied, rather than being dictated by a centralized security manager. Such systems also allow organizations to start with a small initial data set and gradually refine and improve the analysis as high fidelity data becomes available. Such systems would also allow organizations to perform qualitative analysis on a broad scope, and then perform a more detailed quantitative analysis based on a critical subset of the problem.
Unified risk management approaches are also critically needed to guide resource allocations effectively, identify implementation of best practices on the basis of practical and meaningful benchmarks, and demonstrate various regulatory and business compliances for all domains of an enterprise. Such approaches must provide frameworks which can consider all the dynamic and interconnected vulnerabilities, system optimizations, different performance requirements, and security and risk priorities of the various data and control flow through the entire information system without adversely impacting various performance requirements and implementation limitations within the domains.
Unified security and risk analysis can offer opportunities to adapt domain specific solutions that have been used for decades to manage risks in one domain to other domains of an enterprise or to other business segments altogether different. Existing monitoring and response methods and technologies deployed to protect against inadvertent security and risk problems, such as equipment failures, operational errors, risky or sub-optimal business processes and natural disasters could be leveraged and extended to include deliberate cyber attacks and security compromises resulting from the emerging convergence of the OT, IT, and ST systems in different business domains.
A unified risk model can take advantage of a correlated view of IT security and OT reliability consequences, based on unified event detection models and deep contextual understanding of the various operational and business process interdependencies in the enterprise to analyze significant events, predict correlated consequences, and provide intelligent, systematic, and coordinated responses on a real-time basis. Such integrated risk management should be based on consistently standardized security metrics and objective risk analysis processes, along with historical vulnerability and threat data, e.g. anomaly in traffic, attack signatures, information forensics, etc., that would enable domain specific statistical analysis and characterization of attack probabilities and risks.
Coordinated risk management requires secure automated information exchange among all domains of an enterprise to support analysis and intelligent decision making distributed throughout the enterprise. Adaptive orchestrations of situational awareness, domain knowledge including malware intelligence, inference engines and decision systems and, finally, control activations could ensure that the entire enterprise operates much more efficiently while enhancing end-to-end security and mitigating overall risk. Multiple domains with increasing interdependence among diverse functions, e.g. sensing, measuring, consuming, processing, controlling, interacting adaptively to situational and governance changes transform the enterprise-wide risk management into a complex system of activities.