When analyzing the security maturity of a large organization, one of the most important stages of information security management is the identification of threats and risks. To be precise in this identification, multiple approaches are used, depending on the level of the assessment and the focus and rigor required. In practice, unfortunately, only a few types of engagement are commonly performed, which does not allow the organization to perceive its real risk or to prepare its mitigation strategy appropriately. The result is an increased number of data breaches and successful compromises by cyber criminals and other parties.
The most common engagement type is a review of known and common threats and vulnerabilities against a known set of assets in an organization, usually performed by following best practices from established standards and risk assessment frameworks such as ISO 27001, ISO 27002, ISO 27005 or NIST SP 800-30.
Another review angle focuses on a guided audit or test of an organization or of a specific testing object. Examples include auditing an organization and developing its processes according to ISO 27001, or verifying the security level of an application against OWASP ASVS (Open Web Application Security Project – Application Security Verification Standard). When a company wants to simulate a realistic threat against a system and find vulnerabilities, penetration testing of an application, network or organization is the usual recommendation. The company chooses an attacker profile of a certain skill level, and the hired testers are aligned to that same skill set in order to discover vulnerabilities and risks an attacker of that level could exploit.
Classic red teaming also falls under this category: it simulates an adversary of a specific skill level over a longer engagement period than a regular penetration test, and under broader rules of engagement that allow more freedom while testing. While red teaming is very useful for detecting new avenues of risk, it is expensive and usually reveals only the single path the red team took to compromise the organization, not every path that exists.
In both cases, the focus is either on broad risk assessment and asset discovery, or on very specific checks and risk assessment for one application or one part of the system.
The PreCog Security approach leverages available frameworks, the customer's resources and infrastructure, and our own expertise to build a customized risk framework. Our team is a diverse lineup of professionals, from C-level security strategy executives with backgrounds in some of the largest IT enterprises, such as McAfee and Intel Security, to experts with prior industry experience and academics with PhDs in information security. This diversity lets us view every security problem and every element of your enterprise from multiple viewpoints, and scale our approach from the finest technical detail up to C-level and boardroom executive reports.
Our approach to strategic risk assessment and analytical red teaming blends three critical areas, carried out as three phases:
Phase 1 – Baseline Assessment and Identification (where is the organization now)
Phase 2 – Customized Risk Framework Development (where the organization wants to be)
Phase 3 – Implementation of Risk Framework (how the organization is doing)