Good afternoon, good morning, or good evening, depending upon where you are and welcome to this webinar on managing cyber risk in a hybrid, multi-cloud it environment I'm Mike Small and I'm a senior Analyst with KuppingerCole. And my co-presenter at this, this presentation is Chris Griffiss, who is a chief product officer with BICS. So in terms of looking after the housekeeping, we will be in control of the audio. We're going to run some polls. The slides are being recorded together with the presentation, and there will be a Q and a session at the end. So with that, let's move on.
So here is the first poll. So what do you in your organization consider to be the biggest security challenge? Is it understanding the real risks? Is it complexity? Is it managing the shared responsibilities for security? Is it inconsistent tools and capabilities, or is it a lack of transparency and controls? So we will give you a few moments to respond and then we'll press on. And hopefully we may be able to see some of the results by the end.
So we've closed the poll now. So let's move on to the next step in this talk.
The agenda is going to be that I'm going to start off by talking about the Analyst view of risk in the hybrid multi-cloud environment. And then Chris Griffith from bio is going to talk about the benefits of using a unified model across cloud. And on-prem. So when I look at hybrid, multi-cloud it, this is what has enabled the digital transformation.
However, it is also introduced some new risks. Indeed. One of the, the main things that, that made the world manage with COVID much better was in fact, the way in which people could work from home, which largely depended upon communications or cloud services.
However, when we look at what led to this, the reason why organizations adopted it as a service was really because of the, the longstanding flaws in the way, in which old fashioned it was delivered old fashioned, it was difficult to change.
It was, it depended upon writing specifications and so forth. It was inflexible because even if you decided you wanted to have a new application, it took months to buy the stuff that you needed to run it. And it couldn't respond to user demands.
However, the cloud altered all that because you could get access to a system with your credit card that would otherwise have cost millions of pounds. You could then use a DevOps approach to define and build what the customer needed. And when the customer explained what they really wanted, you could change it. So people moved to using cloud services as a way of getting closer to their customers of improving the way that they did business and opening up their supply chains.
However, the cloud came with some challenges and one of the major challenges, and one of the major inhibitors to the enterprise general adoption of cloud is in fact risk.
And whilst the CTO may be driving the cloud program forward 85% of securities of sec of organizations say that they find security a challenge when using cloud and hybrid environments that risk and compliance is reported as a concern by 76% of organizations. And also surprisingly 81% of organizations find the use of the cloud poses challenges in terms of cost.
So these are things that we have to take account of when we are going to use cloud services. And if you sort of summarize the concerns of what these really mean top of mind for most organizations now, because of all the incredible amount of regulation that has grown around the delivery of services is compliance. And in this particular example, I brought out the capital one hack, which was related to a misconfiguration of a cloud service, which ended up with an 80 million pound fight that most organizations now, in order to do business with their customers, hold lots of customer data.
And there are endless numbers of large consumer facing organizations, hotel groups, airlines, and so forth that have had massive data breaches because the cyber criminals recognize the value of the amount of data that these organizations hold.
And finally business continuity that the growth of ransomware, which will find any kind of weakness in your systems, whether it be in the cloud or on premises to find a route in to your systems in order to deny you access to your data. So those risk and compliance challenges need to be addressed.
And when you look in summary at what the problems that lead to this are the first one is complexity that although the cloud said it was going to make things simpler. In fact, it's actually made things more complex that you used to know that it was up to you to, to manage your security, to manage your risks, to manage your infrastructure.
Now, you have a shared responsibility which leads to confusion over who is responsible for what that this complex environment has created. A zoo of inconsistent tools and capabilities, depending upon which cloud, which servers and which services you are using.
And from a compliance perspective, it's been very difficult to provide the kind of data that you need in order to facilitate compliance management. So looking at these things in more detail, the first thing is, and this shows from our experience, what it is that people are trying to do to deal with this.
Some people are trying to say, we'll manage this complexity by having a com common environment. The cloud providers want you to use their cloud. So if you were using something like VMware, then you can run that wherever you want. If however, you are not, then are you going to use or standardize on the environment provided by your major cloud, which will be different depending upon which cloud. So all of the major cloud providers have something like a cloud in a box. Are you going to move to virtualized infrastructure?
Or indeed, we now even have major manufacturers of, of, of, of hardware systems renting out their equipment, where you choose it.
All of those are different approaches to, to that.
However, how do you deal with the public cloud? And every one of the clouds provide their own vendor templates, their own vendor monitoring and their own vendor compliance capabilities. This will be simple if there was just a single way of doing things, but what's happening is that the traditional way of running services has changed into a container based world. So a container based world is good.
Indeed, you, some people tell us they've reduced risk by going entirely to containers, but most organizations don't have the option to do that. They have the legacy, the systems of record that they cannot change. Then you may have worked out how to deal with your legacy stuff. And so there were all these tools that you were using, like identity management and network management. And there's confusion about how you might use these and what their effectiveness is in terms of what's happening in cloud and on premises.
And then you have a whole host of vendor offers that have appeared supposedly to overcome this. And none of these approaches is fully satisfactory. So let's look at shared responsibility. So when you look at the responsibilities for cybersecurity, there is a very complex sharing system between you, the consumer of the cloud service and the cloud service provider.
So when you look at all the layers that are involved, then at the very bottom, there is the physical data center right up to at the top, there is how you access everything and how the responsibilities are divided, depends upon what kind of service you are using. So for example, with infrastructure, as a service, you are responsible basically for everything over the hypervisor. If however, you are using a, a database as a service, then the database has to be secured by the platform provider. And at the top level with software is a service.
The whole Kaboodle is provided, but still you have responsibility and people fall down holes because they become confused as to what the responsibilities are and have misguided beliefs in what the cloud service provider will provide. And so you have to ensure that your meeting your responsibilities while at the same time, ascertain that the provider meets theirs. So in effect, most organizations are flying blind because you don't have the metrics to know what you are doing.
And so you don't, this is this problem of transparency in the hybrid environment, you may know what applies to you in terms of laws and regulations. You may know what your risk appetite is, but how do you know whether your controls in this complex environment are working they're effective and that they're actually meeting my obligations. And so the cloud in the first place increased this opacity, and it's been made worse because if you have a hybrid environment, you've got a mixture, you've got a mixture of clouds.
You've got a mixture of on premises.
And whilst you might have had reporting tools that worked in one environment or reporting tools that worked on premises, you don't actually know what you, what, what your real position is in terms of all of this. So what, what do we actually need?
Well, what you're missing is a common view of risk. And this has come about because you had tools that were on premises. And these were things like asset management. There was network management, vulnerability, vulnerability management, identity management, and data security. You thought you had those under control. Now you've got all the different flavors of all of the different clouds, all of which come with their own tools and their own methods of monitoring it.
And that leads to this kind of ad hoc risk management that you can't get a single view of where you are, you know, that some of your systems, some of your business critical systems may depend upon a combination of what's on premises.
And what's in one of the clouds. And what you can get is individual views, which are different express things in different ways. And generally speaking, do not help you to see where you are and what is really needed is a unified view of risk.
Now, in Kuppinger coal, we talk about the need for what we call fabrics. These are, if, if you will a, a, a, a weft, a weaving, a piece of material, which contains all of the necessary tools that you have. So you don't throw your tools away, but these are working together in a coordinated way in order to provide you a common view of risk. And it is this provision of this common view of risk, which is the thing that is mostly missing. And that is what we are saying is that is what you need to put on top of your fabric.
And so this should give you this common view over so that you can govern properly what it is that you are doing by setting objectives and seeing whether you are meeting those objectives for, for example, data protection, for resilience, and for compliance that meets your obligations and meets your level of risk appetite. And so, in summary, what I'm saying is that the multi-cloud hybrid world has arisen for a good reason. It gives flexibility, it gives agility, and it gives benefits in terms of the services that you can deliver.
However, it also brings with it a set of business risks, which are the concerns about managing business continuity, the loss of, of reputation through data breaches and the cost of compliance failures that the contributing factors to all of this are that the hybrid multi-cloud world of today is more complex.
And not only is it more complex, it depends upon third responsibility with multiple tool sets and basically results in a lack of proper transparency that the co view of the response to this is that what is needed is a security fabric and tools that provide you with a unified view of risk across all of your environments, all of your technologies and all of your security disciplines, and provides the right metrics that you can use for business governance.
So thank you with that. We're now going to come to our second poll, which is how would you best describe your hybrid multi-cloud environment?
Is it mainly based on cloud services from a single cloud service provider? Does it use cloud services from multiple providers with some from non-cloud, or is it a balance of cloud and non-cloud services? So can we start the poll please? Thank you. So we'll give you a few moments to respond to that, and then I'm going to hand over the presentation to Chris. Thank you. So the poll is now closed, so I'm going to now say thank you very much for your attention, and I'm going to hand the poll over the system over to Chris.
Thank you so much, Mike, let me get things going here.
Okay, perfect. So I think that was just an excellent summary, you know, given the way that our environments are evolving these days with our hybrid multi-cloud environments, it's, it's such an important topic. So really excited to be here and, and talk through it. So what we'll do now is take the view around how we look at benefits of that unified view across cyber risk and how it can be implemented in, in reality, and, and in practice within organizations. So starting from the view of cyber risk reporting for a moment. And if we think about why do we report on risk?
What are some of the reasons that we actually report on cyber risk, regardless of on-prem or cloud or whatever environment it is, it can be many reasons. It can be because we need to drive certain out, you know, actions and outcomes.
We need to report to senior management or boards to the C-suite. We need to look at regulations. We need to look at compliance. We need to make sure we're focused on the right things. We're investing in the right areas.
There can be many reasons why we're reporting on risk, but one of the key challenges that we see across many, many organizations is that risk reporting, this kind of the state of cyber risk reporting is pretty difficult today in that most of the time, it's, it's driven by operational metrics, a very technical and operational metrics that come from different tools that a different amount of visibility across the environment. And so then the communication and the language that's being used between cybersecurity teams, risk teams, business leaders, is different.
People are not speaking the same language. It's hard to understand if I've resolved, you know, 4,007, four vulnerabilities in July.
Am I doing well? Am I doing bad? Should I be doing better? What's you know, how am I trending? What does this mean to my business? So that's one, one key issue. Then a second key issue is as Mike's alluded to is that most companies don't have that unified view across their environments.
You know, we've seen industry surveys that indicate, you know, over 60% of organizations, you know, specifically are looking at on-premise environments differently from their cloud environments. And so that becomes a challenge.
And there are, there are different ways that companies and enterprises try, try to address this from using kind of the, the traditional tools or vulnerability scanners, and trying to extend these to cloud environments, looking at the native tools that are provided by the cloud providers themselves like an AWS inspector, for example, new cloud security posture management tools that are, are looking at cloud environments specifically or larger organizations are saying, look, we have many tools that are covering these areas. Let's, you know, try to pull it together.
Let me get a bunch of data scientists pull this information from all these areas into a data lake and try to make sense of it, which is, can be a difficult proposition. When we think about what's really needed here, we need to have this unified, but we also need a, an automated, scalable way to, to implement it at the same time.
So based on these challenges, kinda this lack of a common business language, as well as a lack of unified view, key questions become very difficult to answer.
And these are just key business questions, irrespective of the environment, whether it's cloud or on-prem or hybrid. So just taking some of these in turn, you know, what is the ROI that we're getting from our security program? Are we investing in the right areas, the right tools, the right resources? Do we have the right level of cyber insurance across our business? Based on our acceptable risk levels, are we compliant to SLAs across our environments? On-prem as well as cloud, do we know what we should be focused on to fix the most important risks that address our business?
And by the way, what is our risk by the way that we look at our, our business by business unit or geography or business leader.
So these tend to be questions that are very difficult and kind of, you know, gut wrenching to try to answer where we don't have good visibility and we don't have a good language to communicate. And so this is where BICS perspective is that what's really needed from a foundational level, is this unified model of cyber risk.
And we'll, we'll touch upon it. A couple of these areas in turn, in terms of the, the key benefits, starting from the comprehensive visibility across the attack surface, we'll explain what that means to then once you have that visibility, how do you prioritize and then remediate those areas that are bringing most risk to your business, and then reporting in a way that is aligned to the business language. It is in a tool based operational approach.
So drilling into visibility, we would argue that this is perhaps the core starting point of any effort you can't protect what you don't know about.
You need to know about what your environment looks like comprehensively. And if you think about, you know, a typical organization, it's starting to get interesting, right? You have your headquartered locations, you might have branch locations and branch offices, and you've gone from on-premise to cloud and you maybe have a mixture. It's a hybrid cloud environment. There may be multiple cloud accounts. And so we're trying to say, okay, how do we ensure that we can see what's happening across these different areas of our business?
And as time goes on, this gets even more interesting and challenging. We're building out regional locations, extending data centers of extending overseas, looking at manufacturing facilities, we're using multiple cloud accounts and multiple cloud environments. So it's multi-cloud hybrid cloud environment. So how do we ensure that we have visibility across all these areas we are operating in your business.
And certainly from a cloud perspective, specifically, when we think of infrastructures as service and the cloud providers, this is really, you know, table stakes to understand not only what the, you know, inventory of resources are, whether it's, you know, EC two compute your storage, like as three buckets, your identity and access management roles, that really kind of cover the keys to the kingdom. When you think about cloud environments to your Kubernetes, environments and resources, think about EKS, open search, your data stores like RDS and databases.
So having that visibility into the resources, but also the drivers of risks that those resources present. So the configurations and the misconfigurations in detail and how that impacts the risk that you're experiencing throughout your environment.
So this, this is, I would say table stakes from a cloud visibility standpoint. And this is just an example from, from AWS.
Now, this is a view of what this kind of visibility could look like when you're, when we're talking about cloud specifically, the ability to roll up and aggregate our cloud specific compute our container based environments, which can be interesting to manage given we can spin up and spin down quickly. Our data stores, our various services and understanding our lo our locations, our sites, our, our regions, where our, our information is held and where our resources are, are spun up and spun down.
And two other areas I'd like to highlight here, not only the visibility into our cloud inventory and, and resources, but on the right. You could see the context with respect to the additional assets that we have across our, our environments. So a perimeter versus our core are on-prem, you know, end user compute and storage and servers in addition to our cloud environments. And then you're see on the top, what's really core is then the ability to start to weave this into our view of risk.
For example, what is our breach risk, which is a combination of our likelihood of breach and our impact of a given breach at a very detailed level. So you start to see the need for all this to start to get plugged together.
And with a comprehensive view of inventory across your environment, you can then start to unify and, and kind of pivot regardless of where that those resources or that that asset inventory is.
So you can think about your different asset types, cloud storage, compute, you know, injures, your computering, networking, you know, your different operating systems, windows, Mac OS, so XX you Unix and Linux and your various locations and your sites. And you can think of this from a unified perspective across all of your assets, your cloud environments, your multi-cloud environments, your on-prem, your legacy, and not only having an overview so that the 10,000 foot view really important, because then you can say, okay, this is what I have to work with. I didn't even know that this was there.
I didn't even know that this environment existed. This is how many assets I have with this type of operating system or that type of operating system, but the details and be able to go into a very granular level is really, really important, cause that not only informs how you fix things and how you make configuration changes, but also your risk.
And so essentially what we're looking at is VALIC brings data in from all of your it security tools, your cloud environments in a streaming manner, and builds this unified asset inventory and cloud, and on-prem unified risk model.
So whether it's business context from your, your CMDB, like a service now, you know, data from your EDR tools like a CrowdStrike or trend micro vulnerability management scans, active directory information related to your organization, native information from your cloud and infrastructures and service environments, your software, bill materials, your service bill materials with this information, not only at the asset level, but also that granular information with respect to over 400 different attributes across these assets, you have system details, not only system details, but who's using it.
What's the software that's involved and installed. What if the controls in place, how are this discovered? What's our exposure? So this starts to give the, the very solid foundation for our asset inventory and making decisions about our asset inventory and ultimately feeding into our risk.
So what that very solid and unified asset inventory is our foundation. Then we can look at at risks or vulnerabilities. Now we prioritize and move forward from a remediation perspective. So if you think of what your attack surface really looks like, think of two axis.
So one axis is all the, all the assets and all this stuff within your environment, that we've just talked about, your on-prem, your cloud, your IOT, your OT, your end user compute, networking, storage, your apps, your devices, your users. Now the other access is all the ways that things go wrong from a cyber perspective, all your, all those attack, vectors and adversaries. You use all the vulnerabilities and these can cover misconfigurations, which are critical for the cloud environments.
You know, exposing your S3 buckets is, is a typical issue or identity access management overprivileged settings, but also credential issues like reuse passwords, trust relationships, which looks at how systems talk to each other via trust.
Then software vulnerabilities, individual components, obsolete software, etcetera. And so the, the combination of these two axes and gives you your attack surface. So it's important to have a very comprehensive and unified view that attack surface.
And then as a second step saying, okay, how do I prioritize those issues that I'm finding across my attack surface appropriately? And the important way to do this is based on a, using a risk based approach and a risk based approach needs to consider all those dimensions that are important here. And those dimensions include the severity of individual vulnerabilities and security weaknesses. What is the exposure to, to an adversary? How likely is an adversary to explore exploit these risks? What's the threat level, is my asset actually exposed to vulnerabilities or not?
Am I using the software or is it exposed the internet? Do I have mitigations or security controls deployed to protect these assets?
And then lastly, but maybe even most importantly is the business criticality, right? So what's the impact of a, a breach or ransomware attack on, on these assets or this asset. When you look at all these holistically, we can really make very good decisions for risk-based prioritization of what to address. And we can move on to responding and, and fixing issues that are found.
And an important element of this is being able to map the process of fixing and remediation to the organization. So we, we are showing here kind of a simple view of what an organization might look like or different business units, then different asset owners that are responsible for different it, assets on-prem or cloud, but also applications. And so you can start to gamify the whole process of addressing your risks, but making it very, very clear and quantified who owns what risks and vulnerabilities, what is a risk level?
How is it trending? Who's doing well, who needs help?
And this is how you, you can start to get on that very positive trajectory within your organization, but really enabling a culture change of responsibility and ownership and transparency then lastly, but perhaps most importantly is around how do we end up reporting risk aligned to the business? And we find that many organizations ultimately take, take a journey along this process.
You know, we've started with system visibility that visibility into, you know, that near real time asset inventory across your cloud on-prem environments, your hybrid environments, including system level details, software, bill materials, software components, users, system, settings, configurations that then enables appropriate risk discovery.
Like what are my vulnerabilities, my risk issues across which attack vectors can we feed this into the risk equation so that we're prioritizing our risk appropriately looking at the likelihood of our breach from a given attack, vector, looking at the impact of her breach of a given asset.
And then we start to move as an organization into an operational cadence of addressing issues appropriately focusing on the right things.
We can measure these using key metrics, like meantime to patch or meantime to remediate, how many remediations am I deploying each week, each month we start to get on this cadence. And then as we get more sophisticated, we're able to map the risk that we're seeing in the environment to our business. So what is my risk exposure in pounds in euros and dollars or in yen? How does that cost of a breach or that risk map to my business units, my geographies, my business owners, my, my vice presidents, my applications.
And then we can start to see how my risk is trending over time.
If I'm focusing in the right areas, I can view my quantified risk aligned in my business. How is it being reduced? How do I compare to my peers? Am I getting the return on my investment that I need, whether it's from tools or other security resources. And then we can start to have very sophisticated and confident conversations about our security posture maturity, and be able to report very confidently to the board and the C-suite. And then we can start to have conversations with these types of, of information and metrics. So being able to see the risk in a way that's aligned to my business.
So here we can, we can see the various business units of cloud business units, commerce, emerging, digital retail in millions of us dollars or euros or pounds.
And then how does that risk align to the various business owners and not only what is a risk, but be able to double click and see exactly what issues are in focus, which are highest priority. What do you have to do to fix it that gives full traceability end to end. And then lastly, how does risk map to our policies and our policies might be deployment of security controls across our environment. Are we consistent?
Are we, are we not consistent or might be patching SLAs? Are we meeting our patch SLAs for critical severity vulnerabilities that are exploited and have, have malware associated with them? Maybe that SLA is seven days or 15 days. Am I meeting, am I meeting that SLA? So these are the types of conversations we can have, which directly impact our business.
So to wrap up, we feel they are perspective from a BIC standpoint, is that building this unified cyber risk model, starting from a foundation of data, you know, near realtime data across your environment, covering your cloud, your on-prem, your hybrid environments, your multi-cloud environments, starting with asset inventory in a unified perspective is critical and foundational. So you have your starting point. Here's what I had to protect. I have clear visibility into it. I know how it's categorized. I know how it's classified.
Then I have unified visibility across the weaknesses and, and security vulnerabilities within my environment in a way that I can then prioritize in a truly risk based way that everyone can understand and get behind and clearly fix issues with clear ownership and then report in a way that maps my business.
So I'm not trying to talk about, you know, technical bits and bites when I'm talking to the board or the C-suite or business leaders, I'm actually speaking in a language that we can all understand and then things get better in a very clear and quantified way that, that, that helps across a whole organization.
Thank you very much, Chris. So before we, we, we move on to the Q and a, we've got another final poll. So perhaps we can start this poll please. How do you measure hybrid multicloud risks in your organization?
And do you use qualitative assessments based on, for example, ISO 27,005, do you do quantitative approach such as fair? Do you use maturity models or are you using a CSP tool, cloud security posture management tool, or is it a GRC tool?
So please, will you let us know what your approach to this is?
Okay. Thank you. Thank you very much for that. So now we can move on to the Q and a, and it's interesting, perhaps I, I, I think I should be able to share the result of that lust pole. So here you can see the results of what people are doing. And interestingly, it's kind of a fair split between qualitative as qualitative assessments and using CSP tools and following that it's GRC tools.
So this, this is an interesting perspective because GRC tools don't really usually give you that kind of detailed insight that we would see what, what's your opinion on this, Chris?
Yeah, I would agree with you, Mike.
I think GRC tools have been kind of grown up and deployed in an environment that is important in terms of trying to be comprehensive across the risk that a, an organization might face and certainly from an it, and sec and cybersecurity perspective being part of that, the challenge has been, as you mentioned, is there enough detail visible within the GRC tool to actually know what's happening operationally with your business? And is there a linkage to the underlying telemetry of how things have evolved since that risk was entered in your GRC tool maybe weeks or months ago?
So it can be, it'd be, I would say difficult to, to keep such a kinda scenario updated where you're trying to measure your risk on an ongoing basis using only GRC approaches, because you'll tend to be somewhat divorced from the actual underlying reality of your, your environment.
Yeah. Yeah. That's that, that's, that's an interesting perspective. And that's my perspective as well, that most of the GRC tools are really quite long winded in, in that they collect information and really just sort of their presentation.
And they have a database that says you have a control, but are not very good at having an up to date detailed view. So that's an interesting perspective of what people are doing. So the interesting thing though, is given that, is it really complex to use your tool because you've got, you've got such a lot of stuff coming in, it sounds like it might be a bit difficult to, to make it work
Well, I'd say it's actually the, the opposite.
I mean, really we've spent a tremendous amount of kind of effort and development investment to ensure that it actually becomes a straightforward process when we've talked about the starting point of a unified asset inventory and unified risk model. When we have that as a starting point, then it becomes, you know, a little bit more agnostic in terms of where we're pulling information from, right? Whether that's from on premise tools, your legacy systems, it tools, security tools, cloud, you know, given cloud, you know, cloud native APIs, et cetera.
When you're, when what you're populating is a unified, generalized asset and risk model, you don't really have to worry as much about where the data comes from, right? As long as you're able to populate that model with, you know, enough detail and enough fidelity, then you drive the use cases that you're looking for.
So that's, that's really been, our focus is to make it as easy as possible and clearly an important part of that operationally is making sure that there's a scalable platform underneath is a scalable connector framework underneath. So it becomes more of a, you know, point, point and click here's my data source. Here's my wide variety of attributes that we can support and flexibly map those for whatever data source that you have. And then we don't have to worry so much about what the specific data source is.
Yeah. Very good. Very good.
Now, interestingly, there was a, the, that just raised a question, which is how do you normalize your asset inventory? What tool do you rely on as the truth in inverted commerce?
Yes. So I'd say there's a, there's a couple angles to that. It's a very interesting question.
So on one, one hand, when we think about data sources, data sources bring different levels of visibility into your environment and they, they bring their own perspectives. One, one source might have excellent visibility into your asset and your business context, but maybe not very good visibility into your current patch level of your operating system or your software stack. Another tool might have excellent visibility in your software bill, bill of materials, limited business context, and maybe a limited view of your vulnerabilities.
Another tool might have very detailed view of vulnerabilities within your container environment or your servers or networking, but limited elsewhere. So what we do is we essentially look at what is the data fidelity that we're getting from each particular source and ensuring that where we see strong data fidelity, we use that to populate the model, right?
So that, okay. Ultimately the data model itself becomes very high fidelity across, across the board top to bottom
Because you are using the best, the most accurate information sources.
Yeah, very good.
Obviously what we're we're doing is looking to triangulate right across all the different signals that you have within your environment. It's asset signal, there's risk signal, vulnerability signal signal about your, your controls. And so being able to make sense of that is really kind of the, kind of a core, core value proposition of what we're doing.
Yeah.
Another, another aspect is the, the end consumer of, of this information and there are lots of different end consumers. So one of the questions that's come from here is do you leverage the might attack framework for attack vectors?
So
Yes, yes we do. So if you think about pulling all this information together, right, so you have an asset that could be on-prem or in the cloud, it might be your compute asset. That asset has a vulnerability. That asset has a certain amount of exposure that might be exposed across the network or not, or exposed externally or not that vulnerability, that specific instance of the vulnerability on that asset can be exploited in certain ways by adversary. And we think about, you know, the TTPs and we think about the specifics from a minor attack framework standpoint.
Now on that asset, you might have a control and that control may have strong efficacy against certain tactics and techniques for detection and protection that control might have limited efficacy across other tactics and techniques. So the key is to really put all this together so that we're understanding the vulnerability on a given asset.
The control on that, that is applied to that asset, how effective it is across various techniques and tactics that could be used to exploit that specific vulnerability.
And then you can get a really clear view of what your risk is due to that specific instance of a vulnerability. It gets to that level of detail. And that's, that's certainly where the, the minor attack framework comes in and other frameworks can be leveraged as well. But getting to that level of detail is really key because you're able to correlate across all these different elements that I just talked about to make a really clear decision about your level of risk.
Yeah.
And that, that's interesting because this is quite a unique sort of functionality that you're providing here, because it's fairly common that auditors go in and say, show me that your controls exist. Yes. And that's one thing, then it's another thing to say, is it actually operational?
Exactly. Is it operational,
Which is, which is going above, but doesn't really say that it's effective and, and that effectiveness is dependent upon the particular threat and the particular location.
Is it effective to the actual vulnerabilities where we are actually in our environment and the threats that are actually bargaining us?
So an awful lot of, you know, sort of companies that say how well we've got risk under control, we are compliant. It's really just based on an order to report, which says two years ago, we looked and you had these controls and they were operational.
Exactly.
And think of the difference, think of the, think of on one hand, being able, you know, mapping your risk and, and control status and saying, we have CrowdStrike, we have an EDR, that's our corporate stand that's on one hand, but then imagine understanding is CrowdStrike deployed across all my systems or not. I I've deployed across 72% of my systems on those systems that's deployed. It is actually enabled or not enabled on those systems where it's enabled, what is the efficacy of that particular control against a vulnerabilities that are actually exposed on those actual assets.
So you see the difference it's it's like, oh
Yeah, yeah, it's nice, indeed. And, and that's, that's the point, isn't it that you're you're you are doing that. And so in that respect, you can provide an input that is useful for sorry, a display, an output, which can be consumed by lots of different people. It can be consumed by the person that's responsible for cloud strike, but in just the same way, the risks can be aggregated up against the framework to say, well, this is our posture against, you know, whatever the framework is you're interested in.
Correct.
And, and that's really important because when you have this model, as the core, the asset and risk model, it's important to enable the different consumers of that information to have the views that they need. The senior people need high level views, map to risk in dollars and cents and pounds and euros in a way that maps, their organizations auditors need to understand how are my controls being deployed and are those effective operational teams need to understand for that?
I don't care about the full environment for the environment, in my scope, my assets, or my applications, what are the important things I need to fix? And what are the precise fixes I need to deploy most efficiently to address it. These all come out of the same unified risk model, but they're very different perspectives to enable the different users to get their job done. And that's, that's really important.
Yeah. So another point that organizations often make is they say, oh, well, we, we, we are running AWS and we've got really good tools on AWS and that's what we're going to use.
So let me just share the response about the environments that people are faced with. The interesting thing here is that 54% of the people that were watching this said that they were using cloud services from multiple providers.
And that, that, that means that the problem is not whether you have a good tool for environment a or environment B it's. How can you manage this complex multi-cloud environment?
Exactly.
I mean, what this data is highlighting is that the listeners here are hybrid multi-cloud. And so think about the, as you mentioned, the complexity of trying to manage this with the different tools, the different views, how do you pull all that together in a way that makes sense? It's very difficult, very challenging.
I mean, if you say I'm gonna increase my team size to try to handle this, put more, more bodies on it, right. To make sure they have eyes on glass and multiple tools or pulling this together, you know, consolidating it, correlating it, it doesn't really scale very well, and it doesn't handle change very well.
So that's, that's really the nature of the challenge that most of our, our customers and enterprises that we're talking to, you know, globally are, are being faced with. If you don't have that unified view, you're, you're chasing chasing many tools and it, it relies on the team to stitch that together manually.
It's it's, it's painful.
Yeah. Now I've got a couple more questions that have come in and do you require asset values to be added, to determine the risk exposure that's so
We, yeah, so we have a flexible approach. So BICS automatically categorize and classify as the, the assets that we discover across the environment on a relative basis first. So we can say, okay, this looks like a server. It's a fingerprint of a server. We can see it's actually domain controller. Okay. You have a production domain controller.
That's a key asset because if it's, if it's breached, then those are kind of the keys that the kingdom, that's more important than, you know, a general, you know, endpoint device or laptop that is maybe used in the reception area. And so we can see that and automatically rank the impact of those assets across your organization, without any input from the, from the company. But then when we do want to make sure that we're mapping to the business, we can take inputs at different levels, either at the overall organization.
Let's say if, if I had a massive breach, my overall organization was an environment was compromised. The cost of that breach, we maybe have done some analysis is, you know, 500 million pounds. VALIC also provides guidance tools. So we've analyzed thousands of data breaches globally across different size organizations. And with some simple parameters like size of your organization, your revenue head count location, we basically can provide guidance in terms of what that overall breach impact is very likely to be, but you can, you can adjust it.
And then we provide the ability for our customers to then tweak that and say, I can apply these impacts from a monetary perspective at a business unit, a business group, an application level, a business owner level, or even at the individual asset, to the extent that you have additional information. So either we can allocate it for you based on the automated ranking we've done, or the company can, when data's available, put those, you know, enter those business impacts and use those as inputs to the system.
Okay. The questions are still coming in. So there's another question here.
What size organization is your tool best fit for?
So I would say when you start to see some complexity in the environment, it's, it's a good fit for ALX. And that comes from, I'd say, medium size organizations.
You know, you might have, you know, a couple of thousand assets, you know, might have a couple hundred employees that might be on the, on the lower end, where you start to have some complexity in your environment. You might be using multi, multiple cloud accounts. You might have multiple on-premise environments all the way up to the fortune hundred and the fortune 10, where you have millions of assets, dozens, and dozens of tools and different compliance and policy regimes that you have to have to handle.
So I say, so we, we span those in those areas and across different verticals, cuz honestly we see this very similar challenges, whether it's manufacturing, technology, financial services, insurance, healthcare, pharma, it's, it's very consistent challenges. The assets look different, but the challenges are, are equivalent.
Yeah. And there is another question which interestingly takes it right back to the beginning, which is that we talked about flexibility in dev SecOps and so forth.
So is, is the tool suitable for, for, for, just for production environments or will it work in systems under test and so forth?
So our customers gen generally we use Bix across their environments, whether what's looking at production QA test, it doesn't matter. So exposure from an adversary can come from any part of your environment, your production environment or a non-production environment. So our view is that your coverage should reflect that and should be as comprehensive as and complete as possible.
Very good. Very good.
So I think we're coming to the top of the hour, so it's coming to the end. So are there any lust words that you would like to say Chris, before we finish?
Yeah, I would just say you've taken a very important first step and, and trying to understand how to, can I make your cyber risk journey better and we're happy to follow up and explain, you know, more of the benefits of that unified cyber risk approach for any of that would wanna reach out.
Lovely.
Well, thank you very much, Chris, for your very interesting presentation and the details of your tool and very, very many thanks to all the participants who paid attention and listened throughout this, this, this webinar. So with that, I'll say thank you very much and good evening to you all. And thank you. Bye-bye bye. Bye.
