Push Button Automated Risk Assessment and Reporting
Systems that face cyber and other threats demand a solution capable of understanding their enormity and complexity, visualizing attack options, assessing vulnerabilities and facilitating decision-making, including those related to investment into appropriate security controls.
Understanding, assessing and managing risks of such systems is currently a laborious, costly and challenging task.
As a result, assessments are often not systematic and comprehensive, leaving the systems vulnerable to multi-stage cyber-attacks, with the potential to wreak havoc in government, industrial, commercial and private domains regionally, nationally and globally.
An Easy To Use Pushbutton Solution
The good news is that there is an easy to use pushbutton solution that automatically provides an accurate risk assessment and generates the associated documentation needed to communicate properly among all stakeholders.
This solution is easy to learn and understand in just a couple of hours. It allows you to intuitively group the results of the risk analysis based on the selected criteria, resulting in the ability to more quickly address prioritized vulnerabilities in your architecture, be it for a system, a system of systems, or an organization. You can customize the solution to meet your domain specific requirements, thereby maximizing your results. Sleep better at night knowing that your risk is under control, your documentation, and compliance requirements have been met.
Cameo Risk Manager addresses this capability gap by providing a fully automated pushbutton risk analysis when enterprise architecture views (e.g. DoDAF/DNDAF/ UPDM) of the cyber system are supplied. Cameo Risk Manager provides the ability to modify and/or add to the DoDAF model elements. Our easy-to-use operational model element editors provide add, delete, and modification capabilities to ensure a complete and comprehensive model is analyzed. So, even without a DODAF/UPDM model Cameo Risk Manager allows easy manual input of operational data that will be leveraged for analyzing risks.
The analysis includes identification of multi-stage attacks and application vulnerabilities to produce:
- quantitative inherent risk
- risk distribution by components, business assets, and threats
- list of identified associated vulnerabilities
The resultant outcome is used to calculate the optimal controls to assist in identifying system security requirements and mitigations.
Furthermore, a targeted "bottom-up vulnerability assessment" can now be performed which evaluates the riskiest component(s) against vulnerabilities, enabling more effective resource allocation and prioritization. As such, the solution is effective on "as-is" systems currently in operation, as well as pre-operational and/or envisaged "to-be" systems, including upgrades and enhancements planned for the future, making cyber systems more resilient and secure.
Ensuring a High Level of Confidence
To ensure high-level confidence in the resulting risk assessment outcome, the provided architecture views (e.g. DoDAF/DNDAF/UPDM) are analyzed in order to assign a "fitness for purpose" score that feeds directly into the confidence rating. Scoring of the architecture models is based upon the Assurance Case compliant with ISO/IEC 15026 standard. Questions for which Cameo Risk Manager provides answers include:
- Is your DoDAF/UPDM Architecture Complete?
- How do I score?
- Where are my risks?
- What is the riskiest component?
- What are the vulnerabilities associated with the riskiest component?
This automated analytics provides valuable feedback to the authors of the model, even when the model is not fully suitable (e.g. incomplete, etc.). Some facts can still be extracted and can serve as a gate for the approval of the DoDAF model.
Model Scoring Factors: Navigating the Seven Cs
Scoring of system designs done in the form of DoDAF/UPDM models, are applied in providing unparalleled automated assurance of your model's "fitness for purpose".
- Correctness (i.e., adheres to the syntax and semantics of the language (UPDM) specification(s))
- Completeness (i.e., concepts, components and constructs are present throughout the viewpoints – cross-compartmental)
- Consistency (i.e., naming, typing, and usage across the multiple architectural viewpoints)
- Conservation (i.e., data sources and sinks (aka producers and consumers))
- Causality (i.e., sources (events) and sinks ((direct) effects) (behavioral))
- Correlation (i.e., anything (source) that affects an effect (sink) is a factor of that effect (indirect effects))
- Compartmentalization (i.e., the degree to which a system's components may be separated and recombined (coherence – logical and orderly and consistent relation of parts within and between viewpoints, coupling and cohesion, and reusability)). The DoD preferred approach for implementation of open systems previously called Modular Open Systems Approach (MOSA), is now called Open Systems Architecture (OSA).
- Quick and accurate risk analysis
- Timely response to change
- Enables delta re-certification
- Assists in informed & overall better decision making process