Introduction
This article will provide detailed information about risk assessment.
What is Risk?
In cybersecurity, risk is a measure derived from the probability that an attack occurs and the magnitude of the damage that attack can cause. Risk is generally calculated with the following formula: Risk = Consequences x Probability.
The concept of "Consequences" expresses the potential impact of an attack. This impact can manifest in many ways, such as data loss, service interruption, material damage, reputation damage, or legal sanctions.
"Probability" is the likelihood of an attack occurring. It varies with factors such as the capabilities of the attackers, weaknesses in the system, and the quality of the security measures in place.
By performing a risk analysis, an organization can determine what kind of threats it faces and take appropriate security measures to minimize risks. Risk management in cybersecurity requires continuous monitoring and updating of threats, risks, and security measures.
Risk Scoring
Logsign Unified SecOps Platform uses many techniques to transform collected data into actionable results. Data merging, asset and user behavior analysis, and profile creation are among these techniques.
The platform is designed to be fully integrated with the Asset, Alert, and Event Management mechanisms. Risk Scoring produces a numerical result tied to the criticality levels of assets and the priority levels of alerts. This numerical result makes events easier to prioritize and interpret. Information such as user events, user behaviors, and the location of users in the network combine into a meaningful result.
Below is a drawing that explains how risk scoring works.
Risk calculation takes many factors into account, such as behavior analysis, static rules, and the criticality level of the assets related to the events. As these factors are combined, the risk score calculation expands.
In the Severity and Criticality Weight stage shown in the image above, matches from your alarm rules, behaviors, or lists are scored with a special formula that applies risk coefficients determined by the criticality levels of the related assets and users and by the severity level of the related logs. The results are presented to the user in an easy-to-understand format.
Logsign's Risk Mechanism and General Architecture
Risk Level Management
Risk levels are directly affected by alert priorities and asset criticality. Changing these values affects risk scoring.
You can follow the steps below to apply the actions.
You can examine the following steps to process them collectively.
Let's explain risk scoring with an example.
In case A, you have a service account that continuously logs in successfully outside working hours, and it has triggered the alarm 35,200 times within 24 hours.
In case B, one of your servers has reached a malicious destination, triggering alarms in 2 different categories, and has transmitted more than 1 GB of data within an hour.
Case A has a very large number of alarm triggers, but according to the risk score it is not an important situation.
Case B has only 8 alarm triggers, but according to the risk score it is a situation that requires prompt action and precautions.
The difference in scoring between cases A and B comes from the alarm findings themselves: reaching a malicious destination, and matching multiple behavior lists, raise the priority of case B far above the sheer volume of case A.
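The scoring behaviour described above can be made concrete with a small model. The following Python is an added example, not code from the original page or from Logsign: the coefficient tables, the band thresholds, the logarithmic treatment of repeated triggers and the correlation multipliers are all assumptions chosen to reproduce the A-versus-B outcome, since the page describes the platform's formula only as "special". The asset names, alert categories and behavior-list names are constructed sample values.

```python
from __future__ import annotations

import math
from dataclasses import dataclass, field

# Hypothetical coefficient tables, constructed for this example. The page
# describes Logsign's formula only as "special", so these values are
# assumptions, not the platform's real coefficients.
ASSET_CRITICALITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0, "critical": 8.0}
ALERT_PRIORITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 4.0, "critical": 8.0}
RISK_BANDS = [(10.0, "low"), (50.0, "medium"), (100.0, "high")]  # upper bounds, assumed


@dataclass(frozen=True)
class Alert:
    category: str                # alarm rule category, e.g. "authentication"
    priority: str                # alert priority level set on the alarm rule
    count: int                   # number of triggers inside the time window
    behavior_lists: frozenset[str] = frozenset()  # behavior lists the alert matched


@dataclass
class Asset:
    name: str
    criticality: str             # asset criticality level from asset management
    alerts: list[Alert] = field(default_factory=list)


def alert_score(alert: Alert, asset_weight: float) -> float:
    """Severity-and-criticality weight for one alert.

    Repetition is scored logarithmically: the 35,000th identical trigger
    carries almost no new information, so raw volume must not dominate.
    """
    volume = 1.0 + math.log10(alert.count)
    return ALERT_PRIORITY_WEIGHT[alert.priority] * asset_weight * volume


def risk_score(asset: Asset) -> float:
    """Combine per-alert weights with correlation multipliers into one score."""
    asset_weight = ASSET_CRITICALITY_WEIGHT[asset.criticality]
    base = sum(alert_score(a, asset_weight) for a in asset.alerts)
    categories = {a.category for a in asset.alerts}
    lists = set().union(*(a.behavior_lists for a in asset.alerts))
    # Alarms from several categories, and hits on behavior lists, each raise
    # the score multiplicatively: they indicate corroborated activity rather
    # than a single noisy rule firing repeatedly.
    correlation = 1.0 + 0.5 * max(len(categories) - 1, 0)
    behavior = 1.0 + 0.75 * len(lists)
    return round(base * correlation * behavior, 1)


def risk_level(score: float) -> str:
    """Map a numeric score onto the hypothetical bands above."""
    for upper, label in RISK_BANDS:
        if score < upper:
            return label
    return "critical"


def total_triggers(asset: Asset) -> int:
    return sum(a.count for a in asset.alerts)


def case_a() -> Asset:
    # Service account: one low-priority rule firing 35,200 times in 24 hours.
    return Asset("svc-backup", "low", [
        Alert("authentication", "low", 35_200),
    ])


def case_b() -> Asset:
    # Server reaching a malicious destination and moving >1 GB in an hour:
    # two alarm categories, 8 triggers in total, two behavior-list matches.
    return Asset("app-server-01", "high", [
        Alert("network", "high", 6, frozenset({"malicious_destination"})),
        Alert("data_transfer", "medium", 2, frozenset({"large_outbound_transfer"})),
    ])


if __name__ == "__main__":
    for asset in (case_a(), case_b()):
        score = risk_score(asset)
        print(f"{asset.name}: {total_triggers(asset)} triggers, "
              f"score {score}, level {risk_level(score)}")
```

Running the module prints a score of roughly 5.5 ("low") for the service account and roughly 146 ("critical") for the server, even though the former fired more than four thousand times as often. The design point is that asset criticality, alert priority, cross-category correlation and behavior-list matches are what move the score, while repetition of a single rule saturates quickly; any real deployment should tune the weights and bands against its own asset inventory and alarm rules.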