
Watch TC Risk Quantifier Demo: A Comprehensive Risk Management Solution

Cyber Risk Quantification dashboard in RQ demo video

Understanding Cyber Risk Quantification with ThreatConnect’s Risk Quantifier


Tim Wynkoop:
So we want to be able to show you our Risk Quantifier product. The goal of this product is really just to help you report risk, and we’re gonna use this terminology: from the board to the byte. Right? So we wanna be able to help you report risk for your various audiences. So we’re gonna dig a little bit deeper into that and talk about how we go about doing that. We’re gonna start right in the middle, for maybe your CISO audience. Right? Because these are the types of people that need to understand what their risks are, but then also what to do about it. So when you go into the platform, this is where we’re able to show you, if you had, for example, a data breach over your customer management system, let’s say, how much risk exposure you’re gonna have if that happens. We also tell you the likelihood or the probability of this particular type of attack happening within your environment specifically. And then we also tell you how frequently that will happen. And I know you may be asking where we get this data from. Right? So this is where we are able to pull in our over forty years’ worth of industry data. And that’s a global dataset. Right? We get that from a variety of different sources, but what we do is we allow you to give us the context. Right? So we allow you to place your information on top of our loss models. Throughout everything in here, we want to take what we call the critique-versus-create approach. Right? We wanna allow you to critique the data instead of saying, well, where do I get this data, or generating that data for yourself. So that’s another aspect of the platform. But as I mentioned, the goal is to help report your risks all the way from the very top to the very bottom.
So the next piece of that puzzle is being able to say, okay, you now show me what my risks are. What’s that next step? What can we do about that? Well, that’s where the platform will actually provide you automatic recommendations. So for example, this is a sample NIST CSF assessment. The platform shows you, if you were able to improve your maturity from a level two to a level three, what would that look like? And we give you a couple of different views into that. One is from the attack perspective. So if you wanna look at it from a data breach, what are some of those things that you could put into place to reduce your risk from a data breach? We also give you the view into your control environment, and this is agnostic of any individual application, agnostic of any individual attack. Right? And so we show you how much risk reduction opportunity there would be. And then finally, one of the most powerful aspects is being able to say, well, how much is that gonna cost you? Right? This is where you’re able to say, hey, look, this is gonna cost us x amount, and therefore you can make that decision, or you can inform that decision maker to say, here are your options to potentially reduce this risk. What do you wanna do about it? Do you wanna make this improvement or that improvement? Which one is gonna provide that better return on investment or return on security spend? Now, again, taking that next layer. Right? So the first layer is saying, hey, here’s what your risks are, here’s what you can do about it from a high-level perspective. The next aspect is, well, what are some specific things you can fix? Right? So if you give it to us, we can actually take it a step further and tie in your vulnerability scans. And what we’re able to do is help you prioritize your vulnerabilities by financial exposure.
Now, we’re not going out and actively scanning your environment. Right? You don’t have to buy another tool or another add-on just to do this. Right? We actually fit into your existing security stack. So if you have Tenable, Rapid7, Qualys, it doesn’t matter what the vulnerability scanner is, we’re able to help augment those results that you get. So instead of you seeing that you have three different critical vulnerabilities and struggling to determine which critical is more critical than the other critical, right, we’re actually able to tell you, look, here’s how much risk exposure you have to this individual vulnerability. Now, that could be because it’s on multiple endpoints. It could be because it’s on multiple applications, as well as it being exploitable in the wild. Right? So it’s meant to help augment that data that you are getting from the best-in-class vulnerability scanners in this particular example. Now, again, the goal is to be able to report risk from the board to the byte. Well, the next piece of that is, well, what are the specific endpoints? Right? So if you have that mapped down to the endpoint level, we can actually tell you, hey, you should patch these individual endpoints first because those are the ones that are posing the most risk to your organization. Right? So it helps you really get as deep into the weeds as you would like. Now, just like any other risk quantification platform, one thing that we also like to do, especially when you’re trying to report on your risks, is what can you do about it? So we have a couple of different ways to look at that. We have an entire section that allows you to do what we call a what-if analysis. Right? So, for example, what if you change your controls for a particular application? Now notice I didn’t say improve your controls. Right?
You can do that, but this also allows you to say, well, what happens if we decide to reduce our spend on a particular control? How is that gonna change your risk? Right? It helps to inform your decision as far as, is this an acceptable delta? Right? Is this an acceptable change, either positive or negative? Now, we also recognize that your environment is dynamic. Right? Things are changing. So, therefore, maybe you’re noticing an increase or decrease in the rate of incidents for your particular applications, for your attacks. You can run a what-if on that without it actually affecting your overall risk calculation unless you want it to. Now, one thing I didn’t mention earlier is our platform actually has three different models for calculating risk. So I’ll come back to the scenarios here, but just to show you what those three different models are. One is our machine learning model. Right? This is really the easy button when it comes to risk. It leverages our machine learning as well as our industry data and allows you to put in some context behind that. Now, we are also part of the Open Group, so therefore we do support the use of the FAIR model for those of you that are familiar with it. But for those of you that aren’t, it’s basically the probable frequency and probable magnitude of future loss. It basically allows you to run a Monte Carlo simulation on your data. So it requires you to input the data that you want, minimum, maximum, and most likely, on both the frequency side and the magnitude side, and you can run those calculations. And then the third model that we have is actually something we call semi-automated FAIR. So this allows you to leverage our machine learning attack-based models, or attack path modeling, as well as our industry loss data in a FAIR analysis and run those Monte Carlo simulations. Right? So these are the different types of analysis.
And, again, we allow you to do as many as you would like from that perspective. Now, again, going back to that reporting aspect. Right? So some organizations wanna be able to report their analysis via FAIR. Others want to do specific what-ifs. Others wanna ask the question of, well, how much risk do I have to my PII, or personally identifiable information? Right? You’re able to run a what-if directly on that. Again, it allows it to be done very quickly. So not just being able to report from the board to the byte, but also allowing you to look at very specific things and answer very specific questions that you may be getting asked by your stakeholders. Now, I don’t know if many of you were on our last conversation that we had around our RQ, but some new functionality we just launched within the platform is actually taking it one layer deeper. Right? So we talked about how we can take a high-level approach. You start maybe talking from the board. You may be able to show, hey, here’s what your risk is, here’s what you can do about it. But we also want to allow you to take a risk-led approach to your threats, which is why we also allow you to work down at the MITRE ATT&CK level. Right? So you can get very in the weeds. Again, you don’t have to, but if your organization has very specific things that you wanna look at, you’re able to do that. So what you’re able to do is, instead of you defining all of this information, you just tell us what’s the thing of value, what’s the thing at risk, what is the attacker group, what’s the capability of that attacker group. And then we allow you to do one of two things. We allow you to say, hey, we are worried about these individual MITRE tactics and techniques, and you can choose yours. Or you can actually leverage our historical dataset as well. Right?
So we do have historical attacks from a MITRE perspective that allow you to automatically select this. However, we do have other organizations that may have very mature threat intel operations. So you may be looking at very specific groups like Midnight Blizzard or APT27, or insert whatever threat actor group you would like. Right? And you’ve done your research as far as these are the individual techniques or tactics that they’re using. So, again, you can choose your own as well. And then the last piece of this is we allow you to say, okay, well, what defenses do you have in place? And, again, if you enable this and if you allow us to, you can actually tie in your existing security stack. Again, we are not going out and actively scanning your environment. We don’t require you to put agents on your computers and look at various things. Right? We’ll tie in with your EDR tools, with your CrowdStrike, Defender, your vulnerability scanners, whatever security stack you are using. So it allows you to leverage the best in class from the security toolset perspective and tie that into our RQ. And what it will do is it enables the platform to say, hey, here are some specific observations about your environment, and then also, here’s the coverage of those particular controls. So for example, your antivirus or anti-malware is fully enabled and up to date. Those are things that can physically be observed within your environment using your security stack. So it’s able to show you, hey, here’s what that looks like. And, therefore, these are the things that could potentially prevent an attack from happening. Now, this is where we give you a variety of different ways of ingesting or consuming that data. One is allowing you to say, okay, well, from the ATT&CK Navigator perspective, which are my individual techniques and tactics?
Which ones should I be focusing on as an organization? Whether that be under the responsibility of the risk team to say, hey, look, we need to focus here. Or maybe it’s your CTI team or your threat intel teams, right, or your threat defense, as far as trying to determine where we need to focus our efforts. Right? So we give you this view, as well as taking it a step further and allowing you to say, okay, what are the biggest areas from a techniques and tactics perspective? Right? Which one’s posing the most risk? So we’re actually able to tell you. So, for example, if this was Midnight Blizzard, as an example, right, we are able to tell you which are the tactics and techniques that you’re most susceptible to within your organization based upon your controls. But, again, we don’t just stop there. We take it a step further. We actually tell you what are the toggles, what are the triggers that you can turn on or off within your environment to reduce your risk. And you’re able to see that very quickly and see what that risk reduction would be. Now, again, our goal is to enable you to communicate at whatever level you are trying to, whether that be very in the weeds and you’re trying to talk to your vulnerability management team, whether you’re talking to your application owners, whether you’re talking to your CISO, whether you are the CISO and you’re trying to talk to the board, and you’re trying to help them understand how much risk exposure, what should they do about this, is it an acceptable amount of risk. So that’s where we also give you a lot of other reporting. One of those is actually a quantitative heat map. Now, I know some of you are maybe thinking, well, heat maps are terrible. Right? You’re right, in general. Right? But they can be done, and they can be used in an effective way in which to communicate your risks, especially as you go higher up the chain.
What this allows you to do is, instead of you deciding where the dots go in your typical heat map, the platform will actually map that for you. Right? It’ll actually say, look, based on the parameters you set, here are our thresholds for each one of the various levels, and, oh, look, here are the ones that are posing the most risk to your organization. So therefore, dig deeper into that one. Now, some organizations also, and you may be one of them, like to, or you’re maybe just starting out with risk quantification, right, and you’re like, well, we still need to report qualitatively. We give you the ability to report that very same heat map in qualitative terms. So it allows you to bridge that gap between qualitative and quantitative in a very defensible fashion. Now, we also, as I mentioned, give you ways of breaking that down so that you’re able to say, hey, my incident response team, here’s how much we’re spending from a remediation perspective. Right? Does this track with what we’re actually seeing? What do we need to do? Alright, legal team, here’s what we can forecast our losses are gonna be. Right? What can we do about this? And we also give you the ability. There’s a lot of different things that you can do within the platform. And one of those is actually, if maybe you’re a more mature organization, and you’re like, hey, this is great, but we wanna use our own data. We have some of our own pieces that we think are better than yours. Right? We allow you to edit every single data point within the platform, as well as add some of your own formulas in there, whether that be a formula for reputation damage. Right? I know that’s a hot topic for a lot of organizations. So you’re able to actually say a plus b equals c, put that into the model, and see where that fits in our overall risk perspective.
And as I mentioned, we give you the ability to edit every single data point within the platform. So, therefore, again, if you’re trying to contextualize this as much as you can for your organization, you can get in there and do that. Right? It allows you to improve that communication and then enables you to say, look, this is based on our data. Right? That adds that defensibility into your overall analysis. Now, again, because communicating throughout the entire organization is important, you may not wanna give just flat access to the platform. What we’ve seen a lot of customers do is say, hey, I wanna be able to get this data out of the platform. What does that look like? Right? So you’re actually able to get every single data point out of the platform as well. So that allows you to push it back into maybe a GRC platform or your own dashboarding, whether you want to use Power BI or Tableau. Right? We also give you the ability, if you want to give them access to the platform, for them to choose what’s most relevant for them. Right? We widgetize, and a very technical term there, the dashboard to say, hey, here are the things that you care about. Great. You can have that view just for yourself. And, again, as risk tends to be not just your insiders, right, your first-party risk, we also give you the ability to, again, tie in your existing security stack and measure your third parties. We give you an entire section that allows you to carve out your third parties and say, hey, third-party risk management team, what does our risk look like? We have existing integrations with third-party partners like SecurityScorecard, your BitSight, your Ionix, right, UpGuard, any of those. So instead of you defining, hey, what controls do we have in place? You can take that scan and say, hey, look, here’s the scan for SAP. Right? What can we do about it? Should we bring this vendor on? Right?
The whole goal is to enable those decisions, enable informed decisions throughout your organization. Now, in addition, as you start presenting some of these, you may get the defensibility aspect. Right? We have an entire section that talks about how we go about breaking down losses. How do we go about calculating that probability of success? Do we back-test the model? And the answer is yes, we do. So it’s not a black box. We try and make sure we give you enough information to communicate what you need to within your organization at whatever level, whether you’re talking to the board or all the way down to your tactical teams that are actually fixing some of the challenges or implementing some of those controls. Now, as your organization grows, right, you may also want to report risk across your environment. This is where we’re able to actually say, hey, what does your large organization look like? Maybe you wanna break this down by geographic region. That’s how you’re reporting on risk. Or maybe you have different companies underneath yours, and each company is responsible for fixing their own things. We give you what we call a portfolio view, allowing you to look across your, quote unquote, legal entities or lines of business or whatever you wanna define that as. Right? And so it allows you to have that view in a very consistent fashion. Now, we can get into the details of how you put everything in here, but the whole purpose of this conversation is to show you what you can do from the board to the byte and how you go about reporting on that. So I will open it up to questions to you all, but let me go ahead and answer some of the questions that we typically get around risk quantification. Right? How do you do it? Well, the first piece of information we ask for is what industry you’re in, what’s your size from a revenue perspective, and location.
Those are all important factors because a manufacturing company is different than a financial services company. And more specifically, a manufacturing company or a financial services company in the US is different than what it would be in the EU or maybe other locations as well. Right? So we’re telling the platform what type of context to apply to the scenarios in which you’re running. We also get questions around, well, how do I account for my controls? What if I’m using the NIST CSF or the CIS control frameworks? Absolutely. We support the use of any control framework that you can imagine. Right? Obviously, we have all the ones out of the box, but we can also support custom control frameworks as well. So maybe you’re using a mixture of a variety of different frameworks. We can get that as an option for you within the platform. Another thing is from an integrations perspective: what do you integrate with? Well, as I mentioned, we will integrate with whatever systems you have. And if there’s a particular integration that you want that we don’t have, we have a very great feedback process to say, hey, we would like this integration, here’s what we wanna get. So it’s not a matter of can we integrate with it. It’s a matter of what information do you wanna pull from there. And then, really, other than that, there’s a variety of different questions as far as what can you do about this? What does the support look like? Number of users? Right? We try and make everything very simple for you. We don’t like the feature gating. We don’t like you getting stuck within the platform and saying, I can’t do what I’m trying to do. Right? We give you full access to the platform. So we don’t feature gate anything within the platform. And then we also don’t limit you on the number of users as well. Right?
So these are all things that you’re able to just get the value out of in a way that makes sense for your organization. And then, lastly, as I mentioned, if you want to also just ask specific things. Right? Maybe you want to be able to answer some questions like, how much cyber insurance do I need? Right? We don’t need to get very detailed on that. We actually have an entire section within the platform that allows you to ask three simple questions. What industry are you in? What’s your size? And do you have data? Right? And then we’re able to apply that to our loss models to help you answer the question of, well, would this be a material event for my organization? Especially if you’re publicly traded, you may need to say, hey, what would be a material event, and be able to answer that question. Or you’re able to say, hey, I wanna insure against my eightieth percentile. Do I have enough cyber insurance coverage? Maybe your insurance is $400,000,000, as an example. Well, you’re able to quickly see if you have potentially enough coverage, as well as breaking that down into the individual loss types. And then from a defensibility perspective, we also give you the ability to have peer analytics to say, hey, where do I stack up among my peers in my industry, whether it be from a loss or a revenue size perspective? So you’re actually able to see very specific things in the platform that can be used to ultimately help tell that story. So I’m gonna pause and see what other questions the team may have. We’re gonna open this up to you all and kinda go from there. And feel free to put any of your questions in the chat, as that is monitored, and we’ll kinda go from there. Brie, have we had any presubmitted questions?

Brie Merhar:
No. Let me go double check, but I didn’t see any. Yeah. Please, anyone, feel free to add anything in the chat. And if not, tell me if there’s anything else you wanna share. We can share that and then wrap it up.

Tim Wynkoop:
Absolutely. One question that we usually get in these events is, will this information be shared? Yep. Absolutely. We’ll post this on our website so that you can go back and share this with other people within your organization, and they’ll be able to access this as well. One final comment, as some of these questions are coming in, is we will try and help you throughout your entire journey. Right? We will provide things within the platform that work in the direction of which we’re going. And, ultimately, where we’re going is being able to allow you to do that continuous controls monitoring. Right? Being able to say, based upon these factors, you are a level three from a maturity perspective. We’re getting there. Right? So stay tuned for some of the future webinars that we’re gonna do around Risk Quantifier, and you’ll be able to see some of that functionality. So with that, we thank you for your attention. And if you have any questions, feel free to shoot those over. And even afterwards, you can feel free to send us a note, and we’ll be able to answer those offline as well. So at this point, this is the presentation. Thank you so much for your time today. And if you have anything else, feel free to let us know. Thank you so much.

 
Quantifying cyber risk in financial terms lets an organization compare what a control costs against the loss it is expected to avoid. During a live demo hosted by ThreatConnect, Tim Wynkoop, Senior Solutions Architect and Cyber Risk Expert, walked through the ThreatConnect Risk Quantifier (RQ), a platform for estimating, reporting, and managing cyber risk as financial exposure.

Wynkoop outlined that the primary goal of RQ is to provide a clear, consistent way to report risk from “the board to the byte.” As he explained, “The goal of this product is really just to help you report risk for your various audiences.” The intent is that every stakeholder, from board members to the teams patching endpoints, sees the same risk picture at the level of detail they need and can act on it.

Risk Reporting and Recommendations

The platform’s loss models are built from over forty years of global industry data, and the organization supplies the context on top of them: industry, revenue size, location, the applications in scope, and the controls in place. For a scenario such as a data breach of a customer management system, “we are able to tell you how much risk exposure you’re gonna have if that happens,” Wynkoop noted, along with the probability of that type of attack in the organization’s specific environment and how frequently it is expected to occur. He describes this as a critique-versus-create approach: users review and adjust the data rather than having to source or generate it themselves.

One standout feature is RQ’s automatic recommendations. Using a sample NIST CSF assessment, Wynkoop showed the platform answering “what would that look like?” for raising maturity from level two to level three, both from the perspective of a single attack type (which changes reduce data breach risk) and across the whole control environment, independent of any one application or attack. It then estimates the risk reduction and the cost of achieving it, so a decision-maker can compare options by return on security spend.

Integration and Augmentation

The RQ platform does not scan the environment itself; it ingests results from existing vulnerability scanners such as Tenable, Rapid7, and Qualys and re-ranks them by financial exposure. As Wynkoop emphasized, “Instead of you seeing that you have three different critical vulnerabilities…we’re actually able to tell you how much risk exposure you have to this individual vulnerability.” That exposure reflects how many endpoints and applications a vulnerability affects and whether it is exploitable in the wild, and when asset data is mapped to the endpoint level the same ranking tells the vulnerability management team which individual endpoints to patch first.

Additionally, the tool supports “what if” analysis. An analyst can model a change to the controls on a particular application, including a reduction in spend on a control rather than an improvement, or a change in the observed incident rate, and see the resulting risk delta without altering the baseline calculation unless they choose to commit it.

Data-Driven Insights and Reporting

RQ offers three models for calculating risk: a machine learning model that combines ThreatConnect’s industry data with the context the organization supplies; the FAIR model (Factor Analysis of Information Risk, the Open Group standard), for which the analyst enters minimum, most likely, and maximum estimates for both loss event frequency and loss magnitude and the platform runs a Monte Carlo simulation; and semi-automated FAIR, which feeds the machine learning attack path models and the industry loss data into a FAIR analysis with the same Monte Carlo treatment. The platform also allows users to edit individual data points and add their own formulas, for example for reputation damage, and to export every data point to a GRC platform or a dashboard such as Power BI or Tableau.

For reporting upward, the platform produces a quantitative heat map: thresholds derived from parameters the user sets determine where each scenario lands, rather than an analyst placing the dots by judgment, and the same map can be rendered in qualitative terms for audiences that still report that way. The simulated loss distribution also answers coverage questions directly, such as whether an insurance limit covers the organization’s eightieth-percentile annual loss, broken down by loss type.
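The following is an added example, not ThreatConnect code and not a description of how RQ computes its figures. It shows what the FAIR-style Monte Carlo described above does with the minimum / most likely / maximum estimates for loss event frequency and loss magnitude: each iteration simulates one year, and the resulting distribution of annual losses is what a percentile loss (the “eightieth percentile” used in the insurance check), a loss-exceedance probability, a coverage gap, and a threshold-driven heat map band are read from. The triangular distributions, the Poisson draw for the number of events in a year, the frequency and magnitude values, and the band thresholds are all constructed assumptions for illustration.

```python
"""FAIR-style Monte Carlo annual-loss simulation (illustrative, not ThreatConnect code)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A min / most likely / max estimate, the form FAIR asks analysts for."""
    minimum: float
    most_likely: float
    maximum: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution is an assumption; FAIR tooling often uses PERT instead.
        return rng.triangular(self.minimum, self.maximum, self.most_likely)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(frequency: Estimate, magnitude: Estimate,
                           iterations: int = 10_000, seed: int = 7) -> list:
    """Return one total loss per simulated year.

    Per year: draw a loss event frequency (events/year), draw how many events
    actually occur, then draw a magnitude for each event and sum them.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, frequency.sample(rng))
        losses.append(sum(magnitude.sample(rng) for _ in range(events)))
    return losses


def percentile(values: list, pct: float) -> float:
    """Nearest-rank percentile, e.g. the 80th-percentile annual loss."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def exceedance_probability(losses: list, threshold: float) -> float:
    """P(annual loss > threshold): one point on a loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def coverage_gap(losses: list, coverage: float, pct: float = 80.0) -> float:
    """Amount by which the chosen percentile loss exceeds an insurance limit (0 if covered)."""
    return max(0.0, percentile(losses, pct) - coverage)


def qualitative_band(loss: float, thresholds: list, top_label: str = "Critical") -> str:
    """Map a quantified loss onto a heat-map band using explicit, ascending
    (upper_bound, label) thresholds, so the dots are placed by the numbers."""
    for upper, label in thresholds:
        if loss < upper:
            return label
    return top_label


if __name__ == "__main__":
    # Constructed estimates for a single "data breach of the CRM" scenario.
    breach_frequency = Estimate(0.5, 2.0, 6.0)                # events per year
    breach_magnitude = Estimate(50_000, 250_000, 5_000_000)   # USD per event
    annual = simulate_annual_losses(breach_frequency, breach_magnitude)
    bands = [(1_000_000, "Low"), (5_000_000, "Medium"), (25_000_000, "High")]
    print(f"mean annual loss      ${statistics.mean(annual):,.0f}")
    print(f"80th percentile loss  ${percentile(annual, 80):,.0f}")
    print(f"P(loss > $10M)        {exceedance_probability(annual, 10_000_000):.1%}")
    print(f"gap vs $5M cover      ${coverage_gap(annual, 5_000_000):,.0f}")
    print(f"heat-map band (p80)   {qualitative_band(percentile(annual, 80), bands)}")
```

The seed makes a run reproducible, which matters when the figures are going to be defended in front of a board; change the seed or iteration count and the percentiles should move only slightly, and if they do not, the estimates are too wide to be useful. Note that the result is an annual loss distribution, not a single number: the “risk” reported upward is whichever statistic the audience agreed on (mean, 80th percentile, or exceedance probability at a materiality threshold), and the heat map band follows from that statistic and the thresholds, not the other way round.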

In conclusion, ThreatConnect’s Risk Quantifier gives organizations a financial view of cyber risk that can be reported at every level, from a board-level heat map and insurance coverage check down to which endpoints to patch first, with every data point editable and exportable so the analysis can be defended in the organization’s own terms.

Explore how the Risk Quantifier can transform your organization’s cyber risk strategy.