Adaptive Risk in the era of the Internet of Things
Risk has always been a key factor for companies to consider, and one of the major pains has always been how to manage it. We are used to analyzing risk through a simple model that follows a method similar to the one below:
- identify and characterize threats
- assess the vulnerability of critical assets to specific threats
- determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
- identify ways to reduce those risks
- prioritize risk reduction measures based on a strategy
It is a well-known model, and it is based on the fact that a threat either can or cannot be identified.
To represent this graphically, we may define the status of the threat by means of two separate values, 1 (one) and 0 (zero), and the probability that the threat falls into one of the two states as a line between these two points.
Figure 1 - Risk probability of a threat to occur.
What is in the middle? Anything that could happen in the real world. Think of a zero-day attack and how it presents itself: by definition, one cannot know what kind of threat it will be until the day on which it starts attacking your ecosystem. So if we relate this to our model and to the scale, we assign it a value of zero, because it is not yet identifiable.
The moment the attack starts, we assign a clear value of 1 to identification and something between zero and one to the assessment and determination steps.
Does it work? Of course it works, if you think your ecosystem is well known and the identities related to it, the targets or potential targets and the “attackers” – or whatever may be used as a relay to attack you (infected systems) – are known. It is the world as we used to know it, after all, and we all know what’s in our “backyard” (aka the company network).
So now I’ll repeat the question above: does it work? Let me add some new actors to the picture we drew above.
“…your ecosystem is well known and the identities related to it, the targets or potential targets and the “attackers” – or whatever may be used as a relay to attack you (infected systems) – are known.”
But the real question is: is the world still a known world? According to reports from analysts such as IDC and Gartner, the market for the so-called Internet of Things (IoT) is forecast to grow from the current $128 billion to an impressive $500 billion by 2019, covering a long list of devices and ways for ‘things’ to communicate: RFID, sensor nodes, gateways, cloud management, NFC, CEP, SCADA, ZigBee.
What does this mean to you? It means that your well-known ecosystem will be (or already is?) filled with hundreds, maybe thousands, or in some cases millions, of sensors and devices that may or must communicate with the outside world (the Internet) and with your internal network (intranet). This is nothing special in itself, but if we add it to what is known as ‘shadow IT’, or more fancifully ‘Bring Your Own Everything’, we see that our zero-day use case becomes ‘every day is a zero-day attack’, and the model we have used until now is no longer usable.
Let me put it again in a graphical way. We said the threat is something between 0 (zero) and 1 (one). We said that now the ecosystem is either known or not known, so we may assume that, again, a zero/one case applies. Consequently, writing each case as (ecosystem known, threat known), our model will follow logic similar to the below:
• 1,0: I know the ecosystem and I don’t know the threat
• 1,1: I know the ecosystem and I know the threat
• 0,1: I don’t know the ecosystem (completely) but I know the threat
• 0,0: I don’t know the ecosystem (completely) and I don’t know the threat
Graphically our model will be something like the figure below.
Figure 2 - The internet of things classical model
Is the previous question clearer now? Let me reformulate: does it work? I’ll tell you: no, it doesn’t.
It does not, because if I look at the square I see an area where my model fails, and it is, by the way, the biggest one.
Our risk model moves along the lines but does not consider any other case, since it is not designed to do so. As for the Internet of Things, we, the digital immigrants who were born in a non-digital world, are not prepared to take into account such a rapid change to our ecosystems. Let me put it graphically again and, at the very same time, challenge you with a simple question:
What is this point in your risk management model?
Figure 3 - The adaptive Risk model in place
The classical risk model does not take into account anything outside the lines. This is because the approach is based on a probabilistic analysis and consequently can only consider an “identifiable” status: zero or one, and everything in between along a single line. The points in the middle of the square require the introduction of a different model of analysis: fuzzy logic.
What does it mean? That the risk model we presented at the beginning of this article is still valid, but must be run as a constant loop: a continuous evaluation of the status of the ecosystem that, as for the IoT, needs to be constantly ‘connected’ to everything and must be able to evaluate every single behavior or context in order to produce an index able to trigger an action or a reaction.
How could this be done? Think of the concept of putting the “Internet” into things: place this model in a context where the various components of your ecosystem are able to communicate with each other (M2M), sharing risk indexes, behaviors, et cetera, in order to learn from and instruct each other.
The terms ‘risk engine’ and ‘actionable server’ may help you draw a picture of this, but I prefer to call it adaptive risk or, better, an adaptive risk model.
Let’s then look again at the initial model we used and complete it with an adaptive risk approach.
- Identify and characterize threats + analyze the behavior and the operating context of the ecosystem in real time.
- Assess the vulnerability of critical assets to specific threats
- Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets) + a risk may evolve and modify the impact, so consider the partial determination and act as in the ‘worst case’ scenario.
- Identify ways to reduce those risks
- Prioritize risk reduction measures based on a strategy + start over to identify the risk and the status of your knowledge related to it.
The Risk model will then produce a result similar to the one below.
Figure 4 - The adaptive Risk model
The point in the center of our risk square is now the definition of our model and can explain every case we find, from what is on the lines to what is inside the square, no matter how large or well known the ecosystem is and how many ‘things’ we add to it.
Adaptive Risk Model:
“To identify a potential threat based on the context, the behavior and the average information related to similar cases that are provided in real time or almost real time by other ‘things’, and to produce a global risk index reusable by every actor in the ecosystem to assess, determine and reduce the risk and prioritize the action needed to avoid the threat.”
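To make the loop concrete, here is a small Python sketch, added to this article and not part of the original text or of any Dell product, of the five steps above run as a constant loop and of the definition just given: the classical model's coverage of the risk square (only the lines), a continuous risk index for a single ‘thing’ that handles a partially determined risk as the worst case, M2M sharing of threat knowledge among similar things, a global index published as the worst case, and the loop that triggers a reaction and starts over. The scoring formula, the sample ‘things’, the 0.6 threshold and the contain() reaction are assumptions made for the illustration, not a method from the article.

```python
"""Toy adaptive risk engine (illustration only; not the article's or Dell's code).

Axes of the risk square, both in [0, 1]:
  ecosystem_known: 0 = I don't know this part of the ecosystem, 1 = I know it
  threat_known:    0 = threat not identifiable, 1 = threat identified
"""
from dataclasses import dataclass
from typing import Optional

# The four corners listed in the article, keyed (ecosystem_known, threat_known).
CLASSICAL_CASES = {
    (1, 0): "I know the ecosystem and I don't know the threat",
    (1, 1): "I know the ecosystem and I know the threat",
    (0, 1): "I don't know the ecosystem (completely) but I know the threat",
    (0, 0): "I don't know the ecosystem (completely) and I don't know the threat",
}


def classical_model_covers(ecosystem_known: float, threat_known: float) -> bool:
    """True if the classical model has an answer for this point of the square.

    The classical model only moves along the lines: at least one axis must be
    exactly 0 or 1. A point strictly inside, e.g. (0.5, 0.5), is the gap the
    article points at.
    """
    return ecosystem_known in (0.0, 1.0) or threat_known in (0.0, 1.0)


@dataclass
class Thing:
    """Real-time report from one 'thing' (sensor, gateway, host agent).

    kind groups 'similar cases' that share what they learn (M2M).
    impact is None while the assessment step has not determined it yet.
    """
    name: str
    kind: str
    ecosystem_known: float
    threat_known: float
    impact: Optional[float] = None


def risk_index(t: Thing) -> float:
    """Local risk index in [0, 1] for one thing (assumed scoring, not the article's).

    identified: classical likelihood x consequence for the identified part of the threat
    blind_spot: the part of the ecosystem we cannot see is treated as attackable
                ('every day is a zero-day'), i.e. likelihood 1 x worst-case impact 1
    The two exposures are combined with noisy-OR. A partially determined risk is
    handled as the worst case: an impact not yet assessed counts as 1.0.
    """
    impact = 1.0 if t.impact is None else t.impact
    identified = t.threat_known * impact
    blind_spot = 1.0 - t.ecosystem_known
    return 1.0 - (1.0 - identified) * (1.0 - blind_spot)


def share_threat_knowledge(things: list[Thing]) -> None:
    """M2M step: a thing that has identified a threat instructs its peers of the
    same kind, so every similar thing carries the best known threat_known."""
    best: dict[str, float] = {}
    for t in things:
        best[t.kind] = max(best.get(t.kind, 0.0), t.threat_known)
    for t in things:
        t.threat_known = best[t.kind]


def global_risk_index(things: list[Thing]) -> float:
    """Global index published to every actor: the worst local index (worst case)."""
    return max(risk_index(t) for t in things)


def contain(t: Thing) -> None:
    """Hypothetical reaction of the 'actionable server': instrument the thing
    (more of its context becomes known) and segment it (consequence halved).
    A still-undetermined impact is first assessed at its worst case, 1.0."""
    t.ecosystem_known = min(1.0, t.ecosystem_known + 0.25)
    t.impact = (1.0 if t.impact is None else t.impact) * 0.5


def adaptive_loop(things: list[Thing], threshold: float = 0.6, max_rounds: int = 10) -> list[float]:
    """The article's five steps run as a constant loop.

    Each round: share knowledge (identify), score every thing (assess/determine),
    publish the global index, and if it is above threshold act on the worst thing
    first (reduce/prioritize), then start over. Returns the global index per round.
    """
    history: list[float] = []
    for _ in range(max_rounds):
        share_threat_knowledge(things)
        current = global_risk_index(things)
        history.append(current)
        if current < threshold:
            break
        contain(max(things, key=risk_index))  # worst thing first
    return history


def sample_ecosystem() -> list[Thing]:
    """Constructed sample data: two badge readers found by a shadow-IT sweep
    (one has seen a probe), an HVAC gateway, a file server and a laptop."""
    return [
        Thing("badge-reader-1", "badge", ecosystem_known=0.2, threat_known=0.0),
        Thing("badge-reader-2", "badge", ecosystem_known=0.2, threat_known=0.6),
        Thing("hvac-gateway", "hvac", ecosystem_known=0.6, threat_known=0.5, impact=0.5),
        Thing("file-server", "server", ecosystem_known=1.0, threat_known=1.0, impact=0.3),
        Thing("laptop", "endpoint", ecosystem_known=1.0, threat_known=0.0, impact=0.2),
    ]


if __name__ == "__main__":
    print("classical model covers (0.5, 0.5)?", classical_model_covers(0.5, 0.5))
    for rnd, g in enumerate(adaptive_loop(sample_ecosystem()), 1):
        print(f"round {rnd}: global risk index = {g:.3f}")
```

Run as-is, the global index goes 0.92, 0.92, 0.685, 0.685, 0.55 over five rounds: the unmanaged badge readers dominate until they have been contained twice each, after which the loop stops on the HVAC gateway, whose 0.55 sits below the threshold. Note what the M2M step does in round one: badge-reader-1 reported no threat, but inherits its sibling's 0.6 before being scored, which is the ‘learn from and instruct each other’ behavior of the definition.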
Sr. System Consultant at Dell