



We’re excited to wrap up and announce our Winter 2019 release!

Customers benefit from closed-loop security. Unlike siloed approaches to proactive and reactive security, it assesses the impact of alerts about new, deleted or changed resources, taken from AWS CloudTrail and Google Stackdriver Monitoring, and uses CyberPosture scoring to prioritize infrastructure changes by their risk. For closed-loop GCP security, a Cavirin-developed Google Cloud Function watches Stackdriver Monitoring for events related to the creation, deletion and modification of specific Google resource types. Once these changes accumulate beyond a threshold, Cavirin triggers an assessment of your GCP account. The assessment produces CyberPosture scores for the affected resources, which in turn feed a remediation plan sorted by expected improvement in security posture. The same blueprint (alert -> threshold trips -> assess -> score) applies to AWS resources, built on AWS Lambda functions and AWS CloudTrail events.
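The alert -> threshold -> assess part of the AWS loop, as an added illustration (this is not Cavirin's function). It filters CloudTrail records down to the create/delete/change events of interest, counts them per account, and fires an assessment callback once the count crosses the threshold. The WATCHED_EVENTS table, the in-memory ChangeCounter (a real Lambda would have to persist this in DynamoDB or similar, since function instances share no state), the threshold value and the trigger_assessment callback are all assumptions; the sample records are constructed, not captured from a real account.

```python
"""Threshold-gated assessment trigger fed by AWS CloudTrail records.

Added illustration, not Cavirin's code. Assumed: the WATCHED_EVENTS table
(which CloudTrail eventNames count as create/delete/change events), the
in-memory ChangeCounter (a real Lambda would persist this in DynamoDB or
similar, since function instances do not share state) and the
trigger_assessment callback that would call the assessment API.
"""
from collections import defaultdict

# Assumed mapping from CloudTrail eventName to the resource type it changes.
WATCHED_EVENTS = {
    "RunInstances": "ec2:instance",
    "TerminateInstances": "ec2:instance",
    "AuthorizeSecurityGroupIngress": "ec2:security-group",
    "RevokeSecurityGroupIngress": "ec2:security-group",
    "CreateBucket": "s3:bucket",
    "DeleteBucket": "s3:bucket",
    "PutBucketAcl": "s3:bucket",
}


class ChangeCounter:
    """Per-account count of watched changes since the last assessment."""

    def __init__(self):
        self.pending = defaultdict(int)
        self.changed_types = defaultdict(set)

    def add(self, account, resource_type):
        self.pending[account] += 1
        self.changed_types[account].add(resource_type)

    def reset(self, account):
        self.pending[account] = 0
        self.changed_types[account].clear()


def classify(record):
    """Return (account, resource_type) for a watched CloudTrail record, else None.

    Read-only API calls (Describe*, Get*, List*: readOnly=true) and events not
    in WATCHED_EVENTS are ignored so that pure reads never trip the threshold.
    """
    name = record.get("eventName", "")
    if record.get("readOnly") or name not in WATCHED_EVENTS:
        return None
    account = record.get("recipientAccountId") or record.get("userIdentity", {}).get("accountId")
    if not account:
        return None
    return account, WATCHED_EVENTS[name]


def process_records(records, counter, threshold, trigger_assessment):
    """Feed CloudTrail records into counter; when an account's pending count
    reaches threshold, call trigger_assessment(account, resource_types) and
    reset that account. Returns the accounts for which an assessment fired."""
    triggered = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        account, rtype = hit
        counter.add(account, rtype)
        if counter.pending[account] >= threshold:
            trigger_assessment(account, sorted(counter.changed_types[account]))
            triggered.append(account)
            counter.reset(account)
    return triggered


_COUNTER = ChangeCounter()  # Assumed: per-instance only; persist it for real use.


def lambda_handler(event, context, threshold=25):
    """Entry point for a CloudWatch Events rule on CloudTrail API calls: a single
    record arrives as event["detail"]. The threshold of 25 is an assumption."""
    records = event.get("Records") or [event.get("detail", {})]
    return process_records(records, _COUNTER, threshold,
                           lambda acct, types: print(f"assess {acct}: {types}"))


# Constructed sample records (trimmed CloudTrail fields), not from a real account.
SAMPLE_RECORDS = [
    {"eventName": "DescribeInstances", "readOnly": True, "recipientAccountId": "111111111111"},
    {"eventName": "RunInstances", "readOnly": False, "recipientAccountId": "111111111111"},
    {"eventName": "AuthorizeSecurityGroupIngress", "readOnly": False, "recipientAccountId": "111111111111"},
    {"eventName": "CreateBucket", "readOnly": False, "recipientAccountId": "222222222222"},
    {"eventName": "PutBucketAcl", "readOnly": False, "recipientAccountId": "111111111111"},
    {"eventName": "ConsoleLogin", "readOnly": False, "recipientAccountId": "111111111111"},
]


def demo(threshold=3):
    """Run the sample through the loop: account 1111... trips the threshold on
    its third change, account 2222... stays pending with one change."""
    counter = ChangeCounter()
    calls = []
    triggered = process_records(SAMPLE_RECORDS, counter, threshold,
                                lambda acct, types: calls.append((acct, types)))
    return triggered, calls, dict(counter.pending)


if __name__ == "__main__":
    print(demo())
```

The readOnly check matters: CloudTrail records every Describe and List call, and counting those would trip the threshold on noise rather than on changes.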

Next, prioritized security gaps can be auto-remediated using AWS Lambda or Google Cloud Functions, as applicable. As the figure below shows, the remediation blueprint for Google comprises a Cloud Function that watches a GCP Pub/Sub topic for remediation requests from the Cavirin server. As the function remediates security gaps, the Cavirin server processes the remediation confirmations as another set of changes to your environment; as before, once changes accumulate beyond the threshold an assessment is triggered, resulting in updated and improved CyberPosture scores. A similar remediation blueprint applies to AWS.




Extending closed-loop security to operating system resources, the Winter 2019 release also adds Ansible integration to streamline the hardening of the operating systems powering compute instances. Cavirin periodically assesses all instances, checks for drift against a known baseline, and recommends and carries out remediation through Ansible to re-establish each instance's golden posture. As the figure below shows, assessing OS resources against policy packs such as CIS generates two Ansible artifacts: a variables file (the list of failed policies to remediate) and a hosts file (the list of Ansible-managed resources that require remediation). Applying these with the Ansible playbook for the given policy pack returns the instances to the golden posture.


Compliance and security professionals struggle to translate regulatory requirements and industry standards into automated technical controls; spreadsheets and manual mapping processes are the state of the art. While organizations like the Unified Compliance Framework (UCF) have provided a universal, canonical representation of regulatory requirements, gaps remain in mapping those requirements to technical controls with quantitative inputs that can drive risk scoring and security analytics. Cavirin's Winter 2019 release is the first to apply machine learning to recommend technical controls for industry standards (e.g. NIST 800-171) and regulatory frameworks (e.g. HIPAA), together with associated weights and severities, which lets customers drive compliance based on risk using Cavirin's CyberPosture scores. Machine learning keeps the mapping, and the resulting weights and severities, consistent. This further improves the efficacy of CyberPosture scoring and of the resulting remediation guidance.



As announced earlier, we now feed security findings for resources in a customer's Google Cloud Platform into Google Cloud Security Command Center, which unifies security findings from a select group of Google Cloud partners. To use this feature, check out Cavirin Cloud SCC Companion and Cavirin CyberPosture Intelligence on the Google Cloud Marketplace!


Reporting enhancements: A new change-reports feature compares the latest assessment against the previous one, so users can quickly gauge the effectiveness of change management. A new reporting service for RSA Archer lets organizations manage Cavirin-reported compliance posture gaps through their existing GRC platform.

Enhanced connectivity through bastion and proxy hosts: Network segmentation and isolation are important best practices. With the Winter release, customers can isolate compute instances behind bastion and proxy hosts while still allowing Cavirin to discover and assess those assets.

Other new capabilities include additional OS scanning support, including Amazon Linux 2, SUSE Linux 11/12 and Ubuntu 18.04.




Minimize Risks Due to Change Management Delays 

As DevOps leaders continue to deliver greater agility to the business, SecOps faces a widening security gap: it needs more time to manually work through change requests that must be tested with risk, security and compliance in mind. This whitepaper is for those looking to minimize the risks due to change management delays and manual processes. It highlights how Cavirin auto-remediates both compute instances and cloud services to close the security gap between SecOps and DevOps.


Many organizations separate security posture monitoring from change management, leaving them exposed while security alerts monitored by SecOps teams wait on DevOps teams for remediation. Closing this security gap through auto-remediation is a key outcome enabled by Cavirin. In this document we discuss how Cavirin auto-remediates both compute instances and cloud services, starting with a chart that contrasts an organization with and without auto-remediation.


For compute instances, configuration management systems like Puppet Enterprise, Chef Automate or Red Hat Ansible offer a good foundation. Their cloud counterparts include Microsoft Azure Automation and AWS Systems Manager (formerly Amazon EC2 Systems Manager). Cavirin's approach, below, uses Ansible to remediate compute instances in AWS, GCP, Azure or on-premises environments.

First, a SecOps user defines in Cavirin a "golden configuration" of operating system parameters for a group of machines using Cavirin's technical controls (CIS, in the figure below). The system continually assesses the organization's machines against these "golden" technical controls and identifies the assets drifting from them (Step 2 in the figure below).

Next, Cavirin creates the list of drifting machines (the hosts file) and the list of configuration settings that require remediation (the variables file), both in Ansible's format. Finally, the Ansible server retrieves the hosts file, the variables file and the Cavirin-supplied Ansible playbook, and runs the playbook to bring the machines back to the golden state.
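The two Ansible artifacts described here and in the Winter 2019 section above (a hosts file of drifting machines and a variables file of failed policies), generated as an added illustration from a constructed assessment result. This is not Cavirin's generator or playbook: the record shape of the assessment output, the inventory group name `drifted`, the variable names `remediate_policies` and `remediate_by_host`, and the playbook name `cis_remediate.yml` are all assumptions.

```python
"""Generate the two Ansible artifacts the drift-to-golden-posture loop needs:
a hosts (inventory) file listing drifting machines and a variables file
listing the failed policies to remediate.

Added illustration, not Cavirin's generator or playbook. Assumed: the shape of
the assessment result records, the inventory group name, the variable names
(remediate_policies, remediate_by_host) and the playbook name cis_remediate.yml
that would consume them.
"""
from collections import defaultdict

# Constructed assessment output (three hosts, a few CIS benchmark checks).
ASSESSMENT = [
    {"host": "10.0.1.10", "policy": "CIS-1.1.1", "status": "FAIL"},
    {"host": "10.0.1.10", "policy": "CIS-5.2.8", "status": "PASS"},
    {"host": "10.0.1.10", "policy": "CIS-6.2.4", "status": "FAIL"},
    {"host": "10.0.1.11", "policy": "CIS-1.1.1", "status": "PASS"},
    {"host": "10.0.1.11", "policy": "CIS-5.2.8", "status": "FAIL"},
    {"host": "10.0.1.12", "policy": "CIS-1.1.1", "status": "PASS"},
    {"host": "10.0.1.12", "policy": "CIS-5.2.8", "status": "PASS"},
]


def drifting_hosts(results):
    """Map each host with at least one FAIL to its sorted failed policy IDs.

    Hosts with no failures are omitted: they are at golden posture and must not
    appear in the inventory, or the playbook would touch compliant machines.
    """
    failed = defaultdict(set)
    for r in results:
        if r["status"] == "FAIL":
            failed[r["host"]].add(r["policy"])
    return {host: sorted(policies) for host, policies in sorted(failed.items())}


def render_inventory(drift, group="drifted"):
    """INI inventory with one group holding only the drifting hosts."""
    lines = [f"[{group}]"] + list(drift)
    return "\n".join(lines) + "\n"


def render_vars(drift):
    """YAML variables file: the union of failed policies plus a per-host map.
    Written by hand so the script needs no PyYAML; host keys are quoted so
    a YAML parser never reinterprets an address."""
    union = sorted({p for policies in drift.values() for p in policies})
    out = ["remediate_policies:"] + [f"  - {p}" for p in union]
    out.append("remediate_by_host:")
    for host, policies in drift.items():
        out.append(f'  "{host}":')
        out.extend(f"    - {p}" for p in policies)
    return "\n".join(out) + "\n"


def write_artifacts(results, hosts_path="hosts.ini", vars_path="vars.yml"):
    """Write both files for the playbook run. Assumed invocation:
         ansible-playbook -i hosts.ini -e @vars.yml cis_remediate.yml
    where a task in the (assumed) playbook guards itself with, e.g.
         when: "'CIS-1.1.1' in remediate_by_host[inventory_hostname]"
    so each host gets only the fixes its own assessment called for."""
    drift = drifting_hosts(results)
    with open(hosts_path, "w") as f:
        f.write(render_inventory(drift))
    with open(vars_path, "w") as f:
        f.write(render_vars(drift))
    return drift


if __name__ == "__main__":
    drift = drifting_hosts(ASSESSMENT)
    print(render_inventory(drift))
    print(render_vars(drift))
```

Keeping the per-host map alongside the union list lets the playbook stay idempotent in the strict sense: a host that failed only CIS-5.2.8 is not also rewritten for CIS-1.1.1 merely because another host failed it.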

The same approach can also create 'golden' images during pre-production: assess candidate images against the golden posture and invoke Ansible with Cavirin playbooks to remediate the images to a golden state.

Moving from compute instances to cloud services, here we can use the monitoring, queuing and remediation services provided by the public clouds. Options for remediation include AWS Lambda, Azure Functions and Google Cloud Functions. Cavirin monitors cloud services via provider APIs and assesses them against various technical controls. The system then builds a list of the top resources for remediation and executes the provider-specific functions.

Using AWS as an example, Cavirin, via its AWS Network Policy Pack, periodically assesses the status of commonly used TCP ports in the security groups created within a given AWS account. It then shows the operator the top 50 ports which, if remediated, would most improve the score (see figure below).

Technically, in the figure below:

  1. The operator issues the remediation command from the Cavirin dashboard,
  2. which publishes a remediation request to an AWS SNS topic,
  3. which then invokes the Cavirin-authored Lambda function.
  4. Remediation occurs and a confirmation is posted back to Cavirin via SQS.
  5. Cavirin takes this confirmation and modifies the scoring accordingly.
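Steps 3 and 4 of that flow, written out as an added illustration (not Cavirin's Lambda): the function reads a remediation request from the SNS record, revokes the open security-group ingress rule the Network Policy Pack flagged, and posts a confirmation, or an explicit failure, to the SQS queue the scoring side consumes. The request and confirmation JSON shapes, the `CONFIRM_QUEUE_URL` environment variable and the `FakeEc2`/`FakeSqs` stand-ins are assumptions so the module runs offline; the real handler passes boto3 clients, whose `revoke_security_group_ingress` and `send_message` calls take the keyword arguments used here. The security group ID and rules in the demo are constructed.

```python
"""Remediation Lambda for the SNS -> Lambda -> SQS loop: read a remediation
request from an SNS record, revoke the offending security-group ingress rule,
and post a confirmation (or failure) to an SQS queue that the scoring side reads.

Added illustration, not Cavirin's Lambda. Assumed: the request/confirmation
JSON shapes, the CONFIRM_QUEUE_URL environment variable, and the FakeEc2/FakeSqs
stand-ins used so the module runs offline. The function's IAM role should allow
only ec2:RevokeSecurityGroupIngress and sqs:SendMessage on the confirmation queue.
"""
import json
import os
import re

SG_ID = re.compile(r"^sg-[0-9a-f]{8,17}$")


def ip_permission(port, cidr="0.0.0.0/0", protocol="tcp"):
    """The IpPermissions entry matching an open-port finding."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def validate_request(req):
    """Reject malformed requests before touching the account. The Lambda acts on
    whatever lands on the topic, so restrict who may publish to it AND check
    the payload here."""
    if req.get("action") != "revoke_ingress":
        raise ValueError("unsupported action")
    if not SG_ID.match(str(req.get("group_id", ""))):
        raise ValueError("bad group_id")
    port = req.get("port")
    if not isinstance(port, int) or not 0 <= port <= 65535:
        raise ValueError("bad port")


def handle_sns_event(event, ec2, sqs, confirm_queue_url):
    """Process every SNS record in the event; return the confirmations sent."""
    confirmations = []
    for rec in event.get("Records", []):
        req = json.loads(rec["Sns"]["Message"])
        status, error = "remediated", None
        try:
            validate_request(req)
            ec2.revoke_security_group_ingress(
                GroupId=req["group_id"],
                IpPermissions=[ip_permission(req["port"], req.get("cidr", "0.0.0.0/0"))])
        except Exception as exc:  # report failures, never drop them, so scoring stays honest
            status, error = "failed", str(exc)
        confirmation = {"request_id": req.get("request_id"), "group_id": req.get("group_id"),
                        "port": req.get("port"), "status": status, "error": error}
        sqs.send_message(QueueUrl=confirm_queue_url, MessageBody=json.dumps(confirmation))
        confirmations.append(confirmation)
    return confirmations


def lambda_handler(event, context):
    """Real entry point: boto3 clients and the queue URL from the environment."""
    import boto3  # imported here so the offline demo below does not need it
    return handle_sns_event(event, boto3.client("ec2"), boto3.client("sqs"),
                            os.environ["CONFIRM_QUEUE_URL"])


class FakeEc2:
    """Constructed stand-in: holds (group, port, cidr) rules and, like the real
    API, errors when asked to revoke a rule that does not exist."""

    def __init__(self, rules):
        self.rules = set(rules)

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        for p in IpPermissions:
            key = (GroupId, p["FromPort"], p["IpRanges"][0]["CidrIp"])
            if key not in self.rules:
                raise RuntimeError("InvalidPermission.NotFound")
            self.rules.remove(key)


class FakeSqs:
    """Constructed stand-in that records what would be sent."""

    def __init__(self):
        self.sent = []

    def send_message(self, QueueUrl, MessageBody):
        self.sent.append((QueueUrl, MessageBody))


def demo():
    """Two requests: one matching an existing 0.0.0.0/0 rule on port 22, one for
    a rule that is not present, which must come back as a failure."""
    group = "sg-0a1b2c3d4e5f67890"  # constructed ID
    ec2 = FakeEc2({(group, 22, "0.0.0.0/0"), (group, 443, "0.0.0.0/0")})
    sqs = FakeSqs()
    event = {"Records": [
        {"Sns": {"Message": json.dumps({"request_id": "r-1", "action": "revoke_ingress",
                                        "group_id": group, "port": 22})}},
        {"Sns": {"Message": json.dumps({"request_id": "r-2", "action": "revoke_ingress",
                                        "group_id": group, "port": 3389})}},
    ]}
    return handle_sns_event(event, ec2, sqs, "https://sqs.example/confirm"), ec2, sqs


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Sending a failure confirmation rather than swallowing the error is what keeps step 5 correct: the scoring side only credits a fix that the function actually reports as applied.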

To summarize, auto-remediating compute instances and cloud services as described in the article can help organizations accelerate responses to security gaps, reduce security risks, and eliminate manual processes. 





“NEW” CyberPosture Intelligence Solution

Cavirin is the world's first solution to provide CyberPosture intelligence for the hybrid cloud. It does so by discovering resources on-premises, in traditional data centers (virtual and physical machines), in multi-cloud environments (Google Cloud, AWS and Azure) and in Docker/container-based environments. Cavirin then enables risk, security and compliance management for these hybrid cloud resources through a Protect-Monitor-Respond-Predict automation framework. Cavirin supports 25 audit frameworks drawn from the security (NIST, CIS, etc.) and compliance (HIPAA, PCI, GDPR, ISO, etc.) domains to ensure corporate security and compliance policies are enforced for the hybrid enterprise of tomorrow. The Cavirin solution has been featured in leading market research reports and has won multiple awards for innovation and market leadership.

Here is the second part (in a two-part series) that highlights customer benefits along with the features supported in our Summer 2018 release of Cavirin's "New" CyberPosture Intelligence Solution--Check out Part 1 or visit the "Why Cavirin" page for an introduction into our CyberPosture Intelligence solution.

1. Protect-Monitor-Respond-Predict security automation framework

Cavirin has implemented the Protect-Monitor-Respond-Predict security automation framework, which is at the core of everything Cavirin does. We have delivered the pieces of this framework over the last few releases and added new elements in the Summer release as well.

Technology- and infrastructure-agnostic solution: Cavirin provides the Protect-Monitor-Respond-Predict security automation framework with a single-pane-of-glass view of the hybrid cloud infrastructure, independent of technology and cloud provider, so that customers don't have to worry about the underlying infrastructure type.

In the Summer release we have greatly expanded support, namely:

  • Protect: we have greatly increased the coverage of "protection" policies, adding new control frameworks such as CCPA (California Consumer Privacy Act) and the CIS Azure and CIS GCP benchmarks, and enhancing AWS cloud policy support. Cavirin now supports 80,000 policies across 25 control frameworks.
  • Monitor: there are multiple ways that Cavirin implements monitoring,
    • Golden posture monitoring: continuous monitoring ensures that any drift from the golden posture is detected and alerted through any of the signaling channels Cavirin supports: JIRA, Slack, ServiceNow and PagerDuty.
    • AWS Lambda- and SNS-based monitoring: security monitoring of AWS CloudTrail events has been revamped to detect and alert operations staff via SNS topics when the configuration of AWS resources is modified.

  • Respond: Cavirin provides several capabilities to remediate the various issues/problems discovered by the Cavirin solution:
    • Cavirin provides a prioritized remediation gap report which provides a sorted and “prioritized” action plan based on its potential improvement on the overall CyberPosture score. This enables customers to focus on the most impactful remediation plan thereby minimizing time and resources expended.
    • Auto-remediation: Cavirin is launching “CavBots” to execute auto-remediation capabilities that are detailed below.
  • Predict: Cavirin provides data science insights to understand how the CyberPosture score is trending with time. Further, there are ways to analyze the assessment data for all the resources discovered and managed by the Cavirin solution. Capabilities exist to filter, sort, remediate and generate extensive reports with multiple perspectives as required by the customer.


2. Auto-remediation through Cavirin Cloud-bots aka “CavBots”

From the CISO Dashboard, there are two ways to get remediation guidance:

  • Alerts and Remediation: Users can view failed policies sorted by their impact on the CyberPosture score, get a prioritized gap report along with remediation guidance and post notifications or work-items in Slack, PagerDuty, Jira and ServiceNow.
  • AWS Lambda-based remediation (new): users can configure Cavirin to auto-remediate using built-in "CavBots", which execute remediation commands on the user's behalf. Failed AWS policies are remediated via AWS Lambda: pre-built Lambda functions are deployed in the customer's AWS account to carry out the remediation.


3. More Enterprise-ready features

Several enhancements support enterprise-grade scalability and deployability, ensuring that Cavirin integrates with existing enterprise infrastructure for large-scale deployments.

  • Role Based Access Control (New): To support deployments within large organizations, Cavirin’s Role-Based Access Control features allow customers to segment users, asset groups, reports and resources based on user’s role and function. In addition, access to CyberPosture views and actions is restricted by a user’s role. Custom roles can also be defined providing great flexibility.
  • Single Sign-On (new): support for single sign-on products, including Okta.
  • Enhanced OS support: Cavirin software is now certified on Ubuntu 16.04 (previously 14.04). The content team will continue to release content updates every month.
  • Digital fingerprinting of assets: Each asset in Cavirin has a unique identifier (GUID) which is derived by doing a digital fingerprinting of every asset discovered by Cavirin. With the Summer, 2018 release, compute instances are identified by their GUID. A given GUID may have multiple IP addresses. This identifier is used during the entire “Protect”-“Monitor”-Respond-Predict security automation framework. This also helps greatly to identify and de-duplicate compute instances.
  • Cloud workflow framework (New): Significant increase in the number of policies that Cavirin supports across major clouds (AWS, Azure, and Google Cloud). In addition, Cavirin provides the ability to roll-out additional content fast to customers on a regular basis.

Check out Why Cavirin for more information on our CyberPosture Intelligence Solution.


“NEW” CyberPosture Intelligence Solution

Single-click hybrid cloud CyberPosture scoring with actionable intelligence, using a breakthrough user experience that is dynamic, interactive and contextual. CyberPosture provides a credit-score-like rating from 0 to 100 that quantifies the health of the infrastructure. Customers can use it for root-cause analysis of cybersecurity, risk and compliance issues, followed by protection, monitoring and remediation through prioritized gap reports and/or auto-remediation using Cavirin's automation "CavBots".

Cavirin has announced the "new" CyberPosture Intelligence solution with its Summer 2018 release, now available. With the Summer 2018 release, customers benefit from breakthrough improvements on multiple fronts (visit the "Why Cavirin" page for an introduction to our CyberPosture Intelligence solution). Here is the first part (in a two-part series) highlighting the customer benefits and the features supported in this release:


1.  New User Experience - CISO Dashboard with single-click actionable intelligence 

A new CISO/SecOps dashboard with a new CyberPosture scoring algorithm provides a "credit-score"-like representation of risk, security and compliance posture across the hybrid cloud infrastructure, including AWS, Google Cloud, Azure, containers and on-premises infrastructure. The CyberPosture score quantifies the health of the hybrid cloud infrastructure as a number between 0 and 100; the higher the score, the better. More on the scoring methodology later.

Customers get contextual, actionable intelligence in the form of prioritized gap reports that update based on the selections made in the middle pane. Remedial actions such as opening a JIRA or ServiceNow ticket, or signaling through Slack messages, are one click away!

Customers can analyze trends and drill down into scores by asset group, environment, policy pack, cloud service, operating systems, and individual resources to pinpoint risk and prioritize remediation plans. Every score provides security & compliance drill downs for on-premise and cloud resources. 




In summary, the new user experience, which has received rave reviews from customers, provides the following:

  • CyberPosture Scoring – contributions from security/compliance issues
  • Dynamic, interactive and personalizable based on role-based access control; the dashboard is continuously updated in real time
  • Ability to click-through and drill down to do root cause analysis to understand the cause for the various issues affecting the customer
  • Actionable intelligence is a click or two away


2.  Enhanced Hybrid Cloud Infrastructure Support

Several new enhancements have been made to augment support for the Hybrid Cloud infrastructure in the summer release.

CyberPosture Scoring: credit-score-like rating between 0 and 100. The CyberPosture score analyzes and quantifies the health of the end-to-end hybrid cloud infrastructure by assigning a score between 0 and 100 using the variables described below. This is unique in the industry; Cavirin is the only company that provides a CyberPosture score for the hybrid cloud.

Higher scores mean lower risk exposure for the infrastructure. The score quantifies cyber-risk exposure: the risk to the hybrid infrastructure from the combination of security and compliance issues that could lead to breaches. The factors that contribute to the overall CyberPosture score are:

  • Asset Criticality: Asset criticality ensures that all the critical assets contribute more towards the overall CyberPosture score than less critical ones. CyberPosture scores are now based on user-assigned Confidentiality, Integrity and Availability ratings for every resource. As a result, critical resources can be identified, scored and prioritized for remediation.
  • Configuration Vulnerability Assessment: All configuration and vulnerabilities related issues are quantified and contribute towards the overall CyberPosture scoring.
  • Real-time monitoring: the hybrid infrastructure is continuously monitored and what monitoring observes is folded into the overall CyberPosture; the score is updated continuously in real time.
  • Control frameworks: Cavirin supports 25 control frameworks and 80,000 policies. Depending on the frameworks selected, each control policy contributes to the overall CyberPosture score.

For more information on CyberPosture Scoring, download our whitepaper.  

Enhanced cloud policies and resource scoring: the cloud resource discovery process has been greatly enhanced in the Summer release, and several new control frameworks have been added; see details below.

Cloud Resource Discovery and Scoring (New) - All cloud resources, services, and accounts are discovered and scored separately as an asset.  Cavirin’s cloud and on-premise resource inventory discovers and depicts resources associated with AWS, Google Cloud and Azure services including object stores (e.g. AWS S3, Google GCS), VPC, Security Groups, databases (e.g. AWS RDS), key management services (e.g. AWS KMS) and more.

CyberPosture for Azure Cloud (new): support for the CIS Azure control policy framework along with Cavirin-specific policies for Azure cloud infrastructure, new visibility into Azure resource types (e.g. Azure Storage) and additional technical controls from the CIS Azure Foundations benchmark to drive CyberPosture scoring and remediation guidance for Azure.

CyberPosture for Google Cloud (new): support for the CIS GCP control policy framework along with Cavirin-specific policies for Google Cloud infrastructure, visibility into Google Cloud resources (e.g. Google Cloud Storage) and Cavirin-defined technical controls for Google Cloud to drive CyberPosture scoring and remediation guidance.



Part 2 of this blog series (now available) shares more of the customer benefits and features supported in this summer release.  


Cybersecurity Scoring Blog Series

This is the third in a three-part blog series designed to help your organization understand and leverage your own cybersecurity posture scoring. Over the course of the series, we present the concept of cybersecurity posture along with a security framework and an approach to calculating your overall posture score.

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring
  3. Using a Security Framework to Measure Your CyberPosture Score

Key Attributes and Elements for Building a Successful Security Framework

In our first two blogs, we presented an overview of what cybersecurity posture scoring is and how it relates to cybersecurity risk scoring. As we take you along the path to generating a CyberPosture score for your company, the first step is to establish an IT security framework that guides your scoring process and leads to a consistent scorecard that can be used throughout the organization.

When developing a security framework for measuring the CyberPosture of your IT infrastructure, it’s important that the framework adheres to five key attributes:

  • Comprehensive—incorporates all business-oriented risk signals impacting the security posture.
  • Extensible—dynamic ability to incorporate future risk signals and emerging controls that could impact the security posture over time.
  • Comprehensible—consumers of the score must be able to understand it with minimal cybersecurity knowledge.
  • Meaningful—represent your security posture adequately, accurately, and consistently to help drive prioritized action plans.
  • Defensible—based on industry-standard cybersecurity frameworks and supporting details available for those who want (or need) to dig deeper into the analysis.

Your CyberPosture will be driven by the following six elements, which serve as the scoring inputs for your IT security framework:

  • Asset Criticality (discover and classify)
  • Threats (events perpetrated by threat actors in the context of the critical assets and vulnerabilities)
  • Vulnerabilities (weaknesses in the infrastructure)
  • Controls (mitigating controls against the vulnerabilities)
  • Likelihood of a Breach (historical and projected)
  • Impact of a Breach (business assessment based on CIA triad)

When the attributes and elements of your posture scoring framework are in place, the information security team can articulate and present a clear view into how well the organization is prepared to deal with the threats and attacks it will likely face.

The rest of this blog will take you through the key factors to consider as you apply this framework to your IT environment.

Key Factors When Applying a Security Framework to Your IT Environment

Asset Criticality—the criticality of IT assets is an important contributory factor to your overall CyberPosture assessment. Assets are classified under the following categories:

  • Information—databases, data files in servers as well as desktops and laptops, system documentation, user documentation, training materials, operational/support procedures, continuity plans, and archived information.
  • Software—application software, system software, development tools, and utilities.
  • Physical Devices—computer equipment, processors, monitors, laptops, modems, printers, and other hardware.
  • Services—general utility services such as power, lighting and air conditioning that are used for IT equipment.
  • People—those who own and run the programs and perform tasks for the IT department related to these assets.

Each asset should be rated using the CIA information security triad—Confidentiality, Integrity, and Availability (CIA). It’s best to have the respective asset owners identify and classify the assets. This ensures that the individual owners’ concerns around security for each asset are taken into consideration.

The criticality of each asset will be scored according to the impact on the business if that asset were to be compromised:

Level 1 - No impact
Level 2 - Insignificant impact that will not result in a business or financial loss
Level 3 - Some impact that may result in some level of business or financial loss
Level 4 - Significant impact that will probably result in a significant business or financial loss
Level 5 - Severe impact that will likely result in a significant business or financial loss

Taking this approach will help prioritize which assets to focus on first as far as raising their posture score. Once the most critical assets are selected, they can then be grouped based on similar criticality ratings.

Of course, the assessment of criticality is only as accurate as the inventory of assets being evaluated. Therefore, the first step in this element is to implement a thorough discovery process that can identify the systems, containers, applications and services in use throughout the organization, both on-premises and in the cloud.

Additionally, one must not forget to explore the environment for assets that may have been brought into the environment by employees, contractors, and partners without the knowledge of the IT department; or “Shadow IT.”

As a final point here, it is also essential to maintain a proactive view into the inventory of these assets, keeping abreast of planned and unexpected changes made to the environment, such as the modification of scope made to an existing workload and/or the launch of a new workload to address a new business requirement or process.

Threats—threat events pertain to conditions that can lead to breaches and are perpetrated by threat actors—either humans (insiders or outsiders), botnets (human-controlled networks) or nation states (government entities).

Threat actors can exploit weaknesses in systems and software to create threat events that portend breaches. The threats could be the result of malice (e.g., a cybercriminal trying to steal data) or unintentional (e.g., an admin-level user who changed access control permissions – to an S3 bucket, for example – without understanding the consequences).

Threat events can span:

  • Configuration issues: unintended data flows that expose data to the outside world.
  • Defects and other vulnerabilities in systems and applications: which can be used to bypass authentication, access rights, and other powerful system-level capabilities.
  • Limitations in compliance frameworks: far too often, the regulatory bar is set way too low, guiding the threat actor for how high they need to jump.

To gain a proper view of the threats the organization faces, the team should consider collecting and consuming one or more threat intelligence feeds. These feeds provide real-time information on threat events pertinent to the organization, which in turn contributes the intelligence needed for a security posture score that is relevant to your own environment (the one identified in the asset discovery and criticality element above).

Vulnerabilities and Mitigating Controls—according to, a vulnerability is a weakness in an application, operating system, or other components, that allows a threat actor to cause harm or compromise. The weakness can be a design flaw, misconfiguration, operational lapse (ineffective security practices), or other attack vectors.

A mitigating control is a configuration, process, technology, or even a person implemented as a means to safeguard or provide some other countermeasure in which to avoid, detect, counteract, or minimize the risk identified for a given asset.

As one might naturally picture, vulnerabilities and controls are very closely related to threats. The reason is simple: threat actors, intentionally or accidentally, take advantage of vulnerabilities in the hope that no effective mitigating controls are in place. A malicious threat actor, for example, can easily search the open web for the types of systems, applications and services in use within your organization, look up the known vulnerabilities and common (out-of-the-box) misconfigurations they carry, and then check whether a control is in place to block access or prevent the payload from succeeding.

If there is an adequate control in place, the threat actor can move on to seek out another system or application that is missing the control. If there is no mitigating control in place, the threat actor can choose to exploit the vulnerability and/or misconfiguration and leverage the benefits from doing so; change/increase access rights, change the system/application configuration, laterally move to another location on the network, or even sit and wait to use the machine’s location and capabilities to their advantage at a later time after they perform some additional reconnaissance.

As noted above, there are three types of vulnerability and control assessments that factor into the CyberPosture score:

  1. Configuration related issues
  2. Vulnerabilities related issues
  3. Security and Compliance framework related audit issues

The score contributions come from all IT infrastructure resources, such as OS resources, cloud accounts and services: first from an initial assessment, then from run-time monitoring of the configuration, vulnerability and control-framework policies the organization has in place for its hybrid cloud infrastructure. Assessment monitoring also aligns with the CIA model, in that one cloud service may require more availability or confidentiality than another.

The Likelihood and The Impact of a Breach—the likelihood of a breach is the probability of an asset being compromised due to threats exploiting the specific vulnerability and can range from <unlikely to occur> to <certain to occur>.

The impact of a breach that results in a business or financial loss should be assessed by the owner of each asset, collection of assets, and the overall business process that utilizes those assets. The value can range from <no impact at all> to <severe impact>, which may result in disastrous consequences or lead to significant financial loss.

The likelihood and impact analysis relies heavily on historical trends within the organization, trends in threat intelligence data, statistics related to the industry in question, statistics related to the geographical location of the business operations (laws and regulations can have an impact), the current patching regimen, and what types of attacks are actually possible against the identified vulnerabilities. There may be other factors as well, but these are the core areas from which the assessment would be made.

As the likelihood and impact are calculated, keep in mind that a single asset may be used to enable multiple business processes and may also be in play in support of multiple business units in many forms and in many locations.

For the security framework to be successful, you must have visibility into the hybrid world of the OS (both VM and container), of the workloads, and the key set of cloud provider services utilized as well. Remember: the faithfulness of your CyberPosture score is directly related to the rigor, consistency, and honesty that goes into each phase of the process.  For complete details read the Cavirin whitepaper: Your CyberPosture Score



Cybersecurity Scoring Blog Series

This is the second in a three-part blog series designed to help your organization understand and leverage your own cybersecurity scoring posture. Over the course of the series, we will present the concept of cybersecurity posture along with a framework and an approach to calculate your overall posture score.

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring
  3. Using a Security Framework to Measure Your CyberPosture Score

Comparing Cyber Security Posture Scoring to Cyber Security Risk Scoring

When building a cybersecurity program to defend your digital assets, the plan should be developed by assessing three critical aspects:

  • Step One: What assets are you trying to protect?

Identifying the systems, applications, data, business processes and end-users that need to be protected

  • Step Two: What are the risks?

Determining through cyber risk scoring which assets are left open to cyber-attacks, and the impact of each system going offline and/or leaking data

  • Step Three: How well are you protected?

Documenting the controls in place to protect the assets and the strength of those controls by using CyberPosture scoring

Many security-mature businesses adequately address Step One, identifying the assets to be protected. A variety of methods and tools have been available for a long time for Step Two, determining the risks. But in our discussions with clients, we find that many have not taken that important Step Three: finding out, through posture scoring, just how well they are protecting the things that matter to the business.

An Overview of Risk Scoring

An important part of going through all three steps is gaining an understanding of how CyberPosture scoring compares to cyber risk scoring. When conducting cyber risk scoring, you analyze what could go wrong. You first take an inventory of your systems, applications, data, business process, and end users (Step One) and the role they play in allowing you to run the business. Then you assess their weaknesses and vulnerabilities:

  • What systems can be hacked and taken offline?
  • What data can be stolen, leaked or changed?
  • Can private information or intellectual property be lost or stolen?

Risk scoring combines the extent of the weakness and the value of the asset. The assessment requires an understanding of the CIA triad (confidentiality, integrity, and availability), which measures the business impact of an asset that’s taken down or experiences a data breach. Those that play a critical role in running the business and lack sufficient cybersecurity mechanisms will score as a high risk. Those that aren’t mission-critical, and those with few weaknesses and/or with limited exposure, will score as a low risk.

Using a scoring system for each asset, which may be as simple as Red-Yellow-Green or as granular as a scale of 1-100, allows IT to prioritize which risks to address first. By having a risk scoring method and system, IT can also more easily communicate the overall level of risk for assets to the business leaders. This is particularly important when additional resources need to be purchased to address those risks!

Risk Scoring Leads to Posture Scoring

The risk scoring process then drives the compensating security controls that will be deployed to address the vulnerabilities and weaknesses, to reduce their exposure, and to ultimately mitigate the risks. These may be a combination of hardware and software systems as well as corporate policies that govern end-user activities when utilizing company devices. It could even include end-user awareness training to minimize the impact humans can have on the systems, data, and surrounding processes.

After the compensating policies and controls are in place, the cybersecurity posture scoring then comes into play to determine how strong those controls are in mitigating the risks. It’s essentially a reassessment of the IT environment to see how strong it is in defending against potential threats. As with risk scoring, posture scoring can be based on a three-color scheme or a wide-ranging numbered scale.

The leading cybersecurity posture platforms generate results that are comprehensible to personnel with minimal cybersecurity training. The results represent the strengths of the compensating controls in order to adequately drive prioritized action plans for upgrading or replacing inadequate controls.

The scoring results are based on industry-standard cybersecurity frameworks. In addition, they incorporate all the risk signals that an organization is aware of and then compare those risks to the controls in place to mitigate the risks.

Cybersecurity posture scoring can also be integrated with other security management applications. This makes it possible to incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

An On-Going Scoring Process

As your cybersecurity posture score increases, your cybersecurity risk score decreases. Ideally, you want to find a balance of controls that justifies the investment in hardware and software and returns the required digital-asset protection value. The two-pronged risk/posture scoring process also needs to be conducted on a recurring basis: new business processes are introduced, creating more exposure, and new cyber threats emerge, creating new risks that current controls cannot mitigate.
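To make the likelihood-and-impact definitions above, the per-asset CIA weighting, and the relation between posture and residual risk concrete, here is a small scoring model. It is an added illustration written for this post, not Cavirin's own CyberPosture algorithm, and every scale in it is assumed: likelihood on 1-5 (unlikely to certain), impact per CIA dimension on 1-5 (no impact to severe), control strength on 0-1, and the Red/Yellow/Green thresholds of 60 and 30. The asset inventory is constructed for the example.

```python
"""Risk-vs-posture scoring model (illustrative, not Cavirin's algorithm).

Assumed scales, chosen for this example only:
  likelihood        1..5   "unlikely to occur" .. "certain to occur"
  impact per C/I/A  1..5   "no impact at all" .. "severe impact"
  control strength  0..1   how well one control compensates one weakness
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CIA = ("C", "I", "A")  # confidentiality, integrity, availability


@dataclass
class Asset:
    name: str
    likelihood: int                    # 1..5
    impact: Dict[str, int]             # {"C": 1..5, "I": 1..5, "A": 1..5}
    cia_weights: Dict[str, float]      # how much each dimension matters for this asset
    weaknesses: List[str] = field(default_factory=list)
    # (control name, weakness it compensates, strength 0..1)
    controls: List[Tuple[str, str, float]] = field(default_factory=list)


def weighted_impact(asset: Asset) -> float:
    """Impact 1..5 blended by the asset's own CIA weighting, so a public web
    site can value availability while a customer database values confidentiality."""
    total = sum(asset.cia_weights[d] for d in CIA)
    return sum(asset.impact[d] * asset.cia_weights[d] for d in CIA) / total


def inherent_risk(asset: Asset) -> float:
    """Risk 0..100 before controls: likelihood x impact, normalised by the 5 x 5 maximum."""
    return round(asset.likelihood * weighted_impact(asset) / 25 * 100, 1)


def posture_score(asset: Asset) -> float:
    """Posture 0..100: how well the known weaknesses are covered by compensating
    controls. Each weakness counts its strongest mapped control; uncovered = 0."""
    if not asset.weaknesses:
        return 100.0
    best = {w: 0.0 for w in asset.weaknesses}
    for _, weakness, strength in asset.controls:
        if weakness in best:
            best[weakness] = max(best[weakness], strength)
    return round(100 * sum(best.values()) / len(best), 1)


def residual_risk(asset: Asset) -> float:
    """Risk left after controls: inherent risk scaled down by posture.
    As posture rises toward 100, residual risk falls toward 0."""
    return round(inherent_risk(asset) * (1 - posture_score(asset) / 100), 1)


def band(score: float) -> str:
    """Red-Yellow-Green view of a 0..100 risk score (thresholds assumed)."""
    if score >= 60:
        return "Red"
    if score >= 30:
        return "Yellow"
    return "Green"


def prioritize(assets: List[Asset]) -> List[Tuple[str, float, str]]:
    """Remediation order: highest residual risk first."""
    ranked = sorted(assets, key=residual_risk, reverse=True)
    return [(a.name, residual_risk(a), band(residual_risk(a))) for a in ranked]


def sample_assets() -> List[Asset]:
    """Constructed inventory for the example; these are not real systems."""
    return [
        Asset("customer-db", 4, {"C": 5, "I": 4, "A": 3}, {"C": 0.5, "I": 0.3, "A": 0.2},
              ["unpatched-os", "public-ingress"],
              [("weekly-patch-cycle", "unpatched-os", 0.8),
               ("security-group-restrict", "public-ingress", 0.6)]),
        Asset("marketing-site", 5, {"C": 1, "I": 2, "A": 4}, {"C": 0.2, "I": 0.3, "A": 0.5},
              ["no-waf"], []),                       # weakness with no control yet
        Asset("build-server", 2, {"C": 3, "I": 5, "A": 2}, {"C": 0.3, "I": 0.5, "A": 0.2},
              ["shared-creds"], [("vault-issued-creds", "shared-creds", 0.9)]),
    ]


if __name__ == "__main__":
    for a in sample_assets():
        print(f"{a.name:15} inherent={inherent_risk(a):5.1f} posture={posture_score(a):5.1f} "
              f"residual={residual_risk(a):5.1f} {band(residual_risk(a))}")
    print("remediate first:", prioritize(sample_assets())[0][0])
```

Two things the table makes visible that the prose only states: the customer database carries the highest inherent risk yet drops below the marketing site once its controls are counted, so the remediation order is driven by residual risk, not asset value alone; and adding a single control to an asset with an uncovered weakness moves its posture up and its residual risk down by the same proportion, which is the recurring risk/posture loop the post describes.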

In the final blog, we present the basic elements of a posture scoring framework, how cybersecurity posture scoring works, and how to get started with scoring your cybersecurity posture, including what you need to do to prepare before you can start scoring.

Download our whitepaper on the topic: Your CyberPosture Score.

© 2019 Cavirin Systems, Inc. All rights reserved.