Mosaic Data Science has a patent-pending IT risk-management methodology we’ve named Blackbird. (We’re also developing Blackbird software.) Blackbird differs radically in approach from currently available IT risk-management methods. Existing methods identify generally known vulnerabilities that occur in your IT infrastructure. Some methods even try to discover specific, previously unknown vulnerabilities. The goal of these methods is to eliminate existing vulnerabilities. The problem with such methods is that they’re reactive, so you’re always catching up. You only act on a vulnerability after it materializes. That’s like managing risk at a nuclear reactor by waiting for cracks to appear in the pipes and valves, and only then replacing the failing components. By the time a new vulnerability appears, it’s likely too late: a hacker has exploited the vulnerability, and the damage is done.

The Heartbleed bug is a great example. Aggressive patching policies aimed at reducing security risk actually increased that risk, because new versions of OpenSSL introduced the bug. To quote heartbleed.com: “Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most.” Even worse, sometimes there’s a substantial lag between the time you become aware of a vulnerability and the time a patch is released that eliminates the vulnerability. Continuing the Heartbleed example: “OpenSSL is very popular in client software and somewhat popular in networked appliances which have [the] most inertia in getting updates.”

In the worst case, there are classes of vulnerability, such as human error and earthquake, that you can’t avoid. You can only architect defense in depth around them, to reduce their impact when they’re exploited. Some security breaches are so novel that it’s clear nobody could see them coming.
But in today’s world we have a great deal of empirical evidence and expert opinion about the frequency with which various classes of security breaches occur. Even if we don’t see a specific vulnerability coming, we can foresee that a vulnerability of its kind will likely occur at a given frequency, and that a hacker will exploit it when it appears. This much we can know. And that’s Blackbird’s premise. It’s fundamentally different from reactive IT risk analysis, because (like the eponymous spy plane) it spots classes of vulnerabilities from afar, seeing risk before it sees you.
Blackbird answers two key questions:
1. What residual risks remain, after we find and fix all current vulnerabilities?
2. What is the most cost-effective way for us to reduce the impact of these residual risks to acceptable levels?
Blackbird identifies all plausible chains of adverse IT-security events that would lead to economically significant security breaches (unauthorized use of data and/or IT infrastructure). For each such chain of events, Blackbird computes the probability of the ultimate breach, and determines the most cost-effective way to reduce the likelihood of that breach to an acceptable level. The result is that you are perfectly positioned to reduce your IT infrastructure’s long-term security risk to acceptable levels at minimum cost. Once you’ve completed a Blackbird intervention and implemented its recommendations, you’ll know (to a degree of certainty you specify) that your IT infrastructure is engineered to survive all scientifically foreseeable vulnerabilities without resulting unauthorized use of data, software, or hardware. Blackbird won’t stop individual vulnerabilities from occurring, but it will help you minimize their impact when they occur—before you even realize they exist.
Blackbird performs a fully rigorous probabilistic risk analysis (PRA) to identify residual risks, and then an equally rigorous probabilistic decision analysis (PDA) to determine how best to mitigate those risks. Both analyses are based on thorough statistical risk models of classes of IT-infrastructure components and classes of security breaches on those components. These models, in turn, are based on all available empirical evidence and expert opinion about how frequently the adverse outcomes occur. The PRA and PDA account for all factors that may affect IT-security risk, including natural disasters, facility security, organizational processes, and human error. The PRA and PDA may employ several different formalisms, depending on the complexity of your IT infrastructure. Enterprise-class IT infrastructures typically require Monte Carlo simulation methods to compute risks accurately. Mosaic has a decade of experience building and analyzing Monte Carlo simulations of extremely complex engineering systems involving numerous human lives and billions of dollars’ worth of physical assets. Nobody knows more than Mosaic about modeling risk in complex systems. Contact Mosaic today to learn how Blackbird can help you secure your organization’s IT infrastructure. See IT risk before it sees you.
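To make the two analyses concrete, here is an added, self-contained toy example (not Blackbird’s method or Mosaic’s code) of the general pattern the text describes: an event chain whose steps are vulnerability classes with assumed annual probabilities, a closed-form and a Monte Carlo estimate of the probability that the chain ends in a breach (the PRA), and a decision step that ranks mitigations by expected-loss reduction per unit cost and picks the cheapest combination that brings breach probability under a target (the PDA). Every step name, probability, cost, impact figure and mitigation in the block is constructed for illustration and is not data from the page.

```python
"""Toy probabilistic risk analysis of one event chain plus a
cost-effectiveness decision step. All numbers are constructed."""
import itertools
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Step:
    name: str
    prob: float   # assumed probability the step occurs in a year, given prior steps


@dataclass(frozen=True)
class Mitigation:
    name: str
    step: str     # which step of the chain it hardens
    factor: float # multiplier applied to that step's probability (assumed)
    cost: float   # assumed annualised cost


# Constructed chain: a flaw of a known class in an exposed library,
# an exploitation window before patching, then reaching the data store.
CHAIN = [
    Step("disclosure", 0.6),
    Step("exploit_window", 0.5),
    Step("lateral_move", 0.4),
]
# Constructed mitigation options, one per step.
MITIGATIONS = [
    Mitigation("faster patch SLA", "exploit_window", 0.5, 40_000.0),
    Mitigation("network segmentation", "lateral_move", 0.25, 50_000.0),
    Mitigation("reduce exposed surface", "disclosure", 0.8, 10_000.0),
]
IMPACT = 2_000_000.0  # constructed loss if the chain completes


def chain_probability(steps):
    """Closed form: steps are modelled as independent, so multiply."""
    p = 1.0
    for s in steps:
        p *= s.prob
    return p


def simulate_chain(steps, trials=20_000, seed=1):
    """Monte Carlo estimate of the same quantity. Sampling step by step is
    what still works once steps depend on each other and no closed form exists."""
    rng = random.Random(seed)
    breaches = sum(1 for _ in range(trials)
                   if all(rng.random() < s.prob for s in steps))
    return breaches / trials


def apply(steps, mitigation):
    """Return the chain with one step's probability scaled by the mitigation."""
    return [replace(s, prob=s.prob * mitigation.factor)
            if s.name == mitigation.step else s for s in steps]


def rank_mitigations(steps, mitigations, impact):
    """Expected-annual-loss reduction per unit cost, best first."""
    base_eal = chain_probability(steps) * impact
    rows = []
    for m in mitigations:
        eal = chain_probability(apply(steps, m)) * impact
        rows.append((m.name, (base_eal - eal) / m.cost))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def cheapest_plan(steps, mitigations, target):
    """Cheapest subset of mitigations whose combined effect brings the
    breach probability to or below `target` (brute force over subsets)."""
    best = None
    for r in range(len(mitigations) + 1):
        for combo in itertools.combinations(mitigations, r):
            hardened = steps
            for m in combo:
                hardened = apply(hardened, m)
            if chain_probability(hardened) <= target:
                cost = sum(m.cost for m in combo)
                if best is None or cost < best[1]:
                    best = ([m.name for m in combo], cost)
    return best


if __name__ == "__main__":
    print("P(breach), closed form :", chain_probability(CHAIN))
    print("P(breach), Monte Carlo :", simulate_chain(CHAIN))
    for name, ratio in rank_mitigations(CHAIN, MITIGATIONS, IMPACT):
        print(f"{name:25s} loss reduction per cost unit = {ratio:.2f}")
    print("cheapest plan for P <= 0.04:", cheapest_plan(CHAIN, MITIGATIONS, 0.04))
```

Two points the numbers bring out: the mitigation with the best reduction-per-cost ratio (here the cheap surface-reduction option) is not the one that appears in the cheapest plan meeting the target, because the target is a threshold on probability, not a ratio; and the Monte Carlo estimate lands within sampling error of the closed form, which is the check to run before trusting the simulation on chains that have no closed form.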