As explained in the introduction, the RIMICI “ONE Source” Security Operations Center architecture has been designed for risk assessment and decision making.
This means that every decision is driven by risk assessment, so it is necessary to understand how the risk value is calculated and what each of the parameters involved means.
Only with this understanding can an administrator approach the tuning and management of the full security system.
The importance in security terms of an event depends on the following three factors:
1. The Asset value of the target, or how much money it costs
2. The Threat represented by the event, or how much it can damage our Asset
3. The probability that the event will occur
1. Traditional View: Intrinsic Risk
These three factors are the building blocks for the traditional definition of risk:
“A measure of the potential Impact of a Threat on Assets given the Probability that it will occur”
Traditionally, risk assessment is concerned with intrinsic, or latent, risks: the risks an organization assumes by virtue of both the assets it possesses in order to conduct its business and the circumstantial threats to those assets.
2. Real Time Risk
In our case, real-time capabilities let us measure the risk associated with the current situation in immediate terms.
Here the measurement of risk is weighted by the damage the threat would produce and by the probability that the threat is really happening in the present.
That probability, which is derived from the false positives produced by our detectors, becomes the degree of Reliability of the event; in other words, a measure of how often this event turns out to be a false positive.
By immediate risk we mean the state of risk produced when an event is received and assessed instantaneously as a measure of the damage an attack would produce, weighted by the Reliability of the event that raised the report.
One of the main reasons SIM systems are needed is to fight false positives, since an organization can receive millions of them a day.
The full RIMICI “ONE Source” Security Operations Center system is designed to manage these three parameters:
- Threats (which we call priorities)
in order to produce a real-time risk value for each event.
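The following is an added illustration of the real-time weighting described above; it is not code from the RIMICI product, and the scales (asset 0..5, priority 0..5, reliability 0..10), the multiplicative model normalised to 0..10, and the estimation of reliability from past true/false-positive verdicts are all assumptions made for the example. The signatures, targets and history values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed scales (not taken from the RIMICI documentation):
# asset value 0..5, threat priority 0..5, reliability 0..10.
ASSET_MAX, PRIORITY_MAX, RELIABILITY_MAX = 5, 5, 10


@dataclass(frozen=True)
class Event:
    signature: str    # detector rule that raised the alert
    target: str       # asset the event was observed against
    asset_value: int  # 0..5, how much the target is worth to the business
    priority: int     # 0..5, how much damage the threat could do


def reliability(history: Dict[str, Tuple[int, int]], signature: str) -> int:
    """Reliability 0..10: share of past alerts from this signature that were
    real. history maps signature -> (true_positives, false_positives); a
    signature with no history gets the middle value (assumption)."""
    tp, fp = history.get(signature, (0, 0))
    if tp + fp == 0:
        return RELIABILITY_MAX // 2
    return round(RELIABILITY_MAX * tp / (tp + fp))


def real_time_risk(asset_value: int, priority: int, rel: int) -> float:
    """Potential damage (asset * priority) weighted by reliability, normalised
    to 0..10. The multiplicative model is an assumption for this example."""
    for value, top in ((asset_value, ASSET_MAX), (priority, PRIORITY_MAX),
                       (rel, RELIABILITY_MAX)):
        if not 0 <= value <= top:
            raise ValueError(f"{value} is outside 0..{top}")
    return asset_value * priority * rel / (ASSET_MAX * PRIORITY_MAX * RELIABILITY_MAX / 10)


def assess(events: List[Event], history: Dict[str, Tuple[int, int]],
           threshold: float = 4.0) -> List[Tuple[str, str, float, bool]]:
    """Score each event; the flag says whether it crosses the alarm threshold."""
    results = []
    for ev in events:
        risk = real_time_risk(ev.asset_value, ev.priority, reliability(history, ev.signature))
        results.append((ev.signature, ev.target, risk, risk >= threshold))
    return results


# Constructed sample data: analyst verdicts on past alerts and three new events.
HISTORY = {"ssh-bruteforce": (40, 10), "port-scan": (10, 90)}
EVENTS = [
    Event("ssh-bruteforce", "db-server", 5, 4),  # mostly-real rule on a key asset
    Event("port-scan", "db-server", 5, 2),       # same asset, rule that is mostly noise
    Event("new-rule", "web-kiosk", 1, 3),        # no history yet, low-value asset
]
```

Running `assess(EVENTS, HISTORY)` shows the same high-value asset scoring 6.4 for the mostly-real rule but only 0.4 for the noisy one, which is exactly the false-positive suppression the text describes.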