ThreatConnect Risk Quantifier FAQ

ThreatConnect RQ is a risk quantification platform that enables better decision-making by representing cyber risk, as well as other types of risk, in financial terms.

ThreatConnect RQ is different in three main ways:

• It measures your attack surface area to determine the risks that are relevant to your organization.

• It provides short-term (i.e., vulnerability) and long-term (i.e., control investment) mitigation recommendations.

• It can take an outside-in or inside-out view into third-party risks.

Yes, ThreatConnect RQ supports the use of the Open FAIR™ model in FAIR™ (Factor Analysis of Risk) scenarios.

Semi-automated FAIR scenarios take control data for your organization into account to help determine vulnerabilities and then combine that information with industry frequency data to calculate the frequency side of the Open FAIR model.

A Business Application (also known simply as an Application) is the container in which controls are applied to prevent an attack from occurring.

A Business Asset is the item (e.g., PCI data or revenue) that gives an Application value.

Yes, there are multiple ways to perform an analysis of a process within ThreatConnect RQ.

No, there is no limit to the number of users allowed in a ThreatConnect RQ instance.

Yes. With an Enterprise Administrator account, you can create additional Legal Entities that have a separate set of users assigned to them.

A Legal Entity is a construct within ThreatConnect RQ that ensures the correct industry data are applied to an organization. It can represent an entire organization, a particular business unit, or a product line. The ThreatConnect RQ Support Team can work with you to set up a Legal Entity structure that fits your reporting needs.

The number of Legal Entities you can create depends upon your ThreatConnect RQ license.

No, there is no limit to the number of Applications you can create.

No, there is no limit to the number of 'What If' analyses you can perform.

Each model used in ThreatConnect RQ is backtested to ensure its accuracy. You can also view a detailed breakdown of each model in the Model Insights section of ThreatConnect RQ.

ThreatConnect RQ uses a combination of open- and closed-source industry data, as well as internal data that are mapped to the MITRE ATT&CK^® framework.

The industry data within ThreatConnect RQ are updated at least quarterly when there is a significant change to the data set.

ThreatConnect RQ minimizes the amount of data that needs to be collected. Depending on the model being leveraged for measurement, you may need to provide only the organization's firmographic information (i.e., industry type, location, and size), Control framework, and Application information (i.e., Application type and corresponding Business Assets), the majority of which can be ingested by the platform via an API.

Yes, you can update values for data used in ThreatConnect RQ calculations on the Model Tuning screen. This is helpful if your organization has a stronger data point that they would like to leverage in ThreatConnect RQ's calculations.

Navigate to the Model Insights screen within ThreatConnect RQ for more information on how the probability of success is calculated.

ThreatConnect RQ computes two numbers: loss magnitude and the likelihood of an attacker breaching your defenses. Each computation uses different methods.

When computing loss magnitude, ThreatConnect RQ uses historical data to build loss models. These models are built using several methods, including polynomial regression and machine learning (ML) techniques, depending on what the ThreatConnect RQ Data Engineering Team finds to be appropriate after the initial analysis of the historical loss data.

When computing the likelihood of an attacker breaching your defenses, ThreatConnect RQ uses probabilistic methods, such as absorbing Markov chains, Stochastic error functions, and Monte Carlo simulations.

For probability simulations, ThreatConnect RQ uses normal distributions.

The distributions used in loss impact calculations vary by impact type. The distribution choice is led by the data that ThreatConnect RQ has to model (both commercial data and self-gathered data). In some cases, ThreatConnect RQ's models are based on observations or decision trees, where there is an expectation of a complete data set being available (usually for regulatory losses, such as HIPAA and GDPR fines); in other cases, the models are based on log-normal distributions. The ThreatConnect RQ Data Engineering Team examines other distributions regularly to ensure that the type of distribution is appropriate.

ThreatConnect RQ has a library of attack patterns used in the wild, based on postmortem reports of attacks, malware analysis reports, and aggregate reports of attack groups and campaigns. From these data, ThreatConnect RQ can distill the techniques used by an attacker and the stages of the attacks.

In addition, ThreatConnect RQ uses an absorbing Markov chain to provide the simulation of each attack pattern and then iterates using Monte Carlo simulation. The result is an aggregate probability distribution that accounts for the different attack paths an attacker may take.

ML models are deployed throughout ThreatConnect RQ's data-gathering and model-building operations. On the probability side of ThreatConnect RQ, natural language processing (NLP) and various classifiers, such as Google’s Bidirectional Encoder Representations from Transformers (BERT) model, are used to gather and enrich data for modeling purposes. On the loss side, several ML techniques are used to analyze loss data and produce loss models.

The primary mechanism used in loss analyses is decision trees (particularly, the XGBoost library); however, other models may be used, depending on their applicability, which is determined during the exploration phase of data analysis. To leverage ML in loss analyses, ThreatConnect RQ separates probability and loss components and then treats them as two separate phases of an attack, allowing ThreatConnect RQ to go beyond pure Monte Carlo simulations. When using loss data to build ML models, ThreatConnect RQ uses a mixture of data created by the ThreatConnect RQ Data Engineering Team, data retrieved from paid sources, and data retrieved from open sources. This approach eliminates the need to use Monte Carlo simulations to calculate the potential loss a company faces, as actual loss data are being used in loss analyses.

ThreatConnect RQ has built-in support for the following control frameworks: ISO 27001, NIST-CSF, CIS Top 20, and TAG Cyber.

If your organization uses a control framework that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with you to add it as a supported control framework.

There is no limit to the number of control frameworks that can be added to ThreatConnect RQ.

Control effectiveness is one of the most difficult problems to solve in cyber risk quantification. Currently, there are three ways to measure control effectiveness: test all controls all the time (e.g., breach attack simulations), measure effectiveness on a Capability Maturity Model Integration (CMMI) scale, and use subjective inputs.

ThreatConnect RQ uses a CMMI scale to measure control effectiveness. In ThreatConnect RQ, organizations express their security posture in terms of standard control frameworks, such as NIST-CSF and ISO 27001. Behind the scenes, ThreatConnect RQ decomposes the control measurement into security features that map these control frameworks to more granular controls, which are then mapped to their corresponding MITRE ATT&CK tactic, technique, or procedure (TTP) for analysis. The effectiveness of these granular controls is measured against their corresponding TTPs using a variety of methods, including a proprietary instrumented application that runs attacks against various defensive configurations. These attacks can be scripted to examine the impact of controls acting alone and acting together. ThreatConnect RQ also uses data from external laboratory tests, attack reports, and other pieces of research to augment the measure of control-to-TTP effectiveness. When data are not available, subject matter expertise is used instead. To integrate these disparate sources of information, ThreatConnect RQ uses a technique called subjective logic that provides a calculus for dealing with the completeness and correctness of data obtained from various sources.

ThreatConnect RQ has built-in support for the following types of APIs: vulnerability scanner; third-party scanner; governance, risk, and compliance (GRC); configuration management database (CMDB); and reporting (specifically, Tableau^® and Power BI™). If you need to use a type of API that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with your organization to add support for it.

No, all API usage is included with your ThreatConnect RQ license.

Currently, you can connect ThreatConnect RQ to Archer^®, ServiceNow^®, Snowflake^®, and SureCloud^®. If you use a GRC platform that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with you to help connect it.

To leverage SecurityScorecard® ratings in analyses, your organization must obtain a subscription to SecurityScorecard.

There is no limit to the number of third parties that you can measure in ThreatConnect RQ; however, depending on the approach, you may be limited by the SecurityScorecard license.

ThreatConnect RQ has built-in support for the following vulnerability scanners: Qualys^®, Rapid7^®, and Tenable^®. If your organization uses a vulnerability scanner that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with you to add support for it.

A vulnerability scanner is required only when a Business Application is housed on-premises or is an Infrastructure as a Service (IaaS) Application, or when your organization wants to prioritize vulnerabilities.

In ML-based scenarios, ALE (or exposure) is the product of the single loss expectancy (SLE), the P(S), and the rate of incidence.

Yes, you can export reports from ThreatConnect RQ as PowerPoint^® and CSV files. You can also use an API to export reports to a reporting tool.