ThreatConnect Risk Quantifier FAQ
  • 05 Mar 2024
  • 10 Minutes to read
  • Dark
    Light

ThreatConnect Risk Quantifier FAQ

  • Dark
    Light

Article summary

Overview

The ThreatConnect® Risk Quantifier (RQ) platform applies risk and financial models based on your business, your technical environment, and industry data that enable you to make strategic- and tactical-level decisions to mitigate financial risk to your organization. This article provides a list of frequently asked questions related to ThreatConnect RQ.

Frequently Asked Questions (FAQ)

General Questions

What is ThreatConnect RQ?

ThreatConnect RQ is a risk quantification platform that enables better decision-making by representing cyber risk, as well as other types of risk, in financial terms.

How is ThreatConnect RQ different from other risk quantification platforms?

ThreatConnect RQ is different in three main ways:

  • It measures your attack surface area to determine the risks that are relevant to your organization.

  • It provides short-term (i.e., vulnerability) and long-term (i.e., control investment) mitigation recommendations.

  • It can take an outside-in or inside-out view into third-party risks.

Does ThreatConnect RQ use Open FAIR?

Yes, ThreatConnect RQ supports the use of the Open FAIR™ model in FAIR™ (Factor Analysis of Risk) scenarios.

What are semi-automated FAIR scenarios?

Semi-automated FAIR scenarios take control data for your organization into account to help determine vulnerabilities and then combine that information with industry frequency data to calculate the frequency side of the Open FAIR model.

What is the difference between a Business Application and a Business Asset?

A Business Application (also known simply as an Application) is the container in which controls are applied to prevent an attack from occurring.

A Business Asset is the item (e.g., PCI data or revenue) that gives an Application value.

Can I run an analysis of a process?

Yes, there are multiple ways to perform an analysis of a process within ThreatConnect RQ.

Is there a limit to the number of users in ThreatConnect RQ?

No, there is no limit to the number of users allowed in a ThreatConnect RQ instance.

Can I limit the amount of data other users see in ThreatConnect RQ?

Yes. With an Enterprise Administrator account, you can create additional Legal Entities that have a separate set of users assigned to them.

What is a Legal Entity?

A Legal Entity is a construct within ThreatConnect RQ that ensures the correct industry data are applied to an organization. It can represent an entire organization, a particular business unit, or a product line. The ThreatConnect RQ Support Team can work with you to set up a Legal Entity structure that fits your reporting needs.

Is there a limit to the number of Legal Entities I can create?

The number of Legal Entities you can create depends upon your ThreatConnect RQ license.

Is there a limit to the number of Applications I can create?

No, there is no limit to the number of Applications you can create.

Is there a limit to the number of 'What If' analyses I can perform?

No, there is no limit to the number of 'What If' analyses you can perform.

Modeling

How does ThreatConnect RQ know whether its models are accurate?

Each model used in ThreatConnect RQ is backtested to ensure its accuracy. You can also view a detailed breakdown of each model in the Model Insights section of ThreatConnect RQ.

Which data types does ThreatConnect RQ use?

ThreatConnect RQ uses a combination of open- and closed-source industry data, as well as internal data that are mapped to the MITRE ATT&CK® framework.

How often are industry data in ThreatConnect RQ updated?

The industry data within ThreatConnect RQ are updated at least quarterly when there is a significant change to the data set.

What makes ThreatConnect RQ faster than other risk quantification platforms?

ThreatConnect RQ minimizes the amount of data that needs to be collected. Depending on the model being leveraged for measurement, you may need to provide only the organization's firmographic information (i.e., industry type, location, and size), Control framework, and Application information (i.e., Application type and corresponding Business Assets), the majority of which can be ingested by the platform via an API.

Can I use my own data in ThreatConnect RQ?

Yes, you can update values for data used in ThreatConnect RQ calculations on the Model Tuning screen. This is helpful if your organization has a stronger data point that they would like to leverage in ThreatConnect RQ's calculations.

How is the probability of success [P(S)] calculated in ThreatConnect RQ?

Navigate to the Model Insights screen within ThreatConnect RQ for more information on how the probability of success is calculated.

When you are quantifying cyber risk using probabilistic models, are you referring to Monte Carlo methods?

ThreatConnect RQ computes two numbers: loss magnitude and the likelihood of an attacker breaching your defenses. Each computation uses different methods.

When computing loss magnitude, ThreatConnect RQ uses historical data to build loss models. These models are built using several methods, including polynomial regression and machine learning (ML) techniques, depending on what the ThreatConnect RQ Data Engineering Team finds to be appropriate after the initial analysis of the historical loss data.

When computing the likelihood of an attacker breaching your defenses, ThreatConnect RQ uses probabilistic methods, such as absorbing Markov chains, Stochastic error functions, and Monte Carlo simulations.

What types of distributions does ThreatConnect RQ use for likelihood and impact calculations?

For probability simulations, ThreatConnect RQ uses normal distributions.

The distributions used in loss impact calculations vary by impact type. The distribution choice is led by the data that ThreatConnect RQ has to model (both commercial data and self-gathered data). In some cases, ThreatConnect RQ's models are based on observations or decision trees, where there is an expectation of a complete data set being available (usually for regulatory losses, such as HIPAA and GDPR fines); in other cases, the models are based on log-normal distributions. The ThreatConnect RQ Data Engineering Team examines other distributions regularly to ensure that the type of distribution is appropriate.

How does ThreatConnect RQ's approach for a given scenario handle the possibility of an attacker taking multiple potential paths?

ThreatConnect RQ has a library of attack patterns used in the wild, based on postmortem reports of attacks, malware analysis reports, and aggregate reports of attack groups and campaigns. From these data, ThreatConnect RQ can distill the techniques used by an attacker and the stages of the attacks.

In addition, ThreatConnect RQ uses an absorbing Markov chain to provide the simulation of each attack pattern and then iterates using Monte Carlo simulation. The result is an aggregate probability distribution that accounts for the different attack paths an attacker may take.

What components are used in the machine learning model for quantifying risk?

ML models are deployed throughout ThreatConnect RQ's data-gathering and model-building operations. On the probability side of ThreatConnect RQ, natural language processing (NLP) and various classifiers, such as Google’s Bidirectional Encoder Representations from Transformers (BERT) model, are used to gather and enrich data for modeling purposes. On the loss side, several ML techniques are used to analyze loss data and produce loss models.

The primary mechanism used in loss analyses is decision trees (particularly, the XGBoost library); however, other models may be used, depending on their applicability, which is determined during the exploration phase of data analysis. To leverage ML in loss analyses, ThreatConnect RQ separates probability and loss components and then treats them as two separate phases of an attack, allowing ThreatConnect RQ to go beyond pure Monte Carlo simulations. When using loss data to build ML models, ThreatConnect RQ uses a mixture of data created by the ThreatConnect RQ Data Engineering Team, data retrieved from paid sources, and data retrieved from open sources. This approach eliminates the need to use Monte Carlo simulations to calculate the potential loss a company faces, as actual loss data are being used in loss analyses.

Controls

What control frameworks does ThreatConnect RQ support?

ThreatConnect RQ has built-in support for the following control frameworks: ISO 27001, NIST-CSF, CIS Top 20, and TAG Cyber.

I do not see the control framework my organization uses in ThreatConnect RQ. Can it be added?

If your organization uses a control framework that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with you to add it as a supported control framework.

How many control frameworks can be added to ThreatConnect RQ?

There is no limit to the number of control frameworks that can be added to ThreatConnect RQ.

How is control effectiveness measured within ThreatConnect RQ?

Control effectiveness is one of the most difficult problems to solve in cyber risk quantification. Currently, there are three ways to measure control effectiveness: test all controls all the time (e.g., breach attack simulations), measure effectiveness on a Capability Maturity Model Integration (CMMI) scale, and use subjective inputs.

ThreatConnect RQ uses a CMMI scale to measure control effectiveness. In ThreatConnect RQ, organizations express their security posture in terms of standard control frameworks, such as NIST-CSF and ISO 27001. Behind the scenes, ThreatConnect RQ decomposes the control measurement into security features that map these control frameworks to more granular controls, which are then mapped to their corresponding MITRE ATT&CK tactic, technique, or procedure (TTP) for analysis. The effectiveness of these granular controls is measured against their corresponding TTPs using a variety of methods, including a proprietary instrumented application that runs attacks against various defensive configurations. These attacks can be scripted to examine the impact of controls acting alone and acting together. ThreatConnect RQ also uses data from external laboratory tests, attack reports, and other pieces of research to augment the measure of control-to-TTP effectiveness. When data are not available, subject matter expertise is used instead. To integrate these disparate sources of information, ThreatConnect RQ uses a technique called subjective logic that provides a calculus for dealing with the completeness and correctness of data obtained from various sources.

APIs

What types of APIs does ThreatConnect RQ support?

ThreatConnect RQ has built-in support for the following types of APIs: vulnerability scanner; third-party scanner; governance, risk, and compliance (GRC); configuration management database (CMDB); and reporting (specifically, Tableau® and Power BI™). If you need to use a type of API that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with your organization to add support for it.

Is there a charge for using APIs in ThreatConnect RQ?

No, all API usage is included with your ThreatConnect RQ license.

Which GRC platforms can ThreatConnect RQ be connected to?

Currently, you can connect ThreatConnect RQ to Archer®, ServiceNow®, Snowflake®, and SureCloud®. If you use a GRC platform that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with you to help connect it.

Third Party

Do I need to have a subscription to SecurityScorecard to use it in ThreatConnect RQ?

To leverage SecurityScorecard® ratings in analyses, your organization must obtain a subscription to SecurityScorecard.

How many third parties can I measure in ThreatConnect RQ?

There is no limit to the number of third parties that you can measure in ThreatConnect RQ; however, depending on the approach, you may be limited by the SecurityScorecard license.

Vulnerabilities

Which vulnerability scanners can I use in ThreatConnect RQ?

ThreatConnect RQ has built-in support for the following vulnerability scanners: Qualys®, Rapid7®, and Tenable®. If your organization uses a vulnerability scanner that ThreatConnect RQ does not support by default, the ThreatConnect RQ Team can work with you to add support for it.

Do I need to connect a vulnerability scanner to ThreatConnect RQ to run an analysis?

A vulnerability scanner is required only when a Business Application is housed on-premises or is an Infrastructure as a Service (IaaS) Application, or when your organization wants to prioritize vulnerabilities.

Reporting

How is annualized loss expectancy (ALE) computed differently in ML-based scenarios?

In ML-based scenarios, ALE (or exposure) is the product of the single loss expectancy (SLE), the P(S), and the rate of incidence.

Can I export reports from ThreatConnect RQ?

Yes, you can export reports from ThreatConnect RQ as PowerPoint® and CSV files. You can also use an API to export reports to a reporting tool.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
PowerPoint® is a registered trademark, and Power BI™ is a trademark, of Microsoft Corporation.
Qualys® is a registered trademark of Qualys, Inc.
Rapid7® is a registered trademark of Rapid7 LLC.
Archer® is a registered trademark of RSA Security LLC.
SecurityScorecard® is a registered trademark of SecurityScorecard, Inc.
ServiceNow® is a registered trademark of ServiceNow, Inc.
Snowflake® is a registered trademark of Snowflake, Inc.
SureCloud® is a registered trademark of SureCloud Limited.
Tableau® is a registered trademark of Tableau Software, Inc.
Tenable® is a registered trademark of Tenable, Inc.
FAIR™ and Open FAIR™ are trademarks of The FAIR Institute.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20161-01 v.01.A


Was this article helpful?