Enterprise Solutions: Operational Resilience, InfoSec, Manufacturing
RiskView® Business Risk Analytics
Evan Birkhead, Business Development
(908) 910-6988
Dec 18, 2015
Value Proposition
Our RiskView® Risk Concentration Analysis™ framework offers the ability to identify, quantify, and compare vulnerabilities throughout an organization.
RiskView identifies the materiality of risks according to their potential impact on business performance, helping our customers to prioritize and schedule risk mitigation, business process automation, problem resolution, resource allocation and overall spending.
RiskView measures risks in terms of their Financial, Reputational, Legal and Regulatory impact.
RiskView outcomes typically include:
• Reduced operational risk profile
• Reduced OpEx
• Improved customer experience
• Competitive advantage
Confidential 2
Rev2 is a rapidly growing Business Risk Analytics™ provider focused on delivering solutions that improve business performance.
Overview
Executive summary
• Low-footprint SaaS solution -or- on-premise solution, customer choice
• Monthly subscription service includes professional analytics, visualization, periodic reports, maintenance
Primary differentiators
• Risk Concentration Analysis™ identifies hidden risks
• Enables prioritization of most material risks
Capitalization
• Employee owned
• ARRIS investment and board members
Selected verticals
Robert Cruickshank, CEO
• VP Customer Service Ops Center, Cablevision
• ARRIS, C-Cor, Stargus, TWC RR
• Led CableLabs DOCSIS development
Evan Birkhead, Business Services
Micromuse (IBM), OneOps, Quantiva
Sanjay Subramanian, Technical Services
NetOps, Micromuse, IBM Tivoli
Scott Stansbury, Field Services
IBM Global Network, IBM HPCC, NYSERnet, NFSnet
Key Rev2 Personnel
Harry Ulmer, Reporting Services
Burroughs, GE, SNMP Workshop
Core Verticals
… RiskView is a business risk analytics solution that identifies the business materiality of those events that would be the most impactful to your operational performance.
Highly Available Enterprise Solutions
… RiskView is an outage risk analytics solution that helps you drive down costs and improve your customer’s experience by delivering the capability to move from a reactive, point-in-time view of data to an over time, cross-silo view of performance metrics.
Cable & Service Provider Outage Solutions
RiskView Architecture
Risk Management Landscape
No direct competitors; risk data typically analyzed via MS Excel spreadsheets
Across verticals, RiskView can collect data from:
• GRC (EMC/Archer, LockPath)
• Reporting (Crystal, SAS, etc.)
• Security Performance (McAfee, Clearpoint Metrics, Core Security, nCircle)
RiskView value proposition vs. competitors:
• Collects risk data across the enterprise, shows multiple views of risk concentrations: geography, data center, business function, etc.
• Scores every risk based on its business materiality, taking into account the importance of the business asset adversely impacted
• Identifies risks in the context of other risks, as opposed to looking at risks in isolation
• Customers improve spending efficiencies and customer-facing performance; lower their business-wide risk profile; and position their business for competitive advantage
RiskView for Operational Resilience
SunGard R3 Solution
The Power of RiskView, R3 & CERT-RMM
Shows you how to do it… The CERT-RMM is a process improvement approach for driving operational resilience and remediating exposures.
26 Process Areas for Improvement
Shows you what to do… The SunGard proprietary R3 framework provides the tools and methodology for enabling operational resilience.
Enabling Technology & Services
Shows you where to focus… The RiskView visualization tool provides the analytical representation of risk concentration and where best to focus resources.
Risk Visualization
Operational Resilience – Challenges and Benefits
Organizations often struggle with:
• Meeting business and compliance requirements
• Ever increasing costs
• Breakdown in key processes
• Understanding and measuring resilience
An Operational Resilience program can:
• Lower or eliminate redundancy and cost by optimizing between protection and sustainability strategies
• Lower operational risks with an enterprise focus
• Improve processes that are measurable and manageable – and therefore make them more effective!
R3 Framework
SunGard’s approach to delivering services to our clients which reduce Risk while enhancing Recoverability and thereby improving Resilience
Drives the creation and delivery of SunGard Availability Services Consulting solutions
Built upon the foundation of the Carnegie Mellon Resilience Management Model (CERT-RMM)
Methodology in Action – The Process
Collect Data
• Export data from plans in LDRPS
• Perform BDNA asset scan and export results
• Perform Nessus vulnerability scan and export results
Map & Import Data
• Normalize and validate source data
• Run adapters to populate RiskView
Develop Risk Profiles
• Build and refine formulas to calculate concentration of risk
Evolve Data
• Analyze & represent data in various views (business function, location, processes, etc.)
• Identify gaps in BC/DR plans and testing
• Perform what if analysis on identified risks
Rollout Results
• Review results to determine focus and priority of resilience spending
• Develop actionable roadmap to quantifiably reduce risk exposure
The outliers represent the most material risks.
RiskView Demo
Remedy & RiskView – An Ideal Complement
Remedy
• Tracking of incident responses and service desk performance that require immediate attention.
• Automates processes, policies and tasks, with a focus on real-time business services.
• Asset and software license lifecycle and compliance management.
RiskView
• Historical analytics determines materiality of each incident for prioritization.
• Identifies risk concentrations in processes, geographies, departments, products, etc.
• Correlation of Remedy incident data with enterprise-wide data ascertains risks to the overall business.
Remedy Case Study
“It is stunning to cut our outage impact in half.”
RiskView outage risk analytics of Remedy data identifies previously unrecognized outage risks underlying the service delivery infrastructure.
• Remedy tickets (excluding service requests) are analyzed and assigned an incident materiality score, which measures each incident’s client impact.
• Scoring identifies potential areas of customer impact based on chronic and intermittent faults.
• Measurements include: Duration, Affected System, Service Criticality, Number of Affected Users.
• Data can be viewed by: Service, Vendor, Resolution Type, Business Unit, Time of Day.
Experienced “impressive” declines in:
• Materiality from a decrease in the number of incidents/month.
• Decrease in the average materiality score of incidents that occur.
Additional returns:
• Freed up cycles for the Ops team, 2nd/3rd level support.
Critical to the Result: A tiger team was assigned to focus on the most material issues.
RiskView resulted in 50% reduction in customer service incident materiality in under one year.
RiskView for InfoSec
Highly extensible platform for fact-based, scalable, repeatable risk management decisions.
DATA SOURCES
- NETWORK & CONFIG SCANS, SIEM
- COMPLIANCE
- PEN TESTING
- DB PROTECTION
- SECURE CODE
- BEHAVIORAL ANALYSIS
ANALYSIS & REPORTING
- PRIORITIZE MATERIAL VULNERABILITIES
- CREATE RISK MITIGATION PLAN & CONTROLS FOCUS
- BUSINESS CASE GENERATION FOR MITIGATION ACTIVITIES
RISKVIEW ADAPTERS
COLLECTION & ABSTRACTION
Quantifiable business justification, demonstrable & immediate ROI
RiskView Architecture - InfoSec
Behavioral Analysis: Mazu, Arcsite
Pen Testing: White Hat
Config Scans: Symantec, Cisco
Network Scans: McAfee Vulnerability Mgr, Nessus, Qualys, IBM/ISS
Secure Code: Fortify, Veracode
DB Protection: AppSec, SPI Dynamics, HP
Compliance Surveys: Archer, Qualis
SIEM: Archer, Tivoli, IBM/ISS, CA, Cisco, etc.
"What's most important in each area?"
"What's most critical across all?"
"How do I fix?"
The Business Problem We Solve
• Trouble tickets
• Alarms
• Performance Data
• Billing data
• Service data
• Financial data
McAfee & RiskView – An Ideal Complement
The RiskView “Materiality Score” prioritizes enterprise-wide risks based on:
• Exploitability: The probability that a vulnerability might be taken advantage of.
• Susceptibility: The probability that the business might be affected.
• Impact: How critical an event might be to the business.
MVM/MRA
• Focus on technology-based vulnerability and threats.
• Proactively correlates a threat feed with vulnerability and countermeasure information to pinpoint at-risk critical assets that require immediate attention.
• Actionable data to secure the enterprise.
RiskView
• Correlation of MVM/MRA vulnerability data with enterprise-wide data to ascertain risks to the overall business.
• Identifies risk concentrations in processes, geographies, departments, products, etc.
• Determines materiality of each vulnerability for prioritization.
Typical RiskView Install Data Points
Benefits & Take-aways
• Total Risk: Determined organization’s greatest risk = InfoSec
• CIA Model: Determined outliers = Confidentiality
• Confidentiality: Determined IIE greatest vulnerability
• Resolution: Drilled down to repair information
• Total Risk of 11,000 vulnerabilities prioritized into 176 manageable risk mitigation items
• Prioritized risk mitigation steps, Improved performance of the business as it relates to security management.
Manufacturing
RiskView Architecture – Manufacturing
Highly extensible platform for fact-based, scalable, repeatable risk management decisions.
MANUFACTURING DATA SOURCES
- EXCEL, CLARITY
- BUGZILLA, RATIONAL
- ORACLE, SAP
- MS PROJECT
- SALES/FIN SYSTEMS
ANALYSIS
- SUPPLY CHAIN INTERRUPTION
- LOSS OF FACILITIES
- CUSTOMER, COMPETITOR & MARKET RISK
- OPERATIONS ISSUES
- PROCESS GAPS & CHANGES
- ETC.
RISKVIEW ADAPTERS
COLLECTION & ABSTRACTION
Quantifiable business justification, demonstrable & immediate ROI
Vulnerability Scores
A fact-based risk program requires normalized data, with a range of impacts tied to specific assets.
Normalized data supports a fact-based, scalable, repeatable process.
Normalized Data
The issue:
• Risks are measured differently
• How to compare them?
The Solution:
• Create a normalized risk score
• Score based on materiality of adverse business impact
Different Impacts
The issue:
• Risks have different impacts
• How to evaluate risk types?
The Solution:
• Score vulnerabilities on the type of risk they present
• Differentiate financial, legal, regulatory, and reputational risks
Asset Roles
The issue:
• Risk impact varies based on where it occurs
• How to recognize differences?
The Solution:
• Score impact based on the specific asset at risk
• Recognize differences in asset value
Pre and Post Testing
RiskView filters let users evaluate risk controls before and after they are implemented.
Pre Test
Answer questions such as…
• How will the control impact risk?
• What controls reduce risk most?
• Which control has a better return?
• What controls in what order?
Post Test
Answer questions such as…
• Were my controls effective?
• How much risk was reduced?
• What risks were avoided?
• What was the business value?
Track progress and trends over time.
Outliers Represent the Most Material Risk
22
Represents 24% of total risk
Risks Ranked By Impact
Methodology
Process
Risk Identified by Function
Cause(s) Creating Risk Identified
External Influences of Risk ID’d
Susceptibility to Risk ID’d
$ Impact of Realized Risk
Data Collected via Automated Survey
Risk and Cause Ranked
Risk-weighted $ value relevant to other risks
Changing Customer Demands
% of Submissions Not Meeting Margin Requirements Due to Customer Demands
Importance of Customer to Region
Regional Margin $ by BU
Survey Issued
Data Imported into RiskView
Margin Erosion
Example Sales Analysis
Thank you!