# Control Verification

[[Control Verification]] is a top-level [[Cybersecurity]] capability, used to verify controls ahead of adversary attacks to ensure thresholds are being met and adversary resilience exceeds its tolerances. It is common for customers to request that an organization perform security tests to provide assurance that its data and assets are kept safe.

## Map

```mermaid
<!-- element style="width:90%; height:auto" -->
graph TD
Top[[Cybersecurity]] --- D[[Control Verification]]
D --- D.1[[Attack Surface Enumeration]]
D --- D.2[[Resilience Testing]]
D --- D.3[[Risk Prioritization]]
D --- D.4[[Remediation Management]]
D --- D.5[[Assurance Reporting]]

%% Class Definitions
%% =====================
class Top,A,A.1,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white;
class Top cssClassL0;
classDef cssClassL0 fill:black,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
class A,B,C,D,E cssClassL1;
classDef cssClassL1 fill:darkblue,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
class A.1,A.2,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2;
classDef cssClassL2 fill:blue,stroke:#333,stroke-width:4px,font-size:15px,font-color:white;
class D cssClassCurrent;
classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white;
```

## Definition

> [!cm-definition] Definition
> Control verification is a set of capabilities that aim to pressure test cyber defenses from an adversary perspective to determine if they are operating within threshold on a continuous basis, so that weaker assets are remediated or placed under heightened monitoring.

## Goals

>[!cm-goal] Goal 1
>**Adversary Driven Testing** - All tests are performed to surface the securability of an asset from an adversary perspective.

>[!cm-goal] Goal 2
>**Complete Coverage** - Total testing and verification coverage is evaluated with findings to ensure assets are secured according to threshold.

>[!cm-goal] Goal 3
>**Verified Compliance** - Testing and control verification provides a measure of control effectiveness that also operates to satisfy control assessments and audits.

>[!cm-goal] Goal 4
>**Risk Prioritization** - Weak assets can be prioritized for remediation and alert correlation, with risks coordinated back to the organization's risk matrix.

## Scope

The scope of Control Verification covers all assets identified by Adversary Research which need to be verified resilient within the tolerances required by the business, from inception through end-of-life.

## Process

```mermaid
flowchart LR
A1[Test Plan <br /> as Input] --> B[1. Enumerate <br /> Attack Surface]
A2[Thresholds <br /> as Input] --> B
A3[Exploits <br /> as Input] --> B
A1 ~~~ A3
A3 ~~~ A2
B -.-> F
A1 --> C[2. Test <br /> Resilience]
A3 --> C
B --> C
C -.-> F
A1 --> D[3. Prioritize <br /> Findings for Risk]
A2 --> D
C ~~~ D
D -.-> F
A1 --> E[4. Manage <br /> Remediation]
A2 --> E
D ~~~ E
E -.-> F[Send output to Security Data Lake]
A1 --> G[5. Report <br /> Weaknesses]
A2 --> G
E ~~~ G
F --> G
G -.-> F
F --> Stakeholders
G --> Stakeholders
```

## Metrics

>[!cm-metric] Metric: [[Mean Time to Identify Finding]]

>[!cm-metric] Metric: [[% of Issues Remediated within a 30 day period]] (Fixed Rate)

>[!cm-metric] Metric: [[% of Issues fixed that exceed SLA]] (Out of SLA)

>[!cm-metric] Metric: [[Average Time to Patch]]

>[!cm-metric] Metric: [[Asset Controls Operating within Threshold]]

>[!cm-metric] Metric: [[Assets Operating within Assigned Thresholds]]

>[!cm-metric] Metric: [[% of Assets within Threshold vs. Total Assets]]

## Inspiration & Resources

+ https://www.cisa.gov/known-exploited-vulnerabilities-catalog
+ https://nvd.nist.gov/
+ https://cve.mitre.org/
+ https://cwe.mitre.org/
+ https://www.first.org/cvss/
+ https://www.first.org/epss/

## Release Notes

+ [[Q4 2023 Release#Document L1 for Control Verification]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.
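The metrics listed under Metrics above (Mean Time to Identify Finding, Fixed Rate, Out of SLA, Average Time to Patch, and % of Assets within Threshold vs. Total Assets) can be computed directly from a findings register. The following is an added example, not code from the Cyber City Map page or from ThirdScore: the `Finding` data model, the per-severity `THRESHOLDS` tolerance, the 30-day window and SLA conventions, and the asset and finding data are all constructed assumptions. It also handles one edge case the metric names leave open: an open finding that is younger than the 30-day window is not yet decidable for the Fixed Rate, so it is excluded rather than counted as a miss.

```python
# Added example: computing the Control Verification metrics listed above over
# constructed findings data. Not part of the Cyber City Map page; the data model,
# the per-severity THRESHOLDS and the window/SLA conventions are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str            # "critical" | "high" | "medium" | ...
    introduced: date         # assumed date the weakness first existed on the asset
    identified: date         # date a test surfaced it
    fixed: Optional[date]    # None while the finding is still open
    sla_days: int            # remediation SLA assigned to this finding


# Assumed per-asset tolerance: maximum number of OPEN findings of each severity an
# asset may carry and still count as "operating within threshold".
THRESHOLDS: Dict[str, int] = {"critical": 0, "high": 1, "medium": 3}

# Constructed inventory and findings (not real assets or test results).
ASSETS: List[str] = ["web-01", "api-02", "db-03", "vpn-04"]
AS_OF = date(2024, 3, 31)
FINDINGS: List[Finding] = [
    Finding("web-01", "critical", date(2024, 1, 1), date(2024, 1, 10), date(2024, 1, 20), 14),
    Finding("web-01", "high", date(2024, 1, 5), date(2024, 2, 4), date(2024, 3, 20), 30),
    Finding("api-02", "medium", date(2024, 2, 1), date(2024, 2, 11), None, 90),
    Finding("db-03", "critical", date(2024, 3, 1), date(2024, 3, 5), None, 14),
    Finding("api-02", "high", date(2024, 1, 15), date(2024, 1, 25), date(2024, 2, 4), 30),
]


def _days(start: date, end: date) -> int:
    return (end - start).days


def _mean(values: List[int]) -> float:
    return sum(values) / len(values) if values else 0.0


def _pct(part: int, whole: int) -> float:
    return 100.0 * part / whole if whole else 0.0


def asset_within_threshold(asset: str, findings: List[Finding]) -> bool:
    """True if the asset's OPEN findings per severity are all at or below THRESHOLDS."""
    open_counts = Counter(f.severity for f in findings if f.asset == asset and f.fixed is None)
    return all(open_counts[sev] <= limit for sev, limit in THRESHOLDS.items())


def compute_metrics(findings: List[Finding], assets: List[str], as_of: date,
                    window_days: int = 30) -> dict:
    """Return the page's metrics as a dict. Durations are measured in days."""
    fixed = [f for f in findings if f.fixed is not None]

    # Mean Time to Identify Finding: how long a weakness existed before testing surfaced it.
    mtti = _mean([_days(f.introduced, f.identified) for f in findings])

    # Average Time to Patch: identification -> fix, over fixed findings only.
    attp = _mean([_days(f.identified, f.fixed) for f in fixed])

    # Fixed Rate: share of findings remediated within window_days of identification.
    # Edge case: an open finding younger than the window is not yet decidable and is
    # excluded from both numerator and denominator rather than counted as a miss.
    decidable = [f for f in findings
                 if f.fixed is not None or _days(f.identified, as_of) > window_days]
    in_window = [f for f in decidable
                 if f.fixed is not None and _days(f.identified, f.fixed) <= window_days]
    fixed_rate = _pct(len(in_window), len(decidable))

    # Out of SLA: share of fixed findings whose fix took longer than their SLA.
    over_sla = [f for f in fixed if _days(f.identified, f.fixed) > f.sla_days]
    out_of_sla = _pct(len(over_sla), len(fixed))

    # Assets within threshold vs. total assets (assets with no findings count as within).
    within = [a for a in assets if asset_within_threshold(a, findings)]
    out_of_threshold = [a for a in assets if a not in within]

    return {
        "mean_time_to_identify_days": mtti,
        "average_time_to_patch_days": attp,
        "pct_fixed_within_window": fixed_rate,
        "pct_fixed_out_of_sla": out_of_sla,
        "pct_assets_within_threshold": _pct(len(within), len(assets)),
        "assets_out_of_threshold": out_of_threshold,
    }


if __name__ == "__main__":
    for key, value in compute_metrics(FINDINGS, ASSETS, AS_OF).items():
        print(f"{key}: {value}")
```

The `assets_out_of_threshold` list is the input the Risk Prioritization and Remediation Management steps of the process consume: it names the assets whose open findings exceed their assigned tolerance, which is what the threshold metrics are meant to surface. Timestamps for `introduced` are rarely known exactly in practice; where only the identification date exists, Mean Time to Identify cannot be computed and should be reported as unavailable rather than as zero.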