Tuesday, 12 September 2023 14:56

Black Kite Looks to Offer a Better View of Risk in a Rapidly Changing Threat Landscape


Black Hat 2023 – Las Vegas. Risk is an interesting subject and has many different meanings to many different people. For the most part, risk breaks down into a few categories depending on who you are talking to: cyber risk, financial risk, and reputational risk. Although these are certainly not the full extent of risk, they are some of the most common. One of the biggest challenges with them is that they are usually built and tracked by different groups inside an organization, each with its own goals and motivations. Because of this, they can be at odds with each other. This is where risk platforms come into play: they can add outside context, which helps combine the risk types into a coherent message. We talked to one of these vendors, Black Kite, while at Black Hat to see how they approach this.

Black Kite is a third-party risk management provider that claims to offer a view of risk from three dimensions: risk quantification, technical cyber risk, and compliance correlation. While these three can be found in other platforms in various forms, it is the gathering, parsing and compilation of the data points that makes Black Kite stand out from the crowd. During our conversation we went through these differences in some technical detail.

In order to be an effective platform for addressing risk, Black Kite started with existing standards. They currently use 292 controls to build out their risk profile. From there they use open-source intelligence and review of past breaches to identify attack vectors in common use to which an organization might be exposed. This intelligence is part of a continuous monitoring effort aimed at cyber risk in particular. With their platform they are also able to gather information on third-party vendors to understand how those vendors' own cybersecurity postures affect an organization. This can extend to fourth or even fifth parties as they build out the connecting links and the identified risks associated with each layer. This is part of their vendor mapping effort.

As with all intelligence products, there is a lot of data behind it. Black Kite says they have more than 1,000 sources for gathering risk information. These sources are used to identify publicly available information and compile it into a risk profile of the organization in question. It all starts with a domain name, and from there they are off and running. The Black Kite platform currently has more than 35 million profiles already available, and these are updated as more information is discovered.

Collecting this type of information allows for proactive warnings about particular types of risk. The discovery of leaked credentials on a dark web marketplace would be flagged as a warning, as would any information indicating that a ransomware attack is likely, or that one has already happened to a vendor and may not have been reported (the vendor's name shows up on a leak site).

Building a risk profile for your organization is a great thing, and one that can be used to inform spending, future vendor relations and even an audit. Black Kite mentioned that their reports can be used as an independent review for compliance and audit purposes, which is nice (you should hear this in Bill Murray's voice from "Caddyshack").

Speaking of compliance, Black Kite also has systems for policy review. In this instance they use an LLM which is not directly exposed to the client. The policy in question is uploaded and reviewed by the LLM for completeness and to ensure it meets the scope of the regulation it is intended for. It is then subjected to additional review for policy gaps. There are currently 15 frameworks and regulations incorporated into this, and more can be added based on customer needs. You can also combine frameworks as needed. I know that in the past, where there was overlap between PCI and HIPAA, pulling the individual reports and then contrasting them to ensure we met both was a pain in the ass, so being able to build this on the front end and review documentation against a combined framework is very helpful.

All of these items are fantastic on their own, but there is one feature of Black Kite that I find very attractive: the quantification of identified risks. Speaking as someone who has built out a risk report, identified gaps in policies and then presented it to finance and the CFO, I have always been more than disappointed to see how they calculate the potential financial impact of identified items. Black Kite provides a check of the math here, giving a relatively neutral review of how costly existing risks are to an organization. This type of information is vital to moving from "cybersecurity is a cost" to "cybersecurity is a method for protecting and expanding revenue". It is also, by the way, a requirement for some regulatory bodies and insurers. Being ignorant of your true financial risk can be a bit of a problem come audit time, or if there is an actual incident. Depending on the size of your company, it can also play into the fun conversation around materiality.

The three components that Black Kite offers in their platform to build and understand inherent risk are certainly complementary. They can give security and operational teams a good view of where they stand in terms of exposure. This can and should be used to properly plan spending and changes in how an organization functions. It should be a welcome addition, as many organizations do not have the staffing to address this, and we all know due diligence questionnaires for vendors do not work in the real world. As threat groups continue to expand their attack vectors and the danger of compromise via a third or even fourth party grows, having Black Kite available to provide important insight is not a bad idea at all.
