GreySpark is a solution for measuring and managing organizations’ IT security risk. GreySpark ingests information security metadata from a large range of existing sensors, applies the risk model to the data, and presents it in a way that’s helpful to risk and financial executives, as well as the IT people who need to drill down into details.
From a technical perspective, the customer installs a single data collection agent inside the network. A cloud variant of the agent can be used, but the company prefers to use the on-premise virtual appliance. The purpose of the agent is to receive data via syslog, SNMP or RESTful APIs from sensors such as firewalls, intrusion detection systems, antivirus solutions, and so on. In case you already use a different log manager or SIEM solution, even better – you can pull that data as well.
The risk model
The model that GreySpark is based on was initially pioneereed and created by SRC, Inc. for a US government SOC. It proved to be a great success for managing and reducing risk, so in May 2015 SRC decided to offer it as a product via the newly incorporated FourV Systems.
We live in the age of Big Data – everyone is talking about it and every organization generates a great deal of it. GreySpark collects the data, normalizes it and finally applies custom risk analytics. The result of this process are six key risk indicators, as well as a general risk index for the IT organization.
These risk indicators include:
- New threat: Things that are happening in your networks that weren’t recently identified or aren’t common.
- Technical debt: Workload needed to remedy the issues; risk score adjusted depending on the importance and severity of detected threats.
- Opportunity risk: How severe are the risks, as the system sees them.
- Defense effectiveness: Is the security team dealing with recurring problems – the same type of malware entering the network or reappearing of vulnerabilities that were previously patched on other systems?
- Score history: Is there enough collected data to be confident regarding the scoring?
- Surface area: Can we see everything we should see and are there any blind spots in the network environment?
Besides the risk scores as seen through the mentioned indicators, the quick risk analysis can be done by looking at the heatmap. Its axes include Volume and Severity and shows which departments in your organizations are contributing to the higher total risk score. In addition to the number of events and red/yellow/green status badges, you can also analyze each department’s current trend.
Analyzing the data
The GreySpark user interface comes in dark and corporate white/blue themes and is based on the powerful Angular framework. Visually, it is flawless. All the graphical elements have a high end corporate look, the web application flow is immaculate and with literally a few clicks you can get to every aspect of the data you want to examine. The interface has two main screens – the Scorecard and the Dashboard. Scorecard is the first screen you’ll get to and it renders a selection of risk indices.
Dashboard goes deeper from the high-level and provides the customer with a diagnostic view of every risk indicator across a chosen timeframe. It is easy to zoom, segment and get down to details. By just looking at the charts, without any further effort, you can identify the moment when something went good or bad, causing a change in the risk score. A neat addition to zooming for details are journal entries. These are textual notes that could (or better say should) accompany every bigger change to the network.
In the example above, an IPS solution was activated. This action will impact the risk score from then on, so with an accompanying journal entry it will be easier to comprehend the correlation between deploying a new technology and the change in perceivable risk. Annotations are also available from the “Journal Entry” screen, and can be used as a browsable manifest of changes done in a specific timeframe. GreySpark supports two classes of users – the admin and the regular user. The regular user can just view data and the only modification he or she can do to the system is adding journal entries.
Everything you see in the GreySpark user interface is API-driven, so customers who, for instance, have different reporting requirements or need to pull the data into other systems, can use the API customization options. XML and JSON is available for all the data and CSV for the most of the data sets.
The five click rule
Just a couple of weeks ago, FourV Systems released a major update to the solution, bringing it up to version 2.0. One of the notable additions is something that could be called a “five click rule”. You will need just five clicks to move from an executive perspective (topped with figures and charts) to the bare-bottom technical analysis of the actual sensor event (as seen on the image below). Focusing on both worlds, GreySpark bridges the gap between the high-level management-centric data and “SIEM level” technicalities.
GreySpark provides a couple of different reports. Executive summary is a one-page document with high-level data based on the current status of the main risk indicators. It contains a descriptive summary (stressing the risk score difference in correlation to a previous time period) and the risk contributors heatmap.
The Risk narrative report is more detailed and spreads over 12 pages. After the obligatory summary, it shows data and charts related to different event types – per domain specifics, per-sensor data, severity (as shown on the screenshot above), as well as the analysis of the main risk indicators. The report ends with cyber risk gap analysis (pie chart bundled with identified reasons for the gap) and a two page glossary for a better comprehension of the figures in the report.
Administrators can set up many configurable alerts that will pop up when something occurs that changes the defined risk indicators.
FourV’s GreySpark is a powerful solution that takes a huge amount of data, does its “secret sauce” risk modelling (which is, nevertheless, completely transparent via the drill-down diagnostics) on it, and provides a treasure trove of easily understandable and comparable data.
What’s important is that the generated data will be invaluable to both executives that need to understand and act upon the level of risk to the organization, as well as the technical staff that will use the provided data to remedy issues and enhance the company’s security posture.