ThreatConnect released ThreatConnect Risk Quantifier 5.0 (RQ 5.0), continuing its innovation in the emerging field of cyber risk quantification.
ThreatConnect Risk Quantifier (RQ – formerly Nehemiah Risk Quantifier) enables the identification of the risks that matter most to the organization by quantifying them based on potential financial and operational impact, unifying security and the business to a common goal.
This quantification relies on generally accepted risk models such as the popular Factor Analysis of Information Risk (FAIR) model, among others. It is also established in part by, and continuously informed by, your internal environment, threat intelligence, vulnerability management, operations and response data found within ThreatConnect and other integrations.
RQ is distinctly different from other approaches offered in the market as it focuses on automation and data integration, and delivers value in days and weeks as opposed to months and years.
Companies cannot effectively prioritize vulnerabilities by leveraging risk scores alone. Effective prioritization requires an understanding of the impact an unmitigated vulnerability could have to the business.
By quantifying risk, based on possible losses from business interruption and response, vulnerability exposure can be directly linked to the business services that are affected.
With RQ 5.0, security professionals for the first time have a way to understand the potential financial risk that Common Vulnerabilities and Exposures (CVE’s) introduce to an organization and prioritize those CVE’s that could lead to the greatest financial loss if an attacker succeeds.
RQ 5.0 takes into account existing technical scoring methods, including CVSS Scores, and uses that data as a weighting for the financial impact.
“This is an important capability that businesses have been demanding and that other vendors cannot address,” said ThreatConnect Vice President of Cyber Risk Strategy Gerald Caponera.
“Now, through integration with your vulnerability management software, we are able to help organizations handle the flood of CVEs they get every day and prioritize them based on the quantified financial risk each introduces to the specific business – ultimately bringing relevancy and focus to the security team.”
RQ 5.0 also introduces support for multiple security control frameworks, including the NIST Cybersecurity Framework and the Center for Internet Security Controls. Now customers can have their prioritized recommendations based on the framework of their choice.
“Businesses also need a way to identify gaps in their program and the risk those gaps represent to the organization,” Caponera said. “With RQ 5.0 they can show the business solid numbers that support a prioritized list of recommendations based on the framework of their choice and their organization’s tolerance for financial risk by application.”
Another new feature of RQ 5.0 includes a powerful ‘what-if’ impact analysis tool that allows security leaders to model changes to application security control levels in a sandbox environment.
Running the models enables security leaders to communicate to the C-Suite how increasing investment in security controls can lower the annualized loss expectancy stemming from the organization’s highest priority risks.
Using a risk-led approach to cybersecurity makes prioritization easy for security teams, enabling them to filter out noise and focus on what matters most. With CRQ, TIP and SOAR capabilities combined, ThreatConnect unifies the actions of the security team around the most critical risks, supports their response with streamlined and automated workflows and strengthens the entire security ecosystem through powerful technology integrations.