Digital resilience cycle

QinetiQ’s enterprise-level, managed cyber security services deliver continuous, real-time situational awareness of the market, the supply chain, internal compliance, risk mitigation and the overarching threat profile. This enables you to make informed decisions about the best way to respond to threats and to securely manage the development of your operations. QinetiQ’s approach is based on a continuous cycle designed to evolve and strengthen the organisation's position. Depending on their level of maturity, customers can enter the cycle at any stage.

Step 1: Vulnerability Analysis and Assessment

How well do my security controls address technical, people and process weaknesses?

The first step on the pathway is to identify your current context and vulnerabilities. Adopting the stance of an adversary, our penetration testing and red team will challenge your organisation from all angles, deploying a range of analysis and testing techniques including social engineering scams, human testing, technical testing and policy adherence testing.

This step should be repeated at the end of the cycle to test the defences you have put in place and to identify whether any new vulnerabilities in your security have appeared.

Step 2: Cyber Threat Detection

Is there anything bad on my network now?

The second step in the process identifies any immediate threats. We will monitor your network to identify any anomalies, unusual events or trends that might indicate your current networks have been compromised. Monitoring will also help to build situational awareness of the technical status of your networks.

Step 3: Static Cyber Risk Modelling and Mapping of Information Flows

How good should my defences be?

The third step in the process will establish a baseline risk profile and analyse the impact of cyber risks on business risk. This will enable the enterprise to prioritise its efforts and focus on the most important assets requiring protection. We will use our proprietary Cyber ADVANTAGE (CyAD) graphical modelling technique to provide a true view of cyber risk across the enterprise. Its visual nature facilitates effective communication between security, IT and business analyst teams.

Information flows around the enterprise will also be mapped and used to define information exchange requirements. The security architecture will then be mapped, which in turn will inform identification of the appropriate protective security controls.

Step 4: Dynamic Risk Modelling

How can I continuously see the threats affecting my business?

Step four involves progressing to dynamic cyber risk modelling. Building on the baseline risk profile, we will create a user-friendly dashboard underpinned by the correlation of inputs including network monitoring logs, real-time event capture utilising thousands of indicators of compromise, enterprise application security labelling alerts, detected network anomaly data and attack path analysis feeds. The dashboard provides a real-time view of system status with drill-down into detail, which helps prioritise investment decisions and informs decisions on mitigation activity if an event occurs on the system.

Step 5: Threat Mitigation and Risk Treatment Plan

How do I mitigate the threats to my business?

In step five, threats to the enterprise are detected and appropriate mitigation activities are launched together with a risk treatment plan.

The lessons learned, mitigation success metrics, analyst threat intelligence and risk absorption decisions are fed back into the dynamic risk modelling. This ensures that the mitigation against new and sophisticated threats remains the most appropriate as the threat landscape fluctuates, and that threat trends and patterns can emerge and be leveraged to allow the enterprise to become more proactive and even to predict threats.

Step 6: Measurement of Security Controls

How effective and appropriate are my security controls against the rapidly changing threats and risks to my organisation?

At this final stage in the cycle, we will measure the security controls and evaluate their effectiveness in response to an actual threat and the instigation of a risk treatment plan. This will allow the organisation to adapt the controls in response to a highly dynamic threat and operational environment.