PUZZLE Continuous Cyber Risk Assessment service is of paramount importance for the efficient operation of SMEs & MEs since it provides a near real- time monitoring and evaluation of the security and privacy risks.
PUZZLE’s Runtime Risk Assessment Framework focuses on the entire system and networking stack of an SME/ME including all provided applications and services too. The RA framework is split into the Design-Time Phase and the Run-time Phase. The focus of the Design-Time Phase is to generate the interdependency graphs between the various assets of the SME/ME, as well as to generate the initial high-level policy metamodel, while the focus of the Runtime Phase is to take into consideration any zero-day vulnerabilities or newly identified threats and perform a policy update.
The main purpose of the framework is to evaluate the assets, components, functions, offered services and underlying infrastructure of any target SME/ME and estimate its overall level of security, in the form of a risk, taking into consideration the previously identified vulnerabilities, threats and attacks.
The main innovation of PUZZLE Risk Assessment Framework lays in the ability to consider the attack paths among the connected assets in order to calculate a more concrete risk assessment report. The PUZZLE’s Assessment Framework considers the actual dependencies among the assets and how these dependencies could lead to potential attacks give a vulnerable entry point.
For the PUZZLE Risk Assessment Engine, UBITECH’s OLISTIC Risk Assessment Framework [OLISTIC] has been used, where mathematical modules, interdependency graphs and quantification techniques are used. More specific, OLISTIC captures and analyse all threats arising from interdependencies, quantifies their cascading effects and explore cyber-attacks to mitigate and alleviate the consequences of divergent security threats. This is supported dynamically by deriving evidence-based knowledge of data acquired from online sources and repositories, such as NIST Risk Management Framework repository. The OLISTIC methodology was enhanced and tailored to consider vulnerabilities for the specific type of ecosystems, mainly from SMEs/MEs, by using the latest version of the CVSS score.