What is our Methodology?
Cyber Threat Susceptibility Assessment (CTSA), developed by MITRE, is a methodology for evaluating a system's susceptibility to cyberattacks. CTSA quantitatively assesses a system's inability to resist a cyberattack over a range of cataloged attack Tactics, Techniques, and Procedures (TTPs).
To generate the cyber risk rating, NormShield only needs the company domain. The engine collects information from VirusTotal, passive DNS servers, web search engines, and other Internet-wide scanners, as well as NormShield's proprietary databases, which hold more than 10 billion historic items. The engine searches the databases to find all IP address ranges and domain names that belong to the company. NormShield uses Open Source Intelligence (OSINT) to gather this information. The following map shows how hackers can leverage their attack vectors by using OSINT resources like hacker forums, social networks, Google, leaked database dumps, paste sites, or even legitimate security services like VirusTotal, Censys, Cymon, Shodan, or Google Safe Browsing.
NormShield compiles this data into a simple, understandable report with letter-grade scores to help identify and mitigate potential security risks. The platform identifies the risks (CVE/CWE), the risk score of the corresponding vulnerabilities/weaknesses (CVSS/CWSS) and attack patterns (CAPEC/FIPS-199 impact level). NormShield also classifies the findings into FISMA Cyber Security Framework Area and Maturity Level, NIST 800-53 Control Family, FIPS-200 Area, and NIST 800-37 Process Step. NormShield does all of this without scanning or modifying any of the organization’s business assets.
Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company. Areas of monitoring include supplier and vendor information management, corporate and social responsibility compliance, supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, information security (infosec) compliance, performance measurement, and contract risk management. The importance of third-party management was elevated in 2013 when the US Office of the Comptroller of the Currency stipulated that all regulated banks must manage the risk of all their third parties.
NormShield aggregates hundreds of data sources from open-source intelligence (OSINT). We then utilize the MITRE CTSA as a foundational scoring matrix to map all vendors in our system using a golden industry standard.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization's operational risk profile. Investors, governments, the public and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
NormShield is the right choice for cyber risk rating services because of our unique 3D Vendor Risk @ Scale. We offer comprehensive assessments from a cyber, compliance and financial perspective. Tying in various levels of automation, open standards and a comprehensive list of data control points allows us to scale to our customers' needs. The choice is simple!
NormShield uses non-intrusive assessments to scan the cyber risk posture of any organization at any given moment in time. We don't use intrusive vulnerability scanners like Nessus, Netsparker, Acunetix, Nexpose, Nmap, OpenVAS, and others. Our passive scan does not touch the target company's assets. Instead, we find the required data on the internet, including search engine caches, archive[.]org, internet-wide scanners, VirusTotal, PassiveTotal, hacker sites, paste sites, the deep/dark web, etc.
No. NormShield's data sources are all external/open-sourced and require no internal access from a vendor or supplier.
Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. Both hackers and legitimate security companies continuously scan social media websites and networks for information on vulnerabilities, and publish their findings on the internet. The map below shows how hackers can leverage their attack vectors by using OSINT resources, namely hacker forums, social networks, Google, leaked database dumps, paste sites, and even legitimate security services like VirusTotal, Censys, Cymon, Shodan, and Google Safe Browsing. NormShield's Risk Assessment gathers data from all these sources and performs contextualization and analysis to convert data into risk intelligence.
To generate the risk assessment, NormShield only requires a company’s domain name. NormShield’s asset-discovery engine collects the related information from VirusTotal, PassiveTotal, web search engines, and other Internet-wide scanners. NormShield has one of the largest IP & Domain Whois databases holding more than one billion (1B) historical items. The asset-discovery engine searches the database to find all company-related IP address ranges and domain names.
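The passive asset-discovery pivot described here and in the methodology answer above, as an added illustration (not NormShield's engine or code): starting from a seed domain, passive DNS observations give IP addresses, Whois netblock registration decides whether a netblock may be attributed to the organisation, and other names resolving into attributed netblocks become candidate assets. Every record, domain name and organisation name below is constructed; the shared-hosting case shows why expansion must stop at netblocks registered to someone else.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed sample feeds; a real engine would read passive-DNS and Whois databases.
PASSIVE_DNS = [  # (hostname, IP it was observed resolving to)
    ("www.example-corp.test", "203.0.113.10"),
    ("mail.example-corp.test", "203.0.113.20"),
    ("legacy.example-corp.test", "198.51.100.7"),  # org host on shared hosting
    ("shop-examplecorp.test", "203.0.113.30"),     # other domain, org-owned netblock
    ("unrelated.test", "192.0.2.5"),               # co-tenant: must never be claimed
]
WHOIS_NETBLOCKS = {  # CIDR -> registered organisation (constructed)
    "203.0.113.0/24": "Example Corp",
    "198.51.100.0/24": "Cloud Hosting Ltd",
    "192.0.2.0/24": "Cloud Hosting Ltd",
}

def netblock_for(ip):
    """Return (cidr, owner) of the Whois netblock containing ip, or (None, None)."""
    addr = ip_address(ip)
    for cidr, owner in WHOIS_NETBLOCKS.items():
        if addr in ip_network(cidr):
            return cidr, owner
    return None, None

def discover_assets(seed_domain, org_name, pdns=PASSIVE_DNS):
    """Pivot seed domain -> IPs -> org-owned netblocks -> further hostnames. Expansion never
    passes through a netblock Whois attributes to another org, so co-tenants are not claimed."""
    hosts = {h for h, _ in pdns if h == seed_domain or h.endswith("." + seed_domain)}
    ranges, shared, queue = set(), set(), deque(hosts)
    while queue:
        host = queue.popleft()
        for h, ip in pdns:
            if h != host:
                continue
            cidr, owner = netblock_for(ip)
            if owner != org_name:
                shared.add((host, ip))  # someone else's block: record, do not pivot through it
                continue
            ranges.add(cidr)
            for h2, ip2 in pdns:  # every name landing in an org-owned block is a candidate
                if ip_address(ip2) in ip_network(cidr) and h2 not in hosts:
                    hosts.add(h2)
                    queue.append(h2)
    return {"hosts": sorted(hosts), "ip_ranges": sorted(ranges), "shared_hosting": sorted(shared)}
```

The `shared_hosting` entries are the organisation's own names that resolve into infrastructure registered to a third party; they belong in the inventory but give no basis for claiming their neighbours.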
Open FAIR is an open-source framework for quantifying risk in financial terms. This model allows businesses to speak in one language about their overall risk when it comes to third parties. NormShield uses the FAIR model in a unique way to quantify probable financial risk dynamically and at scale.
NormShield’s Compliance module helps you streamline the compliance of a vendor you are engaged with. Our platform currently includes a myriad of standards and frameworks, such as NIST 800-53, ISO 27001, GDPR, CIS CSC-20, and NIST 800-17. NormShield also has a built-in integration with the Shared Assessments SIG questionnaire to further help organizations leveraging this toolset.
NormShield has a built-in case management system to make interacting with your vendors a breeze. Vendors can easily review findings assigned to them and ensure data points are remediated appropriately. We can also directly integrate with ServiceNow to provide this same set of features from your existing case management system.
NormShield provides an automated remediation plan for each one of your vendors. In our Strategy Report, we highlight the vendor’s current posture and outline a set of prescriptive steps designed to advise them on improving their cyber risk posture and reducing financial risk.