DeNexus Blog - Industrial Cyber Risk Quantification

DeNexus & DeRISK FAQs: Your Questions Answered

Written by DeNexus | May 2, 2024 12:14:22 AM
Most frequently asked questions about DeNexus and its platform, DeRISK™.

How does DeNexus ensure data privacy and security?

DeNexus is SOC 2 Type II compliant and maintains a strict security program that addresses our platform, DeRISK, the data we process, and our general practices. The program is enforced for all employees, engineers, and market-facing resources. Cybersecurity and specifically data security best practices are deployed throughout the organization.

DeNexus submits its DeRISK platform for an annual SOC 2 Type 2 audit to ensure the appropriate safeguards are applied to customer data and evaluate how well those controls are operating. Additional information is available via the DeNexus Trust Center.

How can I trust your models?

DeNexus has dedicated 3 years of research and development with a team of experienced AI specialists and PhDs to build its risk modeling capabilities.

The models leverage and expand existing cyber frameworks (the FAIR Institute and MITRE ATT&CK) with proprietary techniques and models custom-developed for the unique context of each industry sector.

Most importantly, the models are not static; they are expanded and refined as the cyber threat landscape evolves.

Today, the DeNexus team of data scientists and data modelers consists of 4 PhDs and several post-graduates representing a combined 50+ years of experience in AI. Since 2020, the team has engaged with top universities in Europe on research programs related to cyber risk.

How does DeNexus collect data to feed its cyber risk models?

DeNexus relies on inside-out and outside-in data to identify vulnerabilities. More than 50 data sources come into play to compile the most accurate understanding of cyber risk in a specific industry sector. External data is combined with inside telemetry to develop the most accurate understanding of risk for each individual facility that is part of a company's portfolio of industrial sites.

Internal telemetry is provided through integration with deployed cybersecurity solutions such as Intrusion Detection Systems (IDS). We recommend such integration to facilitate the continuous update of risk output. For data that require manual input, we have templates to simplify data ingestion and make it as easy and productive as possible for your team.

What cybersecurity solutions do I need for DeNexus to provide accurate output?

Most entities have an IDS deployed for DeNexus to integrate with. If not, our platform, DeRISK, can still produce outputs but these will be less granular and less refined, relying on industry and historical data to model cyber risk.

How long does it take to input the answers into your system?

From our experience with several hundred sites in production, data input can be completed as quickly as one week. To minimize delays, our professional services team will share the required data and templates to receive data as early as possible.

How many people need to be involved to answer your questionnaire?

It mostly depends on the structure of the team supervising the cybersecurity of the Operational Technology (OT)/ICS environment and cyber-physical systems.

What is the DeNexus pricing model?

DeRISK is deployed as a SaaS solution and is subscription-based.

How do I run reports?

All analysis and executive reports are dynamic and available to registered users through our user-friendly portal. What-if analysis on risk mitigation projects can be run on-demand on the DeRISK platform with outputs and reports refreshed automatically.

How often is the information updated?

DeNexus continuously ingests new data and updates its output on a weekly basis. 50 million simulations are run weekly on each site monitored to keep cyber risk analysis up-to-date.

Can I get my version of a security framework in the product?

Not at this point. DeRISK supports the US NIST Cyber Security Framework (CSF), which is widely adopted in the US, and ISO 27001. The DeNexus proprietary framework (DNX CSF) is inspired by IEC 62443 and NIST CSF and adds controls that we believe are essential to cybersecurity. If you have specific security controls that are not captured by the three frameworks available, we can consider adding them to the DeNexus framework.

DeNexus has also mapped its data and output to the requirements of SEC S-K Item 106 for public entities regulated in the US. Mapping to NIS-2 for the European Union is in development.

Feel free to submit additional questions by contacting us here.