Introduction to MONARC
Optimised Risk Analysis Method
SECURITYMADEIN.LU / CASES
Cyberworld Awareness and Security Enhancements Services
April 19, 2022
Team CASES Introduction to MONARC April 19, 2022 1 / 30
Who we are
SECURITYMADEIN.LU
Our history:
2003: Cyberworld Awareness and Security Enhancement Services
(CASES);
2007: Computer Incident Response Center Luxembourg (CIRCL);
2010: SECURITYMADEIN.LU is a GIE (Groupement d’Intérêt
Économique);
2017: Cyber security Competence Center (C3).
CASES is an initiative of the Ministry of Economy, started after the "I love you"
worm decimated more than 3 million computers in less than a week.
CASES
Mission
Foster cyber security by supporting Luxembourg administrations and SMEs.
Services
Awareness: publications of articles and videos;
Trainings: introduction to cyber security for different audiences;
Software: MONARC, MOSP, Fit4Cybersecurity, etc.
Cooperations
ANSSI-LU, Centre for Cyber Security Belgium, KonzeptAcht GmbH, ILR,
GRC-Luxembourg and others.
Content at a glance
1 What is MONARC?
2 The method
3 The tool
What is MONARC?
Summary
1 What is MONARC?
An open source software
A community
A method
2 The method
3 The tool
An open source software
MONARC is the tool you need for an optimised, precise and repeatable risk
assessment.
Web application (SaaS, self-hosted, virtual machine, etc.);
source code [1]: GNU Affero General Public License version 3;
data: CC0 1.0 Universal - Public Domain Dedication.
MONARC is easy to use.
Used and recognized by experts from different fields (not only information
security).
For many users, it started with a spreadsheet!
[1] https://github.com/monarc-project
A community
more than 260 organizations:
https://my.monarc.lu;
17 organizations sharing MONARC objects (threats, assets,
recommendations, etc.):
https://objects.monarc.lu;
a global dashboard with trends about threats and vulnerabilities:
https://dashboard.monarc.lu;
discussions on GitHub:
https://github.com/monarc-project/MonarcAppFO/discussions.
A method
Based on ISO/IEC 27005:2011, but optimized
The method
Summary
1 What is MONARC?
2 The method
Management of risk
An optimized method
3 The tool
The method Management of risk
A Structured, Iterative and Qualitative method
Structured: 1, 2, ..., n.
Iterative: Plan, Do, Check, Act
Qualitative: Values / Consequence
Impact/Consequence, Threat,
Vulnerability;
reputation, image;
operation;
legal;
financial;
person (to the).
Possibility to define custom scales for
operational risks.
Automated and simplified management
Method based on ISO/IEC 27005
Automated and simplified management
Sub-stages provided by the method are also in line with ISO/IEC 27005
Information risks
R = I × T × V
impact on Confidentiality Integrity Availability;
on secondary assets.
Operational risks
R = I × P
impact by default on ROLFP (possibility to define custom scales);
on primary assets.
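The two formulas above, worked through as an added example (not code from MONARC or from the presentation): information risk R = I × T × V is computed per C/I/A criterion on secondary assets that take their impact from the primary asset, and operational risk R = I × P is computed per ROLFP criterion on the primary asset.
Assumptions: P is read as probability, a secondary asset keeps its own impact value where one is set and otherwise inherits its parent's, the affects parameter (which criteria a threat touches) is hypothetical, and all asset names and scale values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

CIA = ("C", "I", "A")               # confidentiality, integrity, availability
ROLFP = ("R", "O", "L", "F", "P")   # reputation, operation, legal, financial, person

@dataclass
class Asset:
    name: str
    parent: Optional["Asset"] = None
    impact: dict = field(default_factory=dict)  # CIA values set on this asset only

    def effective_impact(self) -> dict:
        """CIA impact after inheritance (assumed rule: own value wins, else parent's)."""
        base = self.parent.effective_impact() if self.parent else dict.fromkeys(CIA, 0)
        return {**base, **self.impact}

def information_risk(asset, threat, vulnerability, affects=CIA):
    """R = I x T x V for each criterion the threat affects; returns (detail, max)."""
    impact = asset.effective_impact()
    detail = {c: impact[c] * threat * vulnerability for c in affects}
    return detail, max(detail.values(), default=0)

def operational_risk(impacts, probability):
    """R = I x P for each ROLFP criterion; returns (detail, max)."""
    unknown = set(impacts) - set(ROLFP)
    if unknown:
        raise ValueError(f"not a ROLFP criterion: {sorted(unknown)}")
    detail = {k: i * probability for k, i in impacts.items()}
    return detail, max(detail.values(), default=0)

# Constructed sample model: one primary asset and two secondary assets under it.
payroll = Asset("Payroll service", impact={"C": 3, "I": 2, "A": 1})
database = Asset("Database server", parent=payroll)             # inherits C, I, A
laptop = Asset("HR laptop", parent=payroll, impact={"A": 3})    # overrides A only

if __name__ == "__main__":
    # Information risks are rated on the secondary assets.
    print(information_risk(database, threat=2, vulnerability=3, affects=("C", "I")))
    print(information_risk(laptop, threat=1, vulnerability=4, affects=("A",)))
    # Operational risk is rated on the primary asset, impact per ROLFP criterion.
    print(operational_risk({"R": 2, "O": 3, "L": 1, "F": 2, "P": 0}, probability=2))
```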
The method An optimized method
Optimizations
MONARC is an optimized method:
inheritance on objects;
scope of objects;
inheritance on impacts;
deliverables;
multiple dashboards and reporting possibilities.
Inheritance on objects
Modelling
Inheritance
Formalisation of the modelling
Inheritance
Formalisation of an asset
Example with OV BATI
Scope of objects
Global or local assets
Inheritance on impacts
Deliverables
Shareable and customised templates of deliverables.
The tool
Summary
1 What is MONARC?
2 The method
3 The tool
Architecture
Workshop
Modules
Roadmap
The tool Architecture
The tool Workshop
Let's work a little!
training instance: https://formation.monarc.lu
login: user
[email protected], where 01 ≤ X ≤ 50;
password: Password1234!
or use the virtual machine: https://vm.monarc.lu
Compatible Web browsers: Firefox, Chrome and Safari.
The tool Modules
Dashboard
provide different visualizations of the current analysis state;
visualizations are exportable (.png, .csv, .pptx).
Statement of Applicability
Statement of Applicability (SOA) and compliance level for a security referential.
Record of processing activities
Register of the information treatment for processing activities.
The tool Roadmap
Latest notable developments
definition of custom scales for operational risks (MONARC 2.11.0);
dashboard for the CEO with data gathered from different MONARC
instances (MONARC 2.10.1);
records of processing activities for the GDPR and set of recommendations
(MONARC 2.9.0);
connection with MOSP (MONARC 2.8.2);
statement of applicability (MONARC 2.7.0).
Future developments
enhancements to the global dashboard towards a security weather
forecast [2];
enhancements to the sharing of MONARC objects with MOSP [3];
import of models in back office;
link between GDPR module and some objects in MONARC;
two-factor authentication.
Idea? → Discussions on GitHub
[2] https://dashboard.monarc.lu
[3] https://objects.monarc.lu
Services
Services related to MONARC
help at deploying;
help at using;
trainings;
developments, feature requests.
End of the presentation
Thank you for listening.
Contact:
[email protected] https://github.com/CASES-LU
https://github.com/monarc-project
https://www.monarc.lu