Insights on governance, risk and compliance

Enhancing your security operations with Active Defense

Contents

Introduction 1
What is Active Defense? 3
Preparing an Active Defense 5
Conducting an Active Defense 7
Is Active Defense right for me? 15

Introduction

Security operations professionals have read the headlines and seen the reports of cyber attackers growing more sophisticated and ever more destructive. According to the trends identified by EY’s latest Global Information Security Survey* (GISS), most organizations are struggling to keep pace. Our 2014 survey indicated that 49% of respondents expected their security budgets to remain “about the same.” Although our 2015 survey saw this figure drop to 39%, the percentage of organizations that reported plans to increase spending by 5%-25% grew by a mere 4%. Many security teams will face another year with the same or fewer resources than they had this year.

Being able to effectively deploy the security resources that have been allocated can also challenge an organization. Seventy-one percent of respondents rated the likelihood that their organization would detect a sophisticated cyber attack at less than 50%. The most common obstacle cited for security program effectiveness was “budget constraints” at 62%, with “lack of skilled resources” close behind at 57%. The cumulative effect of all these difficulties is well documented: the average time elapsed between breach occurrence and breach discovery remains at 205 days![1]

How can organizations improve? EY believes that the answer is Active Defense.

The following four chapters of this report will introduce EY’s perspective on Active Defense and will show cyber defenders how their organization could adopt it to help enhance its cybersecurity:

What is Active Defense?
• EY’s vision of Active Defense defined
• What does Active Defense add to the existing security operations program?
• How does Active Defense fit into a holistic cybersecurity program?

Preparing an Active Defense
• What are the prerequisites to establishing an Active Defense program?
• What must I understand about my organization to enable Active Defense?
• What must I understand about my adversaries for an Active Defense to succeed?

Conducting an Active Defense
• What are the components of an Active Defense?
• What is an Active Defense mission?
• What types of missions can I conduct with Active Defense?

Is Active Defense right for me?
• What are the benefits of an Active Defense?
• Is my organization ready to implement an Active Defense?
• How can EY help me prepare to conduct an Active Defense in the future?

The next iteration of continuous improvement

[1] M-Trends 2015: A View from the Front Lines — Annual Report, Mandiant (a FireEye company), 2015.

* Results shown in this report are based on findings from EY’s Global Information Security Survey 2015 — ey.com/giss2015

Creating trust in the digital world: EY’s Global Information Security Survey 2015

88% of Information Security functions do not fully meet the organizational needs*

11% of GISS respondents reported using data analytics to detect security breaches.


What is Active Defense?

To understand how Active Defense can help improve security program effectiveness, we need an analogy. Many organizations think of the ideal enterprise network as a castle or fortress: this mental model includes thick stone walls, guard towers and maybe even a moat. Castles may keep real-world invaders at bay, but we have learned time and again that determined attackers nearly always succeed in penetrating even the most secure networks via targeted attacks. Security professionals can’t rely on the integrity of the network’s perimeter and must operate under the assumption that undetected malicious activity is present nearly all the time.

A more appropriate analogy might be the enterprise network as a contemporary city. This analogy works on several levels. Consider the evolving ways that we access data. Users have multiple routes into and out of the network through company workstations, personally owned mobile devices, cloud storage and more. This means that legitimate users and intruders both have numerous opportunities to engage in unseen activities. Just as any city of sufficient size experiences near-constant unpoliced criminal activity, expanding network size and complexity have confounded defenders’ ability to monitor in near real-time as well. Indeed, respondents to EY’s 2015 GISS that reported experiencing significant incidents revealed that only 45% of detected incidents were discovered by the Security Operations Center (SOC). To maintain order, the castle guards of old evolved into the modern police, and security operations professionals must evolve as well.

What does Active Defense add to the existing security operations program?

Let’s carry our analogy into the SOC. The security operations team comprises the enterprise’s network police force. Security monitoring with network and endpoint tools is akin to sending officers out to enforce speed limits and watch for crime. In the real world, patrol officers are effective at deterring and defeating the criminals that they can actually see. However, they aren’t effective at defeating the sophisticated crime that occurs behind closed doors and in areas that aren’t patrolled. For this, the city needs detectives. Rather than patrolling and monitoring, detectives cultivate informants, investigate leads, analyze evidence and actively hunt suspects.

How does Active Defense fit into a holistic cybersecurity program?

Most security operations teams lack the “detective” capability, and this is where Active Defense can enhance organizational effectiveness. By employing a deliberate operational cycle to plan, execute, and review intelligence-driven activities to help implement targeted countermeasures, fortify defenses and hunt intruders, Active Defense practitioners provide the organization with the capability to identify and help eradicate latent attackers that circumvent traditional security monitoring and target your intellectual property and business systems.

Active Defense is a deliberately planned and continuously executed campaign to identify and help eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets.


Preparing an Active Defense

What are the prerequisites to establishing an Active Defense program?

Active Defense results from the fusion of timely threat intelligence with deliberately planned and executed proactive measures that help combat specific threat scenarios. Active Defense does not replace traditional security operations. Instead, Active Defense organizes and enhances the existing security operations program. Conducting an Active Defense requires some preparation in order to achieve maximum effectiveness.

First, cyber defenders must ensure that they have a clear understanding of the assets most coveted by potential attackers. In EY’s 2015 GISS, 23% of organizations with an SOC stated that their SOC “does not interact with the business” and only 23% reported that their SOC “is tightly integrated, meeting with the heads of business operations regularly to understand business concerns and risks.” This interaction is key and also missing from many security programs.

Thoughtful conversations between security practitioners and business leaders produce a listing of assets to be defended. These are generally associated with critical business functions and consist of important applications and systems along with sensitive data repositories. Relevant assets will be those that subject the business to serious consequences should they be manipulated, stolen, or taken offline. Examples include intellectual property, research and development data supporting future innovation, employees’ or customers’ personally identifiable information, payment card information for clients, and the industrial control systems that support critical business functions.

[Figure: Active Defense integration into security operations. Inputs: global integrated security operations (security monitoring, incident response, vulnerability management, attack and penetration, software security), research and development (EY data scientists, EY attack and penetration team, cyber research laboratory, cyber threat intelligence) and a service integration layer; the diagram is labelled operate, monitor, secure, enable and integrate. Operations: analysis (attack life cycle analysis, defended asset identification, mission planning, indicator analysis and prioritization, threat actor identification and targeting), hunting (anomaly analysis, surge monitoring, cyber recon-by-fire activities, proactive endpoint forensics) and fortification (complex vulnerability identification, countermeasure development, countermeasure deployment, threat scenario validation).]

What must I understand about my organization to enable Active Defense?

Next, defenders must develop an understanding of what “normal” means for the network. Typically, this is referred to as a “baseline” in the context of security. However, much of this baseline lives in the minds of the IT staff rather than in security monitoring tools. This understanding is important for enhancing the security operations function, because Active Defense includes strong anomaly analysis and hunting components. Many activities executed by intruders avoid triggering automated security monitoring tools because they don’t fit the typical procedures, inputs or models of known attack signatures. Instead, they use compromised credentials or illicit accounts and blend with regular user behavior. However, alert and experienced security analysts may recognize malicious activity when they see it, provided they have a model for normal behavior on the network.

What must I understand about my adversaries for an Active Defense to succeed?

Finally, defenders need an understanding of the threat actors that are likely to target their organization. Many security teams simply assume that they are targeted by the big three: nation state adversaries, organized crime groups and hacktivists. Although this may be true, additional insight is required in order to craft an Active Defense. Within each group, motivations and capabilities vary widely. Defenders should work closely with threat intelligence providers to paint an accurate portrait of the threat landscape with as much detail as possible. If possible, specific threat actors should be named and analyzed to gain insight that will be leveraged in defensive activities.

23% of organizations with an SOC stated that their SOC “does not interact with the business.”*

23% of organizations reported that, “Our SOC is tightly integrated, meeting with the heads of business operations regularly to understand business concerns and risks.”*

[Figure: Active Defense insight, built in four stages. Stage 1: identify internal critical assets (descriptively profile at both business and technical level). Stage 2: add environmental context (develop/leverage network and endpoint activity baselines). Stage 3: identify and profile most likely threat actors (inject timely intelligence to drive mission selection). Stage 4: conduct Active Defense missions (plan, execute, review, repeat).]

Conducting an Active Defense

Active Defense consists of deliberately planned and executed defensive actions called “missions.” Each mission is followed by activities designed to capture lessons learned and enhance organizational learning. Missions include one or more specific objectives and a defined end-state, and they may last between one day and several weeks. Mission objectives typically include the implementation of one or more targeted countermeasures to defeat specific threat scenarios or deliberately planned activities to identify hidden intruders (hunting).

Although individual missions may take the form of projects, an Active Defense program is conducted as an iterative operational cycle. Each cycle focuses on defending a specific asset or group of assets from a specific threat actor and may include one or more missions. The operational cycle includes phases for planning, mission execution (of one or more missions) and cycle review. Each mission within the operational cycle also includes analogous phases for planning, execution and review.

[Figure: the Active Defense operational cycle. Analyze: identify likely threat actors and scenarios, high-value asset or adversary focused, informed by a weekly CTI brief. Plan: define desired end-state; deliberately planned, mission focused (hunting or fortification). Execute: achieve desired end-state (complicate, harden, maintain). Review: capture lessons learned and realize improvements.]

What are the components of an Active Defense?

Cyber threat intelligence (CTI) helps lay the groundwork for Active Defense and provides context and guidance during operations. Once likely adversaries have been identified, defenders work with their threat intelligence provider to identify specific tactics via cyber kill chain analysis. Kill chain analysis is the division of the steps taken by an adversary as part of an attack into individual “buckets” that correspond to the links of the kill chain. Although researchers from Lockheed Martin originally introduced this concept in a 2011 white paper,[3] there are a number of variants. Regardless of variant, identification and analysis of tactics is key.

[3] Hutchins, Eric, Michael Cloppert, and Rohan Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Lockheed Martin Corporation, 2011.

[Figure: typical attack life cycle for an illustrative actor (APT X) against a priority 1 R&D target, showing the tactics and targets typical of each phase. Phases: intelligence gathering (background research), initial attack (initial exploitation), establish foothold (command and control), enable persistence, move laterally, enterprise reconnaissance, escalate privilege (privilege escalation), gather and encrypt data, steal data (data exfiltration). Tactics named across the phases include search engines, public releases, external scanning, zero days, social engineering, spear phishing, water holing, malware installation, stolen credentials, root kits, trojans, account creation, establishing VPNs, network scanning, FTP and email, web posting, encrypted C2 tunnels, ZIP and RAR compression, malware encryption and remote desktop connections. Targets named include web servers, external applications, social media, executives and assistants, remote workers, workstations, servers, routers, shares, admin accounts, security applications, operating systems, pdf/doc/xls/ppt documents and R&D data.]

Besides known tactics, additional data collected and mapped for relevant threat actors includes:

• Attacker source IP ranges
• Malware metadata
• Typical hardware or software leveraged by the attacker
• Typical hardware or software targeted by the attacker
• Typical times of attacker operations

For each defended asset, defenders also gather:

• Hardware or software used to access the sensitive data and business processes
• Patch level and patching schedule for identified hardware and software
• Previous attack information
• Detailed identity and access information associated with the resource

This information is supplemented with intelligence about current events in the organization’s industry to determine who is attacking peers and for what purpose. Industry peers are a great source to develop first-hand insight about the latest tools, tactics and procedures used by attackers.

31% of respondents say their SOC has individuals focused solely on cyber threat intelligence

50% of respondents say their SOC has analysts that read and subscribe to specific open-source resources

35% of respondents say that they have a mature or very mature information security strategy

Only 12% of organizations perform all security operations functions in-house

23% of SOCs do not interact with the business

29% of SOCs collaborate and share data with other public SOCs

43% of SOCs collaborate and share data with others in their industry

42% of SOCs have not detected a significant incident

Only 19% of SOCs have discovered a significant cybersecurity incident

Only 47% of organizations think their SOC would be likely to detect a sophisticated attacker.

What is an Active Defense mission?

A key facet of Active Defense is the enhanced operational focus and effectiveness realized through the deliberate planning of Active Defense missions. Security teams typically harden their defenses on an ad hoc basis, implementing industry best practices when they have time or in reaction to high-profile vulnerability announcements. By contrast, Active Defense missions are planned and executed to proactively defeat specific threat scenarios and uncover hidden intruders in the network. This means that defenders’ time is spent deterring and defeating the enterprise’s most likely attackers rather than an undefined or nonspecific adversary.

What types of mission can I conduct with Active Defense?

The use of the term “mission” conveys the fact that the operational process proceeds with a significant amount of analytical rigor and discipline in order to achieve maximum effectiveness in accomplishing the organization’s security goals. Missions are planned in response to specific threat intelligence in the unique context of the defended organization, and by focusing on the threat to the business from real-world threat scenarios, Active Defense practitioners can maximize their defensive capabilities for their security budget.

Although Active Defense is inherently adversary focused, it is also tailored for specific defended assets — typically the organization’s most valuable proprietary data and business systems. An Active Defense mission can include any activities that meet this description. However, we find that a few general categories of activities tend to generate the greatest returns.

Active Defense mission categories

Fortification
• Network reconnaissance: manual identification and validation of complex vulnerabilities and threat scenarios and development of network situational awareness for decision makers
• Targeted countermeasures: leverage insight from the intelligence process to design and implement countermeasures that defeat specific threat scenarios

Hunting
• Anomaly analysis: focused investigation for anomalous and malicious activity that cannot be detected by automated security monitoring tools
• Trapping and coercion: alter network and endpoint conditions to provoke a hidden attacker into engaging in malicious activity liable to be detected by targeted intensive monitoring

Fortification

The first category of Active Defense mission includes those activities that help improve the enterprise’s defenses against specific tactics that may be used by specific attackers.

Network reconnaissance

Network reconnaissance missions develop the organization’s understanding about its own level of risk to specific threat actors or threat scenarios. Missions of this type are generally more complex than straightforward vulnerability scanning and may include mock attacks or red team exercises. An example of an information gathering mission would be a multi-day experiment to determine whether existing security monitoring tools are able to identify the use of a particular piece of malware on the network.

Tailored countermeasures

Tailored countermeasures are most often focused on network and endpoint fortification and attempt to deter, degrade or defeat specific adversary tactics. Active Defense fortification activities differ from hardening activities executed by traditional security operations teams in that they are executed deliberately in response to timely threat intelligence about a threat actor or threat scenario rather than as “industry best practices” on an ad hoc basis.

• Cyber clear-and-hold: an example of a network and endpoint fortification. Clear-and-hold is a strategy employed to help prevent intruders from re-occupying territory from which they have been ejected by defenders. Clearing is done via hunting or proactive forensics. After the clearing stage, the holding stage is usually characterized by regular inspections, surveillance and the improvement of defenses.

A clear-and-hold mission may be warranted due to a number of internal or external factors. Defenders may learn about an attack against an industry peer and may wish to apply clear-and-hold tactics to protect the data types that were taken in that attack. Another driver could be the discovery of a vulnerability that cannot be patched in a critical system. Hosts on the same network segment could then be cleared to ensure that they are not currently harboring attackers who could take advantage of the weakness.

Activities of this nature can usually only be sustained for a brief period of time before resources must be redeployed to other areas. For example, a clear-and-hold mission would likely be appropriate during the period when a merger/acquisition is being planned (from the earliest stages) and executed. Once the merger is announced publicly and completed, the protection provided by clear-and-hold tactics is no longer necessary around the systems containing merger data.

41% of respondents say their SOC has a paid subscription to cyber threat intelligence feeds

Hunting

Hunting missions attempt to discover latent (but active) attackers on the network, or previously unknown evidence of past attacks. By actively examining seemingly benign activity or artifacts in the context of known tactics and techniques of particular threat actors or in the context of specific threat scenarios, Active Defense practitioners take the initiative against attackers and reduce the time that attackers can expect to operate inside the network before being identified and eradicated. Hunting missions fall generally into two categories.

Anomaly analysis

These missions examine artifacts located on particular hosts along with patterns of network traffic to identify malicious activity that automated security monitoring tools miss. Although the organization may have a sophisticated and comprehensive deployment of sensors to conduct security monitoring for network segments and endpoints, there are many forms of malicious activity that thwart automated detection but are plainly obvious to human analysts.

As we discussed previously, the ability to identify anomalous activity is one of the key enablers of Active Defense and is critical to hunting missions. Anomalous activity is any activity that is strange, abnormal or doesn’t belong in the context in which it is seen. This context could include the user who is engaging in the activity, the time when the activity is observed, the frequency with which the activity occurs and other circumstances. In addition to hunting for anomalous activity in new event streams, defenders should ensure that they search historical data as well. The time when defenders become aware of a particular malicious behavior is always after the time when attackers began using it: thus, historical logs must be searched to ensure that a compromise hasn’t already occurred.
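As an added example (not the paper’s own code), the following Python scores logon events against a per-user baseline in the three contexts named above (user, time of day, frequency) and runs the same scoring back over the historical window; the log format, the 6-hour time windows and every event are constructed.

```python
"""Context-based anomaly scoring over logon events.

Added example (not from the EY paper): a per-user baseline of source hosts
and time-of-day windows is learned from a historical window, then every
event, historical or new, is scored in the contexts the paper names: the
user, the time of day and how often that (user, host) pairing is seen.
The log format "timestamp user source_host" and all events are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed historical events (the baseline window). The last line is a
# one-off 02:13 logon from a file server that a signature tool would not flag.
HISTORICAL_LOG = """\
2015-06-01T09:02:11 alice WS-ALICE
2015-06-01T09:05:40 bob WS-BOB
2015-06-02T08:58:03 alice WS-ALICE
2015-06-02T10:12:19 bob WS-BOB
2015-06-03T09:15:44 alice WS-ALICE
2015-06-03T09:41:02 bob WS-BOB
2015-06-04T09:01:37 alice WS-ALICE
2015-06-04T10:20:55 bob WS-BOB
2015-06-05T02:13:09 alice FILESRV-07
"""

# Constructed new events to score against the learned baseline.
NEW_LOG = """\
2015-06-08T09:10:00 alice WS-ALICE
2015-06-08T10:05:30 alice WS-BOB
2015-06-08T03:30:00 bob FILESRV-07
"""

WINDOW_HOURS = 6  # assumption: four 6-hour time-of-day windows per day


def parse_events(text):
    """Parse 'timestamp user host' lines into (datetime, user, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, host))
    return events


def build_baseline(events):
    """Count, per user, how often each source host and each time window is seen."""
    hosts = defaultdict(Counter)
    windows = defaultdict(Counter)
    for ts, user, host in events:
        hosts[user][host] += 1
        windows[user][ts.hour // WINDOW_HOURS] += 1
    return {"hosts": hosts, "windows": windows}


def score_event(baseline, ts, user, host, rare=1):
    """Return the reasons an event is anomalous (empty list if it fits the baseline).

    A context is 'rare' when the baseline has seen it at most `rare` times for
    this user; a never-seen user or host counts as zero.
    """
    reasons = []
    host_seen = baseline["hosts"][user][host]
    window = ts.hour // WINDOW_HOURS
    window_seen = baseline["windows"][user][window]
    if host_seen <= rare:
        reasons.append(f"host {host} seen {host_seen}x for {user}")
    if window_seen <= rare:
        start = window * WINDOW_HOURS
        end = start + WINDOW_HOURS - 1
        reasons.append(f"window {start:02d}:00-{end:02d}:59 seen {window_seen}x for {user}")
    return reasons


def find_anomalies(baseline, events, rare=1):
    """Score events; return (timestamp, user, host, reasons) for the anomalous ones."""
    hits = []
    for ts, user, host in events:
        reasons = score_event(baseline, ts, user, host, rare)
        if reasons:
            hits.append((ts.isoformat(), user, host, reasons))
    return hits


if __name__ == "__main__":
    history = parse_events(HISTORICAL_LOG)
    baseline = build_baseline(history)
    # Scoring the historical window against its own baseline is the
    # retrospective search the paper calls for: a one-off context is still rare.
    for hit in find_anomalies(baseline, history):
        print("historical:", hit)
    for hit in find_anomalies(baseline, parse_events(NEW_LOG)):
        print("new:", hit)
```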

• Identify cyber staging areas: anomaly analysis can be used to identify cyber staging areas, and to deter or defeat sensitive data exfiltration. Attackers often form a beachhead within a compromised network. This is a host from which they launch sorties against other hosts on the network and on which they may store stolen data. Often this data is compressed, obfuscated, or even encrypted, to make it look like something it isn’t. For instance, defenders may discover a large data cache rolled into several encrypted and compressed RAR files that have had their file extensions altered to make them look like video clips.

This beachhead concept is important because hackers must prepare a staging ground within one or two “hops” from a location on the network from which data will be stolen. Not only is this required in order to limit the amount of activity on a target host to prevent detection, but routing connections and data through additional systems is technically complicated and subject to discovery as well.

To identify staging areas, defenders search likely beachhead locations near sensitive systems for stolen data and stored tools. In enterprises that enforce data storage locations for users, such as those that require all personal files to be saved to a network-shared folder, this search can be straightforward. Searching may also be aided by enterprise file naming schemes. These often aren’t apparent to outsiders, so attackers may inadvertently create filenames that immediately appear anomalous.
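An added example (not from the paper or EY) of the search just described: it walks a share, flags archives whose leading bytes contradict their extension (the renamed RAR cache case above) and flags file names outside a hypothetical enterprise naming scheme; the share, its files and the ACME-YYYY-description.ext scheme are constructed.

```python
"""Search a file share for cyber staging areas.

Added example (not from the EY paper): two of the checks the text describes,
(1) archives whose content does not match their extension, such as a RAR
cache renamed to look like a video clip, and (2) file names that violate the
enterprise naming scheme. The naming scheme (ACME-YYYY-description.ext)
and the sample share are constructed assumptions.
"""
import re
import tempfile
from pathlib import Path

# Leading bytes of common archive formats (RAR4 and RAR5 share this prefix).
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
# Extensions under which an archive is expected; anything else is a disguise.
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z", ".gz", ".tgz"}

# Hypothetical enterprise naming scheme, e.g. ACME-2015-q2_budget.xlsx
NAMING_PATTERN = re.compile(r"^ACME-\d{4}-[a-z0-9_]+\.[a-z0-9]+$")


def detect_archive(path):
    """Return the archive kind by magic bytes, or None if the file is not an archive."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_for_staging(root, naming_pattern=None):
    """Walk `root`; return (file name, reason) findings for likely staged data."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        kind = detect_archive(path)
        if kind and path.suffix.lower() not in ARCHIVE_EXTENSIONS:
            shown = path.suffix or "no extension"
            findings.append((path.name, f"{kind} archive disguised as {shown}"))
        if naming_pattern and not naming_pattern.match(path.name):
            findings.append((path.name, "name violates enterprise naming scheme"))
    return findings


def build_sample_share():
    """Create a constructed share in a temp dir: three compliant files and one disguised RAR cache."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    files = {
        "ACME-2015-q2_budget.xlsx": b"not really a spreadsheet, just sample text",
        "ACME-2015-backup.zip": b"PK\x03\x04" + b"\x00" * 26,
        "ACME-2015-notes.txt": b"meeting notes\n",
        # RAR4 signature followed by padding; the extension claims a video clip
        "holiday_2015.mp4": b"Rar!\x1a\x07\x00" + b"\x00" * 64,
    }
    for name, content in files.items():
        (root / name).write_bytes(content)
    return root


if __name__ == "__main__":
    for name, reason in scan_for_staging(build_sample_share(), NAMING_PATTERN):
        print(f"{name}: {reason}")
```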

47% of respondents reported that their organization does not currently have an SOC*

Of respondents that do have an SOC, 26% outsource real-time security monitoring*

Trapping and coercion

These missions attempt to compel latent attackers to perform activities that will cause them to be discovered. Once an attacker has gained access to the network, escalated privileges and established persistence, they are unlikely to engage in additional overt malicious activity. This is because they likely have gained access to legitimate account credentials or have had the opportunity to install malicious software to mask, clean or hide their activities. By altering conditions on the network, defenders can impose a dilemma on hidden attackers. They must either work to maintain their access and subject themselves to the scrutiny of alert Active Defense practitioners, or they will lose access. Here are examples of this type of mission:

• Malware starvation: many types of malware emit a regular “beacon” or “heartbeat” to a command and control (C&C) server as long as they are active. This serves two purposes. First, it acts as a remote notification to an attacker that his access to the network is still available. Second, it provides automated control systems with an opportunity to deliver orders to fielded malware instances (implants).

Highly sophisticated attackers may employ multiple cooperating malware implants that watch each other to provide backup. If one implant sees that its partner has been eradicated or is no longer communicating on the network, it activates and takes over the beaconing and malicious activity. EY has seen one network that had primary implants installed on more than 20 servers, with alternate or backup implants hiding on another 14. The alternates weren’t detected until after the primaries had all been eradicated — the point when an incident response team would usually close the case and go home.

Changes in network connectivity are usually what triggers the activation of dormant implants. Consider simulating this to “starve” malware of its network access and change its behavior. Network segments can be cut off from one another temporarily to prevent cooperating malware samples from seeing or interacting with one another; this can result in backup malware spinning up and trying to take over for what it thinks is an eradicated primary.
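An added example (not from the paper) of the beacon behaviour described above, written from the detection side: it groups outbound connection records by source and destination, flags pairs whose connection gaps are almost constant, and compares records from before and after a segment cut-off to surface a backup implant taking over; the record format, hosts and addresses are constructed.

```python
"""Flag regular beacons in outbound connection records.

Added example (not from the EY paper): an implant that sends a regular
"heartbeat" produces near-constant gaps between connections from one host
to one destination, so grouping records by (source, destination) and
measuring the spread of those gaps makes beaconing pairs stand out. Running
the same check on records captured after a network change shows a backup
implant taking over. The record format "timestamp source destination" and
all records are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed records before any change: WS-17 beacons to 203.0.113.5 about
# every ten minutes and also browses www.example.com irregularly.
BEFORE = """\
2015-06-09T10:00:00 WS-17 203.0.113.5
2015-06-09T10:09:58 WS-17 203.0.113.5
2015-06-09T10:19:59 WS-17 203.0.113.5
2015-06-09T10:29:59 WS-17 203.0.113.5
2015-06-09T10:40:01 WS-17 203.0.113.5
2015-06-09T10:03:12 WS-17 www.example.com
2015-06-09T10:03:49 WS-17 www.example.com
2015-06-09T10:34:32 WS-17 www.example.com
2015-06-09T10:34:44 WS-17 www.example.com
"""

# Constructed records after WS-17's segment was cut off: WS-17 falls silent
# and SRV-03, on another segment, starts the same heartbeat.
AFTER = """\
2015-06-09T14:00:00 SRV-03 203.0.113.5
2015-06-09T14:10:00 SRV-03 203.0.113.5
2015-06-09T14:20:02 SRV-03 203.0.113.5
2015-06-09T14:29:58 SRV-03 203.0.113.5
2015-06-09T14:05:40 SRV-03 www.example.com
"""


def parse_connections(text):
    """Parse 'timestamp source destination' lines into (datetime, src, dst) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst))
    return records


def beacon_candidates(records, min_connections=4, max_jitter=0.1):
    """Return ((source, destination), mean gap in seconds, connection count) for
    pairs whose gaps between connections vary by at most `max_jitter` of the mean."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Population std dev relative to the mean gap: a heartbeat is near zero.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair, round(avg), len(times)))
    return sorted(hits)


def new_beacons(before, after):
    """Pairs that beacon after a change but did not before (a backup implant activating)."""
    seen = {pair for pair, _, _ in beacon_candidates(before)}
    return [hit for hit in beacon_candidates(after) if hit[0] not in seen]


if __name__ == "__main__":
    before = parse_connections(BEFORE)
    after = parse_connections(AFTER)
    print("beaconing before cut-off:", beacon_candidates(before))
    print("new beacons after cut-off:", new_beacons(before, after))
```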

• DNS manipulation: malware authors typically use hostnames to configure malware C&C servers rather than IP addresses. This improves resiliency for the malware, since defenders typically block outgoing traffic to specific IP addresses (routers and switches don’t know about hostnames). Using a hostname allows the malware’s C&C server to be located at any IP address. The attacker just needs to register it, and DNS servers around the world will carry the news to his deployed malware. Defenders who have tried to squash a malware infection have probably seen this behavior before: they block outgoing traffic from beaconing malware only to see it shift to new destination addresses every few hours.

By resetting the network’s DNS cache, defenders force renewed resolution of every hostname across the network — including those used by malware. Within a few hours or days, defenders can then examine the contents of the DNS cache for low-density hostnames or hostnames that were resolved at odd hours. A boatload of connections to www.google.com at noon on a Tuesday shouldn’t raise any eyebrows, but a single connection to www.malwaremothership.com at 2 a.m. on a Tuesday warrants closer inspection.
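An added example (not from the paper) of the DNS examination described above, assuming the resolver keeps a record of hostname, client and time for each resolution after the reset: it profiles each hostname by client density and odd-hour resolutions and ranks the results; the records and the 00:00-05:59 odd-hour window are constructed.

```python
"""Rank hostnames from DNS resolution records by density and time of day.

Added example (not from the EY paper): after a cache reset, resolver
records show which hostnames were resolved, by how many clients and when.
Low-density hostnames (resolved by very few clients) and odd-hour
resolutions are scored as the text describes. The record format
"timestamp client hostname", the 00:00-05:59 odd-hour window and all
records below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

ODD_HOURS = range(0, 6)  # assumption: 00:00-05:59 is "odd" for this network

# Constructed resolver records: www.google.com at noon from many clients,
# a scheduled internal NTP lookup at 03:00 from several clients, a vendor CDN
# resolved by one client at lunch, and one 02:00 resolution of
# www.malwaremothership.com by a single client.
DNS_RECORDS = """\
2015-06-09T12:00:01 10.0.1.10 www.google.com
2015-06-09T12:00:03 10.0.1.11 www.google.com
2015-06-09T12:00:07 10.0.1.12 www.google.com
2015-06-09T12:01:15 10.0.1.13 www.google.com
2015-06-09T03:00:00 10.0.1.10 ntp.corp.example
2015-06-09T03:00:00 10.0.1.11 ntp.corp.example
2015-06-09T03:00:01 10.0.1.12 ntp.corp.example
2015-06-09T12:30:44 10.0.1.13 cdn.vendor-updates.example
2015-06-09T02:00:12 10.0.1.12 www.malwaremothership.com
"""


def parse_records(text):
    """Parse 'timestamp client hostname' lines into (datetime, client, hostname) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, host = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, host))
    return rows


def profile_hostnames(records):
    """Per hostname: the set of distinct clients, total queries and odd-hour queries."""
    profiles = defaultdict(lambda: {"clients": set(), "queries": 0, "odd_hour": 0})
    for ts, client, host in records:
        p = profiles[host]
        p["clients"].add(client)
        p["queries"] += 1
        if ts.hour in ODD_HOURS:
            p["odd_hour"] += 1
    return profiles


def rank_suspicious(profiles, low_density=1):
    """Score each hostname: +2 if resolved by at most `low_density` clients,
    +1 if any resolution fell in odd hours. Returns (score, hostname, reasons)
    sorted highest score first; hostnames scoring zero are left out."""
    ranked = []
    for host, p in profiles.items():
        score, reasons = 0, []
        if len(p["clients"]) <= low_density:
            score += 2
            reasons.append(f"low density: {len(p['clients'])} client(s)")
        if p["odd_hour"]:
            score += 1
            reasons.append(f"{p['odd_hour']} odd-hour resolution(s)")
        if score:
            ranked.append((score, host, reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for score, host, reasons in rank_suspicious(profile_hostnames(parse_records(DNS_RECORDS))):
        print(score, host, "; ".join(reasons))
```

The ranking is a triage queue for the analyst, not a verdict: the broadly used NTP hostname still appears because of its odd-hour resolutions, but at the bottom.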

12% of respondents that do have an SOC reported being able to fulfill all functions in-house

Is Active Defense right for me?

EY considers the ability to mount an effective Active Defense as a strategic end-state for the enterprise security program, and the journey to establishing an effective Active Defense varies for every organization. According to EY’s 2015 GISS, 47% of respondents reported that their organization does not currently have an SOC; of those that do, 26% outsource real-time security monitoring, and only 12% reported being able to fulfill all functions in-house.

Is my organization ready to implement an Active Defense?

EY’s cybersecurity offerings help develop the security program with an eye toward establishing an Active Defense. If any of the following statements reflect your organization, then Active Defense may be right for you:

• We have an SOC, but we still aren’t finding evidence of advanced attackers.
• We have an SOC, but we still had a major breach.
• We have had an SOC for a few years, but we need to evolve beyond static monitoring.
• We have strong business pressures to defend intellectual property or confidential business information (R&D, M&A, ICS/SCADA, etc.).
• We have an outsourced SOC, but we don’t believe that our most valuable data and systems are truly secure.

How can EY help me prepare to conduct an Active Defense in the future?
Many organizations can benefit from the enhanced operational discipline and adversary focus inherent to Active Defense. However, effectiveness from an Active Defense program requires appropriate maturity levels in a range of security competencies, including security operations, security monitoring, asset identification and classification, IT operations, threat intelligence, security architecture and others. By focusing on an Active Defense capability as a strategic goal, decision-makers and security practitioners can engage in meaningful discussion about the steps for organizational improvement that will help realize the benefits described herein.

Once those competencies are in place, the benefits of an Active Defense can be:

• For the security operations team, Active Defense provides a defined set of improvement activities, rationalized by threat intelligence and security analytics and connected to achievable objectives. The team builds countermeasures, hunts hidden intruders and bolsters defenses on the basis of real reporting about the behavior of real attackers.

• For decision-makers, Active Defense helps connect resource deployment directly to measures of cybersecurity program effectiveness. Instead of focusing on performance measures like "number of patches applied" and "number of tickets closed," effectiveness can be demonstrated via, for example, a decrease in successful targeted attacks or a decrease in the time required to discover and eradicate the attacks that were successful.

An organization's intellectual property and critical business systems have substantial monetary value, and organization leaders expect their security programs to keep the data secure and the attackers out. To this end, the effectiveness of the organization's security operations can be significantly enhanced by an Active Defense guided by deliberate planning, a defined strategic end-state and an adversary focus. By organizing and integrating the organization's existing security operations, Active Defense can help reduce the number of successful targeted attacks and decrease the amount of time that intruders can operate before being ejected from the network.

Is Active Defense right for me?

What are the benefits of an Active Defense?
• An agile operational cycle designed to help achieve rapid results and accelerate learning
• Cyber threat intelligence (CTI) analysis that helps yield new insights about adversaries or the enterprise and generates recommendations
• Active Defense missions focused on hunting or fortification
• Active Defense helps enhance but does not replace security monitoring and incident response



Want to learn more?
Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about our perspective. Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights.


Cyber Threat Intelligence − how to get ahead of cybercrime www.ey.com/CTI

Security Operations Centers — helping you get ahead of cybercrime www.ey.com/SOC

Achieving resilience in the cyber ecosystem www.ey.com/cyberecosystem

Managed SOC — EY's Advanced Security Center: world-class cybersecurity working for you http://www.ey.com/managedSOC

Cybersecurity and the Internet of Things www.ey.com/IoT

Using cyber analytics to help you get on top of cybercrime: Third-generation Security Operations Centers www.ey.com/3SOC

Cyber Program Management: creating the path forward www.ey.com/CPM

Cyber breach response management — Breaches do happen. Are you ready? www.ey.com/cyberBRM


Creating trust in the digital world: EY's Global Information Security Survey 2015 www.ey.com/GISS2015

If you were under cyber attack, would you ever know?
As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless. When one tactic fails, they will try another until they breach an organization's defenses. At the same time, technology is increasing an organization's vulnerability to attack through increased online presence, broader use of social media, mass adoption of mobile devices, increased usage of cloud services, and the collection and analysis of big data. Our ecosystems of digitally connected entities, people and data increase the likelihood of exposure to cybercrime in both the work and home environment. Even traditionally closed operational technology systems are now being given IP addresses, enabling cyber threats to make their way out of back-office systems and into critical infrastructures such as power generation and transportation systems.

For EY Advisory, a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses. We've shaped a global ecosystem of consultants, industry professionals and business alliances with one focus in mind — you.

Anticipating cyber attacks is the only way to be ahead of cyber criminals. With our focus on you, we ask better questions about your operations, priorities and vulnerabilities. We then collaborate with you to create innovative answers that help you activate, adapt and anticipate cyber crime. Together, we help you design better outcomes and realize long-lasting results, from strategy to execution.

We believe that when organizations manage cybersecurity better, the world works better.

So, if you were under cyber attack, would you ever know? Ask EY.

The better the question. The better the answer. The better the world works.

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2015 EYGM Limited. A ll R ights R eserved.

EYG no. AU3672

1511-1740046 MW
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/cybersecurity

Our Risk Advisory Leaders are:

Global Risk Leader
Paul van Kessel +31 88 407 1271 paul.van.kessel@nl.ey.com

Area Risk Leaders
Americas
Amy Brachio +1 612 371 8537 amy.brachio@ey.com
EMEIA
Jonathan Blackmore +971 4 312 9921 jonathan.blackmore@ae.ey.com
Asia-Pacific
Iain Burnet +61 8 9429 2486 iain.burnet@au.ey.com
Japan
Yoshihiro Azuma +81 3 3503 1100 [email protected]

Our Cybersecurity leaders are:

Global Cybersecurity Leader
Ken Allan +44 20 7951 5769 kallan@uk.ey.com

Area Cybersecurity Leaders
Americas
Bob Sydow +1 513 612 1591 bob.sydow@ey.com
EMEIA
Scott Gelber +44 20 7951 6930 sgelber@uk.ey.com
Asia-Pacific
Paul O'Rourke +65 6309 8890 paul.o'[email protected]
Japan
Shinichiro Nagao +81 3 3503 1100 nagao-shnchr@shinnihon.or.jp

E Y | Assurance | Tax | Transactions | Advisory

About EY's Advisory Services
In a world of unprecedented change, EY Advisory believes a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses.

Through a collaborative, industry-focused approach, EY Advisory combines a wealth of consulting capabilities — strategy, customer, finance, IT, supply chain, people advisory, program management and risk — with a complete understanding of a client's most complex issues and opportunities, such as digital disruption, innovation, analytics, cybersecurity, risk and transformation. EY Advisory's high-performance teams also draw on the breadth of EY's Assurance, Tax and Transaction Advisory service professionals, as well as the organization's industry centers of excellence, to help clients realize sustainable results.

True to EY's 150-year heritage in finance and risk, EY Advisory thinks about risk management when working on performance improvement, and performance improvement is top of mind when providing risk management services. EY Advisory also infuses analytics, cybersecurity and digital perspectives into every service offering.

EY Advisory's global connectivity, diversity and collaborative culture inspire its consultants to ask better questions. EY consultants develop trusted relationships with clients across the C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to leading disruptive innovators. Together, EY works with clients to create innovative answers that help their businesses work better.
