Getting Ahead of Advanced Threats: Achieving Intelligence-driven Information Security

Recommendations from Global 1000 Executives

Report based on discussions with the Security for Business Innovation Council, an industry initiative sponsored by RSA.

Council members:
ABN AMRO: Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer
ADP Inc.: Roland Cloutier, Vice President, Chief Security Officer
Airtel: Felix Mohan, Senior Vice President and Chief Information Security Officer
The Coca-Cola Company: Renee Guttmann, Chief Information Security Officer
CSO Confidential: Professor Paul Dorey, Founder and Director; Former Chief Information Security Officer, BP
eBay: Dave Cullinane, Chief Information Security Officer and Vice President, Global Fraud, Risk & Security
EMC: Dave Martin, Chief Security Officer
Genzyme: David Kent, Vice President, Global Risk and Business Resources
HDFC Bank: Vishal Salvi, Chief Information Security Officer and Senior Vice President
HSBC Holdings plc: Robert Rodger, Group Head of Infrastructure Security
Johnson & Johnson: Marene N. Allison, Worldwide Vice President of Information Security
JPMorgan Chase: Anish Bhimani, Chief Information Risk Officer
Nokia: Petri Kuivala, Chief Information Security Officer
Northrop Grumman: Tim McKnight, Vice President and Chief Information Security Officer
SAP AG: Ralph Salomon, Vice President, IT Security & Risk Office, Global IT
T-Mobile USA: William Boni, Corporate Information Security Officer (CISO), VP Enterprise Information Security

With guest contributor: William Pelgrin, President & CEO, Center for Internet Security; Chair, Multi-State Information Sharing and Analysis Center (MS-ISAC); and Immediate Past Chair, National Council of ISACs (NCI)

Inside this report:
• Key features of an intelligence program
• Playbook for a new approach to information security
• Practical tips for maximizing the use of data from external and internal sources
• How to gain support and make the case
• Examples of "quick-win" opportunities
• Suggested job description for a cyber-risk intelligence analyst

Description

The Council's new report lays out a six-step roadmap to achieving intelligence-driven information security:
• Step 1: Start with the Basics. Inventory strategic assets, strengthen incident-response processes and perform comprehensive risk assessments.
• Step 2: Make the Case. Communicate the benefits of an intelligence-driven security program to executive management and key stakeholders. Identifying "quick wins" to prove value out of the gate is essential for gaining broad organizational support, including funding.
• Step 3: Find the Right People. Look for professionals who can blend technical security acumen with analytical thinking and relationship-building skills.
• Step 4: Build Sources. Determine what data from external or internal sources would help detect, predict or lessen the chances for a targeted attack; evaluate sources on an ongoing basis.
• Step 5: Define a Process. Codify a standardized methodology to produce actionable intelligence, ensure an appropriate and timely response and develop attack countermeasures.
• Step 6: Implement Automation. Find opportunities to automate the analysis and management of large volumes of data from multiple sources.


Contents

Highlights ... 1
1. Introduction: The Need to Know ... 2
2. What Do Organizations Need to Know? ... 4
   Charts 1-5: Categories of Cyber-Risk Data with Examples ... 5
3. Time for a New Approach: Intelligence-Driven Information Security ... 10
4. Roadmap to Intelligence-Driven Information Security ... 12
   Step 1. Start with the Basics ... 12
   Step 2. Make the Case ... 13
   Chart 6: Examples of Quick Win Opportunities to Show Value ... 14
   Step 3. Find the Right People ... 15
   Job Description: Cyber-Risk Intelligence Analyst ... 16
   Step 4. Build Sources ... 16
   Charts 7-11: Sources of Cyber-Risk Data ... 18
   Step 5. Define a Process ... 20
   Step 6. Implement Automation ... 22
5. No Organization Is an Island: Improving Information Sharing ... 24
   Chart 12: Examples of Information-Sharing Initiatives ... 24
Conclusion ... 26
Appendices ... 27
   About the Security for Business Innovation Council Initiative ... 27
   Biographies of the Security for Business Innovation Council and Guest Contributor ... 28
Report Highlights

In today's threat landscape, organizations worldwide face a growing number of sophisticated cyber adversaries.

Advanced threats are increasingly targeting corporations and governments in order to conduct industrial espionage, undermine business and financial operations, and/or sabotage infrastructure.

The hard truth is most organizations don't know enough about the threats or their own security posture to defend themselves adequately against the rising tide of cyber attacks.

The time has come when successful defense requires evolving past conventional approaches in information security.

A new approach is needed. Called intelligence-driven information security, this approach includes:
• The consistent collection of reliable cyber-risk data from a range of government, industry, commercial, and internal sources to gain a more complete understanding of risks and exposures.
• Ongoing research on prospective cyber adversaries to develop knowledge of attack motivations, favored techniques, and known activities.
• The growth of new skills within the information-security team focused on the production of intelligence.
• Full visibility into actual conditions within IT environments, including insight that can identify normal versus abnormal system and end-user behavior.
• A process for efficient analysis, fusion, and management of cyber-risk data from multiple sources to develop actionable intelligence.
• Practices to share useful threat information such as attack indicators with other organizations.
• Informed risk decisions and defensive strategies based on comprehensive knowledge of the threats and the organization's own security posture.

The vision is to harness the power of information to prevent, detect, and ultimately predict attacks.

The value proposition is clear. By maximizing the use of available information, the organization can create and implement more precise defensive strategies against evolving threats. Security will not only improve but also become more cost-effective because it will be targeted at countering the most significant threats and protecting the most strategic assets.

This report provides a six-step roadmap for achieving intelligence-driven information security.

The guidance answers critical questions such as:
• What are the basic requirements for building an intelligence capability?
• What does it take to develop broad organizational support and obtain funding?
• What is the skill set required of a cyber-risk intelligence team?
• What are the best sources of data?
• How can an organization design a process that will consistently produce actionable intelligence and the right defensive strategies?
• What type of automation can help create efficiencies for handling large volumes of data?

Note on the scope of this report: This report is focused on the collection and analysis of cyber-risk data. However, many organizations' intelligence programs may include a broader set of data. For example, they may include physical-security data (building access, travel), manufacturing supply-chain risks (availability, delivery), and/or data on competitors (financials, product developments). Although the scope of this report is cyber-risk intelligence, the goal for some organizations' intelligence programs is to build a complete picture of operational risks.

A critical aspect of achieving intelligence-driven information security is sharing cyber-risk data with other organizations. But there are many significant challenges to creating information-sharing mechanisms. Fortunately, there is a growing number of industry and government-led initiatives as well as public/private partnerships that are working to enable large-scale data exchange.

RSA, The Security Division of EMC | Security for Business Innovation Council Report | 1
1 Introduction: The Need to Know

Corporations and governments worldwide are increasingly targeted by cyber adversaries with a range of goals, from political activism and sabotage to intellectual-property theft and financial gain. As cyber attacks intensify and tactics rapidly evolve, organizations could find the escalating threat landscape overwhelming their abilities to manage the risks.

The hard truth is most organizations don't know enough about the threats or their own security posture to defend themselves adequately. For example, they can't see signs of an attack because they haven't sufficiently analyzed data on the latest attack techniques. They can't identify malicious activity because they haven't developed baselines for normal activity. Today's dedicated adversaries have the means to evade commonly used defenses such as signature-based detection. In the era of advanced threats, greater situational awareness is essential to detect and mitigate cyber attacks effectively. Organizations need to obtain the latest data on threats, relate that to real-time insights into their dynamic IT and business environments, determine what's most relevant, make risk decisions, and take defensive action.

Intelligence gathering and analysis have become essential capabilities for a successful information-security program, yet enterprise IT security organizations have not been built with this objective in mind. In fact, many cyber adversaries have developed better intelligence capabilities than their targets. While many organizations may have access to the right data, they may not be set up to make use of it. Internal data collection is often tuned for compliance reporting, not cyber-threat analysis. There are many external sources of threat data available, such as government channels, industry associations, and commercial data feeds. However, most organizations are not fully utilizing these sources. In addition, in order to maximize their value, many current information-sharing mechanisms would require increased participation.

Today's threats are dynamic and increasing in sophistication, requiring a fresh and more comprehensive approach to defense. This report provides a playbook for creating a new approach based on building an organizational competency in cyber-risk intelligence and fully leveraging data from internal and external sources. Advanced threats represent an escalating risk to business innovation. This report lays out a roadmap to achieving intelligence-driven information security in order to get ahead of the threats and protect critical information assets.

This ninth report of the Security for Business Innovation Council (SBIC) features the perspectives of top security leaders from Global 1000 companies, as well as a guest contributor from the U.S. National Council of ISACs (NCI).

William Boni, Corporate Information Security Officer (CISO), VP Enterprise Information Security, T-Mobile USA:
"Cyber-risk intelligence is table stakes in 21st-century commerce. If you want Internet access to a global array of customers and suppliers, then you have to invest in developing the intelligence capabilities to defend against global threats."

2 What Do Organizations Need to Know?

Organizations need to understand the cyber threats they face and their security posture against those threats. For this report, cyber-risk intelligence is defined as knowledge about cyber adversaries and their methods combined with knowledge about an organization's security posture against those adversaries and their methods. The goal is to produce actionable intelligence, which is knowledge that enables an organization to make risk decisions and take action. To gain that knowledge, organizations must take input data and process it. In this report, the term for that input data is cyber-risk data, and it is broadly defined as data that is collected and analyzed in order to prevent, detect, predict, and defend against cyber attacks.

Cyber-risk data

Data used to produce intelligence is available from a range of sources either external or internal to the organization. Open source is obtained from publicly available sources such as websites, as opposed to data from classified sources such as national-security agencies. It comes in many formats, such as word-of-mouth, emails, news feeds, automated data streams, output of numerous internal and external sensing platforms, and custom research. Some types, such as a list of IP addresses on a watch list, are generally applicable to all organizations. Other types are unique to one organization, for example notification that it is being targeted by a particular group.

To understand the intelligence process, it is important to recognize the distinction between intelligence and data or information. Data received from various sources as described above is typically raw data that needs to be reviewed, analyzed, and put in context in order to develop intelligence, which can then be used to make risk decisions.

Not all organizations will choose to collect all types of data from all sources. Some data may not be considered useful or may not be cost-effective to obtain. Other data may be deemed useful but not feasible to acquire yet, because an organization's processes and/or technology for handling that particular type of data still need to be set up and integrated. Moreover, collecting more and more data is not the end goal. Having volumes of unanalyzed or unused data is of no value to an organization. Ultimately, for the data to be valuable, the organization must be able to apply it defensively, for immediate action in combating a current or imminent cyber attack and/or for informing defensive strategies. As discussed in subsequent sections of this report, the defensive application must be determined through analysis, including fusing the data with other relevant facts and making a risk decision.

(Figure: sample code from the Ice IX Trojan, which was derived from the leaked code of the prolific banker Trojan, ZeuS.)

Charts 1 to 5 present categories of cyber-risk data including examples of sources, formats, and potential defensive applications. The charts reflect some typical examples of data formats that are used today. However, it should be acknowledged that, over time, for an intelligence program to be effective, many categories of data must become machine-readable. Currently, many organizations are heavily dependent on highly skilled analysts to process, for example, long lists of text. Instead, it would make sense to automate the processing of basic data, freeing up the analysts' time to do actual analyzing.
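The following Python script is an added example, not code from the report or from the Council, of the basic-data automation this section calls for. It parses a plain-text indicator alert of the kind Chart 1 lists (domains hosting malware, black-listed IP addresses) into machine-readable indicators, matches them against proxy log lines, and fuses the hits with an asset inventory (Chart 4) so the most valuable affected system comes first. The alert text, log lines, host names, and asset values are all constructed for the example and are not real indicators.

```python
"""Turn a free-text indicator alert into machine-readable indicators, match
them against local logs, and rank hits by the affected asset's value.

Added example; not from the SBIC report. Every input below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a plain-text alert as an ISAC or CERT might circulate
# (Chart 1). The domains use reserved example names; the IPs are
# documentation ranges (RFC 5737). Not a real alert.
SAMPLE_ALERT = """\
Subject: [ISAC-ALERT] Phishing infrastructure observed this week

The following domains were observed hosting credential-phishing pages:
  update-portal.example.net
  secure-login.example.org

Command-and-control traffic was seen to these addresses:
  198.51.100.23
  203.0.113.0/24
"""

# Constructed proxy log lines: timestamp, internal host, key=value fields.
SAMPLE_LOG = """\
2012-03-01T09:14:02Z ws-0421 dst=update-portal.example.net proto=http
2012-03-01T09:15:10Z ws-0421 dst=cdn.vendor.example proto=http
2012-03-01T09:17:45Z rd-srv-07 dst=203.0.113.88 proto=tcp/443
2012-03-01T09:20:01Z ws-1102 dst=198.51.100.23 proto=tcp/8080
2012-03-01T09:21:33Z ws-1102 dst=mail.example.com proto=tcp/25
"""

# Constructed asset inventory (Chart 4): relative value 1 (low) to 5 (high).
ASSET_VALUE = {"rd-srv-07": 5, "ws-0421": 2, "ws-1102": 1}

DOMAIN_RE = re.compile(r"^\s*([a-z0-9-]+(?:\.[a-z0-9-]+)+)\s*$", re.I)
CIDR_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s*$")


def parse_alert(text):
    """Extract (domains, networks) from free-form alert text.

    Only lines consisting solely of a domain or an IPv4 address/CIDR are
    taken; prose lines are ignored. Single IPs become /32 networks so one
    matching routine handles both.
    """
    domains, networks = set(), []
    for line in text.splitlines():
        m = CIDR_RE.match(line)
        if m:
            networks.append(ipaddress.ip_network(m.group(1), strict=False))
            continue
        m = DOMAIN_RE.match(line)
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains, networks


def match_log(log_text, domains, networks):
    """Yield (host, destination, matched_indicator) for each log line whose
    dst field is a listed domain or falls inside a listed network."""
    for line in log_text.splitlines():
        parts = line.split()
        host = parts[1]
        fields = dict(f.split("=", 1) for f in parts[2:] if "=" in f)
        dst = fields.get("dst", "").lower()
        if dst in domains:
            yield host, dst, dst
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # destination is a hostname not on the list
        for net in networks:
            if addr in net:
                yield host, dst, str(net)
                break


def prioritize(hits):
    """Fuse hits with asset value: one (value, host, indicators) entry per
    host, most valuable affected asset first."""
    per_host = defaultdict(set)
    for host, _dst, indicator in hits:
        per_host[host].add(indicator)
    return sorted(
        ((ASSET_VALUE.get(h, 0), h, sorted(inds)) for h, inds in per_host.items()),
        reverse=True,
    )


def run(alert=SAMPLE_ALERT, log=SAMPLE_LOG):
    domains, networks = parse_alert(alert)
    return prioritize(match_log(log, domains, networks))


if __name__ == "__main__":
    for value, host, inds in run():
        print(f"asset_value={value} host={host} indicators={','.join(inds)}")
```

The point of `prioritize` is the fusion step the text describes: an indicator hit on its own says only that a host talked to a listed address; combined with the asset inventory it becomes a risk decision (the R&D server is investigated before the two workstations). Replacing `SAMPLE_ALERT` with a real alert and `SAMPLE_LOG` with exported proxy logs is all that is needed to run it on live data.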
Charts 1-5: Categories of Cyber-Risk Data with Examples

Each category answers a different question about the threats and an organization's security posture against them. Every entry lists the example input data, followed by the example sources, the example formats, and the potential defensive application (which always depends on analysis).

Acronyms used in charts:
CERT: Computer Emergency Response Team
NVD: National Vulnerability Database
ISAC: Information Sharing and Analysis Center
SQL: Structured Query Language
WARP: Warning, Advice, and Reporting Point
SIEM: Security Information and Event Management
MSSP: Managed Security Service Provider
DLP: Data Loss Prevention
DDoS: Distributed Denial of Service
GRC: Governance, Risk, and Compliance

Chart 1: Input Data on Cyber Adversaries and Their Methods (External Sources)

Cyber-attack indicators: What signs are other organizations seeing that could be used by us to prevent, detect, or predict a cyber attack?
• Description of spear-phishing emails. Sources: open source, government sources, industry partners, sector ISACs. Formats: email alert. Application: identify and block these emails.
• Lists of domains hosting malware. Sources: open source, government sources, industry partners, sector ISACs. Formats: email alert, listserv. Application: identify and block traffic to these domains.
• List of black-listed IP addresses. Sources: open source, government sources, industry partners, sector ISACs, vendor lists. Formats: email alert, threat feed. Application: identify and block traffic to these IP addresses.
• Set of binaries used by attackers. Sources: vendor lists, MSSP, cloud service. Formats: threat feed, tool output. Application: identify and remove malware.

Cyber-attack techniques: What have others learned about attack techniques that could be used to prevent, detect, predict, or defend against cyber attacks?
• Description of attack pattern using multiple vectors including social engineering. Sources: law enforcement cyber-intelligence agencies, industry partners. Formats: briefing, in-person meeting. Application: update detection methods and implement ways to block this attack technique.
• Description of new exploit involving mobile devices. Sources: government CERTs, vendor community. Formats: email alert. Application: update controls on mobile devices.

Cyber attackers' motives and targets: What are our actual or potential cyber adversaries trying to accomplish?
• Explanation of trend whereby attackers select corporations with certain policies to hit with aggressive DDoS attacks. Sources: government agencies, law enforcement cyber-intelligence agencies, industry partners. Formats: information on hacktivism. Application: shore up DDoS defenses.
• Evidence that attackers are pursuing the company's intellectual property, such as new product plans or proprietary financial figures. Sources: commercial threat-intelligence services, law enforcement cyber-intelligence agencies. Formats: threat feed, custom research. Application: increase protection of targeted assets.
• Evidence that nation-state operatives are stealing proprietary information from companies in the same industry. Sources: government agencies, commercial threat-intelligence services, law enforcement cyber-intelligence agencies. Formats: classified briefing, custom research, in-person meeting. Application: increase protection of targeted assets.

Cyber attackers' identities: Who are our actual or potential attackers?
• Specific information on attackers' identities: name and location of particular criminal groups which are targeting the company. Sources: government agencies, commercial threat-intelligence services, law enforcement cyber-intelligence agencies. Formats: classified briefing, custom research, in-person meeting. Application: learn to recognize specific attackers' footprints.

Chart 2: Input Data on Cyber Incidents and Countermeasures (External Sources)

External incident information: What can we learn from incidents at other organizations to prevent, detect, predict, or defend against cyber attacks?
• Details regarding a company in the same industry disclosing a massive data breach. Sources: media, sector ISACs, industry partners. Formats: news websites, email alert, information portals. Application: integrate lessons learned into defensive strategies.

Countermeasures and defensive techniques: What best practices can we learn from other organizations to defend against cyber attacks?
• Description of new procedures for protecting admin accounts from hijacking. Sources: peer organizations, sector ISACs. Formats: email alert, information portals, in-person meeting. Application: implement new controls around admin accounts.

Chart 3: Input Data on an Organization's Security Posture Relative to Cyber Threats (External Sources)

General vulnerabilities: Are there vulnerabilities in software/hardware that could make us prone to attack?
• Description of operating-system vulnerability. Sources: government CERTs, vendor community. Formats: NVD data feed. Application: implement patch.
• Description of SQL injection vulnerability. Sources: sector ISACs, vendor community, commercial threat-intelligence services. Formats: email alert. Application: update application.

Specific vulnerabilities: Are there specific vulnerabilities regarding our systems that could make us prone to attack?
• Discovery of a set of the company's access credentials on hacker websites. Sources: cybercrime-intelligence service vendors. Formats: custom research. Application: update credentials.

Felix Mohan, Senior Vice President and Chief Information Security Officer, Airtel:
"The threat can be broken down into three components: intent, opportunity, and capability. Organizations need to know, What is the intent of adversaries? What are the opportunities available to them? And what capabilities do they have to exploit the opportunities?"

Chart 4: Input Data on an Organization's Security Posture Relative to Cyber Threats (Internal Sources)

Information-assets inventory: What are our most important information assets to protect and where are they located?
• Periodic inventory of high-value assets including asset type, relative value to the organization, location, and security exposure. Sources: risk-management team. Formats: internal report. Application: establish status and location of systems containing IP to ensure adequate protection.

Employee observations: What suspicious activities are employees observing that could be signs of a current or future cyber attack?
• Reports of phone calls being received by members of the R&D team asking about colleagues. Sources: employees' communications, employees' entries into the knowledge-management system. Formats: emails to Security, knowledge-management system alert. Application: determine attackers' methods and increase security controls to protect targeted assets.

Business strategy: What elements of our strategy would create possible opportunities for a current or future cyber attack?
• Information regarding outsourcing of business processes to external IT providers. Sources: business/mission owners. Formats: internal reporting. Application: implement real-time monitoring of new business partners' systems and security controls.
• Notice that the company will be undergoing merger negotiations. Sources: finance department, legal department. Formats: confidential memo to Security. Application: implement increased monitoring and controls around privileged users involved in negotiations.
• Evidence that a reduction in workforce is creating disgruntled employees. Sources: human resources department. Formats: confidential memo to Security. Application: implement increased monitoring and controls for employees with access to protected assets.

Internal incident information: What can we learn from past cyber incidents to prevent, detect, predict, or defend against future ones?
• Report regarding malware that was detected and remediated. Sources: security-operations team. Formats: incident report. Application: integrate lessons learned and strategy to shorten the kill chain in the future.

Chart 5: Input Data on an Organization's Security Posture Relative to the Cyber Threats (IT and Security Sources)

Cyber-risk infrastructure events: Are events within the security infrastructure signs of a current or future attack?
• Warning that unauthorized connections to servers were attempted. Sources: correlated SIEM events. Formats: system alerts. Application: determine source of attack and target of interest; disrupt attacker and investigate further.
• Signs of command-and-control activity, data exfiltration, or other lateral movement. Sources: full packet capture, DLP or SIEM events. Formats: system alerts. Application: determine source of attack and target of interest; disrupt attacker and investigate further.

End-user and system behavior data: Is end-user or system behavior signaling a possible current or future cyber attack?
• Sign of an unusual admin remote login, by comparison with a baseline. Sources: authentication log, SIEM. Formats: log-analysis alerts. Application: determine source of attack and target of interest; disrupt attacker and investigate further.
• Sign of increasing password resets (a notable trend). Sources: full packet capture, application logs. Formats: system alerts. Application: determine source of attack and target of interest; disrupt attacker and investigate further.
• Sign of unusual data movement: traffic outside of the norm or to unusual destinations. Sources: full packet capture, application logs. Formats: system alerts. Application: determine source of attack and target of interest; disrupt attacker and investigate further.

Status of controls: What is the condition of our current cyber defenses?
• Notification that a major business line did not complete mandatory password resets for all users. Sources: GRC system. Formats: system report. Application: increase monitoring on specific systems until remediated.
• Notification of upload-policy violations. Sources: DLP system. Formats: system report. Application: increase monitoring on specific systems and investigate further.
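As an added example that is not part of the report, the Python below implements the "unusual admin remote login, by comparison with a baseline" row of Chart 5 (and the baseline-for-normal-activity idea the introduction raises). It builds a per-account baseline of source networks, authentication methods, and login hours from a history of successful admin logins, then scores new events against that baseline and returns the reasons for each deviation. The log lines, account names, source-network labels, and the two-hour tolerance (`hour_slack`) are all constructed assumptions for the example.

```python
"""Flag admin remote logins that deviate from a per-account baseline.

Added example; not from the SBIC report. All log data is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of successful remote admin logins (the baseline period).
# Line format: ISO-8601 UTC timestamp, account, key=value fields.
BASELINE_LOG = """\
2012-02-06T08:55:12Z admin.jdoe src=corp-vpn method=token
2012-02-07T09:02:41Z admin.jdoe src=corp-vpn method=token
2012-02-08T08:48:03Z admin.jdoe src=corp-vpn method=token
2012-02-09T17:20:55Z admin.jdoe src=corp-vpn method=token
2012-02-10T09:11:30Z admin.jdoe src=corp-vpn method=token
2012-02-06T22:10:09Z admin.ops src=dc-jumphost method=token
2012-02-07T23:05:18Z admin.ops src=dc-jumphost method=token
2012-02-08T22:47:50Z admin.ops src=dc-jumphost method=token
"""

# Constructed new events to score against the baseline.
NEW_LOG = """\
2012-03-01T08:59:44Z admin.jdoe src=corp-vpn method=token
2012-03-01T03:12:07Z admin.jdoe src=hotel-wifi method=password
2012-03-01T22:30:00Z admin.ops src=dc-jumphost method=token
2012-03-02T11:00:00Z admin.ops src=dc-jumphost method=token
"""


def parse(log_text):
    """Parse one event per line into a dict with a datetime and the
    key=value fields (src, method)."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
              "account": parts[1]}
        ev.update(f.split("=", 1) for f in parts[2:])
        events.append(ev)
    return events


def build_baseline(events):
    """Per account: the source networks, auth methods, and UTC hours of day
    observed during the baseline period."""
    base = defaultdict(lambda: {"src": set(), "method": set(), "hours": set()})
    for ev in events:
        b = base[ev["account"]]
        b["src"].add(ev["src"])
        b["method"].add(ev["method"])
        b["hours"].add(ev["ts"].hour)
    return base


def _hour_distance(a, b):
    """Circular distance between two hours of day (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score(ev, baseline, hour_slack=2):
    """Return the list of deviation reasons for one event; an empty list
    means the login looks like the account's normal pattern. An account
    with no baseline at all is itself reported. hour_slack (hours) is an
    assumed tolerance for this example."""
    b = baseline.get(ev["account"])
    if b is None:
        return ["no-baseline-for-account"]
    reasons = []
    if ev["src"] not in b["src"]:
        reasons.append(f"new-source:{ev['src']}")
    if ev["method"] not in b["method"]:
        reasons.append(f"new-method:{ev['method']}")
    hour = ev["ts"].hour
    if all(_hour_distance(hour, h) > hour_slack for h in b["hours"]):
        reasons.append(f"off-hours:{hour:02d}Z")
    return reasons


def find_deviations(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    """Return (timestamp, account, reasons) for every new event that
    deviates from its account's baseline, in log order."""
    baseline = build_baseline(parse(baseline_log))
    out = []
    for ev in parse(new_log):
        reasons = score(ev, baseline)
        if reasons:
            out.append((ev["ts"].isoformat(), ev["account"], reasons))
    return out


if __name__ == "__main__":
    for ts, account, reasons in find_deviations():
        print(f"{ts} {account} {' '.join(reasons)}")
```

The output is the "log-analysis alert" of Chart 5: the 03:12 login for admin.jdoe from an unknown network with a password instead of a token carries three reasons at once and is the event an analyst would pull first; the admin.ops login at 11:00 differs only in time and is a lower-priority anomaly. In practice the baseline window, the features compared, and the tolerance would be tuned per environment rather than fixed as they are here.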
time for a new approach?3Time for a New Approach Intelligence-Driven Information SecurityD Depending on the maturity of the information-security program, organizations may alreadyintegrate cyber-risk data into their defensiveDefiNitioNintelligence-driven information securityDeveloping real-time knowledge on threatsstrategies. For example, it is fairly commonfor organizations to have a basic vulnerability-and the organizations posture against thosemanagement program for collecting data on softwarethreats in order to prevent, detect, and/orand hardware vulnerabilities and ensuring systems predict attacks, make risk decisions, optimizedefensive strategies, and enable action.are adequately patched and updated. Many securityprofessionals read industry publications such asvendor reports on malware and data breaches andconsider this information when creating securitystrategies.For most information-security programs,There is mounting evidence that organizations inhowever, data collection and analysis are not strong a wide range of industries are increasingly targetedsuits. Collection from external sources is often by sophisticated adversaries. For example, afragmented and not integrated with internal data recent report by the U.S. Office of the Nationalsources. And although many organizations collect Counterintelligence Executive1 states, The pacereams of data from applications and security systems,of foreign economic collection and industrialthey arent harvesting and analyzing the data to espionage activities against major U.S. corporationsgain an understanding of their environment, such and U.S. government agencies is accelerating. Aas developing baselines for normal activity. Instead,major reason is the accessibility of sensitive datamuch of the data ends up as dead logs. in cyberspace. 
The report also indicates that manyMost organizations do not have a concerted companies are unaware when their sensitive dataeffort to collect, amalgamate, analyze, operationalize,is pilfered. Further, it suggests that areas of greatand manage cyber-risk data in order to develop interest to cyber spies include information andintelligence. Yet more and more organizations need communications technology, natural resources,this capability in order to defend against advanceddefense, energy, and healthcare/pharmaceuticals.threats.It can be hard to digest having to develop a tiM MCknightmulti-year plan to learn who your adversariesVice President and Chief Information Security Officer,are and how theyre going to steal from you. Northrop GrummanQuarter-by-quarter, you may not see any losses.It could be years until you see the losses whenall of a sudden, out of the blue, a company inanother part of the world becomes the leader inyour space, having subsidized itself with yourR&D investments.Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage,12009-2011, Office of the Director of National Intelligence/Office of the National Counterintelligence Executive, October 201110 | security for business innovAtion council report | RSA, The Security Division of EMC 13. time for a new approachOther studies indicate that companies across theglobe are being targeted. For example, the EnterpriseStrategy Group surveyed companies in the U.S. andEurope regarding advanced persistent threats (APTs)and found that 59% of security professionals surveyedat U.S. companies2 and 63% of those at Europeancompanies3 believe it is highly likely or likely thattheir organizations have been APT targets.In todays threat landscape, organizations facetargeted, complex, multi-modal attacks which canbe carried out over periods of time. 
They need to fuse together data drawn from multiple sources to effectively detect and mitigate attacks. They need comprehensive, accurate, and timely information to make informed decisions about defensive strategies. The time has come when successful defense requires evolving past conventional approaches in information security to developing competencies in data fusion, knowledge management, and analytics.

Change of mind-set required

Currently, many information-security programs are compliance-led: decision making about defensive strategies is based on the audit cycle or the need to simply meet a regulatory baseline. Another common approach is incident-led: decision making is based on day-to-day fire-fighting. What is needed is an intelligence-driven approach, whereby decisions are made based on real-time knowledge regarding the cyber adversaries and their attack methods, and the organization's security posture against them.

Some security professionals may see gaining intelligence about potential cyber threats as the government's responsibility, but it is unrealistic for any national government to take on threat analysis for each specific organization, especially in the private sector. Governments don't have the resources nor do they have the mandate. It is the organization itself that knows its own business or mission, market position, asset valuation, and vulnerabilities and can make the best determination of the cyber threats it confronts. However, governments can play an important role in providing cyber-risk intelligence and fostering information sharing.

Building an intelligence capability will also require developing a counterintelligence and operational security mind-set among the entire extended security team. This means seeing one's own organization from the perspective of the adversaries who are targeting it, being able to understand their tools and techniques, and identifying potential vulnerabilities before they do.

Key features

An intelligence capability applies expertise, processes, and tools to:
- consistently collect the right data from the right sources
- efficiently amalgamate, analyze, and manage the data
- develop knowledge and produce actionable intelligence
- make risk decisions and take action by modifying controls or planning new defenses
- share relevant pieces of data such as attack indicators with other organizations

Building this capability will require investments in people, process, and technology. Of course, not every organization has to achieve the intelligence capability of a national-security agency. But there is a large spectrum between having no accountability for intelligence and achieving the level required by a highly specialized threat environment. Every organization will need to determine its level of investment based on the particular threats it faces, the value of the assets it needs to protect, and its risk profile.

Organizations don't have to make huge investments to get started. They can start today using existing personnel, for example, to improve the collection and analysis of log data or to integrate open source threat intelligence. Over time, a key element will be automation to help decrease manual processes. Otherwise the collection and analysis of greater amounts of data could become onerous and resource-intensive. Another important aspect is having an agile program whereby protection methods can be dynamically put into place in response to the intelligence.

The vision is to harness the power of information to prevent, detect, and ultimately predict attacks. Getting ahead of threats requires an ability to see what's coming in order to determine appropriate action before an attack happens.

[2] U.S. Advanced Persistent Threat Analysis: Awareness, Response, and Readiness among Enterprise Organizations, Enterprise Strategy Group, October 2011
[3] Western Europe Advanced Persistent Threat (APT) Survey, Enterprise Strategy Group, October 2011

4. Roadmap to Intelligence-Driven Information Security

"If you're really serious about having an intelligence-driven program, you have to have the resources and a process for risk decision-making that enable rapid changes to your protection platform. You can have all the intelligence in the world, but if you're not going to do anything with it, don't go down this road because it's a lot of wasted effort."
Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.

The following roadmap lays out a basic route for developing an intelligence-driven approach to information security. While the exact route an organization takes will depend on its own unique circumstances, this roadmap offers some general direction and things to consider at various stages. The steps will likely be parallel endeavors but the focus of the program will move from one step to the next in sequence.

1. Start with the basics
2. Make the case
3. Find the right people
4. Build sources
5. Define a process
6. Implement automation

Step 1: Start with the basics

Inventory of strategic assets

A fundamental requirement of intelligence-driven information security is to have an inventory of strategic assets, since it will be impossible to collect data on everything and protect everything. Organizations need to know what the most important assets to protect are and where they are located. Over the past several years, many organizations have established an inventory of assets through a data-discovery process as part of their risk and compliance programs.

Incident-response process

Another requirement is a Security Operations Center (SOC) or Computer Emergency Response Team (CERT), either internally managed or run by a managed security services provider. To be ready to take on an intelligence program, the organization needs to have a foundation in place for monitoring the network for intrusions and a workflow process for responding to incidents. Ideally, this is a systematic process with well-defined roles.

Risk assessment

Organizations must also do a risk assessment. This involves determining the value of protected information assets, identifying potential sources of harm to those assets (threat assessment), determining the extent of existing vulnerabilities (vulnerability assessment), and evaluating the probability that the vulnerabilities could be successfully exploited and the potential impact to the organization. There are several good sources, including the National Institute for Science and Technology (NIST) and the SANS Institute, which provide detailed guidance on how to perform threat, vulnerability, and risk assessments.

Many organizations already routinely perform risk assessments as part of their security program. As the intelligence program progresses, there will be more data and better understanding which can be fed into ongoing risk assessments. But it is essential for an organization to begin with a basic understanding of the threats it faces and its risk posture.

"You need to align the intelligence process with your risk-management process. How the company identifies and measures risk needs to be understood and agreed to across the organization."
Ralph Salomon, Vice President, IT Security & Risk Office, Global IT, SAP AG

Step 2: Make the case

An essential component of developing an intelligence capability is communicating the benefits to executive management and key stakeholders in order to garner support and funding as well as to ensure ongoing enterprise-wide involvement in the effort. To be successful, intelligence-driven security must be an enterprise-wide core competency.

The value proposition

The main benefit is that the organization will be much better protected. By maximizing the use of available information, the organization can create and implement more precise defensive strategies against evolving threats. Security will not only improve but also become more cost-effective because it will be targeted at countering the most significant threats and protecting the most strategic assets. Knowledge will enable the security team to perform fact-based prioritization. They will know how to concentrate their efforts and where to make the right investments in controls.

An intelligence-driven approach enables the security team to actually achieve proactive security management. By asking the right questions, combining multiple pieces of key external and internal data, looking at the bigger picture, and examining threats and vulnerabilities on a longer-term horizon, an intelligence-driven approach provides a view of more than single events or day-to-day incidents. It allows the team to see emerging attack patterns and developments over time, and to eventually attain the necessary expertise to predict attacks and get ahead of the threats.

Key stakeholders

The communications strategy should not only convince key stakeholders of the benefits but also obtain their ongoing input to ensure success. Since intelligence-driven security is a new approach for many organizations, often it begins with developing a common language to use as the basis for discussions. The list below suggests possible key stakeholders and how they might be involved in the intelligence effort:
- Executive Management and the Board: top-level support; risk decisions
- Finance: funding strategies
- Human Resources: employee-activity monitoring
- Corporate Security: collaborative data collection and investigations
- Procurement: third-party risk management
- Business/Mission Owners: identification of strategic assets and risks to business
- Production/Operations: identification of strategic assets and risks to manufacturing operations
- Business Risk Officers: enterprise view of risks
- Legal: compliance to privacy regulations; legal frameworks for obtaining threat data and sharing information with other organizations; employee-activity monitoring
- IT: programming, analytics, and automation; IT architecture and defensive strategies; IT operations for data sharing and service-level management

Opportunities for a quick win

Strategically, developing a fully deployed intelligence capability is going to be a multi-year effort. Typically, it makes sense for the security team to start small with the objective of quickly showing some good results. A quick win will help them gain the support and funding needed.

Since cyber attacks have recently received a lot of media attention, there is generally an elevated level of awareness among executive leaders and boards regarding the risks posed by advanced threats. Security teams can take advantage of this increased interest to propose cyber-risk intelligence projects as an integrated part of their security strategy. Leadership may be more open to providing the required funding and support than in the past. However, the proposed project must align to current top priorities and be able to deliver information that is specific and critical to the business. Information on vague, broad risks will not be useful.

More often than not, an intelligence-driven approach gets started because the security team seizes an opportunity. For example, a specific risk is identified as critical to the business and intelligence is proven to be very useful in mitigating that specific risk. Or a security incident occurs and intelligence is proven to be very useful in detecting the attack and/or reducing the risk of future incidents. Chart 6 provides some possible examples of opportunities, drawn from real-world experiences of Council members and their peers.

Chart 6. Examples of quick-win opportunities to show value

Example 1
Opportunity: Executives express concerns regarding hacktivism based on media reports. Many other organizations with a similar risk profile are being targeted by hacktivists and some have suffered shut-down of websites.
Project: Data collection and analysis on this new class of threat. A member of the incident-response team is assigned to do research on the likelihood of the company being targeted by hacktivists, the impact, and how to defend against attacks.
Results: Threat briefing to executives leads to support for more technology resources for threat analysis. Based on research, specific adjustments made to DDoS defenses.

Example 2
Opportunity: A critical component of the organization's business strategy depends on partnering with a new strategic partner.
Project: Data collection and analysis on a potential business partner. Short engagement with a threat-intelligence service to do research on potential threats to the business partner and the relationship.
Results: Threat briefing to executives leads to support for more funding for threat-intelligence services. Based on research, specific recommendations are made regarding security requirements for doing business with the partner.

Example 3
Opportunity: An insider incident involving systems containing IP leads to the awareness for increased protection of particular information assets.
Project: Data collection and analysis on the internal environment. Security team requests assistance from the business-intelligence team in developing baselines for end-user behavior in accessing a set of critical systems. Baselines established; able to monitor activity on those systems for anomalies.
Results: Security team has support of the organization to expand the number of systems for which to develop baselines of end-user behavior.

Example 4
Opportunity: A series of suspicious events leads to concern that certain systems have been compromised.
Project: Use of external threat data. A short engagement with a threat-discovery service to monitor outgoing communications for signs of attack based on the vendor's attack-indicator database. A botnet is detected and remediated.
Results: Security team has support of the organization to expand the number of systems for which to develop baselines of end-user behavior.

"In many organizations, improvements in security happen when there are incidents. It's human nature. Management will listen to the security team and agree to improvements at other times but they seem to get more interested and provide funding when there is an incident."
Petri Kuivala, Chief Information Security Officer, Nokia

Step 3: Find the right people

The skill set for cyber-risk intelligence professionals is quite different from the traditional skill set within the security department.
Historically, security professionals required technical skills such as system administration or network administration skills, but cyber-risk intelligence teams require a different set of skills which are focused on determining how attack techniques might be used against the organization's IT infrastructure. It is a relatively senior role that also requires an ability to evaluate risks and make reasoned judgement calls. Analytical skills and experience are crucial in order to look at what appear to be unrelated pieces of data to draw linkages, uncover patterns, see trends, and make predictions. Knowing how to construct and refine analytical models and work with other professionals such as programmers are also necessary skills, as well as specific expertise in network- and system-behavior analysis.

One of the most important aspects of the role is building and maintaining good relationships. Communication and writing skills are essential, such as being able to craft messages for various audiences. Other facets of the job will require skills in designing and managing processes, developing procedures, and implementing tools for the intelligence program. Being inquisitive and investigative are useful traits for performing research.

Depending on the organization's threat level and objectives for the program, there may be a need for people on the intelligence team who have the skills to do active research such as working in underground channels in order to collect intelligence on the adversaries. This could require specialized technical knowledge and skills in foreign languages and cultures. However, most organizations that decide to pursue detailed information on adversaries and their specific plots turn to threat-intelligence services. The advantages are that the threat-intelligence services already have established methodologies for active research and have amassed a wealth of experience working with a wide spectrum of clients. The drawbacks are that the services can be costly for smaller organizations and an external service provider may not have a deep understanding of each individual organization's business. If an organization works with a threat-intelligence service, internal team members must be able to define the search parameters so that the service provider can deliver relevant information and also be able to put the information provided in context.

The title for the emerging role of cyber-risk intelligence professional is analyst. Job descriptions vary depending on the goals and maturity of the program as well as the organizational structure. A sample job description for a Cyber-Risk Intelligence Analyst is provided in the sidebar on page 16.

"Cyber-risk intelligence requires a skill set combining abilities to understand various threats, the business environment, and security controls in order to determine the risks to the business and what controls would mitigate those risks."
Dave Martin, Chief Security Officer, EMC Corporation

This could be challenging for a single individual to accomplish. One approach is to have a multi-disciplinary team, combining people who have the requisite skills. Many organizations do not have the resources to build a large dedicated team, especially in the early stages of an intelligence program. Instead, they might start by forming a virtual team by getting people from various departments to spend some time looking at security threats from different angles. Or, they might designate existing security resources, for example enlist senior members of the team to allocate time to cyber-intelligence functions. Over time, the organization may dedicate full-time resources and/or hire people.

Finding the right people can be a challenge. Since cyber-risk intelligence is an emerging discipline, the skills are not widely available yet. But there are several good potential sources, including developing people from within the existing incident-response or forensics team or hiring professionals with a background in federal law enforcement, military intelligence, or banking-fraud analysis. Depending on the organizational structure, the cyber-risk intelligence team could reside within the information-security department or in an enterprise intelligence fusion center, which includes other analysts working in areas such as physical security, supply chain, and competitive intelligence.

Job Description: Cyber-Risk Intelligence Analyst
- Determining sources of intelligence
- Ensuring consistent and effective collection of data from those sources
- Doing research
- Consuming information such as reading bulletins, memos, and reports
- Performing tests on the IT environment to check for attack indicators or known techniques
- Implementing automated methods of consuming data
- Analyzing information
  - Constructing and refining analytical models and running analytical tools
  - Developing threat scenarios
- Writing and presenting threat briefings for various audiences (daily, weekly, and quarterly briefings)
- Developing relationships and networks of contacts
  - Internal, such as the IT team and business lines
  - External, such as law enforcement, information-sharing associations, and peers at other companies
- Developing trusted communication channels
- Building an end-to-end intelligence process
- Working with other teams to act on the intelligence, such as improving detection or defensive strategies

"Intelligence is all about relationships. Most companies have tons of information internally but it's not being shared. They have tons of information accessible through their service providers but they're not asking the right questions. You need people who can create trusted communication channels to leverage all of these sources."
Marene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson

Step 4: Build sources

Good sources of cyber-risk data depend on what information is sought. Based on the current knowledge of threats and the organization's security posture against them, the cyber-risk intelligence team needs to determine what additional data would help prevent, detect, or predict attacks. For instance, the team may decide to improve the collection of cyber-attack indicators from external sources to increase the likelihood of catching a potential problem. There may be a surge of spear-phishing emails affecting one of the business units and the team wants to know if and when other units get hit. They may see potential for an APT-style attack and want to know who could be targeting them.

Once information requirements are determined, the team can seek out good sources. Various types and key factors are presented in Charts 7-11. Finding good sources is an ongoing process: information requirements need to be reviewed, current sources assessed to determine if they meet requirements, and new sources researched and evaluated. As well, as data is collected and analyzed, sources may need to be adapted on the fly. Even trusted sources could get things wrong. Keep in mind that sources vary significantly in quality and scope. Some of the best sources may cost very little and some of the worst may cost a lot. The value of the data from each source should be tracked so that, over time, the team can judge how good particular sources are.

"If something happens at your organization, the first question you'll ask is, 'Is it just me or is everybody else getting hit with this attack?' You can't answer that for yourself. And it takes too long to call 20 of your closest friends. You've got to be part of a larger gene pool to get an immediate answer to that question."
Renee Guttmann, Chief Information Security Officer, The Coca-Cola Company

Evaluation criteria

The cyber-risk intelligence team should not only consider the attributes of the source but also the organization's ability to make use of the data from that source. Questions include:
- How trustworthy is the source? Does the source provide consistent, reliable, accurate, trustworthy data?
- Are we able to effectively collect and consume data from this source?
  - Is the data machine-readable or does it require human intervention?
  - If it is machine-readable, what format is it in and do we have the right tools in place to use it in an automated fashion? (For example, could we integrate the data with our Security Information and Event Management (SIEM) system?)
  - If it requires human intervention, do we have the right people to review it, analyze it, and/or use it to manually perform tests on our environment?
  - Do we have a data-management process that can ensure the confidentiality and integrity of the data and handle sensitive data (for example, if the source can't be quoted)?
- If the source is our internal IT infrastructure, do we have the right tools to capture or generate the right data? Could we reconfigure logging or correlation rules to get the data we need? Or would we need additional tools to generate the required data?
- Do we have the time to invest in fostering the relationships that may be required to work with this source? (Internal or external sources often require relationships.)
- What are the costs involved?
  - Are there up-front costs to receive the information? Is there a membership fee? Subscription-based fee? Service fee? Would it be a custom engagement?
  - How many personnel will it take to collect and make use of the data?
- If it's an information-sharing arrangement, are the required processes in place?
  - Do we trust that the data we provide to others will be handled with care, for example be kept confidential or de-identified if distributed?
  - Do we have a policy for determining what data will be shared with external entities and how?
  - Have we established the legal frameworks, rules of engagement, and/or agreements (NDA) for working with this source?
  - How much time and effort will it require to package up our data in order to share with external entities?
- Is the data provided by this source actionable? Or is it too vague and broad to use?
- Is the data additive? Does it provide corroborating information? Or is it redundant data that we already obtain from another source?

"Build your source material whether from government or commercial sources, individuals in your organization, or business-intelligence processes. Your sources have to be broad enough to catch what might be disconnected elements of a common risk."
David Kent, Vice President, Global Risk and Business Resources, Genzyme

Relationships: the underpinning of good sources

Finding good sources is often predicated on building good relationships. Getting information requires having the right contacts who will share data based on trust. Relationships must be developed and maintained with colleagues throughout the organization, peers at other companies, law enforcement, government officials, and personnel from industry associations, in order to cultivate useful sources of intelligence.

The team needs to collect enough information to perform meaningful analysis but the goal is not to collect data on everything from everywhere. The team has to prioritize based on the threat model and the information they are trying to protect, as well as the total costs of data collection and use. In addition, it should be recognized that often the team has to begin an analysis with incomplete information.

Sources of cyber-risk data

Chart 7. Government sources

Type of source: Computer Emergency Response Agencies
Examples: U.S.: US-CERT. Europe: CERT-FI (Finland), DFN-CERT (Germany), GOVCERT.NL (Netherlands), GovCERT and CPNI (UK). India: CERT-In. Global: FIRST. Australia: AusCERT.
Data provided: Reports, advisories, and alerts on threats and vulnerabilities; best practices and security tips; attack indicators*.
Key factors: Threat data is mainly non-automated via emails and web postings. Vulnerability data often in machine-readable formats. Some CERTs are membership-based.

Type of source: Federal government security agencies
Examples: U.S.: DHS, NSA. UK: GCHQ, Home Office. Germany: BSI. Australia: DSD.
Data provided: Reports, advisories, and alerts on threats and vulnerabilities; threat briefings; attack indicators.
Key factors: Publicly available data on the threats is mainly non-automated via web postings. Vulnerability data sometimes provided in machine-readable formats. Indicator databases starting to be available (DHS). Classified data cannot be shared widely. Unclassified briefings provided to certain enterprises.

Type of source: Law enforcement
Examples: Local police: cyber-crime offices. National police such as FBI/InfraGard (U.S.), SOCA (UK), BKA (Germany). International: INTERPOL.
Data provided: Cyber-crime reports; data on attack techniques; validation of criminal activity; attack indicators.
Key factors: For specific information (versus public reports), need to navigate through the system to find good contacts. Mostly non-automated data.

* Attack indicators include: black-listed IP addresses, domain names, command and control servers, phishing sites, email addresses, file names, binaries, and malware signatures.
Chart 8. Industry associations and networks

Type of source: Information-sharing associations
Examples: U.S. sectorial: ISACs such as the FS-ISAC and IT-ISAC, and ES-ISAC. U.S. energy: EnergySec. U.S. Defense Industrial Base: DCISE. U.S. public/private: ESF. Europe: ENISA. UK: WARPs, UKPA. Global IT industry: ICASI. Regional: PRISEM, ACSC. Vendor: RSA eFraudNetwork.
Data provided: Reports, advisories, and alerts on threats and vulnerabilities; best practices and security tips; attack indicators.
Key factors: Mainly non-automated data provided via emails and web postings. Some associations are moving towards providing some automated data feeds. Typically membership-based with a range of fees.

Type of source: Informal information-sharing groups
Examples: Informal networks of security professionals from a local area or a vertical industry.
Data provided: Information on threats and vulnerabilities.
Key factors: Mostly face-to-face meetings.

Type of source: Peers at other companies
Examples: Members of the security, incident-response, and/or intelligence teams.
Data provided: Best practices and security tips; validation of similar activity on their networks; attack indicators.
Key factors: Mainly non-automated data shared via personal contact, phone calls, and emails. Presentations at conferences.

Type of source: Security researchers
Examples: Academic or industry-supported.
Data provided: Vulnerability information; potential threat scenarios; defensive methods.
Key factors: Mainly information provided through personal contact, networking events, and conferences.

Chart 9. Commercial sources

Type of source: Threat feeds
Examples: ZeusTracker, Bit9, SANS Internet Storm Center, Malware Domain List, Stopbadware, Team-Cymru, IPtrust.com, RSA AFCC.
Data provided: Attack indicators.
Key factors: Typically subscription fee-based or pay-per-view. Machine-readable data in various formats. Threat feeds are integrated with technology platforms such as threat-detection and security-intelligence systems.

Type of source: Threat-intelligence research services
Examples: Cyveillance, iDefense, iSightPartners, RSA CyberCrime Intelligence Service, Mandiant.
Data provided: Data on specific attackers and their techniques, as well as investigations of compromise.
Key factors: Various types of engagements. Delineate services to be provided via a statement of work.

Chart 10. Extended enterprise sources

Type of source: Business partners
Examples: Supply chain; business-process outsourcers; service providers.
Data provided: Best practices and security tips; validation of similar activity on their networks; attack indicators.
Key factors: Mainly non-automated data via personal contact, phone calls, and emails. Include information-sharing obligations in contract.

Type of source: Managed security service providers
Examples: AT&T; Verizon.
Data provided: Validation of similar activity on other networks.
Key factors: Include information-sharing obligations in contract.

Chart 11. Organization's internal sources

Type of source: Employees, contractors
Examples: Enterprise employees; resident contractors.
Data provided: Observations of suspicious activities and/or incidents.
Key factors: Employee awareness required. Automated mechanism required for handling volumes of reporting. Hot line.

Type of source: Executives
Examples: Departments such as finance, corporate strategy, business lines.
Data provided: Discussions regarding business strategies and associated risks.
Key factors: Executive awareness required. Information-sharing working groups and/or forums.

Type of source: IT and security infrastructure
Examples: Business applications, GRC systems, SIEM systems, network-monitoring systems.
Data provided: Logs, alerts, and reports.
Key factors: Machine-readable data. Advanced analysis tools often used to amalgamate data from these sources, for example to baseline normal activity.

Step 5: Define a process

For designing a cyber-risk intelligence program, the goal is a standardized methodology that produces actionable intelligence and ensures an appropriate response. Given the nature of intelligence, the process will need to work on both a tactical and a strategic timescale. Certain information such as precise, real-time attack indicators will call for immediate action, while other information such as knowledge of protracted attack techniques will require longer-term defensive initiatives. Intelligence needs to inform not only day-to-day operations but also provide a more strategic outlook over a period of years.

The diagram below is an illustration of a basic process for collecting data, extracting meaning, making risk decisions, and taking action. It is set up as a feedback loop so that as knowledge is gained, it is fed back into the system. For example, if an action is taken to modify security controls, data on the updated security posture becomes new input data.

[Diagram: the basic stages of an intelligence process, drawn as a loop: Obtain data, Filter data, Perform analysis, Make risk decision, Communicate results, Take action, feeding back into Obtain data.]

The basic stages of a process can be described as follows:

- Obtain data: Input data from external and internal sources is collected and indexed.

- Filter data: Data that is irrelevant, not credible, or too vague is removed. Irrelevant data could be exploits involving technologies not used or attacks targeting assets that are not owned by the organization. Data that is judged not credible could be based on previous experience with that source providing unreliable data or on receiving conflicting data.

- Perform analysis: Various pieces of data are amalgamated, correlated, and studied to determine how they all relate. Analysis is typically a mix of manual and automated techniques (from white-boarding to interactive analytics). Analyses include an initial assessment of the risk and options for risk mitigation.

- Communicate results: Ideally, exigent risks are surfaced to an automated dashboard for immediate attention by the Security Operations Center (SOC), for example if the analysis finds evidence within the IT environment of outbound traffic to an adversary's command and control server. For communicating the results of ongoing analyses, an effective method is a system of regular intelligence briefings to key stakeholders. For example, the results of analysis may include intelligence on the intent of adversaries, potential opportunities available to them, and/or the capabilities they may have to exploit the opportunities. Briefings can be provided to different audiences at various time intervals, for example daily briefings to the security team, weekly briefings to IT, monthly briefings to an executive risk committee, and quarterly briefings to executive leadership. Besides regular briefings, out-of-band procedures for communicating high risks are also needed. For example, proof of an imminent attack affecting critical systems might be communicated right away, versus indications of a possible future attack which would be included in a regular threat briefing.

- Make risk decision: Ideally, for exigent risks, a protocol has been set for the SOC to make a risk determination and take immediate action. For other critical risks, once they are identified and communicated by the intelligence team, depending on the risk, other stakeholders (such as IT, business/mission owners, risk officers, executives) may weigh in on the risk assessment and options for mitigation. A risk calculation is performed considering the potential impact to the organization versus the costs to mitigate the risk. A decision is made regarding actions to be taken for each specific risk.

- Take action: The action required will range from reconfiguring security tools to overhauling network architecture and implementing new security controls. A few examples of possible actions that could be taken in response to intelligence include:
  - Change a firewall rule across the organization.
  - Develop a new correlation rule for the SIEM.
  - Rein in access privileges for a set of critical assets.
  - Segment the network to isolate certain critical assets.
  - Implement encryption for certain critical business processes.

The cyber-intelligence team cannot work in isolation. The security-management process should delineate who is involved at every stage. For example, the team must have the right relationships across the organization to coordinate a response to the intelligence. It will require relationships with members of the SOC, network operations, system administrators, and/or business lines, and so on. Certain situations may call for outside expertise such as malware forensics if not available in-house.

Having a flexible protection platform is also essential for rapid response. For example, with a centralized management architecture, large-scale firewall changes could be made quickly across hundreds of control points.

Operational responsibility for information security is typically dispersed throughout an organization but center-led by the Chief Information Security Officer (CISO). Therefore, creating an effective cyber-risk intelligence process will require bridging between organizational and data-management silos. It may be possible to leverage existing systems for facilitating data flows. For example, some organizations have set up a common database for all information- and physical-security incidents and/or have built knowledge-management and workflow processes for an enterprise risk-management program. An intelligence program could piggy-back on these types of efforts. However, new technologies may also be required.

"The process needs to be fast, fluid, and enable dynamic response, not be fixed, rigid, or stratified. If the goal is for the organization to outmaneuver cyber adversaries, the cyber-intelligence team can't get bogged down by bureaucracy."
williaM Boni Corporate Information Security Officer (CISO), VP Enterprise Information Security, T-Mobile USARSA, The Security Division of EMC | security for business innovAtion council report | 21 24. roadmap to intelligence-driven information security If you have intel on a threat which has not yet materialized into an attack, there may be a tendency to say, Well, it has not happened to us so far, why do we vishal salvi need to worry about it now? Response prioritizationChief Information Security Officer becomes very important and at the same time veryand Senior Vice President, HDFC Bank Limited challenging when its a prospective threat. step 6: implement automation It is important to recognize, though, thatimplementing technology solutions does not To facilitate the intelligence process,equal developing an intelligence-analysis process. organizations should look at opportunities for Automated systems make the large data sets automation. A cyber-risk intelligence programmanageable and accessible so that the analysts can inherently involves big data. For example, to keep more easily see relationships among disparate data up on current threats, an organization will probably types, identify connections, and notice patterns be collecting cyber-attack indicators from as many of activity forming; but they do not fulfill the reliable sources as possible. To gain insights into itsrequirements for the complete analysis. entire IT environment, it will be amassing logs andAlthough there is no silver-bullet technology for a full packet information from relevant systems andcyber-risk intelligence program, there are several network devices across the organization. technologies available today for automating elements The whole point of the intelligence effort is to of data collection, analysis, and management. 
There correlate and analyze data from multiple sources are four general areas in which leading organizations in order to understand the threats and the make technology investments for a cyber-risk organizations security posture against them. This intelligence program: program can easily accumulate vast amounts of data. Its simply not realistic to have humans handle alla. automating the consumption of threat feeds of it at every step. An effective program necessitates The format of cyber-attack indicators is automation and planning the storage, analytic, and sometimes a list of unstructured data. When it is network architectures. delivered in a non-automated fashion, such as viaemail text or website posting, it has to be processedmanually. For example, an analyst will enter it intoa database to check the IT infrastructure for thesesigns of attack.Fortunately, there are a growing number ofgovernment, industry-association, and commercialsources that provide automated threat feeds:machine-readable data such as comma-delimitedASCII. The technologies used to consume automatedthreat feeds are typically security informationand event management (SIEM) systems, network-monitoring and forensics systems, and/or security-intelligence databases.One of the challenges in working with automatedthreat feeds is that there is no standardization forhow the content is organized. The order of datafields varies from one feed to the next. Therefore, You get a fire hose of information from potentially thousands of sources and need somewhere to put it ideally a platform that enables fast searches in an un-normalised form, rapid analysis, and automated anomaly roBert roDger, detection. Group Head of Infrastructure Security, HSBC Holdings plc22 | security for business innovAtion council report | RSA, The Security Division of EMC 25. roadmap to intelligence-driven information securityOne of the biggest problems in the worldc. 
automating log analysis and full packet captureof intelligence is that you quickly drown in An area of focus for many cyber-risk intelligence programs is gaining visibility into the organizationsdata. You get masses of data, but you have own internal IT environment. Security-datato be able to derive knowledge from it, make analytics has emerged as an innovative approachit relevant and actionable that takes good modeled on business-intelligence systems, which process massive amounts of customer data totools and better still excellent analysts. spot fraud or business opportunities. Security intelligence systems process data such as end-user ProFessor Paul Dorey, Founder and Director, CSO Confidential and behavior and system activity to spot cyber-attack Former Chief Information Security Officer, BP indicators. The concept is to aggregate data logs and full packet data, such as application-access logs or network data that many organizations already routinely collect, then perform various functions such as baseline normal activity, discover anomalies, create alerts, develop trending, and even predict the data may need to be parsed before it is readableincidents. by a particular technology platform. However, there are aggregated threat-feed services that provided. automating the fusion of data from multiple indicators from multiple sources, pre-process the sources data, and parse it into a consistent format.Some organizations are taking an even bigger-Another way that organizations can integrate picture view and amalgamating cyber-risk data from automated threat feeds into their current both internal and external sources into a fusion environment is by implementing technology center or security-data warehouse. 
The idea is to platforms such as routers, anti-malware products, merge current data from the organizations IT and and adaptive-authentication solutions thatbusiness environments with the latest information automatically contain threat data.on threats into one large-scale analysis engine to achieve precise situational awareness. b. automating the collection of employeeThe vision is a big data view of information observationssecurity which will enable security teams to have Collecting information from thousands ofreal-time access to the entirety of information employees across a large global enterprise is relevant to security risks. Advances in database ultimately not feasible without some way to automatetechnologies, data-storage systems, computing power, the process. If the intelligence team is interested and analytics are helping organizations to realize this in gathering data from employees on potential orvision. actual incidents, reporting methods such as emails or phone calls to security simply do not scale. Increasingly, organizations implement knowledge- management systems for employees to report events to the intelligence team. These systems enable searching based on various parameters and can be customized to provide alerts. The main challenge will be getting employees to understand what events are to be reported and consistently use the system for reporting. RSA, The Security Division of EMC | security for business innovAtion council report | 23 26. 5 No Organization is an Island Improving Information Sharing Sharing information is not the end state. The end state is to get actionable information that will help improve corporations and governments cyber-security posture and continually raise the bar. 
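The following is an added example, not code from the report or from the Council, that strings together the obtain, filter, analyze, and communicate stages of the intelligence process on the feed-normalization problem described under step 6(a) above, and ends with the kind of actionable output the quote above asks for. Two constructed feeds with different column layouts are mapped onto one schema, filtered for relevance and credibility, merged across sources, and correlated against a constructed outbound proxy log so that connections to listed command-and-control addresses are ranked for the SOC. The feed layouts, the log format, the field-mapping table, and the priority rule are all assumptions made for the example; the addresses and names are from documentation and reserved ranges.

```python
import csv
import io

# Constructed sample feeds (documentation-range addresses and reserved names,
# not real indicators). The two sources lay out their columns differently,
# which is the "no standardization" problem the report describes.
FEED_VENDOR = """\
indicator,type,confidence,source
203.0.113.7,ip,high,vendor-a
bad-updates.example,domain,medium,vendor-a
198.51.100.42,ip,low,vendor-a
"""

FEED_ISAC = """\
kind|value|seen
domain|beacon.invalid|2012-01-05
ip|203.0.113.7|2012-01-04
md5|d41d8cd98f00b204e9800998ecf8427e|2012-01-02
"""

# Assumed per-feed mapping from canonical field names to each feed's own
# column names; a feed with no confidence column gets a default of "medium".
FEED_SCHEMAS = {
    "vendor-a": {"delimiter": ",", "value": "indicator", "kind": "type", "confidence": "confidence"},
    "isac": {"delimiter": "|", "value": "value", "kind": "kind", "confidence": None},
}
CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_feed(text, source):
    """Obtain data: read one feed into canonical records regardless of its column order."""
    schema = FEED_SCHEMAS[source]
    reader = csv.DictReader(io.StringIO(text), delimiter=schema["delimiter"])
    records = []
    for row in reader:
        conf = row[schema["confidence"]] if schema["confidence"] else "medium"
        records.append({"value": row[schema["value"]].strip().lower(),
                        "kind": row[schema["kind"]].strip().lower(),
                        "confidence": conf.strip().lower(),
                        "source": source})
    return records

def filter_indicators(records, relevant_kinds, min_confidence="medium"):
    """Filter data: drop indicator kinds the organization cannot act on here
    (e.g. file hashes for a network-monitoring use) and low-confidence entries."""
    floor = CONFIDENCE_RANK[min_confidence]
    return [r for r in records
            if r["kind"] in relevant_kinds and CONFIDENCE_RANK.get(r["confidence"], 0) >= floor]

def merge_indicators(records):
    """Perform analysis (1): amalgamate the same indicator reported by several feeds,
    keeping the highest confidence and the set of sources that reported it."""
    merged = {}
    for r in records:
        entry = merged.setdefault((r["kind"], r["value"]),
                                  {"confidence": r["confidence"], "sources": set()})
        entry["sources"].add(r["source"])
        if CONFIDENCE_RANK[r["confidence"]] > CONFIDENCE_RANK[entry["confidence"]]:
            entry["confidence"] = r["confidence"]
    return merged

def parse_log_line(line):
    """Parse one constructed 'timestamp key=value ...' proxy log line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def correlate(log_lines, merged):
    """Perform analysis (2) and communicate: match outbound connections against the
    merged indicators and rank each hit so exigent ones reach the SOC first."""
    hits = []
    for line in log_lines:
        ev = parse_log_line(line)
        for kind, field in (("ip", "dst"), ("domain", "host")):
            key = (kind, ev.get(field, "").lower())
            if key in merged:
                ind = merged[key]
                # Assumed priority rule: corroborated by two feeds, or rated high by one.
                exigent = len(ind["sources"]) > 1 or ind["confidence"] == "high"
                hits.append({"ts": ev["ts"], "src": ev["src"], "kind": kind,
                             "indicator": key[1], "sources": sorted(ind["sources"]),
                             "priority": "exigent" if exigent else "review"})
    return hits

# Constructed outbound proxy log: internal hosts talking to external addresses.
SAMPLE_LOG = [
    "2012-01-06T10:15:02Z src=10.1.4.23 dst=203.0.113.7 dport=443 action=allow",
    "2012-01-06T10:15:09Z src=10.1.4.23 dst=198.51.100.17 host=www.example.com dport=80 action=allow",
    "2012-01-06T10:16:40Z src=10.1.7.8 dst=198.51.100.9 host=beacon.invalid dport=8080 action=allow",
    "2012-01-06T10:17:12Z src=10.1.9.2 dst=198.51.100.42 dport=443 action=allow",
]

def run_pipeline(feeds=None, log_lines=None):
    """Obtain -> filter -> analyze -> communicate on the constructed sample data."""
    feeds = feeds or {"vendor-a": FEED_VENDOR, "isac": FEED_ISAC}
    records = [r for source, text in feeds.items() for r in parse_feed(text, source)]
    relevant = filter_indicators(records, relevant_kinds={"ip", "domain"})
    return correlate(log_lines or SAMPLE_LOG, merge_indicators(relevant))
```

Running `run_pipeline()` on the constructed data yields two hits: the connection to 203.0.113.7 is ranked exigent because two feeds report it and one rates it high, while the connection to beacon.invalid is ranked for review because only one feed lists it at default confidence. The low-confidence 198.51.100.42 entry and the file hash are dropped at the filter stage, so the fourth log line produces nothing; in a real program the filter thresholds and the relevant indicator kinds would come from the organization's own asset inventory and source-reliability history, as the report's filter stage describes.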
Sharing cyber-risk intelligence and defensive strategies has become imperative in today's threat landscape. No organization can realistically sit in isolation and still be able to defend itself. One of the most propitious aspects is the exchange of cyber-attack indicators. If large communities of organizations could readily and continuously exchange data on current attack methods, it would seriously impede attackers' operations. With an online early-warning system, organizations under attack could share attack profiles, so that others could prepare to defend themselves against similar (or even the very same) attacks.

Most information-security professionals have established informal networks of trusted contacts at other companies. Informal networks can be invaluable; they are often the most frequent way organizations share information. However, informal networks do not enable information sharing on a large scale. For achieving large-scale exchange of information, there are a growing number of industry or government-led information-sharing initiatives as well as public/private partnerships. A few examples from various geographies are provided in the chart below.

examples of information-sharing initiatives

Geography      Information-sharing initiatives
International  Forum of Incident Response and Security Teams (FIRST); Industry Consortium for Advancement of Security on the Internet (ICASI)
National       Computer Emergency Response Teams (CERTs) throughout Europe and Asia; Warning, Advice and Reporting Point (WARP) and CESG in the UK; Sectorial Information Sharing and Analysis Centers (ISACs), EnergySec, U.S.-CERT, Defense Industrial Base Collaborative Information Sharing Environment (DCISE), and Enduring Security Framework (ESF) in the U.S.
Regional       Public Regional Information Security Event Management (PRISEM) in Washington; Advanced Cyber-Security Center (ACSC) in Massachusetts

"You have to invest time in being an active member of an external network. To fight threats requires data. Other companies need to be willing to share data with you."
Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN Amro

Models of operation and profiles of members vary, but all of these entities have similar information-sharing goals. Also, since some are relatively new (formed in the past few years), they continue to evolve. Some entities have already become effective channels for information exchange. Other entities have not yet reached a critical mass of participation by all members.

There are many challenges to creating information-sharing mechanisms. Participation is often hindered by a lack of resources. As well, the confidential nature of the information makes it tough to share. Organizations have good reasons not to want others to know how they are being targeted by cyber adversaries. Enterprises are restricted by legal issues, competitive considerations, and fears of reputation loss. Government agencies are restricted by classification requirements and national-security concerns.

Designing a way to deliver cyber-attack indicators is also enormously difficult. How does one create a system to distribute data that needs to be tightly held, yet shared with the broadest amount of people in the shortest amount of time in a form that they can immediately consume?

The good news is that, especially in the past couple of years, more organizations have started to participate and extend their contributions to information-sharing initiatives. It has often been individual companies which lead the way, deciding to make the leap of faith by being among the first to provide data and expecting others to follow, which spurs participation. Groups such as the U.S. National Council of ISACs are also working to increase the number of organizations that participate, expand sector coverage, and improve cross-sector sharing. Governments in some parts of the world are actually starting to mandate participation, including provisions for legal protections. For example, the government of India recently mandated participation in information exchange for the banking and critical-infrastructure sectors. There are also efforts underway to facilitate sharing mass amounts of data. Several information exchanges have pilot or production programs for providing data in machine-readable formats.

As information-sharing groups have gained experience, a set of criteria has emerged as the key ingredients for a successful exchange entity, including:

- Trust among the participants
- Formalized structure (charter, board members, leadership, and professional staff)
- Adequate funding through government and/or membership fees
- Established protocol and clear rules for information sharing (what is to be shared with whom)
- Legal framework in which to share confidential information (NDA, government safe harbor)
- Standardized and reliable procedures for de-identifying confidential information to be distributed
- Streamlined mechanisms for submitting and distributing information (secure portal, encrypted email, and/or digitally signed machine-readable data)
- Genuine participation (through committed representatives and actual data contribution)

Trust and timeliness are essential components for information sharing. Within existing information-sharing groups, trust is still largely rooted in personal relationships, which does not create a sustainable system. Timeliness of information sharing continues to be a struggle as reliance is on particular individuals to post information in secure portals or securely email information. Automated data-exchange systems need to be established to remove the dependency on specific people. In addition, harmonized standards for representing attack information in machine-readable format, delivering it securely, and consuming it in real time would help to enable automation.

As cyber attacks continue to threaten enterprises and governments, more organizations will likely be motivated to invest in information sharing. An important factor paving the way is that organizations have the people, processes, and technologies in place to effectively participate in intelligence exchange.

6 Conclusion

The era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries have the means and methods to elude commonly used defenses, such as signature-based detection, it is clear that conventional approaches are no longer sufficient. An intelligence-driven approach to information security can deliver comprehensive situational awareness, enabling organizations to more effectively detect and mitigate cyber attacks.

Developing a cyber-risk intelligence capability will take investments in people, process, and technology. It will challenge the information-security team to grow beyond the current skill set and to commit to a change in mind-set. And it will require not only the steadfast efforts of the security team but also broad organizational support.

The value proposition for a cyber-risk intelligence program includes improved security and cost-effectiveness. Defensive strategies can be precisely aimed at addressing the most significant threats and protecting the most critical assets. The security team will have the knowledge it needs to make informed risk decisions and invest in the right security controls.

Organizations must begin to recognize that having a cyber-risk intelligence capability is not just for the defense establishment and national-security agencies anymore. Government entities and corporate enterprises in many sectors must start to develop this capability in order to protect against growing threats to their operations and intellectual property. Although many corporations have developed capabilities in competitive and market intelligence to understand their competitors and customers, most have not developed a cyber-risk intelligence program. Given that most business processes and transactions are now conducted in cyber space, activities such as fraud, espionage, and sabotage have also moved online. Cyber-risk intelligence has become a required competency to understand the online risks.

The guidance provided in this report is intended to help point the way forward. By harnessing the power of information, organizations can develop the knowledge they need to get ahead of advanced threats.

"If you know your attackers and what they might be capable of exploiting within your environment, you can demonstrate to your executive management that you're spending money on the right controls."
Dave Cullinane, Chief Information Security Officer and Vice President, Global Fraud, Risk & Security, eBay

7 Appendices

About the Security for Business Innovation Council Initiative

Business innovation has reached the top of the agenda at most enterprises, as the C-suite strives to harness the power of globalization and technology to create new value and efficiencies. Yet there is still a missing link. Though business innovation is powered by information and IT systems, protecting information and IT systems is typically not considered strategic, even as enterprises face mounting regulatory pressures and escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or, even worse, not addressed at all. But without the right security strategy, business innovation could easily be stifled or put the organization at great risk.

At RSA, we believe that if security teams are true partners in the business-innovation process, they can help their organizations achieve unprecedented results. The time is ripe for a new approach; security must graduate from a technical specialty to a business strategy. While most security teams have recognized the need to better align security with business, many still struggle to translate this understanding into concrete plans of action. They know where they need to go, but are unsure how to get there. This is why RSA is working with some of the top security leaders in the world to drive an industry conversation to identify a way forward.

RSA has convened a group of highly successful security executives from Global 1000 enterprises in a variety of industries which we call the Security for Business Innovation Council. We are conducting a series of in-depth interviews with the Council, publishing their ideas in a series of reports, and sponsoring independent research that explores this topic. RSA invites you to join the conversation. Go to www.rsa.com/securityforinnovation to view the reports or access the research. Provide comments on the reports or contribute your own ideas. Together we can accelerate this critical industry transformation.

Business innovation defined: Enterprise strategies to enter new markets, launch new products or services, create new business models, establish new channels or partnerships, or transform operations.

Security for Business Innovation report series:
- The Time Is Now: Making Information Security Strategic to Business Innovation
- Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards
- Driving Fast and Forward: Managing Information Security for Strategic Advantage in a Tough Economy
- Charting the Path: Enabling the Hyper-Extended Enterprise in the Face of Unprecedented Risk
- Bridging the CISO-CEO Divide
- The Rise of User-Driven IT: Re-calibrating Information Security for Choice Computing
- The New Era of Compliance: Raising the Bar for Organizations Worldwide
- When Advanced Persistent Threats Go Mainstream: Building Information-Security Strategies to Combat Escalating Threats

Contributors
Top information-security leaders from Global 1000 enterprises

Marene N. Allison, Worldwide Vice President of Information Security, Johnson & Johnson
Prior to joining Johnson & Johnson, Marene was a senior security executive at Medco, Avaya, and the Great Atlantic and Pacific Tea Company. She served in the United States Army as a military police officer and as a special agent in the FBI. Marene is on the board of directors of the American Society of Industrial Security International (ASIS) and the Domestic Security Alliance Council (DSAC) and is President of West Point Women. She is a graduate of the U.S. Military Academy.

Anish Bhimani, CISSP, Chief Information Risk Officer, JPMorgan Chase
Anish has global responsibility for ensuring the security and resiliency of JPMorgan Chase's IT infrastructure and supports the firm's Corporate Risk Management program. Previously, he held senior roles at Booz Allen Hamilton, Global Integrity Corporation, and Predictive Systems. Anish was selected Information Security Executive of the Year for 2008 by the Executive Alliance and named to Bank Technology News' Top Innovators of 2008 list. He authored Internet Security for Business and is a graduate of Brown and Carnegie-Mellon Universities.

William Boni, CISM, CPP, CISA, Corporate Information Security Officer (CISO), VP Enterprise Information Security, T-Mobile U.S.A.
An information-protection specialist for 30 years, Bill joined T-Mobile in 2009. Previously, he was Corporate Security Officer of Motorola Asset Protection Services. Throughout his career, Bill has helped organizations design and implement cost-effective programs to protect both tangible and intangible assets. He pioneered the application of computer forensics and intrusion detection to deal with incidents directed against electronic business systems. Bill was awarded CSO Magazine's Compass Award and Information Security Executive of the Year Central in 2007.

Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.
Roland has functional and operational responsibility for ADP's information, risk, crisis-management, and investigative-security operations worldwide. Previously, he was CSO at EMC and held executive positions with consulting and managed-services firms. He has significant experience in government and law-enforcement, having served in the U.S. Air Force during the Gulf War and later in federal law-enforcement agencies. Roland is a member of the High Tech Crime Investigations Association, the State Department Partnership for Critical Infrastructure Security, and Infragard.

David Kent, Vice President, Global Risk and Business Resources, Genzyme
David is responsible for the design and management of Genzyme's business-aligned global security program, which provides Physical, Information, IT, and Product Security along with Business Continuity and Crisis Management. Previously, he was with Bolt Beranek and Newman Inc. David has 25 years of experience aligning security with business goals. He received CSO Magazine's 2006 Compass Award for visionary leadership in the Security Field. David holds a Master's degree in Management and a Bachelor of Science in Criminal Justice.

Petri Kuivala, Chief Information Security Officer, Nokia
Petri has been CISO at Nokia since 2009. Previously, he led Corporate Security operations globally and prior to that in China. Since joining Nokia in 2001, he has also worked for Nokia's IT Application Development organization and on the Nokia Siemens Networks merger project. Before Nokia, Petri worked with the Helsinki Police department beginning in 1992 and was a founding member of the Helsinki Criminal Police IT-investigation department. He holds a degree in Masters of Law.

Dave Martin, CISSP, Chief Security Officer, EMC Corporation
Dave is responsible for managing EMC's industry-leading Global Security Organization (GSO) focused on protecting the company's multibillion-dollar assets and revenue. Previously, he led EMC's Office of Information Security, responsible for protecting the global digital enterprise. Prior to joining EMC in 2004, Dave built and led security-consulting organizations focused on critical infrastructure, technology, banking, and healthcare verticals. He holds a B.S. in Manufacturing Systems Engineering from the University of Hertfordshire in the UK.

Tim McKnight, CISSP, Vice President and Chief Information Security Officer, Northrop Grumman
Tim is responsible for Northrop Grumman's global cyber-security strategy and vision, defining company-wide policies and delivering security to support the company. Tim received the Information Security Executive of the Year Mid-Atlantic Award and Information Security Magazine Security 7 Award in 2007. Tim has held management roles with BAE and Cisco Systems and served with the FBI. He has a Bachelor's degree and completed Executive Leadership training at the Wharton School. Tim also served as adjunct faculty at Georgetown University.