Intelligence-Led Security
Develop a Concrete Plan
A CYVEILLANCE WHITE PAPER | JANUARY 2015
Intelligence-Led Security: Developing a Concrete Plan
© 2015 Cyveillance
Table of Contents
Executive Summary
The Cyber Threat Landscape: Why a New Approach Is Required
The Need For Intelligence-Led Security
Defining the Intelligence in “Intelligence-Led Security”
From Concept to Action: Concrete Steps to Move Toward Intelligence-Led Cyber Security
Step 1: Justify the Need
Step 2: Define the Basic Architecture
Step 3: Evaluate the Options
Step 4: Build Your Spend Plan and Outline Your Budget Requests
Step 5: Find Your “Watchdogs”
Conclusions
Executive Summary
Protecting a business – including its information and intellectual property, physical infrastructure, employees, and reputation – has become increasingly difficult. Online threats come from all sides: internal leaks and external adversaries; domestic hacktivists and overseas cybercrime syndicates; targeted threats and mass attacks. And these threats run the gamut from targeted to indiscriminate to entirely accidental.
Among thought leaders and advanced organizations, the consensus is now clear. Defensive security measures – antivirus software, firewalls, and other technical controls – and post-attack mitigation strategies are no longer sufficient. To adequately protect company assets and ensure business continuity, organizations must be more proactive. But on a practical level, how can they do that?
Being proactive means organizations must increase their awareness of, and preparation for, potential attacks. They must also improve their understanding of their adversaries in order to better prepare for attacks, envision how they are likely to manifest themselves and be prepared to respond appropriately.
Increasingly, this proactive stance is being summarized by the phrase “Intelligence-Led Security”: the use of data to gain insight into what can happen, who is likely to be involved, how they are likely to attack and, if possible, to predict when attacks are likely to come.
As with many security trends and frameworks, the early stages of adoption often involve inconsistent definitions, challenges with justification and management communication, and an unknown path to implementation.
In this white paper, we:
• Review the current threatscape and why it requires this new approach
• Offer a clarifying definition of what cyber threat intelligence is
• Describe how to communicate its value to the business, and
• Lay out some concrete initial steps toward implementing Intelligence-Led Security
The Cyber Threat Landscape: Why a New Approach is Required
There are three significant, and expanding, concerns which are driving the need for a new approach to security: External Actors, Internal Leaks, and Links between Cyber and Physical Security. We call these out as individual issues, but as we will see, they are in fact closely linked, which furthers the need for security powered by intelligence.
External Actors
Data security has been a concern for decades. But today, security threats are more pervasive, sophisticated, and damaging. Furthermore, with a torrent of information flowing between data centers, business applications, mobile devices, and online networks, protecting data assets is more complex and difficult than ever before.
In addition, the Internet and social media have provided all sorts of external actors, from hackers and thieves to scam artists, activists and corporate gadflies, a free, global, powerful and easy-to-use set of tools for all manner of mischief, disruption and destruction, often with little or no technical skills required.
This means that the environment external to the corporate network is the origin of more threats, adversaries and actors than in the past. More and more of the risks exist beyond the edge of the network, out in the wild. Controlling these actors, systems and forces beyond the perimeter is impossible, so awareness and monitoring of them is more vital than ever.
Top security experts regularly advise their customers to consider network breaches as inevitable, to treat them as no longer a matter of “if” but “when” and plan accordingly. Yet, many organizations don’t know an attack has occurred until it’s too late. Some never spot it at all.
Internal Leaks
In addition to inbound threats such as malware, outbound information leaks pose serious challenges and risks for corporations. Employees disclosing seemingly innocuous business or technical details – either intentionally or unintentionally – across a wide variety of online venues can provide potential attackers with enough information to identify and exploit vulnerabilities.
These leaks often include:
• Statements related to the security of customer data
• Technical discussions or network data posted by employees
• Confidential or proprietary company information
• Posts involving internal login details or vulnerability disclosures
There have also been several high-profile cases of ideologically-motivated attacks against corporations involving the disclosure of internal communications and client data. With the rise of “hacktivism,” entire industries have been targeted for a wide range of alleged offenses.
Additionally, growing economic development and Internet connectivity in emerging markets present the new challenge of identifying information security risks in a wide variety of foreign languages.
The Evolving “Threatscape”
Viruses, Trojan horses, spyware, phishing software, and other malware are commonplace. Distributed denial-of-service (DDoS) attacks can quickly take a corporate network down and grind business productivity to a halt. And advanced persistent threats (APTs) can slowly leak sensitive information without being detected. Email is no longer the sole entry point for these types of malware, as they can now gain access to corporate infrastructures via websites, social networks, online ads, and mobile applications.
In fact, network breaches are no longer a matter of “if,” but “when.” Many organizations don’t know an attack has occurred until it’s too late. Others never spot it at all.
Figure: threat categories shown in the original graphic: social engineering, insider threats, hijacking, phishing, spoofing, sniffing, Trojans, mapping, DDoS, APT.
Links Between Cyber and Physical Security
Increasingly, cyber criminals are deploying multi-tiered attacks and creating smokescreens to disguise their true intentions. DDoS attacks, most often launched out of ideological differences or anti-corporate sentiment, are also being used as diversions to tie up IT resources while money is stolen or cash is withdrawn en masse from ATMs. In other instances, experts have expressed concerns about media and mobile tools being leveraged to stir up disruptions to provide cover for retail theft and looting [1].
There is clear evidence that links between digital and physical security risks are increasing, particularly among hacktivist and activist coalitions that align technically skilled adversaries and physical disruptions. These have targeted everyone from the largest institutions [2] to single individuals [3]. Flashmobs, protests and boycotts, distribution of counterfeit and gray market products, and targeted attacks on physical assets and even individual executives [4] can pose severe risks to business continuity, brand reputation, and revenue streams.
Distributed denial-of-service (DDoS) attacks are not just perpetrated to affect company operations and reputations or to enable activists to conduct cyber protests; they can also be used to cover up fraud or the theft of intellectual property.
[1] http://www.dailymail.co.uk/news/article-2023924/London-riots-2011-BlackBerry-Messenger-shut-unbelievable.html
[2] https://www.adbusters.org/blogs/adbusters-blog/anonymous-joins-occupywallstreet.html
[3] http://www.theverge.com/2013/3/15/4109568/cyber-blogger-brian-krebs-ddos-attack-police-raid
[4] http://www.motherjones.com/mojo/2010/05/main-street-battles-wall-street-seiu-npa-gregory-baer-peter-scher-jpmorgan-chase-bank-of-america
The Need for Intelligence-Led Security
With these changes in the threat landscape, the challenges and adversaries’ tactics are evolving rapidly, and security methodologies must evolve as well. Reactive security strategies focused on technical controls and post-attack mitigation must become much more proactive. Threats and vulnerabilities must be known before they reach a company’s doorstep, before they have breached the corporate network, and before they have an opportunity to do harm.
In an era of advanced threats, awareness is the utmost security measure. Awareness of potential or imminent threats can enable improved preparation, and improved preparation can lead to more effective mitigation and prevention tactics.
Fortunately, many outside threats, actors and methods can be detected and studied in advance through Internet monitoring and intelligence analytics. Thousands of online sources can provide forewarning and insight about threats and vulnerabilities, including:
• Open source intelligence (OSINT)
• Social media
• Search engines
• Blogs and user-generated content
• News accounts and case studies about attacks against other organizations
• User groups
• Chat rooms
• Activist forums
These sources can be monitored and analyzed to anticipate and understand potential threats and impending attacks.
Defining the Intelligence in “Intelligence-Led Security”
There’s an old saying that a problem well defined is half solved. Unfortunately for both security professionals who believe in Intelligence-Led Security and the vendors who seek to support them, “Intelligence-Led Security” often suffers from the same sort of ill-defined overuse as “Big Data”. Everyone talks about it, most are fairly sure they need some of it, and very few people can tell you what it actually means. So for clarity, we define it this way:
Intelligence-Led Security is the collection, aggregation, correlation and analysis of both internal and external data to understand risks, identify threat actors, discover and minimize attacks or losses already underway, and understand and predict the methods and actions of likely adversaries.
If the goal of Intelligence-Led Security is to become more proactive, the definition must encompass the activities that make becoming proactive possible.
From Concept To Action: Concrete Steps to Move Toward Intelligence-Led Cyber Security
Figure: the five steps: Justify the Need; Define a Basic Architecture; Evaluate the Options; Build Your Spend Plan; Find Your “Watchdogs”.
So with these changes in the landscape, and the broad availability of external intelligence to correlate and synthesize with internal data, there is a clear argument for incorporating threat intelligence into security planning and operations. The question then becomes whether this is the right approach for your organization, and (just as importantly) if it is, how can you proceed?
In other words, if this prescription is right – and as one of the pioneers in cyber intelligence we believe this approach is both correct and achievable – the question then becomes the actual steps required to do it. The rest of this paper provides concrete guidance on some initial steps to take, why they are necessary and how to communicate the need, and value, of intelligence-led security to company management.
Step 1: Justify the Need – What Problem Are We Solving for The Business?
It’s axiomatic that in business, nothing happens without money. As the cyber threat landscape has expanded, the threats have multiplied, and the actors have become more numerous and more technically sophisticated, security professionals have faced a dramatic expansion of the challenges with which they are expected to deal, but are often hamstrung by the accelerating gap between what they are expected to contend with and the resources they have to work with.
This is often the result of a failure to clearly connect the security team’s mission, and the risks they are trying to address, to the broader business. This inability to translate security-speak
into business-speak hampers the likelihood of successfully being able to explain, justify and garner support. While many security professionals know and understand their own mission very well, they are often challenged by a lack of management support, buy-in, budget and other internal hurdles to properly protect, or get the resources to protect, the enterprise.
In one of the classic definitions of risk – Vulnerability x Likelihood x Impact – it is the first two components that are often closest to the security professional, but the impact element that resonates most with upper management. Translating security needs, budget requests and justifications into the language of business and its key metrics – profit, loss, customer churn, competitive advantage – is a critical next step to garnering the management support for this type of undertaking.
If nothing happens without money, then we cannot ignore the need to effectively make the case for those resources – and to do that requires communicating the risks, and impacts, to those who hold the purse strings in their own language. Another factor that must be considered is the organizational tolerance for risk. Because this varies widely, it is critical to reach agreement on what constitutes an “acceptable level of risk.”
One in-depth study on this subject, the Live Threat Intelligence Impact Report 2013, published by the Ponemon Institute, focused on the hard-to-generate metrics critical to translating security risks into the language of business.
Demonstrating the Impact: A Case Study in Advanced Persistent Threats
Long-term undetected and unresolved advanced persistent threats (APTs) can result in major financial and intellectual property (IP) losses. In some cases, the loss of IP can result in the loss of business differentiators as well. A major Canadian telecommunications company’s former senior systems security adviser was quoted as saying that he had no doubt that extensive cyber attacks on the company contributed to its downfall. He believed that infiltration by alleged “foreign actors” led to the company’s subsequent failure and bankruptcy.
Source: http://www.cbc.ca/news/business/nortel-collapse-linked-to-chinese-hackers-1.1260591
The report revealed the staggering costs associated with cyber attacks. These costs are hard to calculate and are often not budgeted for due to the lack of public and industry sharing of cyber attack cost data. Some of the findings from the survey, which generated 708 respondents from 378 enterprises, were that:
• The average amount spent in the past 12 months to resolve the impact of exploits is $10 million.
• Having actionable intelligence about cyber attacks within 60 seconds of a compromise could reduce this cost on average by $4 million annually (40 percent).
• 60 percent said their enterprise was unable to stop exploits because of outdated or insufficient threat intelligence.
• 57 percent say the intelligence currently available to their enterprise is often too stale to enable them to grasp and understand the strategies, motivations, tactics, and location of attackers.
However, once a company does invest in a sophisticated cyber threat intelligence solution, there are considerable savings. Typically the impetus to establish cyber security centers comes from security executives that transfer from traditionally-targeted industries and know how to present the need to increase security budgets to the CEO or the board in a way that they can understand.
Organizations also need to understand the threat actors and their modus operandi. This threat actor mapping can help identify the types of exploits and motivations used in cyber campaigns against their industry, competitors, and company.
Finally, the survey responses show just how important it is to have monitoring in place to ensure that organizations are aware of changes in the open source ecosystem, and support the “why” of building out an intelligence-led approach to security. Changes in activity and noise can be early warning signs of things to come. These are not always defined and require that companies employ a listening campaign to help pick up on hints. Once an event occurs, experienced cyber security analysts can use these resources to continue to monitor the situation and be more aware of the next hint of an attack before it occurs.
Step 2: Define a Basic Architecture
It is easy to get caught up in the tactical details of specific solutions, but increasingly we see the most targeted, and often the most forward-thinking organizations, taking the time to step back and clearly define a broader vision for real Intelligence-Led Security. That means a holistic approach and cohesive architecture, rather than a stitched-together patchwork of tactical solutions.
In the most sophisticated manifestations, this reveals itself in a holistic, dedicated “Fusion Center,” “Cyber SOC,” or other complex, integrated environment for the gathering and analysis of data in line with our definition in Step 1 above.
Here are just a few of the questions that go into defining such an architecture and holistic approach:
1. What internal data do I want to aggregate and store?
2. What external threat intelligence (threat and vulnerability feeds, open source intelligence, social media monitoring, etc.) do I want to bring in and correlate with my internal information?
3. How long do I want to store this data?
4. How much data does that imply, and what infrastructure will I need to store and access it in a timely and cost-effective manner?
5. What types of reports, outputs, data and deliverables should these systems and analysts be expected to produce?
This is just a sample of the things to be considered, and they are true regardless of the size of the enterprise or the scope of the threats it faces. We have seen every manifestation of this philosophy, from the tiny credit union with its MS Access database, to major global banks running Splunk, Palantir or other visualization packages on SOLR, ElasticSearch or Hadoop clusters of massive proportions. The implementation is unique to each case, but the objective – by our definition – is the same: to gather, correlate and leverage the data to better understand, prepare for, and mitigate the risks.
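The five questions above are easier to reason about when the pipeline they describe is written down. The following is an added example, not Cyveillance's code and not a description of its platform: a small Python correlation job that takes internal data (question 1, here a handful of outbound web-proxy log lines), joins it against an external indicator feed (question 2), applies a retention window (question 3), indexes the feed so the join scales to the data volumes question 4 implies, and produces the kind of summary deliverable question 5 asks for. Every log line, hostname, indicator, confidence score and actor label is constructed for illustration; the log format, feed layout and function names are assumptions, not any vendor's schema.

```python
"""Correlate internal proxy logs with an external threat-intelligence feed.

Added example (not Cyveillance's code). Log lines, indicators, hostnames and
actor labels are all constructed; the formats are assumptions for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed internal data (question 1): outbound proxy log, one event per
# line: RFC 3339 timestamp, source host, destination host, HTTP status.
INTERNAL_PROXY_LOG = """\
2015-01-12T08:01:05Z ws-finance-07 updates.example-vendor.test 200
2015-01-12T08:03:41Z ws-finance-07 cdn.evil-example.test 200
2015-01-12T09:15:22Z ws-hr-02 mail.example-corp.test 200
2014-11-03T10:00:00Z ws-hr-02 cdn.evil-example.test 200
2015-01-13T14:27:09Z srv-build-01 pkg.example-vendor.test 304
2015-01-13T14:30:55Z srv-build-01 drop.badhost-example.test 404
"""

# Constructed external feed (question 2): indicator value, type, a hypothetical
# actor label and a vendor-style confidence score. Values are invented.
EXTERNAL_FEED = [
    {"indicator": "cdn.evil-example.test", "type": "domain", "actor": "ACTOR-A (hypothetical)", "confidence": 90},
    {"indicator": "drop.badhost-example.test", "type": "domain", "actor": "ACTOR-B (hypothetical)", "confidence": 60},
    {"indicator": "203.0.113.77", "type": "ipv4", "actor": "ACTOR-A (hypothetical)", "confidence": 75},
]

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class ProxyEvent:
    ts: datetime
    src_host: str
    dst_host: str
    status: int


@dataclass(frozen=True)
class Match:
    event: ProxyEvent
    actor: str
    confidence: int


def parse_ts(value: str) -> datetime:
    """Parse the constructed timestamp format as UTC."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_proxy_log(text: str) -> list[ProxyEvent]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append(ProxyEvent(parse_ts(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def apply_retention(events: list[ProxyEvent], now: datetime, retention: timedelta) -> list[ProxyEvent]:
    """Question 3: keep only events inside the retention window."""
    cutoff = now - retention
    return [e for e in events if e.ts >= cutoff]


def correlate(events: list[ProxyEvent], feed: list[dict], min_confidence: int = 50) -> list[Match]:
    """Join retained internal events against external indicators by destination.

    Indexing the feed once makes the join linear in events plus indicators
    rather than a nested loop, which matters at the volumes question 4 implies.
    Low-confidence indicators are dropped before the join to limit noise.
    """
    index = {f["indicator"]: f for f in feed if f["confidence"] >= min_confidence}
    matches = []
    for e in events:
        hit = index.get(e.dst_host)
        if hit:
            matches.append(Match(e, hit["actor"], hit["confidence"]))
    return matches


def summarize(matches: list[Match]) -> dict:
    """Question 5: the deliverable, counts of hosts and actors to investigate."""
    return {
        "hosts": dict(Counter(m.event.src_host for m in matches)),
        "actors": dict(Counter(m.actor for m in matches)),
        "total": len(matches),
    }


def run(now_iso: str, retention_days: int = 30, min_confidence: int = 50) -> dict:
    """End-to-end pipeline over the constructed data for a given 'now'."""
    events = apply_retention(parse_proxy_log(INTERNAL_PROXY_LOG), parse_ts(now_iso), timedelta(days=retention_days))
    return summarize(correlate(events, EXTERNAL_FEED, min_confidence))


if __name__ == "__main__":
    # With a 30-day window the 2014-11-03 event ages out, leaving two matches.
    print(run("2015-01-14T00:00:00Z"))
```

Changing `retention_days` or `min_confidence` in the call to `run` shows the trade-off the architecture questions are really about: a longer window surfaces an older contact with the same indicator at the cost of storing more data, and a higher confidence threshold removes the lower-confidence hit along with the analyst time it would have consumed.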
Step 3: Evaluate the Options
With a clear definition of the mission, a business justification for its execution, and the high-level architecture for the systems, people and activities required, now it makes sense to look at the endless list of tactical choices you will need to make. Here again, a simple sampling of the questions it is now appropriate to tackle, given that you have a framework to put them in:
What are the primary activities we need to be concerned about?
Insider-threat investigations? External hacking? Physical security risks to far-flung operations or high-profile executives? Loss of intellectual property? All of the above? Your priorities will dictate everything from what tools get the budget and attention to which skillsets you seek to recruit.
Do we already have tools in place that are extensible to this new mission?
There are sometimes significant benefits in learning curves, licensing costs and implementation if you have dashboards, databases, software packages and staff whose current use can be extended to a new mission versus starting from a clean slate.
Define evaluation criteria.
Conversely, if new tools or skillsets are required, those should be considered, too. Many vendors will seek to offer tools, systems and solutions. Before worrying about who to call or which to choose, be clear on the objectives you seek to meet so that you can prepare the appropriate measures of performance and compare apples to apples.
Step 4: Build Your Spend Plan and Outline Your Budget Requests
With a stated definition, a business justification, a reasonably detailed framework and some good data on what kind of staff, tools, feeds and other costs the transition will require, you are now in a position to make your case to management. To be sure, there are many operational and tactical steps to implementing Intelligence-Led Security, but the truth is, you must also be prepared to secure the manpower, systems and budgets to execute these steps effectively.
The industry agrees that Intelligence-Led Security is increasingly vital. Protecting the enterprise requires, more than ever, a proactive stance and the development of information, not just data, about the risks we face, the actors responsible, the motivations and tactics of our adversaries, and insight into when and how attacks will come. But to unlock the powerful potential of this Intelligence-Led approach, many steps must be taken, and in the right order.
While this may sound like a daunting task, it can be made much more manageable by taking a pragmatic approach. Define the mission; justify it on a clear business (not parochial or departmental) basis; lay out a well-considered framework; estimate the resources and tools you’ll need; and then build and present your case. If it’s true that nothing happens in business without money, it’s also true that those resources are most likely to come from a well-defined mission, justification, and plan.
More than ever, protecting the enterprise requires a proactive stance and the development of information, not just data.
Step 5: Find Your “Watchdogs”
While tools, data analytics and software are vital to dealing with the scale of information involved, skilled cyber security analysts are still the final critical element for organizations moving to proactive, intelligence-led security. These analysts act as “watchdogs” for large and medium enterprises, conducting both broad (global) and deep (threat-specific) monitoring and analyses. In doing so, they provide an early warning system for their clients, offering advance awareness, detailed intelligence, and actionable recommendations surrounding risks, information leaks, and potential attacks.
With the help of cyber security analysts, organizations can increase their awareness of possible threats, proactively address network and infrastructure vulnerabilities, and better protect:
• Intellectual property
• Information assets
• Physical assets
• Customers
• Executives
• Employees
• Revenue streams
• Brand reputation
Conclusions
In an era of pervasive and sophisticated threats – internal and external, domestic and international – companies can no longer wait for something to go wrong before they respond. They must shift from reactive mitigation to proactive awareness and preparation.
Intelligence monitoring and analyses that are both broad (global) and deep (threat specific) are the keys to this shift. While few companies have the resources or expertise to do this on their own, cyber security analysts can provide an early warning system of vulnerabilities, information leaks, and possible threats. By scouring the growing cache of open source and online intelligence, these cyber security “watchdogs” help organizations better protect critical information, physical and human assets, brand reputation, and revenue streams.
While your network may be secure, do you have visibility beyond the perimeter? Security is no longer about what you can see. What you can’t see is where the true threats hide.
Cyveillance offers an easy-to-use platform that provides security professionals the ability to see beyond the perimeter. Our solutions identify cyber and physical threats and risks across the globe, allowing you to mitigate and eliminate them before they disrupt your business.
We go beyond data to provide the threat intelligence that you need to achieve your organization’s business goals. Contact us today to learn more and get a free trial.
Using security intelligence technology can save companies up to $2.6 million when compared to companies not using security intelligence technologies. Source: “2014 Global Report on the Cost of Cyber Crime.” Ponemon Institute; HP. 3 Dec. 2014. http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report
A study by Verizon has shown that the targets of 85 percent of attacks are small businesses with less than 1,000 employees. Source: Verizon, “2012 Data Breach Investigations Report,” http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf
Cyber Threat Center
www.cyveillance.com/cyberthreatcenter
11091 Sunset Hills Road, Suite 210, Reston, Virginia 20190
888.243.0097 | 703.351.1000
www.cyveillance.com
[email protected]
Copyright © 2015 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are
trademarks or registered trademarks of their respective owners.
Cyveillance is the leading provider of cyber threat intelligence, enabling organizations to protect their information, infrastructure, and employees from physical and online threats found outside the network perimeter. Founded in 1997, Cyveillance delivers an intelligence-led approach to security through continuous, comprehensive monitoring of millions of online data sources, along with sophisticated technical and human analysis. The Cyveillance Cyber Threat Center, a cloud-based platform, combines web search, social media monitoring, underground channel information, and global intelligence with investigative tools and databases of threat actors, domain names and IP data, phishing activity, and malware. Cyveillance serves the Global 2000 and the majority of the Fortune 50 – as well as global leaders in finance, technology, and energy – along with data partners and resellers. For more information, visit www.cyveillance.com.
Cyveillance is a wholly-owned subsidiary of QinetiQ, a FTSE250 company which uses its domain knowledge to provide technical support and know-how to customers in the global aerospace, defense and security markets. For more information, visit www.qinetiq.com.