Predictive Intelligence

Transcription

1 PI Predictive Intelligence Actionable Insight for the Digital Enterprise AUGUST 2014 PI = [ C4S + G4S + I4S + CR ] x MP

2 What problems are we trying to help clients solve? Managing the Threat Landscape Organizations are increasingly vulnerable to business disruptions. These disruptions may be caused intentionally by individuals or groups intending to do harm or to steal intellectual property, or unintentionally as a result of the geographic or socio-political operating environment. All aspects of the organization are vulnerable, from employees to business partners, and from supply-chain to IT assets. Organizations need to manage these risks and take advantage of the data and analytics to start to thrive and not just survive. How do we anticipate future attacks and take defensive actions before the attacks occur? How do I identify salient threats to my global operations, executives and workforce? What is the current level and business impact of cyber risks to our company? Tradecraft Analytics How can I detect subtle but potentially violent shifts in local threat environments? How can we provide timely, actionable intelligence to executive decision makers to manage risk, protect their organization but also thrive? What type of cyber incidents or breaches do we detect in a normal week? Technology Workforce How trained is our workforce to prevent, detect and respond to a cyber breach? How do we detect insider threats before rogue employees can do significant damage? What is the status of my incident response activities and are we ready and prepared? How compliant is our cyber security and supply chain vulnerabilities program with emerging regulations? Booz Allen Hamilton Inc. Copyright Proprietary. 2

3 Overview Failure is not an Option The sheer number, speed and sophistication of attacks against today s organizations are rapidly increasing. And so are the stakes. These threats take many forms including cyber and insider attacks, physical destruction and personal harm. And worse, these threats are constantly evolving so the risk is ever present despite current security measures. For most organizations, it is no longer a question of if but when. And more urgently, what can be done to effectively mitigate the risk and secure critical assets before the next attack. 200 Attacks Average annualized number of successful cyber attacks per company in the United States. 1 $11.56 Million Average annualized cost of a successful cyber attack in the United States. 1 26% Increase Net increase in cost over the past year. Represents an additional average annualized cost of $3 million per successful cyber attack in the United States Days Average time to resolve a cyber attack. 1 33% Increase Net increase in time to remediate attack over the past year. Represents an additional 10 days per successful cyber attack in the United States. 1 11% Insiders Annualized percent of cyber attack cost attributed to malicious insiders. 1 BREAKING NEWS Cost of Cyber Crime Study: United States, Ponemon Institute, October Target Data Breach; CEO and CIO resign Dec 18, 2013 Target breach compromises 110 million payment cards Pro-Russia Hacktivists attack NATO website Mar 15, 2014 Group disrupts NATO websites in response to activities in Ukraine Heartbleed Flaw in Internet Explorer Apr 7, 2014 Vulnerability exposed impacting 17% of the internet's secure web servers Al Qaeda kidnapping attempt in Yemen May 11, 2014 Al Qaeda gunmen tried to kidnap two U.S. Embassy employees in Yemen Protests hit Brazil ahead of World Cup May 15, 2014 Demonstrations held in 18 cities protesting billions spent on games instead of housing and health care Booz Allen Hamilton Inc. Copyright Proprietary. 3

4 INTELLIGENCE Minutes Hours Days Weeks Overview The Time to Act is Now Organizations that wait and respond to events after they occur miss the critical window to capitalize on the power of foresight. By using Predictive Intelligence to anticipate and prevent critical attacks from happening or from reaching their full objectives; organizations can significantly lessen the negative impacts of a successful attack. Global Situation Awareness Where Do You Fit? Anticipate Threats Probabilistic Warnings Continuous Diagnostics Advanced Adversary Hunting Detect Threats Prevent Damage Respond to Attacks Sanitize Breaches Policies & Compliance Minutes Hours Days Weeks DECISION MAKING Booz Allen Hamilton Inc. Copyright Proprietary. 4

5 Staying Ahead of the Curve Today s global environment is wrought with potential threats, risks, and opportunities. Success is predicated on an organization s ability to successfully sense, anticipate, and adjust course to mitigate risks, seize opportunities, and defeat adversaries. Achieving this outcome requires access to a diverse set of skills, techniques and technologies that enable an organization to become and remain predictive. While many competitors have one or two of these offerings, only Booz Allen s Predictive Intelligence has the end-to-end solutions needed to holistically address both the scale and severity of the current threat landscape. PI 1 2 Specialized Tradecraft Threat actor, linguistic, socio-cultural and attack-surface intelligence Big Data & Analytics Proprietary analytics and data libraries 3 Advanced Technology Systems integration and application development 4 Workforce Readiness Threat readiness and incident response solutions Booz Allen Hamilton Inc. Copyright Proprietary. 5

6 PI = [ ] x C4S G4S I4S CR MP Predictive Intelligence Predictive Intelligence combines tradecraft, big data & analytics, technology and workforce to help clients anticipate, prevent, detect and respond to global threats and global opportunities with real-time actionable insight about their environment internally, externally, globally and socially so they can take action to be ready, to manage risk, to protect assets and to thrive. Major Product Lines and Solutions Cyber4Sight Tailored, anticipatory threat intelligence provides actionable, near-real time alerts of specific impending malicious cyber attacks. Insider4Sight TM Holistic approach tailored to mitigate insider risk using advanced detection and analytical tools. MissionPlatform Technology architecture and tool suite for data collection, storage, processing, analytics, and userfocused visualizations, and includes talent management to leverage these solutions. Global4Sight TM Threat and business intelligence derived from social media and global datasets enables anticipatory actions, rapid threat mitigation, and strategic positioning. CyberReady TM Continuous, automated diagnostics to discover vulnerabilities and to quickly sanitize breaches. Booz Allen Hamilton Inc. Copyright Proprietary. 6

7 Product Lines Cyber4Sight C4S Cyber4Sight tailored threat intelligence products and services pro-actively defend our client s organizations against the most sophisticated cyber attacks. With Cyber4Sight products and services, clients receive actionable intelligence of future attacks in near real time to avoid tactical and strategic surprise. Cyber4Sight threat intelligence products and services collect and analyze the motivations, intentions, objectives, and capabilities of specific threat actors around the world most likely to launch an attack against a client and provide an early warning capability at a fraction of the cost to build a comparable intelligence analysis center internally. OFFERINGS SOLUTIONS Threat Alerting and Warning Services Anticipatory cyber threat alerts and warnings of impending future attacks, providing clients with an early warning system to defend their enterprise. Deep Web Intelligence Analysis Services Advanced intelligence tradecraft service to monitor specific threat actor s intentions, motivations and objectives to provide actionable insights for high risk, high consequence cyber threats. Cyber Threat Intelligence Summary Products Daily compendium report on global cyber threats and incidents with a focus on nation states, known hacktivist groups, and criminal syndicates. On-Call Intelligence Analysis Services On-demand services to answer client-submitted cyber threat intelligence questions that require in-depth analysis, which may be related to virtually any cyber threat intelligence topic. Specialized Cyber Threat Intelligence Studies In direct consultation with our clients, we create deepdive, open-source analytic products that present extensive views of current cyber threats and risks. Services Availability & Support Cyber4Sight services operate 24 hours per day, 365 days per year. Intelligence analysts are always available for help and support around the clock via a telephone hotline, , and Web portal access. OSIRIS Open Source Information Research and Investigation System Automated data collection and ingestion Automated filtering, correlation, and analysis Visualization and alerting dashboard for analysts Customized client collection plans based upon business priorities and protected assets ThreatBase TM Near Real-Time Knowledge Repository Automatic meta data ingestion and tagging Link and timeline analysis Object-based queries and advanced search and pattern recognition capabilities Web Portal access for clients Booz Allen Hamilton Inc. Copyright Proprietary. 7

8 Solutions ThreatBase TM C4S ThreatBase is the knowledge repository for Cyber4Sight finished intelligence products, accessible by clients via a secure portal to provide an overview of recent threat trends, including tracking actors, threat origins, and most popular TTPs (Tactics, Techniques and Procedures). The ThreatBase knowledge repository contains all Cyber4Sight finished intelligence, cross referenced and fully searchable. There are more than a dozen search options, each of which can also be used to pivot between attributes of interest. The ThreatBase knowledge repository dynamically maps the relationships between threat actors, their tactics, techniques, and procedures, and their targets. Threat statistics, patterns and trends may be analyzed, linking threat actors with targets, attack vectors, and exploits being used. Geo-location intelligence is stored as well, tracking threat actor locations over time using based near correlations. ThreatBase Screenshots // Secure Client Portal // Advanced Search // Relationship Finder Threat actor profiles depict the relationships between threat actors, their targets, and the methods of attack, allowing analysts to pull the threat from multiple entry points, enriching analysis and providing a more complete picture for clients. Booz Allen Hamilton Inc. Copyright Proprietary. 8

9 Case Study Global Enterprise Services Firm Defending Intellectual Property and Trade Secrets Through Anticipatory Threat Intelligence Results Achieved C4S The Challenge A global enterprise services firm with large-scale briefings for government and commercial clients was stung by a string of network beaches that undermined its intellectual capital and market reputation. The organization s cyber defense was reactive so its analysts had no intelligence to prioritize resource allocation and thwart dangerous threats that compromised its networks. To protect sensitive data and its critical infrastructure, the firm needed to implement a world-class Critical Incident Response Team/Security Operations Center (CIRT/SOC) or risk losing billions of dollars in reputation and future earnings. The company turned to Booz Allen Hamilton and its Cyber4Sight team for help. The Solution The Cyber4Sight team implemented 24x7 Threat Alerting and Warning Services, combined with strategic intelligence capabilities, to substantially elevate the client s security posture using an intelligence-driven computer network monitoring and defense capability that includes Tripwire Alerts, Spot Reports, Situation Reports (SITREPS), and Daily and Monthly Intelligence summaries. The Cyber4Sight team began transforming the client s critical data into informed, proactive computer network defense activities. In the first four months alone, the Cyber4Sight team delivered more than 100 serialized threat intelligence summaries and 700 analytic insights. Daily threat intelligence briefings helped guide the client s ongoing tactical operations, fostering an anticipatory approach that exponentially decreased cyber events. Cyber4Sight intelligence reports help predict malicious actors intentions, capabilities and probabilities of success before major events occur enabling the client to prepare for attacks in advance and effectively mitigate risk in real-time. The insight provided by Cyber4Sight analysts allows the client to better prepare for major cyber events before they occur, avoiding multi-million dollar losses of intellectual property and brand equity. The Cyber4Sight team also delivers daily threat intelligence reports and briefings to alert the client to potential threats. The Cyber4Sight team continues to field regular Requests for Information (RFIs) from the client to identify and understand developing threats. Booz Allen Hamilton Inc. Copyright Proprietary. 9

10 Product Lines Global4Sight TM G4S Global threats and global market opportunities can take many forms including threat intelligence monitoring, message and influence monitoring, and supply chain risk assessment. To protect their competitive advantage and to capitalize on new opportunities, organizations need comprehensive and actionable information. Global4Sight threat and competitive intelligence products and services combine a strong heritage of cloud architecture and applications development with leading edge open source and social media research and intelligence analysis tradecraft to provide actionable information on global threats and global market opportunities. OFFERINGS SOLUTIONS Threat Intelligence Monitor strategic and tactical environment to alert & inform clients of emerging and ongoing threats to people, facilities, and operations. Executive Protection Anticipate and mitigate physical, reputational and financial risk to individuals created through vulnerabilities exposed online. Supply Chain Risk Assessment Assess third party suppliers to alert clients to business risks. FinSight Thwart illicit actors taking advantage of new opportunities using alternative payment systems. Global Advantage Conduct business research and analysis on opportunities for and threats to market advantage in new environments. Application & Architecture Development Develop innovative solutions to track, visualize, and alert users to threats and opportunities by monitoring vast government, commercial, and publicly available data sets. Attack the Network Tool Suite Suite of Tools Enabling Analytic Hunt Geospatial, thematic, and string-based investigations against raw and machine extracted content Rapid cross-corpus search of all data types Visualization and displays to facilitate interrogation of data Weatherman Analytic Value-Chain Analytic to Track Global Threats Models and identifies relationship between activities within an enemy network Analyzes value chain nodes and tracks hits against keywords that signify activity Provides geospatial and temporal view of the changes in the value chain status Booz Allen Hamilton Inc. Copyright Proprietary. 10

11 Solutions OSIRIS OSIRIS (Open Source Information Research and Investigation System) fulfills four principal functions: targeted collection, ingestion of information feeds, correlation, and visualization. Number of Categorized Authors Per Hour G4S Automated data collection and ingestion from 1,250 data feeds Ingestion of 1 Terabyte of data each day into a data lake and proprietary cloud environment Automated filtering, correlation, and analysis Visualization and alerting dashboard for analysts OSIRIS unique client dashboards provide extensive collection and analysis customization and client data segregation including quick assessments into Twitter feeds. In the example shown right, OSIRIS shows the distribution of pro- and anti-government Twitter authors geotagged at a rally for the Turkish prime minister at the Istanbul airport on 6-7 June, Number of unique authors in the immediate vicinity of the Istanbul airport from June 6 through June 7 categorized by pro- and anti-government hashtags. OSIRIS Screenshots // Targeted Collection // First-Order Correlation // Analytics Center Booz Allen Hamilton Inc. Copyright Proprietary. 11

12 Case Study Supply Chain Risk Assessment Assessing supply chain vulnerabilities to make informed decisions on risk Results Achieved G4S The Challenge A government client required assistance in understanding the risk of using certain manufacturers of a high tech component for a critical operational system. The field of possible manufacturers of this new technology was large, operated around the globe, and most had multiple global business partners. The risks the client was concerned about included quality/counterfeit products that could put safety of personnel and operations at risk, or cyber threats from embedded malware or Trojans capable of stealing Intellectual Property. The client did not have a method for assessing the list of companies against relevant risk factors to reduce the number of companies to a manageable size for further research before selecting the right manufacturing partner. The Solution Global4Sight products and services provided valuable insight into the companies involved with the technology of interest while prioritizing overall risk. Our risk methodology is applicable to all technologies or systems to evaluate supply chain vulnerabilities quickly and efficiently. Our Supplier Risk service offering protects clients against working with suppliers and manufacturers who present a higher risk to the quality, performance or security of component parts integrated into larger systems. Our supply chain vulnerability framework is a proven, repeatable process that we tailor to specific client needs. Global4Sight TM intelligence analysts employed open source research and analysis against a proprietary risk framework, developed through years of supply chain assessments with both government and commercial clients, to evaluate the commercial vulnerability of the new technology across six distinct attributes. Our supply chain vulnerability framework is a proven, repeatable process that we tailor to specific client needs. A final, prioritized list of eight companies confirmed to be working with the technology of interest, and presenting a low risk as a manufacturing partner, was recommended to the client. Booz Allen Hamilton Inc. Copyright Proprietary. 12

13 Case Study Reputation and Safety Risk for Corporate Sponsor of International Events Protecting the safety and security of personnel, assets and corporate reputation Results Achieved G4S The Challenge A global corporation is sponsoring an international event being held under the cloud of local protests. The protests have included negative sentiment against the country s leadership for putting money into the event rather than using the money to support transportation, health, and labor issues that plague the local population. The global corporation is concerned that protests leading up to and during the event may turn violent and put the safety and security of senior executives attending the event, and its corporate reputation as a key sponsor, at risk. The company turned to Booz Allen with its Threat Intelligence, Executive Protection and Global Reputation Intelligence Services for help. The Solution The insights provided by the Global4Sight TM intelligence analysts allowed the client to better prepare for and respond to major events thereby avoiding loss of human life, loss of physical assets, and millions of dollars in reputational loss. The insights provided by Global4Sight intelligence analysts allowed the client to better avoid loss of human life, loss of physical assets, and millions of dollars in reputational loss. Booz Allen provided intelligence analysts and socio-cultural linguists to monitor local, national and international media, social media and other open source data for indications and warning of emerging protests and other events. Applying a diverse list of geo-political indicators against the diverse data sets, the analysts and linguists were able to provide early warning alerts, daily updates, weekly trend reports, and deep dive studies on emerging events, protest and other group leaders that informed decisions on safety and security precautions, as well as strategic communications for influencing local and global attitudes about the corporation and the good work they do to support local and national interests and needs. Booz Allen Hamilton Inc. Copyright Proprietary. 13

14 Case Study Actionable Competitive Intelligence Informing a client s decision on the type of cross-border alliance strategy to pursue The Challenge Our client, a Fortune 100 industrial products manufacturer, wanted to establish a strategic alliance with a publicly traded Chinese corporation. While there was an abundance of information about the partnering firm, the client sought further competitive intelligence on how other US and foreign companies had designed and executed similar alliances. In particular, the client was concerned about how an equity based transaction, such as a merger or joint venture (JV), would be treated by the Committee on Foreign Investment in the United States (CFIUS). The CFIUS is a Treasury Department led inter-agency committee authorized to review transactions that could result in control of a U.S. business by a foreign entity. The CFIUS had obstructed other deals in the past, resulting in lost opportunities and significant expenditure of resources on plans that did not materialize. Our challenge was to collect insights into best practices that would inform how the client designed their alliance, and how it was presented to the CFIUS. The Solution Booz Allen used a tailored combination of competitive intelligence techniques and a wide range of novel data sources to identify over 40 different alliances in China involving firms comparable to our client. Alliances were characterized by type. Repeatable, though not widely publicized, steps that ensured positive results in CFIUS review, were identified. Insights into best practices used to minimized unintended leakage of IP were also uncovered and tabulated for the client to use as needed. Results Achieved G4S Booz Allen uncovered unique new and actionable insights into successful prior cross-border alliances engaged in by the client s competitors. These insights informed the client s overall alliance strategy, resulting in the client choosing to execute a JV with their intended Chinese partner. Booz Allen s insights informed how the client presented their case for a JV to the CFIUS. Our insights contributed to the client s design of their JV in order to minimize risks of unintended leakage of intellectual property to the Chinese JV partner. The insights provided by Global4Sight TM intelligence analysts contributed to the client s design of their JV in order to minimize risks of unintended leakage of intellectual property to the Chinese JV partner. Booz Allen Hamilton Inc. Copyright Proprietary. 14

15 Product Lines Insider4Sight TM I4S Organizations face increasing risk from insider threats posed by employees, contractors and business associates who possess legitimate placement and access and thus are often unseen by network audit tools focused on protecting networks and information from outside intervention and compromise. Insider4Sight behavior-based assessment tools are applied against expected role models to detect rogue insiders before significant damage occurs. The benefits of Insider4Sight tools and services include reduced implementation cost, improved detection probability, predictive identification of risks and coordinated repeatable response. OFFERINGS SOLUTIONS Maturity Assessments & Benchmarking Baseline assessment of a client s insider threat program maturity, using a reference model to assess risk across people, process and technology dimensions. The maturity model uses control families and control objectives measured against industry best practices. An opportunity roadmap is created mapped to key risks and business objectives. Program Design Services Insider threat program design services to create a customized program for a client s organization. Services include policy development, critical asset analysis, role and behavioral modeling, governance and oversight design, privacy and legal assessment, security design, technology planning and roadmap development. Data & Architecture Services Evaluation of existing applications and available data to establish a baseline technology architecture for an insider threat program. Data fusion and machine analytics design services to close information gaps, based upon the goals of the overall program. Insider Threat Monitoring Services Managed security services to monitor a client s enterprise 24 hours per day, 365 days per year, using a customized alerting dashboard to collect evidence of rogue insider activities. Near real time alerts are escalated within the organization, applying analytic tradecraft and case management techniques. We continuously update and evolve expected role behaviors, develop and deploy anomaly triggers, evolve machine analytics, and update tool configurations based upon changing risks and critical asset priorities. Beacon Automated Workflow and Analytic Environment Guides the analyst in the response while providing an audit trail and chain of custody documentation. Enables behavioral analysis against Use Cases (spies, fraud) I4S Signature Repository Library of Behavioral and Risk Activity Triggers Provides indications of anomalous activity indicative of likely-threat behavior Evaluates multiple data sets ( , chat, badge activity) against baseline actor thresholds to characterize and cluster on behavior profiles Booz Allen Hamilton Inc. Copyright Proprietary. 15

16 Solutions BEACON I4S BEACON provides automated workflow and case management of risk alerts to detect, assess and secure against the risk of anomalous behavior. Insider threat audit relies on several key technology platforms to deliver and aggregate the required data for effective detection, analysis and resolution or investigation. Depending on the event, a repeatable workflow process is tailored to the alert and an organization s normal operating procedures. Analysts utilize contextual information to help determine if the anomaly is within the scope of expected role behaviors or it if warrants escalation. When escalation is recommended, the analyst creates a package which contains all the relevant data regarding the alert/behavior and all collected contextual information. The Escalation Package is transferred to an appropriate investigative authority. BEACON tracks and documents all of the analyst s activities to ensure that chain of custody is maintained for reported data and escalation packages. Whether benign or malicious, all activity is captured and stored for future reference and statistical purposes. BEACON Screenshots Anomalies in user activity are detected and compared against expected role behaviors. The analyst then assesses the risk of malicious behavior. // List of Potential Issues // Potential Issue Details // Escalation Package Booz Allen Hamilton Inc. Copyright Proprietary. 16

17 Case Study National Security Client Defending Sensitive and Classified National Security Information Through Anticipatory Threat Intelligence Results Achieved I4S The Challenge An overarching degree of trust given to an employee with access to highly classified information without the balance of auditing and analysis presents a high degree of risk. The WikiLeaks disclosures exposed the need for systemic oversight of policy compliance for any agency using classified information systems. Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, codified many steps for agencies to take in order to protect classified information. The EO affirmed that agencies bear the primary responsibility for the minimum standards regarding information security, personnel security, and systems security which includes establishing an integrated capability to monitor and audit information for insider threat detection and mitigation and gathering information for a centralized analysis, reporting and response capability. These new requirements require an approach that maximizes detection results within resource and budget constraints. The Solution Leveraging behavioral psychologists, we developed triggers around known use cases of malicious insiders, resulting in an 88% increase in the probability of detecting an event that required escalation (investigation). By trending data over time against expected role behaviors, we reduced the number of false positives from over 200 per day to 23 per week, dramatically reducing the number of labor hours required to investigate all of the false positive alerts. Booz Allen partnered with an Intelligence Community client to deploy an integrated monitoring capability on both unclassified and classified networks and a centralized analysis and response capability. Our expert analyst reviewed an alert for an employee who used a thumb drive in an unclassified laptop and desktop system, in violation of standard DoD policy. By leveraging internal databases, our analyst put context around the event and determined the employee had a written exception for use while performing legitimate work functions. Noting that files were on the thumb drive prior to the employee s employment, our analyst applied a suite of tools against the thumb drive files and identified anomalies that indicated a potential compromise of the network. The analyst immediately completed a detailed report into the malware discovered, an overview of possible APT actors and made a recommendation to escalate the event to appropriate government investigative agencies. The APT was subsequently isolated and removed from the network. Reduced the number of false positives from over 200 per day to 23 per week, dramatically reducing the number of labor hours required to investigate all of the false positive alerts. Booz Allen Hamilton Inc. Copyright Proprietary. 17

18 Product Lines CyberReady TM CR Without the ability to take action, even anticipatory threat intelligence is useless. So organizations need full command and control over their IT infrastructure, so that proactive changes can be made to mitigate risks. CyberReady products and services provide advanced technologies, dynamic algorithms, and sophisticated tradecraft to actively mitigate (not just discover) cyber risks, and to sanitize organizations in the event of a breach. Automated diagnostics running against fused data assess vulnerabilities, detect persistent threat actors, and enable fixes to be prioritized. And our National Security Cyber Assistance Program (NSCAP) accredited team of cyber incident responders can act quickly to drive intruders out. OFFERINGS SOLUTIONS Continuous Diagnostics & Mitigation Services Shortening the time between identifying and fixing vulnerabilities is the key to pro-active threat mitigation. Our continuous diagnostics and mitigation services can help clients achieve real-time risk awareness, and better close gaps in their infrastructure Algorithm & Analytics Development Services Fast, accurate, and decision-reliable algorithms are the heartbeat of any cyber operations center. Our team of data scientists has created a library of common analytics, and can create new ones on almost any tools platform. Policy Compliance Automation Services Tracking and accurately measuring cyber policy compliance eliminates manual assessment and reporting practices. This allows clients to better assess the cost of compliance and make better prioritization decisions. NSCAP-Accredited Incident Response Services Booz Allen is one of only six companies who are accredited by the US Government to conduct incident response activities, due to our highly skilled and qualified staff, repeatable processes, and custom tradecraft. NetRecon and Red Team Services Understanding how a client s organization looks to an outside attacker helps clients reduce their attack surface and proactively defend against cyber threats. Our team of white hat hackers can quickly identify vulnerabilities in client s systems. Tools Integration and Data Fusion Integrating cyber tools to support decision-making is critical to pro-active threat mitigation. Our team s datacentric approach helps extract decision-making data from tools, allowing a more holistic, analytics-driven approach. CyberReady Codex An integrated library of cyber analytics and indicators User Interface to create new analytics Based on 5+ years experience supporting some of the nation s largest cyber security operations centers Automated First Responder (AFR) Custom-built incident response platform Identifies one-off malware and persistent threat actors, even if no signatures exist for the threat Zero persistent install for quick deployment CyberReady Command and Control Dashboards Visualizes fused data pulled from a variety of sources Supports Executive-level decision making, incident response, and CIRT/SOC functions Booz Allen Hamilton Inc. Copyright Proprietary. 18

19 Solutions TM CyberReady NetRecon CR One of the best techniques an organization can employ to shore up their cyber defenses is acting like attacker. This means taking an external view of their enterprise, and trying to breach the network perimeter using any means necessary. While many automated vulnerability scanning tools exist, these are frequently rigid, rule-based and reliant on published vulnerabilities. CyberReady NetRecon overcomes these limitations and provides a holistic, comprehensive view of an organization s vulnerabilities. We provide: The Attacker Perspective: Extensive discovery techniques and years of intelligence analysis experience allow us to quickly get results. Actionable Intelligence: We provide a customized report for each client, that takes into account unique elements of each business. More Than Red Teaming: We find more vulnerabilities across the milewide surface area of an organization s network, providing clients more visibility and a better understanding of where defenses are needed. Examples of issues uncovered in our reports include: Undisclosed internet Points of Presence and disaster recovery locations; High value projects unknowingly correlated to undisclosed locations; Protocol eavesdropping analysis; Unknowingly published sensitive information. Screenshots // Reconnaissance Reports // Vulnerability Dashboards // Attack Surface Modeling Our highly-trained team of CyberReady NetRecon analysts is why we re different. They connect the dots, skillfully deploy state-of-the-art tools, and apply extensive research and training to each engagement. Booz Allen Hamilton Inc. Copyright Proprietary. 19

20 Case Study Commercial Financial Institution CR Sanitizing a Breached Network and Driving Out Persistent Threat Actors The Challenge A large commercial financial institution detected anomalous activity on their network, which posed a significant threat to their business operations and reputation. To determine the extent of the damage, shore up cyber defenses, and systematically drive out the intruders, the firm needed a multi-disciplined team of incident responders who could lead, coordinate, and execute a full-scale incident response activity. The organization turned to Booz Allen and its CyberReady TM Incident Response Team for help. The Solution Booz Allen s CyberReady Incident Response activities are accredited by the National Security Cyber Assistance Program 1, which ensures highly-skilled staff can provide state-of-the-art services within 21 separate Incident Response areas. Typical activities we provide to our clients include: Rapid, comprehensive impact assessments On-the-ground team of Subject Matter Experts (SMEs) that integrate with existing technical teams (e.g., CIRT/SOC) and non-technical staff (e.g., law enforcement, media relations) Systematic breach response to drive intruders out, quickly patch vulnerabilities, and maintain situational awareness Thorough forensics analysis and evidentiary support Comprehensive vulnerability assessment to proactively identify and remediate additional threat vectors Results Achieved Within 24 hours, Booz Allen deployed a CyberReady Incident Response team within the organization and completed an initial Breach Assessment using a rapid response mobile toolkit. An Initial Malware Triage was completed within 36 hours, which allowed containment and remediation measures to begin. Within 72 hours, the team deployed custom tools to capture and analyze 62+ billion encrypted Packet Capture (PCAP) packets, and 200,000+ firewall, application, and web logs, and to conduct forensics analysis on 60+ hard drives. The CyberReady Incident Response team produced a detailed event log with 5,000+ discrete intruder actions, delivered a 400 page legal / technical report with 15,000+ additional exhibits, and supported the organization s legal, law enforcement, media, and customer outreach efforts. Before concluding, the team conducted an independent verification of the organization s cyber defenses, to make sure that there were no additional avenues of attack. Booz Allen s CyberReady Incident Response provides rapid, on-the-ground support to quickly sanitize an enterprise s IT infrastructure in the event of a breach. 1 Booz Allen Hamilton Inc. Copyright Proprietary. 20

21 Product Lines MissionPlatform MP Underpinning the Predictive Intelligence s product lines is a set of core capabilities that provides the technology foundation, a cadre of trained staffing resources, and the mission understanding required to first establish, then scale, and finally realize the full potential of the Predictive Intelligence suite of offerings. Mission Platform is an enabling product line that acts as a force multiplier by providing a robust data analytic platform for rapid data integration and exploitation; proven methodologies for creating and evolving a PI workforce; and a pool of specialized subject matter experts that possess the deep mission understanding necessary to tailor people, process, and technology to mitigate potential threats and capitalize on advantage opportunities in multiple domains. OFFERINGS SOLUTIONS PI Platform Development and Integration Design, develop, and field data analytic platforms and analytical tools. Integrate new Predictive Intelligence technology with legacy capabilities to expose and enable analytics on all available data. Provided in multiple deployment models (remote-hosting, on premise). Rapid Prototyping Quick-win design, development, and rapid fielding of new technology focused on experimentation of novel approaches to current technical challenges. Provides users with tangible capabilities for direct feedback and collaboration on follow-on iterations. Software Development Center An incubation lab focused on the invention of new Predictive Intelligence capabilities. Staff are assigned on a rotational basis and execute Agile development projects to turn new ideas into innovative solutions. Talent Management and Workforce Development Advanced training, exposure to new technologies, and lab rotations are designed to cultivate and nurture the next generation Predictive Intelligence workforce. Next Generation Analysts Methodology, training, and lessons learned for building and operating innovative analytic teams (IATs) focused on new methodology creation, rapid prototyping, and innovation solution development. PI Data Analytic Platform Cloud Analytic Architecture Enables rapid integration, processing, and analysis of large volume and diverse datasets Designed for rapid integration of new data sources (<1 day) Provides advanced entity extraction, natural language processing, and automated risk assessments Packaged for cloud-based, remote, and on premise deployments SCARAB Distributed, dynamic network for low and mis-attributable collection of internet-based content Provides disposable, virtual client machines executed through cloud service providers Booz Allen Hamilton Inc. Copyright Proprietary. 21

22 Case Study Global Financial Services Institution Protecting Personal Information and Banking Infrastructure through an Established Cyber Security Capability Results Achieved MP The Challenge A global financial services company with diverse business segments, making it one of the world s prominent financial services institutions, was breached and personal information accessed. Recognizing it faced a continuous threat environment as a high-value target by internal and external actors, the client required a robust strategy to establish a workforce capable of addressing its unique risk/threat profile. To prevent attackers intended ability to gain a privileged look at, disrupt, or manipulate, its core business functions, the institution turned to Booz Allen for an independent, third-party validation of its cybersecurity workforce readiness capability. The Solution The MissionPlaform team built a customized set of Cyber Talent Management Interventions to close organizational capability gaps. Interventions were designed to meet the unique risk/threat profile of the institution and achieve short- and long-term risk mitigation objectives. Reports guided the client in identifying critical positions, examining cyber workforce distribution and establishing a Cyber Security Job Family. In under six weeks, the MissionPlatform team identified critical talent gaps, sub-optimal performance risks, and flawed hiring practices. Also revealed were organizational misalignments of workforce, increasing the firm s exposure to risk and limiting the ability of systems to meet cybersecurity requirements, as well as a cyber security talent deficit. The analysis implemented strategic plans to close gaps were limited, including inaccurate position targets and compensation projections at nearly 60% under market. Briefings to Risk Management, Information Systems and Human Resources established an action plan for adjusting the human capital strategy and making targeted investment decisions to expand capability. The institution turned to Booz Allen for an independent, third-party validation of its cybersecurity workforce readiness strategy. MissionPlatform activities launched initial stages of a comprehensive cyber security workforce strategy to effectively safeguard client information and infrastructure, critical to both U.S. national security and global economic prosperity. Booz Allen Hamilton Inc. Copyright Proprietary. 22

23 PI = [ ] x C4S G4S I4S CR MP Predictive Intelligence Predictive Intelligence combines tradecraft, big data & analytics, technology and workforce to help clients anticipate, prevent, detect and respond to global threats and global opportunities with real-time actionable insight about their environment internally, externally, globally and socially so they can take action to be ready, to manage risk, to protect assets and to thrive. Points of Contact Angela M Messer, Executive Vice President Predictive Intelligence messer_angela@bah.com Cyber4Sight Randy Hayes Vice President hayes_randy@bah.com Global4Sight TM David Kletter Senior Vice President kletter_david@bah.com Insider4Sight TM Randy Hayes Vice President hayes_randy@bah.com CyberReady TM Brad Medairy Senior Vice President medairy_brad@bah.com MissionPlatform Brad Medairy Senior Vice President medairy_brad@bah.com Raynor Dahlquist Vice President dahlquist_raynor@bah.com Leslie Raimondo Vice President raimondo_leslie@bah.com Cyber4Sight is a registered trademark of Booz Allen Hamilton Inc. Global4Sight, Insider4Sight, CyberReady, and ThreatBase are trademarks of Booz Allen Hamilton Inc. Booz Allen Hamilton Inc. Copyright Proprietary. 23