TAKING CHARGE OF SECURITY IN A HYPERCONNECTED WORLD

TAKING CHARGE OF SECURITY IN A HYPERCONNECTED WORLD How Organizations Can Improve Breach Readiness and Cyber Security Maturity October 2013 Authors James Lugabihl, Global CIRC Senior Manager, EMC Corp. Dylan Owen, Cybersecurity Manager for Cybersecurity and Special Missions, Raytheon Company Timothy A. Rand, Senior Manager, Advanced Cyber Defense Practice, RSA, The Security Division of EMC Peter M. Tran, Senior Director, Advanced Cyber Defense Practice, RSA, The Security Division of EMC KEY POINTS Organizations are taking responsibility for proactively improving security, not just for themselves but for customers and business/supply chain partners. Rising numbers of organizations are conducting assessments of their business risks and security practices before breaches occur. Most breaches result from organizations stumbling on basic security practices. The following deficiencies play a contributing role in most security breaches: Neglecting basic security hygiene Relying exclusively on traditional threat prevention and detection tools Mistaking compliance for security Inadequate end user training An organization s optimal security posture will change as its business, risk, and threat environment changes. Good security is less about achieving a static goal state as it is about building capabilities for continuous evaluation and improvement. Of the many recommendations that emerge from security assessments, 20 percent will likely yield 80 percent of the benefits. The following areas for improvement typically generate high impact: Conduct all-inclusive risk and security assessments Locate and track high-value digital assets Model threats and address top vulnerabilities Master change management processes Deploy security staff selectively and strategically Integrate security processes and technologies to scale resources Invest in threat intelligence capabilities Quantify the impact of security investments RSA Security Brief

RSA Security Briefs provide security leaders and risk management executives with essential guidance on today s most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today s forward-thinking security and risk management practitioners. Contents Good security is a relative condition... 3 Security programs still stumble on the basics... 4 Neglecting basic security hygiene... 4 Relying exclusively on traditional threat prevention and detection tools... 5 Mistaking compliance for good security... 5 Inadequate user training... 6 Beyond the basics... 6 Security stewardship means continuous improvement... 7 Conduct all-inclusive risk and security assessments... 7 Locate and track high-value digital assets... 7 Model threats and address top vulnerabilities...8 Master change management processes...8 Deploy security staff selectively and strategically... 9 Integrate security processes and technologies to scale resources... 9 Invest in threat intelligence capabilities... 10 Quantify the impact of security investments... 10 Conclusion...11 About the Authors... 12 Security Solutions for Improving Breach Readiness...14 From Raytheon Company...14 From RSA, The Security Division of EMC...14

The boundaries have blurred between internal and external networks. Employees increasingly use their own devices, home networks, and public Wi-Fi to access corporate resources. Partners, customers, and vendors have greater access to what were exclusively internal resources, and the integration of private networks with public clouds has culminated in hybrid clouds with dynamic and complex boundaries. In a world where digital boundaries are ever-changing and hard to define, building stronger perimeter defenses, while still necessary, are inadequate to ensure sufficient security. Attackers look for the easiest means of compromise. That s why attacks are moving from more security-mature organizations down to less mature, typically smaller, partners. Attackers can exploit the trust relationships between companies to infiltrate well-protected targets through supply chain partners with less security experience. Dylan Owen, Raytheon Company In today s highly interconnected business environment, information security can no longer be an isolated endeavor: it must be the responsibility of an entire business ecosystem or value-chain. This idea has gained widespread recognition at the international level. For example, the World Economic Forum (WEF) is exploring how responsibility for cyber security can be shared among companies, industries, and governments. In its 2012 report, Risk and Responsibility in a Hyperconnected World: Pathways to Global Cyber Resilience, the WEF concluded: Increasing dependence on connectivity for the normal functioning of society makes the protection of connectivity a critical issue for all; it is a shared resource, like clean air or water. No one organization can resolve the issue by itself; a collaborative, multi-stakeholder approach must be taken. Even competitors in a given industry must become partners in the effort to ensure a stable and trusted environment. The idea that creating a stable, trusted cyber environment should be a collaborative endeavor also appears to be gaining traction among private enterprise and governments. Two trends in the global security community point to this: 1. Participation in threat intelligence-sharing groups has widened over the past few years beyond the traditional circles of defense and financial services. Nowadays, it s common to see industrial manufacturers, retail chains, utilities, and technology companies exchanging cyber threat intelligence. 2. Rising numbers of organizations are conducting assessments of their business risks and security practices to improve their overall security posture proactively. These security assessments have historically been done in the wake of serious incidents or breaches, but they are now increasingly done as a precautionary measure before trouble has been detected. GOOD SECURITY IS A RELATIVE CONDITION Organizations are conducting proactive assessments not only to improve their own security postures but to protect their business relationships. Advanced cyber attacks have been known to attack their primary targets by exploiting business partners with weaker defenses. Rather than combat the well-protected computer networks of a target company, cyber attackers try instead to infiltrate the organization through its connections to trusted partners with less-developed security practices. In recent incidents, cyber attackers have sought to cover their tracks by routing data stolen from a company through the computer networks of a business partner. page 3

Because information security within a supply chain is only as strong as its weakest link, organizations today must improve security measures not just for themselves but for their partners and customers. Every organization should achieve appropriate levels of security for their business requirements and risks which also means evaluating how their security practices could affect customers and partners, should something go wrong. Of course, appropriate security measures will vary greatly from organization to organization. For example, security practices considered appropriate for an industrial manufacturer might have very different characteristics than security practices for a regional consulting firm or a global technology company. We see security assessments trending toward improvement and a more proactive approach. There s a general sense that, because my buyer or my business partner just got hacked, maybe I should think about this now. The tough part is getting your stakeholders to realize they re on borrowed time, because they re still thinking, Well, nothing has happened to us, so why should we do this? Peter Tran, RSA Identifying appropriate levels of security can prove challenging, because it s an exercise based on risk and relativity. Appropriate security should be determined by four factors: 1. The organization s risks and requirements, which change over time and are unique for each organization 2. The value of information assets being protected, with high-value assets monitored more closely and subject to more controls 3. The security risks and threats the organization can reasonably expect to face, considering that attack techniques are constantly changing and rising in sophistication 4. Prevailing security practices for the organization s peers, with the organization aiming to be at or above the group average so as to not make itself an easy target The first three conditions listed above are associated with internal assessments. The fourth condition is a relative measure that relies in part on external knowledge of reasonable security practices within an industry peer group. Industry associations, information sharing and analysis centers (ISACs), or outside consultants can often help provide this comparative context. Another way organizations can diagnose security performance on a relative basis is through self-assessment tools. Many consulting firms and security service providers offer proprietary security maturity models. Each has merits and deficiencies, but they all aim to provide a progressive framework for measuring security performance. An example of a security maturity framework is shown in Figure 1. SECURITY PROGRAMS STILL STUMBLE ON THE BASICS In analyzing security programs across different industries, it seems many organizations today still fall down on basic execution. The following deficiencies commonly contribute to security breaches. Neglecting basic security hygiene In forensic evaluations following attacks, missed software updates frequently surface as exploited vulnerabilities. Sometimes, these are zero-day vulnerabilities, but in most cases antivirus and software updates had simply not been done. Perhaps a system was scheduled for patching at a later date after the organization could compatibility-test the patch. More likely, the system was overlooked for patching entirely because it had been added to the network without being properly cataloged: IT didn t know the system existed so they did not know to patch it. Basic security maintenance is an all-toocommon deficiency. page 4

Figure 1: Security Maturity Framework Level 1. Product-driven security Level 2. Compliance-driven security Level 3. IT Risk-driven security Level 4. Business Risk-driven security policy uenforcement vupdate trigger Sporadic and inconsistent None Enforced employee compliance Changes in policies and regulations Management reinforces cooperation Changes in IT threats Reasons for non-compliance explored Continuous business risk assessments process wreporting schedule xupdate trigger No reporting None Ad-hoc incident reports Auditor checklist Scheduled reporting IT infrastructure checklist Real-time reporting Business risk checklist yleadership capabilities Technology: low Business: low Technology: medium Business: low Technology: high Business: medium Technology: high Business: high people zmanagement communication None Contingent on policy changes and incidents Regular communication Pro-active, two-way communication between security and businesses {Employee training Product training (not mandatory) Regulations training (mandatory for some) IT infrastructure threats (mandatory for all) Role-specific training (mandatory for all) product Selection criteria }Technology focus Trends, vendors Managing patchwork of security tools Legal/regulatory requirements Compliance monitoring and reporting Specific to IT infrastructure Threat detection and response Based on business implications Business risk monitoring and predictive analytics There s no magic bullet for improving security or your breach readiness. There s no secret to it, other than you have to master the basics before you take on anything else. You have to execute get your hands dirty, move rocks. James Lugabihl, EMC Relying exclusively on traditional threat prevention and detection tools In general, organizations relying on firewalls, antivirus scanners, and intrusion detection systems (IDS) for security will never discover the truly serious problems. Yet, most security teams still wait for signature-based detection tools to identify problems rather than looking for more subtle indicators of compromise on their own. Part of the reason for this is most security teams have not done the hard work of integrating their logs, security processes, and tools, making it challenging to correlate events or determine causality. Mistaking compliance for good security Many companies are on an accelerating treadmill with their compliance programs. They re so busy keeping up with mounting compliance requirements, whether from increased government regulations or internal oversight requirements, that proving compliance becomes a goal in and of itself. Most compliance mandates reflect best practices that should be interpreted as minimum standards, not sufficient levels, of security. For example, organizations may audit their privileged IT administrator accounts only once a quarter because that s the interval specified by internal policies. However, cyber adversaries waging targeted page 5

Developing a highperforming security program what we call an intelligence-driven organization is a journey. Focus on the basics first, paying attention to the people, process, and technology. Then, you can make improvements incrementally by adding capabilities such as forensic analysis, malware reverse engineering, and threat intelligence. Timothy A. Rand, RSA attacks often phish for privileged accounts to do the most damage in the shortest amount of time. In most cases, the quarterly intervals for inspecting privileged accounts may be woefully inadequate for managing risk. The Payment Card Industry Data Security Standard (PCI DSS) serves as an example in which good compliance does not always translate into breach avoidance. Companies compliant with PCI DSS have been hacked. For this reason, the latest version of PCI DSS provides direction for implementing security into business-as-usual (BAU) activities and underscores the need to maintain ongoing compliance. Inadequate end user training Employees and other end users of corporate IT assets should be regarded as the organization s first line of defense even more so than firewalls and IDS. Threats will inevitably get through perimeter defenses, but employees can alert security teams to suspicious emails, unusual activity, or performance changes in systems. Many organizations don t invest enough time and resources in user training. While annual security training is the interval frequently mandated in corporate policies, it s not frequent enough to protect end users from phishing, malicious links, and other security hazards. Also, most organizations fail to provide differentiated training for employees more likely to be targeted by cyber attackers: finance executives, IT administrators, R&D scientists, and others. Beyond the basics While the basic deficiencies described above contribute to the majority of security breaches, other shortcomings also surface over and over again. The chart in Figure 2 itemizes ten of the most common problems identified in security assessments. Figure 2: Top 10 security deficiencies found in security assessments Infrequent user training on security hazards such as spear-phishing People Inadequate security staff, both in terms of numbers and training Security team s roles and responsibilities not clearly defined Poor patch management processes Process Reliant on ad hoc incident response and other security procedures in the absence of well-defined processes Enterprise amnesia resulting from responding nonstop to fire drills without taking time to improve based on post-incident lessons learned No centralized or real-time monitoring and alerting analysts must log into different consoles to collect alerts Technology Poor incident response-tracking and workflow systems Insufficient tools to conduct forensic analysis No threat intelligence collection or analysis capabilities page 6

SECURITY STEWARDSHIP MEANS CONTINUOUS IMPROVEMENT An organization s optimal state of security will vary as its business, risk, and threat environment changes. What this means is that good security is not about achieving a static optimal state; it s about building capabilities, or agility, for continuous assessment and improvement. The focus on improving security seems to have intensified. Two years ago, organizations commissioning outside security assessments were primarily interested in remediating vulnerabilities following a breach. Now, more organizations are requesting proactive help to improve breach readiness and incident response. Even medium-size companies, under pressure from larger business partners, are striving to proactively advance their security practices ahead of a serious incident. Because good security is not a one-size-fits-all condition, the needed improvements will vary greatly from organization to organization. Any organization that has conducted a rigorous security assessment can attest that the list of recommendations resulting from such assessments is almost endless. The key to executing a successful security improvement plan is to identify and implement the 20 percent of changes that will yield 80 percent of the benefits. The recommendations and best practices described below often fall into the top 20 percent of changes that generate the greatest improvement in organizational readiness for responding to and recovering from cyber threats. Conduct all-inclusive risk and security assessments Risk assessments should include not just digital assets but an all-inclusive risk evaluation of facilities, suppliers, and even how you sell your goods and services. For example, if your organization sells in distant geographic regions through channel partners, these partners should be factored into risk evaluations for two reasons. First, these partners are essentially your organization s face to the world within their respective regions. Second, they re likely to be attractive, vulnerable targets for spearphishing, as they potentially represent a convenient vector for attacking your company. Digital risk assessments should be done at least once per year. If you stand up a new service or enter a new market, a corresponding risk assessment should be included as part of the project management process, baking security into the implementation. Locate and track high-value digital assets While keeping track of valuable digital assets sounds straightforward, many companies say this is one of the toughest challenges they face. Tracking high-value information assets can be tricky because of shadow IT in which processes run on systems that aren t managed by the enterprise IT team. This could run the gamut from a business unit storing sensitive information in a SaaS application to an accountant in your finance department running a spreadsheet of critical financial data on his unsecure home computer. Tracking high-value information is a critical capability in incident response and remediation. When threats or problems are first detected, you have to know how to isolate or effectively protect critical assets as fast as possible. Organizations must document where high-value assets are, who has access to them, who within the business owns the risk, and how the risk can be managed. IT and security teams can provide the right frameworks and tools for auto-discovery, including creating a single repository to track and manage key assets. page 7

Model threats and address top vulnerabilities Part of any security assessment should be threat modeling, which can be boiled down to a simple formula: Threat x Vulnerability x Potential Cost of Loss = Risk Stakeholders in business units and IT often don t understand the need for threat modeling, and many security practitioners don t have sufficient experience to do it well. A common pitfall is organizations tend to underestimate internal threats. The mostoverlooked internal risks are not disgruntled employees acting out of malice; they re often well-intentioned employees making critical mistakes oversights in documenting changes to an IT system s software application is a typical example. Threat modeling should be a collaborative, multi-disciplinary process, not an isolated exercise within the security team. Participants should work together on scoping out threats to the organization and how each may affect business units or assets. Ideally, threat modeling should be a creative process: organizations must plan with the same imagination and cunning as prospective adversaries. Threat models should also build on forensic evaluations of previous threats observed in your environment with the goal of identifying ways to neutralize cyber adversaries. For example, threat models should identify the organization s most frequent historical threat vectors. Then, if you discover that the number one point of compromise for your organization is phishing attacks, you ll know to implement processes, technology, and training programs to reduce the effectiveness of spear phishing. Good change management can have a huge preventive impact. Some people think that change management just slows them down, but consider what s the cost to your business if you don t do this and something gets compromised? It s rarely worth the risk. Dylan Owen, Raytheon Company Master change management processes Security change management procedures help track and respond to changes in IT assets and business processes that have material impact on security risks. It s a hard discipline to manage consistently, especially since many stakeholders in IT, the business, and even in security mistake it for an administrative checkbox that simply slows them down. So, they may forego documenting systems and processes because they re under pressure to complete a project quickly and believe they can circle back and report on additions and modifications later. But then key people on the implementation team leave, first-hand knowledge is lost, and dependencies are never recorded. Such omissions present unnecessary risks that can have serious consequences later. Change management processes should be factored into project management schedules. You should qualify the risks and rewards of change management requirements so stakeholders understand the potential cost to the business if something gets missed and contributes to a compromise. Train people to understand the impact of their actions. Simultaneously, stakeholders should evaluate how to fulfill change management requirements in the most efficient and expedient way possible. Part of change management is the discipline of identifying and documenting interdependencies between systems so IT and security teams are aware of how changes made to one system affect the state of another. Reconfiguring one part of your IT environment could create vulnerabilities somewhere else. For example, if an organization s back-end database provider releases a patch that s incompatible with the ERP implementation to which the organization s database is tied, then the database can t be patched until a fix can be arranged. Instead, the IT team must document why the patch was not installed and work with the security group to make sure vulnerabilities in the database system can be mitigated until updates can take effect. page 8

Deploy security staff selectively and strategically In many security operations centers (SOCs) a designation that this paper also uses to refer to critical incident response centers or teams (CIRCs/CIRTs) the roles and responsibilities for in-house personnel are not clearly defined. Analysts are accountable for many things simultaneously without clear direction on priorities. The adage if you try to do everything, you wind up doing nothing well applies here. Many SOCs would benefit from revisiting their staffing models, evaluating the capabilities of individual team members to put the right people in the right roles. That way, people with advanced or specialized skills are deployed in a way that best serves the needs of the security organization. A recent report from the Security for Business Innovation Council titled Transforming Information Security: Designing a State-of-the-art Extended Team recommends that organizations focus on building security capabilities in four key areas that will be new to most SOCs: cyber risk intelligence and data analytics, security data management, risk consultancy, and controls design and assurance. These emerging skills are seen by the Council s members as essential to providing the security capabilities needed to defend organizations against escalating cyber threats. Integrate security processes and technologies to scale resources Almost every security operations team today faces staffing shortages. The capabilities of in-house security personnel are usually stretched, and new headcount is hard to authorize. Most security professionals spend too much time on mundane tasks such patch management or manually pulling data from different systems or sorting through volumes of event logs, alerts, and threat intelligence with no categorization of relevance or importance. The productivity of security personnel can be dramatically raised through technology and process integration initiatives. As detailed in a February 2013 RSA Technical Brief Building an Intelligence-driven Security Operations Center, integrating security operations processes and technologies is arguably the single most beneficial thing that SOCs can do to boost staff productivity. Process and technology integration provides valuable context for analyzing triggered events. For example, proper context can determine whether events are related to highvalue assets such as mission-critical systems and applications, business processes handling sensitive data, or privileged users such as CIOs, CFOs, and IT administrators. This type of context can help establish event severity and criticality, directing analysts attention to where it s needed most. Another huge potential time-saver involves integrating various security tools so they feed into a central incident management console. Many security teams have yet to invest in centralized, real-time monitoring, and alerting. Instead, they compel security analysts to log into different systems (firewalls, IDS, and more) to collect alerts. Security tools should be integrated to push alerts into a central repository that provides a single-console view of aggregated events and alerts. Such consoles should track and coordinate workflows. This way, multiple analysts and users can work in parallel on different aspects of the same incident. A unified console presents all the contextual information for threats in one place; analysts don t have to chase down data scattered among disparate systems and locations to get the background needed for accurate decision-making. In addition to saving analysts time, tool integration can also manage workflows to facilitate adherence to procedural best practices. page 9

Data aggregation could happen within a traditional log/event-oriented SIEM system, for example. For organizations with mature SIEM capabilities, the next phase of improvement is to enhance their central data monitoring with greater visibility (network and endpoint) as well as analytic capabilities that can automate the early phases of threat detection and shorten analysts investigation times. In threat intelligence, data is king and context is queen. You can t be secure without mastering both. James Lugabihl, EMC Invest in threat intelligence capabilities Threat intelligence, long the domain of large enterprises and government agencies, is now being used by mid-sized and smaller companies to become more proactive and to protect their business relationships. Threat intelligence can sound daunting, but it does not necessarily need to involve ISACs and government agencies. For example, if you learn that the registrant of a bad domain linked to threat activity on your network has also registered 50 other domains, you could block them all. This is an example of leveraging intelligence to proactively improve your defenses. The simplest way to mine threat intelligence is to leverage the information already on your systems and networks. Many organizations don t fully mine logs from their perimeter devices and public-facing web servers for threat intelligence. For instance, organizations could review access logs from their web servers and look for connections coming from particular countries or IP addresses that could indicate reconnaissance activity. Or they could set up alerts when biographies of employees with privileged access to high-value systems attract unusual amounts of traffic, which could then be correlated with other indicators of threat activity to uncover signs of impending spearphishing attacks. Quantify the impact of security investments Finding budget is a common constraint that security teams cite for not making the investments needed to improve incident response and readiness. ROI is very difficult to prove because it requires that organizations measure return on solutions to security problems that may never materialize. Yet, to build support from business units for funding security initiatives, it helps to compare the cost of proactive remediation with the potential cost of compromise. The cost of security controls needs to be balanced against the business harm likely to result from security failures. That s where what if scenarios can prove helpful. In modeling what if scenarios, try to capture the full costs. For example, in addition to projecting the business and reputational costs of a breach within critical systems, also consider the costs for deploying backup systems while infected systems are taken down and cleaned. Quantifying the potential impact of new security investments can help security teams win support for new investments. It can also help organizations identify and prioritize investments that are most likely to result in substantial security improvements. page 10

CONCLUSION As information security becomes an ecosystem-wide endeavor, organizations will have to demonstrate they re doing their part to improve security for all. Organizations will have to become more disciplined about basic security hygiene, which remains a consistent stumbling block. Organizations will also have to embark on thorough assessments to improve their organizational readiness in responding to and recovering from cyber threats. Security assessments can be handled in-house by experienced staff, but many organizations choose to enlist outside help. External consultants can provide objective evaluations of the organization s current security practices, as well as contribute insights on best practices from multiple industries. Regardless of who conducts security assessments or what recommendations emerge for improvement, organizations should prioritize a limited number of investments that can deliver the greatest security benefits. Targeting the highest-impact investments can be done by quantifying the risks that would be mitigated by new controls or by seeking outside counsel on what has proven beneficial to other organizations. page 11

ABOUT THE AUTHORS James Lugabihl Global CIRC Senior Manager EMC Corporation James Lugabihl took over EMC s Critical Incident Response Center in June of 2010. He is responsible for monitoring EMC s global network and responding to threats that directly impact the organization. Since February 2005, James has been a part of EMC s Global Security Organization developing the framework for risk and security administration services and worked as an internal consultant for the CSO. Mr. Lugabihl began his information security career more than 15 years ago with the U.S. Navy s Fleet Information Warfare Center handling network monitoring and incident response. Dylan Owen CISSP, ISSEP, ISSMP, GPEN, GCFA, ITIL Cybersecurity Manager for Cybersecurity and Special Missions Raytheon Company Dylan Owen is responsible for developing and providing computer network defense solutions to Raytheon s government and commercial customers. He helps Raytheon customers review and improve their security readiness, focusing on organizational alignment as well as reviewing security architectures and SOPs. Mr. Owen has helped design and implement SOCs/CERTs and threat intelligence programs for government organizations and large companies. He has also helped clients stand up CERTs, including developing core processes, hiring staff, and implementing technology solutions. In previous positions at Raytheon, Mr. Owen developed expertise in certifying and accrediting IT systems, conducting computer security awareness training, managing vulnerability assessments, and investigating many different types of computer-related breaches. Timothy A. Rand Senior Manager Advanced Cyber Defense Practice RSA, The Security Division of EMC Tim Rand is responsible for professional services engagements for incident response/ discovery (IR/D), breach readiness, remediation, SOC/CIRC design, and proactive computer network defense. Prior to RSA, he was a lead security engineer for the Mitre Corporation. Earlier, he led enterprise-wide computer emergency response, attack sensing and warning, and proactive cyber operations for the Raytheon Company s Cyber Threat Operations team. Mr. Rand has more than 16 years of experience in developing technical staff and programs, cyber investigations, Advanced Persistent Threat (APT) defense, focused threat analysis, operations, and projects. He has held various technical leadership roles, including director for an environmental analysis laboratory and senior scientist for various enterprises such as the Lockheed Martin Company. (Continued on the next page) page 12

Peter M. Tran Senior Director Advanced Cyber Defense Practice RSA, The Security Division of EMC Peter Tran leads RSA s Advanced Cyber Defense Practice, which offers world-class professional services for global incident response and discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign, and proactive computer network defenses. Mr. Tran has more than 18 years of government, commercial, and research experience in the fields of computer forensics, information assurance, and security. He is a recognized expert within the Department of Defense and U.S. federal law enforcement communities on computer forensics, malicious code, computer crime investigations, foreign counterintelligence, technology transfer, network security, and cyber espionage. He has authored several defense periodicals for his work involving distributed computer forensics and data analysis. Prior to RSA, Mr. Tran led Raytheon s commercial cyber professional services, as well as its enterprise Cyber Threat Operation Programs for SOC/CERT, IR/D, intelligence, APT threat analysis, technical operations, exploitation analysis, adversarial attack methodologies, and research and tools development. He held senior technical leadership roles with Northrop Grumman and Booz Allen Hamilton. Mr. Tran also worked as a Federal Law Enforcement Special Agent, forensic analyst, systems/security engineer, software product designer, and consultant in both technology prototyping and production. page 13

SECURITY SOLUTIONS FOR IMPROVING BREACH READINESS The products and services described below are designed to align with the best practices described in this RSA Security Brief. This security solutions overview is not intended to provide a comprehensive list of applicable products and services. Rather, it s intended to serve as a starting point for security practitioners wanting to learn about some of the options available to them. From Raytheon Company Insider Threat and Counter Intelligence Raytheon is the largest provider of insider threat solutions to the U.S. Government. Raytheon s SureView product enables safe and effective use of mission-critical technologies by capturing human behavior technical observables, which include policy violations, compliance incidents, or malicious acts that could be warning signs of a security breach. Trusted Thin Client (TTC) Trusted Thin Client is Raytheon s commercial-off-theshelf (COTS) solution that provides end users access to all allowable networks from a single device. TTC ensures homeland and corporate security while enabling the fast-paced exchange of data to foster seamless global collaboration across disparate classified or sensitive networks. Trusted Gateway System (TGS) A commercial-off-the-shelf (COTS) transfer solution, Trusted Gateway System provides exceptional built-in manual review and automatic validations, such as virus scanning, file type verification, dirty word search, and deep content inspection, enabling safe and simultaneous data movement between networks at different sensitivity levels. From RSA, The Security Division of EMC RSA Advanced Cyber Defense Practice has been developed to help clients safeguard their organizational mission by focusing on the protection of high-value assets, which are often the object of targeted attacks, and by developing the readiness, response, and resilience of their security operations. The practice s consultants are highly skilled security practitioners, each with 10-plus years average experience in incident response planning and in building, operating, and managing SOCs. RSA s security consultants don t just provide reports and recommendations; they also provide hands-on assistance with developing and improving incident-handling processes and procedures, automating securityrelated workflows to drive operational efficiencies, and generating actionable intelligence by gathering multiple sources of information and cultivating data analytics capabilities. Finally, the practice s consultants provide technology-neutral guidance on selecting and implementing security solutions that adapt to variable levels of risk. Collectively, the practice s consultants and services help clients shift from a reactive security stance to a proactive, advanced cyber-defense posture. RSA Archer GRC Suite is a market-leading solution for managing enterprise governance, risk, and compliance (GRC). It is designed to provide a flexible, collaborative platform to manage enterprise risks, automate business processes, demonstrate compliance, and gain visibility into exposures and gaps across the organization. The RSA Archer GRC platform is engineered to draw data from a wide variety of systems to serve as a central repository for risk-, compliance-, and security-related information. The RSA Archer Security Operations Management module is designed to provide a software system that manages incident workflows, page 14

reporting and notification requirements, staffing and work allocations, as well as other capabilities needed to efficiently manage a security operations center. This system also provides the required business and technical context (such as asset information) for incidents during investigations. RSA Education Services provide training courses on information security geared to IT staff, software developers, security professionals, and an organization s general employees. Courses combine theory, technology, and scenario-based exercises to engage participants in active learning. RSA Advanced Cyber Defense Training offerings are a series of instructional courses focused on improving the skills of security analysts in areas such as incident handling, the use of threat intelligence, malware analysis, and the detection and investigation of advanced threats. These courses are taught by expert personnel from the RSA Advanced Cyber Defense Practice. RSA Enterprise Compromise Assessment Tool (ECAT) is an enterprise threat detection and response solution designed to monitor and protect IT environments from undesirable software and the most elusive malware including deeply hidden rootkits, advanced persistent threats (APTs), and unidentified viruses. RSA ECAT is engineered to automate the detection of anomalies within computer applications and memory without relying on virus signatures. Instead of analyzing malware samples to create signatures, RSA ECAT establishes a baseline of anomalies from known good applications, filtering out background noise to uncover malicious activity in compromised machines. The RSA ECAT console presents a centralized view of activities occurring within a computer s memory, which can be used to quickly identify malware, regardless of whether a signature exists or if the malware has been seen before. Once a single malicious anomaly is identified, RSA ECAT can scan across thousands of machines to identify other endpoints that have been compromised or are similarly at risk. The RSA Live platform is engineered to help organizations capitalize on the collective intelligence and analytical skills of the global security community in detecting and countering advanced threats and other cyber attacks. The RSA Live platform is designed to gather advanced threat intelligence from a broad range of respected, reliable security service providers, including RSA researchers. RSA s expert researchers and analysts process security information from these myriad sources and deliver the most relevant data to the RSA Live community directly through RSA Security Analytics. RSA Security Analytics is designed to provide security organizations with the situational awareness needed to deal with their most pressing security issues. By analyzing network traffic and log event data, the RSA Security Analytics system helps organizations gain a comprehensive view of their IT environment, enabling security analysts to detect threats quickly, investigate and prioritize them, make remediation decisions, take action, and automatically generate reports. The RSA Security Analytics solution s distributed data architecture is engineered to collect, analyze, and archive massive volumes of data often hundreds of terabytes and beyond at very high speed using multiple modes of analysis. The RSA Security Analytics platform also is designed to ingest threat intelligence about the latest tools, techniques, and procedures in use by the attacker community to alert organizations to potential threats that are active in their enterprise. page 15

ABOUT RSA RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, data loss prevention and fraud protection with industry leading egrc capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.rsa.com and www.emc.com. www.rsa.com EMC2, EMC, the EMC logo, RSA, Archer, and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. Raytheon, SureView, Trusted Thin Client, and Trusted Gateway System are registered trademarks or trademarks of Raytheon Company. All other products or services mentioned are trademarks of their respective companies. Copyright 2013 EMC Corporation. All rights reserved. Published in the USA. H12485 TCSHW-BRF-1013v2