Cyber threat intelligence and the lessons from law enforcement. kpmg.com.au

Similar documents
Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity

Understanding and articulating risk appetite

Cyber security: Are Australian CEOs sleepwalking or a step ahead? kpmg.com.au

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

A NEW APPROACH TO CYBER SECURITY

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber security Building confidence in your digital future

Addressing Cyber Risk Building robust cyber governance

Cyber Security: from threat to opportunity

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

Cyber Security Evolved

The enemies ashore Vulnerabilities & hackers: A relationship that works

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

The Path Ahead for Security Leaders

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

THE HUMAN COMPONENT OF CYBER SECURITY

Cyber security Building confidence in your digital future

Assessing the strength of your security operating model

CEOP Relationship Management Strategy

treasury risk management

Cyber security: Are consumer companies up to the challenge?

Leveraging Network and Vulnerability metrics Using RedSeal

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

BT Assure Threat Intelligence

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager

National Approach to Information Assurance

Services. Cybersecurity. Capgemini & Sogeti. Guiding enterprises and government through digital transformation while keeping them secure

CYBER SECURITY TRAINING SAFE AND SECURE

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Cyber Security - What Would a Breach Really Mean for your Business?

Cybersecurity and internal audit. August 15, 2014

Protecting against cyber threats and security breaches

Cyber security. Cyber Security. Digital Employee Experience. Digital Customer Experience. Digital Insight. Payments. Internet of Things

BIG DATA TRIAGE & DIGITAL FORENSICS

Cyber Security. CYBER SECURITY presents a major challenge for businesses of all shapes and sizes. Leaders ignore it at their peril.

developing your potential Cyber Security Training

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Cyber Security for audit committees

ESKISP Conduct security testing, under supervision

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Cyber Security Strategy

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

The Cyber Threat Profiler

Mitigating and managing cyber risk: ten issues to consider

How To Create An Insight Analysis For Cyber Security

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

Tech deficit. June 2014

Cyber security: it s not just about technology

Developing a robust cyber security governance framework 16 April 2015

Victorian Government Risk Management Framework. March 2015

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Defending against modern cyber threats

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Optimizing Network Vulnerability

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

Continuous Network Monitoring

Cyber Security: Confronting the Threat

Committees Date: Subject: Public Report of: For Information Summary

Business Continuity Management Systems. Protecting for tomorrow by building resilience today

Digital Forensics Services

integrating cutting-edge security technologies the case for SIEM & PAM

Business Plan 2012/13

The promise and pitfalls of cyber insurance January 2016

Attack Intelligence: Why It Matters

Who s next after TalkTalk?

Central and Eastern European Data Theft Survey 2012

Risk Management Policy

Cyber Security Operations Centre Reveal Their Secrets - Protect Our Own Defence Signals Directorate

the Defence Leadership framework

Security and Privacy Trends 2014

HEALTH CARE AND CYBER SECURITY:

Manifesto for Education Empowering Educators and Schools

Australian Government Cyber Security Review

Into the cybersecurity breach

WHAT ARE THE BENEFITS OF OUTSOURCING NETWORK SECURITY?

How do we Police Cyber Crime?

Gaining the upper hand in today s cyber security battle

UK Stewardship Code. Response by Generation Investment Management LLP. London / 31 March, Generation Investment Management Page 1

Specific recommendations

Obtaining Enterprise Cybersituational

Confident in our Future, Risk Management Policy Statement and Strategy

ESKISP Direct security testing

Transcription:

Cyber threat intelligence and the lessons from law enforcement kpmg.com.au

Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many organisations react when it is too late the attack is underway. Few organisations have the capability to anticipate cyber threats and implement preventative strategies, despite prevention being more cost effective 1 and customer focused. 2 1. For example: http://money.cnn.com/2012/12/13/technology/security/bank-cyberattack-blitzkrieg/ index.html 2. UK Cyber Crime Strategy, March 2010

Cyber threat intelligence and the lessons from law enforcement 3 This is not a new threat and hackers have been infiltrating sensitive government systems since the early 1990s. However, the focus on cyber security is increasing rapidly due to many high profile and highly disruptive/damaging security breaches threatening financial and physical damage for companies in many sectors and across critical national and corporate infrastructures. It also appears the nature of the threat is changing and becoming increasingly volatile. In our most recent survey, 67 percent of data loss resulted from external hacking, and the insider threat remains omnipresent. 3 The Information Security landscape is constantly evolving. Private and public sector organisations find it difficult to believe they could be a target for cyber attacks. This mindset needs to change as the best offence is a good defence. At the same time, it is no longer viable to rely solely on defence. The determined adversary will get through eventually. As a result, organisations must know what is going on around them so that they can identify when an attack has taken place or when an attack is imminent. Intelligence and the insight that it brings is at the heart of next generation Information Security. An intelligence capability enables organisations to identify potential threats and vulnerabilities in order to minimise the threat attack window and limit the amount of time an adversary gains access to the network before they are discovered. Organisations that take this approach understand that threat intelligence is the mechanism that drives cyber security investment and operational risk management. The number of cyber threat intelligence providers is on the rise and the concept of threat intelligence is now pervasive. While increased awareness of the cyber security threat is a positive trend, our experience indicates that many organisations now need to focus on putting in place the fundamentals of intelligence management to gain real value from threat intelligence. This will be a pre-requisite for instilling confidence in board members and ensure that the organisations are equipped to meet the ever-evolving challenges of cyber security. This does not mean we need more of the same threat data analytics. A paradigm shift is needed, organisations should combine machine learning with very powerful processing technologies, law enforcement threat intelligence methodologies and bright minds to arrive at an out-of-the-box solution for threat intelligence. Much can be learned from the methodologies of law enforcement and intelligence organisations. They have long recognised that intelligence-led decision making is critical to both strategic and operational success. KPMG member firms have been privileged to have worked extensively with law enforcement and gain understanding and experience of intelligence best practices along with the common pitfalls. We believe in three principles that will help organisations manage the cyber threat proactively and minimise the risk to customers, shareholders and employees. These are: create an intelligence-led mindset implement an intelligence operating model build an intelligence-led decision-making process. 3. KPMG Data Loss Barometer, 2012

4 Cyber threat intelligence and the lessons from law enforcement Principle 1 Create an intelligence-led mindset An intelligence-led mindset establishes a direct connection between threat, vulnerability, compliance, risk, action and consequence. It requires leaders to ask simple but fundamental questions on a continual basis. These include: What cyber threats do we face? What risk do they pose to our valuable information assets? What should our response be? How effective has our response been? Despite the increasing cyber threat risks, many boards fail to ask these questions or attain satisfactory answers. Often, this happens because the first question is the most difficult to answer. Cyber threats are hard to quantify in terms of likelihood and business impact. Much intelligence is often situational awareness, describing the symptoms or effects of the attack rather than the factual information about the adversary. As a result, many boards do not fully understand the nature of the threat and, inaccurately assume that cyber security is a technical issue. Management of cyber security is generally confined to the IT practitioners, who are often unable to pull the enterprise-wide levers that are required to reduce risk across the organisation. Adopting a preventative approach requires a cultural shift that starts with directors and board level executives. Focusing on these questions at the board level and incorporating them into the enterprise risk strategy is critical. By doing so, leaders can quickly start to identify gaps in the current cyber security strategy and encourage an organisation-wide approach to countering cyber threats. Principle 2 Implement an intelligence operating model To embed an intelligence-led decision-making process into an organisation, a basic intelligence model must be in place. Law enforcement organisations use robust systems and processes to collect, analyse and act on intelligence. While these models may vary, they are built on common components that are directly applicable to any organisation seeking to develop an intelligence capability. It is challenging to make petabytes of internal and external data available to cyber analysts in a meaningful way, that allows for querying but also suggests relevant information back to the analyst. Such platforms are in the making, and we have seen promising demonstrations. Our basic intelligence operating model, shown here, is based on our experience of improving intelligence management systems and processes in law enforcement. This paper primarily focuses on the processes that form the basic infrastructure (Element 2). 1 Cyber intelligence strategy and budget: The strategy for cyber intelligence and team budget SET The ability to decide what intelligence we need to improve understanding of the threat and to set our intelligence gathering priorities ACT The ability to make intelligence-driven decisions and act both tactically and strategically to prevent or respond to threats 2 Cyber Intelligence Processes GATHER The ability to gather cyber threat intelligence relating to cyber security threats and vulnerabilities from a range of sources and translate these into a common language ANALYSE The ability to analyse cyber intelligence gathered and to make links between discrete pieces of information to create actionable intelligence 3 Cyber intelligence resources: Structure, roles, skills and leadership Source: KPMG International, 2013

6 Cyber threat intelligence and the lessons from law enforcement Setting the intelligence requirement No organisation can dedicate resources to counter every threat. In law enforcement agencies, threats are prioritised and resources are allocated on a priority basis. Cyber threats are no different and forward thinking organisations are starting to adopt industry frameworks for categorising them. Similarly, it is possible to identify vulnerabilities and the potential impact of information loss. Intelligence collection should be informed by an understanding of priority assets, possible threats and vulnerabilities. Just as law enforcement agencies use intelligence to protect the public, organisations should be doing the same to protect information assets, customer data and, ultimately, shareholder value. Targeted threat reduction process Threat actor Actor capability Attack immediacy People Process Technology Information assets Systems Applications Regulations Priority threats Priority vulnerabilities Impact Intelligence requirement Business drivers

Cyber threat intelligence and the lessons from law enforcement 7 Gathering relevant information It is only through collaboration that information can be gathered together and bring into focus the different dimensions of the problem. Gathering relevant information is the first step toward generating actionable intelligence. This activity represents the largest proportion of budget because of the effort and expense of collecting information from diverse sources. Obtaining information about cyber adversaries is a challenge due to the global nature of the threat and the inability of many organisations to exploit useful information that often resides in their own systems. For example, data that may reveal adversary tools, techniques and procedures. The complex nature of the security threats makes it difficult to see the complete picture. It is only through collaboration that information can be gathered together and bring into focus the different dimensions of the problem. Establishing effective collaboration is a major challenge. Many organisations are wary of sharing information that could reflect negatively on their brand. Others are distrustful of law enforcement agencies handling their sensitive commercial data. Overcoming this challenge is essential to keep pace with the evolving threat.

8 Cyber threat intelligence and the lessons from law enforcement Analysing information to create intelligence Once information has been gathered, a systematic analytical approach is critical. Three hallmarks of this approach are highlighted here. 1. The ability to search and cross-reference data across multiple systems. Although this may sound simple, many organisations do not properly store and, subsequently, interrogate information relevant to cyber threats. Although the cost of storage may act as a heavy argument for not doing so, the real reason is often a lack of understanding of what to look for. The argument of costs of storage will increasingly lose ground, since storage is getting exponentially cheaper, and storage capacity for almost equal cost doubles every 2 years (commonly referred to as Moore s law). Mature organisations are increasingly considering the use of analytical tools that seek to identify potential threats by monitoring activity across systems to spot patterns, trends and suspicious activity. 2. Using analytical frameworks to build threat profiles. Many law enforcement and intelligence organisations analyse information from the viewpoints of victims, property, locations, offenders and time. These can be applied directly to cyber threats in the following manner: Offender: What do you know about the people/organisations responsible for the attacks and what is their modus operandi? Addressing the offender profile is pivotal and should drive all subsequent analysis. Victim: Is there anything about your business operations that makes you a target for cyber attack? Are certain business units being attacked or more likely to be a target than others? Property: What information assets are you trying to protect and what is the perceived risk to the security of each asset? Location: Where (physically and virtually) are the information assets you wish to protect held? What is the current form of protection? Are there any specific servers that are being attacked? Time: Are there any temporal patterns regarding cyber attacks and, similarly, are your information assets more vulnerable at certain times? 3. Intelligence products or reports must be tailored to the needs of internal customers. This requires a mature and continuous dialogue to understand customer requirements and to regularly review the quality and relevance of the intelligence products. Best practice, often used by law enforcement and intelligence organisations, indicates that a dynamic and flexible process of incorporating evolving requirements and responding to immediate needs is critical. At the same time, the intelligence function needs to drive process efficiency and ensure automation. This is particularly relevant for intelligence feeds that are directed to multiple customers in real time. The best test of the value of the intelligence product is whether it directly informs decisions about how to tackle cyber security risks. For law enforcement and corporate organisations alike the key decisions are as follows: When to act? Which tactical option to pursue? Has it been effective? These questions are very relevant for organisations that are seeking to take offensive action against the cyber adversary. During an attack, a natural tension occurs between monitoring the attack to gain further intelligence about the adversary versus neutralising the threat and minimising loss. This is clearly a matter of judgement; mature organisations often use decoys to induce adversaries to reveal additional intelligence.

Cyber threat intelligence and the lessons from law enforcement 9 Acting on intelligence The key learning takeaway is to embed the use of intelligence into core business by aligning the development of intelligence products. Principle 3 Build an intelligence-led decision-making process In law enforcement and intelligence organisations, intelligence directly informs all core business decisions. It is evident that corporate boards do not follow this approach consistently. Boards, therefore, might not have a clear view on cyber threats that could have a material impact on critical business decisions. The London 2012 National Olympics Co-ordination Center (NOCC) is a good example of a mature intelligence capability that was integrated into the governance and decision making structures of the UK policing. At the NOCC, twice daily tasking and co-ordination meetings set the direction for each day. This meeting cycle enabled senior officers to continually review the latest intelligence picture and allocate resources to mitigate emerging threats. The key learning takeaway is to embed the use of intelligence into core business by aligning the development of intelligence products to the tempo of formal decision making. Visible seniority is also important. Intelligence meetings at the NOCC were chaired by senior law enforcement officers with the authority (delegated if required) to make dynamic resourcing decisions. While it may not require this regularity, board level awareness of emerging cyber threats and direct involvement in determining the response is critical. In the uncertain world of cyber security, threat intelligence will help organisations become more proactive, focused and preventative, helping to create genuine strategic advantage and enabling organisations to grow with confidence.

10 Cyber threat intelligence and the lessons from law enforcement KPMG and Cyber Security KPMG s member firms have designed and implemented intelligence capabilities in law enforcement and intelligence agencies. We also work with some of the world s largest corporations to design their cyber security programs. This insight provides the team with a unique viewpoint on the building blocks of an effective cyber intelligence function. We see threat intelligence as the central component to effective cyber security. KPMG member firms help clients design the right model, and embed it into their organisations. The goal is to help member firm clients build a sustainable cyber security capability. PREPARE RESPOND THREAT INTELLIGENCE PROTECT DETECT KPMG s Cyber Security Services bring together specialists in information protection and business continuity, risk management, privacy, organisational design, behavioural change, incidence response and intelligence management. These combined skills are utilised to tailor a strategy relevant to the clients risk appetite and the cyber threats their organisation faces. KPMG member firms are: Global Through our member firm network, KPMG employs over 155,000 professionals in 155 countries. We have deep expertise wherever you operate. Award-winning KPMG Forensic ASPAC won the ACQ 2014 global award for full service forensic advisory of the year. In addition, KPMG Australia s Information Protection and Business Resilience (IPBR) practice won RSA Specialist Partner of the year for 2014. KPMG s Information Security consulting services capability was named a Leader in the Forrester Research, Inc. report, The Forrester Wave : Information Security Consulting Services, Q1 2013. Of the 10 firms evaluated for this report, KPMG was specifically recognised for its drive to take on the toughest consultancy tasks, often taking over from other firms. Committed to you Relationships with member firm clients are built on mutual trust and long-term commitment to providing effective and efficient solutions. KPMG practitioners are dedicated to providing a service that is second to none. CYBER TRANSFORMATION

Contact us For information on KPMG s services, our cyber security model or to discuss the content of this article further please contact: Mark Tims Partner, Technology Risk & Assurance KPMG Australia E: mtims@kpmg.com.au T: +61 412 254 142 Gary Gill Partner in Charge, Forensic KPMG Australia E: ggill@kpmg.com.au T: +61 423 771 909 Pieter van der Merwe Director, Technology Risk & Assurance KPMG Australia E: pvdmerwe@kpmg.com.au T: +61 403 299 043 Stan Gallo Director, Forensic KPMG Australia E: sgallo@kpmg.com.au T: +61 414 507 724 Visit us at: kpmg.com/au/cybersecurity The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including, if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise). 2015 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation. January 2015. NSWN12537ADV.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information