MISSION-ESSENTIAL INTELLIGENCE AND CYBER SOLUTIONS




Presentation to the Cyber Security & Critical Infrastructure Protection Symposium, March 20, 2013
PREPARED REMARKS
BARBARA ALEXANDER, DIRECTOR OF CYBER INTELLIGENCE, TASC INFRASTRUCTURE PROTECTION AND SECURITY GROUP
TASC WHITE PAPER, 4801 Stonecroft Boulevard, Chantilly, VA 20151, 703 633 8300, TASC.COM

Thank you very much for the invitation to speak to you today. This is an august, indeed a bit intimidating, group of cyber professionals. I find that when I am in the presence of engineers and scientists I want to wear one of those T-shirts with a complicated equation that states, "This is why I majored in English," or in my case, political science. I spent my career as an intelligence officer and have come to the cyber world not as a network defender or solution developer, but as someone who seeks to support those on the front lines of cybersecurity with actionable, responsive information.

I'm also honored to be here with some of the premier thought leaders working across the many aspects of cybersecurity today. The speakers who have already presented have been insightful and raised critical challenges that we face across government, industry, the private sector and the public. The breadth of backgrounds and perspectives represented here illustrates the scope of the problem. Go to any symposium and ask what cyber includes and whose responsibility it is - and you are likely to get the answer, "Yes." Yes, it is a federal issue. Yes, it is a state and local issue. Yes, it is an intelligence issue. Yes, it is a defense issue. Yes, it is a commercial issue. Yes, it impacts business decisions. Yes, it impacts IT operations. Yes, it is a policy matter. Yes, it has legal repercussions. Yes, it affects foreign policy. Yes, it involves the global supply chain. Yes, it is an education and training matter. Yes, it requires a public-private sector partnership. The fact is this domain touches every one of these areas - and only an interdisciplinary, holistic approach and a focus on prevention will provide secure and resilient cybersecurity.

There is widespread agreement that the threat is real, and that there are a variety of actors: nation states, organized crime, insiders, hacktivists, terrorists and even mischief makers. There is agreement that the theft of intellectual property and trade secrets as a result of cyber attacks is in the hundreds of billions of dollars. General Keith Alexander, director of the NSA, has called this theft the greatest transfer of wealth in history. Shawn Henry, former executive assistant director of the FBI, once called the cyber threat an existential one, meaning that "a major cyber attack could potentially wipe out whole companies. It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately even kill people."

I think it's time we agree that our response must be multi-faceted - a collaboration between network defenders and system engineers, intelligence specialists and law enforcement, policymakers and lawyers, people in government and people in private industry. To be successful we must bring all of our insight and expertise into the fold. Do you remember the Rubik's cube? The cyber domain is like a Rubik's cube: all aspects must be worked together. Change one and the effect impacts others, sometimes with unintended consequences.

For many years, network defenders focused on keeping intruders out and attacks at bay. They wanted to catch-and-patch and didn't really care about who was attacking the system or if there was a pattern in the attacks. The trouble with this approach as a standalone solution is that it's reactive. A signature-based system will only stay ahead until the next version of malware surfaces.
It is a never-ending, reactive cycle that is vitally important and, at the same time, painfully limiting. I think this is changing and there is more awareness that it's not enough to stop the attack at the door. But where the catch-and-patch approach still exists, it's important to move beyond reaction. We must push the boundaries of protection beyond responding and recovering by adopting a multifaceted, layered defense - which is where cyber-intel comes into the picture. Intelligence is helping with the prevent and protect side of the Rubik's cube. If through solid and responsive threat intelligence we can effectively push the border of cyber defense out, away from our networks, the network defenders have more time and better opportunity to secure the cyber domain.

Intelligence helps in four distinct ways.

1. Intelligence provides context. When I was at DHS, one of my cyber intelligence experts spoke to a gathering of CIKR sector folks who are heavily dependent on SCADA systems. He explained to them why a particular nation state was attempting to get into their networks: it wasn't to shut them down, it was to learn about the specific methods the United States uses to produce that form of energy, because they were developing similar ones. We know, of course, that theft of intellectual property is a huge component of the cyber threat. But his explanation to the audience was more than just the "what" of the attack; it was the background and the economic explanation of the "why." The information he gave them had little to do with cyber methods and everything to do with a broad understanding of the perpetrator and the target. My TASC CISO reminded me of how he uses information like this: understanding the context allows him to act on the intelligence by saying, "I need to look for these guys where I store my engineering documents, not my control centers." Context allows him to better defend the networks by focusing on what the attackers look for. The point is that enemy intent is as important as enemy capability. Intelligence analysts looking at trends of attacks by the collective Anonymous, for example, concluded that DDoS attacks generally followed media reports about actions that the group disagreed with. Knowing the pattern of behavior enabled preventive action.

2. Intelligence provides indications and warnings. Sometimes a network defender's best defense is to allow an actor to remain in a network to see the pattern of behavior. And warning is important across networks: if activity is occurring on a military network, for example, it could also be occurring on a corporate network, and vice versa. We need government and industry to share information with each other. Hold this idea; I'm going to come back to it in a minute.

3. Intelligence provides a more complete picture: full situational awareness, if you will.
An intelligence analyst uses all sources of information: the traditional INTs (HUMINT, GEOINT, SIGINT, MASINT, and OSINT, or open source), as well as data sources from IDS, or information gathered during law enforcement investigations. There is a danger of approaching cybersecurity with a single-source mentality. Often, intel analysts hear from the private sector or operators, "Let me see the raw intel and I will be able to defend my networks better." The problem is that raw intel is just that: unevaluated, unexamined. Take for example the purported hack of an Illinois water system in 2011. Raw, unconfirmed data that was leaked to the media indicated the system was hacked by actors in Russia. In fact, after a detailed intelligence analysis, DHS and the FBI concluded that there was no malicious or unauthorized traffic from Russia or any other foreign location; instead, an authorized employee logged onto the system while vacationing abroad. Use of a single source of data had led to the wrong conclusion. But you have to remember that intelligence isn't always fast or perfect. As we move into the cyber domain as a whole, it is essential that we understand the adversary's planning process. This is what the military calls the intelligence preparation of the battlefield. For the cyber threat, preparation involves the threat actors collecting information, developing a strategy, ensuring the capability, all before executing it. Intercepting the elements of this planning process is an area where intelligence plays an important role, but it takes time to gather accurate, actionable information.

4. Intelligence provides the information that allows better decisions. Decisions on cybersecurity are rarely made by the CISO or network defenders. They're made in the board room by the CEO and the business lines. Intelligence helps inform those decisions by enabling understanding of the threat, and helping to develop a comprehensive risk assessment. Vulnerability alone doesn't make the business case, but articulating the threat in a holistic manner (threats to the global supply chain, threats from insider attacks, threats from actors performing industrial espionage, and threats from actors probing for weaknesses as part of operational planning) allows better decisions about resource allocation and risk analysis. In other words, intelligence helps reduce uncertainty for the decision maker. Together, the CIO, CTO, CISO and intelligence professionals make the case to the decision maker.

For intelligence professionals to deliver mission-essential information, the network defenders need to provide crisp requirements. We don't always know what the user needs. In the DHS Office of Intelligence and Analysis, we developed a comprehensive list of Standing Information Needs. When we first went to our customers back in 2004 or 2005, we asked, "What intelligence information do you need to do your mission?" We got the response, "I don't know, whaddya got?" To be effective, in the realm of cybersecurity or any domain, intelligence needs to know the specific requirements from the beneficiaries of that intelligence. For example:

Requirements: What cyber data are anomalous? Where do they come from? What specific questions do you need answered? And in what timelines?
This should be an iterative discussion between the intelligence providers and the users.

Data: The relationship between the network operators and defenders and the intelligence providers is a symbiotic one. Intelligence analysts take data from operational sensors and logs and fuse them with all-source intelligence information to arrive at a comprehensive threat analysis, and provide information about trends, tactics, techniques and procedures back to the customer. That information in turn informs the IDS, which provide data back.

Common understanding: A dialogue with network defenders to understand what is possible and what is not possible; to understand the legal requirements and restrictions with regard to the protection of privacy; to understand the difference between law enforcement activities and intelligence; and to understand what is doable in a short timeframe versus what can be accomplished in a longer term. Additionally, the users have to be willing to accept the intelligence information without visibility into protected sources and methods. This willingness, especially when we talk about government and private sector relationships, develops as trust increases.

All this leads me back to the concept of information sharing. The new executive order on cybersecurity and the accompanying presidential policy directive on critical infrastructure security and resilience recognize that both the public and private sectors hold complementary information that must be made available in both directions if we are to truly secure our cyberspace. Under the order, federal agencies are required to produce unclassified reports of threats to relevant U.S. companies in a timely manner. The challenge here is not so much sharing the data, but rather sharing it in a way that makes connections; intelligence personnel are trained to meet this challenge, provided that they know what the operators need and that they can deliver actionable and tailored information. There have already been some successes in this area: the DIB pilot and the FS-ISAC have demonstrated sharing relationships which, while not perfect, are examples of what we can look toward. The intel community needs to become more transparent and provide the necessary information in a way that is timely, useful and actionable without revealing their sources and methods. Speaking from experience, I can say we often speak to ourselves, rather than getting information about the threat to the user. Hopefully the dialogue sparked by the new EO and, ultimately, by legislation, will facilitate this sharing of essential information.

There's an important point to make here. In the changing world of cyber intelligence, we have to recognize that our approaches can be impractical. In the intelligence world, a study can take months to get through the review and publication process. By the time a report reaches the operator, the information is useless. We have to quickly assess what information is operational, get it out and get it out fast.
US-CERT bulletins are a good example of operational reports that need to be shared widely and quickly. There are other policy questions as well that must be answered: what triggers a move from DEFCON3 to DEFCON1? When does corporate espionage or even the theft of intellectual property merit a counterattack? Our government leaders need to define the policies and protocols for monitoring, assessment and appropriate response. But policy and doctrine aren't the missions of the intelligence officer, so I just leave these as questions the cybersecurity community, all parts of it, needs to address.

Our shared goal is quite clear: provide a policy platform and operational structure that ensures robust and resilient cybersecurity for government and industry. Our digital infrastructure is a national strategic asset, and its protection is a national security priority. With a more holistic and collaborative approach that integrates a complete picture of the cyber-scape from focused and tailored intelligence with the catching and patching of network defenders, we can push the cyber border further out from our networks and do more to prevent attacks, rather than focus primarily on response, mitigation and recovery. In the dynamic cyber environment, success does require incredibly sophisticated technical savvy - those complicated equations on that T-shirt that I don't understand. But success also requires that we apply the insight and expertise of a broad spectrum of stakeholders. Only by working in strong partnership across the intelligence community, network defenders and government and corporate leaders will we keep our cyber enemies at bay. Thank you.

About TASC

Founded in 1966, TASC, Inc., helps solve complex national security and public safety challenges by providing advanced systems engineering, integration and decision-support services to the Intelligence Community, Department of Defense and civilian agencies of the federal government. With about 5,000 employees in 40 locations, TASC generates more than $1.5 billion in annual revenue. For more information and career opportunities, visit our website, www.tasc.com.