Intelligence-Led Security Develop a Concrete Plan A CYVEILLANCE WHITE PAPER | JANUARY 2015


Intelligence-Led Security: Developing a Concrete Plan

© 2015 Cyveillance

Table of Contents

Executive Summary
The Cyber Threat Landscape: Why a New Approach Is Required
The Need For Intelligence-Led Security
Defining the Intelligence in “Intelligence-Led Security”
From Concept to Action: Concrete Steps to Move Toward Intelligence-Led Cyber Security
    Step 1: Justify the Need
    Step 2: Define the Basic Architecture
    Step 3: Evaluate the Options
    Step 4: Build Your Spend Plan and Outline Your Budget Requests
    Step 5: Find Your “Watchdogs”
Conclusions

Executive Summary

Protecting a business – including its information and intellectual property, physical infrastructure, employees, and reputation – has become increasingly difficult. Online threats come from all sides: internal leaks and external adversaries; domestic hacktivists and overseas cybercrime syndicates; targeted threats and mass attacks. And these threats run the gamut from targeted to indiscriminate to entirely accidental.

Among thought leaders and advanced organizations, the consensus is now clear. Defensive security measures – antivirus software, firewalls, and other technical controls – and post-attack mitigation strategies are no longer sufficient. To adequately protect company assets and ensure business continuity, organizations must be more proactive. But on a practical level, how can they do that?

Being proactive means organizations must increase their awareness of, and preparation for, potential attacks. They must also improve their understanding of their adversaries in order to better prepare for attacks, envision how they are likely to manifest themselves, and be prepared to respond appropriately.

Increasingly, this proactive stance is being summarized by the phrase “Intelligence-Led Security”: the use of data to gain insight into what can happen, who is likely to be involved, how they are likely to attack and, if possible, to predict when attacks are likely to come.

As with many security trends and frameworks, the early stages of adoption often involve inconsistent definitions, challenges with justification and management communication, and an unknown path to implementation.

In this white paper, we:

• Review the current threatscape and why it requires this new approach
• Offer a clarifying definition of what cyber threat intelligence is
• Describe how to communicate its value to the business, and
• Lay out some concrete initial steps toward implementing Intelligence-Led Security

SECTION 01: The Cyber Threat Landscape: Why a New Approach Is Required

There are three significant, and expanding, concerns which are driving the need for a new approach to security: External Actors, Internal Leaks, and Links between Cyber and Physical Security. We call these out as individual issues, but as we will see, they are in fact closely linked, which furthers the need for security powered by intelligence.

External Actors

Data security has been a concern for decades. But today, security threats are more pervasive, sophisticated, and damaging. Furthermore, with a torrent of information flowing between data centers, business applications, mobile devices, and online networks, protecting data assets is more complex and difficult than ever before.

In addition, the Internet and social media have provided all sorts of external actors, from hackers and thieves to scam artists, activists and corporate gadflies, a free, global, powerful and easy-to-use set of tools for all manner of mischief, disruption and destruction, often with little or no technical skills required.

This means that the environment external to the corporate network is the origin of more threats, adversaries and actors than in the past. More and more of the risks exist beyond the edge of the network, out in the wild. Controlling these actors, systems and forces beyond the perimeter is impossible, so awareness and monitoring of them is more vital than ever.

Top security experts regularly advise their customers to consider network breaches as inevitable, to treat them as no longer a matter of “if” but “when,” and plan accordingly. Yet many organizations don’t know an attack has occurred until it’s too late. Some never spot it at all.

Internal Leaks

In addition to inbound threats such as malware, outbound information leaks pose serious challenges and risks for corporations. Employees disclosing seemingly innocuous business or technical details – either intentionally or unintentionally – across a wide variety of online venues can provide potential attackers with enough information to identify and exploit vulnerabilities.

These leaks often include:

• Statements related to the security of customer data
• Technical discussions or network data posted by employees
• Confidential or proprietary company information
• Posts involving internal login details or vulnerability disclosures

There have also been several high-profile cases of ideologically-motivated attacks against corporations involving the disclosure of internal communications and client data. With the rise of “hacktivism,” entire industries have been targeted for a wide range of alleged offenses.

Additionally, growing economic development and Internet connectivity in emerging markets present the new challenge of identifying information security risks in a wide variety of foreign languages.

The Evolving “Threatscape”

Viruses, Trojan horses, spyware, phishing software, and other malware are commonplace. Distributed denial-of-service (DDoS) attacks can quickly take a corporate network down and grind business productivity to a halt. And advanced persistent threats (APTs) can slowly leak sensitive information without being detected. Email is no longer the sole entry point for these types of malware, as they can now gain access to corporate infrastructures via websites, social networks, online ads, and mobile applications.

In fact, network breaches are no longer a matter of “if,” but “when.” Many organizations don’t know an attack has occurred until it’s too late. Others never spot it at all.

[Figure: threat categories – Social Engineering, Insider Threats, Hijacking, Phishing, Spoofing, Sniffing, Trojans, Mapping, DDoS, APT]

Links Between Cyber and Physical Security

Increasingly, cyber criminals are deploying multi-tiered attacks and creating smokescreens to disguise their true intentions. DDoS attacks, most often launched out of ideological differences or anti-corporate sentiment, are also being used as diversions to tie up IT resources while money is stolen or cash is withdrawn en masse from ATMs. In other instances, experts have expressed concerns about media and mobile tools being leveraged to stir up disruptions to provide cover for retail theft and looting [1].

There is clear evidence that links between digital and physical security risks are increasing, particularly among hacktivist and activist coalitions that align technically skilled adversaries and physical disruptions. These have targeted everyone from the largest institutions [2] to single individuals [3]. Flashmobs, protests and boycotts, distribution of counterfeit and gray market products, and targeted attacks on physical assets and even individual executives [4] can pose severe risks to business continuity, brand reputation, and revenue streams.

Distributed denial-of-service (DDoS) attacks are not just perpetrated to affect company operations and reputations or to enable activists to conduct cyber protests; they can also be used to cover up fraud or the theft of intellectual property.

[1] http://www.dailymail.co.uk/news/article-2023924/London-riots-2011-BlackBerry-Messenger-shut-unbelievable.html
[2] https://www.adbusters.org/blogs/adbusters-blog/anonymous-joins-occupywallstreet.html
[3] http://www.theverge.com/2013/3/15/4109568/cyber-blogger-brian-krebs-ddos-attack-police-raid
[4] http://www.motherjones.com/mojo/2010/05/main-street-battles-wall-street-seiu-npa-gregory-baer-peter-scher-jpmorgan-chase-bank-of-america

SECTION 02: The Need for Intelligence-Led Security

With these changes in the threat landscape, the challenges and adversaries’ tactics are evolving rapidly, and security methodologies must evolve as well. Reactive security strategies focused on technical controls and post-attack mitigation must become much more proactive. Threats and vulnerabilities must be known before they reach a company’s doorstep, before they have breached the corporate network, and before they have an opportunity to do harm.

In an era of advanced threats, awareness is the utmost security measure. Awareness of potential or imminent threats can enable improved preparation, and improved preparation can lead to more effective mitigation and prevention tactics.

Fortunately, many outside threats, actors and methods can be detected and studied in advance through Internet monitoring and intelligence analytics. Thousands of online sources can provide forewarning and insight about threats and vulnerabilities, including:

• Open source intelligence (OSINT)
• Social media
• Search engines
• Blogs and user-generated content
• News accounts and case studies about attacks against other organizations
• User groups
• Chat rooms
• Activist forums

These sources can be monitored and analyzed to anticipate and understand potential threats and impending attacks.

SECTION 03: Defining the Intelligence in “Intelligence-Led Security”

There’s an old saying that a problem well defined is half solved. Unfortunately for both security professionals who believe in Intelligence-Led Security and the vendors who seek to support them, “Intelligence-Led Security” often suffers from the same sort of ill-defined overuse as “Big Data”. Everyone talks about it, most are fairly sure they need some of it, and very few people can tell you what it actually means. So for clarity, we define it this way:

Intelligence-Led Security is the collection, aggregation, correlation and analysis of both internal and external data to understand risks, identify threat actors, discover and minimize attacks or losses already underway, and understand and predict the methods and actions of likely adversaries.

If the goal of Intelligence-Led Security is to become more proactive, the definition must encompass the activities that make becoming proactive possible.

SECTION 04: From Concept To Action: Concrete Steps to Move Toward Intelligence-Led Cyber Security

So with these changes in the landscape, and the broad availability of external intelligence to correlate and synthesize with internal data, there is a clear argument for incorporating threat intelligence into security planning and operations. The question then becomes whether this is the right approach for your organization, and (just as importantly) if it is, how can you proceed?

In other words, if this prescription is right – and as one of the pioneers in cyber intelligence we believe this approach is both correct and achievable – the question then becomes the actual steps required to do it. The rest of this paper provides concrete guidance on some initial steps to take, why they are necessary, and how to communicate the need, and value, of intelligence-led security to company management.

The steps:

1. Justify the Need
2. Define a Basic Architecture
3. Evaluate the Options
4. Build Your Spend Plan
5. Find Your “Watchdogs”

Step 1: Justify the Need – What Problem Are We Solving for The Business?

It’s axiomatic that in business, nothing happens without money. As the cyber threat landscape has expanded, the threats have multiplied, and the actors have become more numerous and more technically sophisticated, security professionals have faced a dramatic expansion of the challenges with which they are expected to deal, but are often hamstrung by the accelerating gap between what they are expected to contend with and the resources they have to work with.

This is often the result of a failure to clearly connect the security team’s mission, and the risks they are trying to address, to the broader business. This inability to translate security-speak into business-speak hampers the likelihood of successfully being able to explain, justify and garner support. While many security professionals know and understand their own mission very well, they are often challenged by a lack of management support, buy-in, budget and other internal hurdles to properly protect, or get the resources to protect, the enterprise.

In one of the classic definitions of risk – Vulnerability x Likelihood x Impact – it is the first two components that are often closest to the security professional, but the impact element that resonates most with upper management. Translating security needs, budget requests and justifications into the language of business and its key metrics – profit, loss, customer churn, competitive advantage – is a critical next step to garnering the management support for this type of undertaking.

If nothing happens without money, then we cannot ignore the need to effectively make the case for those resources – and to do that requires communicating the risks, and impacts, to those who hold the purse strings in their own language. Another factor that must be considered is the organizational tolerance for risk. Because this varies widely, it is critical to reach agreement on what constitutes an “acceptable level of risk.”

One in-depth study on this subject, the Live Threat Intelligence Impact Report 2013, published by the Ponemon Institute, focused on the hard-to-generate metrics critical to translating security risks into the language of business.

Demonstrating the Impact: A Case Study in Advanced Persistent Threats

Long-term undetected and unresolved advanced persistent threats (APTs) can result in major financial and intellectual property (IP) losses. In some cases, the loss of IP can result in the loss of business differentiators as well. A major Canadian telecommunications company’s former senior systems security adviser was quoted as saying that he had no doubt that extensive cyber attacks on the company contributed to its downfall. He believed that infiltration by alleged “foreign actors” led to the company’s subsequent failure and bankruptcy.

Source: http://www.cbc.ca/news/business/nortel-collapse-linked-to-chinese-hackers-1.1260591

The report revealed the staggering costs associated with cyber attacks. These costs are hard to calculate and are often not budgeted for due to the lack of public and industry sharing of cyber attack cost data. Some of the findings from the survey, which generated 708 respondents from 378 enterprises, were that:

• $10M (past 12 months): The average amount spent in the past 12 months to resolve the impact of exploits is $10 million.
• $4M (40 percent): Having actionable intelligence about cyber attacks within 60 seconds of a compromise could reduce this cost on average by $4 million annually (40 percent).
• 60%: 60 percent said their enterprise was unable to stop exploits because of outdated or insufficient threat intelligence.
• 57%: 57 percent say the intelligence currently available to their enterprise is often too stale to enable them to grasp and understand the strategies, motivations, tactics, and location of attackers.

However, once a company does invest in a sophisticated cyber threat intelligence solution, there are considerable savings. Typically the impetus to establish cyber security centers comes from security executives who transfer from traditionally-targeted industries and know how to present the need to increase security budgets to the CEO or the board in a way that they can understand.

Organizations also need to understand the threat actors and their “modus operandi.” This threat actor mapping can help identify the types of exploits and motivations used in cyber campaigns against their industry, competitors, and company.

Finally, the survey responses show just how important it is to have monitoring in place to ensure that organizations are aware of changes in the open source ecosystem, and support the “why” of building out an intelligence-led approach to security. Changes in activity and noise can be early warning signs of things to come. These are not always well defined and require that companies employ a listening campaign to help pick up on hints. Once an event occurs, experienced cyber security analysts can use these resources to continue to monitor the situation and be more aware of the next hint of an attack before it occurs.

Step 2: Define a Basic Architecture

It is easy to get caught up in the tactical details of specific solutions, but increasingly we see the most targeted, and often the most forward-thinking organizations, taking the time to step back and clearly define a broader vision for real Intelligence-Led Security. That means a holistic approach and cohesive architecture, rather than a stitched-together patchwork of tactical solutions.

In the most sophisticated manifestations, this reveals itself in a holistic, dedicated “Fusion Center,” “Cyber SOC,” or other complex, integrated environment for the gathering and analysis of data in line with our definition in Step 1 above.

Here are just a few of the questions that go into defining such an architecture and holistic approach:

1. What internal data do I want to aggregate and store?
2. What external threat intelligence (threat and vulnerability feeds, open source intelligence, social media monitoring, etc.) do I want to bring in and correlate with my internal information?
3. How long do I want to store this data?
4. How much data does that imply, and what infrastructure will I need to store and access it in a timely and cost-effective manner?
5. What types of reports, outputs, data and deliverables should these systems and analysts be expected to produce?

This is just a sample of the things to be considered, and they are true regardless of the size of the enterprise or the scope of the threats it faces. We have seen every manifestation of this philosophy, from the tiny credit union with its MS Access database, to major global banks running Splunk, Palantir or other visualization packages on Solr, Elasticsearch or Hadoop clusters of massive proportions. The implementation is unique to each case, but the objective – by our definition – is the same: to gather, correlate and leverage the data to better understand, prepare for, and mitigate the risks.

Step 3: Evaluate the Options

With a clear definition of the mission, a business justification for its execution, and the high-level architecture for the systems, people and activities required, now it makes sense to look at the endless list of tactical choices you will need to make. Here again, a simple sampling of the questions it is now appropriate to tackle, given that you have a framework to put them in:

What are the primary activities we need to be concerned about?
Insider-threat investigations? External hacking? Physical security risks to far-flung operations or high-profile executives? Loss of intellectual property? All of the above? Your priorities will dictate everything from what tools get the budget and attention to which skillsets you seek to recruit.

Do we already have tools in place that are extensible to this new mission?
There are sometimes significant benefits in learning curves, licensing costs and implementation if you have dashboards, databases, software packages and staff whose current use can be extended to a new mission versus starting from a clean slate.

Define evaluation criteria.
Conversely, if new tools or skillsets are required, those should be considered, too. Many vendors will seek to offer tools, systems and solutions. Before worrying about who to call or which to choose, be clear on the objectives you seek to meet so that you can prepare the appropriate measures of performance and compare apples to apples.

Step 4: Build Your Spend Plan and Outline Your Budget Requests

With a stated definition, a business justification, a reasonably detailed framework and some good data on what kind of staff, tools, feeds and other costs the transition will require, you are now in a position to make your case to management. To be sure, there are many operational and tactical steps to implementing Intelligence-Led Security, but the truth is, you must also be prepared to secure the manpower, systems and budgets to execute these steps effectively.

The industry agrees that Intelligence-Led Security is increasingly vital. Protecting the enterprise requires, more than ever, a proactive stance and the development of information, not just data, about the risks we face, the actors responsible, the motivations and tactics of our adversaries, and insight into when and how attacks will come. But to unlock the powerful potential of this Intelligence-Led approach, many steps must be taken, and in the right order.

While this may sound like a daunting task, it can be made much more manageable by taking a pragmatic approach. Define the mission; justify it on a clear business (not parochial or departmental) basis; lay out a well-considered framework; estimate the resources and tools you’ll need; and then build and present your case. If it’s true that nothing happens in business without money, it’s also true that those resources are most likely to come from a well-defined mission, justification, and plan.

More than ever, protecting the enterprise requires a proactive stance and the development of information, not just data.

Step 5: Find Your “Watchdogs”

While tools, data analytics and software are vital to dealing with the scale of information involved, skilled cyber security analysts are still the final critical element for organizations moving to proactive, intelligence-led security. These analysts act as “watchdogs” for large and medium enterprises, conducting both broad (global) and deep (threat-specific) monitoring and analyses. In doing so, they provide an early warning system for their clients, offering advance awareness, detailed intelligence, and actionable recommendations surrounding risks, information leaks, and potential attacks.

With the help of cyber security analysts, organizations can increase their awareness of possible threats, proactively address network and infrastructure vulnerabilities, and better protect:

• Intellectual property
• Information assets
• Physical assets
• Customers
• Executives
• Employees
• Revenue streams
• Brand reputation

Conclusions

In an era of pervasive and sophisticated threats – internal and external, domestic and international – companies can no longer wait for something to go wrong before they respond. They must shift from reactive mitigation to proactive awareness and preparation.

Intelligence monitoring and analyses that are both broad (global) and deep (threat-specific) are the keys to this shift. While few companies have the resources or expertise to do this on their own, cyber security analysts can provide an early warning system of vulnerabilities, information leaks, and possible threats. By scouring the growing cache of open source and online intelligence, these cyber security “watchdogs” help organizations better protect critical information, physical and human assets, brand reputation, and revenue streams.

While your network may be secure, do you have visibility beyond the perimeter? Security is no longer about what you can see. What you can’t see is where the true threats hide.

Cyveillance offers an easy-to-use platform that provides security professionals the ability to see beyond the perimeter. Our solutions identify cyber and physical threats and risks across the globe, allowing you to mitigate and eliminate them before they disrupt your business.

We go beyond data to provide the threat intelligence that you need to achieve your organization’s business goals. Contact us today to learn more and get a free trial.

Using security intelligence technology can save companies up to $2.6 million when compared to companies not using security intelligence technologies. Source: “2014 Global Report on the Cost of Cyber Crime.” Ponemon Institute; HP. 3 Dec. 2014. http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report

A study by Verizon has shown that the targets of 85 percent of attacks are small businesses with less than 1,000 employees. Source: Verizon, “2012 Data Breach Investigations Report,” http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf

Cyber Threat Center
www.cyveillance.com/cyberthreatcenter

11091 Sunset Hills Road, Suite 210, Reston, Virginia 20190
888.243.0097 | 703.351.1000
www.cyveillance.com

Copyright © 2015 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.

Cyveillance is the leading provider of cyber threat intelligence, enabling organizations to protect their information, infrastructure, and employees from physical and online threats found outside the network perimeter. Founded in 1997, Cyveillance delivers an intelligence-led approach to security through continuous, comprehensive monitoring of millions of online data sources, along with sophisticated technical and human analysis. The Cyveillance Cyber Threat Center, a cloud-based platform, combines web search, social media monitoring, underground channel information, and global intelligence with investigative tools and databases of threat actors, domain names and IP data, phishing activity, and malware. Cyveillance serves the Global 2000 and the majority of the Fortune 50 – as well as global leaders in finance, technology, and energy – along with data partners and resellers. For more information, visit www.cyveillance.com.

Cyveillance is a wholly-owned subsidiary of QinetiQ, a FTSE250 company which uses its domain knowledge to provide technical support and know-how to customers in the global aerospace, defense and security markets. For more information, visit www.qinetiq.com.