Getting Ahead of Advanced Threats: Achieving Intelligence-driven Information Security

Uploaded on

The Council’s new report lays out a six-step roadmap to achieving intelligence-driven information security: …

The Council’s new report lays out a six-step roadmap to achieving intelligence-driven information security:

• Step 1: Start with the Basics
Inventory strategic assets, strengthen incident-response processes and perform comprehensive risk assessments.
• Step 2. Make the Case
Communicate the benefits of an intelligence-driven security program to executive management and key stakeholders. Identifying “quick wins” to prove value out of the gate is essential for gaining broad organizational support, including funding.
• Step 3. Find the Right People
Look for professionals who can blend technical security acumen with analytical thinking and relationship-building skills.
• Step 4. Build Sources
Determine what data from external or internal sources would help detect, predict or lessen the chances for a targeted attack; evaluate sources on an ongoing basis.
• Step 5: Define a Process
Codify a standardized methodology to produce actionable intelligence, ensure an appropriate and timely response and develop attack countermeasures.
• Step 6: Implement Automation
Find opportunities to automate the analysis and management of large volumes of data from multiple sources.

More in: Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Report based on discussions with theSecurity for Business Innovation Council An industry initiative sponsored by RSAt GettinG AheAd ofABN AmroDr. Martijn Dekker ,Senior Vice President, ChiefInformation Security Officer AdvAnced threAtsADP INc.rolanD Cloutier ,VicePresident, Chief Security OfficerAIrtelFelix Mohan , Senior VicePresident and Chief Information Achieving Intelligence-Driven Information SecuritySecurity Officerthe cocA-colA comPANyrenee guttMann , ChiefInformation Security OfficercSo coNfIDeNtIAl recommendAtions from GlobAl 1000 executivesProFessor Paul Dorey ,Founder and Director; FormerChief Information SecurityOfficer, BPeBAyDave Cullinane , ChiefInformation Security Officer andVice President, Global Fraud,Risk & SecurityemcDave Martin , Chief SecurityOfficerGeNzymeDaviD kent ,Vice President,Global Risk and BusinessResourceshDfc BANkvishal salvi , ChiefInformation Security Officer andSenior Vice PresidenthSBc holDINGS plcROBERT RODGER, Group Head ofInfrastructure SecurityJohNSoN & JohNSoNMarene n. allison ,Worldwide Vice President ofInformation SecurityJPmorGAN chASeanish BhiMani , ChiefInformation Risk OfficerNokIAPetri kuivala , ChiefInformation Security OfficerNorthroP GrummANtiM Mcknight , VicePresident and Chief InformationSecurity OfficerSAP AGralPh saloMon , VicePresident, IT Security & RiskOffice, Global ITt-moBIle uSAwilliaM Boni , Corporate insiDe this rePort:Information Security Officer(CISO), VP Enterprise InformationSecurityWith guest contributor: Playbook for a key features of Practical tips for how to gain examples of Suggested jobwilliaM Pelgrin, President description new approach an intelligence maximizing the support and “quick-win”& CEO, Center for InternetSecurity; Chair, Multi-State to information program use of data from make the case opportunities for a cyber-riskInformation Sharing and security external and intelligenceAnalysis Center (MS-ISAC); and internal sources analystImmediate Past Chair, NationalCouncil of ISACs (NCI)
  • 2. * Contents highlights 1 1. introduction: the need to know 2 2. what do organizations need to know? 4 Charts 1-5: Categories of Cyber-Risk Data with Examples >>>>>>>>> 5 3. time for a new approach: intelligence-driven information security 10 4. roadmap to intelligence-driven information security 12 Step 1. Start with the Basics >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 12 Step 2. Make the Case >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 13 Chart 6: Examples of “Quick Win” Opportunities to Show Value 14 Step 3. Find the Right People >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 15 Job Description: Cyber-Risk Intelligence Analyst >>>>>>>>>>> 16 Step 4. Build Sources >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 16 Charts 7-11: Sources of Cyber-Risk Data >>>>>>>>>>>>>>>>>> 18 Step 5. Define a Process >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>20 Step 6. Implement Automation >>>>>>>>>>>>>>>>>>>>>>>>>>>> 22 5. no organization is an island: improving information sharing 24 Chart 12: Examples of Information-Sharing Initiatives >>>>>>> 24 conclusion 26 appendices 27 About the Security for Business Innovation Council Initiative >>>>> 27 Biographies of the Security for Business Innovation Council and Guest Contributor >>>>>>>>>>>>>>>>>>>>>>>>>>>> 28
  • 3. Report Highlightsin toDay’s threat • A process for efficient analysis, because it will be targeted atlandscape, organizations fusion, and management of countering the most significantworldwide face a growing cyber-risk data from multiple threats and protecting the mostnumber of sophisticated cyber sources to develop actionable strategic assets.adversaries. intelligence. this rePort ProviDes a six- • Practices to share useful threat“aDvanCeD threats” are step roadmap for achieving information such as attack in-increasingly targeting intelligence-driven information dicators with other organizations.corporations and governments order to conduct industrial • Informed risk decisions andespionage, undermine business defensive strategies based on the guiDanCe answersand financial operations, and/or comprehensive knowledge of the critical questions such as:sabotage infrastructure. threats and the organization’s • What are the basic requirements own security posture. for building an intelligencethe harD truth is Most capability?organizations don’t know enough the vision is to harness theabout the threats or their own power of information to prevent, • What does it take to developsecurity posture to defend detect, and ultimately predict broad organizational support andthemselves adequately against attacks. obtain funding?the rising tide of cyber attacks. the value ProPosition is • What is the skill set required of athe tiMe has CoMe when clear. By maximizing the cyber-risk intelligence team?successful defense requires use of available information, • What are the best sources ofevolving past conventional the organization can create data?approaches in information and implement more precisesecurity. defensive strategies against • How can an organization design evolving threats. Security a process that will consistentlya new aPProaCh is neeDeD. will not only improve but also produce actionable intelligenceCalled “intelligence-driven become more cost-effective and the right defensive strate-information security,” this gies?approach includes:• The consistent collection of Note oN the scope • What type of automation can help create efficiencies for han- reliable cyber-risk data from a of this report: dling large volumes of data? range of government, industry, commercial, and internal sources this rePort is focused on the to gain a more complete under- a CritiCal asPeCt oF collection and analysis of standing of risks and exposures. cyber-risk data. However, many achieving intelligence-driven organizations’ intelligence pro- information security is sharing• Ongoing research on prospec- grams may include a broader cyber-risk data with other tive cyber adversaries to develop set of data. For example, they organizations. But there are knowledge of attack motivations, may include physical-security many significant challenges to favored techniques, and known data (building access, travel), creating information-sharing activities. manufacturing supply chain mechanisms. risks (availability, delivery),• The growth of new skills within and/or data on competitors (financials, product develop- Fortunately, there is a the information team focused on the production of intelligence. ments). Although the scope growing number of industry of this report is cyber-risk and government-led initiatives intelligence, the goal for some as well as public/private• Full visibility into actual condi- organizations’ intelligence tions within IT environments, in- partnerships that are working programs is to build a complete cluding insight that can identify picture of operational risks. to enable large-scale data normal versus abnormal system exchange. and end-user behavior. RSA, The Security Division of EMC | security for business innovAtion council report |1
  • 4. 1 Introduction: The Need to KnowC orporations and governments worldwide are own security posture to defend themselves adequately. For example, increasingly targeted by they can’t see signs of cyber adversaries with an attack because they a range of goals from haven’t sufficiently political activism and analyzed data on the sabotage to intellectual- latest attack techniques. property theft and They can’t identify financial gain. As cyber malicious activity attacks intensify and because they haven’t tactics rapidly evolve, developed baselines for organizations could find normal activity. the escalating threat Today’s dedicated landscape overwhelming adversaries have their abilities to manage the means to evade the risks. commonly used defenses The hard truth is such as signature-based most organizations don’t detection. In the era know enough about of advanced threats, the threats or their greater situational awareness is essential relevant, make risk to detect and mitigate decisions, and take cyber attacks effectively. defensive action. Organizations need to Intelligence obtain the latest data gathering and analysis on threats, relate that to have become essential real-time insights into capabilities for a their dynamic IT and successful information- business environments, security program, yet determine what’s most enterprise IT2| security for business innovAtion council report | RSA, The Security Division of EMC
  • 5. Cyber-risk intelligence is table stakes in 21st-century commerce. If you want Internet access to a global array of customers and suppliers, then you have to invest in developing the intelligence capabilities to defend against global threats. williaM Boni, Corporate Information Security Officer (CISO), VP Enterprise Information Security, T-Mobile USA are many external comprehensive approach sources of threat data to defense. This report available, such as provides a playbook for government channels, creating a new approach industry associations, based on building and commercial data an organizational feeds. However, most competency in cyber- organizations are not risk intelligence and fully utilizing these fully leveraging data sources. In addition, in from internal and order to maximize their external sources. value, many current Advanced threats information-sharing represent an escalating mechanisms would risk to business require increased innovation. This report participation. lays out a roadmap to This ninth report of achieving intelligence- the Security for Business driven information Innovation Council security in order to get (SBIC) features the ahead of the threats perspectives of top and protect critical security leaders from information assets. Global 1000 companies, as well as a guest contributor from thesecurity organizations organizations may have U.S. National Councilhave not been built access to the right data, of ISACs (NCI). Today’swith this objective in they may not be set up to threats are dynamicmind. In fact, many make use of it. Internal and increasing incyber adversaries data collection is often sophistication, requiringhave developed better tuned for compliance a fresh and moreintelligence capabilities reporting not cyber-than their targets. threat analysis. There While many RSA, The Security Division of EMC | security for business innovAtion council report |3
  • 6. 2 What Do Organizations Need to Know?O rganizations need to understand the cyber threats they face and their security posture against those threats. For this report, “cyber- to all organizations. Other types are unique to one organization, for example notification that it is being targeted by a particular group. risk intelligence” is defined as “knowledge about To understand the intelligence process, it is cyber adversaries and their methods combined with important to recognize the distinction between knowledge about an organization’s security posture “intelligence” and “data” or “information.” Data against those adversaries and their methods.” The received from various sources as described above goal is to produce “actionable intelligence,” which is is typically raw data that needs to be reviewed, knowledge that enables an organization to make risk analyzed, and put in context in order to develop decisions and take action. To gain that knowledge, intelligence which can then be used to make risk organizations must take input data and process it. In decisions. this report, the term for that input data is “cyber-risk Not all organizations will choose to collect all data” and is broadly defined as “data that is collected types of data from all sources. Some data may not and analyzed in order to prevent, detect, predict, and be considered useful or may not be cost-effective to defend against cyber attacks.” obtain. Other data may be deemed useful but not feasible to acquire yet, because an organization’s processes and/or technology for handling that particular type of data still need to be set up and integrated. Moreover, collecting more and more data is not the end goal. Having volumes of unanalyzed or unused data is of no value to an organization. Ultimately, for the data to be valuable, the organization must be able to apply it defensively, for immediate action in combatting a current or imminent cyber attack and/ or for informing defensive strategies. As discussed in subsequent sections of this report, the defensive application must be determined through analysis, including fusing the data with other relevant facts Sample code from the Ice IX Trojan which was derived from the leaked code and making a risk decision. of the prolific banker Trojan, ZeuS. Charts 1 to 5 present categories of cyber-risk data including examples of sources, formats, and potential defensive cyber-risk data applications. The charts reflect some typical Data used to produce intelligence is available examples of data formats that are used today. from a range of sources either external or internal However, it should be acknowledged that over time, to the organization. Open source is obtained for an intelligence program to be effective, many from publicly available sources such as websites, categories of data must become machine-readable. as opposed to data from classified sources such Currently, many organizations are heavily dependent as national-security agencies. It comes in many on highly skilled analysts to process, for example, formats, such as word-of-mouth, emails, news long lists of text. Instead, it would make sense to feeds, automated data streams, output of numerous automate the processing of basic data, freeing up the internal and external sensing platforms, and analysts’ time to do actual analyzing. custom research. Some types, such as a list of IP addresses on a watch list, are generally applicable4| security for business innovAtion council report | RSA, The Security Division of EMC
  • 7. Charts 1-5: Categories of Cyber-RiskData with ExamplesEach category answers a different question about the threats andan organization’s security posture against themAcronyms used in charts:CERT: Computer Emergency Response Team NVD: National Vulnerability DatabaseISAC: Information Sharing and Analysis Center SQL: Structured Query LanguageWARP: Warning, Advice, and Reporting Point SIEM: Security Information and Event ManagementMSSP: Managed Security Service Provider DLP: Data Loss PreventionDDoS: Dedicated Denial of Service GRC: Governance, Risk, and ComplianceChart 1 Input Data on Cyber Adversaries and their Methods – External Sources Potential Defensive Example Input Data Example Sources Example Formats Application (dependent on analysis) QQQQ CyBer-attaCk inDiCators what signs are other organizations seeing that CoulD Be useD By us to Prevent, DeteCt, or PreDiCt a CyBer attaCk? Description of spear- • Open source • Email alert • Identify and block phishing emails • Government sources these emails • Industry partners • Sector ISACs Lists of domains hosting • Open source • Email alert • Identify and block malware • Government sources • Listserv traffic to these do- mains • Industry partners • Sector ISACs List of black-listed IP • Open source • Email alert • Identify and block addresses • Government sources • Threat feed traffic to these IP ad- dresses • Industry partners • Sector ISACs • Vendor lists Set of binaries used by • Vendor lists • Threat feed • Identify and remove attackers • Tool output malware • MSSP • Cloud service QQQQ CyBer-attaCk teChniques what have others learneD aBout attaCk teChniques that CoulD Be useD to Prevent, DeteCt, PreDiCt, or DeFenD against CyBer attaCks? Description of attack • Law enforcement • Briefing • Update detection pattern using multiple cyber-intelligence • In-person meeting methods and imple- vectors including social agencies ment ways to block engineering • Industry partners this attack technique Description of new exploit • Government CERTs • Email alert • Update controls on involving mobile devices • Vendor community mobile devices RSA, The Security Division of EMC | security for business innovAtion council report |5
  • 8. • what do organizations need to know? Chart 1 (continued) Potential Defensive Example Input Data Example Sources Example Formats Application (dependent on analysis) QQQQ CyBer attaCkers’ Motives anD targets what are our aCtual or Potential CyBer aDversaries trying to aCCoMPlish? Explanation of trend • Government agencies • Information on • Shore-up DDoS whereby attackers select • Law enforcement hacktivism defenses corporations with certain cyber-intelligence policies to hit with agencies aggressive DDoS attacks • Industry partners Evidence that attackers • Commercial threat- • Threat feed • Increase protection of are pursuing company’s intelligence services • Custom research targeted assets intellectual property such • Law enforcement as new product plans or cyber-intelligence proprietary financial figures agencies Evidence that nation-state • Government agencies • Classified briefing • Increase protection of operatives are stealing • Commercial threat- • Custom research targeted assets proprietary information intelligence services • In-person meeting from companies in the same industry • Law enforcement cyber-intelligence agencies QQQQ CyBer attaCkers’ iDentities who are our aCtual or Potential attaCkers? Specific information on • Government agencies • Classified briefing • Learn to recognize attackers’ identities: name • Commercial threat- • Custom research specific attackers’ and location of particular intelligence services footprints • In-person meeting criminal groups which are targeting the company • Law enforcement cyber-intelligence agencies Chart 2 Input Data on Cyber Incidents and Counter Measures – External Sources QQQQ external inCiDent inForMation what Can we learn FroM inCiDents at other organizations to Prevent, DeteCt, PreDiCt, or DeFenD against CyBer attaCks? Details regarding company • Media • News websites • Integrate lessons in the same industry • Sector ISACs • Email alert learned into defensive disclosing massive data strategies • Industry partners • Information portals breach QQQQ Counter-Measures anD DeFensive teChniques what Best PraCtiCes Can we learn FroM other organizations to DeFenD against CyBer attaCks? Description of new • Peer organizations • Email alert • Implement new con- procedures for protecting • Sector ISACs • Information portals trols around admin admin accounts from accounts • In-person meeting hijacking 6| security for business innovAtion council report | RSA, The Security Division of EMC
  • 9. • what do organizations need to know? Chart 3 Input Data on an Organization’s Security Posture Relative to Cyber Threats – External Sources Potential Defensive Example Input Data Example Sources Example Formats Application (dependent on analysis) QQQQ general vulneraBilities are there vulneraBilities in soFtware/harDware that CoulD Make us Prone to attaCk? Description of operating • Government CERTs • NVD data feed • Implement patch system vulnerability • Vendor community Description of SQL • Sector ISACs • Email alert • Update application injection vulnerability • Vendor community • Commercial threat- intelligence services QQQQ sPeCiFiC vulneraBilities are there sPeCiFiC vulneraBilities regarDing our systeMs that CoulD Make us Prone to attaCk? Discovery of a set of the • Cybercrime-intelli- • Custom research • Update credentials company’s access gence service vendors credentials on hacker websites The threat can be broken down into three Felix Mohan, Senior Vice President and Chief Information components: intent, opportunity, and Security Officer, Airtel capability. Organizations need to know, ‘What is the intent of adversaries? What are the opportunities available to them? And what capabilities do they have to exploit the opportunities?’” RSA, The Security Division of EMC | security for business innovAtion council report |7
  • 10. • what do organizations need to know? Chart 4 Input Data on an Organization’s Security Posture Relative to Cyber Threats – Internal Sources Potential Defensive Example Input Data Example Sources Example Formats Application (dependent on analysis) QQQQ inForMation-assets inventory what are our Most iMPortant inForMation assets to ProteCt anD where are they loCateD? Periodic inventory of high- • Risk-management • Internal report • Establish status and value assets including asset team location of systems type, relative value to the containing IP to organization, location, and ensure adequate security exposure protection QQQQ eMPloyee oBservations what susPiCious aCtivities are eMPloyees oBserving that CoulD Be signs oF a Current or Future CyBer attaCk? Reports of phone calls • Employees’ • Emails to Security • Determine attackers’ being received by members communications • Knowledge-manage- methods and increase of the R&D team asking • Employees’ entries ment system alert security controls to about colleagues into knowledge- protect targeted assets management system QQQQ Business strategy what eleMents oF our strategy woulD Create PossiBle oPPortunities For a Current or Future CyBer attaCk? Information regarding • Business/mission • Internal reporting • Implement real-time outsourcing of business owners monitoring of new processes to external business partners’ IT providers systems and security controls Notice that company will • Finance department • Confidential memo • Implement increased be undergoing merger • Legal department to Security monitoring and con- negotiations trols around privileged users involved in negotiations Evidence that reduction • Human resources • Confidential memo • Implement increased in workforce is creating department to Security monitoring and disgruntled employees controls for employ- ees with access to protected assets QQQQ internal inCiDent inForMation what Can we learn FroM Past CyBer inCiDents to Prevent, DeteCt, PreDiCt, or DeFenD against Future ones? Report regarding malware • Security-operations • Incident report • Integrate lessons that was detected and team learned and strategy remediated to shorten kill chain in the future 8| security for business innovAtion council report | RSA, The Security Division of EMC
  • 11. • what do organizations need to know? Chart 5 Input Data on an Organization’s Security Posture Relative to the Cyber Threats – IT and Security Sources Potential Defensive Example Input Data Example Sources Example Formats Application (dependent on analysis) QQQQ CyBer-risk inFrastruCture events are events within the seCurity inFrastruCture signs oF a Current or Future attaCk? Warning that unauthorized • Correlated SIEM • System alerts • Determine source of connections to servers events attack and target of attempted interest; disrupt at- tacker and investigate further Signs of command and • Full packet capture, • System alerts • Determine source of control activity, data DLP or SIEM events attack and target of exfiltration, or other lateral interest; disrupt at- movement tacker and investigate further QQQQ enD-user anD systeM Behavior Data is enD-user or systeM Behavior signaling a PossiBle Current or Future CyBer attaCk? Sign of an unusual admin • Authentication log • Log analysis alerts • Determine source of remote login – comparison • SIEM attack and target of with baseline interest; disrupt at- tacker and investigate further Sign of increasing • Full packet capture • System alerts • Determine source of password resets – notable • Application logs attack and target of trend interest; disrupt at- tacker and investigate further Sign of unusual data • Full packet capture • System alerts • Determine source of movement – traffic outside • Application logs attack and target of of the norm or to unusual interest; disrupt at- destinations tacker and investigate further QQQQ status oF Controls what is the ConDition oF our Current CyBer DeFenses? Notification that major • GRC system • System report • Increase monitoring business line did not on specific systems complete mandatory until remediated password resets for all users Notification of upload- • DLP system • System report • Increase monitoring policy violations on specific systems and investigate further RSA, The Security Division of EMC | security for business innovAtion council report |9
  • 12. • time for a new approach? 3 Time for a New Approach Intelligence-Driven Information Security D Depending on the maturity of the information- security program, organizations may already integrate cyber-risk data into their defensive DefiNitioN intelligence-driven information security Developing real-time knowledge on threats strategies. For example, it is fairly common for organizations to have a basic vulnerability- and the organization’s posture against those management program for collecting data on software threats in order to prevent, detect, and/or and hardware vulnerabilities and ensuring systems predict attacks, make risk decisions, optimize defensive strategies, and enable action. are adequately patched and updated. Many security professionals read industry publications such as vendor reports on malware and data breaches and consider this information when creating security strategies. For most information-security programs, There is mounting evidence that organizations in however, data collection and analysis are not strong a wide range of industries are increasingly targeted suits. Collection from external sources is often by sophisticated adversaries. For example, a fragmented and not integrated with internal data recent report by the U.S. Office of the National sources. And although many organizations collect Counterintelligence Executive1 states, “The pace reams of data from applications and security systems, of foreign economic collection and industrial they aren’t harvesting and analyzing the data to espionage activities against major U.S. corporations gain an understanding of their environment, such and U.S. government agencies is accelerating.” A as developing baselines for normal activity. Instead, major reason is the accessibility of sensitive data much of the data ends up as dead logs. in cyberspace. The report also indicates that many Most organizations do not have a concerted companies are unaware when their sensitive data effort to collect, amalgamate, analyze, operationalize, is pilfered. Further, it suggests that areas of great and manage cyber-risk data in order to develop interest to cyber spies include information and intelligence. Yet more and more organizations need communications technology, natural resources, this capability in order to defend against advanced defense, energy, and healthcare/pharmaceuticals. threats. It can be hard to digest having to develop a tiM MCknight multi-year plan to learn who your adversaries Vice President and Chief Information Security Officer, are and how they’re going to steal from you. Northrop Grumman Quarter-by-quarter, you may not see any losses. It could be years until you see the losses – when all of a sudden, out of the blue, a company in another part of the world becomes the leader in your space, having subsidized itself with your R&D investments.” “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 1 2009-2011,” Office of the Director of National Intelligence/Office of the National Counterintelligence Executive, October 2011 10 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 13. • time for a new approach Other studies indicate that companies across the globe are being targeted. For example, the Enterprise Strategy Group surveyed companies in the U.S. and Europe regarding advanced persistent threats (APTs) and found that 59% of security professionals surveyed at U.S. companies2 and 63% of those at European companies3 believe it is “highly likely” or “likely” that their organizations have been APT targets. In today’s threat landscape, organizations face targeted, complex, multi-modal attacks which can be carried out over periods of time. They need to fuse together data drawn from multiple sources to effectively detect and mitigate attacks. They need comprehensive, accurate, and timely information to key features make informed decisions about defensive strategies. The time has come when successful defense requires An intelligence capability applies expertise, evolving past conventional approaches in information processes, and tools to: security to developing competencies in data fusion, D consistently collect the right data from the right knowledge management, and analytics. sources change of mind-set required D efficiently amalgamate, analyze, and manage the data Currently, many information-security programs D develop knowledge and produce actionable are compliance-led: Decision making about defensive intelligence strategies is based on the audit cycle or the need to D make risk decisions and take action by modify- simply meet a regulatory baseline. Another common ing controls or planning new defenses approach is incident-led: Decision making is based D share relevant pieces of data such as attack indi- on day-to-day fire-fighting. What is needed is an cators with other organizations intelligence-driven approach, whereby decisions are made based on real-time knowledge regarding the cyber adversaries and their attack methods, and the Building this capability will require investments organization’s security posture against them. in people, process, and technology. Of course, not Some security professionals may see gaining every organization has to achieve the intelligence intelligence about potential cyber threats as the capability of a national-security agency. But there is government’s responsibility, but it is unrealistic for a large spectrum between having no accountability any national government to take on threat analysis for intelligence and achieving the level required for each specific organization, especially in the by a highly specialized threat environment. Every private sector. Governments don’t have the resources organization will need to determine its level of nor do they have the mandate. It is the organization investment based on the particular threats it faces, itself that knows its own business or mission, market the value of the assets it needs to protect, and its risk position, asset valuation, and vulnerabilities and can profile. make the best determination of the cyber threats Organizations don’t have to make huge it confronts. However, governments can play an investments to get started. They can start today important role in providing cyber-risk intelligence using existing personnel, for example, to improve and fostering information sharing. the collection and analysis of log data or to integrate Building an intelligence capability will also open source threat intelligence. Over time, a key require developing a counterintelligence and element will be automation to help decrease manual operational security mind-set among the entire processes. Otherwise the collection and analysis extended security team. This means seeing of greater amounts of data could become onerous one’s own organization from the perspective of and resource-intensive. Another important aspect the adversaries who are targeting it, being able is having an agile program whereby protection to understand their tools and techniques, and methods can be dynamically put into place in identifying potential vulnerabilities before they do. response to the intelligence. The vision is to harness the power of information to prevent, detect, and ultimately predict attacks. Getting ahead of threats requires an ability to see what’s coming in order to determine appropriate action before an attack happens. 2 U.S. Advanced Persistent Threat Analysis: Awareness, Response, and Readiness among Enterprise Organizations, Enterprise Strategy Group, October 2011 3 Western Europe Advanced Persistent Threat (APT) Survey, Enterprise Strategy Group, October 2011 RSA, The Security Division of EMC | security for business innovAtion council report | 11
  • 14. 4 Roadmap to Intelligence-Driven Information Security If youre really serious about having an intelligence-driven program, you have to haveT the resources and a process for risk decision- making that enable rapid changes to your protection platform. You can have all the he following roadmap lays out a basic route for intelligence in the world, but if youre not going developing an intelligence-driven approach to to do anything with it, dont go down this road information security. While the exact route an organization takes will depend on its own unique because its a lot of wasted effort.” circumstances, this roadmap offers some general rolanD Cloutier direction and things to consider at various stages. Vice President, Chief Security Officer, The steps will likely be parallel endeavors but the Automatic Data Processing, Inc. focus of the program will move from one step to the next in sequence. 1 StARt WIth thE bASIcS incident-response process Another requirement is a Security Operations 2 mAkE thE cASE Center (SOC) or Computer Emergency Response Team (CERT), either internally managed or run by a managed security services provider. To be ready 3 FIND thE RIght PEoPLE to take on an intelligence program, the organization needs to have a foundation in place for monitoring the network for intrusions and a workflow process 4 buILD SouRcES for responding to incidents. Ideally, this is a systematic process with well-defined roles. 5 DEFINE A PRocESS risk assessment Organizations must also do a risk assessment. 6 ImPLEmENt AutomAtIoN This involves determining the value of protected information assets, identifying potential sources of harm to those assets (threat assessment), determining the extent of existing vulnerabilities step 1: start with the Basics (vulnerability assessment), and evaluating the probability that the vulnerabilities could be inventory of strategic assets successfully exploited and the potential impact to A fundamental requirement of intelligence- the organization. There are several good sources, driven information security is to have an inventory including the National Institute for Science and of strategic assets since it will be impossible to Technology (NIST) and the SANS Institute, which collect data on everything and protect everything. provide detailed guidance on how to perform threat, Organizations need to know what are the most vulnerability, and risk assessments. important assets to protect and where they Many organizations already routinely perform are located. Over the past several years, many risk assessments as part of their security program. organizations have established an inventory of assets As the intelligence program progresses, there will through a data-discovery process as part of their risk be more data and better understanding which and compliance programs. can be fed into ongoing risk assessments. But it is essential for an organization to begin with a basic understanding of the threats it faces and its risk posture.12 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 15. • roadmap to intelligence-driven information security QQQ “You need to align the intelligence process with your risk- management process. How the company identifies and measures risk needs to be understood and agreed to across the organization.” ralPh saloMon Vice President, IT Security & Risk Office, step 2: make the case Global IT, SAP AG An essential component of developing an key stakeholders intelligence capability is communicating the benefits The communications strategy should not only to executive management and key stakeholders in convince key stakeholders of the benefits but also order to garner support and funding as well as to obtain their ongoing input to ensure success. Since ensure ongoing enterprise-wide involvement in the intelligence-driven security is a new approach for effort. To be successful, intelligence-driven security many organizations, often it begins with developing a must be an enterprise-wide core competency. common language to use as the basis for discussions. The list below suggests possible key stakeholders the value proposition and how they might be involved in the intelligence The main benefit is that the organization will be effort: much better protected. By maximizing the use of D Executive Management and the Board available information, the organization can create Top-level support and implement more precise defensive strategies Risk decisions against evolving threats. Security will not only improve but also become D Finance more cost-effective because it will be targeted Funding strategies at countering the most significant threats and protecting the most strategic assets. Knowledge D Human Resources will enable the security team to perform fact-based Employee-activity monitoring prioritization. They will know how to concentrate D Corporate Security their efforts and where to make the right investments Collaborative data collection and in controls. investigations An intelligence-driven approach enables the security team to actually achieve proactive security D Procurement management. By asking the right questions, Third-party risk management combining multiple pieces of key external and D Business/Mission Owners internal data, looking at the bigger picture, and Identification of strategic assets and examining threats and vulnerabilities on a longer- risks to business term horizon, an intelligence-driven approach provides a view of more than single events or day- D Production/Operations to-day incidents. It allows the team to see emerging Identification of strategic assets and risks attack patterns and developments over time, and to manufacturing operations eventually attain the necessary expertise to predict D Business Risk Officers attacks and get ahead of the threats. Enterprise view of risks RSA, The Security Division of EMC | security for business innovAtion council report | 13
  • 16. • roadmap to intelligence-driven information security D Legal of awareness among executive leaders and boards Compliance to privacy regulations regarding the risks posed by advanced threats. Legal frameworks for obtaining threat data Security teams can take advantage of this increased and sharing information with other organiza- interest to propose cyber-risk intelligence projects tions as an integrated part of their security strategy. Employee-activity monitoring Leadership may be more open to providing the required funding and support than in the past. D IT However, the proposed project must align to current Programming, analytics, and automation top priorities and be able to deliver information that IT architecture and defensive strategies is specific and critical to the business. Information on IT operations for data sharing and vague, broad risks will not be useful. service-level management More often than not, an intelligence-driven approach gets started because the security team opportunities for a “quick win” seizes an opportunity. For example, a specific risk is Strategically, developing a fully deployed identified as critical to the business and intelligence intelligence capability is going to be a multi-year is proven to be very useful in mitigating that specific effort. Typically, it makes sense for the security team risk. Or a security incident occurs and intelligence to start small with the objective of quickly showing is proven to be very useful in detecting the attack some good results. A “quick win” will help them gain and/or reducing the risk of future incidents. Chart the support and funding needed. 6 provides some possible examples of opportunities, Since cyber attacks have recently received a lot of drawn from real-world experiences of Council media attention, there is generally an elevated level members and their peers. 6. examples of “Quick win” opportunities to show value ExAmPLE oPPoRtuNIty PRojEct RESuLtS Executives express concerns Data collection and analysis on this new class of Threat briefing to regarding hacktivism based threat: executives leads to on media reports. Many other • A member of the incident-response team is support for more organizations with a similar assigned to do research on the likelihood of the technology resources risk profile are being targeted company being targeted by hacktivists, impact, for threat analysis. by hacktivists and some have and how to defend against attacks suffered shut-down of websites. • Based on research, specific adjustments made to DDoS defenses A critical component of the Data collection and analysis on a potential business Threat briefing to organization’s business strategy partner: executives leads to depends on partnering with a • Short engagement with a threat-intelligence support for more new strategic partner. service to do research on potential threats to the funding for threat- business partner and the relationship intelligence services • Based on research, specific recommendations are made regarding security requirements for doing business with the partner An insider incident involving Data collection and analysis on internal Security team systems containing IP leads environment: has support of to the awareness for increased • Security team requests assistance from business- organization to protection of particular intelligence team in developing baselines for end- expand the number of information assets. user behavior in accessing a set of critical systems systems for which to • Baselines established develop baselines of end-user behavior • Able to monitor activity on those systems for anomalies A series of suspicious Use of external threat data Security team has events leads to concern that • A short engagement with a threat-discovery support of organization certain systems have been service to monitor outgoing communications for to expand the number signs of attack based on the vendor’s attack- of systems for which compromised. indicator database to develop baselines of end-user behavior • A botnet is detected and remediated 14 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 17. • roadmap to intelligence-driven information security Petri kuivala Chief Information Security “In many organizations, improvements in security Officer, Nokia happen when there are incidents. It’s human nature. Management will listen to the security team and agree to improvements at other times but they seem to get more interested and provide funding when there is an incident.” step 3: find the right people The skill set for cyber-risk intelligence professionals is quite different from the traditional skill set within the security department. Historically, security professionals required technical skills such as system administration or network administration skills, but cyber-risk intelligence teams require a different set of skills which are focused on determining how attack techniques might be used against the organization’s IT infrastructure. It is a relatively senior role that also requires an ability to evaluate risks and make reasoned judgement calls. Analytical skills and experience are crucial in order to look at what appear to be unrelated pieces of data to draw linkages, uncover patterns, see trends, and make predictions. Knowing how to construct and refine analytical models and work detailed information on adversaries and their specific with other professionals such as programmers are plots turn to threat-intelligence services. also necessary skills, as well as specific expertise in The advantages are that the threat-intelligence network- and system-behavior analysis. services already have established methodologies One of the most important aspects of the role is for active research and have amassed a wealth of building and maintaining good relationships. experience working with a wide spectrum of clients. Communication and writing skills are essential, such The drawbacks are that the services can be costly as being able to craft messages for various audiences. for smaller organizations and an external service Other facets of the job will require skills in designing provider may not have a deep understanding of each and managing processes, developing procedures, and individual organization’s business. If an organization implementing tools for the intelligence program. works with a threat-intelligence service, internal Being inquisitive and investigative are useful traits team members must be able to define the search for performing research. Depending on the parameters so that the service provider can deliver organization’s threat level and objectives for the relevant information and also be able to put the program, there may be a need for people on the information provided in context. intelligence team who have the skills to do active The title for the emerging role of cyber-risk research such as working in “underground” channels intelligence professional is “analyst.” Job descriptions in order to collect intelligence on the adversaries. vary depending on the goals and maturity of the This could require specialized technical knowledge program as well as the organizational structure. A and skills in foreign languages and cultures. sample job description for a “Cyber-Risk Intelligence However, most organizations that decide to pursue Analyst” is provided in the sidebar on page 16. This could be challenging for a single individual“Cyber-risk intelligence requires a skill to accomplish. One approach is to have a multi- disciplinary team, combining people who have theset combining abilities to understand various requisite skills. Many organizations do notthreats, the business environment, and have the resources to build a large dedicated team,security controls in order to determine especially in the early stages of an intelligencethe risks to the business and what controls program. Instead, they might start by forming a virtual team by getting people from variouswould mitigate those risks.” departments to spend some time looking at security threats from different angles. Or, they might Dave Martin Chief Security Officer, designate existing security resources, for example EMC Corporation enlist senior members of the team to allocate time RSA, The Security Division of EMC | security for business innovAtion council report | 15
  • 18. • roadmap to intelligence-driven information security Job DescriptioN: to cyber-intelligence functions. Over time, the cyber-risk iNtelligeNce ANAlyst organization may dedicate full-time resources and/or hire people. D Determining sources of intelligence Finding the right people can be a challenge. Since D Ensuring consistent and cyber-risk intelligence is an emerging discipline, effective collection of data from the skills are not widely available yet. But there those sources are several good potential sources, including D Doing research developing people from within the existing incident- D Consuming information such as response or forensics team or hiring professionals reading bulletins, memos, and with a background in federal law enforcement, reports military intelligence, or banking-fraud analysis. D Performing tests on the IT environ- Depending on the organizational structure, the ment to check for attack indicators cyber-risk intelligence team could reside within the or known techniques information-security department or in an enterprise D Implementing automated methods intelligence “fusion center,” which includes other of consuming data analysts working in areas such as physical security, D Analyzing information supply chain, and competitive intelligence. Constructing and refining analytical models and running analytical tools Developing threat scenarios Intelligence is all about relationships. Most D Writing and presenting threat brief- ings for various audiences (daily, companies have tons of information internally weekly, and quarterly briefings) but it’s not being shared. They have tons of D Developing relationships and information accessible through their service networks of contacts providers but they’re not asking the right Internal such as IT team and business lines questions. You need people who can create External such as law enforcement, trusted communication channels to leverage all information-sharing associations, and of these sources.” peers at other companies Marene n. allison Worldwide Vice President D Developing trusted communication of Information Security, channels Johnson & Johnson D Building an end-to-end intelligence process D Working with other teams to act on the intelligence, such as improving detection or defensive strategies step 4: Build sources Good sources of cyber-risk data depend on what information is sought. Based on the current knowledge of threats and the organization’s security posture against them, the cyber-risk intelligence team needs to determine what additional data would help prevent, detect, or predict attacks. For instance, the team may decide to improve the collection of cyber-attack indicators from external sources to increase the likelihood of catching a potential problem. There may be a surge of spear- phishing emails affecting one of the business units and the team wants to know if and when other units get hit. They may see potential for an APT-style attack and want to know who could be targeting them. 16 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 19. • roadmap to intelligence-driven information security Once information requirements are determined, “If something happens at your organization, the team can seek out good sources. Various types the first question you’ll ask is, ‘Is it just me or and key factors are presented in Charts 7-11. Finding is everybody else getting hit with this attack?’ good sources is an ongoing process – information requirements need to be reviewed, current sources You can’t answer that for yourself. And it takes assessed to determine if they meet requirements, too long to call 20 of your closest friends. You’ve and new sources researched and evaluated. As well, got to be part of a larger gene pool to get an as data is collected and analyzed, sources may need immediate answer to that question.” to be adapted on-the-fly. Even trusted sources could get things wrong. Keep in mind that sources vary renee guttMann significantly in quality and scope. Some of the best Chief Information Security Officer, The Coca-Cola Company sources may cost very little and some of the worst may cost a lot. The value of the data from each source should be tracked so that, over time, the team can judge how good particular sources are. D What are the costs involved? evaluation criteria • Are there up-front costs to receive the The cyber-risk intelligence team should not only information? Is there a membership fee? consider the attributes of the source but also the Subscription-based fee? Service fee? Would it organization’s ability to make use of the data from be a custom engagement? that source. Questions include: • How many personnel will it take to collect D How trustworthy is the source? and make use of the data? • Does the source provide consistent, reliable, accurate, trustworthy data? D If it’s an information-sharing arrangement, are • Are we able to effectively collect and con- the required processes in place? sume data from this source? • Do we trust that the data we provide to others will be handled with care, for example be • Is the data machine-readable or does it re- kept confidential or de-identified if distrib- quire human intervention? uted? • If it is machine-readable, what format is it in • Do we have a policy for determining what and do we have the right tools in place to use data will be shared with external entities and it in an automated fashion? (For example, how? could we integrate the data with our Security Information and Event Management (SIEM) • Have we established the legal frameworks, system?) rules of engagement, and/or agreements (NDA) for working with this source? • If it requires human intervention, do we have the right people to review it, analyze it, and/ • How much time and effort will it require to or use it to manually perform tests on our package up our data in order to share with environment? external entities? • Do we have a data-management process that D Is the data provided by this source actionable? can ensure the confidentiality and integrity • Or is it too vague and broad to use? of the data and handle sensitive data (for D Is the data additive? example, if the source can’t be quoted)? • Does it provide corroborating information? D If the source is our internal IT infrastructure, • Or is it redundant data that we already obtain do we have the right tools to capture or generate from another source? the right data? • Could we reconfigure logging or correlation rules to get the data we need? Or would we need additional tools to generate the required data? D Do we have the time to invest in fostering the relationships that may be required to work with this source? (Internal or external sources often require relationships.) RSA, The Security Division of EMC | security for business innovAtion council report | 17
  • 20. • roadmap to intelligence-driven information security Build your source material – whether from government or commercial sources, individuals in your organization, or business-intelligence processes. Your sources have to be broad enough to catch what might be DaviD kent, Vice President, disconnected elements of a common risk.” Global Risk and Business Resources, Genzyme relationships: the underpinning of good sources Finding good sources is often predicated on building good relationships. Getting information requires having the right contacts who will share data based on trust. Relationships must be developed and maintained with colleagues throughout the organization, peers at other companies, law enforcement, government officials, and personnel from industry associations, in order to cultivate useful sources of intelligence. The team needs to collect enough information to perform meaningful analysis but the goal is not to collect data on everything from everywhere. The team has to prioritize based on the threat model and information they are trying to protect, as well as the total costs of data collection and use. In addition, it should be recognized that often the team has to begin an analysis with incomplete information. SOURCES OF Cyber-risk DATA type of Examples Data Provided key Factors Source QQQQ 7 governMent sourCes computer • U.S.: U.S.- CERT • Reports, advisories, and alerts • Threat data is mainly non- Emergency • Europe: CERT-FI (Finland), on threats and vulnerabilities automated via emails and web Response DFN-CERT (Germany), • Best practices and security tips postings Agencies GOVCERT.NL (Netherlands), • Vulnerability data often in • Attack indicators* GovCERT and CPNI (UK) machine-readable formats • India: CERT-In • Some CERTs are membership- • Global: FIRST based • Australia: AusCERT Federal • U.S.: DHS, NSA • Reports, advisories, and alerts • Publicly available data on the government • UK: GCHQ, Home Office on threats and vulnerabilities threats is mainly non- Security • Threat briefings automated via web postings • Germany: BSI Agencies • Vulnerability data sometimes • Australia: DSD • Attack indicators provided in machine-readable formats • Indicator databases starting to be available (DHS) • Classified data cannot be shared widely • Unclassified briefings provided to certain enterprises Law • Local police: cyber-crime offices • Cyber-crime reports • For specific information (versus Enforcement • National police such as: • Data on attack techniques public reports) need to navigate FBI/InfraGard (U.S.), SOCA through the system to find good • Validation of criminal activity (UK), BKA (Germany) contacts • Attack indicators • International: INTERPOL • Mostly non-automated data *Attack indicators include: black-listed IP addresses, domain names, command and control servers, phishing sites, email addresses, file names, binaries, and malware signatures. 18 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 21. • roadmap to intelligence-driven information security type of Examples Data Provided key Factors Source QQQQ 8 inDustry assoCiations anD networks Information- • U.S. sectorial: ISACs such as • Reports, advisories, and alerts • Mainly non-automated data Sharing the FS-ISAC and IT-ISAC, and on threats and vulnerabilities provided via emails and web Associations ES-ISAC • Best practices and security tips postings • U.S. Energy: EnergySec • Attack indicators • Some associations are moving • U.S. Defense Industrial Base: towards providing some auto- DCISE mated data feeds • U.S. public/private: ESF • Typically membership-based with range of fees • Europe: ENISA • UK: WARPs, UKPA • Global IT industry: ICASI • Regional: PRISEM, ACSC • Vendor: RSA eFraudNetwork Informal Informal networks of security • Information on threats and • Mostly face-to-face meetings Information- professionals from a local area or a vulnerabilities Sharing vertical industry groups Peers at other Members of the security, incident- • Best practices and security tips • Mainly non-automated data companies response, and/or intelligence teams • Validation of similar activity on shared via personal contact, their networks phone calls, and emails • Attack indicators • Presentations at conferences Security Academic or industry-supported • Vulnerability information • Mainly information provided Researchers • Potential threat scenarios through personal contact, networking events, and confer- • Defensive methods ences QQQQ 9 CoMMerCial sourCes threat Feeds ZeusTracker, Bit9, SANS Internet • Attack indicators • Typically subscription fee-based Storm Center, Malware Domain or pay-per-view List, Stopbadware, Team-Cymru, • Machine-readable data in vari-, RSA AFCC ous formats • Threat feeds are integrated with technology platforms such as threat-detection and security- intelligence systems threat- Cyveillance, iDefense, • Data on specific attackers and • Various types of engagements Intelligence iSightPartners, RSA CyberCrime their techniques as well as • Delineate services to be pro- Research Intelligence Service, Mandiant investigations of compromise vided via a statement of work Services QQQQ 10 extenDeD enterPrise sourCes business • Supply chain • Best practices and security tips • Mainly non-automated data via Partners • Business-process outsourcers • Validation of similar activity on personal contact, phone calls, their networks and emails • Service providers • Attack indicators • Include information-sharing obligations in contract managed • AT&T • Validation of similar activity on • Include information-sharing Security • Verizon other networks obligations in contract Service Providers RSA, The Security Division of EMC | security for business innovAtion council report | 19
  • 22. • roadmap to intelligence-driven information security type of Examples Data Provided key Factors Source QQQQ 11 organization’s internal sourCes Employees, • Enterprise employees • Observations of suspicious • Employee awareness required contractors • Resident contractors activities and/or incidents • Automated mechanism re- quired for handling volumes of reporting • Hot line Executives Departments such as finance, • Discussions regarding business • Executive awareness required corporate strategy, business lines strategies and associated risks • Information-sharing working groups and/or forums It and Business applications, GRC • Logs, alerts, and reports • Machine-readable data Security systems, SIEM systems, network- • Advanced analysis tools often Infrastructure monitoring systems used to amalgamate data from these sources, for example to baseline normal activity step 5: define a process For designing a cyber-risk intelligence program, fed back into the system. For example, if an action the goal is a standardized methodology that produces is taken to modify security controls, data on the actionable intelligence and ensures an appropriate updated security posture becomes new input data. response. Given the nature of intelligence, the The basic stages of a process can be described as process will need to work on both a tactical and follows: strategic timescale. Certain information such as D Obtain data precise, real-time attack indicators will call for • Input data from external and internal sources immediate action while other information such is collected and indexed. as knowledge of protracted attack techniques will require longer-term defensive initiatives. Intelligence D Filter data needs to inform not only day-to-day operations but • Data that is irrelevant, not credible, or too also provide a more strategic outlook over a period of vague is removed. years. • Irrelevant data could be exploits involving The diagram below is an illustration of a basic technologies not used or attacks targeting as- process for collecting data, extracting meaning, sets that are not owned by the organization. making risk decisions, and taking action. It is set • Data that is judged not credible could be up as a feedback loop so as knowledge is gained, it’s based on previous experience with that source providing unreliable data or on receiv- ing conflicting data. Obtain data D Perform analysis • Various pieces of data are amalgamated, cor- Filter data related, and studied to determine how they all relate. Take action The basic stages of an • Analysis is typically a mix of manual and automated techniques (from white-boarding intelligence process to interactive analytics). • Analyses include an initial assessment of the Perform analysis risk and options for risk mitigation. Make risk decision D Communicate results • Ideally, exigent risks are surfaced to an auto- mated dashboard for immediate attention by Communicate results the Security Operations Center (SOC). For example, if the analysis finds evidence within the IT environment of outbound traffic to an adversary’s command and control server. 20 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 23. • roadmap to intelligence-driven information security • For communicating the results of ongoing Rein-in access privileges for a set analyses, an effective method is a system of of critical assets. regular intelligence briefings to key Segment the network to isolate certain stakeholders. critical assets. For example, the results of analysis may include Implement encryption for certain critical intelligence on the intent of adversaries, potential business processes. opportunities available to them, and/or the capa- bilities they may have to exploit the opportunities. The cyber-intelligence team cannot work in • Briefings can be provided to different audi- isolation. The security-management process ences at various time intervals. should delineate who is involved at every stage. For For example, daily briefings to the security team, example, the team must have the right relationships weekly briefings to IT, monthly briefings to an across the organization to coordinate a response executive risk committee, and quarterly briefings to the intelligence. It will require relationships to executive leadership. with members of SOC, network operations, system • Besides regular briefings, out-of-band proce- administrators, and/or business lines, and so on. dures for communicating high risks are also Certain situations may call for outside expertise needed. such as malware forensics if not available in-house. For example, proof of an imminent attack affect- Having a flexible protection platform is also essential ing critical systems might be communicated right for rapid response. For example, with a centralized away versus indications of a possible future management architecture, large-scale firewall attack which would be included in a regular changes could be made quickly across hundreds of threat briefing. control points. Operational responsibility for information D Make risk decision security is typically dispersed throughout an • Ideally, for exigent risks, a protocol has been organization but center-led by the Chief Information set for the SOC to make a risk determination Security Officer (CISO). Therefore, creating an and take immediate action. effective cyber-risk intelligence process will • For other critical risks, once they are identi- require bridging between organizational and data- fied and communicated by the intelligence management silos. It may be possible to leverage team, depending on the risk, other stakehold- existing systems for facilitating data flows. For ers (such as IT, business/mission owners, risk example, some organizations have set up a common officers, executives) may weigh in on the risk database for all information- and physical-security assessment and options for mitigation. incidents and/or have built knowledge-management • A risk calculation is performed considering and workflow processes for an enterprise risk- the potential impact to the organization ver- management program. An intelligence program sus the costs to mitigate the risk. could piggy-back on these types of efforts. However new technologies may also be required. • A decision is made regarding actions to be taken for each specific risk. D Take action • The action required will range from reconfig- “The process needs to be fast, fluid, and enable uring security tools to overhauling network dynamic response – not be fixed, rigid, or architecture and implementing new security stratified. If the goal is for the organization to controls. outmaneuver cyber adversaries, the cyber- • A few examples of possible actions that could be taken in response to intelligence include: intelligence team can’t get bogged down by bureaucracy.” Change a firewall rule across the organization. Develop a new correlation rule for the SIEM. williaM Boni Corporate Information Security Officer (CISO), VP Enterprise Information Security, T-Mobile USA RSA, The Security Division of EMC | security for business innovAtion council report | 21
  • 24. • roadmap to intelligence-driven information security If you have intel on a threat which has not yet materialized into an attack, there may be a tendency to say, ‘Well, it has not happened to us so far, why do we vishal salvi need to worry about it now?’ Response prioritization Chief Information Security Officer becomes very important and at the same time very and Senior Vice President, HDFC Bank Limited challenging when it’s a prospective threat.” step 6: implement automation It is important to recognize, though, that implementing technology solutions does not To facilitate the intelligence process, equal developing an intelligence-analysis process. organizations should look at opportunities for Automated systems make the large data sets automation. A cyber-risk intelligence program manageable and accessible so that the analysts can inherently involves “big data.” For example, to keep more easily see relationships among disparate data up on current threats, an organization will probably types, identify connections, and notice patterns be collecting cyber-attack indicators from as many of activity forming; but they do not fulfill the reliable sources as possible. To gain insights into its requirements for the complete analysis. entire IT environment, it will be amassing logs and Although there is no silver-bullet technology for a full packet information from relevant systems and cyber-risk intelligence program, there are several network devices across the organization. technologies available today for automating elements The whole point of the intelligence effort is to of data collection, analysis, and management. There correlate and analyze data from multiple sources are four general areas in which leading organizations in order to understand the threats and the make technology investments for a cyber-risk organization’s security posture against them. This intelligence program: program can easily accumulate vast amounts of data. It’s simply not realistic to have humans handle all a. automating the consumption of threat feeds of it at every step. An effective program necessitates The format of cyber-attack indicators is automation and planning the storage, analytic, and sometimes a list of unstructured data. When it is network architectures. delivered in a non-automated fashion, such as via email text or website posting, it has to be processed manually. For example, an analyst will enter it into a database to check the IT infrastructure for these signs of attack. Fortunately, there are a growing number of government, industry-association, and commercial sources that provide automated threat feeds: machine-readable data such as comma-delimited ASCII. The technologies used to consume automated threat feeds are typically security information and event management (SIEM) systems, network- monitoring and forensics systems, and/or security- intelligence databases. One of the challenges in working with automated threat feeds is that there is no standardization for how the content is organized. The order of data fields varies from one feed to the next. Therefore, “You get a fire hose of information from potentially thousands of sources and need somewhere to put it – ideally a platform that enables fast searches in an un-normalised form, rapid analysis, and automated anomaly roBert roDger, detection.” Group Head of Infrastructure Security, HSBC Holdings plc 22 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 25. • roadmap to intelligence-driven information security“One of the biggest problems in the world c. automating log analysis and full packet captureof intelligence is that you quickly drown in An area of focus for many cyber-risk intelligence programs is gaining visibility into the organization’sdata. You get masses of data, but you have own internal IT environment. Security-datato be able to derive knowledge from it, make analytics has emerged as an innovative approachit relevant and actionable – that takes good modeled on business-intelligence systems, which process massive amounts of customer data totools and better still excellent analysts.” spot fraud or business opportunities. “Security intelligence” systems process data such as end-user ProFessor Paul Dorey, Founder and Director, CSO Confidential and behavior and system activity to spot cyber-attack Former Chief Information Security Officer, BP indicators. The concept is to aggregate data logs and full packet data, such as application-access logs or network data that many organizations already routinely collect, then perform various functions such as baseline normal activity, discover anomalies, create alerts, develop trending, and even predict the data may need to be parsed before it is readable incidents. by a particular technology platform. However, there are aggregated threat-feed services that provide d. automating the fusion of data from multiple indicators from multiple sources, pre-process the sources data, and parse it into a consistent format. Some organizations are taking an even bigger- Another way that organizations can integrate picture view and amalgamating cyber-risk data from automated threat feeds into their current both internal and external sources into a “fusion environment is by implementing technology center” or “security-data warehouse.” The idea is to platforms such as routers, anti-malware products, merge current data from the organization’s IT and and adaptive-authentication solutions that business environments with the latest information automatically contain threat data. on threats into one large-scale analysis engine to achieve precise situational awareness. b. automating the collection of employee The vision is a “big data” view of information observations security which will enable security teams to have Collecting information from thousands of real-time access to the entirety of information employees across a large global enterprise is relevant to security risks. Advances in database ultimately not feasible without some way to automate technologies, data-storage systems, computing power, the process. If the intelligence team is interested and analytics are helping organizations to realize this in gathering data from employees on potential or vision. actual incidents, reporting methods such as emails or phone calls to security simply do not scale. Increasingly, organizations implement knowledge- management systems for employees to report events to the intelligence team. These systems enable searching based on various parameters and can be customized to provide alerts. The main challenge will be getting employees to understand what events are to be reported and consistently use the system for reporting. RSA, The Security Division of EMC | security for business innovAtion council report | 23
  • 26. 5 No Organization is an Island Improving Information Sharing “Sharing information is not the end state. The end state is to get actionable information that will help improve corporations’ and governments’ cyber-security posture and continually raise the bar.” williaM Pelgrin, President & CEO, Center for Internet Security; Chair, Multi-State Information Sharing and Analysis Center (MS-ISAC); and Immediate Past Chair, National Council of ISACs (NCI)S haring cyber-risk intelligence and defensive strategies has become imperative in today’s threat landscape. No organization can Most information-security professionals have established informal networks of trusted contacts at other companies. Informal networks can be realistically sit in isolation and still be able to defend invaluable; they are often the most frequent way itself. organizations share information. However, informal One of the most propitious aspects is the networks do not enable information sharing on a exchange of cyber-attack indicators. If large large scale. communities of organizations could readily and For achieving large-scale exchange of continuously exchange data on current attack information, there are a growing number of industry methods, it would seriously impede attackers’ or government-led information-sharing initiatives as operations. With an online early-warning system, well as public/private partnerships. A few examples organizations under attack could share attack from various geographies are provided in the chart profiles, so that others could prepare to defend below. themselves against similar (or even the very same) attacks. 12. exaMPles oF inForMation-sharing initiatives geography Information sharing initiatives International • Forum of Incident Response and Security Teams (FIRST) • Industry Consortium for Advancement of Security on the Internet (ICASI) National • Computer Emergency Response Teams (CERTs) throughout Europe and Asia • Warning, Advice and Reporting Point (WARP) and CESG in the UK • Sectorial Information Sharing and Analysis Centers (ISACs), EnergySec, U.S.-CERT, Defense Industrial Base Col- laborative Information Sharing Environ- ment (DCISE), and Enduring Security Framework (ESF) in the U.S. Regional • Public Regional Information Security Event Management (PRISEM) in Wash- ington • Advanced Cyber-Security Center (ACSC) in Massachusetts24 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 27. • no organization is an island You have to invest time in being an active member of an external network. To fight threats requires data. Other companies need to be willing to share data with you.” Dr. Martijn DEKKER production programs for providing data in machine- Senior Vice President, Chief Information Security Officer, ABN Amro readable formats. As information-sharing groups have gained experience, a set of criteria has emerged as the key ingredients for a successful exchange entity including: D Trust among the participants Models of operation and profiles of members vary, D Formalized structure (charter, board members, but all of these entities have similar information- leadership, and professional staff) sharing goals. Also, since some are relatively new D Adequate funding through government and/or – formed in the past few years – they continue to membership fees evolve. Some entities have already become effective D Established protocol and clear rules for in- channels for information exchange. Other entities formation sharing (what is to be shared with have not yet reached a critical mass of participation whom) by all members. D Legal framework in which to share confidential There are many challenges to creating information (NDA, government safe harbor) information-sharing mechanisms. Participation is often hindered by a lack of resources. As well, D Standardized and reliable procedures for the confidential nature of the information makes it de-identifying confidential information to be tough to share. Organizations have good reasons not distributed to want others to know how they are being targeted D Streamlined mechanisms for submitting and by cyber adversaries. Enterprises are restricted by distributing information (secure portal, en- legal issues, competitive considerations, and fears of crypted email, and/or digitally signed machine- reputation loss. Government agencies are restricted readable data) by classification requirements and national-security D Genuine participation (through committed rep- concerns. resentatives and actual data contribution) Designing a way to deliver cyber-attack indicators is also enormously difficult. How does one create a system to distribute data that needs to be tightly held, Trust and timeliness are essential components for yet shared with the broadest amount of people in information sharing. Within existing information- the shortest amount of time in a form that they can sharing groups, trust is still largely rooted in personal immediately consume? relationships, which does not create a sustainable The good news is that, especially in the past system. Timeliness of information sharing couple of years, more organizations have started continues to be a struggle as reliance is on particular to participate and extend their contributions to individuals to post information in secure portals information-sharing initiatives. It has often been or securely email information. Automated data- individual companies which lead the way – deciding exchange systems need to be established to remove to make the “leap of faith” by being among the first the dependency on specific people. In addition, to provide data and expecting others to follow, which harmonized standards for representing attack spurs participation. information in machine-readable format, delivering Groups such as the U.S. National Council of it securely, and consuming it in real time would help ISACs are also working to increase the number to enable automation. of organizations that participate, expand sector As cyber attacks continue to threaten enterprises coverage, and improve cross-sector sharing. and governments, more organizations will likely Governments in some parts of the world are be motivated to invest in information sharing. An actually starting to mandate participation including important factor paving the way is that organizations provisions for legal protections. For example, the have the people, processes, and technologies in place government of India recently mandated participation to effectively participate in intelligence exchange. in information exchange for the banking and critical-infrastructure sectors. There are also efforts underway to facilitate sharing mass amounts of data. Several information exchanges have pilot or RSA, The Security Division of EMC | security for business innovAtion council report | 25
  • 28. 6 ConclusionT he era of advanced threats calls for a new approach to information security. When dedicated cyber adversaries against growing threats to their operations and intellectual property. have the means and methods to elude Although many corporations have commonly used defenses, such as signature- developed capabilities in competitive and based detection, it is clear that conventional market intelligence to understand their approaches are no longer sufficient. An competitors and customers, most have not intelligence-driven approach to information developed a cyber-risk intelligence program. security can deliver comprehensive Given that most business processes and situational awareness, enabling transactions are now conducted in cyber organizations to more effectively detect and space, activities such as fraud, espionage, mitigate cyber attacks. and sabotage have also moved online. Cyber-risk intelligence has become a Developing a cyber-risk intelligence required competency to understand the capability will take investments in people, online risks. process, and technology. It will challenge the information-security team to grow The guidance provided in this report is beyond the current skill set and to commit intended to help point the way forward. to a change in mind-set. And it will require By harnessing the power of information, not only the steadfast efforts of the security organizations can develop the knowledge team but also broad organizational support. they need to get ahead of advanced threats. The value proposition for a cyber-risk intelligence program includes improved security and cost-effectiveness. Defensive If you know your attackers and what they strategies can be precisely aimed at might be capable of exploiting within addressing the most significant threats your environment, you can demonstrate and protecting the most critical assets. The to your executive management that you’re security team will have the knowledge it spending money on the right controls.” needs to make informed risk decisions and Dave Cullinane, invest in the right security controls. Chief Information Security Officer and Vice President, Global Fraud, Risk & Security, eBay Organizations must begin to recognize that having a cyber-risk intelligence capability is not just for the defense establishment and national-security agencies anymore. Government entities and corporate enterprises in many sectors must start to develop this capability in order to protect26 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 29. 7 Appendices About the Security for Business security for BusinessB QQQQ innovation report series Innovation Council Initiative the tiMe is now: usiness innovation has reached the top of the Making Information Security agenda at most enterprises, as the C-suite Strategic to Business strives to harness the power of globalization Innovation and technology to create new value and efficiencies. Yet there is still a missing link. Though business Mastering the risk/ innovation is powered by information and IT rewarD equation: systems, protecting information and IT systems Optimizing Information is typically not considered strategic – even as Risks to Maximize Business enterprises face mounting regulatory pressures Innovation Rewards and escalating threats. In fact, information security is often an afterthought, tacked on at the end of Driving Fast anD ForwarD: a project or – even worse – not addressed at all. Managing Information But without the right security strategy, business Security for Strategic innovation could easily be stifled or put the Advantage in a Tough organization at great risk. Economy Charting the Path: at rsa, we Believe that iF seCurity teaMs Enabling the “Hyper- are true partners in the business-innovation Extended” Enterprise in the process, they can help their organizations achieve Face of Unprecedented Risk unprecedented results. The time is ripe for a new approach; security must graduate from a technical specialty to a business strategy. While most BriDging the Ciso-Ceo security teams have recognized the need to better DiviDe align security with business, many still struggle to translate this understanding into concrete plans of the rise oF user-Driven it: action. They know where they need to go, but are Re-calibrating Information unsure how to get there. This is why RSA is working Security for Choice Computing with some of the top security leaders in the world to drive an industry conversation to identify a way the new era oF forward. CoMPlianCe: Raising the Bar for Organizations Worldwide rsa has ConveneD a grouP oF highly when aDvanCeD Persistent successful security executives from Global 1000 threats go MainstreaM: enterprises in a variety of industries which we call Building Information- the “Security for Business Innovation Council.” Security Strategies to Combat We are conducting a series of in-depth interviews Escalating Threats with the Council, publishing their ideas in a series of reports, and sponsoring independent research that explores this topic. RSA invites you busiNess iNNovAtioN DefiNeD to join the conversation. Go to securityforinnovation to view the reports or access Enterprise strategies to enter new markets, launch new products the research. Provide comments on the reports or services, create new business and contribute your own ideas. Together we can models, establish new channels accelerate this critical industry transformation. or partnerships, or transform operations RSA, The Security Division of EMC | security for business innovAtion council report | 27
  • 30. Contributors Top information-security leaders from Global 1000 enterprises mArene n. Allison, Anish bhimAni, CISSP, WilliAm boni, CISM, CPP, rolAnd cloutier, Worldwide Vice President of Chief Information Risk CISA, Corporate Information Vice President, Chief Security Information Security, Officer, Jpmorgan chase Security Officer (CISO), Officer, automatic data Johnson & Johnson VP Enterprise Information processing, inc. Anish has global responsibility Security, t-mobile u.s.a. Prior to joining Johnson for ensuring the security Roland has functional and & Johnson, Marene was a and resiliency of JPMorgan An information-protection operational responsibility for senior security executive Chase’s IT infrastructure and specialist for 30 years, Bill ADP’s information, risk, crisis- at Medco, Avaya, and the supports the firm’s Corporate joined T-Mobile in 2009. management, and investigative- Great Atlantic and Pacific Risk Management program. Previously, he was Corporate security operations worldwide. Tea Company. She served Previously, he held senior Security Officer of Motorola Previously, he was CSO at in the United States Army roles at Booz Allen Hamilton, Asset Protection Services. EMC and held executive as a military police officer Global Integrity Corporation, Throughout his career, Bill has positions with consulting and and as a special agent in the and Predictive Systems. helped organizations design managed-services firms. He FBI. Marene is on the board Anish was selected and implement cost-effective has significant experience of directors of the American “Information Security programs to protect both in government and law- Society of Industrial Security Executive of the Year for tangible and intangible assets. enforcement, having served International (ASIS) and the 2008” by the Executive He pioneered the application in the U.S. Air Force during Domestic Security Alliance Alliance and named to of computer forensics and the Gulf War and later in Council (DSAC) and is Bank Technology News’ intrusion detection to deal federal law-enforcement President of West Point “Top Innovators of 2008” with incidents directed against agencies. Roland is a member Women. She is a graduate of list. He authored “Internet electronic business systems. of the High Tech Crime the U.S. Military Academy. Security for Business” and Bill was awarded CSO Investigations Association, the is a graduate of Brown and Magazine’s “Compass Award” State Department Partnership Carnegie-Mellon Universities. and “Information Security for Critical Infrastructure Executive of the Year – Central” Security, and Infragard. in 2007. dAvid Kent, Petri KuivAlA, dAve mArtin, CISSP, tim mcKnight, Vice President, Global Risk Chief Information Security Chief Security Officer, CISSP , Vice President and and Business Resources, Officer, nokia emc corporation Chief Information Security genzyme Officer, Petri has been CISO at Nokia Dave is responsible for northrop grumman David is responsible for the since 2009. Previously, he led managing EMC’s industry- design and management of Corporate Security operations leading Global Security Tim is responsible for Genzyme’s business-aligned globally and prior to that in Organization (GSO) focused Northrop Grumman’s global security program, China. Since joining Nokia on protecting the company’s cyber-security strategy which provides Physical, in 2001, he has also worked multibillion-dollar assets and and vision, defining Information, IT, and Product for Nokia’s IT Application revenue. Previously, he led company-wide policies Security along with Business Development organization EMC’s Office of Information and delivering security to Continuity and Crisis and on the Nokia Siemens Security, responsible for support the company. Tim Management. Previously, he Networks merger project. protecting the global digital received the Information was with Bolt Beranek and Before Nokia, Petri worked enterprise. Prior to joining Security Executive of the Newman Inc. David has 25 with the Helsinki Police EMC in 2004, Dave built Year Mid-Atlantic Award years of experience aligning department beginning in 1992 and led security-consulting and Information Security security with business goals. and was a founding member organizations focused on Magazine Security 7 He received CSO Magazine’s of the Helsinki Criminal critical infrastructure, Award in 2007. Tim has 2006 “Compass Award” Police IT- investigation technology, banking, and held management roles with for visionary leadership in department. He holds a degree healthcare verticals. He holds BAE and Cisco Systems the Security Field. David in Master’s of Law. a B.S. in Manufacturing and served with the FBI. holds a Master’s degree in Systems Engineering from the He has a Bachelor’s degree Management and a Bachelor University of Hertfordshire in and completed Executive of Science in Criminal the UK. Leadership training at the Justice. Wharton School. Tim also served as adjunct faculty at Georgetown University.28 | security for business innovAtion council report | RSA, The Security Division of EMC
  • 31. guest ContriButor As President & CEO of CIS, Will provides leadership in establishing, implementing, and WilliAm Pelgrin, esq. President & overseeing CIS’s mission, goals, policies, and core principles. He is founder and Chair of CEO, Center for Internet Security (CIS); MS-ISAC, which is the focal point for cyber-threat prevention, protection, response, and Chair, Multi-State Information Sharing and recovery for U.S. state, local, territorial, and tribal governments. He just finished serving Analysis Center (MS-ISAC); and Immediate his third term as chair of NCI, which works to advance the physical and cyber security of Past Chair, National Council of ISACs (NCI) critical infrastructure and includes representation from major national industry sectors.dAve cullinAne, dr. mArtijn deKKer, ProFessor PAul dorey, renee guttmAnn,Chief Information Security Senior Vice President, Chief Founder and Director, CSO Chief Information SecurityOfficer and Vice President, Information Security Officer, Confidential and Former Officer,Global Fraud, Risk & aBn amro Chief Information Security the coca-cola companySecurity, eBay Officer, Bp Martijn was appointed Chief Renee is responsible forDave has more than 30 years Information Security Officer Paul is engaged in the information-risk-of security experience. Prior of ABN Amro in early 2010. consultancy, training, and management program atto joining eBay, Dave was the Previously he held several research to help vendors, The Coca-Cola Company.CISO for Washington Mutual positions in information end-user companies, and Previously, she was VP ofand held leadership positions security and IT including governments in developing Information Security andin security at nCipher, Sun Head of Information Security their security strategies. Before Privacy at Time Warner andLife, and Digital Equipment and Head of Technology founding CSO Confidential, Senior Director of InformationCorporation. Dave is Risk Management in the Paul was responsible for IT Security at Time Inc. Sheinvolved with many industry Netherlands. Other positions Security and Information has also held information-associations including as included IT Architect, and Records Management security roles at Capital Onecurrent Past International Program/Portfolio Manager, at BP. Previously, he ran and Glaxo Wellcome and hasPresident of ISSA. He has and IT Outsourcing/ security and risk management been a security analyst atnumerous awards including Offshoring Specialist. at Morgan Grenfell and Gartner. Renee received theSC Magazine’s Global Martijn joined ABN Amro Barclays Bank. Paul was a 2008 Compass Award fromAward as CSO of the Year for in 1997 after completing his founder of the Jericho Forum, CSO Magazine and in 20072005 and CSO Magazine’s Ph.D. in Mathematics at the is Chairman of the Institute was named a “Woman of2006 Compass Award as University of Amsterdam and of Information Security Influence” by the Executivea “Visionary Leader of the a Master’s of Mathematics at Professionals, and a Visiting Women’s Forum.Security Profession.” the University of Utrecht. Professor at Royal Holloway College, University of London.Felix mohAn, robert rodger, rAlPh sAlomon, vishAl sAlvi, CISM,Senior Vice President and Group Head of Infrastructure Vice President, IT Security & Chief Information SecurityChief Information Security Security, Risk Office, Global IT, sap ag Officer and Senior ViceOfficer, airtel hsBc holdings plc President, Ralph is responsible for hdfc Bank limitedAt Airtel, Felix ensures that Bob has been with HSBC developing and maintaininginformation security and IT Bank since 2004. He is the global IT security strategy Vishal is responsible foralign with changes to the risk responsible for Infrastructure and operational IT security driving the Information-environment and business (IT) Security and IT Security at SAP worldwide. His Security strategy and itsneeds. Previously, he was Architecture for the Group. many accomplishments implementation acrossCEO at a security-consulting Previously, Bob was Head include integration of HDFC Bank and itsfirm, an advisor with a Big-4 of IT Security at Bank of Security, Quality, and subsidiaries. Prior to HDFC,consulting firm, and head of Bermuda and worked for the Risk Management and he headed Global OperationalIT and security in the Indian Bank of Scotland Group in IT improvements in IT Service Information Security forNavy. He was a member of Security consulting roles. He and Business Continuity Standard Chartered BankIndia’s National Task Force has over 16 years’ experience Management, which led (SCB) where he also workedon Information Security, in banking IT security, SAP to achieve ISO 27001 in IT Service Delivery,Co-chair of the Indo-U.S. designing and implementing certification and to become Governance, and RiskCybersecurity Forum, and end-to-end security solutions the first German company to Management. Previously,awarded the Vishisht Seva for internal and external- be BS25999 certified. Prior to Vishal worked at CromptonMedal by the President of facing applications. He holds SAP, Ralph worked at KPMG Greaves, Development CreditIndia for innovative work in a B.Sc.(Hons) in Information as an IT Security, Quality, Bank, and Global TrustInformation Security. Technology with applied Risk and Risk Management Bank. He holds a Bachelor’s Management. advisor and auditor. of Engineering degree in Computers and a Master’s in Business Administration in Finance from NMIMS University. RSA, The Security Division of EMC | security for business innovAtion council report | 29
  • 32. ©2012 EMC Corporation. All rights reserved. EMC, EMC2, the EMC logo, RSA and the RSA logo are registered trademarks or trademarksof EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned herein are the property of their respective owners.h9068-CISO RPT 011230 | security for business innovAtion council report | RSA, The Security Division of EMC