ADVANCED THREATS SUMMIT 2012: KEY FINDINGS
RSA Security Brief, November 2012

In September 2012, RSA, The Security Division of EMC, hosted its second annual Advanced Threats Summit, an invitation-only meeting that brought together leading security thinkers and practitioners from government and business to share strategies for combating advanced threats: targeted cyber attacks conducted by technically sophisticated adversaries. More than 100 security and risk management executives participated in this year's Summit.

The closed-door meeting focused on providing actionable strategies for detecting and profiling advanced attacks and adversaries, and defeating them before losses occurred. Delegates at the Summit shared diverse perspectives and guidance on layered defenses, adversarial kill chain analysis, mobile risks, external threat intelligence and big data analytics for enhancing organizations' attack detection and incident response capabilities.

Reflecting the intensification of threat conditions over the past year, discussion themes at this year's Summit were deeper and more varied than at last year's inaugural event. Two themes, however, remained consistent. First, delegates affirmed that detecting and mitigating threats quickly is a far more realistic and productive goal than trying to prevent all breaches. Second, delegates said threat information sharing and collaboration remain an urgent and largely unmet need for the security community.

Delegates said they valued the Summit as a forum for sharing information about advanced threats and for stimulating new insights into how their organizations can combat them. This document highlights recurring themes and important observations from Advanced Threats Summit 2012.
ADVANCED ATTACKS RISE IN FREQUENCY AND SOPHISTICATION

More than 75 percent of Summit delegates polled at the event said that advanced cyber attacks on their organizations had increased over the past year, with 31 percent of all respondents reporting attacks had "increased dramatically."

The rise in attacks is perhaps unsurprising, given that nation-states and other well-organized adversaries continue to hone their tools and techniques for waging cyber attacks. As these tools and techniques improve, advanced adversaries increasingly regard the cyber vector as a comparably convenient and cost-effective way to acquire valuable information and fulfill their intelligence-gathering requirements.

Cyber adversaries are also using more sophisticated techniques to perpetrate their crimes, including by:
• Injecting malware to run attacks directly from memory, including decrypting payloads into memory so that nothing malicious is written to disk;
• Employing new rootkits to change data and logs to help mask illicit activities and prolong their presence in sensitive systems;
• Exploiting application logic in software platforms, possibly by gaining access to source code;
• Attacking high-value targets by first compromising parts of their information supply chains; and
• Using distributed denial-of-service attacks or other noisy diversionary tactics to hide more serious illicit activity.

Summit delegates from the financial services industry noted that criminal actors are becoming more ambitious in the amounts stolen through fraudulent wire transfers. Delegates theorized that criminal groups are using stolen funds—sometimes amounting to the millions—to underwrite other cyber attacks and criminal endeavors.

On-site audience poll: Which of these prospective adversaries pose the greatest cyber threat to your organization?
Nation states: 43.5%
Organized crime groups: 31.0%
Rogue insiders: 18.0%
Hacktivists: 7.5%
(From Advanced Threats Summit 2012 on-site audience poll)

ADVERSARIES ALLY TO GET SMARTER, BETTER, FASTER

Summit delegates who see threat intelligence from broad cross-sections of organizations have observed adversaries' capabilities improving at suspiciously fast rates. This prompted some to theorize that nation states and criminal groups may be sharing technologies and training each other. Criminal groups may be farming out their cyber skills to nation states, creating classes of cyber mercenaries. Nation states are rumored to be buying compromised log-in credentials and intelligence on zero-day vulnerabilities to advance their attack capabilities. Nation states and their state-owned companies may also be working together on cyber attacks to gather competitive intelligence and misappropriate intellectual property. Some Summit delegates also reported discovering evidence of collaboration between rogue insiders and criminal groups, as well as between insiders and hacktivists. This approach aligns with traditional pre-Internet-era intelligence gathering methods for nation states, criminal groups and other
ORGANIZATIONS RATE ADVANCED THREATS A TOP SECURITY CONCERN

Approximately 93 percent of Summit delegates have invested in countering advanced threats, with 60 percent of all respondents describing advanced threats as a "topmost security concern" that they're "very focused" on combating.

Despite advanced threats rising as a chief concern, only 20 percent of all delegates responding to the Summit's on-site poll characterized themselves as "highly effective" in defeating attacks from advanced adversaries. About 39 percent of respondents characterized their organizations as vulnerable (14 percent highly vulnerable, 25 percent somewhat vulnerable), and 37.5 percent characterized their organizations as having shown some proficiency in defeating advanced attacks.

On-site audience poll: Rate your organization's ability to counter advanced threats.
Highly vulnerable: 14.0%
Somewhat vulnerable: 25.0%
Not sure: 3.5%
Somewhat effective: 37.5%
Highly effective: 20.0%
(From Advanced Threats Summit 2012 on-site audience poll)

CYBER THREATS WIDEN THEIR LEAD ON CYBER LEGISLATION

The gap is growing between cyber threats and the legislation to address them. Summit participants expressed frustration with Congress's inaction in updating laws to reflect the Digital Age and in lowering barriers to sharing threat information.

Despite greater awareness of cyber threats among members of Congress and bipartisan cooperation on the issue, cyber legislation is stalled. Congress is considering forming bicameral committees on cyber threats. The specter of regulation, however, elicits a "radioactive" response among many legislators: they're reluctant to introduce a new regulatory authority for cyber threats, preferring to implement cyber regulations through the existing regulatory agencies (e.g., nuclear, energy, communications). Additionally, the government is shaping security practices by including new and potentially disparate cyber security requirements in Department of Defense and other federal contracts.

INTELLIGENCE SHARING REMAINS ELUSIVE

Challenges in exchanging threat intelligence were a recurring theme throughout the Summit. While sharing with external parties remains challenging, some delegates said it could also be difficult to share threat information internally with other parts of their own organizations. Some also questioned whether the mere act of sharing devalues intelligence by raising the risk of data leakage outside the trusted community.

Delegates repeatedly discussed the need to create and consume indicators of compromise faster, machine to machine. Some delegates pointed out, however, that threat intelligence is not just about sharing indicators of compromise; it's also about cultivating knowledge of adversaries' techniques and tradecraft. Because such knowledge cannot be neatly expressed as machine-readable indicators, delegates believe there will always be a need for person-to-person intelligence sharing.

THREAT ANALYSTS AND DATA SCIENTISTS WANTED

Skilled security talent with experience in advanced threats is scarce. About 59 percent of Summit delegates cited skills shortages as their organizations' "greatest deficiency in detecting and defeating advanced threats" (49 percent cited a lack of experienced in-house analysts, and a further 10 percent said they were turning to external consultants for deeper threat expertise). Summit delegates observed that everyone in the room was vying for the same type of talent: people experienced in advanced threat techniques, data science and predictive analytics.
SOCS PREFER CULTIVATING IN-HOUSE CAPABILITIES TO OUTSOURCING

Despite the difficulty in finding experienced security talent, only 32 percent of those at the Summit planned to fill their needs by partnering with external service providers and consultants; 63 percent said they intended to fill their needs in-house. These preferences may not represent the security community at large, however, since Summit participants come from many of the world's most advanced security operations centers (SOCs) and are thus less likely to outsource security functions.

Summit delegates conceded it makes sense in some cases to work with an ecosystem of partners to address specific deficiencies within their SOCs. Delegates saw value in using managed security service providers (MSSPs) as "information sharing factories" that could help enhance threat detection by analyzing incidents across a spectrum of customers. MSSPs could also achieve economies of scale in processing external intelligence feeds or in performing specific tasks such as malware analysis to augment internal capabilities.

Summit delegates said security concerns are impeding IT outsourcing. Chief among their concerns is the lack of real-time visibility into the security performance of service providers. Summit delegates decried prevailing practices for proving performance, saying SLAs and contracts are useful only after the fact, and only to attorneys. Delegates called for service providers to not just report performance but show how they're doing, perhaps through an appliance or interface that lets organizations monitor changes in the supplier's security posture in real time.

EXPLOIT ADVERSARIES' PERSISTENCE TO GAIN INTEL

Security teams can take advantage of cyber adversaries' desire to remain within target IT systems to study attackers' behaviors and techniques. The more an adversary tries to infiltrate systems, the more opportunities a SOC has to gather indicators. By analyzing attackers' progression through the "kill chain"—the necessary attack phases adversaries must go through to achieve their objectives—SOCs can pick up on subtle, recurring indicators to help detect and disrupt subsequent attacks using similar techniques.

LAYERED DEFENSES AND DETECTION REACH NEW DEPTHS

Organizations with experience successfully countering advanced threats say layered defenses are essential to success: they make it difficult and costly for cyber adversaries to execute their attacks. Summit delegates discussed security practices such as dynamic segmentation with VDI and network admission control (NAC).

Summit delegates also advocated taking a broader view of detection: catching threats at their point of intrusion is only one of several opportunities in an attack sequence for SOCs to uncover threats and prevent damage. SOCs can extend detection capabilities to look for changes in their systems, hunt for command-and-control activity and examine installations of
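The two points above, machine-to-machine consumption of indicators of compromise and tracking an adversary's progression through the kill chain, combine naturally in one piece of detection logic. The following is an added example and is not code from the RSA brief or from any Summit participant. Everything in it is constructed for illustration: the indicator feed, the event records, the host names, the seven phase names (the brief speaks only of "the necessary attack phases"; the standard seven-phase kill chain is assumed here), and the 60-minute window.

```python
"""
Added example: consume a machine-readable indicator feed and flag hosts
whose matched indicators progress through kill-chain phases within a
time window. All feed entries, events and hosts below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases in attack order (assumed standard names).
PHASES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_RANK = {name: i for i, name in enumerate(PHASES)}

# Constructed indicator feed, as a producer might publish it machine to
# machine. Each entry: observable type, value, and the phase it belongs to.
IOC_FEED = [
    {"type": "domain", "value": "cdn-update.example", "phase": "delivery"},
    {"type": "sha256", "value": "9b1e" * 16, "phase": "installation"},
    {"type": "ipv4", "value": "203.0.113.77", "phase": "command_and_control"},
    {"type": "ipv4", "value": "198.51.100.9", "phase": "command_and_control"},
]

# Constructed proxy and endpoint events (ISO-8601 timestamps, fake hosts).
EVENTS = [
    {"ts": "2012-09-12T09:01:10", "host": "ws-114", "domain": "cdn-update.example"},
    {"ts": "2012-09-12T09:03:42", "host": "ws-114", "sha256": "9b1e" * 16},
    {"ts": "2012-09-12T09:20:05", "host": "ws-114", "dst_ip": "203.0.113.77"},
    {"ts": "2012-09-12T11:15:00", "host": "ws-207", "dst_ip": "198.51.100.9"},
    {"ts": "2012-09-13T08:00:00", "host": "ws-301", "domain": "cdn-update.example"},
    {"ts": "2012-09-13T10:30:00", "host": "ws-301", "dst_ip": "203.0.113.77"},
]

# Which event field carries which indicator type.
FIELD_TO_TYPE = {"domain": "domain", "sha256": "sha256", "dst_ip": "ipv4"}


def index_feed(feed):
    """Build a (type, value) -> phase lookup so matching is a set probe."""
    return {(ioc["type"], ioc["value"]): ioc["phase"] for ioc in feed}


def match_events(events, feed):
    """Return (host, timestamp, phase) for every event that hits an indicator."""
    index = index_feed(feed)
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for field, ioc_type in FIELD_TO_TYPE.items():
            value = ev.get(field)
            if value is not None and (ioc_type, value) in index:
                hits.append((ev["host"], ts, index[(ioc_type, value)]))
    return hits


def progressed_hosts(hits, window_minutes=60, min_phases=2):
    """
    Flag hosts whose hits span at least `min_phases` distinct kill-chain
    phases, in attack order, within `window_minutes`. A lone C2 hit, or
    two hits hours apart, does not qualify; delivery followed by C2
    inside the window does. Returns {host: {"first_seen", "phases"}}.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for host, ts, phase in hits:
        by_host[host].append((ts, phase))

    flagged = {}
    for host, seq in by_host.items():
        seq.sort()
        for i, (start_ts, start_phase) in enumerate(seq):
            chain = [start_phase]
            for ts, phase in seq[i + 1:]:
                if ts - start_ts > window:
                    break  # outside the window: stop extending this chain
                if PHASE_RANK[phase] > PHASE_RANK[chain[-1]]:
                    chain.append(phase)  # only forward progression counts
            if len(chain) >= min_phases:
                flagged[host] = {"first_seen": start_ts.isoformat(),
                                 "phases": chain}
                break
    return flagged


if __name__ == "__main__":
    for host, info in progressed_hosts(match_events(EVENTS, IOC_FEED)).items():
        print(host, info["first_seen"], " -> ".join(info["phases"]))
```

With the sample data, only ws-114 is flagged: delivery, installation and command-and-control inside twenty minutes. ws-207 has a single C2 hit, which on its own is just an indicator match to triage, and ws-301's delivery and C2 hits are two and a half hours apart, so the default window ignores them; widening the window to three hours flags that host too. That trade-off is the practical one: a short window gives the 30-to-60-minute warning the delegates described, a long one catches slow-moving intrusions at the cost of more noise.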
BIG DATA YIELDS BIG INSIGHTS

Security leaders at the Summit showcased examples of data analytics being used to enhance IT situational awareness. One Summit delegate said his SOC used data analytics to help identify newly compromised systems, usually within 30 to 60 minutes. If attacks can be detected and disrupted within that period, it is highly unlikely adversaries would have had sufficient time to execute their plans.

Applying data analytics to security can also help compensate for shortcomings in signature-based detection systems by analyzing vast volumes of data to assess risks and to pinpoint potential problems for further investigation. Summit delegates said the ability to reconstruct network sessions is especially helpful in improving defenses, because it allows security analysts to study adversaries' techniques and the progression of attacks. Representatives from the financial services industry mentioned they were also applying big data analytics to uncover illicit insider activity.

On-site audience poll: What's your biggest deficiency in detecting and defeating advanced threats?
Technology for early detection and attack containment: 21%
In-house analysts experienced in advanced threat techniques, data science or predictive analytics: 49%
Deeper threat expertise (we are turning to external consultants/service providers): 10%
External threat intelligence to improve our understanding of the threat environment: 20%
(From Advanced Threats Summit 2012 on-site audience poll)

BREACH PREVENTION PROGRAMS FOCUS ON PEOPLE

Many of the preventative security measures discussed at the Summit focused on people, not systems. Delegates generally observed a trend toward treating internal employees as "a less-trusted space." Some delegates said their organizations conduct phishing attacks against employees as a way of fostering security awareness. Organizations are also reducing administrator privileges among IT staff. They're testing mobile security technologies on senior executives rather than beginning with lower-level employees, because executives often have the most valuable data to protect and the newest devices. They're limiting access to social media and proscribing the posting of job descriptions and titles on LinkedIn to make it harder for employees to be

MOBILE SECURITY MUST SCALE TO POTENTIAL RISKS

Security teams tend to view mobile security as a field fraught with new, unique challenges. Delegates found that calibrating users' expectations was often the biggest challenge in implementing mobile security practices. Users expect everything on mobile devices to be fast and easy; it's hard for them to accept that mobile security controls must scale to potential risks.

To the extent possible, organizations should implement technologies that keep corporate data on servers rather than on devices. The goal is to control data, regardless of where it is. VDI, applications based on HTML5 and the practice of driving mobile traffic through centralized clouds with built-in data controls were all cited at the Summit as promising techniques for enhancing mobile enterprise security.

LEVERAGE CORPORATE POLICIES TO WIN C-SUITE ADVOCATES FOR SECURITY

As corporate boards of directors take a greater interest in cyber security risks and their reputational and business impact, security executives are increasingly expected to report on their programs to address advanced threats. Security leaders should frame strategic initiatives within the context of their organizations' policies. Boards of directors and top executives do not want to have a "how to" discussion; they want to understand "what" the security team aspires to do and the potential results or consequences of those actions. Execution happens in committees, with the chair reporting progress to the board. Also, to win top-level support of security initiatives, it helps to quantify hypothetical consequences—especially public relations and reputational impact—and to include external viewpoints and best practices.
ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, data loss prevention, continuous network monitoring, and fraud protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com.

EMC2, EMC, the EMC logo, RSA, and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other products or services mentioned are trademarks of their respective companies. © Copyright 2012 EMC Corporation. All rights reserved. Published in the USA. H11240-atf-brf-1112