Cybercrime is nothing new. What is different now is the intimacy, reach and size of those attacks. There are hundreds of billions in losses each year. This unsettling state of affairs has created a binary world with really only two kinds of companies: those that have been hacked and admit it, and those that have been hacked and don't admit it or don’t know it yet. Worse yet, for the vast majority of individuals, very few of us have been untouched whether we know it or not. In NTT i³’s book “CyberCrime: Radically Rethinking the Global Threat,” Rich Boyer, Chief Architect for Security and Dr. Kenji Takahashi, VP Product Management for Security examine the current arms race between cybercriminals and their diverse and agile toolkits and the radically new approaches to cybersecurity that the enterprise must adopt to compete and win.

1. 1 NTTI3.COM
CYBERCRIME:
RADICALLY RETHINKING
THE GLOBAL THREAT
NTT INNOVATION INSTITUTE, INC.

2. 2 NTTI3.COM
Cybercrime is nothing new. What is different now is the intimacy of those
attacks. It is no longer only about some big name company looking foolish.
Cybercrime now touches the lives of everyone in society. The enormous
profit to criminals and the risk to individuals bring the scope of the evolution
of cybercrime directly into every house and home – everyday, everywhere.
In the 1970s and 1980s, there were stories of individual bank teller
embezzlements, ‘phone phreaks’ manipulating computerized systems in
search of free long distance service, and college students breaking into
Department of Defense communications systems. In the late 1990s and
early 2000s, several computer viruses drew attention to expanding threats
and resulted in the birth of a whole new industry of anti-virus software.
And in the year 2000, there was the first documented denial-of-service
(DoS) attack traced back to a 15 year old Canadian who called himself
‘mafiaboy,’ causing more than a billion dollars in damage against a number
of prominent e-commerce sites.
All of this pales in size, sophistication, reach, and intent to the organized
and highly sophisticated global cybercrime we have seen steadily growing
over the past 15 years.
Today, cybercriminals and ‘black hat’ attackers look less like yesterday’s
nerdy hackers hunched over computers in basements while harboring a
vendetta against “the system.” Now they act more like Mafioso versions
of sophisticated Silicon Valley startups. The digital criminal element has
worked harder, become more innovative, and successfully broadened their
toolset in order to compete, and outstrip, the efforts of the established
enterprise security industry. They are more sophisticated and agile than
• Senior Executives – looking
to protect their company
against the rising risk of
cybercrime, the impact to
shareholders, and company
assets and partners.
• The Three Percent of
Internet Users – who don’t
think they or their organization
will be targeted.
• Strategic Business
Thinkers - who need to realign
their organizations due to the
pervasive nature of cybercrime.
• Organizational Resource
planners – who manage the
proactive, reactive and ongoing
defenses against cybercrime.
• The 100% of Technology
users - who are intentionally
targeted.
WHO NEEDS TO CARE
ABOUT CYBERCRIME?

3. 3 NTTI3.COM
the companies they attack. They are masters at taking full advantage of
the cloud, crowdsourcing, open exchange of data, and technologies often
untethered to any particular infrastructure.
The result of this? Hundreds of billions in losses each year. This unsettling
state of affairs has created a binary world with really only two kinds of
companies: those that have been hacked and admit it, and those that have
been hacked and don’t admit it or don’t know it yet. Worse yet, for the vast
majority of individuals, very few of us have been untouched whether we
know it or not.
In order to compete with the scale and agility of modern cybercriminals,
forward-thinking enterprises and security leaders must begin to relate to
them as some of the most powerful and innovative digital competitors
that they will ever face. Security needs to be reframed in a larger strategic
context as a value-creating investment rather than a value-protecting
investment.
With the move to digital ‘everything,’ cybercrime is a bigger risk now than
ever before due to the sheer number of connected people and devices.
The analog world is shrinking rapidly, being replaced by an always-on,
always-connected digital one. It’s only going to get worse if we don’t pay
attention now and rethink security strategies and technologies.
ESCALATING COST OF
CYBERCRIME
2014:
$575B
2013:
$400B
2012:
$274B
2011:
$114B
1
Rich Boyer Dr. Kenji Takahashi

4. 4 NTTI3.COM
TABLE OF CONTENTS CHAPTER 1
Evolution and Drivers of Cybercrime 5
• What is Cybercrime?
• Economic, Cultural and Social Drivers
• Technology Drivers
• Cybercrime Toolset
CHAPTER 2
The Changing Landscape of Enterprise Security 11
• Lateral Attacks
• The Perimeter Is the User
• The New IT Challenges of Agile Cybercrime
CHAPTER 3
The Need to Evolve Enterprise Security in the 21st Century 21
CHAPTER 4
New Security Approaches and Solutions 26
• Threat Intelligence
• Security as a Service
• Communities of Sharing

5. 5 NTTI3.COM
TABLE OF CONTENTS CHAPTER 5
Questions for the Near Future of Security 32
APPENDIX 35
• About NTT Innovation Institute Inc.
• About the Authors
• Resources and Citations

6. 6 NTTI3.COM
CHAPTER 1
Evolution
and
Drivers of
Cybercrime
WHAT IS CYBERCRIME?
ECONOMIC, CULTURAL AND
SOCIAL DRIVERS
TECHNOLOGY DRIVERS
CYBERCRIME TOOLSET

7. 7 NTTI3.COM
While cybercrime may be simply
defined as “unlawful acts wherein
the computer is either a tool or
target or both” – the way in which
it manifests today is much more
complicated and expansive than this
simple definition.
Cybercrime is ultimately about
leveraging flaws in security coverage
in order to steal, manipulate, and
monetize data. The strategy of
the criminal is relatively simple
- pursue a course of hacking
and monetizing someone’s lack
of security vision or incomplete
implementation in order to maximize
their own revenues or capabilities.
While this is the strategy, the way
individual cybercriminals pursue this
varies based on the focus of each
organization.
Just like in the world of physical
crime, some cybercriminals are
opportunistically focused on simple
‘smash and grab’ opportunities.
Others are selective in biding their
time and maximizing their ROI
by picking their targets based on
success potential and long term
upside. Some cybercriminals
provide products and services for
others to use in monetization. Other
cybercriminals simply focus on
opening up opportunities. In short,
if it were not for the deeply illegal
nature of their activities, it would
be hard to distinguish their working
ecosystem from those of legitimate
organizations.
Ultimately, criminal enterprises look
to leverage opportunity, maximize
returns, hedge their risks, and work
more efficiently. Hackers track
weak and strong points in legitimate
organizations and industries, and
then strategize (just like other
businesses do) using the same
drivers for usability, cost reduction,
geographical reach and go-to-
market forces to shape their targets
and approaches.
Just as broad social, cultural,
economic and technology
trends reshape legitimate global
businesses, those same forces
impact cybercrime. To get ahead
of cybercrime and create intelligent
and robust security capabilities for
legitimate organizations, it is crucial
to understand cybercrime from this
point of view. Only then can digital
security truly compete with this
fast-paced and constantly evolving
criminal industry.
WHAT IS CYBERCRIME?
“Hackers are breaking
the systems for
profit. Before, it was
about intellectual
curiosity and pursuit of
knowledge and thrill,
and now hacking is big
business.”
- Kevin Mitnick, noted computer
security consultant, former hacker,
and one of the few individuals ever
convicted of cybercrime.

8. 8 NTTI3.COM
The new and powerful economic,
cultural and social factors that are
reshaping modern businesses are
also enabling cybercrime to further
pierce global borders. The result is
the creation of newly empowered
and agile networks of international
cybercriminals.
These include:
• Digitally native hackers become
mercenaries deployed against
‘good enough’ security measures in
increasingly complex multi-vendor,
multi-partner systems.
• Inconsistent laws across the globe
make tracking and prosecuting
criminals difficult and time
consuming.
• The increasing value that can be
extracted from the sale of raw data
changes the risk-reward ratio of
cybercrime.
• The ease with which malicious
software can be distributed across
systems and people shortens
deployment time and extends the
reach of cybercrime.
• The rise of the Dark Web
continues to drive marketplaces for
the fruits of cybercrime.
• Public sympathy for some forms
of ‘hactivism’ can blur the lines
between social activism and crime.
A majority of the most powerful
technology drivers of legitimate
business are also fueling the
relentless engine of modern
cybercrime. These include: cloud
services, crowdsourcing, the
democratization and monetization
of data, unlinking of capability and
infrastructure, and the pervasiveness
of mobile and wireless technologies.
ECONOMIC, CULTURAL
AND SOCIAL DRIVERS
“We are building our
lives around our wired
and wireless networks.
The question is, are we
ready to work together
to defend them?”
- FBI

9. 9 NTTI3.COM
The Cloud
Cloud services are abundant and
widely available. Criminals use
inexpensive, reliable, and publicly
accessible cloud computing and
network resources. This allows fast
startup, usage, and abandonment.
The resources that formerly required
extensive efforts to establish and
maintain have been transformed.
Many are now available for rent, with
the cost distributed across a large
set of criminal entities. Cybercrime
services are now called on-demand,
rather than burdened upon a
single entity to own, maintain, and
monetize.
Crowdsourcing
Crowdsourcing is rapidly growing
as a means of accessing talent,
strategy, and information.
Underground cybercrime enterprises
create fast-to-market and innovative
Software as a Service (SaaS)
offerings, housed within seemingly
legitimate corporations easily
found on the Dark Web. A prime
example of this is DDoS-for-hire,
masquerading as a legitimate
‘network stressing’ service.
Democratization and Monetization
of Data
Underground brokerages and
marketplaces are extensive and
produce the environment to sell
stolen data. This started with high-
value data goods such as credit
cards, personal information, and
credentials. This then moved
into broader intellectual property
and data secrets exchanges and
services to map professional
capabilities to willing clients. The
collection and dissemination of
stolen data works just like any other
resale business, including finding
the right cost structure, customer
research, sales, and marketing.
Mobile Technology and Wireless
Networks
Widespread and pervasive use
of these technologies enables
criminals to work virtually anywhere
and anytime - beyond enterprise
perimeters. This is to their
advantage, allowing them to attract
top talent driven by results and
verified reputation, not by the whims
corporate politics.
TECHNOLOGY DRIVERS

10. 10 NTTI3.COM
The cybercriminal’s world revolves
around looking across the full
stack of IT infrastructure for
vulnerabilities. Those vulnerabilities
are then leveraged against all attack
vectors that will provide access to
the desired data. Even the most
meandering paths are pursued.
Cybercriminals are relentlessly
agile and invest heavily in new
technologies and techniques. Like
legitimate businesses, being nimble
and effective is vitally important to
their survival. This has given rise
to the development, availability,
and commoditization of powerful
cybercrime tools and infrastructure
across the Dark Web.
In the world of cybercrime, results
matter and are constantly on display.
If you win big and win often, you get
the premiums. Just like any other
business, to be successful and in
demand, you just need to maintain
your relevance and skills.
The cybercrime toolset can be
defined as a true multi-sided,
distributed digital platform that
includes a full range of products
and services from many vendors.
There are probably a greater variety
of cybercrime tools and solutions
available than security products and
services. These include:
• Hosted malware
• Denial of Service (DoS) as a
Service
• Exploit kits for sale or rent
The cybercrime toolset can deliver
a ‘soup to nuts’ capability for
individual hackers or vast cybercrime
organizations. Any criminal can
start small and then scale to meet
their needs. Any combination of
technology capabilities is possible
through on-demand or long-term
committed talent that is available via
either insourcing or outsourcing.
CYBERCRIME
TOOLSET
• Malware as a service – Malware can be provided today via
self-service models, and then managed, distributed and utilized to
deliver specific capabilities to an attacker.
• DDOS as a service – Often masquerading as legitimate
‘network stressor’ services, they can be purchased by the minute
and directed against any target in the world.
• Skill sets on demand – Individuals with specialist capabilities
are able to be accessed and ‘spun-up’ on short notice. They deliver
those capabilities on demand, and disappear once the task is
accomplished
• Vulnerabilities for sale – New and valuable vulnerabilities
and the tools to exploit them are hunted, marketed and sold on a
commodity market. Values in this market are set by the vulnerability
and the effectiveness of the exploit.
• Attack vectors for sale – Complete blueprints are available
documenting the precise ways that hackers have successfully
infiltrated an organization. Step-by-step mechanisms, with support
and success guarantees, are provided.

11. 11 NTTI3.COM
The community that has formed
around the cybercrime toolset
represents many users extending,
integrating, and utilizing a growing
number of specialized technologies
from this vast distributed
community. Looking in from the
outside, their actions appear to
be a coherent, customizable, and
possessing global attack capability.
Generalists use the tools already
available and contribute their
knowledge, updates in successful
techniques, and modifications to
tools. Specialists focus on their
specific domains, reselling their
tools and services to almost anyone.
Purchasable cybercrime services
have lowered the barriers to
entry and dramatically simplify
the attacker’s job, while also
serving as important sources
of low overhead and reduced
risk income. There are probably
a greater variety of cybercrime
tools and solutions available than
security products and services.
These commoditized services have
allowed a newer generation of less
‘experienced’ cybercriminals to be
increasingly effective. Newcomers
can now leverage, rent, or reuse
the capabilities and code of other
specialists to launch their own
attacks, rather than investing the
time to build from scratch. As
hackers find markets for leveraging
each other’s skillsets and code,
individual hackers and small
collectives can flourish alongside
massive criminal organizations.
Organizations grow, change, and
refocus as rapidly as success
and common desires are aligned
and disband, or morph into new
capabilities as priorities change.
Unsophisticated hackers using
commoditized tools are not
necessarily more successful. In
many cases, they simply create
more noise. But this noise can be
used as ongoing crowdsourced
cover for many other successful
attacks and reconnaissance. While it
is common in the industry to dismiss
much of this noise as useless data,
many retrospectives reveal evidence
of iterative failed attempts within
this noise well before a successful
security breach.
The commoditization of cybercrime
skills and tools has also made it
cost-effective to attack cheaper
and less lucrative targets. As a
result, the criminal industry is no
longer exclusively focused on
traditional strongholds. They are
motivated to invade easier, more
accessible targets such as supply
chains and tangentially associated
organizations. These efforts enable
them to establish backchannels
into better-secured targets and
enterprises. Digitization has made
organizations increasingly security
risk interdependent.
“In the past,
cybercrime was
committed mainly by
individuals or small
groups. Today, we
are seeing criminal
organizations working
with criminally
minded technology
professionals to
commit cybercrime
often to fund other
illegal activities.
Highly complex, these
cybercriminal networks
bring together
individuals from across
the globe in real time
to commit crimes on
an unprecedented
scale. “
- Interpol

12. 12 NTTI3.COM
CHAPTER 2
The
Changing
Landscape
of
Enterprise
Security
and Attacks
LATERAL ATTACKS
THE PERIMETER IS THE USER
THE NEW IT CHALLENGES OF
AGILE CYBERCRIME

13. 13 NTTI3.COM
The state of today’s enterprise
environment varies wildly in terms
of the effectiveness of security
practices. However, there are
many common truths regardless of
size, regulatory requirements and
effectiveness of risk management in
the organization.
Security infrastructures are by
nature under-resourced and are
usually the last consideration in
feature and functionality-driven
IT environments. The resources
that do exist are often under-
implemented with little ongoing
consideration being given to the
alignment between holistic security
and effective IT functionality. Many
assumptions about the effectiveness
of security, even for the few well-
resourced organizations, are hard
to validate with quality metrics.
Even the most well-intentioned and
well-funded efforts seem to focus
more on taking current security
capabilities forward, rather than
discovering meaningful measures to
identify threats and prevent attacks
in the future.
Given this state of the security
environment of most global
enterprises, there are three key
trends in cybercrime that demand
a radical shift in perspective and
strategy.
Lateral Attacks are on the Rise
Security breaches are originating
in one organization, but spreading
to partner networks as businesses
become increasingly interconnected
– often in unexpected ways.
Users are the New Perimeter of IT
Security
The trend of bring-your-own-
device combined with increased
telecommuting and technology
use across organizations have
resulted in a dramatic increase in
security vulnerabilities. This can be
attributed to the behaviors of end
users both inside and outside the
physical walls of organizations.
Cybercrime’s Agility Presents New
Challenges
The increasing speed and global
resources of cybercrime innovation
puts pressure on security
professionals to move faster,
smarter and more efficiently – if they
hope to keep pace and outsmart
their criminal counterparts.

14. 14 NTTI3.COM
Most businesses have succeeded in
putting the basics of ‘front door’ data
security in place. This has merely
driven cybercriminals to move away
from direct attacks. When thefront
door’ is successfully locked, they
move on to alternate indirect or
‘lateral’ attack paths. These new
paths lead into the organization
through other organizations such
as the business’ unsuspecting, and
often less secure, partners.
Lateral attacks can occur in any
industry. Any company with multiple
outside partner relationships with
little direct insight into their networks,
infrastructure, and security measures
is at risk. Businesses are often
unknowingly at the mercy of the
security practices of their external
organizations.
Many organizations, especially
those farther removed from a
cybercriminal’s juicy target, have the
attitude of “I don’t have anything of
value”. Even when that is true (and it
often is not), the value they do have
is, quite simply, their relationships
- especially trust relationships. In
2014, the Target breach was directly
related to a heating and cooling
contractor who had access to the
retail chain’s infrastructure. The
contractor likely had very little of
cyber-value, except for that access
to Target. That access made all the
difference to the criminals with loss
estimates ranging from $250M to
more than $1B for Target.
To successfully gain entrance to a
company, an attacker might spend
some effort attacking their vendors,
suppliers, or third-party logistics
network. These are considered
‘gateway’ organizations. Once they
LATERAL ATTACKS

15. 15 NTTI3.COM
have this foothold, they will not
only directly gather what valuable
information they can from the
partner organization, but also
manipulate the trusted connections
between partners to gain access to
the main target.
Consider that an organization
or business is composed of
not only their primary technical
interconnections, but also numerous
social, relationship, media, manual
and logical connections. With
this kind of complex system, any
organization of any size will have
thousands of touch points that are
exploitable by cybercriminals across
the side or lateral boundaries.
Take the case of a large company that
books corporate travel and provides
concierge services to its business
clients. In the course of its daily
operations, large amounts of data
are accessed from multiple service
providers around the world. This could
include destination information, weather
forecasts, travel restrictions, and details
about special events. The aggregation
and presentation of this multi-source
data is key to the company’s core
business of value-add service offerings.
With so many data and service providers
located in various locations around the
globe – it is nearly impossible for the
business to understand and manage the
specifics of ownership and legitimacy of
its partners. As a result, no set security
controls are in place for integrating
outside vendors’ and partners’ systems.
So what happens?
A team of hackers has the opportunity
to quickly and quietly take control of a
defunct partner, and redirect that partner
to an illegitimate provider. It is then a
simple task to reconstitute services to
appear to be real and trustworthy, while
redirecting the real business’ customers
through intermediate rogue services.
Their credit card information is copied
‘in-flight’ before completing transactions
on legitimate services. All of this would
be completely unknown to the travel
company or its clientele.
This kind of problem can exist for
significant periods of time before
detection, resulting in significant financial
losses and damaged trust and reputation
The Story of a Lateral Attack

16. 16 NTTI3.COM
Steps – Lateral Attack
1. Attacker compromises a downstream
logistics company that has less
security than the actual target, a
manufacturer.
2. The attacker utilizes existing IT
resources to find trusted relationships
between the two companies.
3. The trusted relationship with the
actual ‘victim’ is used to gain access
into the manufacturer.
4. Data is exacted from the victim
(exploiting internal IT resources is
typically cheap and easy, once inside)
and moved back to the logistics
company.
5. The data is then extracted from the
logistics company placed into the
hands of the cybercriminals.
Attacker Company A
user
Company A
IT resources
Company B
IT resources
STEP 1:
Attack
STEP 2:
Attack
STEP 3:
Latral attack
exploiting trust
relationship
STEP 4:
Extract valuable
dataSTEP 5:
Extract data
Using internal IT
resources
CRM integration
with trust
relationship

17. 17 NTTI3.COM
There has been a massive increase
in mobile devices and the trend
towards using those devices not
only at work, but at home, outside
the known security measures of
corporate networks. More than ever
before, this has set up the untrained
end user as the most desired
entry point into a cybercriminals’
targeted business. This person can
be anyone - a trusted long-term
employee or a loosely connected
service provider.
The result is that today - the end
user and their device is now the new
perimeter for business security.
A company and its data are only
as secure as the practices of the
weakest employee. Most individuals
in an organization don’t adhere to
a company’s security policies as
strictly as they should. This is largely
a result of perceived inconvenience
and the desire to get work done
quickly. Unless a company has
technical controls in place that force
certain security measures – like a
base example of automatic locking of
an idle laptop and required password
protection – employees will opt for
the fastest and easiest route to their
desired outcome.
The challenge is to protect end users
against attacks no matter where they
are. It is difficult enough to maintain
patch levels on a single server farm,
much less thousands of end-user
machines. The ultimate impact is
that the massive investment in onsite
corporate security infrastructures is
failing to protect end user systems.
Consequently, they have become
a critical liability as they leave the
corporate security envelope and
return to work with a compromised
THE PERIMETER IS THE
USER
GLOBAL THREAT INTELLIGENCE REPORT 2015:
7 of the Top 10 Vulnerabilities are with end users
1. Outdated Java Runtime Environment
2. Oracle Java SE Critical Patch Update
3. Multiple Vulnerabilities In Java Web Start
4. Missing MS Windows Security Updates
5. Outdated Flash Player Version
6. Outdated Adobe Reader And Acrobat
7. Outdated Internet Explorer
8. Multiple Oracle Vulnerabilities
9. Outdated/Missing Patches Oracle DB
10. Outdated OpenSSH Version
√
√
√
√
√
√
√

18. 18 NTTI3.COM
device. This device then becomes
a potential gateway for attackers
looking to penetrate the organization.
While many attacks are detected
and blocked on the user device by
onboard security, many more get
through due to the varied landscape
and the constant race between
the cybercriminal element and
security vendors. It is typical for an
organization to see a significant rise
of detected compromised machines
after they have been out of the
enterprise security envelope. This
is true when machines are taken
out of the office environment for the
weekend. They become targeted
and compromised (without the
knowledge of their uers) and then
are returned to the greater security
detection capabilities inside the
enterprise.
Detection and remediation are
critical to protecting the network.
It is safe to assume that the data
available to the user has a high
likelihood of exposure over the
course of time. A percentage of the
compromise will not be revealed,
even by internal enterprise security
measures. NTT research studies1
have shown that approximately 50%
of end-user compromise attempts
are detected by onboard capabilities
(anti-virus and other software) and
the remainder by internal IT. That
scenario may take days, weeks,
months or longer for the specific
problem to be identified and
addressed. These figures imply that
detection rates show only a limited
view of security problems, and the
impact of undetected compromises
is nearly impossible to measure.
The ultimate impact is that the
massive investment in traditional
onsite corporate security
infrastructures is failing to protect
end user systems that are often
outside of the network.
“A company can
spend hundreds of
thousands of dollars
on firewalls, intrusion
detection systems and
encryption and other
security technologies,
but if an attacker
can call one trusted
person within the
company, and that
person complies, and
if the attacker gets in,
then all that money
spent on technology is
essentially wasted”
- Kevin Mitnick

19. 19 NTTI3.COM
Employees use a variety of cloud-based
applications such as Dropbox or Google
Drive to not only share files with each
other, but also to make them accessible
from devices they may have at home.
Sometimes these files have highly
sensitive information. This is where a
security problem can begin, without the
knowledge of the employee.
If an employee uploads a document to
the cloud to access from their home
computer or mobile device, and then
makes changes to and saves that
document back to the cloud, corporate
security controls are being bypassed.
Whatever bots or malware that may have
been residing on the home computer
can use those same channels to copy
files and setup executables to run when
they are back inside the corporate
network. Even with security controls in
place, those same services can facilitate
the transfer of sensitive files that can
end up in the hands of a hacker. When
an organization has thousands of
employees who unintentionally perform
this type of insecure behavior on a
daily basis, the business risks become
substantial.
Most IT security is focused
on the straight-line protection
of a user accessing the
Internet. When a user moves
outside of the corporate
security environment and
is directly exposed to the
Internet, it is often the user
that becomes the last line
of cybercrime defense. The
same holds true then a
compromise occurs inside
an organization. It is typically
an untrained user who holds
security ownership, as one of
very few potentially effective
defenses.
INTERNET
No corporate security
when user takes
devices outside. User
is mostly responsible
for security
Corporate perimeter
Proxy
Prevents bad
site browsing
DLP
Detects data
leaks
WAF
Detects web
attacks and
blocks
IDS
Detects attacks
and blocks
them
Firewall
Blocks most
unwanted traffic
Router
Removes
malformed
traffic
Compromised
internal
system
Connecting to Internet -
corporate security provides
perimeter
Connecting to
inside resource
there’s little or no
perimter
The User as the Security
Permieter

20. 20 NTTI3.COM
The increasing speed and global
resources of cybercrime innovation
puts pressure on security
professionals to move faster,
smarter and more efficiently if they
hope to keep pace and outsmart
their criminal counterparts.
In the world of legitimate enterprise
business, security has been
driven by waves of products and
services. Each one focused on the
next big thing: anti-virus, firewalls,
intrusion detection, proxies, data
loss, web application firewalls, and
advanced persistent threats. While
these technologies are designed
to address what is perceived to be
the latest and most critical threat,
none cover more than a fraction of
the true risk that comes from the
massive range of available security
exploits.
When new major vulnerabilities
make the news, many enterprise
IT managers react with changes in
their organization that are driven
by fears of that new exploit or
attack vector. Big events such as
Heartbleed or Shellshock caused
a reset in the entire security space.
In these instances, companies
and security vendors focused on
fixing immediate security threats,
rather than taking a long-term view
of effective security management.
Some of this is justified, as these
types of vulnerabilities are serious.
Yet periods of heightened security
focus do not solve the underlying
problem of how to own and manage
the security control process in an
ongoing effective way.
While parts of the criminal element
may be driven by the same cycle of
awareness and focus as enterprise
IT managers, they have an added
advantage. They are incredibly
agile. They can mount their attack
on a business’ vulnerability faster
than most organizations can
understand, acquire, implement, and
operationalize the corresponding
defenses. In fact, the Dark Web
is filled with support structures
for criminals to exchange and
sell information, follow vendor
advisories, and track researchers. All
of this is in the service of discovering
a new vulnerability to exploit before
anyone can detect or patch it.
While agile attackers aim for new
vulnerabilities, they also realize
that it is much easier to target the
massive quantity of persistent or
legacy vulnerabilities existing in
corporate infrastructure. What the
industry sees and attackers exploit,
is the awareness cycles that do not
drive software patching initiatives in
the long term. The 2015 NTT Global
Threat Intelligence Report2
revealed
that 76% of identified vulnerabilities
were more than 2 years old, and
almost 9% were over 10 years old.
In fact, the biggest vulnerabilities of
2014 (Heartbleed and Shellshock)
have been present in software for as
many as 25 years.
THE NEW IT CHALLENGES
OF AGILE CYBERCRIME
In 2014, 76% of
identified security
vulnerabilities were
more than 2 years old,
and almost 9% were
over 10 years old.

21. 21 NTTI3.COM
WATERFALL ENTERPRISE IT AGILE CYBERCRIME
WHAT DRIVES
CHANGE?
Change is based on supporting
past big successes and building
on those to create timelines and
priorities set on an annual basis
and typically tied to budgeting
cycle.
Change is tied to repeatable fast
failure. Success is measured in
tiny increments. Many small trials
occur on a rapid basis, with the
assumption that most, if not all,
will fail. The intention is to iterate
against one or many enterprises,
or resources in an enterprise, until
successes happen.
HOW ARE
SUCCESS AND
FAILURE HANDLED
AND MEASURED?
Success and failure are based on
measured opportunity to improve
the environment, provide new
capabilities while minimizing user
impact so that buy-in can be
achieved.
Failures represent lessons that are
learned quickly, with adjustments
made as quickly as possible.
Knowledge of success and
failure is shared on an ongoing
basis. When new ideas are
successful, they quickly propagate
and become ingrained into
cybercrime’s capabilities.
HOW IS CHANGE
MANAGED?
Change tends to be very
measured and stepwise so as
to maintain uptime, rather than
failing fast and recovering quickly
as that has significant impacts on
customers (end users).
Changes are immediately put into
testing in real world scenarios
where the point is not to get buy-
in, but rather demonstrate forward
momentum.

22. 22 NTTI3.COM
CHAPTER 3
The Need
to Evolve
Enterprise
Security
for 21st
Century
Security
Risks

23. 23 NTTI3.COM
The challenge for today’s enterprise
is in understanding that security is
not the typical organization’s core
business. A company can excel
in their specific industry, yet have
little knowledge or capability for
addressing the security that it so
desperately needs. The world of
cybercrime is exactly the opposite.
Hacking security is their core
business. This makes cybercriminals
the most powerful competitors that
legitimate businesses face in this
area.
For example, auto manufacturers
do not need to provide the best
tire manufacturing capabilities, HR
software, or gasoline production.
Rather, they acquire those from
other providers. On a global scale,
this is exactly what protection from
cybercriminals requires organizations
to do – manage complex systems
with diverse components that are
outside of their area of expertise, but
upon which their business relies.
The Scope of the IT Security
Challenge
Enterprises face complex multi-
faceted security concerns due to:
1. A shortage of skilled security
engineers
2. Out of date conventional security
practices and technologies
3. Organizations that tap into IT
resources outside their own security
boundaries
4. The diversity and complexity of the
modern hybrid IT environment
5. The consumption of cheap and
sophisticated services outstripping
the ability to create a single cohesive
control model

24. 24 NTTI3.COM
1. A shortage of Skilled Security
Engineers
Companies are essentially up
against cybercrime specialists and
must invest without the benefit
of receiving immediate bottom
line ROI. When combined with a
shortage of trained engineers, this
impacts the organization’s ability to
address threats. IT organizations
must constantly invest, respond,
and strategize or become targets.
In effect, the global IT industry
has failed to recognize and treat
cybercrime as a digital business,
resulting in an ineffective response to
addressing the problem globally.
2. Out of Date Conventional Security
Practices and Technologies
Conventional security frameworks
were designed to fight a very
different battle. Conventional security
control is accomplished using the
hierarchy of networks and products
to create a ‘wall’ to protect endpoints
and servers as well as valuable data
and information. Often this structure
fails to create a single control point
between the organization and their
cybercriminal competitor. Walls and
barriers to entry are breached with
each group of hackers progressing
a little further into the defensive
patchwork of technologies. They can
then report and sell that information
to the next criminal group.
Manufacturing companies are at huge
risk of falling victim to cybercrime.
This results largely from their lack of
awareness of how incredibly vulnerable
they are. In addition, they are often
not financed to address that burden of
security vulnerability.
Let’s take the example of a simple
polymer manufacturer that has been
in business for decades. Since the
company uses processes that are largely
standardized throughout the industry
and have no substantial Intellectual
Property to protect, they believe they
have next to nothing to safeguard. The
only systems with real safeguards (e.g.
no Internet connections) are the physical
plants themselves. Manufacturing control
system vendors are now pushing to
connect those plants. Consequently,
they don’t invest in any sort of significant
security measures or controls. This can
turn out to be a fatal assumption.
While a company may not think it has
specific IP to protect, it may well have
massive security risks as a result of the
prominence of its senior executives.
Cybercriminals have the ability to create
havoc through false identities that enable
them to use the manufacturer’s own
processes to commit bank fraud. How
can that happen?
A company may have well-known senior
executives who speak at many industry
events, appear on news programs,
and are increasingly in the public
eye. Hackers can create fake emails
appearing to come from senior officials
in the organization. They can use those
email identities to authorize fraudulent
money transfers, supposedly between
the company and its suppliers.
The money then ends up in offshore
accounts while the company’s suppliers
lose millions of dollars. Did the company
have nothing at risk? Yes and no. Maybe
not in the traditional “you’ll steal my
intellectual property way”, but that is
certainly not the only secret the company
needs to protect. If a supplier loses
millions, who holds the responsibility and
the liability?
This particular example is fictitious.
Nonetheless, it is a scenario that occurs
every day, and demonstrates the need
for stringent security measures – even
when a company thinks it has nothing to
worry about. Hence, the goal of global
organizations should be to consider what
secrets they do have. Anything that can
be kept as a secret is something the
attacker is always looking to access and
monetize.
The Potential for Cybercrime in
Manufacturing

25. 25 NTTI3.COM
3. Organizations that tap into IT
resources outside their own security
boundaries
Organizations large and small have
grown beyond their traditional
physical boundaries, reaching
out of local infrastructures and
national borders to tap resources
and capabilities around the world.
This effectively creates stateless
infrastructure that represents many
vulnerable entry points that need
to be continuously protected.
Cybercriminals also reach across
borders and into the same niches
occupied by legitimate businesses.
They are masters of applying
resources in an ‘anything, anywhere,
anytime’ model.
The rise of borderless capabilities
often breaks the implementation
of traditional security controls as
organizations are faced with different
control structures, implementations,
policies, and capabilities across
locations.
4. The diversity and complexity of
the modern hybrid IT environment
The diversity of the modern hybrid
IT environment widens the attack
landscape, creating a dramatic
increase in the complexity of
managing security operations. This
complexity requires management
that is not just confined to the local
infrastructure, but spans across the
organization into many areas that
may not be recognized as part of
the traditional domain. This includes
Shadow IT, third parties, partners,
supply chains, and the mobile
workforce.
Cybercriminals, on the other hand,
are global, well-funded, skilled, and
easily outnumber security staffers at
most organizations. Hiring particular
skill sets on the Dark Web often
requires only a few minutes of effort
in their hybrid world.
The Connected Car offers consumers
many features and conveniences that
allow for connectivity to the world at
large – including telematics systems,
satellite communications/navigation
systems, USB ports, digital sound
systems, onboard WiFi, streaming
media, and more. Yet these same
conveniences provide numerous points
of entry to hackers, very much like a
company with employees using multiple
applications and devices outside the
walls of corporate security.
In the Connected Car, everything is
intertwined while originating from several
disparate sources. Car manufacturers
are ultimately responsible for all the
various parts that come as standard
or added features in their cars. They
have no real way of ensuring that all
these entry points are protected and
secure, since they come from different
providers and networks. This means
that safeguarding communications and
enacting strict security controls can
be extremely difficult in a multi-vendor
environment.
How do we need to rethink cybercrime
and security in a world where these
kinds of questions become real?
• What protections need to be in place
to prevent the hijacking of a car, or
even to provide a warning that there
is tampering underway within a
single system?
• As the environment around a car
becomes more infused with sensors
that supply real-time data to the
vehicle, what happens if those
systems are attacked?
The Potential for Compromised
Security in the Connected Car

26. 26 NTTI3.COM
5. The consumption of cheap and
sophisticated services outstrips the
ability to create a single cohesive
control model
Organizations are driven by the
ability to put products and services
in front of the customers who
demand them. Enterprise IT has
historically pursued this path for
its internal corporate customers.
However, over the past four to
five years there has been a shift
brought about by the increased
outsourcing of many IT capabilities
as speed and cost concerns have
become paramount. This has
resulted in many departments and
individuals outside the world of IT
taking responsibility and action
for acquiring services for their
departments’ needs – often without
an educated concern for the overall
security impacts on the organization.
We need to evolve enterprise
security for 21st century threats and
risks
Cybersecurity threats are never
static. We need to leave behind the
silver bullets, perimeter defenses
and ‘security-last’ mentalities of the
past. Even the old trust models need
to be inverted. We need change
in the attitudes and platforms that
we use to fight this battle. Our new
approaches need to be as radical
and agile as the cybercriminals
themselves.

27. 27 NTTI3.COM
CHAPTER 4
Radical New
Security
Approaches
and
Solutions
THREAT INTELLIGENCE
SECURITY AS A SERVICE
COMMUNITIES OF SHARING

28. 28 NTTI3.COM
It has become clear that if
businesses continue to pursue the
same fixed security strategies of
the past, they are sure to lose to
the more agile cybercriminal. It will
require a radical new approach to
security for businesses to have a
fighting chance, much less win this
battle outright. Companies must
begin to share what they learn
about security threats with their
colleagues, other companies and
customers. The bad guys already
readily share, and they win as a
result of that shared knowledge.
Organizations cannot continue to
apply the same security patterns of
the past and expect different results.
Those results show consistent
failure to change the trajectory of
cybercrime. At best, most enterprise
security measures have slowed
and redirected attacks - but not
stopped or significantly reduced
them. A persistent attacker does not
look at a new technology, service
or operational change and give
up. They see this as a challenge to
be overcome. Once they have an
opening, it is aggressively targeted
until well-known mechanisms
for managing the challenge are
developed.
How can this kind of challenge be
addressed?
It’s as if the zombies are coming
and no matter how many we kill,
two seem to take every fallen one’s
place. It is time to do things that
are radical and social in nature,
and ultimately, things that are very
uncomfortable to the status quo.
The current path only leads to more
of the same – security failure. To
expect something different is foolish
at best, and ultimately disastrous.
Below are three different ways
we may change the trajectory of
cybercrime. Each one is more
radical than the last, but with the
likelihood of producing a tangible
result. These new approaches are:
threat intelligence, security as a
service, and communities of sharing.

29. 29 NTTI3.COM
Right now, hundreds if not
thousands of organizations, are
rushing to put threat intelligence
capabilities into the market. The
premise is rather simple. The more
we know about cybercriminals by
gathering and correlating from vast
number of sources, the better we
are equipped to stop their actions.
Having knowledge about enterprise
security at the threat stage is not
unlike shining a light to drive away
the cockroaches.
On its own, threat intelligence is
neither that interesting or valuable.
The power to combat cybercrime
comes from:
• The way it is integrated with
other data sources
• How computation and analytics
are applied
• How that intelligence is
translated into action inside the
enterprise
To derive value from threat
intelligence, organizations must use
the information to drive proactive
change within their IT environment.
Security decisions must be informed
with verified, live, and actionable
data. This data must be aligned with
knowledge of what is happening
in the outside world and inside
the infrastructure. This is no small
task. Our IT infrastructures are ill-
prepared to do this. Most managers
of IT are adverse to turning over
control and decision-making on the
basis of information that is at best
fragmentary, and at worse incorrect.
In the larger context – here is the
task we need to do. Bite that bullet.
Take that leap of faith.
We have made this kind of change
many times before. The first was
when we shifted our workloads
away from centralized, mainframe
dependent processing with massive
reliability. Our organizations did
not end when we moved from
decentralized processing to clusters,
or from virtual machines to clouds.
Each of these created hurdle after
hurdle for reliability, uptime and
control.
THREAT INTELLIGENCE

30. 30 NTTI3.COM
The second change was when
we put a firewall in the path of the
organization. Firewalls stopped
traffic, blocked applications and
prevented business as usual, yet the
organizations thrived. Now these are
standard features for the modern
business.
Threat intelligence is gaining
traction as the way to instantly
adapt to the attacker. It holds the
radical promise to do just that. This
allows organizations to engage
with threat intelligence as part of
the corporate decision-making
processes. In the past, enterprise
security has been reactive in nature.
To compete with the cybercrime
industry, organizations must shift
to a more radical approach. The
focus must be on places where
change addresses threats, rather
than reacting to attacks and threat
intelligence. If threats intelligence
can meet this aspirational goal,
it can be a powerful tool against
cybercrime.
Threat
Sensors
Intelligence
Vendors
Managed
Platform
Analytics
Open
Intelligence
NTT Search Engine
Threat Intelligence
NTT Global IP
Network Streaming
Analytics
Intelligence
Dashboards
Localized
Threat
Feeds
Global API/
Local API
Caching Proxy
Device
Orchestration
(RSE)
COLLECT
ANALYZE
DELIVER
GLOBAL
DATA
SOURCES
LOCAL
CONTROL
1. Threat information is collected from a
wide range of threat sources including:
• Sensors that are targets for bad
guys to attack and watch them
• Multiple Intelligence Vendors of
security capabilities across the
industry
• Managed platform analytics and
services for monitoring enterprise
infrastructure from a security
perspective
• Open intelligence from sources on
the Internet
• Search engine intelligence
• IP network streaming analytics
reflecting the data of a collection of
attacks reflected in traffic numbers
on core nodes of the Internet
2. The data is analyzed and additional
non-security (but related) data is
added. This data is examined for
mistakes and duplicates. It is then
correlated with other data with human
analysts identifying the individuals and
groups behind the attacks.
3. The data is delivered to a customer
based on the context they have
specified for action. These include:
• Via API – direct interaction at the
programmatic level
• Via feeds – one way threat
identification and notifications
• Dashboards – user interactive
dashboards
• Device orchestration – automatic
applying of security controls
across the enterprise
PROACTIVE THREAT
PROTECTION

31. 31 NTTI3.COM
An even more radical concept
is security as a service. In its
base form, this is an extension of
managed security services, which
move the management of security
infrastructure out of organizations
that are not security experts, and
into the hands of qualified third
parties. The solution of managed
services is that security as a service
is outcome driven, rather than event
or technology driven. It addresses
the question:
“Do you want a vendor or do you
want to define a set of results?”
Typically, internal security teams in
enterprise organizations simply do
not have enough capability, tools
or processes to see and respond
to all vulnerabilities and attacks,
or to manage the issues that they
face daily. The concept of security
as a service is to blackbox security
technologies and processes, and
wrap the service as a capability. It
answers the question:
“When an event happens, do you
want to be informed of the event or
do you want it to be automatically
resolved under a specific set of
agreed upon parameters?”
The issue with this approach is
that an enormous amount of trust
is given to the security vendor to
know how to do the right thing
and manage the outcome. The
promise of Security as a Service
(SECaaS) is that it offers enterprise
software and hardware tools as an
on-demand solution. They are then
managed with corporate governance
standards to achieve the desired
outcome. SECaaS combines
diverse, modular capabilities that
overlap, require different skill sets,
and address different parts of the
security landscape. IT organizations
within the enterprise control the
policy they want to implement. Using
agile iterative mechanisms, they
can add capabilities or implement
functionality on a continuous
integrated basis, supported and
substantiated by the platform.
The vendor takes the risk of doing
the right things and providing the
appropriate tools, processes, and
trained personnel. This approach
is in essence no different in
outsourcing the brakes on a car to
a brake manufacturer. It is their job
to know the right thing and do it.
They are the specialist, not the auto
manufacturer.
SECURITY AS A SERVICE

32. 32 NTTI3.COM
Communities of sharing are the most
radical, and likely the most effective,
of the ideas suggested here. The
concept is based on a very simple
premise - one that is perhaps
difficult to swallow. The cybercrime
community succeeds because they
collaborate in a way unlike any other
industry in the world. Ideas, data
and capabilities move rapidly and
seamlessly from organization to
organization, individual to individual.
This is always done with cash flow,
or at least a palatable return on
investment (if only in credibility),
attached.
Until the legitimate community can
match the velocity of the cybercrime
community, it will be difficult
not to continually be at a severe
disadvantage.
The radical ideas we need to
embrace are to:
• Open up our organizations
• Expose our vulnerabilities
• Be upfront on our breaches and
attacks
• Show our weaknesses to each
other
We need to do this both knowing
and being comfortable with the
concept that information will be
leaked to cybercriminals. Indeed,
this is a radical theory on first
glance, yet it holds logic. Give it
some thought. A vulnerability only
exists while it is unknown and/
or unaddressed. By opening up
or stretching out, we force three
important social changes:
1. Accountability for our
weaknesses and vulnerabilities.
Once exposed, it’s all hands on
deck to stop exposure.
2. Drive to change processes which
are ‘too entrenched’ to address
the rapid evolution of putting new
solutions in place. The excuse of
“You’ll break existing processes
and stop the business” is no
longer acceptable.
3. Move security to the forefront of
corporate culture. “My disease
may make someone else sick;
therefore, I need to wear a
surgical mask to protect society.”
COMMUNITIES OF SHARING

33. 33 NTTI3.COM
CHAPTER 5
Questions
for the Near
Future of
Security

34. 34 NTTI3.COM
To stay competitive and prepare for
the future of cybercrime innovation,
security professionals and enterprise
leaders need to ask themselves
and their partners the following
question: What’s next for strategy
and architecture?
Let’s start the conversation with 3
important questions.
1. While new technological
advances are introduced and
legislative measures enacted,
cybercriminals continue to have the
upper hand. No matter how much
money or resources a company
throws at the problem, success
continually falls on the wrong side of
the law. Given this, what options do
organizations really have?
In order to have any sort of
profound impact on cybercrime,
we need to first follow the example
of regulated industries, which
understand better than any
other that revenue generation is
a nefarious organization’s first
priority. This means they’ll stop at
nothing to succeed. Failure puts
them out of business. Once we
accept that and change our actions
to halt cybercrime efforts as our
first priority, we can begin to see
the baseline of criminal activity
decelerate. This is difficult, as it is
not our core business. Yet ultimately
it needs to be.
‘Good enough’ security and ‘we
have nothing of value’ are the
vulnerable gateways into our
infrastructure.
Second, we need to change our
approach from security being merely
an afterthought and have it become
the primary decision for new
business objectives and changes.
Otherwise ‘too little, too late’ will
continue to be the status quo when
it comes to any efforts to prevent the
upward trend in cybercrime.
We need to focus significant
efforts on educating individual
users about the importance of
consistently following standard
security practices. It can no longer
be acceptable to give them free rein
to break protocol and opt for what’s
fast and personally convenient.
Only when security measures are
followed by all employees, can we
really start to make a significant
impact in this area.

35. 35 NTTI3.COM
2. What steps should organizations
take to protect themselves when
they have little to no control over
what security measures their
partners and suppliers have in place,
or how strongly they enforce them?
The first step is purely contractual.
Any third parties and partners must
understand that strict security
standards are non-negotiable and
that they (the company) hold their
business partners to the same
standards as they do their own
employees.
Organizations need to clearly
understand the various points of
contact and information exchange
between each other, and limit those
points of exchange to very specific
data and capabilities. These are
the vulnerable points of entry for
cybercriminals. Any company
that makes security a top priority
should have the power to review,
enforce and even stop or change
any security policies between
themselves and other organizations.
This must be true even if it means
ending the business relationship
until such time as measures are
correctly enacted.
3. How can we convince our own
companies to allocate more dollars
and resources towards protecting
our data from a fierce competitor
– cybercriminals – when the
organization doesn’t even realize
how great the threat really is?
The most important thing to do
is know what data, capabilities or
connections are in danger of falling
into the wrong hands within the
organization, even if the general
perception in the company is that
there is nothing at risk. A calculation
can then be made to estimate
the cost to the company if data,
capability, or connection do indeed
fall into the wrong hands.
It may be necessary to work with
external organizations to find the
types, quantities and details of any
company information that is already
vulnerable, or worst case, already
being sold on the “Dark Web.” It is
critical to demonstrate to company
officials the expense related to these
efforts compared to the total cost
or liability if the data is hacked and
stolen for financial gain.

36. 36 NTTI3.COM
APPENDIX
ABOUT NTT INNOVATION
INSTITUTE, INC.
ABOUT THE AUTHORS
OTHER BOOKS FROM
NTT INNOVATION
INSTITUTE, INC.
RESOURCES AND CITATIONS

37. 37 NTTI3.COM
NTT Innovation Institute, Inc. is
the Silicon Valley-based, open
innovation/applied research and
development center of NTT Group.
NTT i3
builds platforms that are
transforming today’s enterprises
into the digital businesses of the
future. Our platforms help clients
engage with customers and markets
in exciting new ways by pushing
the boundaries of cloud computing,
information security, machine
learning, and the Social Network
of Things. NTT i3
builds on the vast
intellectual capital base of NTT
Group, which invests more than
$2.2 billion a year in R&D, with an
extensive network of technology
partners, engineers, and scientists.
NTT i3
’s Core Platforms
for Agile IT
In order to build the agile and
hybrid IT systems required by
the emerging digital generation
of insurance companies, robust
and well-designed technological
and strategic platforms must
be put into place, often inareas
outside of the traditional IT domain.
Legacy systems must be modified
and integrated in a way that
acknowledges complex privacy,
speed, and reliability needs that
were inconceivable at the time
of their original design. And all
of these IT systems need to be
integrated and orchestrated in a
way that makes the management
of a dynamic hybrid information
environment possible.
NTT i3
offers three platforms to
help IT departments tackle these
challenges:
Cloud Services Orchestration
Platform
that allows IT departments to
understand their application
portfolios, migrate the most suited
applications to the cloud and
provide a seamless way to manage
this new hybrid environment.
Global Threat Intelligence Platform
that brings real-time data-driven
insights into the identification and
understanding of cyber-security
threats and needs.
An Elastic Services Infrastructure
that leverages network function
virtualization (NFV) to push virtual
network functions (VNF) to the edge
of the enterprise’s network, bringing
agility, security, and flexibility into
the infrastructure.
ABOUT NTT INNOVATION
INSTITUTE, INC.

38. 38 NTTI3.COM
About the Authors
Rich Boyer
Chief Architect, Security
At NTT Innovation Institute, Inc.
Rich Boyer is the Chief Architect for
Security. He has over 25 years of
experience in security and network
technology across a variety of
global organizations. Currently Rich
is designing and implementing the
Global Threat Intelligence Platform
(GTIP) in support of NTT’s global
security strategies around threat
intelligence, analytics, identity and access management and response and
recovery. He is part of the analysis team for NTT’s Global
Threat Intelligence Report. Before building the Global Threat Intelligence
Platform, Rich held many security positions in large international enterprise
organizations both as a senior executive and consultant. He has performed
a wide range security services roles including managing security strategy,
security infrastructure design, operationalization of organizations,
development of GRC processes and embedding security processes at the
executive level. Rich has a diverse IT background outside of security
including infrastructure, coding, networking, security, risk management,
and systems development. Rich has a BA in Computer Science from the
College of Wooster.
Dr. Kenji Takahashi
Vice President, Product Management, Security
Kenji has over 29 years of
experience in Research and
Development on information
and communication technology
for NTT Group in both US and
Japan. Currently Kenji is leading
the development of Global Threat
Intelligence Platform (GTIP) through
open innovation with the global
ecosystem consisting of clients,
partners, academia and open source communities. Previously Kenji was
President and CEO of NTT Multimedia Communication Laboratories,
Inc. (NTT MCL) in Silicon Valley. At NTT MCL, he successfully launched
and led open source, open standard-based cloud and SDN projects,
which resulted in the world first OpenFlow based global network service
offering by NTT Communications. Prior to this, Kenji led many projects
at NTT R&D in Japan, including cloud computing, software engineering,
digital identity management, collaboration environment, and ubiquitous
computing. He is one of the pioneers of federated identity management,
which provides users with secure, easy to use, and privacy-friendly
experiences across organizational and geographical borders. Kenji
received BS, MS, and Ph.D. in Computer Science from Tokyo Institute of
Technology. He was also a visiting scientist at the College of Computing at
Georgia Institute of Technology.

39. 39 NTTI3.COM
The following books can be found at:
www.NTTI3.com/publications
Digital Business Transformation
The Social Network of Things
Agile IT: Today’s IT for Tomorrow’s Solutions
The Automotive Industry as a Digital Business
Insurance as a Digital Business
OTHER BOOKS FROM
NTT INNOVATION
INSTITUTE INC.

40. 40 NTTI3.COM
CITATIONS
1
2014 - http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
2013 - http://www.mcafee.com/us/resources/reports/rp-economic-impact–cybercrime.pdf
2012 - http://us.norton.com/cybercrimereport
2011 - http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02
2
NTT Group 2014 Global Threat Intelligence Report. https://nttgroupsecurity.com/articles-content/articles/download-the-2014-report
3
NTT Group 2015 Global Threat Intelligence Report. https://nttgroupsecurity.com
Page 13 Ken Wolter / Shutterstock.com
PHOTO CREDITS