The new RSA Security Brief highlights that basic security lapses still contribute to most security incidents. The report identifies top areas for improvement and provides practical guidance on measures that deliver the greatest impact on organizations' ability to respond to cyber attacks and data breaches.
About RSA Security Brief :
RSA Security Briefs provide security leaders and risk management executives with essential guidance on today's most pressing information security threats and opportunities. Each Brief is created by a select team of experts who connect experiences across organizations to share specialized knowledge on a critical security topic. Offering both big-picture insight and practical technology guidance, RSA Security Briefs are vital reading for today's forward-thinking security and risk management practitioners.
Read More via
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
1. TAKING CHARGE OF SECURITY IN A
HYPERCONNECTED WORLD
How Organizations Can Improve Breach Readiness
and Cyber Security Maturity
October 2013
Authors
KEY POINTS
James Lugabihl, Global CIRC Senior
Manager, EMC Corp.
• Organizations are taking responsibility for proactively improving security, not just for
themselves but for customers and business/supply chain partners.
Dylan Owen, Cybersecurity Manager for
Cybersecurity and Special Missions,
Raytheon Company
Timothy A. Rand, Senior Manager,
Advanced Cyber Defense Practice,
RSA, The Security Division of EMC
Peter M. Tran, Senior Director, Advanced
Cyber Defense Practice,
RSA, The Security Division of EMC
• Rising numbers of organizations are conducting assessments of their business risks
and security practices before breaches occur.
• Most breaches result from organizations stumbling on basic security practices. The
following deficiencies play a contributing role in most security breaches:
–Neglecting basic security hygiene
–Relying exclusively on traditional threat prevention and detection tools
–Mistaking compliance for security
–Inadequate end user training
• An organization’s optimal security posture will change as its business, risk, and threat
environment changes. Good security is less about achieving a static goal state as it is
about building capabilities for continuous evaluation and improvement.
• Of the many recommendations that emerge from security assessments, 20 percent will
likely yield 80 percent of the benefits. The following areas for improvement typically
generate high impact:
–Locate and track high-value digital assets
–Model threats and address top vulnerabilities
–Master change management processes
–Deploy security staff selectively and strategically
–Integrate security processes and technologies to scale resources
–Invest in threat intelligence capabilities
RSA Security Brief
–Conduct all-inclusive risk and security assessments
–Quantify the impact of security investments
2. RSA Security Brief, October 2013
RSA Security Briefs provide security leaders and risk
management executives with essential guidance on
today’s most pressing information security threats and
opportunities. Each Brief is created by a select team of
experts who connect experiences across organizations to
share specialized knowledge on a critical security topic.
Offering both big-picture insight and practical technology
guidance, RSA Security Briefs are vital reading for
today’s forward-thinking security and risk management
practitioners.
Contents
“Good” security is a relative condition......................................................................... 3
Security programs still stumble on the basics............................................................... 4
Neglecting basic security hygiene.......................................................................... 4
Relying exclusively on traditional threat prevention and detection tools.................. 5
Mistaking compliance for good security................................................................. 5
Inadequate user training....................................................................................... 6
Beyond the basics................................................................................................ 6
Security stewardship means continuous improvement................................................. 7
Conduct all-inclusive risk and security assessments............................................... 7
Locate and track high-value digital assets.............................................................. 7
Model threats and address top vulnerabilities....................................................... 8
Master change management processes................................................................. 8
Deploy security staff selectively and strategically................................................... 9
Integrate security processes and technologies to scale resources........................... 9
Invest in threat intelligence capabilities............................................................... 10
Quantify the impact of security investments........................................................ 10
Conclusion................................................................................................................. 11
About the Authors..................................................................................................... 12
Security Solutions for Improving Breach Readiness......................................................14
From Raytheon Company......................................................................................14
From RSA, The Security Division of EMC.................................................................14
3. RSA Security Brief, October 2013
The boundaries have blurred between internal and external networks. Employees
increasingly use their own devices, home networks, and public Wi-Fi to access
corporate resources. Partners, customers, and vendors have greater access to what
were exclusively internal resources, and the integration of private networks with public
clouds has culminated in hybrid clouds with dynamic and complex boundaries. In a
world where digital boundaries are ever-changing and hard to define, building stronger
perimeter defenses, while still necessary, are inadequate to ensure sufficient security.
In today’s highly interconnected business environment, information security can no
longer be an isolated endeavor: it must be the responsibility of an entire business
ecosystem or value-chain.
“Attackers look for
the easiest means of
compromise. That’s why
attacks are moving from
more security-mature
organizations down to
less mature, typically
smaller, partners.
Attackers can exploit
the trust relationships
between companies to
infiltrate well-protected
targets through supply
chain partners with less
security experience.”
Dylan Owen, Raytheon Company
This idea has gained widespread recognition at the international level. For example, the
World Economic Forum (WEF) is exploring how responsibility for cyber security can be
shared among companies, industries, and governments. In its 2012 report, “Risk and
Responsibility in a Hyperconnected World: Pathways to Global Cyber Resilience,” the
WEF concluded:
Increasing dependence on connectivity for the normal functioning of society
makes the protection of connectivity a critical issue for all; it is a shared
resource, like clean air or water. No one organization can resolve the issue by
itself; a collaborative, multi-stakeholder approach must be taken. Even
competitors in a given industry must become partners in the effort to ensure a
stable and trusted environment.
The idea that creating a stable, trusted cyber environment should be a collaborative
endeavor also appears to be gaining traction among private enterprise and
governments. Two trends in the global security community point to this:
1. Participation in threat intelligence-sharing groups has widened over the past few
years beyond the traditional circles of defense and financial services. Nowadays, it’s
common to see industrial manufacturers, retail chains, utilities, and technology
companies exchanging cyber threat intelligence.
2. Rising numbers of organizations are conducting assessments of their business risks
and security practices to improve their overall security posture proactively. These
security assessments have historically been done in the wake of serious incidents or
breaches, but they are now increasingly done as a precautionary measure before
trouble has been detected.
“GOOD” SECURITY IS A RELATIVE CONDITION
Organizations are conducting proactive assessments not only to improve their own
security postures but to protect their business relationships. Advanced cyber attacks
have been known to attack their primary targets by exploiting business partners with
weaker defenses. Rather than combat the well-protected computer networks of a target
company, cyber attackers try instead to infiltrate the organization through its
connections to trusted partners with less-developed security practices. In recent
incidents, cyber attackers have sought to cover their tracks by routing data stolen from
a company through the computer networks of a business partner.
page 3
4. RSA Security Brief, October 2013
Because information security within a supply chain is only as strong as its weakest link,
organizations today must improve security measures not just for themselves but for
their partners and customers. Every organization should achieve “appropriate” levels of
security for their business requirements and risks—which also means evaluating how
their security practices could affect customers and partners, should something go
wrong. Of course, appropriate security measures will vary greatly from organization to
organization. For example, security practices considered appropriate for an industrial
manufacturer might have very different characteristics than security practices for a
regional consulting firm or a global technology company.
“We see security
assessments trending
toward improvement
and a more proactive
approach. There’s a
general sense that,
because my buyer or my
business partner just got
hacked, maybe I should
think about this now. The
tough part is getting your
stakeholders to realize
they’re on borrowed
time, because they’re
still thinking, ‘Well,
nothing has happened to
us, so why should we do
this?’”
Peter Tran, RSA
Identifying appropriate levels of security can prove challenging, because it’s an
exercise based on risk and relativity. Appropriate security should be determined by four
factors:
1. The organization’s risks and requirements, which change over time and are unique
for each organization
2. The value of information assets being protected, with high-value assets monitored
more closely and subject to more controls
3. The security risks and threats the organization can reasonably expect to face,
considering that attack techniques are constantly changing and rising in
sophistication
4. Prevailing security practices for the organization’s peers, with the organization
aiming to be at or above the group “average” so as to not make itself an easy target
The first three conditions listed above are associated with internal assessments. The
fourth condition is a relative measure that relies in part on external knowledge of
“reasonable” security practices within an industry peer group. Industry associations,
information sharing and analysis centers (ISACs), or outside consultants can often help
provide this comparative context.
Another way organizations can diagnose security performance on a relative basis is
through self-assessment tools. Many consulting firms and security service providers
offer proprietary “security maturity” models. Each has merits and deficiencies, but they
all aim to provide a progressive framework for measuring security performance. An
example of a security maturity framework is shown in Figure 1.
SECURITY PROGRAMS STILL STUMBLE ON THE BASICS
In analyzing security programs across different industries, it seems many organizations
today still fall down on basic execution. The following deficiencies commonly contribute
to security breaches.
Neglecting basic security hygiene
In forensic evaluations following attacks, missed software updates frequently surface
as exploited vulnerabilities. Sometimes, these are zero-day vulnerabilities, but in most
cases antivirus and software updates had simply not been done. Perhaps a system was
scheduled for patching at a later date after the organization could compatibility-test the
patch. More likely, the system was overlooked for patching entirely because it had been
added to the network without being properly cataloged: IT didn’t know the system
existed so they did not know to patch it. Basic security maintenance is an all-toocommon deficiency.
page 4
5. RSA Security Brief, October 2013
Figure 1: Security Maturity Framework
Level 1.
Product-driven security
Level 2.
Compliance-driven security
Level 3.
IT Risk-driven security
Level 4.
Business Risk-driven security
policy
• Enforced employee
compliance
• Management reinforces
cooperation
• Reasons for non-compliance
explored
• None
• Changes in policies and
regulations
• Changes in IT threats
• Continuous business risk
assessments
• No reporting
• Ad-hoc incident reports
• Scheduled reporting
• Real-time reporting
• None
• Auditor checklist
• IT infrastructure checklist
• Business risk checklist
• Technology: low
• Business: low
• Technology: medium
• Business: low
• Technology: high
• Business: medium
• Technology: high
• Business: high
• None
• Contingent on policy
changes and incidents
• Regular communication
• Pro-active, two-way
communication between
security and businesses
{Employee training
process
• Sporadic and inconsistent
• Product training
(not mandatory)
• Regulations training
(mandatory for some)
• IT infrastructure threats
(mandatory for all)
• Role-specific training
(mandatory for all)
|Selection criteria
• Trends,
vendors
• Legal/regulatory
requirements
• Specific to IT
infrastructure
• Based on business
implications
}Technology focus
• Managing patchwork of
security tools
• Compliance monitoring and
reporting
• Threat detection and
response
• Business risk monitoring and
predictive analytics
uEnforcement
vUpdate trigger
wReporting schedule
xUpdate trigger
product
people
yLeadership
capabilities
zManagement
communication
Relying exclusively on traditional threat prevention and detection tools
“There’s no magic bullet
for improving security or
your breach readiness.
There’s no secret to it,
other than you have to
master the basics before
you take on anything
else. You have to
execute—get your hands
dirty, move rocks.”
James Lugabihl, EMC
In general, organizations relying on firewalls, antivirus scanners, and intrusion
detection systems (IDS) for security will never discover the truly serious problems. Yet,
most security teams still wait for signature-based detection tools to identify problems
rather than looking for more subtle indicators of compromise on their own. Part of the
reason for this is most security teams have not done the hard work of integrating their
logs, security processes, and tools, making it challenging to correlate events or
determine causality.
Mistaking compliance for good security
Many companies are on an accelerating treadmill with their compliance programs.
They’re so busy keeping up with mounting compliance requirements, whether from
increased government regulations or internal oversight requirements, that proving
compliance becomes a goal in and of itself.
Most compliance mandates reflect best practices that should be interpreted as
minimum standards, not sufficient levels, of security. For example, organizations may
audit their privileged IT administrator accounts only once a quarter because that’s the
interval specified by internal policies. However, cyber adversaries waging targeted
page 5
6. RSA Security Brief, October 2013
“Developing a highperforming security
program—what we call
an ‘intelligence-driven’
organization—is a journey.
Focus on the basics first,
paying attention to the
people, process, and
technology. Then, you
can make improvements
incrementally by adding
capabilities such as
forensic analysis, malware
reverse engineering, and
threat intelligence.”
Timothy A. Rand, RSA
attacks often phish for privileged accounts to do the most damage in the shortest
amount of time. In most cases, the quarterly intervals for inspecting privileged accounts
may be woefully inadequate for managing risk.
The Payment Card Industry Data Security Standard (PCI DSS) serves as an example in
which good compliance does not always translate into breach avoidance. Companies
compliant with PCI DSS have been hacked. For this reason, the latest version of PCI DSS
provides direction for implementing security into business-as-usual (BAU) activities and
underscores the need to maintain ongoing compliance.
Inadequate end user training
Employees and other end users of corporate IT assets should be regarded as the
organization’s first line of defense—even more so than firewalls and IDS. Threats will
inevitably get through perimeter defenses, but employees can alert security teams to
suspicious emails, unusual activity, or performance changes in systems.
Many organizations don’t invest enough time and resources in user training. While
annual security training is the interval frequently mandated in corporate policies, it’s
not frequent enough to protect end users from phishing, malicious links, and other
security hazards. Also, most organizations fail to provide differentiated training for
employees more likely to be targeted by cyber attackers: finance executives, IT
administrators, R&D scientists, and others.
Beyond the basics
While the basic deficiencies described above contribute to the majority of security
breaches, other shortcomings also surface over and over again. The chart in Figure 2
itemizes ten of the most common problems identified in security assessments.
Figure 2: Top 10 security deficiencies found in security assessments
• Infrequent user training on security hazards such as spear-phishing
People
• Inadequate security staff, both in terms of numbers and training
• Security team’s roles and responsibilities not clearly defined
• Poor patch management processes
Process
• Reliant on ad hoc incident response and other security procedures in the absence of well-defined processes
• “Enterprise amnesia” resulting from responding nonstop to fire drills without taking time to improve based on
post-incident lessons learned
• No centralized or real-time monitoring and alerting—analysts must log into different consoles to collect alerts
Technology
• Poor incident response-tracking and workflow systems
• Insufficient tools to conduct forensic analysis
• No threat intelligence collection or analysis capabilities
page 6
7. RSA Security Brief, October 2013
SECURITY STEWARDSHIP MEANS CONTINUOUS IMPROVEMENT
An organization’s optimal state of security will vary as its business, risk, and threat
environment changes. What this means is that good security is not about achieving a
static optimal state; it’s about building capabilities, or agility, for continuous
assessment and improvement.
The focus on improving security seems to have intensified. Two years ago, organizations
commissioning outside security assessments were primarily interested in remediating
vulnerabilities following a breach. Now, more organizations are requesting proactive
help to improve breach readiness and incident response. Even medium-size companies,
under pressure from larger business partners, are striving to proactively advance their
security practices ahead of a serious incident.
Because “good” security is not a one-size-fits-all condition, the needed improvements
will vary greatly from organization to organization. Any organization that has conducted
a rigorous security assessment can attest that the list of recommendations resulting
from such assessments is almost endless. The key to executing a successful security
improvement plan is to identify and implement the 20 percent of changes that will yield
80 percent of the benefits.
The recommendations and best practices described below often fall into the top 20
percent of changes that generate the greatest improvement in organizational readiness
for responding to and recovering from cyber threats.
Conduct all-inclusive risk and security assessments
Risk assessments should include not just digital assets but an all-inclusive risk
evaluation of facilities, suppliers, and even how you sell your goods and services. For
example, if your organization sells in distant geographic regions through channel
partners, these partners should be factored into risk evaluations for two reasons. First,
these partners are essentially your organization’s face to the world within their
respective regions. Second, they’re likely to be attractive, vulnerable targets for spearphishing, as they potentially represent a convenient vector for attacking your company.
Digital risk assessments should be done at least once per year. If you stand up a new
service or enter a new market, a corresponding risk assessment should be included as
part of the project management process, baking security into the implementation.
Locate and track high-value digital assets
While keeping track of valuable digital assets sounds straightforward, many companies
say this is one of the toughest challenges they face. Tracking high-value information
assets can be tricky because of shadow IT in which processes run on systems that
aren’t managed by the enterprise IT team. This could run the gamut from a business unit
storing sensitive information in a SaaS application to an accountant in your finance
department running a spreadsheet of critical financial data on his unsecure home
computer.
Tracking high-value information is a critical capability in incident response and
remediation. When threats or problems are first detected, you have to know how to
isolate or effectively protect critical assets as fast as possible. Organizations must
document where high-value assets are, who has access to them, who within the
business owns the risk, and how the risk can be managed. IT and security teams can
provide the right frameworks and tools for auto-discovery, including creating a single
repository to track and manage key assets.
page 7
8. RSA Security Brief, October 2013
Model threats and address top vulnerabilities
Part of any security assessment should be threat modeling, which can be boiled down
to a simple formula:
Threat x Vulnerability x Potential Cost of Loss = Risk
Stakeholders in business units and IT often don’t understand the need for threat
modeling, and many security practitioners don’t have sufficient experience to do it well.
A common pitfall is organizations tend to underestimate internal threats. The mostoverlooked internal risks are not disgruntled employees acting out of malice; they’re
often well-intentioned employees making critical mistakes—oversights in documenting
changes to an IT system’s software application is a typical example.
Threat modeling should be a collaborative, multi-disciplinary process, not an isolated
exercise within the security team. Participants should work together on scoping out
threats to the organization and how each may affect business units or assets. Ideally,
threat modeling should be a creative process: organizations must plan with the same
imagination and cunning as prospective adversaries.
Threat models should also build on forensic evaluations of previous threats observed in
your environment with the goal of identifying ways to neutralize cyber adversaries. For
example, threat models should identify the organization’s most frequent historical
threat vectors. Then, if you discover that the number one point of compromise for your
organization is phishing attacks, you’ll know to implement processes, technology, and
training programs to reduce the effectiveness of spear phishing.
“Good change
management can have a
huge preventive impact.
Some people think that
change management just
slows them down, but
consider what’s the cost to
your business if you don’t
do this and something gets
compromised? It’s rarely
worth the risk.”
Dylan Owen, Raytheon Company
Master change management processes
Security change management procedures help track and respond to changes in IT
assets and business processes that have material impact on security risks. It’s a hard
discipline to manage consistently, especially since many stakeholders in IT, the
business, and even in security mistake it for an administrative checkbox that simply
slows them down. So, they may forego documenting systems and processes because
they’re under pressure to complete a project quickly and believe they can circle back
and report on additions and modifications later. But then key people on the
implementation team leave, first-hand knowledge is lost, and dependencies are never
recorded. Such omissions present unnecessary risks that can have serious
consequences later.
Change management processes should be factored into project management
schedules. You should qualify the risks and rewards of change management
requirements so stakeholders understand the potential cost to the business if
something gets missed and contributes to a compromise. Train people to understand
the impact of their actions. Simultaneously, stakeholders should evaluate how to fulfill
change management requirements in the most efficient and expedient way possible.
Part of change management is the discipline of identifying and documenting
interdependencies between systems so IT and security teams are aware of how changes
made to one system affect the state of another. Reconfiguring one part of your IT
environment could create vulnerabilities somewhere else. For example, if an
organization’s back-end database provider releases a patch that’s incompatible with
the ERP implementation to which the organization’s database is tied, then the database
can’t be patched until a fix can be arranged. Instead, the IT team must document why
the patch was not installed and work with the security group to make sure
vulnerabilities in the database system can be mitigated until updates can take effect.
page 8
9. RSA Security Brief, October 2013
Deploy security staff selectively and strategically
In many security operations centers (SOCs)—a designation that this paper also uses to
refer to critical incident response centers or teams (CIRCs/CIRTs) —the roles and
responsibilities for in-house personnel are not clearly defined. Analysts are accountable
for many things simultaneously without clear direction on priorities. The adage “if you
try to do everything, you wind up doing nothing well” applies here.
Many SOCs would benefit from revisiting their staffing models, evaluating the
capabilities of individual team members to put the right people in the right roles. That
way, people with advanced or specialized skills are deployed in a way that best serves
the needs of the security organization.
A recent report from the Security for Business Innovation Council titled “Transforming
Information Security: Designing a State-of-the-art Extended Team” recommends that
organizations focus on building security capabilities in four key areas that will be new
to most SOCs: cyber risk intelligence and data analytics, security data management,
risk consultancy, and controls design and assurance. These emerging skills are seen by
the Council’s members as essential to providing the security capabilities needed to
defend organizations against escalating cyber threats.
Integrate security processes and technologies to scale resources
Almost every security operations team today faces staffing shortages. The capabilities
of in-house security personnel are usually stretched, and new headcount is hard to
authorize. Most security professionals spend too much time on mundane tasks such
patch management or manually pulling data from different systems or sorting through
volumes of event logs, alerts, and threat intelligence with no categorization of relevance
or importance.
The productivity of security personnel can be dramatically raised through technology
and process integration initiatives. As detailed in a February 2013 RSA Technical Brief
“Building an Intelligence-driven Security Operations Center,” integrating security
operations processes and technologies is arguably the single most beneficial thing that
SOCs can do to boost staff productivity.
Process and technology integration provides valuable context for analyzing triggered
events. For example, proper context can determine whether events are related to highvalue assets such as mission-critical systems and applications, business processes
handling sensitive data, or privileged users such as CIOs, CFOs, and IT administrators.
This type of context can help establish event severity and criticality, directing analysts’
attention to where it’s needed most.
Another huge potential time-saver involves integrating various security tools so they
feed into a central incident management console. Many security teams have yet to
invest in centralized, real-time monitoring, and alerting. Instead, they compel security
analysts to log into different systems (firewalls, IDS, and more) to collect alerts.
Security tools should be integrated to push alerts into a central repository that provides
a single-console view of aggregated events and alerts. Such consoles should track and
coordinate workflows. This way, multiple analysts and users can work in parallel on
different aspects of the same incident. A unified console presents all the contextual
information for threats in one place; analysts don’t have to chase down data scattered
among disparate systems and locations to get the background needed for accurate
decision-making. In addition to saving analysts’ time, tool integration can also manage
workflows to facilitate adherence to procedural best practices.
page 9
10. RSA Security Brief, October 2013
Data aggregation could happen within a traditional log/event-oriented SIEM system, for
example. For organizations with mature SIEM capabilities, the next phase of
improvement is to enhance their central data monitoring with greater visibility (network
and endpoint) as well as analytic capabilities that can automate the early phases of
threat detection and shorten analysts’ investigation times.
Invest in threat intelligence capabilities
“In threat intelligence,
data is king and context is
queen. You can’t be secure
without mastering both.”
James Lugabihl, EMC
Threat intelligence, long the domain of large enterprises and government agencies, is
now being used by mid-sized and smaller companies to become more proactive and to
protect their business relationships. Threat intelligence can sound daunting, but it does
not necessarily need to involve ISACs and government agencies. For example, if you
learn that the registrant of a bad domain linked to threat activity on your network has
also registered 50 other domains, you could block them all. This is an example of
leveraging intelligence to proactively improve your defenses.
The simplest way to mine threat intelligence is to leverage the information already on
your systems and networks. Many organizations don’t fully mine logs from their
perimeter devices and public-facing web servers for threat intelligence. For instance,
organizations could review access logs from their web servers and look for connections
coming from particular countries or IP addresses that could indicate reconnaissance
activity. Or they could set up alerts when biographies of employees with privileged
access to high-value systems attract unusual amounts of traffic, which could then be
correlated with other indicators of threat activity to uncover signs of impending spearphishing attacks.
Quantify the impact of security investments
Finding budget is a common constraint that security teams cite for not making the
investments needed to improve incident response and readiness. ROI is very difficult to
prove because it requires that organizations measure return on solutions to security
problems that may never materialize. Yet, to build support from business units for
funding security initiatives, it helps to compare the cost of proactive remediation with
the potential cost of compromise.
The cost of security controls needs to be balanced against the business harm likely to
result from security failures. That’s where “what if” scenarios can prove helpful. In
modeling “what if” scenarios, try to capture the full costs. For example, in addition to
projecting the business and reputational costs of a breach within critical systems, also
consider the costs for deploying backup systems while infected systems are taken
down and cleaned.
Quantifying the potential impact of new security investments can help security teams
win support for new investments. It can also help organizations identify and prioritize
investments that are most likely to result in substantial security improvements.
page 10
11. RSA Security Brief, October 2013
CONCLUSION
As information security becomes an ecosystem-wide endeavor, organizations will have
to demonstrate they’re doing their part to improve security for all. Organizations will
have to become more disciplined about basic “security hygiene,” which remains a
consistent stumbling block. Organizations will also have to embark on thorough
assessments to improve their organizational readiness in responding to and recovering
from cyber threats.
Security assessments can be handled in-house by experienced staff, but many
organizations choose to enlist outside help. External consultants can provide objective
evaluations of the organization’s current security practices, as well as contribute
insights on best practices from multiple industries.
Regardless of who conducts security assessments or what recommendations emerge for
improvement, organizations should prioritize a limited number of investments that can
deliver the greatest security benefits. Targeting the highest-impact investments can be
done by quantifying the risks that would be mitigated by new controls or by seeking
outside counsel on what has proven beneficial to other organizations.
page 11
12. RSA Security Brief, October 2013
ABOUT THE AUTHORS
James Lugabihl
Global CIRC Senior Manager
EMC Corporation
James Lugabihl took over EMC’s Critical Incident Response Center in June of 2010. He is
responsible for monitoring EMC’s global network and responding to threats that directly
impact the organization.
Since February 2005, James has been a part of EMC’s Global Security Organization
developing the framework for risk and security administration services and worked as
an internal consultant for the CSO. Mr. Lugabihl began his information security career
more than 15 years ago with the U.S. Navy’s Fleet Information Warfare Center handling
network monitoring and incident response.
Dylan Owen
CISSP, ISSEP, ISSMP, GPEN, GCFA, ITIL
Cybersecurity Manager for Cybersecurity and
Special Missions
Raytheon Company
Dylan Owen is responsible for developing and providing computer network defense
solutions to Raytheon’s government and commercial customers. He helps Raytheon
customers review and improve their security readiness, focusing on organizational
alignment as well as reviewing security architectures and SOPs. Mr. Owen has helped
design and implement SOCs/CERTs and threat intelligence programs for government
organizations and large companies. He has also helped clients stand up CERTs,
including developing core processes, hiring staff, and implementing technology
solutions. In previous positions at Raytheon, Mr. Owen developed expertise in
certifying and accrediting IT systems, conducting computer security awareness training,
managing vulnerability assessments, and investigating many different types of
computer-related breaches.
Timothy A. Rand
Senior Manager
Advanced Cyber Defense Practice
RSA, The Security Division of EMC
Tim Rand is responsible for professional services engagements for incident response/
discovery (IR/D), breach readiness, remediation, SOC/CIRC design, and proactive
computer network defense. Prior to RSA, he was a lead security engineer for the Mitre
Corporation. Earlier, he led enterprise-wide computer emergency response, attack
sensing and warning, and proactive cyber operations for the Raytheon Company’s Cyber
Threat Operations team. Mr. Rand has more than 16 years of experience in developing
technical staff and programs, cyber investigations, Advanced Persistent Threat (APT)
defense, focused threat analysis, operations, and projects. He has held various
technical leadership roles, including director for an environmental analysis laboratory
and senior scientist for various enterprises such as the Lockheed Martin Company.
(Continued on the next page)
page 12
13. RSA Security Brief, October 2013
Peter M. Tran
Senior Director
Advanced Cyber Defense Practice
RSA, The Security Division of EMC
Peter Tran leads RSA’s Advanced Cyber Defense Practice, which offers world-class
professional services for global incident response and discovery (IR/D), breach
readiness, remediation, SOC/CIRC redesign, and proactive computer network defenses.
Mr. Tran has more than 18 years of government, commercial, and research experience
in the fields of computer forensics, information assurance, and security. He is a
recognized expert within the Department of Defense and U.S. federal law enforcement
communities on computer forensics, malicious code, computer crime investigations,
foreign counterintelligence, technology transfer, network security, and cyber espionage.
He has authored several defense periodicals for his work involving distributed computer
forensics and data analysis.
Prior to RSA, Mr. Tran led Raytheon’s commercial cyber professional services, as well as
its enterprise Cyber Threat Operation Programs for SOC/CERT, IR/D, intelligence, APT
threat analysis, technical operations, exploitation analysis, adversarial attack
methodologies, and research and tools development. He held senior technical
leadership roles with Northrop Grumman and Booz Allen Hamilton. Mr. Tran also worked
as a Federal Law Enforcement Special Agent, forensic analyst, systems/security
engineer, software product designer, and consultant in both technology prototyping
and production.
page 13
14. RSA Security Brief, October 2013
SECURITY SOLUTIONS FOR IMPROVING BREACH READINESS
The products and services described below are designed to align with the best
practices described in this RSA Security Brief. This security solutions overview is
not intended to provide a comprehensive list of applicable products and services.
Rather, it’s intended to serve as a starting point for security practitioners wanting
to learn about some of the options available to them.
From Raytheon Company
Insider Threat and Counter Intelligence – Raytheon is the largest provider of
insider threat solutions to the U.S. Government. Raytheon’s SureView™ product
enables safe and effective use of mission-critical technologies by capturing human
behavior technical observables, which include policy violations, compliance
incidents, or malicious acts that could be warning signs of a security breach.
Trusted Thin Client® (TTC) – Trusted Thin Client is Raytheon’s commercial-off-theshelf (COTS) solution that provides end users access to all allowable networks from
a single device. TTC ensures homeland and corporate security while enabling the
fast-paced exchange of data to foster seamless global collaboration across
disparate classified or sensitive networks.
Trusted Gateway System™ (TGS) – A commercial-off-the-shelf (COTS) transfer
solution, Trusted Gateway System provides exceptional built-in manual review and
automatic validations, such as virus scanning, file type verification, dirty word
search, and deep content inspection, enabling safe and simultaneous data
movement between networks at different sensitivity levels.
From RSA, The Security Division of EMC
RSA Advanced Cyber Defense Practice has been developed to help clients
safeguard their organizational mission by focusing on the protection of high-value
assets, which are often the object of targeted attacks, and by developing the
readiness, response, and resilience of their security operations. The practice’s
consultants are highly skilled security practitioners, each with 10-plus years’
average experience in incident response planning and in building, operating, and
managing SOCs. RSA’s security consultants don’t just provide reports and
recommendations; they also provide hands-on assistance with developing and
improving incident-handling processes and procedures, automating securityrelated workflows to drive operational efficiencies, and generating actionable
intelligence by gathering multiple sources of information and cultivating data
analytics capabilities. Finally, the practice’s consultants provide technology-neutral
guidance on selecting and implementing security solutions that adapt to variable
levels of risk. Collectively, the practice’s consultants and services help clients shift
from a reactive security stance to a proactive, advanced cyber-defense posture.
RSA Archer® GRC Suite is a market-leading solution for managing enterprise
governance, risk, and compliance (GRC). It is designed to provide a flexible,
collaborative platform to manage enterprise risks, automate business processes,
demonstrate compliance, and gain visibility into exposures and gaps across the
organization. The RSA Archer GRC platform is engineered to draw data from a wide
variety of systems to serve as a central repository for risk-, compliance-, and
security-related information. The RSA Archer Security Operations Management
module is designed to provide a software system that manages incident workflows,
page 14
15. RSA Security Brief, October 2013
reporting and notification requirements, staffing and work allocations, as well as
other capabilities needed to efficiently manage a security operations center. This
system also provides the required business and technical context (such as asset
information) for incidents during investigations.
RSA® Education Services provide training courses on information security geared to
IT staff, software developers, security professionals, and an organization’s general
employees. Courses combine theory, technology, and scenario-based exercises to
engage participants in active learning. RSA Advanced Cyber Defense Training
offerings are a series of instructional courses focused on improving the skills of
security analysts in areas such as incident handling, the use of threat intelligence,
malware analysis, and the detection and investigation of advanced threats. These
courses are taught by expert personnel from the RSA Advanced Cyber Defense
Practice.
RSA® Enterprise Compromise Assessment Tool (ECAT) is an enterprise threat
detection and response solution designed to monitor and protect IT environments
from undesirable software and the most elusive malware—including deeply hidden
rootkits, advanced persistent threats (APTs), and unidentified viruses. RSA ECAT is
engineered to automate the detection of anomalies within computer applications
and memory without relying on virus signatures. Instead of analyzing malware
samples to create signatures, RSA ECAT establishes a baseline of anomalies from
“known good” applications, filtering out background noise to uncover malicious
activity in compromised machines. The RSA ECAT console presents a centralized
view of activities occurring within a computer’s memory, which can be used to
quickly identify malware, regardless of whether a signature exists or if the malware
has been seen before. Once a single malicious anomaly is identified, RSA ECAT can
scan across thousands of machines to identify other endpoints that have been
compromised or are similarly at risk.
The RSA Live platform is engineered to help organizations capitalize on the
collective intelligence and analytical skills of the global security community in
detecting and countering advanced threats and other cyber attacks. The RSA Live
platform is designed to gather advanced threat intelligence from a broad range of
respected, reliable security service providers, including RSA researchers. RSA’s
expert researchers and analysts process security information from these myriad
sources and deliver the most relevant data to the RSA Live community directly
through RSA Security Analytics.
RSA® Security Analytics is designed to provide security organizations with the
situational awareness needed to deal with their most pressing security issues. By
analyzing network traffic and log event data, the RSA Security Analytics system
helps organizations gain a comprehensive view of their IT environment, enabling
security analysts to detect threats quickly, investigate and prioritize them, make
remediation decisions, take action, and automatically generate reports. The RSA
Security Analytics solution’s distributed data architecture is engineered to collect,
analyze, and archive massive volumes of data – often hundreds of terabytes and
beyond – at very high speed using multiple modes of analysis. The RSA Security
Analytics platform also is designed to ingest threat intelligence about the latest
tools, techniques, and procedures in use by the attacker community to alert
organizations to potential threats that are active in their enterprise.
page 15