
RSA Security Brief · 2012-12-09 · Protection by Detection: Advanced Security for Advanced Threats Determined cyber adversaries have proven over the past couple of years that they


Breaking Down Barriers to Collaboration in the Fight Against Advanced Threats

RSA Security Brief

February 2012

Authors

Bret Hartman, Chief Technology Officer, RSA, the Security Division of EMC, and EMC Fellow

David Martin, Vice President, Chief Security Officer, EMC Corporation

Dennis R. Moreau, Ph.D., Senior Technology Strategist, RSA, the Security Division of EMC

Kathleen M. Moriarty, GRC Strategy, Office of the CTO, EMC Corporation

Eddie Schwartz, Vice President and CISO, RSA, the Security Division of EMC

Peter M. Tran, Senior Director, Advanced Cyber Defense Practice, RSA, the Security Division of EMC

Key points

– Advanced attacks compel organizations to shift their security strategy from attack prevention to attack detection and mitigation. (Page 1)

– Sharing information and collaborating on advanced threats can help organizations scale their security expertise, speed up attack detection and improve remediation. (Page 2)

– Data standards for describing and transmitting threat information have advanced significantly, but much progress is needed to extend existing standards and drive wider adoption in vendor solutions. (Page 3)

– Threat information-sharing and collaboration programs help organizations augment their expertise and capabilities in detecting and remediating advanced threats, but most sharing programs are hindered by a heavy reliance on manually intensive, non-scalable processes and workflows. (Page 5)

– Organizations cannot wait indefinitely for ideal information-sharing conditions to emerge. Instead, the global security community must move forward with practical security collaboration solutions offering immediate, incremental improvements. (Page 5)

– RSA has created an experimental, cloud-based framework to test and refine prospective solutions to broaden and enhance cyber security collaboration. In its initial implementation, the collaboration framework is designed to help security teams integrate external security experts and service providers into internal workflows for incident detection, investigation and response. (Page 7)


RSA Security Briefs provide security leaders and other executives with essential guidance on today’s most pressing information security risks and opportunities. Each brief is written by a select response team of security and technology experts who mobilize across companies to share specialized knowledge on a critical emerging topic. Offering both big-picture insight and practical technology advice, RSA Security Briefs are vital reading for today’s forward-thinking security practitioners.

Contents

Protection by Detection: Advanced Security for Advanced Threats 1
High Hopes and High Barriers for Cyber Security Collaboration 2
Standards and Partnerships Break down Barriers to Collaboration 3
IODEF: an open standard for encoding threat information 3
RID: an open standard to transmit threat information securely 4
Security standards for advanced threats 4
Security collaboration programs push the bounds of trust 5
Experimental Platforms Explore New Concepts in Security Collaboration 5
Conclusion: Moving Toward Frictionless Collaboration 9
Appendix: About the Authors 10
Related RSA Solutions 12

RSA Security Brief, February 2012

WHAT IS AN ADVANCED THREAT?

Advanced threats are cyber attacks custom-designed to breach an organization’s defenses for these purposes:

— To steal valuable information
— To plant false information
— To disrupt strategic services
— To damage systems or other infrastructure
— To monitor operations or actions

Attackers typically go to great lengths to make their activities hard to detect and track. For more information, please read “When Advanced Persistent Threats Go Mainstream,” a report from the Security for Business Innovation Council.


Protection by Detection: Advanced Security for Advanced Threats

Determined cyber adversaries have proven over the past couple of years that they can defeat the protections of even the world’s most sophisticated security organizations. They’re compiling custom malware to evade signature-based detection tools such as antivirus scanners. They’re using social engineering techniques on unsuspecting employees to circumvent organizations’ perimeter defenses. They’re covering their tracks within systems and leveraging techniques they have perfected across multiple targets.

Today, security experts concede it’s unrealistic to keep attackers entirely out of most networks and systems. Cyber adversaries have the skills, resources and motives to assail their high-value targets repeatedly, trying various techniques, until they succeed (see Figure 1: Anatomy of an Attack). In this persistent threat environment, preventing attacks becomes impractical. Instead, detecting attacks and mitigating their damage becomes the primary focus.

Rapid detection of security breaches is the best way for organizations to minimize their window of vulnerability. Detecting advanced attacks, however, has become increasingly difficult. Today’s complex IT environments give cyber adversaries many places to hide and ways to mask their illicit activities. Security teams are inundated with disparate data from log files, IDS/IPS alerts, network management tools and SIEM platforms and are looking for innovative ways to achieve the situational awareness needed to combat advanced threats. Many organizations are increasingly applying advanced full-packet capture, malware identification and log management tools that look at data in context, not at static signatures, to find stealthy, nuanced threats that defy traditional defenses. Some security teams are also deploying “big data” tools to ingest and normalize large volumes of security information and applying analytics tools to security data to spot unusual patterns and behaviors.

Advanced data analytics can offload many routine threat detection functions from security analysts, enabling continuous monitoring of IT environments and resulting in speedier incident detection and response. Many security teams, however, cannot resolve the problems discovered because they often lack the in-house experience and expertise to determine if alerts point to serious threat activity or harmless anomalies. Security staff may not have sufficient experience with cyber adversaries to profile their objectives and attack methods. Security teams may not be able to reverse-engineer new malware to understand how it works and what it’s targeting. After cleaning infected network nodes or end points, they may not know how to update their defenses to avoid being compromised again.


1. Identifying “the mark” – Attackers pinpoint individuals with the access privileges they need.
2. Spear-phishing – Attackers send spoofed e-mails with malicious links or attachments to infect specific, high-value employees’ machines.
3. Organization mapping – Once inside, attackers map the organization’s IT environment to identify strategic assets, privileged nodes and employees with more useful privileges.
4. Privilege escalation – Attackers elevate privileges through additional spear phishing or by decrypting administrative credentials.
5. Stealth fighters – Attackers install malware to hijack systems, creating backdoors and establishing “back connect” functionality to communicate with command and control servers.
6. D-day – Attackers activate command-and-control infrastructure to steal, encrypt, compress and transmit information.

Figure 1: Anatomy of an Attack

Advanced attacks use multiple techniques custom-tailored to the target. The techniques depicted here are similar to those used in Operation Aurora against private sector corporations.


In these situations, security teams find it helpful to engage the expertise of others in the security community, whether vendors, service providers, government agencies or even colleagues at rival organizations. Collaborating on cyber threats enables security teams to scale their expertise and address attacks faster and more effectively. Collaboration also aids in early detection—even prevention—of threats, because security teams are alert to the techniques and indicators of other recent attacks on similar or related targets and can act preemptively.

High Hopes and High Barriers to Cyber Security Collaboration

Security leaders see vast potential for organizations to tap into threat information from outside sources, ranging from machine-readable attack indicators to general intelligence about cyber adversaries. At the RSA-sponsored Advanced Persistent Threats (APT) Summits in 2011, more than 180 senior leaders from government and business identified threat information exchange as a top priority for the global security community in combating advanced threats. The summits’ key findings included this call to action:

We must work more closely together than ever before: international cooperation and collaboration between companies and the public sector are essential to developing advanced “indicators” that will help identify and mitigate threats.

Business and security leaders, including the executive delegates at the APT Summits, say they’re willing to collaborate with outsiders—even competitors—to pool resources, exchange threat information and mount a stronger defense.

Although organizations have the collective will to work together, they don’t have the means to do so easily or effectively. Six common barriers stand in the way:

1. Lack of interoperable standards to describe advanced threats – The security industry has yet to align behind a set of uniform, machine-readable standards to capture, integrate and communicate threat information. While some leading-edge organizations have standardized data formats for internal systems, extensive manual processing is still the norm when sharing threat indicators, attack forensics or security intelligence with outside parties. Not only must the global security community harmonize data formats for describing basic incidents, it must also establish consistency in expressing the variability and nuances inherent in advanced threats.

2. Risk of information leakage – Concerns about unintended disclosure and attribution have historically been powerful inhibitors to information sharing. Organizations have legal, financial and publicity concerns about revealing they’ve been attacked. Also, incident and attack information is valuable only until cyber attackers learn how their presence, methods and identities are being recognized and tracked. Once that happens, they inevitably adapt, forcing security teams back to square one in detecting and monitoring activities from these adversaries.

3. Untested methods for governing use of sensitive information – As organizations share information about security incidents or threats, no widely accepted mechanisms exist to restrict who sees their information and at what level of detail. Organizations must be able to set and enforce differentiated policies for the people, processes and technologies with access to sensitive information, especially when sharing or collaborating with larger groups.

4. Challenges in validating data quality and reliability – Security teams must have sufficient assurances that threat information comes from trustworthy origins, especially when data is from anonymous or obfuscated sources. Models for assessing the accuracy, relevance and integrity of threat indicators in an automated, scalable way are still largely theoretical and unproven. Independent qualification is essential to fostering and scaling trust in shared data.


In addition to advanced tools and network instrumentation to detect abnormal activity, organizations also need to develop processes and expertise to use the growing variety and volume of security data. For in-depth guidance on adapting people, processes and technologies to combat targeted cyber attacks, please read “Getting Ahead of Advanced Threats: Achieving Intelligence-Driven Information Security,” a report from The Security for Business Innovation Council, available at www.rsa.com/innovation.


5. Shortage of skilled security expertise – Organizations often cannot find security analysts experienced in combating advanced threats, as demand for this specialized skill set currently outstrips supply. Moreover, cultivating new competencies in threat information-sharing may not be something many organizations have the people or budget to support: most security teams are already stretched to their limits keeping up with everyday security functions. This is especially true among mid-size companies and within industries that haven’t historically had to deal with cyber espionage. The disparity in advanced threat experience and expertise among organizations from different industries further hinders prospects for mutually valued collaboration among dissimilar sharing partners.

6. Legal and data confidentiality restrictions – Organizations often must go through several levels of approval before they’re authorized to share information about security incidents or observed threats. While hardly insurmountable, gaining the requisite approvals to participate from in-house lawyers and/or government authorities can be complicated and time-consuming. Not only must organizations repeat approval processes for each new partner with whom they want to exchange security information, they also must shoulder the costs of obtaining and maintaining approvals for participation.

These concerns are formidable barriers to greater collaboration in cyber security. Breaking down these barriers is a complex, laborious process because solutions require diverse groups to coordinate their activities and drive progress on many fronts simultaneously.

Industry groups and public-private initiatives have begun dismantling the barriers to collaboration. Most notably, they are codifying technical standards to define information exchange formats and to institute controls over how data is used and shared. Security leaders see the standardization happening in these areas as crucial to making threat information interpretable with less human intervention and thus faster and easier to act on and share.

Standards and Partnerships Break down Barriers to Collaboration

The global security community is developing consistent electronic languages to capture and integrate threat information and transmit it across many different computing systems and security management platforms. Several emerging cyber security standards show early promise. Two of them, the Incident Object Description Exchange Format (IODEF) and Real-time Internetwork Defense (RID), could potentially play a pivotal role in protecting incident-related communication between sharing partners.

IODEF: an open standard for encoding threat information

The Incident Object Description Exchange Format, or IODEF (pronounced “I-O-def”), was developed by several international computer security incident response teams (CSIRTs) and industry representatives in the IETF to provide a standard way to describe and package information about security incidents. The IODEF data model defines an XML schema to encode threat information so it can be conveyed consistently to other parties or administrative domains. IODEF documents describe threat-related information such as IP addresses, domain names, traceroutes, platform types, vulnerabilities, exploits and the resulting impact on affected assets.

Because IODEF documents use an open standard and are machine-readable, the encoded information they contain can be automatically parsed and transferred to a recipient’s chosen incident management system. The automated handling of IODEF documents reduces the need for security analysts to read and categorize free-form text or otherwise normalize data from outside sources. Integrating IODEF feeds into incident management systems can slash the time required to process threat data from days to minutes.

IODEF is gaining traction in the international security community. IODEF documents are already used by several country-level CSIRTs to exchange threat information, including the US CERT. The IODEF framework has also been adopted by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), the Antiphishing Working Group and other notable cyber security organizations.


RID: an open standard to transmit threat information securely

The Real-time Internetwork Defense, or RID, standard provides “envelopes” to share and transmit IODEF documents securely among organizations. RID messages can also manage information about any kind of electronic incident to outside parties, not just security incidents.

The RID standard takes advantage of the W3C’s XML security and privacy features to convey essential security controls indicating how incident information can be used and how it should be protected. For example, RID messages provide four data sensitivity classifications to establish sharing restrictions and other policy requirements for threat information. RID interprets the classifications to protect data appropriately with XML encryption.

In order to enforce those restrictions and policies, however, organizations must first establish agreements with their sharing partners on how policies are interpreted. The RID standard recommends that organizations create “trust profiles”—uniform security settings that map specific requirements and controls to the sensitivity of data a sharing partner will likely see. RID does not, however, specify how to implement mapping at the application layer, because organizations have widely divergent platforms for enforcing data security. The RID standard simply provides policy considerations and technical controls to help sharing partners build enforceable trust profiles.

Regarding technical controls, RID offers authentication, confidentiality, integrity and authorization-security features—protections necessary for organizations to control their threat information in compliance with policies. Information sources can digitally sign portions of the IODEF document for which they’re responsible, enabling recipients to authenticate the originator. These protections also give users assurance that threat information is indeed from the specified source and was not modified in transit.
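The IODEF encoding and the RID “trust profile” idea from the two sections above, as an added example that is not part of the brief and not RSA’s code: it builds a small IODEF v1 document with Python’s standard library, applies a partner-specific sharing policy that drops every element marked above the partner’s clearance before the document is handed to the transport, and parses what survives into the flat record an incident management system would ingest. The element and attribute names are recalled from RFC 5070 and should be checked against the schema; the clearance ordering, the “inherit the parent’s marking” rule and the record layout are this example’s own assumptions, and the XML encryption RID applies to the envelope is not shown.

```python
"""IODEF encode -> trust-profile redaction -> parse (added illustration, not RSA's code)."""
import copy
import xml.etree.ElementTree as ET

# Namespace and element names as recalled from RFC 5070 (IODEF v1); verify against the RFC.
NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", NS)

# Ordering of the IODEF restriction markings used by this example's policy (assumption).
RESTRICTION_RANK = {"public": 0, "need-to-know": 1, "private": 2}


def q(tag):
    """Return the namespace-qualified tag name ElementTree expects."""
    return f"{{{NS}}}{tag}"


def build_incident(incident_id, reporter, source_ip, target_host, restriction="need-to-know"):
    """Encode one observed intrusion as an IODEF document (all values are constructed samples)."""
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting", "restriction": restriction})
    ET.SubElement(inc, q("IncidentID"), {"name": reporter}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = "2012-02-01T12:00:00+00:00"
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"type": "admin", "completion": "succeeded"})
    # Who we are is marked 'private': partners below that clearance never see the contact.
    contact = ET.SubElement(inc, q("Contact"),
                            {"role": "creator", "type": "organization", "restriction": "private"})
    ET.SubElement(contact, q("ContactName")).text = reporter
    ET.SubElement(contact, q("Email")).text = f"soc@{reporter}"
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    # The attacker-side indicator inherits the Incident's marking and is the shareable part.
    src = ET.SubElement(flow, q("System"), {"category": "source"})
    ET.SubElement(ET.SubElement(src, q("Node")), q("Address"),
                  {"category": "ipv4-addr"}).text = source_ip
    # The victim host reveals our internal layout, so it is marked 'private' as well.
    tgt = ET.SubElement(flow, q("System"), {"category": "target", "restriction": "private"})
    ET.SubElement(ET.SubElement(tgt, q("Node")), q("NodeName")).text = target_host
    return doc


def apply_trust_profile(doc, partner_clearance):
    """Return a redacted copy: elements marked above the partner's clearance are removed.

    This is the application-layer mapping RID leaves to each organization; the rule that an
    unmarked element (or one marked 'default') inherits its parent's marking is ours.
    """
    limit = RESTRICTION_RANK[partner_clearance]
    out = copy.deepcopy(doc)

    def prune(parent, inherited):
        for child in list(parent):
            level = child.get("restriction", "default")
            if level == "default":
                level = inherited
            if RESTRICTION_RANK[level] > limit:
                parent.remove(child)          # drop the whole subtree, not just the text
            else:
                prune(child, level)

    prune(out, "public")                      # the document wrapper carries no marking
    return out


def share_with(doc, partner_clearance):
    """Serialise the redacted document as it would be placed inside a RID envelope."""
    return ET.tostring(apply_trust_profile(doc, partner_clearance), encoding="utf-8")


def parse_incident(xml_bytes):
    """Normalise a received IODEF document into a flat record; None if nothing was shareable."""
    root = ET.fromstring(xml_bytes)
    inc = root.find(q("Incident"))
    if inc is None:
        return None
    record = {
        "id": inc.findtext(q("IncidentID")),
        "reporter": inc.find(q("IncidentID")).get("name"),
        "reported": inc.findtext(q("ReportTime")),
    }
    for system in inc.iter(q("System")):
        values = [n.text for n in system.iter() if n.tag in (q("Address"), q("NodeName"))]
        record.setdefault(system.get("category"), []).extend(values)
    return record


if __name__ == "__main__":
    doc = build_incident("189493", "csirt.example.com", "192.0.2.45", "mail-gw01.example.com")
    for clearance in ("private", "need-to-know", "public"):
        print(clearance, "->", parse_incident(share_with(doc, clearance)))
```

Run stand-alone, the script shows the same incident collapsing from a full record, to indicator-only (no contact, no victim host), to nothing at all as the partner’s clearance drops.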

Security standards for advanced threats

While open standards such as IODEF and RID can help organizations communicate threat information and enforce sharing policies, additional cyber security standards are needed to represent the complex indicators, behaviors and forensics information typically associated with advanced threats.

Several standards are emerging to improve accuracy and consistency in encapsulating and sharing information on advanced threats. A few prominent examples are summarized below:

– Malware Attribute Enumeration and Classification, or MAEC (pronounced “mike”), is a specialized language to describe malware based on how it operates and the specific actions it performs. MAEC uses abstract patterns, not physical signatures, to detect malware, to assess what malicious code is attempting to accomplish and to gauge the corresponding risks to the organization. MAEC is developing rapidly and appears to be gaining support among security vendors.

– Common Attack Pattern Enumeration and Classification, or CAPEC, describes common methods for subverting software, including phishing, SQL injections, cache poisoning and code-signing defeats.

– Cyber Observable eXpression, or CybOX, is an open standard that specifies, captures, characterizes and communicates any event or condition observable in the cyber domain – what CybOX describes as “cyber observables.” CybOX provides a structured schema for representing cyber observables in a variety of security use cases such as event management/logging, malware characterization, intrusion detection and incident response/management. The schema is flexible enough to represent both abstract patterns of activity that may be targets for further monitoring and analysis, as well as detailed descriptions of events that have been measured in an operational context.

– Advanced Forensics Framework 4, or AFF4, is a universal framework for storing, managing and sharing digital evidence used in both cyber crime forensics and cyber defense. It offers several enhancements to earlier versions of AFF, most notably the ability to store multiple kinds of evidence from myriad devices in a single archive. Conversely, a single archive of evidence can be used by many different platforms, including workstations, relational databases or object management systems, without necessitating changes to forensic software.


– Security Content Automation Protocol, or SCAP, is increasingly used to assess the vulnerability and exploitability of software, as well as security-related configuration issues. SCAP is a set of data representations that provide a context for understanding even zero-day exploits, which are often used in advanced attacks.

Security collaboration programs push the bounds of trust

Most threat information-sharing programs have either been built around specific industries (e.g., the Electric Sector ISAC, the Financial Services ISAC, the Information Technology ISAC) or set up as private-public partnerships (e.g., the Defense Security Information Exchange, the Enduring Security Framework). Information-sharing and security collaboration programs vary widely in capabilities and maturity. In general, however, they typically issue regular reports, advisories and alerts on security threats, both cyber and physical, for the groups they serve. Information-sharing programs may also share security tips and best practices with their members.

For the most part, information distributed by sharing programs is not in machine-readable formats, meaning security personnel must sift through emails, website postings or other communications from the sharing group. In some public-private programs dealing with highly sensitive security threats, information is exchanged mostly through offline methods such as hand-delivered documents, phone calls on secure lines and in-person meetings at secure facilities. For the vast majority of information-sharing groups, exchanging threat data remains reliant on non-automated, manually intensive processes, which by their nature are not readily scalable.

Some sharing groups, including the Financial Services ISAC and the Research and Education Network ISAC, have moved to automated data feeds for threat information. Member organizations connect their incident management platforms to these ISACs via APIs. The platform integration process can be complex, requiring many one-off implementations.

While much work needs to be done to enable threat information sharing at machine speed, today’s sharing groups are tackling one of the toughest challenges in cyber security collaboration: establishing the legal and procedural frameworks to mediate and manage trust across multiple member organizations. Through their membership agreements, sharing groups have made substantial headway in codifying what information can be shared, how it can be shared and how it should be protected. Establishing these participation terms helps the broader security community normalize classifications for data sensitivity, identify relevant data types and define appropriate policies and controls. These developments, in turn, help shape technical standards and commercial products.

Information sharing communities have become vital proving grounds for advancing security technologies and processes, as well as for expanding the security expertise of participants. The security community has seen sufficient interest and progress in information-sharing programs to consider next steps. The industry dialog on security collaboration is now shifting from “can we do it?” to “how can we do it better?”

Experimental Platforms Explore New Concepts in Security Collaboration

Because detecting and remediating advanced threats requires highly specialized security expertise, collaboration with outside partners is often the most efficient and convenient way to scale advanced threat capabilities and talent. With advanced attacks escalating in frequency and sophistication, the global security community sees an urgent need to move forward with information-sharing and collaboration programs. In the absence of mature standards and collaboration models, pragmatism, not perfection, is the go-forward approach to threat information exchange and collaboration.


To learn more about information sharing and analysis centers (ISACs), please visit the National Council of ISACs’ webpage: http://www.isaccouncil.org/.


RSA is developing an experimental technical framework that facilitates collaboration between organizations and outside security experts in detecting, investigating and remediating advanced threats. RSA’s new threat response collaboration framework is built upon the foundations of what’s achievable today, technologically, legally and procedurally. It’s important to note that the framework is not a commercial offering; it’s an experimental cloud-based platform to test and explore new methods for improving threat information exchange and collaboration at a broader scale.

The framework builds on top of existing capabilities in the RSA NetWitness Live™ service and the RSA Archer™ eGRC Suite to connect security teams and their advanced security systems with a trusted set of external service providers offering world-class expertise in combating advanced threats. Security teams could tap into these outside providers for a variety of services:

– Threat intelligence feeds to improve detection capabilities
– Attack-specific intelligence that can assist in attribution
– Advanced forensics services such as malware reverse-engineering, memory analysis and network packet capture analysis
– Remediation recommendations or direct actions such as writing a new detection rule for specific security systems

Service providers connected to the collaboration framework would be best-in-breed specialists with whom enterprise security teams have already established working relationships. All participating entities would be governed by their existing service contracts.

In its initial implementation, the experimental collaboration framework would serve as a cloud delivery platform for specialized security services. (See Figure 2: Threat Response Collaboration Framework.) Compared to conventional processes for collaborating on threat detection and response, the collaboration framework is designed to confer several important advantages:

– Augments in-house security capabilities with on-demand external expertise – The collaboration

framework puts world-class advanced threat expertise “on tap” so organizations can integrate

outside specialists into the internal workflows of their security operations centers (SOCs). This is

particular beneficial when in-house resources detect a potential problem they cannot fully analyze or

remediate themselves.

– Provides security, policy and data leakage protection – The collaboration framework makes full use of the RSA NetWitness® platform’s encryption and obfuscation capabilities to protect detection rules. Rules are delivered encrypted and are decrypted and operationalized only inside the RSA NetWitness appliance, so they are never exposed in the clear to intermediaries or to operators outside the appliance. This minimizes the risk that attack indicators, and the sources that contributed them, leak to an adversary who would otherwise learn what is being watched for. Also, the collaboration framework will take advantage of the security and policy management features built into the RID messaging and transport standards. RID messaging (RFC 6045) uses XML digital signatures and XML encryption to provide authentication, confidentiality, integrity and authorization protections for each message. RID transport (RFC 6046) carries those messages over HTTP with TLS, encrypting data in transit and protecting sessions against hijacking.

– Coordinates workflows for incident handling and response – The collaboration framework will use RID messaging communication flows to facilitate queries, requests and other communications between security teams and outside parties. Organizations can track the status of their incident-related requests through the RSA Archer™ eGRC suite.

– Automates routine steps in threat sharing and collaboration – The collaboration framework will integrate with security tools already deployed within many organizations today. Also, the framework will use the IODEF open data format (Incident Object Description Exchange Format, RFC 5070) to facilitate communication among collaborating parties. The collaboration framework’s integration features and its use of open standards should reduce manual processing tasks for security teams, helping speed threat detection, investigation and response.

RSA Security Brief, February 2012

Page 9: RSA Security Brief · 2012-12-09 · Protection by Detection: Advanced Security for Advanced Threats Determined cyber adversaries have proven over the past couple of years that they


• Incident investigation – To save analysts time, future iterations of the collaboration framework will automatically populate threat information from the RSA NetWitness platform into well-structured IODEF documents augmented with detailed forensic artifacts. The IODEF document, along with supporting forensic evidence, is then ready for review by a security analyst, who can send it to outside experts for further analysis, if necessary.

• Incident remediation – Security teams can choose to automatically ingest and operationalize new threat detection and remediation rules through the RSA NetWitness Live component of the collaboration framework. Alternatively, the framework can generate remediation tickets through its integration with incident management tools, such as the incident management module in the RSA Archer eGRC Suite.

• Threat intelligence sharing – Security service providers can stream newly emerging threat information to their subscriber communities through the RSA NetWitness Live platform. Simultaneously, security teams can elect to accept and operationalize threat information automatically from trusted service providers. In the near future, security teams will be able to contribute new detection and remediation rules developed during their own incident investigations by uploading them through the RSA NetWitness Live service.


Figure 2: Threat Response Collaboration Framework. Components shown: RSA NetWitness platform, RSA NetWitness Live service, RSA Archer eGRC Suite and the Threat Response Collaboration Framework. The numbered steps in the figure are:

1 RSA NetWitness monitoring detects a network node sending an executable to a rarely used port on a server in the enterprise.

2 The security team conducts an investigation and can find no legitimate reason for the network node to communicate with the server. It also finds that the server is a source control management server. The priority of the event is escalated in RSA Archer Incident Management.

3 The security team packages incident-related information in an IODEF document with additional information encapsulated in a PCAP file and sends it to an external network analyst for investigation.

4 The network analyst extracts and analyzes the executable, finds it to be malicious and recommends a forensic investigation of the server.

5 The security team captures a memory dump of the server and sends it to another external expert specializing in end point analysis.

6 The end point analyst finds evidence of the compromise and recommends monitoring any activity associated with a newly identified command-and-control IP address.

7 The security team updates the RSA NetWitness platform with a new alerting rule to monitor traffic associated with the newly identified command-and-control IP address.

8 The security team elects to share the new command-and-control IP address with other organizations through the RSA NetWitness Live intelligence service.

9 A new ticket is initiated in the RSA Archer Incident Management module requesting end point remediation. Another ticket is initiated requesting server remediation.
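The package that the incident investigation bullet above and step 3 of Figure 2 describe, an IODEF document with a PCAP beside it, as an added example (Python, standard library only; this is not code from the brief or from the RSA NetWitness or Archer products). The element set and ordering follow RFC 5070; the hosts, addresses, incident ID, reporter contact and PCAP bytes are constructed stand-ins.

```python
"""IODEF 1.0 (RFC 5070) incident package for the Figure 2 scenario.

Added example, not code from the RSA brief or from RSA NetWitness/Archer.
Hosts, addresses, the incident ID, the reporter contact and the PCAP bytes
are constructed stand-ins.
"""
import hashlib
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("iodef", IODEF_NS)

# Constructed reporter and a minimal pcap (global header only, no packets).
REPORTER = {"name": "Example Corp SOC", "email": "soc@example.com", "domain": "example.com"}
PCAP_BYTES = bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")


def q(tag):
    """Clark-notation tag in the IODEF namespace."""
    return f"{{{IODEF_NS}}}{tag}"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_iodef(incident_id, src_ip, dst_ip, dst_port, pcap_name, pcap_bytes, reporter=REPORTER):
    """Serialize one suspicious flow as an IODEF-Document.

    Child order inside Incident follows RFC 5070 section 3.2: IncidentID,
    ReportTime, Description, Assessment, Contact, EventData, AdditionalData.
    """
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", XML_LANG: "en"})
    inc = ET.SubElement(doc, q("Incident"), purpose="reporting")
    # IncidentID's name attribute is the ID namespace: the reporting organization's domain.
    ET.SubElement(inc, q("IncidentID"), name=reporter["domain"]).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = "2012-02-01T10:15:00+00:00"  # constructed
    ET.SubElement(inc, q("Description")).text = (
        "Executable sent to a rarely used port on a source control server")
    impact = ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"),
                           type="unknown", completion="succeeded")
    impact.text = "Possible malware staging; external analysis requested"
    contact = ET.SubElement(inc, q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, q("ContactName")).text = reporter["name"]
    ET.SubElement(contact, q("Email")).text = reporter["email"]
    # One Flow with the source host and the target server plus the observed TCP service.
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    src = ET.SubElement(flow, q("System"), category="source")
    ET.SubElement(ET.SubElement(src, q("Node")), q("Address"), category="ipv4-addr").text = src_ip
    tgt = ET.SubElement(flow, q("System"), category="target")
    ET.SubElement(ET.SubElement(tgt, q("Node")), q("Address"), category="ipv4-addr").text = dst_ip
    ET.SubElement(ET.SubElement(tgt, q("Service"), ip_protocol="6"), q("Port")).text = str(dst_port)
    ET.SubElement(tgt, q("Description")).text = "Source control management server"
    # The PCAP travels beside the document; its name and digest let the receiver check it.
    ET.SubElement(inc, q("AdditionalData"), dtype="string", meaning="pcap-filename").text = pcap_name
    ET.SubElement(inc, q("AdditionalData"), dtype="string",
                  meaning="pcap-sha256").text = sha256_hex(pcap_bytes)
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def parse_iodef(xml_bytes):
    """Pull the fields a receiving analyst needs back out of the document."""
    ns = {"iodef": IODEF_NS}
    root = ET.fromstring(xml_bytes)
    if root.tag != q("IODEF-Document"):
        raise ValueError("not an IODEF document")
    inc = root.find("iodef:Incident", ns)
    info = {
        "incident_id": inc.findtext("iodef:IncidentID", namespaces=ns),
        "purpose": inc.get("purpose"),
        "extra": {a.get("meaning"): a.text for a in inc.findall("iodef:AdditionalData", ns)},
    }
    for system in inc.findall("iodef:EventData/iodef:Flow/iodef:System", ns):
        info[system.get("category")] = system.findtext("iodef:Node/iodef:Address", namespaces=ns)
        port = system.findtext("iodef:Service/iodef:Port", namespaces=ns)
        if port is not None:
            info["port"] = int(port)
    return info


if __name__ == "__main__":
    packaged = build_iodef("SOC-2012-0042", "10.0.5.23", "10.0.9.8", 4499,
                           "flow-4499.pcap", PCAP_BYTES)
    print(packaged.decode())
    print(parse_iodef(packaged))
```

The digest in AdditionalData is what lets the outside analyst confirm that the PCAP they received is the one the SOC packaged. Before such a document leaves the organization it is also the natural place to run the data loss prevention check the conclusion calls for, since internal hostnames, contact details and the PCAP itself all sit in predictable fields.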
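Steps 1 and 7 of Figure 2 expressed as detection rules and run over constructed flow records, as an added example (Python; this is not the RSA NetWitness rule syntax or any RSA code). The per-server port baseline, the flow records, the command-and-control address (drawn from the TEST-NET-3 documentation range) and the 1% rarity threshold are all assumptions made for the example.

```python
"""Detection rules for steps 1 and 7 of Figure 2, run over constructed flows.

Added example; this is not the RSA NetWitness rule language or any RSA code.
The port baseline, the flow records, the C2 address (taken from the
TEST-NET-3 documentation range) and the 1% rarity threshold are assumptions.
"""
from collections import Counter

# Constructed baseline: (dst_ip, dst_port) -> flows seen in the look-back window.
BASELINE = Counter({
    ("10.0.9.8", 22): 1200,   # ssh to the source control server
    ("10.0.9.8", 443): 860,   # https to the same server
    ("10.0.9.8", 4499): 2,    # almost never used
})

# Constructed flow records: metadata plus the first payload bytes.
FLOWS = [
    {"src": "10.0.5.23", "dst": "10.0.9.8", "dport": 22, "payload": b"SSH-2.0-OpenSSH"},
    {"src": "10.0.5.23", "dst": "10.0.9.8", "dport": 4499, "payload": b"MZ\x90\x00\x03\x00"},
    {"src": "10.0.9.8", "dst": "203.0.113.77", "dport": 8080, "payload": b"GET /beacon"},
    {"src": "10.0.7.4", "dst": "10.0.9.8", "dport": 443, "payload": b"\x16\x03\x01"},
]

# Learned from the end point analyst in step 6 (constructed address).
C2_ADDRESSES = {"203.0.113.77"}


def is_executable(payload):
    """PE files start with 'MZ'; ELF files with 0x7f 'ELF'."""
    return payload[:2] == b"MZ" or payload[:4] == b"\x7fELF"


def port_is_rare(dst, dport, baseline=BASELINE, threshold=0.01):
    """A port is rare for dst when it carried under `threshold` of dst's flows."""
    total = sum(n for (ip, _), n in baseline.items() if ip == dst)
    if total == 0:
        return True  # a server we have never seen traffic to at all
    return baseline.get((dst, dport), 0) / total < threshold


def rule_executable_to_rare_port(flow, baseline=BASELINE):
    """Step 1: executable payload to a port that is unusual for the destination."""
    if is_executable(flow["payload"]) and port_is_rare(flow["dst"], flow["dport"], baseline):
        return f"executable from {flow['src']} to rare port {flow['dport']} on {flow['dst']}"
    return None


def rule_known_c2(flow, c2=C2_ADDRESSES):
    """Step 7: any flow whose source or destination is a known C2 address."""
    peer = next((ip for ip in (flow["dst"], flow["src"]) if ip in c2), None)
    return None if peer is None else f"traffic with known C2 address {peer}"


RULES = (rule_executable_to_rare_port, rule_known_c2)


def run_rules(flows, rules=RULES):
    """Return (rule name, message) for every flow that fires a rule."""
    alerts = []
    for flow in flows:
        for rule in rules:
            message = rule(flow)
            if message:
                alerts.append((rule.__name__, message))
    return alerts


if __name__ == "__main__":
    for name, message in run_rules(FLOWS):
        print(f"[{name}] {message}")
```

The first rule is only as good as its baseline: a port that is rare because the look-back window is short will fire on every new legitimate service, so the window and the threshold need tuning per server class. The second rule is the kind of indicator that step 8 shares through the intelligence service, which is why the C2 set is kept as data rather than hard-coded into the rule.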


– Provides performance monitoring and trust measures – The collaboration framework will track basic measures of service provider performance, such as the number of requests a provider has handled through the platform, a provider’s average response time and the average lifespan of incidents, from start to close. These basic measures can help security teams benchmark their incident management performance over time and compare the responsiveness or efficacy of various service providers. The performance monitoring capabilities of the collaboration framework could ultimately include more revealing measures of trust, such as user-contributed ratings of vendors and reputation scoring. Such community-generated information could help security teams qualify service providers to help with new incidents or future attacks.

RSA expects its new experimental collaboration framework to help the broader security community explore new ideas and methods for sharing threat information and for coordinating responses to advanced attacks. Also, the collaboration framework could help scale the advanced threat expertise of mid-size companies or organizations with less developed information security capabilities.

Figure 3: Threat Response Collaboration Framework. A web-based interface enables security teams to engage external security experts in investigating and analyzing advanced attacks and other complex security incidents.


Conclusion: Moving Toward Frictionless Collaboration

Real-time information-sharing and highly automated processes for threat detection, analysis and remediation are the goal states for future security collaboration programs. Although skilled analysts will always need to manage security incidents and determine what information can be shared, process automation can greatly curtail the time required to neutralize advanced threats, offload mundane tasks from busy security teams and reduce the potential for error in human handling of data.

The global security community has made notable progress on collaboration initiatives. The combination of IODEF and RID, for instance, shows promise as a trusted communication mechanism for general threat information. Additional standards such as CybOX, MAEC and SCAP are being refined to represent threats as nuanced patterns of behavior rather than as static signatures. Numerous public-private information sharing programs and ISACs are also refining models for security collaboration, working toward greater automation of sharing processes.

To move collaboration practices forward, RSA sees three important areas for future development within the global security community.

– Reliable methods to establish and monitor trust for collaborating parties – Referrals, qualifications and performance benchmarks are important proxies for trust, but they’re difficult to represent consistently or concisely. As information-sharing groups and data exchanges grow in number, aggregating member-submitted reviews and ratings may become an efficient, reliable way to scale trust monitoring. Threat information-sharing and collaboration programs could also require all participants to comply with a common code of conduct, which could be enforced by periodic audits.

– Trusted service delivery infrastructure – Organizations must be assured that collaboration partners and service providers have taken appropriate measures to secure the systems and processes handling shared threat information. To give sharing partners confidence that sensitive threat information is not leaking from compromised assets, the global security industry should standardize mechanisms for establishing, managing and verifying trust in the infrastructure hosting threat information exchange and collaboration processes. One emerging way to provide such assurance is to standardize access to Trusted Platform Modules (TPMs) and the “root of trust” evidence that TPMs generate. By employing roots of trust to verify the identity, integrity and location of key components within the service delivery chain, sharing partners can provide each other with detailed evidence of platform security, creating trust based on proof, not promises.
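What “proof, not promises” looks like on the verifier’s side, as an added example (Python, standard library only; not code from the brief): a sharing partner replays the measured-boot log of the host it is about to exchange threat data with, recomputes the TPM PCR values, checks them against the digest in the host’s quote, and compares them with golden values for the approved build. The measurement log, golden values, PCR selection and key are constructed for the example, and the attestation-key signature over the quote is stood in by an HMAC under a shared key, since a real TPM signs with an RSA or ECC attestation key that cannot be exercised offline here.

```python
"""Verifying root-of-trust evidence by replaying a measurement log.

Added example, not code from the brief. It shows the verifier side of TPM
attestation that needs no TPM library: recompute PCRs from the measured
boot log, confirm they match the quoted digest, then compare them to the
golden values for an approved build. The log, golden values, PCR selection
and key are constructed; the attestation-key signature over the quote is
stood in by an HMAC under a shared key (a real TPM signs with an RSA or
ECC attestation key that cannot be exercised offline here).
"""
import hashlib
import hmac

PCR_LEN = 32  # SHA-256 bank


def extend(pcr, event_digest):
    """TPM PCR extend: PCR' = H(PCR || H(event)). Order matters; nothing can be undone."""
    return hashlib.sha256(pcr + event_digest).digest()


def replay_log(events):
    """events: (pcr_index, description, bytes measured). Returns {index: pcr_value}."""
    pcrs = {}
    for index, _description, data in events:
        pcr = pcrs.get(index, b"\x00" * PCR_LEN)
        pcrs[index] = extend(pcr, hashlib.sha256(data).digest())
    return pcrs


def quote_digest(pcrs, indices):
    """A TPM quote carries a hash over the selected PCRs, not the PCRs themselves."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(indices))).digest()


def make_quote(pcrs, indices, nonce, attestation_key):
    """Platform side: sign (nonce || PCR digest) so the verifier can detect replay."""
    digest = quote_digest(pcrs, indices)
    signature = hmac.new(attestation_key, nonce + digest, hashlib.sha256).digest()  # HMAC stand-in
    return {"indices": sorted(indices), "digest": digest, "nonce": nonce, "signature": signature}


def verify(quote, log, golden, nonce, attestation_key):
    """Verifier side. Returns (ok, reason); every check fails closed."""
    if quote["nonce"] != nonce:
        return False, "nonce mismatch: quote was not produced for this challenge"
    expected = hmac.new(attestation_key, nonce + quote["digest"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote["signature"]):
        return False, "signature does not verify under the attestation key"
    pcrs = replay_log(log)
    if quote_digest(pcrs, quote["indices"]) != quote["digest"]:
        return False, "log does not reproduce the quoted PCRs (log tampered or truncated)"
    for index in quote["indices"]:
        if pcrs[index] != golden[index]:
            return False, f"PCR{index} differs from the approved build"
    return True, "platform matches the approved build"


# Constructed measured-boot log and the golden PCRs derived from it.
GOOD_LOG = [
    (0, "firmware", b"bios-v1.2"),
    (4, "bootloader", b"grub-2.02"),
    (4, "kernel", b"vmlinuz-3.2-collab"),
    (7, "secure-boot-db", b"db:example-ca"),
]
SELECTED_PCRS = [0, 4, 7]
GOLDEN = replay_log(GOOD_LOG)
ATTESTATION_KEY = b"constructed-shared-attestation-key"


def attest(log, nonce=b"verifier-challenge-1"):
    """Run both sides for a platform that booted with `log`."""
    quote = make_quote(replay_log(log), SELECTED_PCRS, nonce, ATTESTATION_KEY)
    return verify(quote, log, GOLDEN, nonce, ATTESTATION_KEY)


if __name__ == "__main__":
    print(attest(GOOD_LOG))
    tampered = GOOD_LOG[:2] + [(4, "kernel", b"vmlinuz-3.2-backdoored")] + GOOD_LOG[3:]
    print(attest(tampered))
```

The order of the checks matters: the nonce and signature are verified first so that a replayed or forged quote is rejected before any trust is placed in the log, and the log is only consulted to explain which component drifted from the approved build once the quote itself has been shown to be genuine.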

– Automation of information-sharing functions within security management tools – Security vendors should enhance their solutions to facilitate information sharing. This requirement could include adapting data formats for threat indicator feeds so they can be readily integrated and analyzed with other information sources. Incident management tools could automate the capture of data related to suspicious activities and forward the information for review and further action by a security analyst. Data loss prevention systems could be extended to scan threat information before it’s sent to outside partners to prevent accidental disclosure of sensitive data.

Solutions to these challenges will require a coordinated effort within the global security community: companies, government agencies, industry groups, service providers and solutions vendors all have important parts to play.

For our part, RSA is evaluating the implementation of adoption-ready standards such as IODEF and RID across our security management portfolio. RSA is also contributing to various industry groups developing information-sharing standards and frameworks, as well as public-private initiatives to collaborate on security. The new experimental threat response collaboration framework developed by RSA can help the security community explore new methods for managing trust among multiple organizations. We hope this, in turn, will accelerate industry efforts to scale security expertise and to expand participation in threat collaboration programs.


About the Authors

Bret Hartman, Chief Technology Officer, RSA, the Security Division of EMC and EMC Fellow

Bret Hartman is responsible for defining the corporate security technology strategy for EMC, as implemented by the RSA division. Prior to RSA, Mr. Hartman was Chief Technology Officer, Information Security, at EMC Corporation.

Mr. Hartman has more than 30 years of experience building information security solutions for major enterprises. His expertise includes service oriented architecture (SOA) and web services security, policy development and management, and security modeling and analysis. Mr. Hartman has spoken at dozens of security and privacy industry events and is a recognized authority on distributed systems security.

Prior to EMC, Mr. Hartman was Director of Technical Services for SOA Appliances at IBM Corporation and was also Vice President of Technology Solutions at DataPower Technology, which was acquired by IBM. Mr. Hartman’s previous roles include Chief Technology Officer at Quadrasis Security (Hitachi Computer Products); Vice President, e-Security Services and Chief Security Architect at Concept Five Technology; President and Co-Founder of BlackWatch Technology Inc; and Director of Information Security at Odyssey Research Associates. Mr. Hartman began his distinguished career as a U.S. Air Force officer assigned to the U.S. National Security Agency.

At the U.S. National Security Agency, Mr. Hartman helped to create the “DoD Trusted Computer System Evaluation Criteria” (Orange Book). He was a co-author of Object Management Group’s CORBA Security specification, and co-edited the Security Scenarios document produced by the WS-I Basic Security Profile Working Group. Mr. Hartman also co-authored Mastering Web Services Security (Wiley 2003), Enterprise Security with EJB and CORBA (Wiley 2001), and U.S. patent 6,807,636: “Methods and Apparatus for Facilitating Security in a Network.”

David Martin, Vice President, Chief Security Officer, EMC Corp.

Dave Martin manages EMC’s industry-leading Global Security Organization focused on protecting the company’s multi-billion dollar assets and revenue. As EMC’s most senior security executive, he is responsible for establishing EMC’s brand of trust with its customers and for providing business protection operations worldwide.

Mr. Martin is a Certified Information Systems Security Professional and brings a range of experience to EMC in information security and management developed through more than a decade of professional business protection experience from various roles in internal audit, security services development and consulting.

Prior to joining EMC, Mr. Martin built and led security consulting organizations, focusing on critical infrastructure, technology, banking and healthcare verticals, where he developed and delivered enterprise security programs, incident response, investigations, policy and assessment practices.

Mr. Martin holds a BEng in manufacturing systems engineering and provides frequent testimony to the U.S. Congress and government agencies as an expert witness on corporate enterprise protection issues.

Dennis R. Moreau, Ph.D., Senior Technology Strategist, RSA, the Security Division of EMC

Dennis Moreau specializes in the application of leading-edge technologies to the solution of complex problems in information systems management and security domains. His primary focus is in developing solutions to improve IT efficiency and effectiveness for service, systems, security, compliance and configuration management/optimization. He works actively with the National Institute of Standards and Technology (NIST), the U.S. Department of Defense (DoD) and the Mitre Corporation on the development of security information standards.

Dr. Moreau has more than 35 years of experience in designing systems and security management solutions. Prior to joining RSA, he was a founder and the CTO for Configuresoft and CTO for Baylor College of Medicine. He holds a doctorate in computer science and has held faculty positions in computational medicine and computer science, conducting research programs under the sponsorship of the National Aeronautics and Space Administration, Jet Propulsion Laboratories, the National Institutes of Health, the National Library of Medicine, Bell Laboratories and IBM. He speaks regularly at IT management and security conferences worldwide.



Kathleen M. Moriarty, GRC Strategy, Office of the CTO, EMC Corporation

Kathleen Moriarty works in the EMC Office of the CTO, shaping technology strategy and standards for information governance, risk, and compliance, with a focus on incident response and related areas. Ms. Moriarty is the primary author of multiple published standards, and she actively contributes to security standards development in both the ITU-T and the IETF. She currently chairs the IETF’s Managed Incident Lightweight Exchange (MILE) working group.

Previously, as the practice manager for security consulting at EMC, Ms. Moriarty developed security programs for clients and oversaw key projects, including serving as the acting CISO of a global investment banking firm. Before joining EMC, Ms. Moriarty was the head of IT security at the Massachusetts Institute of Technology Lincoln Laboratory, where she was responsible for all unclassified information security programs, including managing the incident response team and coordinating incident handling. She also served as director of information security at FactSet Research Systems, a provider of financial information and analytical applications to the global investment community.

Ms. Moriarty is a Certified Information Systems Security Professional (CISSP). She holds a Master of Science in Computer Science from Rensselaer Polytechnic Institute and a Bachelor of Science in Mathematics and Computer Science from Siena College.

Eddie Schwartz, Vice President and CISO, RSA, the Security Division of EMC

Eddie Schwartz is Chief Information Security Officer (CISO) for RSA and has 25 years of experience in the information security field.

Previously, he was CSO of NetWitness (acquired by EMC), CTO of ManTech, EVP and General Manager of Global Integrity (acquired by INS), SVP of Operations of Guardent (acquired by VeriSign), CISO of Nationwide Insurance, a Senior Computer Scientist at CSC, and a Foreign Service Officer with the U.S. Department of State. Mr. Schwartz has advised a number of early stage security companies, and served on the Executive Committee for the Banking Information Technology Secretariat (BITS).

Mr. Schwartz has a B.I.S. in Information Security Management and an M.S. in Information Technology Management from the George Mason University School of Management.

Peter M. Tran, Senior Director, Advanced Cyber Defense Practice, RSA, the Security Division of EMC

Peter Tran leads RSA’s new Advanced Cyber Defense Practice, which offers world-class professional services for global incident response and discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and proactive computer network defenses.

Mr. Tran has more than 17 years of government, commercial and research experience in the fields of computer forensics, information assurance and security. He is a recognized expert within the Department of Defense and U.S. federal law enforcement communities on computer forensics, malicious code, computer crime investigations, foreign counterintelligence, technology transfer, network security and cyber espionage. He has authored several defense periodicals for his work involving distributed computer forensics and data analysis.

Prior to RSA, Mr. Tran led Raytheon’s commercial cyber professional services, as well as its enterprise Cyber Threat Operation Programs for SOC/CERT, IR/D, intelligence, APT threat analysis, technical operations, exploitation analysis and adversarial attack methodologies, research and tools development. He held senior technical leadership roles with Northrop Grumman and Booz Allen Hamilton. Mr. Tran also worked as a Federal Law Enforcement Special Agent, forensic analyst, systems/security engineer, software product designer and consultant in both technology prototyping and production.

Mr. Tran holds a Master of Forensic Sciences from the George Washington University and is a graduate of the MIT Sloan School of Management Executive Programs in Strategy and Innovation, Technology Operations and Value Chain Management. He is also a graduate of the FBI Cyber Training Program, the Federal Law Enforcement Training Center (FLETC) and the John E. Reid Technique for interview and interrogation. While a postgraduate research fellow at the Harvard University Graduate School of Arts and Sciences, his research focused on automated comparative forensic analysis and applied network authentication technologies.

The authors acknowledge and thank Kevin Bowers, Roy Hodgman, Erik Mogus, Lorenzo Montesi and Uri Rivner of RSA for their invaluable contributions to this security brief.


Related RSA Solutions

RSA® Archer™ eGRC Suite

The RSA Archer eGRC Suite is the market-leading solution for managing enterprise governance, risk and compliance (eGRC). It provides a flexible, collaborative platform to manage enterprise risks, automate business processes, demonstrate compliance and gain visibility into exposures and gaps across the organization. The RSA Archer eGRC Suite is designed to serve as a central repository for information about threats, drawing risk- and security-related data from a variety of systems. The RSA Archer Threat Management solution is a centralized early-warning system for tracking threats. The RSA Archer Incident Management solution helps organizations escalate problems according to policies, track the progress of investigations and coordinate problem resolution. The Suite’s ability to integrate information on security alerts and threats, to gather and present metrics about the effectiveness of security controls and processes and to analyze contextual information about the security and business environment helps create actionable, real-time intelligence across the enterprise.

RSA NetWitness Live™ Service

The RSA NetWitness Live platform is engineered to help organizations capitalize on the collective intelligence and analytical skills of the global security community in detecting and countering advanced threats and other cyber attacks. The RSA NetWitness Live platform is designed to gather advanced threat intelligence from a broad range of respected, reliable service providers in the security community. RSA’s expert researchers and analysts process security information from these myriad sources and deliver the most relevant data to the RSA NetWitness Live community. By fusing up-to-the-minute external threat intelligence with internal network traffic through the RSA NetWitness platform, organizations can greatly enhance their ability to identify advanced threats within their IT environments, thus minimizing their windows of vulnerability.


EMC2, EMC, the EMC logo, RSA, the RSA logo, Archer, NetWitness, and NetWitness Live are registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products or services mentioned are trademarks of their respective owners. ©2012 EMC Corporation. All rights reserved. Published in the USA.

H9084 APTBDB BRF 0212