Breaking Down Barriers to Collaboration in the Fight Against Advanced Threats
RSA Security Brief
February 2012
Authors
Bret Hartman
Chief Technology Officer
RSA, the Security Division of EMC, and EMC Fellow
David Martin
Vice President, Chief Security Officer
EMC Corporation
Dennis R. Moreau, Ph.D.
Senior Technology Strategist
RSA, the Security Division of EMC
Kathleen M. Moriarty
GRC Strategy, Office of the CTO
EMC Corporation
Eddie Schwartz
Vice President and CISO
RSA, the Security Division of EMC
Peter M. Tran
Senior Director, Advanced Cyber Defense Practice
RSA, the Security Division of EMC
Key points
– Advanced attacks compel organizations to shift their security
strategy from attack prevention to attack detection and
mitigation. (Page 1)
– Sharing information and collaborating on advanced threats
can help organizations scale their security expertise, speed
up attack detection and improve remediation. (Page 2)
– Data standards for describing and transmitting threat
information have advanced significantly, but much progress
is needed to extend existing standards and drive wider
adoption in vendor solutions. (Page 3)
– Threat information-sharing and collaboration programs help
organizations augment their expertise and capabilities in
detecting and remediating advanced threats, but most
sharing programs are hindered by a heavy reliance on
manually intensive, non-scalable processes and workflows.
(Page 5)
– Organizations cannot wait indefinitely for ideal information-
sharing conditions to emerge. Instead, the global security
community must move forward with practical security
collaboration solutions offering immediate, incremental
improvements. (Page 5)
– RSA has created an experimental, cloud-based framework to
test and refine prospective solutions to broaden and
enhance cyber security collaboration. In its initial
implementation, the collaboration framework is designed to
help security teams integrate external security experts and
service providers into internal workflows for incident
detection, investigation and response. (Page 7)
RSA Security Briefs provide security leaders and other executives
with essential guidance on today’s most pressing information
security risks and opportunities. Each brief is written by a select
response team of security and technology experts who mobilize
across companies to share specialized knowledge on a critical
emerging topic. Offering both big-picture insight and practical
technology advice, RSA Security Briefs are vital reading for today’s
forward-thinking security practitioners.
Contents
Protection by Detection: Advanced Security for Advanced Threats 1
High Hopes and High Barriers for Cyber Security Collaboration 2
Standards and Partnerships Break down Barriers to Collaboration 3
IODEF: an open standard for encoding threat information 3
RID: an open standard to transmit threat information securely 4
Security standards for advanced threats 4
Security collaboration programs push the bounds of trust 5
Experimental Platforms Explore New Concepts in Security Collaboration 5
Conclusion: Moving Toward Frictionless Collaboration 9
Appendix: About the Authors 10
Related RSA Solutions 12
WHAT IS AN ADVANCED THREAT?
Advanced threats are cyber attacks custom-designed to
breach an organization’s defenses for these purposes:
— To steal valuable information
— To plant false information
— To disrupt strategic services
— To damage systems or other infrastructure
— To monitor operations or actions
Attackers typically go to great lengths to make their
activities hard to detect and track. For more information, please read
“When Advanced Persistent Threats Go Mainstream,” a report from the
Security for Business Innovation Council.
Protection by Detection: Advanced Security for Advanced Threats
Determined cyber adversaries have proven over the past couple of years that they can defeat the
protections of even the world’s most sophisticated security organizations. They’re compiling custom
malware to evade signature-based detection tools such as antivirus scanners. They’re using social
engineering techniques on unsuspecting employees to circumvent organizations’ perimeter defenses.
They’re covering their tracks within systems and leveraging techniques they have perfected across
multiple targets.
Today, security experts concede it’s unrealistic to keep attackers entirely out of most networks and
systems. Cyber adversaries have the skills, resources and motives to assail their high-value targets
repeatedly, trying various techniques, until they succeed (see Figure 1: Anatomy of an Attack). In this
persistent threat environment, preventing attacks becomes impractical. Instead, detecting attacks and
mitigating their damage becomes the primary focus.
Rapid detection of security breaches is the best way for organizations to minimize their window of
vulnerability. Detecting advanced attacks, however, has become increasingly difficult. Today’s complex
IT environments give cyber adversaries many places to hide and ways to mask their illicit activities.
Security teams are inundated with disparate data from log files, IDS/IPS alerts, network management
tools and SIEM platforms and are looking for innovative ways to achieve the situational awareness
needed to combat advanced threats. Many organizations are increasingly applying advanced full-
packet capture, malware identification and log management tools that look at data in context, not at
static signatures, to find stealthy, nuanced threats that defy traditional defenses. Some security teams
are also deploying “big data” tools to ingest and normalize large volumes of security information and
applying analytics tools to security data to spot unusual patterns and behaviors.
Advanced data analytics can offload many routine threat detection functions from security analysts,
enabling continuous monitoring of IT environments and resulting in speedier incident detection and
response. Many security teams, however, cannot resolve the problems discovered because they often
lack the in-house experience and expertise to determine if alerts point to serious threat activity or
harmless anomalies. Security staff may not have sufficient experience with cyber adversaries to profile
their objectives and attack methods. Security teams may not be able to reverse-engineer new malware
to understand how it works and what it’s targeting. After cleaning infected network nodes or end
points, they may not know how to update their defenses to avoid being compromised again.
Figure 1: Anatomy of an Attack
Advanced attacks use multiple techniques custom-tailored to the
target. The techniques depicted here are similar to those used in
Operation Aurora against private sector corporations.
1. Identifying “the mark” – Attackers pinpoint individuals with the access privileges they need.
2. Spear-phishing – Attackers send spoofed e-mails with malicious links or attachments to infect specific, high-value employees’ machines.
3. Organization mapping – Once inside, attackers map the organization’s IT environment to identify strategic assets, privileged nodes and employees with more useful privileges.
4. Privilege escalation – Attackers elevate privileges through additional spear phishing or by decrypting administrative credentials.
5. Stealth fighters – Attackers install malware to hijack systems, creating backdoors and establishing “back connect” functionality to communicate with command and control servers.
6. D-day – Attackers activate command-and-control infrastructure to steal, encrypt, compress and transmit information.
In these situations, security teams find it helpful to engage
the expertise of others in the security community, whether
vendors, service providers, government agencies or even
colleagues at rival organizations. Collaborating on cyber
threats enables security teams to scale their expertise and
address attacks faster and more effectively. Collaboration
also aids in early detection—even prevention—of threats,
because security teams are alert to the techniques and
indicators of other recent attacks on similar or related targets
and can act preemptively.
High Hopes and High Barriers to Cyber Security Collaboration
Security leaders see vast potential for organizations to tap
into threat information from outside sources, ranging from machine-readable attack indicators to
general intelligence about cyber adversaries. At the RSA-sponsored Advanced Persistent Threats (APT)
Summits in 2011, more than 180 senior leaders from government and business identified threat
information exchange as a top priority for the global security community in combating advanced threats.
The summits’ key findings included this call to action:
We must work more closely together than ever before: international cooperation and collaboration
between companies and the public sector are essential to developing advanced “indicators” that will
help identify and mitigate threats.
Business and security leaders, including the executive delegates at the APT Summits, say they’re willing
to collaborate with outsiders—even competitors—to pool resources, exchange threat information and
mount a stronger defense.
Although organizations have the collective will to work together, they don’t have the means to do so
easily or effectively. Six common barriers stand in the way:
1. Lack of interoperable standards to describe advanced threats – The security industry has yet to
align behind a set of uniform, machine-readable standards to capture, integrate and communicate
threat information. While some leading-edge organizations have standardized data formats for
internal systems, extensive manual processing is still the norm when sharing threat indicators,
attack forensics or security intelligence with outside parties. Not only must the global security
community harmonize data formats for describing basic incidents, it must also establish
consistency in expressing the variability and nuances inherent in advanced threats.
2. Risk of information leakage – Concerns about unintended disclosure and attribution have
historically been powerful inhibitors to information sharing. Organizations have legal, financial and
publicity concerns about revealing they’ve been attacked. Also, incident and attack information is
valuable only until cyber attackers learn how their presence, methods and identities are being
recognized and tracked. Once that happens, they inevitably adapt, forcing security teams back to
square one in detecting and monitoring activities from these adversaries.
3. Untested methods for governing use of sensitive information – As organizations share information
about security incidents or threats, no widely accepted mechanisms exist to restrict who sees their
information and at what level of detail. Organizations must be able to set and enforce
differentiated policies for the people, processes and technologies with access to sensitive
information, especially when sharing or collaborating with larger groups.
4. Challenges in validating data quality and reliability – Security teams must have sufficient
assurances that threat information comes from trustworthy origins, especially when data is from
anonymous or obfuscated sources. Models for assessing the accuracy, relevance and integrity of
threat indicators in an automated, scalable way are still largely theoretical and unproven.
Independent qualification is essential to fostering and scaling trust in shared data.
5. Shortage of skilled security expertise – Organizations often cannot find security analysts
experienced in combating advanced threats, as demand for this specialized skill set currently
outstrips supply. Moreover, cultivating new competencies in threat information-sharing may not
be something many organizations have the people or budget to support: most security teams are
already stretched to their limits keeping up with everyday security functions. This is especially
true among mid-size companies and within industries that haven’t historically had to deal with
cyber espionage. The disparity in advanced threat experience and expertise among organizations
from different industries further hinders prospects for mutually valued collaboration among
dissimilar sharing partners.
6. Legal and data confidentiality restrictions – Organizations often must go through several levels of
approval before they’re authorized to share information about security incidents or observed
threats. While hardly insurmountable, gaining the requisite approvals to participate from in-house
lawyers and/or government authorities can be complicated and time-consuming. Not only must
organizations repeat approval processes for each new partner with whom they want to exchange
security information, they also must shoulder the costs of obtaining and maintaining approvals
for participation.
In addition to advanced tools and network instrumentation to detect abnormal activity,
organizations also need to develop processes and expertise to use the growing variety and volume of
security data. For in-depth guidance on adapting people, processes and technologies to combat
targeted cyber attacks, please read “Getting Ahead of Advanced Threats: Achieving Intelligence-Driven
Information Security,” a report from The Security for Business Innovation Council, available at
www.rsa.com/innovation.
These concerns are formidable barriers to greater collaboration in cyber security. Breaking down these
barriers is a complex, laborious process because solutions require diverse groups to coordinate their
activities and drive progress on many fronts simultaneously.
Industry groups and public-private initiatives have begun dismantling the barriers to collaboration.
Most notably, they are codifying technical standards to define information exchange formats and to
institute controls over how data is used and shared. Security leaders see the standardization
happening in these areas as crucial to making threat information interpretable with less human
intervention and thus faster and easier to act on and share.
Standards and Partnerships Break down Barriers to Collaboration
The global security community is developing consistent electronic languages to capture and integrate
threat information and transmit it across many different computing systems and security management
platforms. Several emerging cyber security standards show early promise. Two of them, the Incident
Object Description Exchange Format (IODEF) and Real-time Internetwork Defense (RID) could
potentially play a pivotal role in protecting incident-related communication between sharing partners.
IODEF: an open standard for encoding threat information
The Incident Object Description Exchange Format, or IODEF (pronounced “I-O-def”), was developed by
several international computer security incident response teams (CSIRTs) and industry representatives
in the IETF to provide a standard way to describe and package information about security incidents.
The IODEF data model defines an XML schema to encode threat information so it can be conveyed
consistently to other parties or administrative domains. IODEF documents describe threat-related
information such as IP addresses, domain names, traceroutes, platform types, vulnerabilities, exploits
and the resulting impact on affected assets.
Because IODEF documents use an open standard and are machine-readable, the encoded information
they contain can be automatically parsed and transferred to a recipient’s chosen incident management
system. The automated handling of IODEF documents reduces the need for security analysts to read
and categorize free-form text or otherwise normalize data from outside sources. Integrating IODEF
feeds into incident management systems can slash the time required to process threat data from days
to minutes.
IODEF is gaining traction in the international security community. IODEF documents are already used
by several country-level CSIRTs to exchange threat information, including the US CERT. The IODEF
framework has also been adopted by the Research and Education Networking Information Sharing and
Analysis Center (REN-ISAC), the Antiphishing Working Group and other notable cyber security
organizations.
RID: an open standard to transmit threat information securely
The Real-time Internetwork Defense, or RID, standard provides “envelopes” to share and transmit IODEF
documents securely among organizations. RID messages can also carry information about any kind of
electronic incident to outside parties, not just security incidents.
The RID standard takes advantage of the W3C’s XML security and privacy features to convey essential
security controls indicating how incident information can be used and how it should be protected. For
example, RID messages provide four data sensitivity classifications to establish sharing restrictions and
other policy requirements for threat information. RID interprets the classifications to protect data
appropriately with XML encryption.
In order to enforce those restrictions and policies, however, organizations must first establish
agreements with their sharing partners on how policies are interpreted. The RID standard recommends
that organizations create “trust profiles”—uniform security settings that map specific requirements and
controls to the sensitivity of data a sharing partner will likely see. RID does not, however, specify how to
implement mapping at the application layer, because organizations have widely divergent platforms for
enforcing data security. The RID standard simply provides policy considerations and technical controls
to help sharing partners build enforceable trust profiles.
Regarding technical controls, RID offers authentication, confidentiality, integrity and
authorization-security features—protections necessary for organizations to control their threat information in
compliance with policies. Information sources can digitally sign portions of the IODEF document for
which they’re responsible, enabling recipients to authenticate the originator. These protections also
give users assurance that threat information is indeed from the specified source and was not modified
in transit.
Security standards for advanced threats
While open standards such as IODEF and RID can help organizations communicate threat information
and enforce sharing policies, additional cyber security standards are needed to represent the complex
indicators, behaviors and forensics information typically associated with advanced threats.
Several standards are emerging to improve accuracy and consistency in encapsulating and sharing
information on advanced threats. A few prominent examples are summarized below:
– Malware Attribute Enumeration and Classification, or MAEC (pronounced “mike”), is a specialized
language to describe malware based on how it operates and the specific actions it performs. MAEC
uses abstract patterns, not physical signatures, to detect malware, to assess what malicious code is
attempting to accomplish and to gauge the corresponding risks to the organization. MAEC is
developing rapidly and appears to be gaining support among security vendors.
– Common Attack Pattern Enumeration and Classification, or CAPEC, describes common methods for
subverting software, including phishing, SQL injections, cache poisoning and code-signing defeats.
– Cyber Observable eXpression, or CybOX, is an open standard that specifies, captures, characterizes
and communicates any event or condition observable in the cyber domain – what CybOX describes as
“cyber observables.” CybOX provides a structured schema for representing cyber observables in a
variety of security use cases such as event management/logging, malware characterization, intrusion
detection and incident response/management. The schema is flexible enough to represent both
abstract patterns of activity that may be targets for further monitoring and analysis, as well as
detailed descriptions of events that have been measured in an operational context.
– Advanced Forensics Framework 4, or AFF4, is a universal framework for storing, managing and
sharing digital evidence used in both cyber crime forensics and cyber defense. It offers several
enhancements to earlier versions of AFF, most notably the ability to store multiple kinds of evidence
from myriad devices in a single archive. Conversely, a single archive of evidence can be used by many
different platforms, including workstations, relational databases or object management systems,
without necessitating changes to forensic software.
– Security Content Automation Protocol, or SCAP, is increasingly used to assess the vulnerability and
exploitability of software, as well as security-related configuration issues. SCAP is a set of data
representations that provide a context for understanding even zero-day exploits, which are often
used in advanced attacks.
Security collaboration programs push the bounds of trust
Most threat information-sharing programs have either been built
around specific industries (e.g., the Electric Sector ISAC, the
Financial Services ISAC, the Information Technology ISAC) or set
up as private-public partnerships (e.g., the Defense Security
Information Exchange, the Enduring Security Framework).
Information-sharing and security collaboration programs vary
widely in capabilities and maturity. In general, however, they typically issue regular reports, advisories
and alerts on security threats, both cyber and physical, for the groups they serve. Information-sharing
programs may also share security tips and best practices with their members.
For the most part, information distributed by sharing programs is not in machine-readable formats,
meaning security personnel must sift through emails, website postings or other communications from
the sharing group. In some public-private programs dealing with highly sensitive security threats,
information is exchanged mostly through offline methods such as hand-delivered documents, phone
calls on secure lines and in-person meetings at secure facilities. For the vast majority of information-
sharing groups, exchanging threat data remains reliant on non-automated, manually intensive
processes, which by their nature are not readily scalable.
Some sharing groups, including the Financial Services ISAC and the Research and Education Network
ISAC, have moved to automated data feeds for threat information. Member organizations connect their
incident management platforms to these ISACs via APIs. The platform integration process can be
complex, requiring many one-off implementations.
While much work needs to be done to enable threat information sharing at machine speed, today’s
sharing groups are tackling one of the toughest challenges in cyber security collaboration: establishing
the legal and procedural frameworks to mediate and manage trust across multiple member
organizations. Through their membership agreements, sharing groups have made substantial headway
in codifying what information can be shared, how it can be shared and how it should be protected.
Establishing these participation terms helps the broader security community normalize classifications
for data sensitivity, identify relevant data types and define appropriate policies and controls. These
developments, in turn, help shape technical standards and commercial products.
Information sharing communities have become vital proving grounds for advancing security
technologies and processes, as well as for expanding the security expertise of participants. The
security community has seen sufficient interest and progress in information-sharing programs to
consider next steps. The industry dialog on security collaboration is now shifting from “can we do it?”
to “how can we do it better?”
Experimental Platforms Explore New Concepts in Security Collaboration
Because detecting and remediating advanced threats requires highly specialized security expertise,
collaboration with outside partners is often the most efficient and convenient way to scale advanced
threat capabilities and talent. With advanced attacks escalating in frequency and sophistication, the
global security community sees an urgent need to move forward with information-sharing and
collaboration programs. In the absence of mature standards and collaboration models, pragmatism,
not perfection, is the go-forward approach to threat information exchange and collaboration.
To learn more about information sharing and analysis
centers (ISACs), please visit the National Council of
ISACs’ webpage: http://www.isaccouncil.org/.
RSA is developing an experimental technical framework that facilitates collaboration between
organizations and outside security experts in detecting, investigating and remediating advanced
threats. RSA’s new threat response collaboration framework is built upon the foundations of what’s
achievable today, technologically, legally and procedurally. It’s important to note that the framework is
not a commercial offering; it’s an experimental cloud-based platform to test and explore new methods
for improving threat information exchange and collaboration at a broader scale.
The framework builds on top of existing capabilities in the RSA NetWitness Live™ service and the RSA
Archer™ eGRC Suite to connect security teams and their advanced security systems with a trusted set of
external service providers offering world-class expertise in combating advanced threats. Security teams
could tap into these outside providers for a variety of services:
– Threat intelligence feeds to improve detection capabilities
– Attack-specific intelligence that can assist in attribution
– Advanced forensics services such as malware reverse-engineering, memory analysis and network
packet capture analysis
– Remediation recommendations or direct actions such as writing a new detection rule for specific
security systems
Service providers connected to the collaboration framework would be best-in-breed specialists with
whom enterprise security teams have already established working relationships. All participating
entities would be governed by their existing service contracts.
In its initial implementation, the experimental collaboration framework would serve as a cloud delivery
platform for specialized security services. (See Figure 2: Threat Response Collaboration Framework)
Compared to conventional processes for collaborating on threat detection and response, the
collaboration framework is designed to confer several important advantages:
– Augments in-house security capabilities with on-demand external expertise – The collaboration
framework puts world-class advanced threat expertise “on tap” so organizations can integrate
outside specialists into the internal workflows of their security operations centers (SOCs). This is
particularly beneficial when in-house resources detect a potential problem they cannot fully analyze or
remediate themselves.
– Provides security, policy and data leakage protection – The collaboration framework makes full use
of the RSA NetWitness® platform’s encryption and obfuscation capabilities to protect detection rules.
Rules are automatically decrypted and operationalized within the RSA NetWitness appliance, but they
can never be read in the clear. This minimizes the risks of attack indicators and their origins getting
leaked. Also, the collaboration framework will take advantage of security and policy management
features inherent in the RID messaging and transport standards. RID messaging provides
authentication, confidentiality, integrity and authorization-security protections. RID transport
provides session-layer encryption to bolster security for data in transit and to prevent session
hijacking.
– Coordinates workflows for incident handling and response – The collaboration framework will use
RID messaging communication flows to facilitate queries, requests and other communications
between security teams and outside parties. Organizations can track the status of their incident-
related requests through the RSA Archer™ eGRC suite.
– Automates routine steps in threat sharing and collaboration – The collaboration framework will
integrate with security tools already deployed within many organizations today. Also, the framework
will use the IODEF open data format to facilitate communication among collaborating parties. The
collaboration framework’s integration features and its use of open standards should reduce manual
processing tasks for security teams, helping speed threat detection, investigation and response.
• Incident investigation – To save analysts time, future iterations of the collaboration framework will
automatically populate threat information from the RSA NetWitness platform into well-structured
IODEF documents augmented with detailed forensic artifacts. The IODEF document, along with
supporting forensic evidence, is then ready for review by a security analyst, who can then send it
to outside experts for further analysis, if necessary.
• Incident remediation – Security teams can choose to automatically ingest and operationalize new
threat detection and remediation rules through the RSA NetWitness Live component of the
collaboration framework. Alternatively, the framework can generate remediation tickets through
its integration with incident management tools, such as the incident management module in the
RSA Archer eGRC Suite.
• Threat intelligence sharing – Security service providers can stream newly emerging threat
information to their subscriber communities through the RSA NetWitness Live platform.
Simultaneously, security teams can elect to accept and operationalize threat information
automatically from trusted services providers. In the near future, security teams will be able to
contribute new detection and remediation rules developed through their incident by uploading
them through the RSA NetWitness Live service.
RSA Security Brief, February 2012
1 RSA NetWitnessmonitoring detects anetwork node sending anexecutable to a rarelyused port on a server inthe enterprise.
2 The security team conducts aninvestigation and can find no legitimatereason for the network node tocommunicate with the server. It also findsthat the server is a source controlmanagement server. The priority of theevent is escalated in RSA Archer IncidentManagement.
3 The security team packagesincident-related information in anIODEF document with additionalinformation encapuslated in a PCAPfile and sends it to an externalnetwork analyst for investigation.
4 The network analystextracts and analyzesthe executable, finds itto be malicious andrecommends a forensicinvestigation of theserver.
5 The security teamcaptures a memory dumpof the server and sends itto another external expertspecializing in end pointanalysis.
9 A new ticket is initiated inthe RSA Archer IncidentManagement modulerequesting end pointremediation. Another ticketis initiated requestingserver remediation.
6 The end point analystfinds evidence of thecompromise andrecommends monitoringany activity associatedwith a newly identifiedcommand-and-control IPaddress.
8 The security team elects toshare the new command-and-control IP addresswith other organizationsthrough the RSANetWitness Liveintelligence service.
Figure 2: Threat Response Collaboration Framework
RSA NetWitnessplatform
RSA NetWitness Live service
RSA Archer eGRC Suite Threat ResponseCollaboration Framework
1 23
4
5
6
8
9
7
7 The security team updates the RSANetWitness platform with a new alerting ruleto monitor traffic associated with the newlyidentified command-and-control IP address.
– Provides performance monitoring and trust measures – The collaboration framework will track basic
measures of service provider performance, such as the number of requests a provider has handled
through the platform, a provider’s average response time and the average lifespan of incidents, from
start to close. These basic measures can help security teams benchmark their incident management
performance over time and compare the responsiveness or efficacy of various service providers. The
performance monitoring capabilities of the collaboration framework could ultimately include more
revealing measures of trust, such as user-contributed ratings of vendors and reputation scoring. Such
community-generated information could help security teams qualify service providers to help with
new incidents or future attacks.
RSA expects its new experimental collaboration framework to help the broader security community
explore new ideas and methods for sharing threat information and for coordinating responses to
advanced attacks. Also, the collaboration framework could help scale the advanced threat expertise of
mid-size companies or organizations with less developed information security capabilities.
Figure 3: Threat Response Collaboration Framework
A web-based interface enables security teams to engage external security experts in
investigating and analyzing advanced attacks and other complex security incidents.
Conclusion: Moving Toward Frictionless Collaboration
Real-time information-sharing and highly automated processes for threat detection, analysis and
remediation are the goal states for future security collaboration programs. Although skilled analysts
will always need to manage security incidents and determine what information can be shared, process
automation can greatly curtail the time required to neutralize advanced threats, offload mundane
tasks from busy security teams and reduce the potential for error in human handling of data.
The global security community has made notable progress on collaboration initiatives. The
combination of IODEF and RID, for instance, shows promise as a trusted communication mechanism
for general threat information. Additional standards such as CybOX, MAEC and SCAP are being refined
to represent threats as nuanced patterns of behavior rather than as static signatures. Numerous
public-private information sharing programs and ISACs are also refining models for security
collaboration, working toward greater automation of sharing processes.
To move collaboration practices forward, RSA sees three important areas for future development within
the global security community.
– Reliable methods to establish and monitor trust for collaborating parties – Referrals, qualifications
and performance benchmarks are important proxies for trust, but they’re difficult to represent
consistently or concisely. As information-sharing groups and data exchanges grow in number,
aggregating member-submitted reviews and ratings may become an efficient, reliable way to scale
trust monitoring. Threat information-sharing and collaboration programs could also require all
participants to comply with a common code of conduct, which could be enforced by periodic audits.
– Trusted service delivery infrastructure – Organizations must be assured that collaboration partners
and service providers have taken appropriate measures to secure the systems and processes
handling shared threat information. To give sharing partners confidence that sensitive threat
information is not leaking from compromised assets, the global security industry should
standardize mechanisms for establishing, managing and verifying trust in the infrastructure hosting
threat information exchange and collaboration processes. One emerging way to provide such
assurance is to standardize access to Trusted Platform Modules (TPMs) and the “root of trust”
evidence that TPMs generate. By employing roots of trust to verify the identity, integrity and location
of key components within the service delivery chain, sharing partners can provide each other with
detailed evidence of platform security, creating trust based on proof, not promises.
– Automation of information-sharing functions within security management tools – Security vendors
should enhance their solutions to facilitate information sharing. This requirement could include
adapting data formats for threat indicator feeds so they can be readily integrated and analyzed with
other information sources. Incident management tools could automate the capture of data related
to suspicious activities and forward the information for review and further action by a security
analyst. Data loss prevention systems could be extended to scan threat information before it’s sent
to outside partners to prevent accidental disclosure of sensitive data.
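The last point, scanning threat information for sensitive internal data before it goes to an outside partner, as an added example. This is not code from the brief or from any RSA product: the internal network ranges, the internal domain and the sample report are constructed for the example, and the three detector kinds (internal addresses, internal hostnames, staff email addresses) are this example's choice of what a pre-share check should catch. External indicators such as the command-and-control address are deliberately left in place, since they are the point of sharing.

```python
"""Scan an outbound threat report for internal data before it is shared.

Added example, not code from the RSA brief or any RSA product.  The report text
is checked for addresses inside the organization's own ranges, hostnames under
its internal domain and staff email addresses; each finding is recorded and a
redacted copy suitable for an outside partner is produced.  External indicators
(here a constructed C2 address in the 198.51.100.0/24 documentation range) are
left untouched.  Policy values and the sample report are constructed.
"""
import ipaddress
import re

# Constructed policy: what this organization treats as internal.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_DOMAIN = "corp.example"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w.-]+\.\w+\b")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\." + re.escape(INTERNAL_DOMAIN) + r"\b")

# Constructed sample of what a team might write up before sending it out.
SAMPLE_REPORT = (
    "Incident INC-2012-0042 (constructed sample). Host scm01.corp.example (10.1.9.8) received "
    "an executable on tcp/8443 from workstation 10.1.2.3. Memory analysis found a beacon to "
    "198.51.100.77 on tcp/443. Contact: analyst@corp.example."
)


def scan_report(text):
    """Return (kind, value) findings for internal data; external indicators are not flagged."""
    findings = []
    for m in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group())
        except ValueError:  # e.g. 300.1.1.1 looks like an address but is not one
            continue
        if any(addr in net for net in INTERNAL_NETWORKS):
            findings.append(("internal-ip", m.group()))
    for m in EMAIL_RE.finditer(text):
        if m.group().lower().endswith("@" + INTERNAL_DOMAIN):
            findings.append(("internal-email", m.group()))
    for m in HOST_RE.finditer(text):
        findings.append(("internal-host", m.group()))
    return findings


def redact_report(text):
    """Replace every finding with a labelled placeholder, longest values first so no
    shorter value is substituted inside a longer one."""
    for kind, value in sorted(scan_report(text), key=lambda f: -len(f[1])):
        text = re.sub(r"\b" + re.escape(value) + r"\b", "[REDACTED:%s]" % kind, text)
    return text


def prepare_for_sharing(text):
    """Scan and redact; 'clean' tells the analyst whether the original needed no changes."""
    findings = scan_report(text)
    return {"findings": findings, "redacted": redact_report(text), "clean": not findings}


if __name__ == "__main__":
    result = prepare_for_sharing(SAMPLE_REPORT)
    for kind, value in result["findings"]:
        print("%-15s %s" % (kind, value))
    print(result["redacted"])
```

In practice the analyst would review the findings rather than trust the redaction blindly: a pattern-based scan can miss context (a project code name, a description of internal topology) and the redacted copy still needs a human decision before it leaves the organization.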
Solutions to these challenges will require a coordinated effort within the global security community:
companies, government agencies, industry groups, service providers and solutions vendors all have
important parts to play.
For our part, RSA is evaluating the implementation of adoption-ready standards such as IODEF and RID
across our security management portfolio. RSA is also contributing to various industry groups
developing information-sharing standards and frameworks, as well as public-private initiatives to
collaborate on security. The new experimental threat response collaboration framework developed by
RSA can help the security community explore new methods for managing trust among multiple
organizations. We hope this, in turn, will accelerate industry efforts to scale security expertise and to
expand participation in threat collaboration programs.
About the Authors
Bret Hartman, Chief Technology Officer, RSA, the Security Division of EMC and EMC Fellow
Bret Hartman is responsible for defining the corporate security technology strategy for EMC, as implemented by
the RSA division. Prior to RSA, Mr. Hartman was Chief Technology Officer, Information Security, at EMC
Corporation.
Mr. Hartman has more than 30 years of experience building information security solutions for major
enterprises. His expertise includes service oriented architecture (SOA) and web services security, policy
development and management, and security modeling and analysis. Mr. Hartman has spoken at dozens of
security and privacy industry events and is a recognized authority on distributed systems security.
Prior to EMC, Mr. Hartman was Director of Technical Services for SOA Appliances at IBM Corporation and was
also Vice President of Technology Solutions at DataPower Technology, which was acquired by IBM. Mr.
Hartman’s previous roles include Chief Technology Officer at Quadrasis Security (Hitachi Computer Products);
Vice President, e-Security Services and Chief Security Architect at Concept Five Technology; President and Co-
Founder of BlackWatch Technology Inc; and Director of Information Security at Odyssey Research Associates.
Mr. Hartman began his distinguished career as a U.S. Air Force officer assigned to the U.S. National Security
Agency.
At the U.S. National Security Agency, Mr. Hartman helped to create the “DoD Trusted Computer System
Evaluation Criteria” (Orange Book). He was a co-author of Object Management Group’s CORBA Security
specification, and co-edited the Security Scenarios document produced by the WS-I Basic Security Profile
Working Group. Mr. Hartman also co-authored Mastering Web Services Security (Wiley 2003), Enterprise
Security with EJB and CORBA (Wiley 2001), and U.S. patent 6,807,636: “Methods and Apparatus for Facilitating
Security in a Network.”
David Martin, Vice President, Chief Security Officer, EMC Corp.
Dave Martin manages EMC’s industry-leading Global Security Organization focused on protecting the
company’s multi-billion dollar assets and revenue. As EMC’s most senior security executive, he is responsible
for establishing EMC’s brand of trust with its customers and for providing business protection operations
worldwide.
Mr. Martin is a Certified Information Systems Security Professional and brings a range of experience to EMC in
information security and management developed through more than a decade of professional business
protection experience from various roles in internal audit, security services development and consulting.
Prior to joining EMC, Mr. Martin built and led security consulting organizations, focusing on critical
infrastructure, technology, banking and healthcare verticals, where he developed and delivered enterprise
security programs, incident response, investigations, policy and assessment practices.
Mr. Martin holds a BEng in manufacturing systems engineering and provides frequent testimony to the U.S.
Congress and government agencies as an expert witness on corporate enterprise protection issues.
Dennis R. Moreau, Ph.D., Senior Technology Strategist, RSA, the Security Division of EMC
Dennis Moreau specializes in the application of leading-edge technologies to the solution of complex problems
in information systems management and security domains. His primary focus is in developing solutions to
improve IT efficiency and effectiveness for service, systems, security, compliance and configuration
management/optimization. He works actively with the National Institute of Standards and Technology (NIST),
the U.S. Department of Defense (DoD) and the Mitre Corporation on the development of security information
standards.
Dr. Moreau has more than 35 years of experience in designing systems and security management solutions.
Prior to joining RSA, he was a founder and the CTO for Configuresoft and CTO for Baylor College of Medicine. He
holds a doctorate in computer science and has held faculty positions in computational medicine and computer
science, conducting research programs under the sponsorship of the National Aeronautics and Space
Administration, Jet Propulsion Laboratories, the National Institutes of Health, the National Library of Medicine,
Bell Laboratories and IBM. He speaks regularly at IT management and security conferences worldwide.
Kathleen M. Moriarty, GRC Strategy, Office of the CTO, EMC Corporation
Kathleen Moriarty works in the EMC Office of the CTO, shaping technology strategy and standards for
information governance, risk, and compliance, with a focus on incident response and related areas. Ms.
Moriarty is the primary author of multiple published standards, and she actively contributes to security
standards development in both the ITU-T and the IETF. She currently chairs the IETF’s Managed Incident
Lightweight Exchange (MILE) working group.
Previously, as the practice manager for security consulting at EMC, Ms. Moriarty developed security programs
for clients and oversaw key projects, including serving as the acting CISO of a global investment banking
firm. Before joining EMC, Ms. Moriarty was the head of IT security at the Massachusetts Institute of
Technology Lincoln Laboratory, where she was responsible for all unclassified information security programs,
including managing the incident response team and coordinating incident handling. She also served as
director of information security at FactSet Research Systems, a provider of financial information and analytical
applications to the global investment community.
Ms. Moriarty is a Certified Information Systems Security Professional (CISSP). She holds a Master of Science
in Computer Science from Rensselaer Polytechnic Institute and a Bachelor of Science in Mathematics and
Computer Science from Siena College.
Eddie Schwartz, Vice President and CISO, RSA, the Security Division of EMC
Eddie Schwartz is Chief Information Security Officer (CISO) for RSA and has 25 years of experience in the
information security field.
Previously, he was CSO of NetWitness (acquired by EMC), CTO of ManTech, EVP and General Manager of
Global Integrity (acquired by INS), SVP of Operations of Guardent (acquired by VeriSign), CISO of Nationwide
Insurance, a Senior Computer Scientist at CSC, and a Foreign Service Officer with the U.S. Department of
State. Mr. Schwartz has advised a number of early stage security companies, and served on the Executive
Committee for the Banking Information Technology Secretariat (BITS).
Mr. Schwartz has a B.I.S. in Information Security Management and an M.S. in Information Technology
Management from the George Mason University School of Management.
Peter M. Tran, Senior Director, Advanced Cyber Defense Practice, RSA, the Security Division of EMC
Peter Tran leads RSA’s new Advanced Cyber Defense Practice, which offers world-class professional services
for global incident response and discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and
proactive computer network defenses.
Mr. Tran has more than 17 years of government, commercial and research experience in the fields of
computer forensics, information assurance and security. He is a recognized expert within the Department of
Defense and U.S. federal law enforcement communities on computer forensics, malicious code, computer
crime investigations, foreign counterintelligence, technology transfer, network security and cyber espionage.
He has authored several defense periodicals for his work involving distributed computer forensics and data
analysis.
Prior to RSA, Mr. Tran led Raytheon’s commercial cyber professional services, as well as its enterprise Cyber
Threat Operation Programs for SOC/CERT, IR/D, intelligence, APT threat analysis, technical operations,
exploitation analysis and adversarial attack methodologies, research and tools development. He held senior
technical leadership roles with Northrop Grumman and Booz Allen Hamilton. Mr. Tran also worked as a
Federal Law Enforcement Special Agent, forensic analyst, systems/security engineer, software product
designer and consultant in both technology prototyping and production.
Mr. Tran holds a Master of Forensic Sciences from the George Washington University and is a graduate of the
MIT Sloan School of Management Executive Programs in Strategy and Innovation, Technology Operations and
Value Chain Management. He is also a graduate of the FBI Cyber Training Program, the Federal Law
Enforcement Training Center (FLETC) and the John E. Reid Technique for interview and interrogation. While a
postgraduate research fellow at the Harvard University Graduate School of Arts and Sciences, his research
focused on automated comparative forensic analysis and applied network authentication technologies.
The authors acknowledge and thank Kevin Bowers, Roy Hodgman, Erik Mogus, Lorenzo Montesi and Uri Rivner
of RSA for their invaluable contributions to this security brief.
Related RSA Solutions
RSA® Archer™ eGRC Suite
The RSA Archer eGRC Suite is the market-leading solution for managing enterprise governance, risk and compliance (eGRC). It
provides a flexible, collaborative platform to manage enterprise risks, automate business processes, demonstrate compliance
and gain visibility into exposures and gaps across the organization. The RSA Archer eGRC Suite is designed to serve as a
central repository for information about threats, drawing risk- and security-related data from a variety of systems. The RSA
Archer Threat Management solution is a centralized early-warning system for tracking threats. The RSA Archer Incident
Management solution helps organizations escalate problems according to policies, track the progress of investigations and
coordinate problem resolution. The Suite’s ability to integrate information on security alerts and threats, to gather and present
metrics about the effectiveness of security controls and processes and to analyze contextual information about the security
and business environment helps create actionable, real-time intelligence across the enterprise.
RSA NetWitness Live™ Service
The RSA NetWitness Live platform is engineered to help organizations capitalize on the collective intelligence and analytical
skills of the global security community in detecting and countering advanced threats and other cyber attacks. The RSA
NetWitness Live platform is designed to gather advanced threat intelligence from a broad range of respected, reliable service
providers in the security community. RSA’s expert researchers and analysts process security information from these myriad
sources and deliver the most relevant data to the RSA NetWitness Live community. By fusing up-to-the-minute external threat
intelligence with internal network traffic through the RSA NetWitness platform, organizations can greatly enhance their ability
to identify advanced threats within their IT environments, thus minimizing their windows of vulnerability.
EMC2, EMC, the EMC logo, RSA, the RSA logo, Archer, NetWitness, and NetWitness Live are registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products or services mentioned are trademarks of their respective owners. ©2012 EMC Corporation. All rights reserved. Published in the USA.
H9084 APTBDB BRF 0212