A Technology Blue whitepaper

High performance cyberspace security
Improving operational response to cyberspace threats

Leading organizations are investing heavily in cyber security technologies and solutions to mitigate the risk of cyber attack. Yet unfortunately many are just getting started. Failure to close gaps in cyber defenses soon enough could result in catastrophic level events that threaten the continuity of a business.

"Cyber security threats represent one of the most serious national security, public safety, and economic challenges we face as a nation."
2010 National Security Strategy

Introduction
From a technology perspective, cyberspace is defined as the global network of interdependent information technology infrastructures, telecommunications networks and computer processing systems. From an individual perspective, cyberspace is how ideas are exchanged, information is shared, business is conducted, games are played and people are connected. Yet despite immense opportunity, cyberspace, as described in our Nation's 2010 National Security Strategy, enables "one of the most serious national security, public safety, and economic challenges we face as a nation."

Over the past 10 years the number of people around the world connected to the internet has increased from 360 million to over 2 billion, and this trend is expected to continue at an exponential rate into the future. Collaboration is occurring at a rate like never before, innovative creations are improving quality of life, and opportunity is made available where once it was not. Unfortunately those same opportunities are readily available to those with malicious intent as well.

The United States' critical infrastructure that enables our quality of life (energy, banking, finance, transportation, communication and defense) all rely on cyberspace. Countless ideas, monies, information and communications flow through cyberspace every second. And with widespread availability of internet-capable technologies, the number of threats against cyber assets has increased immensely. As stated in the 2010 National Security Strategy, "The very technologies that empower us to lead and create also empower those who would disrupt and destroy."

"The very technologies that empower us to lead and create also empower those who would disrupt and destroy."
2010 National Security Strategy

Pentagon reveals 24,000 files stolen in cyber attack.
Global cyber attack underway for 5 years

Key cyberspace challenges
As the number of networked systems, devices and platforms continues to grow, cyberspace is becoming more deeply embedded in the critical infrastructure of our homes, businesses and nation. Given the increasing number and complexity of cyber threats, it is understandable that securing cyberspace dominates the agendas of business, community and government technology leadership. The very technological innovations that enable our way of life have simultaneously made our cyber assets more difficult to protect.

Connectivity: As more and more data is migrated online, companies are expected to be more connected and open by allowing mobile, home computers and other internet-ready devices to access networks and services. While organizations are expected to provide new internet capabilities to support a global economy, cyber actors are able to optimize their attacks across multiple platforms and devices. Effective cyber security requires innovative integration of technologies that keep pace with the rollout of new public-facing capabilities.

Evolution: The rate at which cyber threats evolve is of concern. Cyber adversaries are continually developing more sophisticated and dangerous capabilities that elude traditional cyber security measures. As more adversaries collaborate and combine resources, the level of innovation in cyber attack capabilities quickly outpaces the ability to adequately defend against them. Evolving cyber threat innovations are becoming smaller and more difficult to detect, yet have an equal or greater impact to cyber assets. Effective cyber defense requires an ability to evolve faster than our adversaries.

Speed: Cyber attacks are commonly considered fast: malicious hackers identify a target, and the attack is over almost as quickly as it began; however fast attacks are not the only concern. In 2010 more than 75,000 computer systems at nearly 2,500 companies around the world were hacked in one of the largest and most sophisticated cyber attacks to date. The attack not only shows the level of sophistication of the attackers. It also displays one of the greatest challenges to adequately securing cyber assets: the attack, discovered in January 2010, began in late 2008. Cyber attacks are not always quick. Some take time to unfold as computers are remotely controlled by the attackers, slowly infiltrating computers and networks until the end goal is achieved. Safely securing cyber assets requires an ability to detect malicious cyber activity over longer periods of time.

"The internet and e-commerce are keys to our economic competitiveness, but cyber criminals have cost companies and consumers hundreds of millions of dollars and valuable intellectual property."
2010 National Security Strategy

Sophisticated cyber attack hits Energy Department's Pacific Northwest National Laboratory.
Citigroup the latest to fall victim to cyber crime

Big data: The amount of data generated each day about cyber assets is continually increasing at a staggering rate. Large enterprises generate terabytes of data each year related to network events, data downloads, running programs and various anomalies. Enabling effective cyber security protection requires an ability to quickly discern an acceptable event from a questionable one, identify its relationship to other events, and identify patterns that signify the occurrence of a cyber attack.

Decisioning: Proactive cyber security is based upon the quality of strategic and operational decisions that are made during critical times. And the quality of decisions is a direct reflection of the knowledge and understanding of past, present and future: understanding what happened, knowing what is happening, and proactively adjusting strategies and operations to protect against what could happen in the future. Individuals and organizations all make decisions using a process similar to the OODA Loop (Figure 1). With the growing potential of catastrophic cyber attacks, a cyber security OODA process must be measured in milliseconds, not seconds, minutes or hours. Effective cyber security requires automation of systems and decision-making processes. Decisioning must be fast and agile to keep pace with ever-evolving adversaries and operational conditions, and ensure the protection of cyber assets.

Resources: As with many IT leadership agendas, doing more with less has dominated the strategic landscape over the past few years. Current approaches to protecting against cyber threats put demands on limited resources and can increase systems development and maintenance costs. Effective cyber security requires a robust framework of integrated technologies that minimize the strain on IT resources. The framework must be automated, scalable, performing, and be capable of empowering security experts to efficiently gather, analyze and make decisions about immense amounts of data.

Current approaches are not enough

To protect against cyber threats, enterprises have deployed a wide range of hardware and software defenses. Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), antivirus, firewalls and other network management solutions are strategically deployed to generate, identify and respond to events that meet the characteristics of malicious cyber activity. While these tools and technologies are sufficient to address part of the problem, they are not enough. As the sophistication of cyber attacks increases and the level of network exposure continues to outpace protection, these tools and technologies fail to adapt quickly enough to protect against savvy attackers. Unfortunately many IT leaders are continually overwhelmed by the challenges that these insufficiencies breed, and find themselves in a never-ending battle to fight cyber attackers from a reactive posture.

"Moreover, the speed of cyber attacks and the anonymity of cyberspace greatly favor the offense."
2010 Quadrennial Defense Review Report

Hong Kong trading halted by DDoS attack

A cyber security framework
The OODA Loop (Figure 1) is a process for performing strategic and tactical decision making. Developed by USAF Col. John Boyd (Ret.), OODA is based on an understanding that all organizations undergo a continuous cycle of interaction with their environment. The cycle is broken down into four overlapping processes: Observation: the collection of data; Orientation: the analysis and synthesis of data to form perspective; Decision: the determination of a course of action; and Action: the implementation of the decisions. Within the context of combat, the key to victory is to be able to create situations wherein one can make appropriate decisions quicker than one's opponent.

Figure 1: OODA Decision Loop

Observation: Capture, store, aggregate, filter and visualize event data from various sources throughout the infrastructure.

Orientation: Analyze captured data to identify patterns and event correlations that signify security holes or attacks in progress.

Decision: Execute what-if scenarios and analytic algorithms to find new strategies, policies and courses of action to mitigate threats.

Action: Implement policies into operational systems to automate threat response or provide real-time decision support.

"Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies."
Department of Defense Strategy for Operating in Cyberspace (July 2011)

Paris G20 files stolen in cyber attack.
Emerging cyber threat: Advanced Evasion Techniques that combine to conquer.

Within the context of cyber security, organizations that can execute the OODA process quickly can gain an advantage over adversaries. When managed effectively, a foundational OODA process enables an organization to proactively close security gaps, assess potential risks and impacts, alter strategies and update operational systems with agility, consistency and precision.

By understanding the core purposes of each phase and how they relate to technological capabilities, the performance of each phase of the loop can be transformed and optimized to effectively protect against cyber threats. When integrated, the technological result is a framework capable of rapid evolution and response against cyber attackers characterized by persistence, coordination, purpose, sophistication and multilateral capabilities.

Observation: data collection

The first framework component enables capture and high-level correlation of event data. Multiple, dispersed sensors collect data from event sources across the enterprise. Real-time event correlation provides the first line of cyber defense by identifying event sequences, or lack thereof, that signify malicious behavior. Based on customizable policies, real-time events are streamed to automated decision engines for immediate resolution. As data are collected they are stored in operational data stores and warehouses to support the Orientation phase of the process.
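One way the sequence and absence checks described under Observation could look, as an added example that is not from the whitepaper or any vendor product it mentions. The event types, rule names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

FAIL_THRESHOLD = 3       # assumed policy: failures that must precede a success
WINDOW = 60              # assumed policy: seconds in which the sequence must occur
HEARTBEAT_TIMEOUT = 120  # assumed policy: seconds a sensor may stay silent

# Constructed sample stream: (epoch_seconds, source, event_type). Not real log data.
EVENTS = [
    (0,   "sensor-a", "heartbeat"),
    (5,   "10.0.0.7", "auth_fail"),
    (9,   "10.0.0.7", "auth_fail"),
    (12,  "10.0.0.7", "auth_fail"),
    (20,  "10.0.0.7", "auth_ok"),
    (60,  "sensor-a", "heartbeat"),
    (65,  "10.0.0.9", "auth_fail"),
    (70,  "10.0.0.9", "auth_ok"),
    (300, "sensor-b", "heartbeat"),
]

def _prune(stamps, now):
    """Drop failure timestamps that have aged out of the correlation window."""
    while stamps and now - stamps[0] > WINDOW:
        stamps.popleft()

def correlate(events):
    """Return (time, rule, subject) alerts for a time-ordered event stream."""
    fails = defaultdict(deque)  # source -> recent auth_fail timestamps
    last_beat = {}              # sensor -> time of its last heartbeat
    silent = set()              # sensors already reported as silent
    alerts = []
    for ts, source, kind in events:
        # Absence rule: every event advances the clock, so each known
        # sensor is checked for an overdue heartbeat.
        for sensor, seen in last_beat.items():
            if ts - seen > HEARTBEAT_TIMEOUT and sensor not in silent:
                silent.add(sensor)
                alerts.append((ts, "missing_heartbeat", sensor))
        if kind == "heartbeat":
            last_beat[source] = ts
            silent.discard(source)
        elif kind == "auth_fail":
            fails[source].append(ts)
            _prune(fails[source], ts)
        elif kind == "auth_ok":
            # Sequence rule: a success that closes a burst of failures.
            _prune(fails[source], ts)
            if len(fails[source]) >= FAIL_THRESHOLD:
                alerts.append((ts, "fails_then_success", source))
            fails[source].clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Failures spaced further apart than `WINDOW` never trigger the sequence rule, which is why the slow, long-running activity described under Speed needs the stored history that the Orientation phase works from.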

Orientation: forming perspective

The second framework component combines data mining, analytics and visualization to enable deeper analysis of events. Predictive models leverage operational and historical data to determine the likelihood that a cyber attack is in progress. The models are designed to consider vast amounts of data, and are powerful enough to identify patterns that are too vast and complex for human identification. Predictive capabilities enable proactive closing of gaps that are being exploited, and provide foresight into other areas of risk in the cyber security grid.

Decision: course of action

The third framework component enables cyber security experts to assess risks and develop mitigation strategies using innovative decision optimization technologies. Decision models are developed to represent the current cyber security infrastructure in the physical domain. By utilizing captured event data and perspectives from predictive analytic assessments, cyber experts are able to simulate and model various attack scenarios using robust solvers to better evaluate cyber risks (Figure 2). What-if capabilities facilitate prioritization of countermeasures, and create a better understanding of potential impacts to infrastructure and operational systems.

Figure 2: Decisioning. By utilizing captured event data and perspectives from predictive analytic assessments, cyber experts are able to simulate and model various attack scenarios using robust solvers to better evaluate cyber risks. What-if capabilities facilitate prioritization of countermeasures, and create a better understanding of potential impacts to infrastructure and operational systems.
Screenshots courtesy of FICO (www.fico.com)

Action: implementation

The fourth framework component leverages real-time, operational decisioning capabilities to efficiently respond to operational conditions. Automated decisions are authored and exposed as application services that implement the policies, tactics and practices of the cyber security strategies. Responses are in the form of context-sensitive recommendations, or automated responses to reroute network traffic to compensate for outages or security compromises.

"Defending against these threats to our security, prosperity, and personal privacy requires networks that are secure, trustworthy, and resilient."
2010 National Security Strategy

Visualization
A high-performing cyber security framework provides enhanced situational awareness through dynamic, interactive visualization of event data. Event capture, correlation and decisioning capabilities are integrated in a single interface to provide real-time perspective of ongoing cyber events throughout the enterprise (Figure 3). The visualization component of the framework is the core interface through which cyber experts perform tasks specific to each phase of the OODA loop. Cyber experts leverage a customizable front-panel display of visualizations including network diagrams, event severities and geographic maps to perform analyses, draw conclusions and make decisions about current and potential situations. Interface interactivity enables specialists to drill down into events to display relational information, run predictive models or launch optimizing solvers to determine plausible courses of action.

Access to real-time, meaningful and decision-oriented information enables experts to develop new policies for proactively reducing the existence and threat of cyber attacks. Where volumes of information exceed an ability to consume it and reason upon it, the innovative, integrated technologies synthesize deeper levels of meaning across data, further heightening situational awareness of the enterprise cyber domain. Where once sophisticated attacks could go unnoticed, a proactive cyber security framework ensures operational systems engage adversaries with fast, automated responses that close security gaps before significant damage is done.

"Future adversaries will likely possess sophisticated capabilities designed to contest or deny command of the air, sea, space, and cyberspace domains."
2010 Quadrennial Defense Review Report

Figure 3: Visualization. Access to real-time, meaningful and decision-oriented information enables experts to develop new policies for proactively reducing the existence and threat of cyber attacks.
Screenshot courtesy of Edge Technologies, Inc. (www.edgeti.com)

Achieving high performance
Cyber security has traditionally been considered a technology problem. However high-performing organizations are learning that to effectively fight and win the cyber war, cyber security must be an enterprise problem. By focusing on key tasks they are transforming their approach to cyber security, and developing proactive capabilities that reduce the potential for catastrophic cyber breaches.

Cyber Strategy

High-performing organizations are weaving cyber security into their day-to-day business strategies. They are implementing technological frameworks that increase visibility into their cyber domain and protect their cyber assets from attack. In addition, they are actively educating their organizations, from C-level to programmers to assistants, on approaches to reduce internal cyber risks as well. Cyber strategy has become equally important as other enterprise initiatives such as CRM and SOA. Cyber strategy is becoming a planning and execution component of new business initiatives, product rollouts and partnerships. New positions are being created, including Chief Information Security Officers, further solidifying the dedication, and signaling the criticality, of protecting enterprise cyber assets from malicious adversaries.

Finding the gaps

High-performing organizations are conducting war-gaming sessions that simulate cyber attacks to uncover vulnerabilities and gaps in hardware and software security. Their findings lead to new strategies and capabilities that effectively close security gaps, and identify areas for improvement throughout the enterprise. Armed with this knowledge, organizations can begin the transformation to develop a proactive, lean-forward posture required to effectively combat cyber attackers.

Embrace innovation

Effective cyber security requires innovation. The sophistication of assaults and complexity of IT environments have increased beyond the capabilities of traditional tools and technologies. High-performing organizations realize that addressing this challenge requires a reliance on resource, technological and organizational innovation. Technological innovation is at the forefront, and emerging tools, technologies and solutions are empowering organizations in the fight against cyber attackers like never before. High-performing organizations are also heavily investing in acquiring and developing cyber expertise, capable of leveraging innovations to create agile, performing and scalable cyber defenses.

"We will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet these challenges."
2010 National Security Strategy

Growing expectations for how organizations partner, interact with and share information with individuals and other organizations are continually pushing the envelope of cyber security. The number of cyber targets continues to grow, giving cyber attackers ample opportunity to disrupt, steal and destroy cyberspace assets.

The good news is that many organizations are already working to reach higher levels of cyber security performance. The same technologies that enable cyber attacks can also be used to defend our assets with equal effectiveness. Success requires organizations to invest in new strategies that empower users, systems and infrastructures, and technologically enable faster decision making in the face of dynamic operating environments.

Claye Greene, Managing Director of Technology Blue, is an IT strategist focusing on transformation and modernization initiatives. Contact us at info@technologyblue.com.

To learn more please visit http://www.technologyblue.com/cybersecurity.htm

Technology Blue helps bring about meaningful change and lasting success through a broad range of outsourcing services covering: Strategy, Application, Infrastructure, Management.

Why partner with Technology Blue?
Enhance core capabilities in key areas
Leverage expertise to increase innovation
Liberate resources to focus on core competencies
Improve service quality
Reduce costs
Speed time to market
Increase business performance
Maximize profitability
Solidify competitive advantage

Copyright 2011 Technology Blue, Inc. All rights reserved.

About Technology Blue
Technology Blue is an information technology strategy firm based in Pittsburgh, Pennsylvania. With a strong commitment to deliver value through innovative approaches, tools and technologies, Technology Blue partners with its clients to help them transform and modernize to achieve higher performance. Its home page is www.technologyblue.com.
