Insights on governance, risk and compliance

Enhancing your security operations with Active Defense


Contents

Introduction

What is Active Defense?

Preparing an Active Defense

Conducting an Active Defense

Is Active Defense right for me?

Introduction

The next iteration of continuous improvement

Security operations professionals have read the headlines and seen the reports of cyber attackers growing more sophisticated and ever more destructive. According to the trends identified by EY’s latest Global Information Security Survey* (GISS), most organizations are struggling to keep pace. Our 2014 survey indicated that 49% of respondents expected their security budgets to remain “about the same.” Although our 2015 survey saw this figure drop to 39%, the percentage of organizations that reported plans to increase spending by 5%-25% grew by a mere 4%. Many security teams will face another year with the same or fewer resources than they had this year.

Being able to effectively deploy the security resources that have been allocated can also challenge an organization. Seventy-one percent of respondents rated the likelihood that their organization would detect a sophisticated cyber attack at less than 50%. The most common obstacle cited for security program effectiveness was “budget constraints” at 62% with “lack of skilled resources” close behind at 57%. The cumulative effect of all these difficulties is well documented; the average time elapsed between breach occurrence and breach discovery remains at 205 days![1]

How can organizations improve? EY believes that the answer is Active Defense.

The following four chapters of this report will introduce EY’s perspective on Active Defense and will show cyber defenders how their organization could adopt it to help enhance its cybersecurity:

What is Active Defense?

• EY’s vision of Active Defense defined

• What does Active Defense add to the existing security operations program?

• How does Active Defense fit into a holistic cybersecurity program?

Preparing an Active Defense

• What are the prerequisites to establishing an Active Defense program?

• What must I understand about my organization to enable Active Defense?

• What must I understand about my adversaries for an Active Defense to succeed?

Conducting an Active Defense

• What are the components of an Active Defense?

• What is an Active Defense mission?

• What types of missions can I conduct with Active Defense?

Is Active Defense right for me?

• What are the benefits of an Active Defense?

• Is my organization ready to implement an Active Defense?

• How can EY help me prepare to conduct an Active Defense in the future?


[1] M-Trends 2015: A View from the Front Lines — Annual Report, Mandiant (a FireEye company), 2015.

* Results shown in this report are based on findings from EY’s Global Information Security Survey 2015 — ey.com/giss2015

Source: EY’s Global Information Security Survey 2015, “Creating trust in the digital world”

88% of Information Security functions do not fully meet the organizational needs*

11% of GISS respondents reported using data analytics to detect security breaches.


What is Active Defense?

To understand how Active Defense can help improve security program effectiveness, we need an analogy. Many organizations think of the ideal enterprise network as a castle or fortress: this mental model includes thick stone walls, guard towers and maybe even a moat. Castles may keep real-world invaders at bay, but we have learned time and again that determined attackers nearly always succeed in penetrating even the most secure networks via targeted attacks. Security professionals can’t rely on the integrity of the network’s perimeter and must operate under the assumption that undetected malicious activity is present nearly all the time.

A more appropriate analogy might be the enterprise network as a contemporary city. This analogy works on several levels. Consider the evolving ways that we access data. Users have multiple routes into and out of the network through company workstations, personally owned mobile devices, cloud storage and more. This means that legitimate users and intruders both have numerous opportunities to engage in unseen activities. Just as any city of sufficient size experiences near-constant unpoliced criminal activity, expanding network size and complexity have confounded defenders’ ability to monitor in near real-time as well. Indeed, respondents to EY’s 2015 GISS that reported experiencing significant incidents revealed that only 45% of detected incidents were discovered by the Security Operations Center (SOC). To maintain order, the castle guards of old evolved into the modern police, and security operations professionals must evolve as well.

What does Active Defense add to the existing security operations program?

Let’s carry our analogy into the SOC. The security operations team comprises the enterprise’s network police force. Security monitoring with network and endpoint tools is akin to sending officers out to enforce speed limits and watch for crime. In the real world, patrol officers are effective at deterring and defeating the criminals that they can actually see. However, they aren’t effective at defeating the sophisticated crime that occurs behind closed doors and in areas that aren’t patrolled. For this, the city needs detectives. Rather than patrolling and monitoring, detectives cultivate informants, investigate leads, analyze evidence and actively hunt suspects.

How does Active Defense fit into a holistic cybersecurity program?

Most security operations teams lack the “detective” capability, and this is where Active Defense can enhance organizational effectiveness. By employing a deliberate operational cycle to plan, execute, and review intelligence-driven activities to help implement targeted countermeasures, fortify defenses and hunt intruders, Active Defense practitioners provide the organization with the capability to identify and help eradicate latent attackers that circumvent traditional security monitoring and target your intellectual property and business systems.

Active Defense is a deliberately planned and continuously executed campaign to identify and help eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets


Preparing an Active Defense

What are the prerequisites to establishing an Active Defense program?

Active Defense results from the fusion of timely threat intelligence with deliberately planned and executed proactive measures that help combat specific threat scenarios. Active Defense does not replace traditional security operations. Instead, Active Defense organizes and enhances the existing security operations program. Conducting an Active Defense requires some preparation in order to achieve maximum effectiveness.

First, cyber defenders must ensure that they have a clear understanding of the assets most coveted by potential attackers. In EY’s 2015 GISS, 23% of organizations with an SOC stated that their SOC, “does not interact with the business” and only 23% reported that their SOC “is tightly integrated, meeting with the heads of business operations regularly to understand business concerns and risks.” This interaction is key and also missing from many security programs.

Thoughtful conversations between security practitioners and business leaders produce a listing of assets to be defended. These are generally associated with critical business functions and consist of important applications and systems along with sensitive data repositories. Relevant assets will be those that subject the business to serious consequences should they be manipulated, stolen, or taken offline. Examples include intellectual property, research and development data supporting future innovation, employees’ or customers’ personally identifiable information, payment card information for clients, and the industrial control systems that support critical business functions.

[Figure: Active Defense integration into security operations. Inputs: EY data scientists, EY attack and penetration team, cyber research laboratory, cyber threat intelligence. Active Defense: analysis (attack life cycle analysis, defended asset identification, mission planning, indicator analysis and prioritization, threat actor identification and targeting), hunting (anomaly analysis, surge monitoring, cyber recon-by-fire activities, proactive endpoint forensics) and fortification (complex vulnerability identification, countermeasure development, countermeasure deployment, threat scenario validation). Operations, joined through a service integration layer: global integrated security operations (security monitoring, incident response, vulnerability management, attack and penetration, research and development, software security) that operate, monitor, secure, enable and integrate.]

What must I understand about my organization to enable Active Defense?

Next, defenders must develop an understanding of what “normal” means for the network. Typically, this is referred to as a “baseline” in the context of security. However, much of this baseline lives in the minds of the IT staff rather than in security monitoring tools. This understanding is important for enhancing the security operations function, because Active Defense includes strong anomaly analysis and hunting components. Many activities executed by intruders avoid triggering automated security monitoring tools because they don’t fit the typical procedures, inputs or models of known attack signatures. Instead, they use compromised credentials or illicit accounts and blend with regular user behavior. However, alert and experienced security analysts may recognize malicious activity when they see it, provided they have a model for normal behavior on the network.

What must I understand about my adversaries for an Active Defense to succeed?

Finally, defenders need an understanding of the threat actors that are likely to target their organization. Many security teams simply assume that they are targeted by the big-three nation state adversaries, organized crime groups and hacktivists. Although this may be true, additional insight is required in order to craft an Active Defense. Within each group, motivations and capabilities vary widely. Defenders should work closely with threat intelligence providers to paint an accurate portrait of the threat landscape with as much detail as possible. If possible, specific threat actors should be named and analyzed to gain insight that will be leveraged in defensive activities.

23% of organizations with an SOC stated that their SOC “does not interact with the business.”*

23% of organizations reported that, “Our SOC is tightly integrated, meeting with the heads of business operations regularly to understand business concerns and risks.”*

[Figure: Active Defense insight, built in four stages. Stage 1: identify internal critical assets; descriptively profile them at both business and technical level. Stage 2: add environmental context; develop or leverage network and endpoint activity baselines. Stage 3: identify and profile the most likely threat actors; inject timely intelligence to drive mission selection. Stage 4: conduct Active Defense missions; plan, execute, review, repeat.]

Conducting an Active Defense

Active Defense consists of deliberately planned and executed defensive actions called “missions.” Each mission is followed by activities designed to capture lessons learned and enhance organizational learning. Missions include one or more specific objectives and a defined end-state, and they may last between one day and several weeks. Mission objectives typically include the implementation of one or more targeted countermeasures to defeat specific threat scenarios or deliberately planned activities to identify hidden intruders (hunting).

Although individual missions may take the form of projects, an Active Defense program is conducted as an iterative operational cycle. Each cycle focuses on defending a specific asset or group of assets from a specific threat actor and may include one or more missions. The operational cycle includes phases for planning, mission execution (of one or more missions) and cycle review. Each mission within the operational cycle also includes analogous phases for planning, execution and review.

[Figure: the Active Defense operational cycle. Analyze: identify likely threat actors and scenarios (high-value asset or adversary focused). Plan: define the desired end-state (deliberately planned, mission focused; hunting or fortification). Execute: achieve the desired end-state (complicate, harden, maintain). Review: capture lessons learned and realize improvements. A weekly CTI brief feeds the cycle.]

What are the components of an Active Defense?

Cyber threat intelligence (CTI) helps lay the groundwork for Active Defense and provides context and guidance during operations. Once likely adversaries have been identified, defenders work with their threat intelligence provider to identify specific tactics via cyber kill chain analysis. Kill chain analysis is the division of the steps taken by an adversary as part of an attack into individual “buckets” that correspond to the links of the kill chain. Although researchers from Lockheed-Martin originally introduced this concept in a 2011 white paper,[3] there are a number of variants. Regardless of variant, identification and analysis of tactics is key.

[3] Hutchins, Eric, Michael Cloppert, and Rohan Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Lockheed Martin Corporation, 2011.

[Figure: Typical attack lifecycle, illustrated for a hypothetical “APT X” whose priority-1 target is R&D. Lifecycle stages: intelligence gathering, initial attack, establish foothold, enable persistence, move laterally, enterprise reconnaissance, escalate privilege, gather and encrypt data, steal data. Tactic buckets: background research, initial exploitation, command and control, privilege escalation, data exfiltration. Tactics shown include search engines, public releases, external scanning, zero days, social engineering, spear phishing, water holing, malware installation, stolen credentials, root kits, trojans, account creation, establishing VPNs, network scanning, remote desktop connections, encrypted C2 tunnels, FTP and email, web posting, ZIP and RAR compression, and malware encryption. Targets shown include shares, workstations, servers, routers, web servers, external applications, social media, executives and assistants, remote workers, admin accounts, operating systems, security applications, office documents (pdf, doc, xls, ppt), and R&D data.]

Besides known tactics, additional data collected and mapped for relevant threat actors includes:

• Attacker source IP ranges

• Malware metadata

• Typical hardware or software leveraged by the attacker

• Typical hardware or software targeted by the attacker

• Typical times of attacker operations

For each defended asset, defenders also gather:

• Hardware or software used to access the sensitive data and business processes

• Patch level and patching schedule for identified hardware and software

• Previous attack information

• Detailed identity and access information associated with the resource

This information is supplemented with intelligence about current events in the organization’s industry to determine who is attacking peers and for what purpose. Industry peers are a great source to develop first-hand insight about the latest tools, tactics and procedures used by attackers.

31% of respondents say their SOC has individuals focused solely on cyber threat intelligence

50% of respondents say their SOC has analysts that read and subscribe to specific open-source resources

35% of respondents say that they have a mature or very mature information security strategy

Only 12% of organizations perform all security operations functions in-house

23% of SOCs do not interact with the business

29% of SOCs collaborate and share data with other public SOCs

43% of SOCs collaborate and share data with others in their industry

42% of SOCs have not detected a significant incident

Only 19% of SOCs have discovered a significant cybersecurity incident

Only 47% of organizations think their SOC would be likely to detect a sophisticated attacker.

What is an Active Defense mission?

A key facet of Active Defense is the enhanced operational focus and effectiveness realized through the deliberate planning of Active Defense missions. Security teams typically harden their defenses on an ad hoc basis, implementing industry best practices when they have time or in reaction to high-profile vulnerability announcements. By contrast, Active Defense missions are planned and executed to proactively defeat specific threat scenarios and uncover hidden intruders in the network. This means that defenders’ time is spent deterring and defeating the enterprise’s most likely attackers rather than an undefined or nonspecific adversary.

What types of mission can I conduct with Active Defense?

The use of the term “mission” conveys the fact that the operational process proceeds with a significant amount of analytical rigor and discipline in order to achieve maximum effectiveness in accomplishing the organization’s security goals. Missions are planned in response to specific threat intelligence in the unique context of the defended organization; and by focusing on the threat to the business from real-world threat scenarios, Active Defense practitioners can maximize their defensive capabilities for their security budget.

Although Active Defense is inherently adversary focused, it is also tailored for specific defended assets — typically the organization’s most valuable proprietary data and business systems. An Active Defense mission can include any activities that meet this description. However, we find that a few general categories of activities tend to generate the greatest returns.

Active Defense mission categories

Fortification:

• Network reconnaissance: manual identification and validation of complex vulnerabilities and threat scenarios, and development of network situational awareness for decision makers

• Targeted countermeasures: leverage insight from the intelligence process to design and implement countermeasures that defeat specific threat scenarios

Hunting:

• Anomaly analysis: focused investigation for anomalous and malicious activity that cannot be detected by automated security monitoring tools

• Trapping and coercion: alter network and endpoint conditions to provoke a hidden attacker into engaging in malicious activity liable to be detected by targeted intensive monitoring

Fortification

The first category of Active Defense mission includes those activities that help improve the enterprise’s defenses against specific tactics that may be used by specific attackers.

Network reconnaissance

Network reconnaissance missions develop the organization’s understanding about its own level of risk to specific threat actors or threat scenarios. Missions of this type are generally more complex than straightforward vulnerability scanning and may include mock attacks or red team exercises. An example of an information gathering mission would be a multi-day experiment to determine whether existing security monitoring tools are able to identify the use of a particular piece of malware on the network.

Tailored countermeasures

Tailored countermeasures are most often focused on network and endpoint fortification and attempt to deter, degrade or defeat specific adversary tactics. Active Defense fortification activities differ from hardening activities executed by traditional security operations teams in that they are executed deliberately in response to timely threat intelligence about a threat actor or threat scenario rather than as “industry best practices” on an ad hoc basis.

• “Cyber clear-and-hold” is an example of a network and endpoint fortification

A type of network and endpoint fortification, clear-and-hold is a strategy employed to help prevent intruders from re-occupying territory from which they have been ejected by defenders. Clearing is done via hunting or proactive forensics. After the clearing stage, the holding stage is usually characterized by regular inspections, surveillance and the improvement of defenses.

A clear-and-hold mission may be warranted due to a number of internal or external factors. Defenders may learn about an attack against an industry peer and may wish to apply clear-and-hold tactics to protect the data types that were taken in that attack. Another driver could be the discovery of a vulnerability that cannot be patched in a critical system. Hosts on the same network segment could then be cleared to ensure that they are not currently harboring attackers who could take advantage of the weakness.

Activities of this nature can usually only be sustained for a brief period of time before resources must be redeployed to other areas. For example, a clear-and-hold mission would likely be appropriate during the period when a merger/acquisition is being planned (from the earliest stages) and executed. Once the merger is announced publicly and completed, the protection provided by clear-and-hold tactics is no longer necessary around the systems containing merger data.

41% of respondents say their SOC has a paid subscription to cyber threat intelligence feeds

Hunting

Hunting missions attempt to discover latent (but active) attackers on the network, or previously unknown evidence of past attacks. By actively examining seemingly benign activity or artifacts in the context of known tactics and techniques of particular threat actors or in the context of specific threat scenarios, Active Defense practitioners take the initiative against attackers and reduce the time that attackers can expect to operate inside the network before being identified and eradicated. Hunting missions fall generally into two categories.

Anomaly analysis

These missions examine artifacts located on particular hosts along with patterns of network traffic to identify malicious activity that automated security monitoring tools miss. Although the organization may have a sophisticated and comprehensive deployment of sensors to conduct security monitoring for network segments and endpoints, there are many forms of malicious activity that thwart automated detection but are plainly obvious to human analysts.

As we discussed previously, the ability to identify anomalous activity is one of the key enablers of Active Defense and is critical to hunting missions. Anomalous activity is any activity that is strange, abnormal or doesn’t belong in the context in which it is seen. This context could include the user who is engaging in the activity, the time when the activity is observed, the frequency with which the activity occurs and other circumstances. In addition to hunting for anomalous activity in new event streams, defenders should ensure that they search historical data as well. The time when defenders become aware of a particular malicious behavior is always after the time when attackers began using it: thus, historical logs must be searched to ensure that a compromise hasn’t already occurred.

• Identify cyber staging areas

Anomaly analysis can be used to identify cyber staging areas, and to deter or defeat sensitive data exfiltration. Attackers often form a beachhead within a compromised network. This is a host from which they launch sorties against other hosts on the network and on which they may store stolen data. Often this data is compressed, obfuscated, or even encrypted, to make it look like something it isn’t. For instance, defenders may discover a large data cache rolled into several encrypted and compressed RAR files that have had their file extensions altered to make them look like video clips.

This beachhead concept is important because hackers must prepare a staging ground within one or two “hops” from a location on the network from which data will be stolen. Not only is this required in order to limit the amount of activity on a target host to prevent detection, but routing connections and data through additional systems is technically complicated and subject to discovery as well.

To identify staging areas, defenders search likely beachhead locations near sensitive systems for stolen data and stored tools. In enterprises that enforce data storage locations for users, such as those that require all personal files to be saved to a network-shared folder, this search can be straightforward. Searching may also be aided by enterprise file naming schemes. These often aren’t apparent to outsiders, so attackers may inadvertently create filenames that immediately appear anomalous.
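Searching likely beachhead locations for disguised archives, as an added example that is not part of the EY report: the script below walks a constructed, temporary user share, compares each file's header bytes against its extension so that a RAR archive renamed to .mp4 stands out, and flags names that fall outside a hypothetical PRJ-nnnn enterprise naming scheme. The naming scheme, the sample files and the share layout are all assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Published file-header signatures (offset, bytes) for containers an intruder
# might hide under a harmless extension, plus the MP4 "ftyp" box so that
# genuine video files are recognised and not flagged.
SIGNATURES = {
    "rar": [(0, b"Rar!\x1a\x07\x00"), (0, b"Rar!\x1a\x07\x01\x00")],
    "zip": [(0, b"PK\x03\x04")],
    "7z": [(0, b"7z\xbc\xaf\x27\x1c")],
    "mp4": [(4, b"ftyp")],
}

# Extensions that legitimately carry each container type (Office files are ZIPs).
EXPECTED_EXT = {
    "rar": {".rar"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "7z": {".7z"},
    "mp4": {".mp4", ".m4v", ".mov"},
}

# Hypothetical enterprise naming scheme: PRJ-<4 digits>_<word>.<ext>.
NAMING_SCHEME = re.compile(r"^PRJ-\d{4}_[A-Za-z0-9]+\.[a-z0-9]+$")


def sniff_type(path):
    """Return the container type implied by the file header, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for kind, patterns in SIGNATURES.items():
        for offset, magic in patterns:
            if head[offset:offset + len(magic)] == magic:
                return kind
    return None


def find_staging_artifacts(root, naming_scheme=NAMING_SCHEME):
    """Walk `root` and map each suspicious file (relative path) to its reasons:
    a header that contradicts the extension, or a name outside the scheme."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        kind = sniff_type(path)
        ext = path.suffix.lower()
        if kind and ext not in EXPECTED_EXT[kind]:
            reasons.append(f"header says {kind}, extension is {ext or 'none'}")
        if not naming_scheme.match(path.name):
            reasons.append("filename outside enterprise naming scheme")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_share():
    """Create a constructed home-directory share in a temp dir (sample data, not real)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    user = root / "jdoe"
    user.mkdir()
    files = {
        "PRJ-2041_roadmap.docx": b"PK\x03\x04" + b"\x00" * 60,           # genuine Office file
        "PRJ-2041_demo.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 52,  # genuine video
        "PRJ-2041_notes.txt": b"meeting notes\n",                         # plain text
        "PRJ-2041_demo2.mp4": b"Rar!\x1a\x07\x00" + b"\x00" * 57,         # RAR posing as video
        "~tmp.dat": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 58,                 # 7z with an odd name
    }
    for name, content in files.items():
        (user / name).write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, why in find_staging_artifacts(build_sample_share()).items():
        print(rel, "->", "; ".join(why))
```

On a real share, point `find_staging_artifacts()` at the enforced storage location and replace `NAMING_SCHEME` with the organization's own pattern; files that match the scheme but carry a mismatched header are the ones worth pulling for forensic review first.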

47% of respondents reported that their organization does not currently have an SOC*

26% of respondents that do have an SOC outsource real-time security monitoring*

Trapping and coercion

These missions attempt to compel latent attackers to perform activities that will cause them to be discovered. Once an attacker gains access to the network, escalated privileges and established persistence, they are unlikely to engage in additional overt malicious activity. This is because they likely have gained access to legitimate account credentials or have had the opportunity to install malicious software to mask, clean or hide their activities. By altering conditions on the network, defenders can impose a dilemma on hidden attackers. They must either work to maintain their access and subject themselves to the scrutiny of alert Active Defense practitioners, or they will lose access. Here are examples of this type of mission:

• Malware starvation

Many types of malware emit a regular “beacon” or “heartbeat” to a command and control (C&C) server as long as they are active. This serves two purposes. First, it acts as a remote notification to an attacker that his access to the network is still available. Second, it provides automated control systems with an opportunity to deliver orders to fielded malware instances (implants).

Highly sophisticated attackers may employ multiple cooperating malware implants that watch each other to provide backup. If one implant sees that its partner has been eradicated or is no longer communicating on the network, it activates and takes over the beaconing and malicious activity. EY has seen one network that had primary implants installed on more than 20 servers, with alternate or backup implants hiding on another 14. The alternates weren’t detected until after the primaries had all been eradicated — the point when an incident response team would usually close the case and go home.

Changes in network connectivity are usually the cause that results in the activation of dormant implants. Consider simulating this to “starve” malware of its network access and change its behavior. Network segments can be cut off from one another temporarily to prevent cooperating malware samples from seeing or interacting with one another; this can result in backup malware spinning up and trying to take over for what it thinks is an eradicated primary.

• DNS manipulation

Malware authors typically use hostnames to configure malware C&C servers rather than IP addresses. This improves resiliency for the malware, since defenders typically block outgoing traffic to specific IP addresses (routers and switches don’t know about hostnames). Using a hostname allows the malware’s C&C server to be located at any IP address. The attacker just needs to register it, and DNS servers around the world will carry the news to his deployed malware. Defenders who have tried to squash a malware infection have probably seen this behavior before: they block outgoing traffic from beaconing malware only to see it shift to new destination addresses every few hours.

By resetting the network’s DNS cache, defenders force renewed resolution of every hostname across the network — including those used by malware. Within a few hours or days, defenders can then examine the contents of the DNS cache for low-density hostnames or hostnames that were resolved at odd hours. A boatload of connections to www.google.com at noon on a Tuesday shouldn’t raise any eyebrows, but a single connection to www.malwaremothership.com at 2 a.m. on a Tuesday warrants closer inspection.
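The DNS-cache review described above, together with the earlier point under anomaly analysis that anomalies are judged by user, time and frequency context and that historical logs must be searched too, as one added example that is not part of the EY report: a hunt over constructed resolver log lines that flags low-density hostnames and off-hours resolutions, with an allowlist for names the environmental baseline already explains. The log line format, the client addresses and the hostnames other than those quoted in the text are assumptions made for the example; because it takes any iterable of lines, the same function runs over archived logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# One resolver log line per query: ISO timestamp, client IP, queried name.
# This line format is an assumption made for the example; point parse_line()
# at whatever the resolver or DNS-cache export actually produces.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log (not real data). 2016-03-08 was a Tuesday: a burst of
# normal noon lookups, a scheduled overnight update check, and one lone lookup
# at 02:14 from a single client.
SAMPLE_LOG = """\
2016-03-08T12:00:01 10.20.31.5 www.google.com
2016-03-08T12:00:07 10.20.31.9 www.google.com
2016-03-08T12:01:13 10.20.31.12 www.google.com
2016-03-08T12:01:40 10.20.31.21 www.google.com
2016-03-08T12:02:55 10.20.31.33 www.google.com
2016-03-08T03:00:02 10.20.40.2 wsus.corp.example
2016-03-08T03:00:05 10.20.40.3 wsus.corp.example
2016-03-08T02:14:09 10.20.31.77 www.malwaremothership.com
garbage line that does not parse
"""


def parse_line(line):
    """Return (timestamp, client, qname) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m.group(2), m.group(3).lower().rstrip(".")


def is_off_hours(ts, start=22, end=6):
    """True when the hour falls in the overnight window [start, 24) or [0, end)."""
    return ts.hour >= start or ts.hour < end


def hunt_dns_log(lines, min_clients=3, max_queries=5, allowlist=frozenset(),
                 off_start=22, off_end=6):
    """Aggregate per hostname and return {hostname: [reasons]} for names that are
    low density (few queries from few distinct clients) or were resolved during
    off-hours. `allowlist` holds names the environmental baseline already explains."""
    stats = defaultdict(lambda: {"clients": set(), "queries": 0, "off_hours": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        entry = stats[qname]
        entry["clients"].add(client)
        entry["queries"] += 1
        if is_off_hours(ts, off_start, off_end):
            entry["off_hours"] += 1

    findings = {}
    for qname, entry in stats.items():
        if qname in allowlist:
            continue
        reasons = []
        if len(entry["clients"]) < min_clients and entry["queries"] <= max_queries:
            reasons.append(f"low density (query count {entry['queries']}, "
                           f"distinct clients {len(entry['clients'])})")
        if entry["off_hours"]:
            reasons.append(f"{entry['off_hours']} resolution(s) during off-hours")
        if reasons:
            findings[qname] = reasons
    return findings


if __name__ == "__main__":
    hits = hunt_dns_log(SAMPLE_LOG.splitlines(), allowlist={"wsus.corp.example"})
    for name, why in hits.items():
        print(name, "->", "; ".join(why))
```

Without the allowlist the overnight update server is reported as well, which is the intended behaviour: the baseline, not the thresholds, is what separates a scheduled job from a lone 2 a.m. resolution.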

12% of respondents that do have an SOC reported being able to fulfill all functions in-house

Is Active Defense right for me?

EY considers the ability to mount an effective Active Defense as a strategic end-state for the enterprise security program, and the journey to establishing an effective Active Defense varies for every organization. According to EY’s 2015 GISS, 47% of respondents reported that their organization does not currently have an SOC; of those that do, 26% outsource real-time security monitoring, and only 12% reported being able to fulfill all functions in-house.

Is my organization ready to implement an Active Defense?

EY’s cybersecurity offerings help develop the security program with an eye toward establishing an Active Defense. However, if any of the following statements reflect your organization, then Active Defense may be right for you:

• We have an SOC, but we still aren’t finding evidence of advanced attackers.

• We have an SOC, but we still had a major breach.

• We have had an SOC for a few years, but we need to evolve beyond static monitoring.

• We have strong business pressures to defend intellectual property or confidential business information (R&D, M&A, ICS/SCADA, etc.).

• We have an outsourced SOC, but we don’t believe that our most valuable data and systems are truly secure.

How can EY help me prepare to conduct an Active Defense in the future?

Many organizations can benefit from the enhanced operational discipline and adversary focus inherent to Active Defense. However, effectiveness from an Active Defense program requires appropriate maturity levels in a range of security competencies, including security operations, security monitoring, asset identification and classification, IT operations, threat intelligence, security architecture and others. By focusing on an Active Defense capability as a strategic goal, decision-makers and security practitioners can engage in meaningful discussion about the steps for organizational improvement that will help realize the benefits described herein.

When this occurs, the benefits of an Active Defense can be:

• For the security operations team, Active Defense helps provide a defined set of improvement activities, justified by threat intelligence and security analytics and tied to achievable objectives. The team builds countermeasures, hunts hidden intruders and bolsters defenses on the basis of real reporting about the behavior of real attackers.

• For decision-makers, Active Defense helps connect resource deployment directly to measures of cybersecurity program effectiveness. Instead of focusing on performance measures like “number of patches applied” and “number of tickets closed,” effectiveness can be demonstrated via, for example, a decrease in successful targeted attacks or a decrease in the time required to discover and eradicate the attacks that were successful.

An organization’s intellectual property and critical business systems have substantial monetary value, and organization leaders expect their security programs to keep the data secure and the attackers out. To this end, the effectiveness of the organization’s security operations can be significantly enhanced by an Active Defense guided by deliberate planning, a defined strategic end-state and an adversary focus. By organizing and integrating the organization’s existing security operations, Active Defense can help reduce the number of successful targeted attacks and decrease the amount of time that intruders can operate before being ejected from the network.

Is Active Defense right for me?

What are the benefits of an Active Defense?

• An agile operational cycle designed to help achieve rapid results and accelerate learning

• Cyber threat intelligence (CTI) analysis that helps yield new insights about adversaries or the enterprise and generates recommendations

• Active Defense missions focused on hunting or fortification

• Active Defense helps enhance but does not replace security monitoring and incident response

47% of respondents reported that their organization does not currently have an SOC*


Want to learn more?

Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about our perspective. Please visit our Insights on governance, risk and compliance series at www.ey.com/GRCinsights.


Cyber Threat Intelligence − how to get ahead of cybercrime www.ey.com/CTI

Security Operations Centers — helping you get ahead of cybercrime www.ey.com/SOC

Achieving resilience in the cyber ecosystem www.ey.com/cyberecosystem

Managed SOC — EY’s Advanced Security Center: world-class cybersecurity working for you http://www.ey.com/managedSOC

Cybersecurity and the Internet of Things www.ey.com/IoT

Using cyber analytics to help you get on top of cybercrime: Third-generation Security Operations Centers www.ey.com/3SOC

Cyber Program Management: creating the path forward www.ey.com/CPM

Cyber breach response management — Breaches do happen. Are you ready? www.ey.com/cyberBRM


Creating trust in the digital world: EY’s Global Information Security Survey 2015 www.ey.com/GISS2015

If you were under cyber attack, would you ever know?

As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless. When one tactic fails, they will try another until they breach an organization’s defenses. At the same time, technology is increasing an organization’s vulnerability to attack through increased online presence, broader use of social media, mass adoption of mobile devices, increased usage of cloud services, and the collection and analysis of big data. Our ecosystems of digitally connected entities, people and data increase the likelihood of exposure to cybercrime in both the work and home environment. Even traditionally closed operational technology systems are now being given IP addresses, enabling cyber threats to make their way out of back-office systems and into critical infrastructures such as power generation and transportation systems.

For EY Advisory, a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses. We’ve shaped a global ecosystem of consultants, industry professionals and business alliances with one focus in mind — you.

Anticipating cyber attacks is the only way to be ahead of cyber criminals. With our focus on you, we ask better questions about your operations, priorities and vulnerabilities. We then collaborate with you to create innovative answers that help you activate, adapt and anticipate cyber crime. Together, we help you design better outcomes and realize long-lasting results, from strategy to execution.

We believe that when organizations manage cybersecurity better, the world works better.

So, if you were under cyber attack, would you ever know? Ask EY.

The better the question. The better the answer. The better the world works.

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2015 EYGM Limited. All Rights Reserved.

EYG no. AU3672

1511-1740046 MW
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/cybersecurity

Our Risk Advisory Leaders are:

Global Risk Leader

Paul van Kessel +31 88 40 71271 [email protected]

Area Risk Leaders

Americas

Amy Brachio +1 612 371 8537 [email protected]

EMEIA

Jonathan Blackmore +971 4 312 9921 [email protected]

Asia-Pacific

Iain Burnet +61 8 9429 2486 [email protected]

Japan

Yoshihiro Azuma +81 3 3503 1100 [email protected]

Our Cybersecurity leaders are:

Global Cybersecurity Leader

Ken Allan +44 20 795 15769 [email protected]

Area Cybersecurity Leaders

Americas

Bob Sydow +1 513 612 1591 [email protected]

EMEIA

Scott Gelber +44 207 951 6930 [email protected]

Asia-Pacific

Paul O’Rourke +65 6309 8890 paul.o’[email protected]

Japan

Shinichiro Nagao +81 3 3503 1100 [email protected]

EY | Assurance | Tax | Transactions | Advisory

About EY’s Advisory Services

In a world of unprecedented change, EY Advisory believes a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses.

Through a collaborative, industry-focused approach, EY Advisory combines a wealth of consulting capabilities — strategy, customer, finance, IT, supply chain, people advisory, program management and risk — with a complete understanding of a client’s most complex issues and opportunities, such as digital disruption, innovation, analytics, cybersecurity, risk and transformation. EY Advisory’s high-performance teams also draw on the breadth of EY’s Assurance, Tax and Transaction Advisory service professionals, as well as the organization’s industry centers of excellence, to help clients realize sustainable results.

True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk management when working on performance improvement, and performance improvement is top of mind when providing risk management services. EY Advisory also infuses analytics, cybersecurity and digital perspectives into every service offering.

EY Advisory’s global connectivity, diversity and collaborative culture inspires its consultants to ask better questions. EY consultants develop trusted relationships with clients across the C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to leading disruptive innovators. Together, EY works with clients to create innovative answers that help their businesses work better.

The better the question. The better the answer. The better the world works.