Cyber Security Update

November 2012

Oil & Gas Center

A new approach to finding the needle in a haystack


Using analytics to address today's cybersecurity threats
The Security Analytics Framework from Ernst & Young takes an innovative approach to harnessing large quantities of disparate security data to create an actionable decision matrix, allowing security professionals to make fact-based security decisions.
By Jose Granado and Anil Markose
In recent years, US companies in the oil and gas and chemical sectors have spent millions of dollars on security, deploying a wide range of security technologies designed to protect their most valuable intellectual property. Yet these sectors, including some of their largest players, remain extremely vulnerable to the very real threats of targeted espionage. Despite the dollars spent, many oil and gas and chemical companies are actually unprepared in security given the sophistication and skill of the enemy. These US companies are targeted thousands of times daily by well-funded, highly trained teams of hackers, sometimes backed by foreign governments, who are seeking information on pending lease bids, insider knowledge on upcoming acquisitions or mergers, geoseismic or engineering data, technology research, chemical formulas or recipes, and even telemetry data from oil wells in operation.

These attacks are well planned and can be active for multiple years. They often take a multi-pronged approach to penetrate a targeted company: although digital data may be the target, the attackers may combine techniques such as socially engineering current employees, inserting moles into the company and launching cyber attacks over an extended period to achieve their goals. The goals can vary by attacker, from stealing valuable data to gaining access to process control networks, all in an attempt to intentionally damage or disrupt operations. Companies facing these attacks agree that this is a top issue and is costing them significant amounts in lost opportunities, future revenue and market share.


Security professionals face information overload


Although US companies have made significant investments in security technologies, the major bottleneck in the current approach to cyber security is the sheer amount of information these technologies generate. There are millions of IT security technologies on the market today, and companies typically use a number of different ones, running simultaneously, to manage various systems and threats. These technologies generate large volumes of data every day in forms such as system logs, archives, alerts, notifications, user transactions and access data, overwhelming IT staff who have no consistent method of digesting and analyzing the information. In addition to internal data, most IT organizations are also overwhelmed with additional data points from external threat information: blog sites, subscription services, chatter on hacker forums and much more.

Over the last few years, many organizations invested heavily in security information and event management (SIEM) tools to help manage the large volumes of data. But while SIEM combines data from multiple software systems to provide a central view, it is still difficult to make sense of the vast amount of security information flowing in every hour of every day.

Gaining actionable intelligence is almost impossible

When this data is added to other sources of information, such as internal audit findings and customer/vendor security assessments, it creates an overwhelming amount of information but not necessarily knowledge. Staff can't possibly sort through everything to identify the real risks. Eventually, these technologies are either ignored, or the data and alerts presented are filed away without action. IT security personnel are left with little predictive capability in place to enhance detection of real risks or guide the company's response when legitimate threats appear. In most cases, this data is used only after an incident has occurred, to analyze the steps a potential attacker may have taken.

In other words, despite the investments in security made over the years, all that stands between your enterprise network and a damaging cyber attack is the technical experience and gut instincts of your IT staff.

A new approach
The challenge for IT professionals is identifying what data is relevant amid a virtual flood of information from multiple sources. One potential approach is Ernst & Young's Security Analytics Framework, which is customizable and technology-enabled, helping security professionals to use existing technologies to make fact-based decisions. The framework has three components:

- External threat analysis: understanding the external threats that are relevant to your organization and its assets
- Inside risk analysis: understanding how the company's internal assets (people and systems) behave within the environment
- Third-party risk evaluation: understanding how your external assets (customers, suppliers, vendors, contractors and partners) impact your security

The three components help to organize the large volumes of data and provide an interwoven method for integrating disparate groups of information. Of the three components, the greatest emphasis is placed on the inside risk analysis, since it will have the most real-time and accurate data, generated by the company's internal assets. Once the insider risk profiles are created, the other two components are linked to various company assets based on their ability to impact internal assets.

Three differentiators allow this approach to security to be better aligned with environments with large amounts of security data:

1. Asset mapping: A primary challenge with today's security data is that it does not easily tie back to an inside asset (person or system), so alerts from these technologies often require a significant amount of manual work to understand. How would your organization report on the number of alerts a given individual has across the enterprise (failed logons, data loss prevention (DLP) alerts, web gateway violations)? For most organizations, this data resides in silos and cannot be correlated back to a single asset. The Security Analytics Framework maps all key alerts and security information back to an actual inside asset using a correlation engine. In doing this, connections between apparently unconnected activities that may warrant an asset being labeled as high risk become possible. For example, asset mapping would alert you that suspect malware is trying to steal sensitive data from a server that has an antivirus alert, or from an IP address that has hit a number of DLP technology alerts.

Oil & Gas Center | Cyber Security Update


2. Behavior-based analysis: The challenge with many technologies today is that they are signature-based, which requires a clear set of criteria to be established for the technology to work correctly. In the example of a SIEM, one has to define what "abnormal" is for it to create an alert. In most cases, the SIEM is creating more alerts than are manageable. In taking a behavior-based approach, "normal" is defined by profiling the expected behavior of the company's inside assets (people and systems). Once this profile is created, specific behavior-based technologies are used to identify abnormal behavior. For example, a user normally logs in from a US IP address between the hours of 9:00 a.m. and 6:00 p.m. and logs onto a known list of applications for his or her day-to-day activities. When this user account logs in at 3:00 a.m. from a non-US IP address, alerts are generated. A similar approach is used for all individuals and systems if there is enough historical data about their activities.

3. Peer analysis: A very big concern with today's security data is the number of false positives. To address this, the Security Analytics Framework uses system transaction data to group people and systems with other people and systems that behave in a similar manner. An abnormal behavior alert is generated only if the asset is behaving differently than both its own profile and the profiles of its peers. For instance, although a behavior alert is received due to a user's activity at 3:00 a.m., we can rule this out as a false positive if all her peers are also active at that time, possibly because the entire team is working long hours due to a particular deadline. This peer-level comparison is taken into account before a true alert is generated.

The above three differentiators can be used to rank the risk of inside assets (employees and systems), while the data points from the other two framework components (external threat analysis and third-party risk evaluation) can be used to adjust the risk scores using a customized scoring mechanism. Ultimately, security professionals are able to detect where their greatest security exposure exists and react in a timely manner to address this risk. Since the security analytics dashboard is technology-enabled and data-driven, a security professional can use an enterprise view that incorporates all three components of the framework, or drill down to individual data points within any of the components, all the way to the actual security technology that generated the original alert or data point. This approach can empower a smaller security function to be more impactful by focusing on the right risks, those that pose the greatest threats. This holistic view of security threats cuts through the information overload and highlights the proverbial needle in a haystack: the threats that are truly meaningful to your company.
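As an added illustration (not Ernst & Young's code and not part of the original article), the Python sketch below applies the three differentiators to a handful of constructed logon, DLP and antivirus events and then scales each asset's score with an assumed external-threat country factor. Every user, peer group, weight and the country code XX are assumptions.

```python
"""Toy scoring pass over constructed security events (added example, not
Ernst & Young's own code): asset mapping, behaviour baseline, peer analysis
and an external-threat adjustment. All names, groups and weights are assumed."""
from collections import defaultdict

# Constructed baseline: user -> (peer group, usual logon hours, home country).
BASELINE = {
    "alice": ("geo-team", range(9, 19), "US"),
    "bob":   ("geo-team", range(9, 19), "US"),
    "carol": ("geo-team", range(9, 19), "US"),
    "dave":  ("finance",  range(8, 18), "US"),
}
# Constructed events from several technologies: (tech, user, hour, country).
EVENTS = [
    ("vpn", "alice", 3, "US"), ("vpn", "bob", 3, "US"), ("vpn", "carol", 3, "US"),
    ("web", "alice", 10, "US"), ("vpn", "dave", 3, "XX"),
    ("dlp", "dave", 3, "XX"), ("av", "dave", 4, "XX"),
]
# Assumed external-threat feed: countries flagged as actively targeted.
COUNTRY_RISK = {"XX": 2.0}

def score_assets(events, baseline, country_risk):
    """Return {user: (score, reasons)}: 1) correlate every event to the user
    it belongs to, 2) compare hour and country with that user's own profile,
    3) discard an anomaly that the user's peer group shares, then scale by
    the external-threat factor of the riskiest country seen for the user."""
    by_user = defaultdict(list)                      # 1. asset mapping
    for tech, user, hour, country in events:
        by_user[user].append((tech, hour, country))
    active = defaultdict(set)                        # (group, hour) -> users
    for user, evs in by_user.items():
        for _, hour, _ in evs:
            active[(baseline[user][0], hour)].add(user)
    results = {}
    for user, (group, hours, home) in baseline.items():
        peers = {u for u, b in baseline.items() if b[0] == group and u != user}
        score, factor, reasons = 0.0, 1.0, []
        for tech, hour, country in by_user.get(user, []):
            if tech in ("dlp", "av"):                # raw alerts tied to asset
                score += 1.0
                reasons.append(f"{tech} alert")
            if hour not in hours or country != home: # 2. behaviour baseline
                shared = len(active[(group, hour)] & peers)
                if peers and shared >= len(peers) / 2:  # 3. peer analysis
                    reasons.append(f"{hour:02d}:00 logon shared by peers, ignored")
                else:
                    score += 2.0
                    reasons.append(f"abnormal {hour:02d}:00 logon from {country}")
            factor = max(factor, country_risk.get(country, 1.0))
        results[user] = (score * factor, reasons)
    return results

def ranked(results):  # dashboard order: highest risk first
    return sorted(results, key=lambda u: results[u][0], reverse=True)
```

With the constructed data the whole geo-team logs on at 03:00, so those anomalies are suppressed by peer analysis, while dave's lone off-hours logons, DLP and antivirus alerts from a flagged country rank him at the top.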

How it works: an example


During the initial phase, the development team works to understand what is sensitive and what security data exists around these high-value assets within the company (logs, alerts, archives, feeds, etc.). We then map the security data within the client's environment to its assets. The team will determine asset value and peer groups by reviewing the type of data each asset can access and by analyzing transaction logs to understand behavior. The peer grouping will analyze up to a year's worth of historical data within logs, and similarly behaving assets will then be grouped. Once the inside profiles are complete, the team correlates external threat feeds and third-party information to each of the inside assets and creates the security analytics dashboard.

Upon implementing the program, the external threat dashboard would highlight relevant external threats, such as information that a well-known hacker group could be targeting US companies in certain countries due to US policies with respect to those countries. These threat feeds will be factored into the framework and used to adjust the risk score for assets in these select countries. Within hours, the security analytics dashboard will report that a high-risk employee has an extremely low security rating (due to the adjusting of risk scores for assets in this location). The employee's heightened score will draw attention to suspicious activities in a high-risk area. Otherwise, this employee's alerts would be buried in large logs that no one would notice.

Figure: Ernst & Young security analytics framework explained. Three inputs feed the security analytics: asset information (access logs, security alerts, vulnerability scans, etc.) into the inside risk analysis; external threat information (news feeds, government agencies, alert subscriptions, etc.) into the external threat analysis; and third-party risk information (vendor risk assessments, third-party security audits, etc.) into the third-party risk evaluation. The combined security analytics enable fact-based security decisions.


Due to the security rating, the IT security team drills down from the dashboard to its existing log monitoring software and discovers that the employee has an unusual level of security alerts and network activity compared with his peer group. After looking at the various alerts that the security analytics dashboard had mapped to the employee, the IT team can determine that the employee clicked on a link within a phishing email that originated from a vendor with a low security score in the third-party risk evaluation dashboard. The IT team can then quickly quarantine the employee's system and update the email filters to look for additional emails coming from this vendor. The security team will notify the vendor that it has probably been hacked and is now launching phishing emails from its environment. Without a holistic program that uses the Security Analytics Framework, these events would likely have been investigated separately, or not at all, and the company would not have been able to react as quickly.

Ernst & Young Assurance | Tax | Transactions | Advisory


About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

How Ernst & Young's Global Oil & Gas Center can help your business
The oil and gas industry is constantly changing. Increasingly uncertain energy policies, geopolitical complexities, cost management and climate change all present significant challenges. Ernst & Young's Global Oil & Gas Center supports a global practice of over 9,000 oil and gas professionals with technical experience in providing assurance, tax, transaction and advisory services across the upstream, midstream, downstream and oilfield service sub-sectors. The Center works to anticipate market trends, execute the mobility of our global resources and articulate points of view on relevant key industry issues. With our deep industry focus, we can help your organization drive down costs and compete more effectively to achieve its potential.

Threat is real
With all the software vendors involved in this space, why is the Security Analytics Framework necessary? At Ernst & Young, we believe the answer is that the current problem cannot be solved with another technology but requires an analytics-based approach customized to the company's data and risk profile. This is a detailed effort that is better suited to a company that specializes in helping clients understand and manage risk. Our approach takes the software currently in use by clients and integrates it so that the various programs work together to provide data that can be measured against customized risk factors, giving a realistic and manageable view of cyber security threats.

Still, the major challenge to effectively monitoring and responding to cyber risks is an internal one. Many companies today are in denial about these very real threats to their proprietary information, and they hesitate to invest in more security, regardless of its benefits. Data theft is often considered to be an IT issue rather than a true enterprise risk, but the reality is that cyber security is absolutely critical to success in today's world. In recent years, several of the country's largest energy and chemical firms have experienced problems caused by hackers gaining access to their networks, problems that were first identified by outside agencies such as the FBI or the Department of Homeland Security rather than by internal security staff. Competitive companies are realizing that they cannot effectively manage risk in a global environment if they ignore the threat of cyber theft. There is one other certainty: as the industry's search for global reserves and profits heats up, the cyber war will as well.

© 2012 Ernst & Young LLP. All Rights Reserved. SCORE no. DW0193 WR no. 1209-1395674

Who to contact
Jose Granado, +1 713 750 8671, [email protected]
Anil Markose, +1 214 969 9734, [email protected]

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. ED None
