Predictive Intelligence (PI): Actionable Insight for the Digital Enterprise
August 2014

PI = [ C4S + G4S + I4S + CR ] x MP
What problems are we trying to help clients solve?
Managing the Threat Landscape

Organizations are increasingly vulnerable to business disruptions. These disruptions may be caused intentionally — by individuals or groups intending to do harm or to steal intellectual property, or unintentionally — as a result of the geographic or socio-political operating environment. All aspects of the organization are vulnerable, from employees to business partners, and from supply chain to IT assets. Organizations need to manage these risks and take advantage of data and analytics to start to thrive and not just survive.
The client questions below span four capability areas: Analytics, Tradecraft, Technology and Workforce.

• How do we anticipate future attacks and take defensive actions before the attacks occur?
• What is the current level and business impact of cyber risks to our company?
• How do I identify salient threats to my global operations, executives and workforce?
• How can we provide timely, actionable intelligence to executive decision makers to manage risk, protect their organization but also thrive?
• What type of cyber incidents or breaches do we detect in a normal week?
• How trained is our workforce to prevent, detect and respond to a cyber breach?
• What is the status of my incident response activities and are we ready and prepared?
• How can I detect subtle but potentially violent shifts in local threat environments?
• How do we detect insider threats before rogue employees can do significant damage?
• How compliant is our cyber security and supply chain vulnerabilities program with emerging regulations?

Booz Allen Hamilton Inc. Copyright 2014. Proprietary.
Overview: Failure is not an Option
The sheer number, speed and sophistication of attacks against today’s organizations are rapidly increasing. And so are the stakes. These threats take many forms including cyber and insider attacks, physical destruction and personal harm. And worse, these threats are constantly evolving, so the risk is ever present despite current security measures. For most organizations, it is no longer a question of if but when. And more urgently, what can be done to effectively mitigate the risk and secure critical assets before the next attack.
• 200 Attacks: Average annualized number of successful cyber attacks per company in the United States.[1]
• $11.56 Million: Average annualized cost of a successful cyber attack in the United States.[1]
• 26% Increase: Net increase in cost over the past year. Represents an additional average annualized cost of $3 million per successful cyber attack in the United States.[1]
• 32 Days: Average time to resolve a cyber attack.[1]
• 33% Increase: Net increase in time to remediate an attack over the past year. Represents an additional 10 days per successful cyber attack in the United States.[1]
• 11% Insiders: Annualized percent of cyber attack cost attributed to malicious insiders.[1]

[1] 2013 Cost of Cyber Crime Study: United States, Ponemon Institute, October 2013.
BREAKING NEWS

• Target Data Breach; CEO and CIO resign (Dec 18, 2013): Target breach compromises 110 million payment cards.
• Pro-Russia Hacktivists attack NATO website (Mar 15, 2014): Group disrupts NATO websites in response to activities in Ukraine.
• Heartbleed Flaw in Internet Explorer (Apr 7, 2014): Vulnerability exposed impacting 17% of the internet's secure web servers.
• Al Qaeda kidnapping attempt in Yemen (May 11, 2014): Al Qaeda gunmen tried to kidnap two U.S. Embassy employees in Yemen.
• Protests hit Brazil ahead of World Cup (May 15, 2014): Demonstrations held in 18 cities protesting billions spent on games instead of housing and health care.
Overview: The Time to Act is Now
Organizations that wait and respond to events after they occur miss the critical window to capitalize on the power of foresight. By using Predictive Intelligence to anticipate and prevent critical attacks from happening, or from reaching their full objectives, organizations can significantly lessen the negative impacts of a successful attack.
[Figure: “Where Do You Fit?” Capabilities are plotted on an INTELLIGENCE axis (Minutes, Hours, Days, Weeks) against a DECISION MAKING axis (Minutes, Hours, Days, Weeks): Advanced Adversary Hunting, Detect Threats, Probabilistic Warnings, Anticipate Threats, Global Situation Awareness, Sanitize Breaches, Respond to Attacks, Prevent Damage, Continuous Diagnostics, Policies & Compliance.]
Staying Ahead of the Curve
Today’s global environment is wrought with potential threats, risks, and opportunities. Success is predicated on an organization’s ability to successfully sense, anticipate, and adjust course to mitigate risks, seize opportunities, and defeat adversaries. Achieving this outcome requires access to a diverse set of skills, techniques and technologies that enable an organization to become and remain predictive. While many competitors have one or two of these offerings, only Booz Allen’s Predictive Intelligence has the end-to-end solutions needed to holistically address both the scale and severity of the current threat landscape.
1. Specialized Tradecraft: threat actor, linguistic, socio-cultural and attack-surface intelligence
2. Big Data & Analytics: proprietary analytics and data libraries
3. Advanced Technology: systems integration and application development
4. Workforce Readiness: threat readiness and incident response solutions

Predictive Intelligence: PI = [ C4S + G4S + I4S + CR ] x MP
Predictive Intelligence combines tradecraft, big data & analytics, technology and workforce to help clients anticipate, prevent, detect and respond to global threats and global opportunities with real-time actionable insight about their environment — internally, externally, globally and socially — so they can take action to be ready, to manage risk, to protect assets and to thrive.
Major Product Lines and Solutions

Cyber4Sight®
Tailored, anticipatory threat intelligence provides actionable, near-real time alerts of specific impending malicious cyber attacks.

Global4Sight™
Threat and business intelligence derived from social media and global datasets enables anticipatory actions, rapid threat mitigation, and strategic positioning.

Insider4Sight™
Holistic approach tailored to mitigate insider risk using advanced detection and analytical tools.

CyberReady™
Continuous, automated diagnostics to discover vulnerabilities and to quickly sanitize breaches.

MissionPlatform
Technology architecture and tool suite for data collection, storage, processing, analytics, and user-focused visualizations; includes talent management to leverage these solutions.
Product Lines: Cyber4Sight® (C4S)
Cyber4Sight tailored threat intelligence products and services proactively defend our clients’ organizations against the most sophisticated cyber attacks. With Cyber4Sight products and services, clients receive actionable intelligence of future attacks in near real time to avoid tactical and strategic surprise.

Cyber4Sight threat intelligence products and services collect and analyze the motivations, intentions, objectives, and capabilities of the specific threat actors around the world most likely to launch an attack against a client — and provide an early warning capability at a fraction of the cost of building a comparable intelligence analysis center internally.
OFFERINGS

Threat Alerting and Warning Services
Anticipatory cyber threat alerts and warnings of impending future attacks, providing clients with an “early warning system” to defend their enterprise.

“On-Call” Intelligence Analysis Services
On-demand services to answer client-submitted cyber threat intelligence questions that require in-depth analysis, which may be related to virtually any cyber threat intelligence topic.

Deep Web Intelligence Analysis Services
Advanced intelligence tradecraft service to monitor specific threat actors’ intentions, motivations and objectives to provide actionable insights for high risk, high consequence cyber threats.

Specialized Cyber Threat Intelligence Studies
In direct consultation with our clients, we create deep-dive, open-source analytic products that present extensive views of current cyber threats and risks.

Cyber Threat Intelligence Summary Products
Daily compendium report on global cyber threats and incidents with a focus on nation states, known hacktivist groups, and criminal syndicates.

Services Availability & Support
Cyber4Sight services operate 24 hours per day, 365 days per year. Intelligence analysts are always available for help and support around the clock via a telephone hotline, email, and Web portal access.

SOLUTIONS

OSIRIS (Open Source Information Research and Investigation System)
• Automated data collection and ingestion
• Automated filtering, correlation, and analysis
• Visualization and alerting dashboard for analysts
• Customized client collection plans based upon business priorities and protected assets

ThreatBase™ (Near Real-Time Knowledge Repository)
• Automatic metadata ingestion and tagging
• Link and timeline analysis
• Object-based queries and advanced search and pattern recognition capabilities
• Web Portal access for clients
Solutions (C4S): ThreatBase™
ThreatBase is the knowledge repository for Cyber4Sight® finished intelligence products, accessible by clients via a secure portal to provide an overview of recent threat trends, including tracking actors, threat origins, and most popular TTPs (Tactics, Techniques and Procedures).

The ThreatBase knowledge repository contains all Cyber4Sight finished intelligence, cross referenced and fully searchable. There are more than a dozen search options, each of which can also be used to pivot between attributes of interest.

The ThreatBase knowledge repository dynamically maps the relationships between threat actors, their tactics, techniques, and procedures, and their targets. Threat statistics, patterns and trends may be analyzed, linking threat actors with targets, attack vectors, and exploits being used.

Geo-location intelligence is stored as well, tracking threat actor locations over time using “based near” correlations.

Threat actor profiles depict the relationships between threat actors, their targets, and the methods of attack, allowing analysts to “pull the thread” from multiple entry points, enriching analysis and providing a more complete picture for clients.
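The relationship mapping and attribute pivoting described above can be illustrated with a small typed graph. The following is an added example and not ThreatBase code; the actor names, relations (`uses_ttp`, `targets`, `based_near`) and facts are constructed for illustration. It shows how indexing each fact from both ends lets an analyst enter at an actor, a TTP, a target sector or a location and pivot two hops in any direction, and how a bounded breadth-first walk "pulls the thread" from any entry point.

```python
"""Toy threat-knowledge graph with multi-entry pivoting (added example, not ThreatBase)."""
from collections import defaultdict, deque

# Constructed sample facts as (subject, relation, object) triples. All names are invented.
SAMPLE_FACTS = [
    ("ACTOR-A", "uses_ttp", "spearphishing"),
    ("ACTOR-A", "uses_ttp", "credential_dumping"),
    ("ACTOR-A", "targets", "energy_sector"),
    ("ACTOR-A", "based_near", "Region-X"),
    ("ACTOR-B", "uses_ttp", "spearphishing"),
    ("ACTOR-B", "targets", "finance_sector"),
    ("ACTOR-B", "based_near", "Region-Y"),
    ("ACTOR-C", "uses_ttp", "watering_hole"),
    ("ACTOR-C", "targets", "energy_sector"),
]


class ThreatGraph:
    """Adjacency with typed edges; every fact is indexed from both endpoints so that
    any entity (actor, TTP, target, location) can serve as an entry point."""

    def __init__(self, facts=()):
        self.adj = defaultdict(set)  # node -> {(relation, neighbour)}
        for subj, rel, obj in facts:
            self.add(subj, rel, obj)

    def add(self, subj, rel, obj):
        self.adj[subj].add((rel, obj))
        self.adj[obj].add((rel, subj))

    def related(self, node, rel=None):
        """Entities linked to `node`, optionally restricted to one relation type."""
        return sorted(n for r, n in self.adj[node] if rel is None or r == rel)

    def pivot(self, start, first_rel, second_rel):
        """Two-hop pivot: start -> first_rel -> intermediates -> second_rel -> results.
        pivot('energy_sector', 'targets', 'uses_ttp') answers 'which TTPs are used by
        actors that target the energy sector, and by which actors?'."""
        out = defaultdict(set)
        for mid in self.related(start, first_rel):
            for end in self.related(mid, second_rel):
                if end != start:
                    out[end].add(mid)
        return {k: sorted(v) for k, v in sorted(out.items())}

    def pull_thread(self, start, max_depth=2):
        """Breadth-first expansion from any entry point; returns node -> hop distance."""
        seen = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if seen[node] >= max_depth:
                continue
            for _, nxt in self.adj[node]:
                if nxt not in seen:
                    seen[nxt] = seen[node] + 1
                    queue.append(nxt)
        return seen


if __name__ == "__main__":
    g = ThreatGraph(SAMPLE_FACTS)
    print("actors using spearphishing:", g.related("spearphishing", "uses_ttp"))
    print("TTPs seen against the energy sector:", g.pivot("energy_sector", "targets", "uses_ttp"))
    print("thread pulled from Region-X:", g.pull_thread("Region-X"))
```

Because edges are stored symmetrically, the same `pivot` call works from a TTP back to the sectors it has been used against, which is the "multiple entry points" property the text describes; a real repository would add timestamps to the `based_near` facts to track locations over time.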
ThreatBase Screenshots
// Secure Client Portal
// Advanced Search
// Relationship Finder
Case Study (C4S): Global Enterprise Services Firm
Defending Intellectual Property and Trade Secrets Through Anticipatory Threat Intelligence

The Challenge
A global enterprise services firm with large-scale briefings for government and commercial clients was stung by a string of network breaches that undermined its intellectual capital and market reputation. The organization’s cyber defense was reactive, so its analysts had no intelligence to prioritize resource allocation and thwart dangerous threats that compromised its networks. To protect sensitive data and its critical infrastructure, the firm needed to implement a world-class Critical Incident Response Team/Security Operations Center (CIRT/SOC) — or risk losing billions of dollars in reputation and future earnings. The company turned to Booz Allen Hamilton and its Cyber4Sight® team for help.

The Solution
Cyber4Sight intelligence reports help predict malicious actors’ intentions, capabilities and probabilities of success before major events occur — enabling the client to prepare for attacks in advance and effectively mitigate risk in real-time.

The Cyber4Sight team implemented 24x7 Threat Alerting and Warning Services, combined with strategic intelligence capabilities, to substantially elevate the client’s security posture — using an intelligence-driven computer network monitoring and defense capability that includes Tripwire Alerts, Spot Reports, Situation Reports (SITREPs), and Daily and Monthly Intelligence summaries. The Cyber4Sight team began transforming the client’s critical data into informed, proactive computer network defense activities.

The Cyber4Sight team also delivers daily threat intelligence reports and briefings to alert the client to potential threats. The Cyber4Sight team continues to field regular Requests for Information (RFIs) from the client to identify and understand developing threats.

Results Achieved
In the first four months alone, the Cyber4Sight team delivered more than 100 serialized threat intelligence summaries and 700 analytic insights. Daily threat intelligence briefings helped guide the client’s ongoing tactical operations, fostering an anticipatory approach that exponentially decreased cyber events.

The insight provided by Cyber4Sight analysts allows the client to better prepare for major cyber events before they occur, avoiding multi-million dollar losses of intellectual property and brand equity.
Product Lines: Global4Sight™ (G4S)
Global threats and global market opportunities can take many forms, including threat intelligence monitoring, message and influence monitoring, and supply chain risk assessment. To protect their competitive advantage and to capitalize on new opportunities, organizations need comprehensive and actionable information.

Global4Sight threat and competitive intelligence products and services combine a strong heritage of cloud architecture and applications development with leading edge open source and social media research and intelligence analysis tradecraft to provide actionable information on global threats and global market opportunities.
OFFERINGS

Threat Intelligence
Monitor the strategic and tactical environment to alert and inform clients of emerging and ongoing threats to people, facilities, and operations.

FinSight
Thwart illicit actors taking advantage of new opportunities using alternative payment systems.

Executive Protection
Anticipate and mitigate physical, reputational and financial risk to individuals created through vulnerabilities exposed online.

Global Advantage
Conduct business research and analysis on opportunities for and threats to market advantage in new environments.

Supply Chain Risk Assessment
Assess third party suppliers to alert clients to business risks.

Application & Architecture Development
Develop innovative solutions to track, visualize, and alert users to threats and opportunities by monitoring vast government, commercial, and publicly available data sets.

SOLUTIONS

Attack the Network Tool Suite (Suite of Tools Enabling “Analytic Hunt”)
• Geospatial, thematic, and string-based investigations against raw and machine-extracted content
• Rapid cross-corpus search of all data types
• Visualization and displays to facilitate interrogation of data

Weatherman Analytic (Value-Chain Analytic to Track Global Threats)
• Models and identifies relationships between activities within an enemy network
• Analyzes value chain “nodes” and tracks hits against keywords that signify activity
• Provides geospatial and temporal view of the changes in the value chain status
Solutions (G4S): OSIRIS
OSIRIS (Open Source Information Research and Investigation System) fulfills four principal functions: targeted collection, ingestion of information feeds, correlation, and visualization.

• Automated data collection and ingestion from 1,250 data feeds
• Ingestion of 1 Terabyte of data each day into a data lake and proprietary cloud environment
• Automated filtering, correlation, and analysis
• Visualization and alerting dashboard for analysts

OSIRIS’ unique client dashboards provide extensive collection and analysis customization and client data segregation, including quick assessments of Twitter feeds. In the example shown right, OSIRIS shows the distribution of pro- and anti-government Twitter authors geotagged at a rally for the Turkish prime minister at the Istanbul airport on 6-7 June, 2014.

[Figure: Number of Categorized Authors Per Hour. Number of unique authors in the immediate vicinity of the Istanbul airport from June 6 through June 7, categorized by pro- and anti-government hashtags.]

OSIRIS Screenshots
// Targeted Collection
// First-Order Correlation
// Analytics Center
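The hourly chart described above, which counts unique geotagged authors near a venue and splits them by hashtag stance, reduces to three steps: a geofence filter, a stance classifier, and per-hour de-duplication of authors. The following is an added example, not OSIRIS code; the airport coordinates are an assumed approximation, and the hashtag lists, author handles, positions and timestamps are constructed. It also shows two edge cases the chart must handle: an author who posts twice in one hour is counted once, and a post carrying both pro and anti tags is left unclassified rather than counted on either side.

```python
"""Geofenced, hashtag-categorised unique-author counts per hour (added example, not OSIRIS)."""
import math
from collections import defaultdict

# Assumed approximate coordinates (latitude, longitude) of Istanbul Atatürk Airport.
ISTANBUL_AIRPORT = (40.9769, 28.8146)

# Constructed stance lexicons; the page does not describe the real categorisation rules.
PRO_TAGS = {"#supportgov", "#standwithpm"}
ANTI_TAGS = {"#govout", "#resist"}

# Constructed sample posts. Handles, positions, times and tags are invented.
SAMPLE_POSTS = [
    {"author": "u1", "lat": 40.978, "lon": 28.816, "ts": "2014-06-06T20:05", "tags": ["#supportgov"]},
    {"author": "u1", "lat": 40.977, "lon": 28.815, "ts": "2014-06-06T20:40", "tags": ["#SupportGov"]},  # same author, same hour
    {"author": "u2", "lat": 40.975, "lon": 28.812, "ts": "2014-06-06T20:10", "tags": ["#govout"]},
    {"author": "u3", "lat": 40.980, "lon": 28.820, "ts": "2014-06-06T21:15", "tags": ["#supportgov", "#rally"]},
    {"author": "u4", "lat": 41.040, "lon": 28.985, "ts": "2014-06-06T21:20", "tags": ["#govout"]},  # ~16 km away, outside fence
    {"author": "u5", "lat": 40.979, "lon": 28.813, "ts": "2014-06-07T09:00", "tags": ["#supportgov", "#govout"]},  # both sides
    {"author": "u6", "lat": 40.976, "lon": 28.817, "ts": "2014-06-07T09:30", "tags": ["#govout"]},
]


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def categorize(tags, pro=PRO_TAGS, anti=ANTI_TAGS):
    """Return 'pro', 'anti', or None when the tags match neither side or both sides."""
    tagset = {t.lower() for t in tags}
    is_pro, is_anti = bool(tagset & pro), bool(tagset & anti)
    if is_pro == is_anti:
        return None
    return "pro" if is_pro else "anti"


def authors_per_hour(posts, center=ISTANBUL_AIRPORT, radius_km=2.0):
    """Unique authors per hour inside the geofence, split by stance."""
    buckets = defaultdict(lambda: {"pro": set(), "anti": set()})
    for p in posts:
        if haversine_km(center, (p["lat"], p["lon"])) > radius_km:
            continue
        side = categorize(p["tags"])
        if side is None:
            continue
        hour = p["ts"][:13]  # "YYYY-MM-DDTHH"; a set per hour de-duplicates authors
        buckets[hour][side].add(p["author"])
    return {h: {"pro": len(v["pro"]), "anti": len(v["anti"])} for h, v in sorted(buckets.items())}


if __name__ == "__main__":
    for hour, counts in authors_per_hour(SAMPLE_POSTS).items():
        print(hour, counts)
```

Counting distinct authors rather than posts keeps one prolific account from inflating a bar, which is why the figure caption speaks of unique authors; the radius and lexicons are the analyst-tunable parts of the collection plan.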
Case Study (G4S): Supply Chain Risk Assessment
Assessing supply chain vulnerabilities to make informed decisions on risk

The Challenge
A government client required assistance in understanding the risk of using certain manufacturers of a high tech component for a critical operational system. The field of possible manufacturers of this new technology was large, operated around the globe, and most had multiple global business partners. The risks the client was concerned about included quality/counterfeit products that could put safety of personnel and operations at risk, or cyber threats from embedded malware or Trojans capable of stealing Intellectual Property. The client did not have a method for assessing the list of companies against relevant risk factors to reduce the number of companies to a manageable size for further research before selecting the right manufacturing partner.

The Solution
Global4Sight™ intelligence analysts employed open source research and analysis against a proprietary risk framework, developed through years of supply chain assessments with both government and commercial clients, to evaluate the commercial vulnerability of the new technology across six distinct attributes. Our supply chain vulnerability framework is a proven, repeatable process that we tailor to specific client needs. A final, prioritized list of eight companies confirmed to be working with the technology of interest, and presenting a low risk as a manufacturing partner, was recommended to the client.

Results Achieved
Global4Sight products and services provided valuable insight into the companies involved with the technology of interest while prioritizing overall risk. Our risk methodology is applicable to all technologies or systems to evaluate supply chain vulnerabilities quickly and efficiently. Our Supplier Risk service offering protects clients against working with suppliers and manufacturers who present a higher risk to the quality, performance or security of component parts integrated into larger systems.
Case Study (G4S): Reputation and Safety Risk for Corporate Sponsor of International Events
Protecting the safety and security of personnel, assets and corporate reputation

The Challenge
A global corporation is sponsoring an international event being held under the cloud of local protests. The protests have included negative sentiment against the country’s leadership for putting money into the event rather than using the money to support transportation, health, and labor issues that plague the local population. The global corporation is concerned that protests leading up to and during the event may turn violent and put the safety and security of senior executives attending the event, and its corporate reputation as a key sponsor, at risk. The company turned to Booz Allen with its Threat Intelligence, Executive Protection and Global Reputation Intelligence Services for help.

The Solution
Booz Allen provided intelligence analysts and socio-cultural linguists to monitor local, national and international media, social media and other open source data for indications and warning of emerging protests and other events. Applying a diverse list of geo-political indicators against the diverse data sets, the analysts and linguists were able to provide early warning alerts, daily updates, weekly trend reports, and deep dive studies on emerging events, protest and other group leaders that informed decisions on safety and security precautions, as well as strategic communications for influencing local and global attitudes about the corporation and the good work they do to support local and national interests and needs.

Results Achieved
The insights provided by the Global4Sight™ intelligence analysts allowed the client to better prepare for and respond to major events, thereby avoiding loss of human life, loss of physical assets, and millions of dollars in reputational loss.
Case Study (G4S): Actionable Competitive Intelligence
Informing a client’s decision on the type of cross-border alliance strategy to pursue

The Challenge
Our client, a Fortune 100 industrial products manufacturer, wanted to establish a strategic alliance with a publicly traded Chinese corporation. While there was an abundance of information about the partnering firm, the client sought further competitive intelligence on how other US and foreign companies had designed and executed similar alliances. In particular, the client was concerned about how an equity based transaction, such as a merger or joint venture (JV), would be treated by the Committee on Foreign Investment in the United States (CFIUS). The CFIUS is a Treasury Department led inter-agency committee authorized to review transactions that could result in control of a U.S. business by a foreign entity. The CFIUS had obstructed other deals in the past, resulting in lost opportunities and significant expenditure of resources on plans that did not materialize. Our challenge was to collect insights into best practices that would inform how the client designed their alliance, and how it was presented to the CFIUS.

The Solution
Booz Allen used a tailored combination of competitive intelligence techniques and a wide range of novel data sources to identify over 40 different alliances in China involving firms comparable to our client. Alliances were characterized by type. Repeatable, though not widely publicized, steps that ensured positive results in CFIUS review were identified. Insights into best practices used to minimize unintended leakage of IP were also uncovered and tabulated for the client to use as needed.

Results Achieved
Booz Allen uncovered unique new and actionable insights into successful prior cross-border alliances engaged in by the client’s competitors. These insights informed the client’s overall alliance strategy, resulting in the client choosing to execute a JV with their intended Chinese partner. Booz Allen’s insights informed how the client presented their case for a JV to the CFIUS. Our insights contributed to the client’s design of their JV in order to minimize risks of unintended leakage of intellectual property to the Chinese JV partner.
Product Lines: Insider4Sight™ (I4S)
Organizations face increasing risk from insider threats posed by employees, contractors and business associates who possess legitimate placement and access and thus are often unseen by network audit tools focused on protecting networks and information from outside intervention and compromise.

Insider4Sight behavior-based assessment tools are applied against expected role models to detect rogue insiders before significant damage occurs. The benefits of Insider4Sight tools and services include reduced implementation cost, improved detection probability, predictive identification of risks and coordinated repeatable response.
OFFERINGS

Maturity Assessments & Benchmarking
Baseline assessment of a client’s insider threat program maturity, using a reference model to assess risk across people, process and technology dimensions. The maturity model uses control families and control objectives measured against industry best practices. An opportunity roadmap is created, mapped to key risks and business objectives.

Data & Architecture Services
Evaluation of existing applications and available data to establish a baseline technology architecture for an insider threat program. Data fusion and machine analytics design services to close information gaps, based upon the goals of the overall program.

Insider Threat Monitoring Services
Managed security services to monitor a client’s enterprise 24 hours per day, 365 days per year, using a customized alerting dashboard to collect evidence of rogue insider activities. Near real time alerts are escalated within the organization, applying analytic tradecraft and case management techniques. We continuously update and evolve expected role behaviors, develop and deploy anomaly triggers, evolve machine analytics, and update tool configurations based upon changing risks and critical asset priorities.

Program Design Services
Insider threat program design services to create a customized program for a client’s organization. Services include policy development, critical asset analysis, role and behavioral modeling, governance and oversight design, privacy and legal assessment, security design, technology planning and roadmap development.

SOLUTIONS

Beacon (Automated Workflow and Analytic Environment)
• Guides the analyst in the response while providing an audit trail and chain of custody documentation
• Enables behavioral analysis against Use Cases (spies, fraud)

I4S Signature Repository (Library of Behavioral and Risk Activity Triggers)
• Provides indications of anomalous activity indicative of likely-threat behavior
• Evaluates multiple data sets (email, chat, badge activity) against baseline actor thresholds to characterize and cluster on behavior profiles
Solutions (I4S): BEACON
BEACON provides automated workflow and case management of risk alerts to detect, assess and secure against the risk of anomalous behavior.

Insider threat audit relies on several key technology platforms to deliver and aggregate the required data for effective detection, analysis and resolution or investigation. Depending on the event, a repeatable workflow process is tailored to the alert and an organization’s normal operating procedures. Analysts utilize contextual information to help determine if the anomaly is within the scope of expected role behaviors or if it warrants escalation. When escalation is recommended, the analyst creates a package which contains all the relevant data regarding the alert/behavior and all collected contextual information. The Escalation Package is transferred to an appropriate investigative authority.

BEACON tracks and documents all of the analyst’s activities to ensure that chain of custody is maintained for reported data and escalation packages. Whether benign or malicious, all activity is captured and stored for future reference and statistical purposes.
Anomalies in user activity are detected and compared against expected role behaviors. The analyst then assesses the risk of malicious behavior.

BEACON Screenshots
// List of Potential Issues
// Potential Issue Details
// Escalation Package
Case Study (I4S): National Security Client
Defending Sensitive and Classified National Security Information Through Anticipatory Threat Intelligence

The Challenge
An overarching degree of trust given to an employee with access to highly classified information without the balance of auditing and analysis presents a high degree of risk. The WikiLeaks disclosures exposed the need for systemic oversight of policy compliance for any agency using classified information systems. Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” codified many steps for agencies to take in order to protect classified information. The EO affirmed that agencies bear the primary responsibility for the minimum standards regarding information security, personnel security, and systems security, which includes establishing an integrated capability to monitor and audit information for insider threat detection and mitigation and gathering information for a centralized analysis, reporting and response capability. These new requirements require an approach that maximizes detection results within resource and budget constraints.

The Solution
Leveraging behavioral psychologists, we developed triggers around known use cases of malicious insiders, resulting in an 88% increase in the probability of detecting an event that required escalation (investigation). By trending data over time against expected role behaviors, we reduced the number of false positives from over 200 per day to 23 per week, dramatically reducing the number of labor hours required to investigate all of the false positive alerts.

Results Achieved
Booz Allen partnered with an Intelligence Community client to deploy an integrated monitoring capability on both unclassified and classified networks and a centralized analysis and response capability. Our expert analyst reviewed an alert for an employee who used a thumb drive in an unclassified laptop and desktop system, in violation of standard DoD policy. By leveraging internal databases, our analyst put context around the event and determined the employee had a written exception for use while performing legitimate work functions. Noting that files were on the thumb drive prior to the employee’s employment, our analyst applied a suite of tools against the thumb drive files and identified anomalies that indicated a potential compromise of the network. The analyst immediately completed a detailed report into the malware discovered, an overview of possible APT actors and made a recommendation to escalate the event to appropriate government investigative agencies. The APT was subsequently isolated and removed from the network.
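The Insider4Sight description (behavior-based assessment against expected role models, data sets evaluated against baseline actor thresholds) and the case study above (false positives cut by trending data over time against expected role behaviors) both come down to the same detection logic. The following is an added example, not Insider4Sight or BEACON code; the role, user names and daily counts are constructed. It builds a per-role baseline from peers with median and MAD (robust statistics, so a single misbehaving insider does not pull the baseline toward themselves), scores each user-day, and then compares a naive single-day trigger with a sustained-deviation trigger. The same scoring would be applied per data source (badge, email, chat) in a real program; one source is shown here.

```python
"""Role-baseline insider anomaly scoring with single-day vs sustained triggers (added example)."""
import statistics

# Constructed per-user counts of after-hours badge entries on seven consecutive days,
# grouped by role. Names and numbers are invented.
SAMPLE_ACTIVITY = {
    "engineer": {
        "alice":   [1, 0, 1, 0, 9, 0, 1],   # one-off spike, e.g. a release weekend
        "bob":     [0, 1, 0, 1, 1, 0, 0],
        "carol":   [1, 1, 0, 0, 1, 1, 0],
        "mallory": [0, 1, 5, 6, 6, 7, 6],   # sustained departure from the role baseline
    }
}


def role_baseline(counts_by_user):
    """Robust baseline for a role: median and median absolute deviation (MAD) over all
    peer-days. Median/MAD rather than mean/std so one anomalous insider does not
    drag the expected role behavior towards their own activity."""
    values = [v for series in counts_by_user.values() for v in series]
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, max(mad, 1.0)  # floor the spread so a very quiet role never divides by zero


def deviation_scores(counts_by_user):
    """Per user, a list of daily deviation scores relative to the role baseline."""
    med, mad = role_baseline(counts_by_user)
    return {user: [(v - med) / mad for v in series] for user, series in counts_by_user.items()}


def flag_single_day(scores, threshold=3.0):
    """Naive trigger: any single day above threshold raises an alert."""
    return sorted(user for user, s in scores.items() if any(x > threshold for x in s))


def flag_sustained(scores, threshold=3.0, window=5, min_days=3):
    """Trended trigger: alert only if at least `min_days` of the last `window` days
    exceed threshold, so a one-off spike is not escalated."""
    flagged = []
    for user, s in scores.items():
        recent = s[-window:]
        if sum(1 for x in recent if x > threshold) >= min_days:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    scores = deviation_scores(SAMPLE_ACTIVITY["engineer"])
    print("baseline (median, mad):", role_baseline(SAMPLE_ACTIVITY["engineer"]))
    print("single-day trigger flags:", flag_single_day(scores))
    print("sustained trigger flags:", flag_sustained(scores))
```

On this sample the single-day rule flags both the legitimate spike and the sustained pattern, while the sustained rule flags only the latter; tuning `window` and `min_days` per role and data source is the "trending over time" that the case study credits for its false-positive reduction, and any alert that does fire would still go to an analyst for the contextual review the BEACON workflow describes.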
Product Lines: CyberReady™ (CR)
Without the ability to take action, even anticipatory threat intelligence is useless. Organizations therefore need full command and control over their IT infrastructure, so that proactive changes can be made to mitigate risks.

CyberReady products and services provide advanced technologies, dynamic algorithms, and sophisticated tradecraft to actively mitigate (not just discover) cyber risks, and to sanitize organizations in the event of a breach. Automated diagnostics — running against fused data — assess vulnerabilities, detect persistent threat actors, and enable fixes to be prioritized. And our National Security Cyber Assistance Program (NSCAP) accredited team of cyber incident responders can act quickly to drive intruders out.
OFFERINGS

Continuous Diagnostics & Mitigation Services
Shortening the time between identifying and fixing vulnerabilities is the key to pro-active threat mitigation. Our continuous diagnostics and mitigation services can help clients achieve real-time risk awareness, and better close gaps in their infrastructure.

NSCAP-Accredited Incident Response Services
Booz Allen is one of only six companies who are accredited by the US Government to conduct incident response activities, due to our highly skilled and qualified staff, repeatable processes, and custom tradecraft.

NetRecon and Red Team Services
Understanding how a client’s organization looks to an outside attacker helps clients reduce their attack surface and proactively defend against cyber threats. Our team of white hat hackers can quickly identify vulnerabilities in clients’ systems.

Algorithm & Analytics Development Services
Fast, accurate, and decision-reliable algorithms are the heartbeat of any cyber operations center. Our team of data scientists has created a library of common analytics, and can create new ones — on almost any tools platform.

Policy Compliance Automation Services
Tracking and accurately measuring cyber policy compliance eliminates manual assessment and reporting practices. This allows clients to better assess the “cost of compliance” and make better prioritization decisions.

Tools Integration and Data Fusion
Integrating cyber tools to support decision-making is critical to pro-active threat mitigation. Our team’s data-centric approach helps extract decision-making data from tools, allowing a more holistic, analytics-driven approach.

SOLUTIONS

CyberReady Codex
• An integrated library of cyber analytics and indicators
• User interface to create new analytics
• Based on 5+ years’ experience supporting some of the nation’s largest cyber security operations centers

Automated First Responder (AFR)
• Custom-built incident response platform
• Identifies one-off malware and persistent threat actors, even if no signatures exist for the threat
• Zero persistent install for quick deployment

CyberReady Command and Control Dashboards
• Visualizes fused data pulled from a variety of sources
• Supports executive-level decision making, incident response, and CIRT/SOC functions
Solutions
CyberReady™ (CR)
CyberReady NetRecon
One of the best techniques an organization can employ to shore up its cyber defenses
is "acting like an attacker." This means taking an external view of the enterprise and
trying to breach the network perimeter using any means necessary. While many automated
vulnerability scanning tools exist, they are frequently rigid, rule-based, and reliant
on published vulnerabilities. CyberReady NetRecon overcomes these limitations and
provides a holistic, comprehensive view of an organization's vulnerabilities. We provide:
• The Attacker Perspective: Extensive discovery techniques and years of intelligence
  analysis experience allow us to get results quickly.
• Actionable Intelligence: We provide a customized report for each client that takes
  into account the unique elements of each business.
• More Than Red Teaming: We find more vulnerabilities across the mile-wide surface
  area of an organization's network, giving clients more visibility and a better
  understanding of where defenses are needed.
Examples of issues uncovered in our reports include: undisclosed internet Points of
Presence and disaster recovery locations; high-value projects unknowingly correlated to
undisclosed locations; protocol eavesdropping analysis; unknowingly published sensitive
information.
[Screenshots: Reconnaissance Reports; Vulnerability Dashboards; Attack Surface Modeling]
Our highly trained team of CyberReady NetRecon analysts is why we're different. They
connect the dots, skillfully deploy state-of-the-art tools, and apply extensive research
and training to each engagement.
Case Study
CyberReady™ (CR)
Commercial Financial Institution
Sanitizing a Breached Network and Driving Out Persistent Threat Actors

The Challenge
A large commercial financial institution detected anomalous activity on its network,
which posed a significant threat to its business operations and reputation. To determine
the extent of the damage, shore up cyber defenses, and systematically drive out the
intruders, the firm needed a multi-disciplined team of incident responders who could
lead, coordinate, and execute a full-scale incident response. The organization turned to
Booz Allen and its CyberReady™ Incident Response Team for help.

The Solution
Booz Allen's CyberReady Incident Response activities are accredited by the National
Security Cyber Assistance Program [1], which ensures highly skilled staff can provide
state-of-the-art services within 21 separate Incident Response areas.
Typical activities we provide to our clients include:
• Rapid, comprehensive impact assessments
• An on-the-ground team of Subject Matter Experts (SMEs) that integrates with existing
  technical teams (e.g., CIRT/SOC) and non-technical staff (e.g., law enforcement,
  media relations)
• Systematic breach response to drive intruders out, quickly patch vulnerabilities,
  and maintain situational awareness
• Thorough forensics analysis and evidentiary support
• Comprehensive vulnerability assessment to proactively identify and remediate
  additional threat vectors

Results Achieved
Within 24 hours, Booz Allen deployed a CyberReady Incident Response team within the
organization and completed an initial Breach Assessment using a rapid-response mobile
toolkit. An initial Malware Triage was completed within 36 hours, which allowed
containment and remediation measures to begin. Within 72 hours, the team deployed custom
tools to capture and analyze 62+ billion packets of encrypted traffic (PCAP) and
200,000+ firewall, application, and web logs, and to conduct forensic analysis on
60+ hard drives.
The CyberReady Incident Response team produced a detailed event log with 5,000+ discrete
intruder actions, delivered a 400-page legal/technical report with 15,000+ additional
exhibits, and supported the organization's legal, law enforcement, media, and customer
outreach efforts. Before concluding, the team conducted an independent verification of
the organization's cyber defenses to make sure that there were no additional avenues of
attack.

Booz Allen's CyberReady Incident Response provides rapid, on-the-ground support to
quickly sanitize an enterprise's IT infrastructure in the event of a breach.

[1] http://www.nsa.gov/ia/programs/cyber_assistance_program/
Product Lines
MissionPlatform (MP)
Underpinning the Predictive Intelligence product lines is a set of core capabilities that
provides the technology foundation, a cadre of trained staff, and the mission
understanding required to first establish, then scale, and finally realize the full
potential of the Predictive Intelligence suite of offerings.
MissionPlatform is an enabling product line that acts as a force multiplier by providing
a robust data analytic platform for rapid data integration and exploitation; proven
methodologies for creating and evolving a PI workforce; and a pool of specialized subject
matter experts who possess the deep mission understanding necessary to tailor people,
process, and technology to mitigate potential threats and capitalize on opportunities in
multiple domains.

OFFERINGS

PI Platform Development and Integration
Design, develop, and field data analytic platforms and analytical tools. Integrate new
Predictive Intelligence technology with legacy capabilities to expose and enable
analytics on all available data. Provided in multiple deployment models (remote-hosted,
on premise).

Talent Management and Workforce Development
Advanced training, exposure to new technologies, and lab rotations are designed to
cultivate and nurture the next-generation Predictive Intelligence workforce.

Rapid Prototyping
"Quick-win" design, development, and rapid fielding of new technology focused on
experimenting with novel approaches to current technical challenges. Provides users
with tangible capabilities for direct feedback and collaboration on follow-on
iterations.

Software Development Center
An incubation lab focused on the invention of new Predictive Intelligence capabilities.
Staff are assigned on a rotational basis and execute Agile development projects to turn
new ideas into innovative solutions.

SOLUTIONS

Next Generation Analysts
Methodology, training, and lessons learned for building and operating innovative
analytic teams (IATs) focused on new methodology creation, rapid prototyping, and
innovative solution development.

PI Data Analytic Platform
Cloud Analytic Architecture
• Enables rapid integration, processing, and analysis of large-volume and diverse
  datasets
• Designed for rapid integration of new data sources (<1 day)
• Provides advanced entity extraction, natural language processing, and automated
  risk assessments
• Packaged for cloud-based, remote, and on-premise deployments

SCARAB
• Distributed, dynamic network for low- and mis-attributable collection of
  internet-based content
• Provides disposable, virtual client machines executed through cloud service
  providers
Case Study
MissionPlatform (MP)
Global Financial Services Institution
Protecting Personal Information and Banking Infrastructure through an Established Cyber
Security Capability

The Challenge
A global financial services company with diverse business segments, making it one of
the world's prominent financial services institutions, was breached and personal
information accessed. Recognizing that it faced a continuous threat environment as a
high-value target for internal and external actors, the client required a robust
strategy to establish a workforce capable of addressing its unique risk/threat profile.
To deny attackers the ability to gain privileged visibility into, disrupt, or manipulate
its core business functions, the institution turned to Booz Allen for an independent,
third-party validation of its cybersecurity workforce readiness capability.

The Solution
The MissionPlatform team built a customized set of Cyber Talent Management Interventions
to close organizational capability gaps. Interventions were designed to meet the unique
risk/threat profile of the institution and achieve short- and long-term risk mitigation
objectives. Reports guided the client in identifying critical positions, examining cyber
workforce distribution, and establishing a Cyber Security Job Family.
MissionPlatform activities launched the initial stages of a comprehensive cyber security
workforce strategy to effectively safeguard client information and infrastructure
critical to both U.S. national security and global economic prosperity.

Results Achieved
In under six weeks, the MissionPlatform team identified critical talent gaps,
sub-optimal performance risks, and flawed hiring practices. Also revealed were
organizational misalignments of the workforce, which increased the firm's exposure to
risk and limited the ability of systems to meet cybersecurity requirements, as well as a
cyber security talent deficit. The analysis found that the strategic plans in place to
close these gaps were limited, including inaccurate position targets and compensation
projections nearly 60% under market. Briefings to Risk Management, Information Systems
and Human Resources established an action plan for adjusting the human capital strategy
and making targeted investment decisions to expand capability.
Predictive Intelligence Points of Contact
PI = [ C4S + G4S + I4S + CR ] x MP
Predictive Intelligence combines tradecraft, big data & analytics, technology and
workforce to help clients anticipate, prevent, detect and respond to global threats and
global opportunities with real-time actionable insight about their environment — internally,
externally, globally and socially — so they can take action to be ready, to manage risk,
to protect assets and to thrive.

Angela M Messer, Executive Vice President, Predictive Intelligence
703-902-5666
messer_angela@bah.com

Cyber4Sight®
Insider4Sight™
MissionPlatform
Randy Hayes, Vice President, 703-377-5501, hayes_randy@bah.com
Randy Hayes, Vice President, 703-377-5501, hayes_randy@bah.com
Brad Medairy, Senior Vice President, 703-902-5948, medairy_brad@bah.com

Global4Sight™
CyberReady™
David Kletter, Senior Vice President, 703-902-3808, kletter_david@bah.com
Brad Medairy, Senior Vice President, 703-902-5948, medairy_brad@bah.com
Raynor Dahlquist, Vice President, 703-984-7886, dahlquist_raynor@bah.com
Leslie Raimondo, Vice President, 703-984-0126, raimondo_leslie@bah.com

Cyber4Sight® is a registered trademark of Booz Allen Hamilton Inc. Global4Sight™, Insider4Sight™, CyberReady™, and ThreatBase™ are trademarks of Booz Allen Hamilton Inc.