Is Active Defense right for me?

EY considers the ability to mount an effective Active Defense as a strategic end-state for the enterprise security program, and the journey to establishing an effective Active Defense varies for every organization. According to EY’s 2015 GISS, 47% of respondents reported that their organization does not currently have an SOC; of those that do, 26% outsource real-time security monitoring, and only 12% reported being able to fulfill all functions in-house.

[Sidebar] 47% of respondents reported that their organization does not currently have an SOC*

Is my organization ready to implement an Active Defense?

EY’s cybersecurity offerings help develop the security program with an eye toward establishing an Active Defense. However, if any of the following statements reflect your organization, then Active Defense may be right for you:

• We have an SOC, but we still aren’t finding evidence of advanced attackers.
• We have an SOC, but we still had a major breach.
• We have had an SOC for a few years, but we need to evolve beyond static monitoring.
• We have strong business pressures to defend intellectual property or confidential business information (R&D, M&A, ICS/SCADA, etc.).
• We have an outsourced SOC, but we don’t believe that our most valuable data and operational systems are truly secure.

How can EY help me prepare to conduct an Active Defense in the future?

Many organizations can benefit from the enhanced operational discipline and adversary focus inherent to Active Defense. However, effectiveness from an Active Defense program requires appropriate maturity levels in a range of security competencies, including security operations, security monitoring, asset identification and classification, IT operations, threat intelligence, security architecture and others. By focusing on an Active Defense capability as a strategic goal, decision-makers and security practitioners can engage in meaningful discussion about the steps for organizational improvement that will help realize the benefits described herein.

When this occurs, the benefits of an Active Defense can be:

• For the security operations team, Active Defense helps provide a defined set of improvement activities rationalized by threat intelligence and security analytics, and then connected to achievable objectives. The team builds countermeasures, hunts hidden intruders and bolsters defenses on the basis of real reporting about the behavior of real attackers.
• For decision-makers, Active Defense helps connect resource deployment directly to measures of cybersecurity program effectiveness. Instead of focusing on performance measures like “number of patches applied” and “number of tickets closed,” effectiveness can be demonstrated via, for example, a decrease in successful targeted attacks or a decrease in the time required to discover and eradicate the attacks that were successful.

An organization’s intellectual property and critical business systems have substantial monetary value, and organization leaders expect their security programs to keep the data secure and the attackers out. To this end, the effectiveness of the organization’s security operations can be significantly enhanced by an Active Defense guided by deliberate planning, a defined strategic end-state and an adversary focus. By organizing and integrating the organization’s existing security operations, Active Defense can help reduce the number of successful targeted attacks and decrease the amount of time that intruders can operate before being ejected from the network.

[Sidebar] What are the benefits of an Active Defense?

• An agile operational cycle designed to help achieve rapid results and accelerate learning
• Cyber threat intelligence (CTI) analysis that helps yield new insights about adversaries or the enterprise and generates recommendations
• Active Defense missions focused on hunting or fortification
• Active Defense helps enhance but does not replace security monitoring and incident response

Enhancing your security operations with Active Defense | 15