Using Cyber Analytics to help you get on top of Cybercrime

Insights on governance, risk and compliance

Third-generation Security Operations Centers

Contents

Introduction
Why have Security Operations Centers needed to change?
How can Active Defense be driven by threat intelligence?
Can data science be integrated into security operations?
Conclusion

Introduction

Can using cyber analytics help you stay ahead of cybercrime?

In an increasingly online world, securing an organization’s digital assets is a key business concern. Cybersecurity is no longer regarded as a technical issue but is recognized as a fundamental business challenge for most organizations. As the threatscape continues to evolve rapidly in both sophistication and scale, the need to protect organizations’ intellectual property, operations, brand and shareholder value, in addition to their customers’ data, is ever more critical. Advancements in the security industry have not kept pace with today’s diverse set of threat actors; organizations therefore find themselves in a position where off-the-shelf products and traditional services are not sufficient to address the risk.

Indeed, there is a need for bolder strategies and innovation in cybersecurity. Preparing for known attacks is challenging enough. But how do organizations build controls for the security risks they don’t even know about yet?

Only 12% of organizations consider themselves very likely to detect a sophisticated attack.

Leading organizations are doing more than improving on their current state. They are seeking to expand their efforts — to take bolder steps — to combat cyber threats and to keep pace with, or even get ahead of, the cyber attackers. Rather than waiting for the threats to come to them, these organizations are leveraging threat intelligence to prioritize efforts that enhance visibility and enable an Active Defense through tailored monitoring, analytics, hunting and prompt detection for their most critical proprietary data and business systems.

In recent years, organizations have recognized the benefits of having a well-functioning Security Operations Center (SOC). These include enabling cybersecurity functions to respond faster, work more collaboratively and share knowledge more effectively.

46% of organizations do not have a SOC.

First generation SOCs tended to focus upon signature-based controls, such as antivirus and intrusion detection systems, allowing organizations to detect “known bad” artifacts associated with an attack. The second generation of SOCs heralded the advent of 24x7 operations in recognition that attackers don’t close for the day, even if your business does. EY is now seeing the emergence of the third generation of Security Operations Centers based around the development of professionally analyzed threat intelligence and cyber analytics to enable an Active Defense.

Leading organizations seek to leverage cyber analytics platforms built on large-volume data-processing architecture, or so-called “lambda architecture”. This architecture combines batch and real-time processing and enables anomaly detection capabilities based on mathematics and statistical modelling that can handle terabytes worth of data daily.

The third generation of security operations also facilitates proactive breach hunting, the integration of an enterprise cyber threat-management framework and the convergence of data science with security operations, enabling organizations to process large volumes of data for possible early indicators of compromise.

A key advantage to deploying a cyber analytics platform is its agility in using data science to speed up the ability to detect and respond to security incidents. This includes mechanisms to slow down the attackers through custom models that prevent them from replicating environments and learning to circumvent deployed controls.

All results shown in this report are based on Creating trust in the digital world: EY’s Global Information Security Survey 2015.


Why have Security Operations Centers needed to change?

What does a SOC do?

A well-functioning Security Operations Center can form the heart of effective detection. It can enable information security functions to respond faster, work more collaboratively and share knowledge more effectively.

This document is intended to provide the reader with insights into the evolving state of SOCs in the context of emerging cyber threats. For a more introductory overview of fundamental SOC principles, we recommend reading Security Operations Centers — helping you get ahead of cybercrime.

How SOCs keep up with the latest threats (survey responses):
• Our SOC has analysts that read and subscribe to specific open source resources: 50%
• Our SOC collaborates and shares data with others in our industry: 43%
• Our SOC has a paid subscription to cyber threat intelligence feeds: 41%
• Our SOC has dedicated individuals focusing solely on cyber threat intelligence: 31%
• Our SOC collaborates and shares data with other public SOCs: 29%
• None of the above: 10%
• Don’t know: 13%

In comparison with last year’s results, respondents to the 2015 survey recorded a marked increase in activity across all aspects of how their SOCs keep abreast of the latest threats. This indicates that organizations are making more concerted efforts to formalize and expand their SOC capabilities to better address emerging and increasingly sophisticated threats.

Only 51% of organizations with a SOC initiate an investigation within one hour of a discovered incident.

Only 23% consider their SOC to be tightly integrated with heads of business to regularly understand business concerns.

Third-generation SOC principles

While detecting signatures of known bad activities remains a relevant function of a SOC, third-generation SOCs have evolved to focus on identifying new threats for which no previous baseline has been observed. To achieve this capability, organizations need to integrate and align their various cybersecurity resources and investments, as outlined in the following guiding principles.

42% of organizations claim not to have had a significant incident.

• Integrated security operations
While organizations continue to significantly enhance their cybersecurity investments, threats continue to accelerate and outpace traditional security defenses and operational approaches. This causes many organizations to struggle to identify where to focus their investment and performance-improvement initiatives. Against this background, the need to establish richer context to aid operational and strategic cybersecurity decision-making is key. The third generation of security operations requires an enterprise-wide approach that integrates an organization’s various cybersecurity investments and activities.

• Enterprise cyber threat management framework
A third-generation SOC requires an enterprise cyber threat-management framework to be designed and fully integrated around key business needs. Leveraging an appropriate cyber threat-management framework allows an organization to align its cybersecurity objectives with the rapidly accelerating threat landscape, its business priorities and its risk appetite. Such frameworks also enable organizations to maximize individual cybersecurity investments that may have already been made across the organization.
[Figure: Enterprise cyber threat-management framework. Labels: Threat intelligence; Prioritized risks; Security monitoring; Vulnerability identification; Data and context; Incident response; Remediation; Reactive and proactive actions; Counter-measure planning; Complicate and detect; Decision enablement.]

• Third-generation security operations operating model
The third-generation SOC principles empower an organization to implement an operating model for its SOC that supports the organization’s wider cyber threat-management framework and seamlessly integrates all cybersecurity disciplines, including threat management, threat intelligence, vulnerability management and cyber analytics.

[Figure: Third-generation Security Operations Operating Model. Labels: Threat management/threat intelligence platform; Cybersecurity incident response; Detect; Hunt; Respond.]

Furthermore, these principles help an organization to define a set of clear improvement activities that are connected to achievable objectives. The team builds counter-measures, hunts hidden intruders and fortifies defenses based on real reporting about the behavior of real attackers. This enables decision-makers to connect resource deployment directly to measures of cybersecurity program effectiveness.

Instead of focusing on performance measures like “number of patches applied” and “number of tickets closed,” effectiveness is demonstrated via a decrease in successful targeted attacks and a decrease in the time required to discover and eradicate the attacks that were successful.

For further guidance on building an effective cybersecurity program, please refer to our Cyber Program Management — Identifying ways to get ahead of cybercrime report.


How can Active Defense be driven by threat intelligence?

Active Defense is a deliberately planned and continuously executed campaign to identify and eradicate hidden attackers and defeat likely threat scenarios targeting an organization’s most critical assets. It is an agile operational cycle designed to achieve rapid results and accelerate learning.

Cyber Threat Intelligence (CTI) analysis can yield new insights about adversaries or the enterprise and generate actionable recommendations that allow the Active Defense team to execute missions focused on hunting or fortification. It is key to note that Active Defense enhances but does not replace security monitoring and incident response.

Keeping pace with determined attackers requires constant research and the ability to translate business strategy into actionable intelligence, understanding what it is that makes the business successful and then applying the cyber lenses to understand:
• Who would want to attack the organization (e.g., nation-state, activists or cyber criminals)?
• What would the adversaries be after? Organizations must understand what their most critical business assets are.
• How would the adversaries try to attack the organization? This includes understanding what types of techniques they would use (e.g., phishing campaigns, social engineering, etc.). Organizations must track their adversaries’ strategic goals, technical tactics and motives.
[Figure: Typical attack life-cycle. Phases: Intelligence gathering; Initial exploitation; Command and control; Privilege escalation; Data exfiltration. Steps: Background research; Initial attack; Establish foothold; Enable persistence; Enterprise recon; Move laterally; Escalate privilege; Gather and encrypt data; Steal data. Example adversaries: Advanced Persistent Threat (APT) X; Organized crime Y; APT Z. Example assets: M&A plan; Priority 1 R&D; Executive comms; Priority 2 R&D; Industrial control systems (ICS); Payment card industry (PCI).]

• Highest-maturity SOCs have deeply embedded functional awareness of their organization’s high-value assets and external threat factors.
• They integrate threat intelligence, security monitoring, incident response and network and application vulnerability management to understand likely advanced attack paths and deploy counter-measures.
• By infusing the SOC with actionable threat intelligence, the organization maps the attackers’ likely paths and tactics, techniques and procedures (TTPs) to its most critical assets.

Step 1: Identify high-value assets and critical information
Step 2: Identify likely adversaries (intelligence/previous incidents)
Step 3: Identify likely courses of action for potential adversaries
Step 4: Leverage threat intelligence to identify tactics and preferred targets of the most dangerous/most likely adversary

[Figure: Leverage threat intelligence to identify tactics. For an example adversary (Organized crime Y, targeting Priority 1 R&D), rows of Tactics and Targets are mapped against each step of the typical attack life-cycle.]

Who or what do you consider the most likely source of an attack? (survey responses):
• Criminal syndicates: 59%
• Employee: 56%
• Hacktivists: 54%
• Lone wolf hacker: 43%
• External contractor working on our site: 36%
• State-sponsored attacker: 35%
• Supplier: 14%
• Other business partner: 13%
• Customer: 12%
• Other (please specify): 3%

Responses on the most likely sources of an attack have remained relatively static between 2014 and 2015. The key exception is in relation to more organized (and often more sophisticated) external actors such as criminal syndicates, state-sponsored attackers and hacktivists. This increased concern about skilled manual external attackers is consistent with a year that has seen several very high-profile and sophisticated Advanced Persistent Threat (APT) attacks. Organizations are increasingly aware of the need to address the threat posed by skilled manual adversaries and not just commodity malware.

Once organizations understand the business needs, risk appetite, industry-specific threat intelligence, threat-based security monitoring and vulnerability management, they need to map these to the kill chain. This provides the ability to see which types of attack techniques are used and the type of assets the attacker would target throughout the life cycle of the attack. With a well-mapped kill chain, organizations will be best placed to conduct counter-measure planning, hunting, anomaly analysis and more.

60% say that handling of serious incidents and evaluation is regularly presented to top governing structure in organization.

Active Defense does not replace traditional security operations capabilities. However, maximum effectiveness from an Active Defense program requires appropriate maturity levels in a range of competencies. These include security operations competencies, such as security monitoring and threat intelligence, in addition to activities such as asset identification and classification. By focusing on an Active Defense capability as a desired maturity level, decision-makers and security practitioners can engage in meaningful discussions about the steps for organizational improvement that will realize the benefits described herein.

Activities include:
1. Fortification
   a. Tailored counter-measures: leverage insight from the intelligence process to design and implement counter-measures that defeat specific threat scenarios
   b. Network reconnaissance: manual identification and validation of complex vulnerabilities and threat scenarios and the development of network situational awareness for decision-makers
2. Hunting
   a. Proactive forensics: focused investigation for anomalous and malicious activity that cannot be detected by automated security-monitoring tools
   b. Trapping and coercion: alter network and endpoint conditions to provoke a hidden attacker into engaging in malicious activity liable to be detected by targeted intensive monitoring

33% of organizations do not have a threat intelligence program.

Data and outputs from cyber analytics and threat intelligence enable Active Defense activities to take place — i.e., an effective Active Defense framework provides the “execution” element of cyber analytics and threat intelligence. It enables the definition of third-generation playbooks and use cases, to be leveraged by the data scientists for the creation of the models to identify and respond to cyber attacks.

36% of organizations have a formal threat intelligence program.


Can data science be integrated into security operations?

Data science, based on business-focused playbooks and identified use cases, can be leveraged to apply scoring to events, and combinations of events, in order to:
1. Produce continuous behavioral monitoring tools
2. Prioritize events for incident response and hunting
3. Provide agile response in the face of innovative attackers

Behavioral analytics for continuous monitoring

Leveraging analytics allows organizations to extract and present meaningful patterns from data. In the context of security, this has traditionally meant that rules and patterns can be extracted from past attacks and then matched against incoming data feeds.

With the evolution of the third generation of Security Operations Centers, behavioral analytics is extending previously accepted cyber analytics uses and capabilities by measuring the deviation from past behavior. Using statistical modeling, anomalies can be identified that indicate changes in behavior consistent with attackers.

A major advantage of behavioral methods is that they do not require evidence of past malicious behavior and can be self-learning. Turn them on, expose them to data, and they will start learning what is “normal” versus what is “abnormal.”

[Figure: Attack (kill) chain progression. Steps: Background research; Initial attack; Establish foothold; Enable persistence; Enterprise recon; Move laterally; Escalate privilege; Gather and encrypt data; Steal data. Scores shown along the chain: Probability that communication with attacker exists; Probability that reconnaissance behavior exists; Probability that privilege escalation behavior exists; Probability that email is malicious; Probability that exfiltration behavior exists; Probability that transversal behavior exists; Probability that programs or services are malicious; Probability that staging behavior exists.]

The difficulty lies in identifying rare behavior that is consistent with attacks, not just rare but benign behavior. This is where data science needs to borrow from operational knowledge, in the form of incident response and penetration testers, to make sure that the statistical questions are being asked of the right data, in the right way, to trigger awareness when a rare event is consistent with attack behavior. It is rare to find data scientists with the combination of cybersecurity experience and data modeling skills, which is why acquiring this as a service is the primary delivery mechanism for many organizations.

35% say a zero-day attack threat has been a high priority over the last 12 months.

By building statistical models to represent past behavior, organizations are beginning to score currently observed data and drive third-generation security-monitoring detection mechanisms. Sufficiently unusual events trigger alerts that are fed to dashboards or other reporting mechanisms to give to incident-response front-line detectors.

Statistical hunting

Leveraging analytics allows organizations to extract and present meaningful patterns from data. In the context of security, this has traditionally meant that rules and patterns can be extracted from past attacks and then matched against incoming data feeds.

61% of organizations say security testing is a medium or low priority.

[Figure: Statistical hunting. Labels: New model development; New continuous monitoring tool.]
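Added example (not from the EY report): a self-learning per-host baseline that scores deviation from past behavior, then ranks hosts by how many kill-chain stages show anomalies, so that a single rare but benign spike sorts below a combination of events consistent with attack progression. The feature names, the feature-to-stage mapping, the thresholds and the sample telemetry are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Kill-chain stages as named in the report's attack life-cycle figure.
KILL_CHAIN = [
    "Background research", "Initial attack", "Establish foothold",
    "Enable persistence", "Enterprise recon", "Move laterally",
    "Escalate privilege", "Gather and encrypt data", "Steal data",
]

# Assumption: which stage each telemetry feature is evidence for. This mapping
# is the operational knowledge supplied by responders and penetration testers.
FEATURE_STAGE = {
    "internal_hosts_contacted": "Enterprise recon",
    "admin_logons": "Escalate privilege",
    "outbound_mb": "Steal data",
}


class Baseline:
    """Self-learning model of one host's past behavior for one feature."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        # Welford's online update of mean and sum of squared deviations.
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x, min_samples=5, std_floor=1.0):
        if self.n < min_samples:
            return 0.0  # too little history to call anything abnormal
        std = math.sqrt(self.m2 / (self.n - 1))
        # The floor keeps a perfectly flat history from producing huge scores.
        return (x - self.mean) / max(std, std_floor)


class BehaviorMonitor:
    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.baselines = defaultdict(Baseline)  # (host, feature) -> Baseline

    def observe(self, host, features):
        """Score one day of telemetry for a host; return {stage: deviation}."""
        stages = {}
        for name, value in features.items():
            baseline = self.baselines[(host, name)]
            z = baseline.zscore(value)
            if z >= self.threshold:
                stage = FEATURE_STAGE[name]
                stages[stage] = max(stages.get(stage, 0.0), z)
            else:
                # Learn only from unflagged days so attack activity is not
                # absorbed into "normal" (a design choice of this example).
                baseline.update(value)
        return stages


def prioritize(alerts):
    """Rank hosts by distinct kill-chain stages flagged, then total deviation."""
    flagged = [(host, stages) for host, stages in alerts.items() if stages]
    flagged.sort(key=lambda hs: (len(hs[1]), sum(hs[1].values())), reverse=True)
    return [(host, sorted(stages, key=KILL_CHAIN.index)) for host, stages in flagged]


# Constructed sample telemetry (not real data): ten days of history replayed
# for each workstation, followed by the day being scored.
HISTORY = {
    "internal_hosts_contacted": [4, 5, 6, 5, 4, 5, 6, 5, 4, 5],
    "admin_logons": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0],
    "outbound_mb": [40, 55, 48, 52, 45, 50, 47, 53, 49, 51],
}
TODAY = {
    # One very rare event and nothing else, e.g. a large one-off upload.
    "ws-17": {"internal_hosts_contacted": 5, "admin_logons": 0, "outbound_mb": 900},
    # Smaller spikes, but in three stages that follow one another.
    "ws-23": {"internal_hosts_contacted": 60, "admin_logons": 6, "outbound_mb": 400},
    "ws-31": {"internal_hosts_contacted": 5, "admin_logons": 1, "outbound_mb": 52},
}


def run_demo():
    monitor = BehaviorMonitor()
    for day in range(10):
        for host in TODAY:
            monitor.observe(host, {f: v[day] for f, v in HISTORY.items()})
    alerts = {host: monitor.observe(host, feats) for host, feats in TODAY.items()}
    return alerts, prioritize(alerts)


if __name__ == "__main__":
    alerts, queue = run_demo()
    for host, stages in queue:
        print(host, stages, {s: round(z, 1) for s, z in alerts[host].items()})
```

ws-17 has the single largest deviation, yet ws-23 heads the queue because its anomalies span three stages of the chain.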

Continuous innovation

The innovation speed of adversaries is far higher than that of the defense. Previously unknown, or so-called zero-day, vulnerabilities are commonplace. Even more challenging is the fact that attackers need only to identify one new method of attack behavior to avoid detection, whereas defenders need to cover all possible concepts of operations — an impossible task. Defensive tools suffer from the need to undergo product sales cycles that are in the order of years to bring new methods to market. Finally, the underlying network technology is constantly changing underneath the defenders, with the advent of “Bring Your Own Device” and the Internet of Things (IoT). There is a need to accelerate defensive operations, and data science can help.

54% of organizations do not currently have a role or department focused on the impact of emerging technologies on information security.

Through interaction with hunting teams, incident responders and penetration testers, data scientists can rapidly deploy new methods for detection, acting directly on operational data to produce new continuous-monitoring tools and future indicators of attack. Organizations need to be able to ask thousands of questions of their data, determine which are effective and bring those rapidly into production.

Red teaming

The terms “red team” and “blue team” derive from traditional military war games: red teams are the attackers and blue teams are the defenders. In current cybersecurity usage, a red team is a group that actively challenges an organization to improve the effectiveness of its security via specific exercises that leverage techniques including penetration testing and social engineering, among others.

62% of organizations say that securing emerging technologies (e.g., cloud, virtualization, mobile) is a medium or low priority.

Such exercises should be undertaken regularly to monitor that both the organization as a whole and the platform architecture itself are secure from attack, using techniques similar to those exhibited by real attackers. Organizations need to ensure that any findings are fed back into the development life cycle for remediation.

Running red team versus blue team scenarios enables organizations to see how the cyber platform detects attacks and where opportunities exist to modify or build new detection models throughout the attack kill chain. Along with identifying potential blind spots within the network, this has the added benefit of training the new generation of hunters using controlled exercises. This is especially effective when a red team member is paired with the blue team, notifying the blue team of progress and validating detection.

Red team intelligence should be sourced from a variety of locations, including research papers, presentations and forums. By applying this information to the platform, an organization can determine how effective the cyber analytics are and whether there is a need for new models and anomaly-detection modules to be developed.

Red team attack tools and methodologies are evolving faster than defensive tools and methodologies, so pairing red team researchers with data scientists and blue team hunters rapidly reduces the time to generate new models and modules. The red team can simulate the new attacks within the network to validate platform detection.


Conclusion

Security Operation Centers can make your business safer in the digital world

The ever-changing threatscape of an increasingly digital world challenges the defensive capabilities of even the most mature organizations.

A well-functioning SOC can form the heart of effective defense and provide a safe environment for the business to deliver on its core strategic objectives.

We are witnessing the convergence of specialist skill sets from disciplines related to cybersecurity, data science and analytics into advanced SOC ecosystems, where the whole is greater than the sum of its parts.

The driver behind third-generation security operations is an integrated cyber threat-management program. It integrates and enhances the enterprise’s existing security capabilities to achieve greater effectiveness against persistent attackers through an Active Defense. By implementing and executing an iterative cycle with built-in mechanisms for continuous learning and improvement, powered by cyber analytics and threat intelligence, organizations can realize gains in efficiency, accountability and governance capabilities.

These gains translate directly into an improved return on investment for security programs by increasing the effectiveness of security operations and reducing the effectiveness of targeted attacks.

How can EY help?

Whether you are designing a SOC from scratch or improving your existing capabilities, EY can help you through every step of the journey.

Our approach of integrating threat intelligence, security monitoring, incident response and security analytics reflects the reality of detecting APT-style behaviour on your network, including endpoint threat detection and data exfiltration.

Threats continue to evolve; your SOC must too. Our services are designed to wrap experienced people and efficient processes around leading technologies to provide a business-focused SOC that can evolve with your organization’s needs and the changing threat landscape.

Questions for the board

• How confident are you that your organization is not currently compromised? How do you know?
• Do you have the right skills within your team to detect and respond to a targeted cyber attack?
• Are you maximizing the return on your cybersecurity investments by integrating them under an aligned common framework?
• Is your decision-making informed by accurate, intelligence-driven information?
• Is your SOC aligned with your business strategy to ensure focus is retained on high-value assets?

Want to learn more?

Insights on governance, risk and compliance is an ongoing series of thought leadership reports focused on IT and other business risks and the many related challenges and opportunities. These timely and topical publications are designed to help you understand the issues and provide you with valuable insights about our perspective.

Please visit our Insights on governance, risk and compliance series at:

• Creating trust in the digital world: EY’s Global Information Security Survey 2015
• Managed SOC: EY’s Advanced Security Center: world-class cybersecurity working for you
• Achieving resilience in the cyber ecosystem
• Reducing risk with Cyber Threat Intelligence
• Cybersecurity and the Internet of Things
• Cyber program management: identifying ways to get ahead of cybercrime
• Get ahead of cybercrime: EY’s Global Information Security Survey 2014
• There’s no reward without risk: EY’s global governance, risk and compliance survey 2015
• Unlocking the value of your program investments: How predictive analytics can help in achieving successful outcomes

If you were under cyber attack, would you ever know?

As many organizations have learned, sometimes the hard way, cyber attacks are no longer a matter of if, but when. Hackers are increasingly relentless. When one tactic fails, they will try another, until they breach an organization’s defenses. At the same time, technology is increasing an organization’s vulnerability to attack through increased online presence, broader use of social media, mass adoption of mobile devices, increased usage of cloud services, and the collection and analysis of big data.

Our ecosystems of digitally connected entities, people and data increase the likelihood of exposure to cybercrime in both the work and home environment. Even traditionally closed operational technology systems are now being given IP addresses, enabling cyber threats to make their way out of back-office systems and into critical infrastructures such as power generation and transportation systems.

For EY Advisory, a better working world means solving big, complex industry issues and capitalizing on opportunities to deliver outcomes that grow, optimize and protect our clients’ businesses. We’ve shaped a global ecosystem of consultants, industry professionals and alliance partners with one focus in mind — you.

Anticipating cyber attacks is the only way to be ahead of cyber criminals. With our focus on you, we ask better questions about your operations, priorities and vulnerabilities. We then work with you to find innovative answers that help you activate, adapt and anticipate cyber crime. Together, we help you deliver better outcomes and long-lasting results, from strategy to execution.

We believe that when organizations manage cybersecurity better, the world works better. So, if you were under cyber attack, would you ever know? Ask EY.

The better the question. The better the answer. The better the world works.

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit

© 2015 EYGM Limited. All Rights Reserved.
EYG no. AU3587
ED None

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

About EY’s Advisory Services

In a world of unprecedented change, EY Advisory believes a better working world means solving big, complex industry issues and capitalizing on opportunities to help deliver outcomes that grow, optimize and protect clients’ businesses.

Through a collaborative, industry-focused approach, EY Advisory combines a wealth of consulting capabilities — strategy, customer, finance, IT, supply chain, people and organizational change, program management and risk — with a complete understanding of a client’s most complex issues and opportunities, such as digital disruption, innovation, analytics, cybersecurity, risk and transformation. EY Advisory’s high-performance teams also draw on the breadth of EY’s Assurance, Tax and Transaction Advisory service professionals, as well as the organization’s industry centers of excellence, to help clients deliver sustainable results.

True to EY’s 150-year heritage in finance and risk, EY Advisory thinks about risk management when working on performance improvement, and performance improvement is top of mind when providing risk management services. EY Advisory also infuses analytics, cybersecurity and digital into every service offering.

EY Advisory’s global connectivity, diversity and collaborative culture inspire its consultants to ask better questions. EY consultants develop trusted relationships with clients across the C-suite, functions and business unit leadership levels, from Fortune 100 multinationals to leading disruptive innovators. Together, EY works with clients to co-create more innovative answers that help their businesses work better.

The better the question. The better the answer. The better the world works.

With 40,000 consultants and industry professionals across more than 150 countries, we work with you to help address your most complex industry issues, from strategy to execution.
To find out more about how our Risk Advisory services could help your organization, speak to your local EY professional or a member of our global team, or view:

Our Risk Advisory Leaders are:

Global Risk Leader
Paul van Kessel, +31 88 40 71271

Area Risk Leaders
Americas: Amy Brachio, +1 612 371 8537
EMEIA: Jonathan Blackmore, +971 4 312 9921
Asia-Pacific: Iain Burnet, +61 8 9429 2486
Japan: Yoshihiro Azuma, +81 3 3503 1100

Our Cybersecurity Leaders are:

Global Cybersecurity Leader
Ken Allan, +44 20 795 15769

Area Cybersecurity Leaders
Americas: Bob Sydow, +1 513 612 1591
EMEIA: Scott Gelber, +44 207 951 6930
Asia-Pacific: Paul O’Rourke, +65 8691 8635
Japan: Shinichiro Nagao, +81 3 3503 1100