CIRT A Balanced Approach



AccessData Group


The Shift to Integrated Incident Response Capabilities White Paper

A Pioneer in Digital Investigations Since 1987


Table of Contents

Introduction
Incident Response Standards
Scenarios
AccessData® Cyber Intelligence and Response Technology (CIRT)—The New Paradigm
Conclusion


2 : The Shift to Integrated Incident Response Capabilities


Introduction

Despite increased regulation, oversight and spending, corporate and government organizations continue to see an increase in cyber security breaches. According to the October 2011 GAO Information Security report [1], there has been a 650% increase in federal government security incidents over the last five years. Corporate incidents have also gone up, not only because of the infiltration of mobile devices, both corporate-owned and employee-owned, but on conventional computers as well. In an interview on March 28, 2012, Shawn Henry, the FBI's executive assistant director, stated that the US is not winning the battle of keeping hackers away from corporate networks [2]. Historically, organizations have relegated incident response and remediation to a disparate array of tools used and managed by different teams, teams unable to easily collaborate because of the number of different tools in use. This is analogous to trying to bake a single cake using five different bakers, each with a different recipe. Alone they will all get you "a" cake, but not the same cake. Given the increase in the number of attacks and exploits, the time is right to break down the barriers between teams, optimize response and collaboration across internal incident response boundaries, and enable integration among the teams tasked with protecting the organization. A new approach is needed, one that involves not just new technologies but a whole paradigm shift in the approach organizations take toward cyber security.


In a June 2010 article in the DoD blog, Armed with Science, head of US Cyber Command, General Alexander, stated the need for the new paradigm, “…we have been leaning forward and building an organization and a mission alignment that is more integrated, synchronized and effective….” “Integrated, synchronized and effective” must extend beyond people and processes to include the technology deployed to carry out incident response and create an approach that empowers all of an organization’s security experts to collaborate and seamlessly hand information off to one another in order to reduce response time and cost.


Incident Response Standards

To effectively identify and address security incidents, seven standard incident response capabilities are needed. These capabilities are the same regardless of the size of the organization or the people, processes and technology in place.

1. Network forensics
2. Monitoring
3. Host forensics
4. Malware analysis
5. Data auditing
6. Collaboration and reporting
7. Remediation

Most organizations tackle each of these capabilities with a variety of different tools run by different teams, such as the incident response team, information assurance team, network security team, compliance team, and computer forensics team. Correlating the intelligence gathered with these different tools among these different teams is largely a manual—and often hit-and-miss—process; one that slows time-to-remediation and future prevention.



[Figure: Traditional approach versus paradigm shift. The diagram shows the Compliance, Computer Forensics, Network Security, Incident Response and Information Assurance teams under each approach.]

Traditional approach: Point solutions don't provide a true 360-degree view of what is happening across the organization.

Paradigm shift: Integrated analysis in a single platform with built-in remediation.


What's needed is a way to quickly and easily merge the needed capabilities into an interface and communication flow that can be used by and shared among all teams, creating a highly effective, collaborative incident response flow that keeps each team's expertise working for the organization while opening a pathway of information exchange that shortens the time to full remediation and prevents recurrence. What's needed is a way to integrate all seven incident response requirements into a single cyber intelligence and response platform that works within existing IT infrastructures and delivers visibility, integration, automation and collaboration.

Scenarios

Historical Scenario—Infected Word File in E-Mail

An e-mail is received within the organization. The e-mail includes an attachment, one that looks like an innocent Word file. The file contains a virus that doesn't launch immediately, so the end user innocently forwards it on to a handful of colleagues. The process repeats itself. Eventually, the virus starts wreaking havoc on valuable corporate assets: end users' computers and their productivity. The incident response team responsible for suspicious e-mails identifies the offending e-mail and fixes the first few users' computers. But, unbeknownst to them, the e-mail has already been forwarded and deleted, with the infected file left behind and even copied to a corporate share. The team responsible for suspicious e-mails doesn't get around to telling the other incident response teams for a while. The team that would find and wipe the offending file from computers, servers and network drives doesn't learn for over a week that they need to act. In the interim, thousands of hours of productivity have been wasted on downed computers and time to remediate, over and over again.


The New Paradigm—Infected Word File in E-Mail

In the new paradigm, where people, processes and technology are integrated, the team responsible for suspicious e-mail uses the same interface as the team responsible for wiping bad files. The e-mail team can triage the infected computer, identify the suspicious behaviors and quickly track the problem to the file and the e-mail that contained it, while they continue working to fix affected computers. An alert has shown the team responsible for wiping bad files that the infected Word file is bad news, and they immediately batch wipe it from every computer, server and drive in the network, including those currently off the network the minute they log back on, and stop the offending process. Thousands of hours of productivity are saved. They can even search the network for keywords contained in the file in case someone renamed it, and wipe those files as well.

Historical Scenario—Binary with Sandbox Avoidance Capabilities Makes It onto the Network

A file comes from a vendor over the ftp site. It's infected, and like any file coming on to the network it is sandboxed. But the offending binary was built to disguise itself when sandboxed. It passes through the sandbox and ends up on several machines before the bad executable begins to do damage.

The New Paradigm—Binary with Sandbox Avoidance Capabilities Never Makes It onto the Network

The file is triaged because it includes some suspicious attributes. It is suspicious enough that it is automatically placed into stage two analysis, where parts of the code are run without the entire executable being run. This gives the initial incident response team insight into the file and its capabilities. They quickly pass it along to the escalation team, who identify the file's full intent, wipe it from the network and prevent it from ever entering the network again.


[Figure: Malware analysis workflow. Callouts from the diagram:]

Scan a system or image for executable binaries.

through network or host analysis are automatically given a threat score.

Basic and advanced disassembly extracts arguments to determine what the binary is capable of doing.

Interact with the results to perform deeper analysis.

Set a threat score threshold: if threat ≥ 30, the binary is automatically sent to stage two analysis.

Users can feed signatures into forensics software to catch threats as they come in the front door.

Note: Malware analysis is happening on the agent.

The value from the user perspective.
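The threshold routing in the diagram above (a threat score, and anything scoring 30 or more goes to stage two analysis) can be sketched in a few dozen lines. The following is an added example, not AccessData's code or scoring model: the indicator strings, their weights, the 7.0 bits-per-byte entropy cutoff and the three sample blobs are constructed assumptions for illustration; only the "threat ≥ 30 sends to stage two" rule comes from the paper, and the criteria names (high entropy, crypto, dynamic loading) echo the intrusion alert sidebar later in the paper.

```python
import math
import random
from collections import Counter

# Indicator strings and weights are assumptions of this example, chosen to
# mirror the criteria the paper names (crypto, dynamic loading, high entropy).
INDICATORS = {
    "crypto": ([b"CryptEncrypt", b"CryptDecrypt", b"CryptAcquireContext"], 10),
    "dynamic_loading": ([b"LoadLibraryA", b"GetProcAddress"], 10),
    "anti_analysis": ([b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent"], 15),
}
HIGH_ENTROPY_BITS = 7.0   # bits per byte; packed or encrypted payloads sit near 8.0
HIGH_ENTROPY_WEIGHT = 20
STAGE_TWO_THRESHOLD = 30  # the "threat >= 30" threshold quoted in the paper


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def score_binary(blob: bytes) -> dict:
    """Score one binary and decide whether it is routed to stage two analysis."""
    hits, score = [], 0
    ent = shannon_entropy(blob)
    if ent >= HIGH_ENTROPY_BITS:
        hits.append("high_entropy")
        score += HIGH_ENTROPY_WEIGHT
    for name, (needles, weight) in INDICATORS.items():
        if any(needle in blob for needle in needles):
            hits.append(name)
            score += weight
    stage = 2 if score >= STAGE_TWO_THRESHOLD else 1
    return {"entropy": round(ent, 2), "score": score, "indicators": hits, "stage": stage}


def constructed_samples() -> dict:
    """Three constructed blobs standing in for scanned executables."""
    rng = random.Random(1)  # deterministic so the example is reproducible
    packed = bytes(rng.randrange(256) for _ in range(4096))  # looks packed/encrypted
    return {
        "plain_text": b"Quarterly report: revenue grew modestly. " * 100,
        "loader_only": b"Quarterly report. " * 50 + b"LoadLibraryA\0GetProcAddress\0",
        "packed_with_api": packed + b"LoadLibraryA\0GetProcAddress\0CryptEncrypt\0",
    }


def triage_all(samples=None) -> dict:
    """Score every sample; the caller can then act on the 'stage' field."""
    samples = samples if samples is not None else constructed_samples()
    return {name: score_binary(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name}: score={result['score']} entropy={result['entropy']} "
              f"indicators={result['indicators']} -> stage {result['stage']}")
```

Only the third sample crosses the threshold: high entropy plus two API families gives a score of 40, so it would be handed to the stage two analysis the paper describes, while the text file with loader strings alone scores 10 and stays in stage one.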

AccessData® Cyber Intelligence and Response Technology (CIRT)—The New Paradigm

The new paradigm, where people, processes and technology integrate and collaborate, is made possible by AccessData® Cyber Intelligence and Response Technology (CIRT). CIRT allows all incident response teams to detect and quickly and effectively analyze a threat from multiple vantage points and perform thorough remediation by allowing teams to achieve:


Increased Intrusion Detection and Decreased Recovery Time

Incident response teams can more quickly validate alerts and decipher event logs with real-time visualization of network traffic, as well as integrated correlation of associated host data. Even when signature-based solutions fail, organizations can detect threats through automated enterprise scanning, as well as graphic illustration of network communication flows to identify anomalous behavior. When a potential threat is detected, responders can drill down into suspect nodes and see what is happening in real time, along with automated threat scores of binaries. An integrated platform will then do automated disassembly and data flow analysis of suspect binaries to determine behavioral intent. This allows for the detection and validation of malicious code without waiting for another team to perform heuristics or dynamic analysis.


[Figure: Built-in analysis. Caption: Finally, after scanning to identify all affected computers, batch remediation can be performed.]

Continuous Monitoring, Even When Assets Aren't Logged On to the Network

Unlike other network monitoring solutions, the integrated AccessData platform isn't blinded when a laptop user leaves the network. Integrated host-based network forensics technology allows everything leaving from and coming onto a laptop (disconnected node) to be recorded. In addition, the platform monitors files being copied to or from removable media.

Detection and Remediation of PII and Classified Spillage

By performing regularly scheduled automated audits of the enterprise, organizations can detect spillage that DLP (data leakage protection) solutions routinely miss. Once spillage is detected, integrated network and host analysis allows information assurance (IA) teams to identify the origin of the spill, how it happened, as well as all other compromised assets. Finally, IA teams are able to perform batch wiping when policies allow.
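A minimal form of the scheduled spillage audit described above, as an added example that is not part of the paper and not AccessData's code: it scans constructed file contents for the classification markings the paper's sidebar mentions ("eyes only", "top secret") and for card numbers that pass the Luhn check, then attaches the action a policy table permits for each finding, mirroring the "batch wiping when policies allow" point. The policy table, the file paths and their contents are assumptions.

```python
import re

# Marking terms come from the paper's sidebar; the policy table, file paths
# and contents below are constructed for this example.
MARKING_TERMS = ("eyes only", "top secret")
# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
POLICY = {"pan": "wipe", "classified_marking": "flag_for_review"}

SAMPLE_FILES = {
    "finance/notes.txt": "Customer paid with card 4111 1111 1111 1111 on Monday.",
    "hr/memo.txt": "This memo is EYES ONLY for directors. Top Secret project names follow.",
    "public/faq.txt": "Call 1234567890123 for support; order id 9999-8888.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_text(path: str, text: str) -> list:
    """Return one finding per marking term or Luhn-valid card number in text."""
    findings = []
    lowered = text.lower()
    for term in MARKING_TERMS:
        for m in re.finditer(re.escape(term), lowered):
            findings.append({"path": path, "kind": "classified_marking",
                             "match": term, "offset": m.start()})
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Record only the last four digits so the audit log is not itself a spill
            findings.append({"path": path, "kind": "pan",
                             "match": "****" + digits[-4:], "offset": m.start()})
    return findings


def audit_files(files=None, policy=None) -> list:
    """Audit every file and attach the remediation action the policy permits."""
    files = files if files is not None else SAMPLE_FILES
    policy = policy if policy is not None else POLICY
    results = []
    for path, text in files.items():
        for finding in audit_text(path, text):
            finding["action"] = policy.get(finding["kind"], "report_only")
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in audit_files():
        print(f"{f['path']}: {f['kind']} {f['match']!r} at offset {f['offset']} -> {f['action']}")
```

The Luhn check is what keeps the 13-digit support number in the FAQ file out of the report, and the per-kind policy lookup is where an IA team would encode which findings may be wiped automatically and which only flagged.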


A Proactive Approach to Addressing Internal Threats

Incident response and IA teams can proactively scan for unauthorized applications and access. The ability to correlate data at rest with data in motion allows these teams to determine the behavior and intent of an employee, and built-in remediation allows unauthorized applications to be removed or disabled. Once a potentially malicious insider has been identified, personnel are able to monitor all the suspect's actions on and off the network, including use of removable media.

Achieving a Collaborative, Synchronized Environment

Integrated cyber-intelligence and response technology creates a collaborative ecosystem, providing different views into the network environment, tailored to suit the needs of the various teams using the solution. Multiple responders and analysts can be permitted to log in to the platform to work an incident simultaneously and to report real-time status and metrics up and down the chain of command.

[Figure: Integrated Platform shared by the Compliance, Computer Forensics, Network Security, Information Assurance and Incident Response teams. Scenario callouts from the diagram:]

TRAVELING EXECUTIVE: The executive's laptop checks in at intervals to be scanned for anomalies, all of which are recorded, including network and USB activity. Remote monitoring helps identify any instance of IP theft.

CLASSIFIED DATA SPILLAGE: The organization proactively audits using terms such as "eyes only" and "top secret." All instances are flagged for removal in accordance with policies.

CREDIT CARD INFORMATION REPORTED: The help desk is called and alerted that an employee discovered credit card information in an unsecured location. The company reactively conducts a PCI audit to locate exposed cardholder information. Instances are wiped. Findings are reported.

INTRUSION ALERT: Unauthorized port 443 traffic. Visualize communications and drill down into the suspect host. Perform behavioral forensic analysis. Honeypot avoidance, crypto, dynamic loading, high entropy and other criteria indicate malware. The batch remediation function is leveraged.

ADVANCED MALWARE AND ZERO-DAY DETECTION: Proactive monitoring enables the identification of malicious code behaviors across multiple computers. Perform differential analysis of volatile data, then malware analysis and threat scoring. Analysis reveals malicious processes. Scan the large enterprise for the defined processes and/or similar behavior and issue batch remediation. Monitor for recurrence.

Integrated analysis offers value across the organization and decreases recovery time.



Conclusion

Integration should be a priority in all three parts of a cyber-security program, people, processes and technology, and the right technology can facilitate an integrated, collaborative approach among the various teams and their processes, while facilitating a far more effective information security program. CIRT, from AccessData, makes it possible.


About AccessData Group

AccessData Group has pioneered digital investigations and litigation support for more than 25 years. Its family of stand-alone and enterprise-class solutions, including FTK, SilentRunner, Summation and the CIRT security framework, enable digital investigations of any kind, including computer forensics, incident response, e-discovery, legal review, compliance auditing and information assurance. More than 100,000 users in law enforcement, government agencies, corporations and law firms worldwide rely on AccessData software solutions and premier digital investigation and hosted review services. AccessData is also a leading provider of digital forensics and litigation support training and certification. accessdata.com

References

[1] Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements, United States Government Accountability Office Report to Congressional Committees, Oct. 2011, http://www.gao.gov/assets/590/585570.pdf

[2] The Wall Street Journal, http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html?mod=djemalertNEWS

Copyright © 2012 AccessData Group, LLC. All rights reserved.