CRS Company Overview - Feb 6 2017
Security and Compliance Practice
Our Core Team Has Implemented Security Projects in Fortune 500 Companies
Finance and Insurance: MassMutual (GRC: Governance, Risk Management and Compliance; Enterprise Security, Risk and Compliance)
Technology: Cisco Systems (ISO 27001 Security, Cloud Security, SaaS Security)
Manufacturing: Toyota Motor (Enterprise IT Security and Compliance)
Finance and Mortgages: Fannie Mae (Risk Management & Enterprise Security Solutions)
Finance and HealthCare: TransUnion (PCI DSS Security and Compliance)
Retail Sector: TJ Maxx / TJX (Security Breach Remediation & PCI DSS Security)
Travel: Carlson Wagonlit Travel (Enterprise Security and PCI DSS Security and Compliance)
Health Care System: Siemens Healthcare (PCI DSS Security, SAP System Security & Tokenization)
Health Care System: Blue Cross Blue Shield (Web Application, PCI DSS Security & HIPAA Security)
Banking Sector: World Bank (PeopleSoft Security and HIPAA Security)
Banking Sector: Wells Fargo / Wachovia Bank (PCI DSS, Enterprise Security and Web Application Security)
Finance and Healthcare: Principal Finance, Bank and HealthCare (PCI DSS, HIPAA, IBM z/OS Security and Enterprise Risk Management)
IT Security: EMC / RSA Security (Security Breach Remediation & Enterprise Security Risk)
Legal and Storage Service: Iron Mountain / Stratify (SAS 70, ISO 27001 and PCI DSS Security)
Cyber Radar Systems
Security Breaches
Cost of Security Breaches
Average cost per record: $197
Average cost per security breach: $23 million
10% of companies experience a security breach within a year
TJX Security Breach
Number of credit cards stolen: 45 million
Cost per record: $197
Total cost: ~$9 billion (45 million records × $197)
So far TJX has spent ~$5 billion
Security Products, Security & Compliance Services
Avoid security breaches and security fraud
Prevent hackers from attacking systems and networks
Protect brand image
Secure company confidential, personal and customer sensitive data
Comply with HIPAA, ISO 27001 or PCI DSS (credit card data security) requirements
Conduct enterprise-wide risk assessments to identify security risks and issues
Is Company Data Secure?
• What Is Confidential Data?
– Customer Data: Social Security numbers, credit card numbers, bank account numbers, etc.
– Financial Data: sales revenue, profit or loss, etc.
– Manufacturing Data: intellectual property, patents, etc.
– Government Data: classified / confidential documents
The Industry Security Problem
• Any company using IT systems can be hacked
• We hear almost every day about security breaches at enterprises: financial companies, retail stores, manufacturing companies, government, insurance, etc.
What to Protect? CIA Triad - The Three Principles of Information Security
• Confidentiality of Data – no unauthorized access
• Integrity of Data – no unauthorized modification
• Availability of Systems – 99.999 % uptime
Security Products, Security & Compliance Services
1. Security Products
2. Security Services
3. Audit and Compliance Services
4. Staffing and Recruitment
5. Security Training
Security Products
1. Data Loss Prevention (DLP)
• Endpoint DLP (available) • Email DLP (in progress) • Network DLP (in progress) • Storage DLP (in progress) • Mobile DLP (in progress)
• Competitors: Symantec Vontu, Websense, McAfee, EMC, etc.
Security Products (In the Pipeline)
2. SIEM (Security Information and Event Management)
Phase I: log monitoring of UNIX / Linux systems
Phase II: log monitoring of Windows systems, etc.
Competitors: IBM, ArcSight, Splunk, etc.
Security Products (In the Pipeline & Future)
3. IoT (Internet of Things) (Automobile Security)
4. Identity and Access Management (Future)
5. Mobile Security (Future)
Security Consulting Services
Security Gap Assessment
Security Configuration Standards
Encryption Key Management
Identity and Access Management
Security Architecture Review
Enterprise Security Metrics
Security Threat Controlling Strategies
Security Testing Services
Vulnerability Scan & Management
Penetration Testing ( Ethical Hacker Testing)
Application Security Testing
Security Monitoring Services
Security Information and Event Management (SIEM)
Digital Forensics
Data Loss Prevention (DLP)
Audit and Compliance Services
Gap Assessments
PCI DSS Security Compliance
SOX IT Audit
HIPAA Compliance
Third Party Vendor Risk Assessments
ISO 27001 Security Audit
SAS 70, SOC 1, SOC 2 and SOC 3 Audits
Due Diligence ( Merger and Acquisitions)
Remediation
SaaS Models
Application Security
Ethical Hacker Testing
Security Testing
SOC Monitoring
SOC (Security Operation Center) (Future): 24×7 Security Monitoring (ArcSight, Splunk, IBM QRadar, RSA enVision, etc.)
Vulnerability Scan and Security Testing
Penetration / Ethical Hacker Testing (Black, White and Grey Box Testing)
Application Security Testing (Static Code Analysis, Dynamic Application Testing)
SaaS Models (Security Products)
On Shore / Off Shore Model
Provide security solutions
Provide resources to implement the solutions
Conduct compliance and audits
Training (Security and Compliance)
Security Awareness Training
Security Solutions (Security Architecture, Design and Solutions)
PCI DSS Compliance
Vulnerability Management / Vulnerability Testing
Ethical Hacker: Certified Ethical Hacker (CEH) Training Course
Security Tools: all security tools (ethical hacking, pen testing, vulnerability management, WAF, DLP, SIEM tools, etc.)
Staffing and Recruitment
Get the requirements for any kind of IT and IT security job
Place the candidates with our clients
Core Security & Compliance Practice
• Security Gap Assessment
• Vulnerability Scan
• Penetration Testing
• Application Security Testing
• Log Monitoring (SIEM, Security Information and Event Management)
• DLP (Data Loss Prevention)
Use Cases and Key Projects
• TJMAXX (After Security Breach)
• PCI DSS Compliance Certification
• Audit and Legal Expenses
• Total Spend : $5 B so far
Use Cases and Key Projects
• TransUnion
• Project: PCI DSS Compliance Security
• Program Management
• Project Cost: $24 million
• Project Duration: 1½ - 2 years
• Project Managers: 7
• Total Resources: 45
Use Cases and Key Projects
• EMC / RSA (after the security breach of RSA two-factor authentication tokens)
• Project Name: Enterprise Risk Assessment
• Cost of the Project: $12 million
Security Gap / Risk Assessment
Security Gap Assessment (identifying gaps or security issues): compare the Current State with the Desired State; the difference is the set of gaps, risks or security issues.
Conduct a "Gap Analysis" to identify security issues or gaps.
• Security Gap Assessment Process
Conduct security gap assessment
Identify the security issues
Recommend security solutions
Provide resources to implement the solutions
Conduct compliance and security audits
Application Security Assessment
Application Security Testing Categories: • Black Box • Grey Box • White Box
Application Security Testing Methods: • Static Code Analysis (static code review) • Dynamic testing (web applications, black-box testing) or penetration testing • Manual code review
Application Security Testing Process
Run application security scan
Review the results
Identify the false positives
Provide practical recommendations
Work with programmers to mitigate the issues
Re-run the scan to validate the issues
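The process above ends with a re-scan whose purpose is to validate remediation, and the "identify the false positives" step only pays off if those decisions survive into the re-scan. The following is an added example (not Cyber Radar Systems' tooling) of how that triage can be done mechanically: the Finding format, the sample baseline and re-scan findings, and the false-positive list are all constructed for illustration and would normally be loaded from a scanner's export.

```python
"""Scan triage for the application security testing process: compare a
baseline scan with the re-scan run after remediation, and carry the reviewer's
false-positive decisions across runs so they are not re-reported.

Added example, not Cyber Radar Systems' tooling. The Finding format, the
sample findings and the false-positive list below are constructed for
illustration; a real run would load them from a scanner's export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule / vulnerability class, e.g. "sql-injection"
    location: str   # where it was flagged: URL + parameter, or file:line
    severity: str   # "high", "medium" or "low"

    @property
    def key(self):
        # A finding is "the same" across scans when rule and location match;
        # severity is deliberately excluded so a re-rated finding still matches.
        return (self.rule, self.location)


# Constructed baseline scan (first run against the application).
BASELINE = [
    Finding("sql-injection", "/search?q", "high"),
    Finding("reflected-xss", "/profile?name", "high"),
    Finding("missing-hsts", "/", "low"),
    Finding("sql-injection", "/reports?id", "high"),
]

# Constructed re-scan after the developers worked on the findings.
RESCAN = [
    Finding("reflected-xss", "/profile?name", "high"),   # still present
    Finding("sql-injection", "/reports?id", "high"),     # the known false positive
    Finding("open-redirect", "/login?next", "medium"),   # new since the baseline
]

# Findings the reviewer confirmed as false positives during results review.
# Each entry records why, so the suppression is auditable rather than silent.
FALSE_POSITIVES = {
    ("sql-injection", "/reports?id"): "id is cast to int by the framework before the query",
}


def triage(baseline, rescan, false_positives):
    """Classify findings as fixed, still_open, new or suppressed.

    Suppressed entries are excluded from every other bucket: a false positive
    that disappears from the re-scan is not counted as "fixed".
    """
    base = {f.key: f for f in baseline}
    rerun = {f.key: f for f in rescan}
    fixed = [f for k, f in base.items() if k not in rerun and k not in false_positives]
    still_open = [f for k, f in rerun.items() if k in base and k not in false_positives]
    new = [f for k, f in rerun.items() if k not in base and k not in false_positives]
    suppressed = [f for k, f in rerun.items() if k in false_positives]
    return {
        "fixed": sorted(fixed, key=lambda f: f.key),
        "still_open": sorted(still_open, key=lambda f: f.key),
        "new": sorted(new, key=lambda f: f.key),
        "suppressed": sorted(suppressed, key=lambda f: f.key),
    }


def validation_passed(result, blocking=("high",)):
    """Re-scan gate: passes only when no unsuppressed finding at a blocking
    severity remains, whether it survived from the baseline or is new."""
    return not any(f.severity in blocking for f in result["still_open"] + result["new"])


if __name__ == "__main__":
    result = triage(BASELINE, RESCAN, FALSE_POSITIVES)
    for bucket, findings in result.items():
        print(bucket)
        for f in findings:
            note = FALSE_POSITIVES.get(f.key, "")
            print(f"  [{f.severity}] {f.rule} at {f.location}" + (f"  ({note})" if note else ""))
    print("validation passed:", validation_passed(result))
```

Two design points matter in practice: the false-positive list is keyed on rule and location rather than on a scanner-assigned finding ID, because IDs change between runs, and the gate looks at new findings as well as surviving ones, since a remediation that introduces a fresh issue should not pass validation.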
Penetration Testing Services
Establish Goal
Information Gathering
Vulnerability Analysis
Penetrate the System
Risk Assessment
Reports and Recommendations
Third Party Vendor Security Risk Assessment
Vendor Onboarding Process → Third Party / Fourth Party Vendor Risk Assessment → Contract and Legal Agreement
Security incidents attributed to third- and fourth-party vendors: 28% (figure as presented on the slide; no source cited)
Registration of Vendors
Short List the Vendors
Conduct third party risk assessment
Identify the gaps
Provide practical recommendations
Work with the vendor to mitigate the issues
Re-test and validate the implemented controls
ISO 27001 Security Assessment
Identify the scope
Conduct gap assessment
Identify the areas of non-compliance
Recommend policies and controls to meet the compliance requirements
Create the ISMS (Information Security Management System) manual
Work with the team to implement the security policies and controls
Test & validate the implemented requirements
Vulnerability Management
Summer Cyber-Security Workshop, Lubbock, July 2014
1. DISCOVERY
2. ASSET PRIORITISATION
3. ASSESSMENT (Scanning)
4. REPORTING
5. REMEDIATION
6. VERIFICATION
Security Configuration Standard Service
Security Configuration Standards
Enterprise Security Metrics & Conformance (Executive Dashboard Report)
1. System Metrics & Conformance
2. Application Metrics & Conformance
3. Endpoint Metrics & Conformance
4. Network Metrics & Conformance
5. Perimeter Metrics & Conformance
Security Threat Controlling Strategies
• Identify Security Threat Metrics
Example: blocked and allowed security threats.
• Recommend Security Threat Controlling Strategies
Example: evaluate and recommend the signatures that should be blocked instead of allowed (signatures that still fire in detect/allow mode on high-severity threats).
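As an added example of the two bullets above (threat metrics, then a controlling strategy derived from them), the following script is not a Cyber Radar Systems product: it tallies blocked versus allowed events per IPS signature, computes the "critical and high threats block percentage" the deck later lists as a perimeter metric, and lists the high-severity signatures still running in allow mode. The `key=value` event format and the sample events are constructed; a real IPS exports its own format, so only parse_event() would need adapting.

```python
"""Security threat metrics from IPS/IDS events: per-signature blocked vs
allowed counts, the block percentage for critical/high threats, and the list
of signatures still running in detect/allow mode that should be switched to
block.

Added example, not a Cyber Radar Systems product. The key=value event format
and the sample events below are constructed; a real IPS exports its own
format, so parse_event() is the only part that needs adapting.
"""
from collections import defaultdict

# Constructed sample events. The last line is deliberately malformed.
SAMPLE_EVENTS = """\
2017-02-06T10:01:12Z sig=S1001 name=sqli_union_select sev=high action=block src=198.51.100.7
2017-02-06T10:01:40Z sig=S1001 name=sqli_union_select sev=high action=block src=198.51.100.7
2017-02-06T10:02:03Z sig=S2002 name=webshell_upload sev=critical action=allow src=203.0.113.5
2017-02-06T10:02:09Z sig=S2002 name=webshell_upload sev=critical action=allow src=203.0.113.5
2017-02-06T10:02:15Z sig=S2002 name=webshell_upload sev=critical action=block src=203.0.113.9
2017-02-06T10:03:00Z sig=S3003 name=icmp_sweep sev=low action=allow src=192.0.2.44
2017-02-06T10:03:01Z sig=S3003 name=icmp_sweep sev=low action=allow src=192.0.2.44
2017-02-06T10:04:30Z sig=S4004 name=ssh_bruteforce sev=high action=allow src=203.0.113.5
2017-02-06T10:04:31Z sig=S4004 name=ssh_bruteforce sev=high action=allow src=203.0.113.5
this line is not an event and must be skipped
"""

REQUIRED = ("sig", "sev", "action")


def parse_event(line):
    """Parse one 'timestamp k=v k=v ...' line; return None for malformed lines."""
    fields = {}
    for token in line.split()[1:]:
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    if not all(k in fields for k in REQUIRED) or fields["action"] not in ("allow", "block"):
        return None
    return fields


def summarize(lines):
    """Aggregate events per signature: name, severity, allowed and blocked counts."""
    summary = defaultdict(lambda: {"name": "", "sev": "", "allow": 0, "block": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue            # malformed lines are skipped, not fatal
        entry = summary[ev["sig"]]
        entry["name"] = ev.get("name", entry["name"])
        entry["sev"] = ev["sev"]
        entry[ev["action"]] += 1
    return dict(summary)


def block_percentage(summary, severities=("critical", "high")):
    """Perimeter metric: share of critical/high threat events that were blocked."""
    allowed = sum(e["allow"] for e in summary.values() if e["sev"] in severities)
    blocked = sum(e["block"] for e in summary.values() if e["sev"] in severities)
    total = allowed + blocked
    return round(100.0 * blocked / total, 1) if total else 100.0


def recommend_block(summary, severities=("critical", "high")):
    """Controlling strategy: signatures at the given severities that still let
    traffic through (allow > 0), most permissive first."""
    candidates = [(sig, e) for sig, e in summary.items()
                  if e["sev"] in severities and e["allow"] > 0]
    candidates.sort(key=lambda item: (-item[1]["allow"], item[0]))
    return [sig for sig, _ in candidates]


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS.splitlines())
    for sig, e in sorted(s.items()):
        print(f"{sig} {e['name']:<18} {e['sev']:<8} allow={e['allow']} block={e['block']}")
    print("critical/high block percentage:", block_percentage(s))
    print("switch to block:", recommend_block(s))
```

On the constructed sample the block percentage for critical/high threats is 42.9% and S2002 (partially enforced) and S4004 (never blocked) are the signatures to move from allow to block; the low-severity ICMP sweep signature is left alone, which is the point of filtering the recommendation by severity rather than by raw hit count.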
SOC Monitoring Services (On Shore / Off Shore)
Log Monitoring Service
Event Correlation (identify key security issues)
Alerts and Escalation
Incident Response
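The four service lines above form a pipeline (log monitoring, event correlation, alert and escalation, incident response). As an added example that is not Cyber Radar Systems' SIEM, here is a small correlation rule over sshd log lines: a burst of failed passwords from one source raises an alert, and a successful login from that same source right after the burst escalates it, which is the case that should go straight to incident response. The log lines are constructed in the usual syslog layout; syslog carries no year, so 2017 is assumed for timestamp ordering.

```python
"""Event correlation for SOC log monitoring: detect an SSH password-guessing
burst from one source and escalate when a login from that source succeeds
right after the burst (alert -> escalate -> incident response).

Added example, not Cyber Radar Systems' SIEM. The sshd log lines below are
constructed in the usual syslog format; syslog carries no year, so the year is
assumed to be 2017 for timestamp ordering.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SSH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: a 5-attempt burst followed by a success from 203.0.113.5,
# a slow trickle from 198.51.100.9, and an unrelated cron line.
SAMPLE_LOG = """\
Feb  6 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  6 10:00:05 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Feb  6 10:00:09 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51251 ssh2
Feb  6 10:00:13 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51262 ssh2
Feb  6 10:00:17 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51270 ssh2
Feb  6 10:00:25 web1 sshd[2106]: Accepted password for root from 203.0.113.5 port 51288 ssh2
Feb  6 10:00:30 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Feb  6 10:02:00 web1 sshd[2150]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Feb  6 10:05:00 web1 sshd[2151]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Feb  6 10:09:00 web1 sshd[2152]: Failed password for bob from 198.51.100.9 port 40003 ssh2
"""


def parse_ssh(line, year=2017):
    """Return a dict for sshd password-auth lines, None for anything else."""
    m = SSH_LINE.match(line)
    if not m:
        return None
    # Collapse the double space in "Feb  6" before parsing; year is assumed.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
    return {"at": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def correlate(lines, threshold=5, window_seconds=60):
    """Sliding-window correlation keyed on source IP.

    - 'alert' when the number of failures from one source inside the window
      reaches `threshold`;
    - 'escalate' when a successful login follows such a burst, which is the
      case that should go straight to incident response.
    """
    events = [e for e in map(parse_ssh, lines) if e]
    events.sort(key=lambda e: e["at"])
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for e in events:
        recent = failures[e["src"]]
        while recent and (e["at"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # drop failures that fell out of the window
        if e["outcome"] == "Failed":
            recent.append(e["at"])
            if len(recent) == threshold:   # fire once per burst, not on every extra attempt
                alerts.append({"level": "alert", "rule": "ssh_bruteforce", "src": e["src"],
                               "host": e["host"], "user": e["user"], "at": e["at"],
                               "failures": len(recent)})
        elif len(recent) >= threshold:
            alerts.append({"level": "escalate", "rule": "ssh_bruteforce_success", "src": e["src"],
                           "host": e["host"], "user": e["user"], "at": e["at"],
                           "failures": len(recent)})
            recent.clear()          # the burst has been escalated; start a fresh window
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['at']:%H:%M:%S} {a['level']:<8} {a['rule']} src={a['src']} "
              f"user={a['user']} failures={a['failures']}")
```

The threshold and window are the tunables an analyst adjusts per environment; the slow trickle from 198.51.100.9 stays below the default threshold but would be caught with a longer window, which is the usual trade-off between catching low-and-slow guessing and drowning the SOC in alerts.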
Security Design and Architecture Solutions
Security Architecture & Security Requirements
Compliance / Legal Requirements
Industry Best Practices
Encryption, Cryptography and Key Management Service
Encryption: • Data at Rest • Data in Use • Data in Transit
Symmetric Encryption: • symmetric (shared) key
Asymmetric Encryption (PKI): • public key • private key
Information Security Policies, Standards and Practices
Enterprise Information Security Policy (EISP)
Issue-Specific Security Policy (ISSP)
Systems-Specific Policy (SysSP)
Create and Implement Security Policies, Standards and Processes
1. Acceptable Use Policies
2. IT Security Risk Management Policy
3. Third Party Connectivity Management Policy
4. Information Classification Policy
5. Workforce Security Responsibilities Policy
6. Security Awareness and Training Policy
7. Physical and Environmental Controls Policy
8. Wireless Policy
9. Removable Media Policy
10. Remote Access Policy
11. Backup and Recovery Policy
12. Anti-Virus Policy
13. Change Management Policy
14. Information Handling Policy
15. Firewall/Router Policy
16. Computer Modem/Facsimile Use Policy
17. Monitoring and File Integrity Policy
18. Mobile Computing Policy
19. Desktop Computer Security Policy
20. Access Control and Password Management Policy
21. Secure Development and Support Policy
22. Software Installation/Download Policy
23. Encryption and Key Management Policy
24. Patch Management Policy
25. Vulnerability Management Policy
26. Incident Response Policy
27. Disaster Recovery Policy
28. Business Continuity Policy
29. Service Provider Policy
30. Data Retention and Disposal Policy
31. Compliance Audit Policy
Creation and Implementation of Security Policies (31 Policies)
Security Products/Tools Development
Data Loss Prevention (DLP)
Log Monitoring and Event Correlation Tools
IoT (Automobile Security)
Design and Implementation of Security Tools
Monitoring of Systems (event correlation tools)
Data Loss Prevention / Content Filtering
Vulnerability Testing (Qualys, Rapid7, etc.)
Penetration Testing / Ethical Hacking
File Integrity Monitoring
DDoS Mitigation
Endpoint Protection (FireEye)
Thanks
Application Security Assessment
Initial Scoping
Once the initial order has been received, the next stage is to carry out the initial scoping. At this stage the application access information is provided by the customer, along with any authentication credentials that are required to perform the security assessment.
Information Gathering
In the passive information gathering stage we examine the application's general and business logic. Business logic flaws in the application can also lead to serious security issues. At the end of this phase we should understand all the access points (gates) of the application (e.g. HTTP headers, parameters and cookies).
Security Assessment
In this phase we perform the assessment of the application using manual and automated processes, depending on the information gathered.
Result Analysis
In this phase we analyze the results to weed out false positives and check for false negatives, to make sure that the application has been tested properly.
Reporting
Once all of the assessment data has been collected and analyzed, the next phase is to create two reports for the customer. The reports contain the details of each vulnerability and a screenshot as proof of concept (POC).
Types of Application Security Testing
Application Security Testing:
• Dynamic Application Testing – tools used: Acunetix, AppScan, Burp Suite Pro
• Static Code Analysis – tools used: Fortify, Checkmarx, Veracode
• Manual Testing – tool used: Burp Suite
• Automated Testing
Testing Methods: Black Box, White Box, Grey Box
Use Cases and Key Projects
• Wells Fargo / Wachovia
Catalogue of Security Services
Compliance, Audit, Risk and Governance: PCI DSS Security Compliance, IT Audit, Third Party Vendor Risk Assessments, Due Diligence (Mergers and Acquisitions), Disaster Recovery & Business Continuity, GLBA Audit, Threat Assessment, ISO 27001 Security Audit, SAS 70 / SOC 1 / SOC 2 / SOC 3 Audits, SOX IT Audit
Security Consulting: Security Risk or Gap Assessment, Vulnerability and Patch Management, Penetration Testing, Web Application Security, Cloud Security, Security Configuration Standards (System Hardening Standards), SIEM (Security Information and Event Management), Security Incident Response Plan, Forensic Investigation Process
Other Areas: Access Control, Security Policies / Standards / Processes and Tools, Security Architecture and Solutions, Security Design & Integration, Identity & Access Management, Encryption and Key Management, File Integrity Monitoring, Data Loss Prevention, DDoS Mitigation
Security Products, Services & Compliance Services: Security Products, Security Services, Audit and Compliance Services, Training (Security and Compliance)
Enterprise Security Metrics
System Conformance
• Encryption of Databases
• Code-scanning of MM developed Applications
• Security Gateway Coverage for Web Services
Application Conformance
• Encryption of Databases
• Code-scanning of MM developed Applications
• Security Gateway Coverage for Web Services
Perimeter Conformance
• Perimeter Firewall - Critical and High Threats Block Percentage
• Malware Scanning of Email Attachments
• (D)DoS Use Case Coverage
Endpoint Conformance
• Network Access Control (NAC) Coverage
• Mobile-Devices Monitoring Coverage
• End-point Encryption (Laptops and Desktops)