Each year, the CSO50 awards honor 50 security projects and initiatives that have delivered groundbreaking business value through the innovative application of risk and security concepts and technologies. Here are the 2015 winners:
1. Marketing Cloud Implementation
Adobe Systems Inc.
Digital media software and marketing company Adobe needed to implement a highly scalable, highly available host-based intrusion detection and system monitoring system to shorten the time it takes operations and engineering teams to detect vulnerabilities, anomalies and breaches.
In 2014, Adobe implemented a software-defined security platform for centralized monitoring of system level changes and network events for its marketing cloud platform. The platform gives its teams improved insight into the various marketing clouds’ products and services, helps network operations automate security controls and ensures compliance with internal security rules. The platform also alerts network operations of anomalous activity, non-compliance with security controls and rules, or other suspicious activities. Today the platform monitors more than 35,000 systems on multiple operating systems.
2. International Third-Party Governance, Risk and Compliance Management
ADP Streamline International Business Unit uses an international network of specialist payroll processing partners that provide services to multinational companies, and the area covered by these partners has grown from 30+ countries in 2008 to 100 countries in 2014. While the business unit has the overall liability as primary contractor for the payroll service by coordinating the partner network, the partners are responsible for the delivery of local services.
The International Third Party Governance, Risk and Compliance Management Program was started to ensure that partners are compliant with the payroll service, IT and international security standards, and to motivate them to improve their level of risk and service quality as part of a continuous improvement process.
From July 2012 to June 2013, 18 on-site audits were performed at different ADP Streamline partners around the world. Some 303 findings were highlighted on a three-level risk scale, and 293 remediation actions to solve the identified issues were agreed between ADP and partners. By June 2014, 199 actions were closed, representing a 70% risk reduction.
3. Protecting Against Global Power Company Threats
Global power companies like AES have become a major focus for targeted cyber attacks and are among the top five most targeted sectors worldwide. The AES global cybersecurity program was formed to govern and manage cybersecurity risk for its diverse portfolio of distribution businesses and facilities across 20 countries. As part of its implementation of the NIST Cybersecurity Framework, AES identified an opportunity to improve its global defense architecture by implementing an advanced threat protection solution to complement its existing defenses.
After piloting the program, AES calculates that it could avoid tens of millions of dollars in IT operational costs for security monitoring and incident handling alone by implementing the solution globally. This estimate is only the tip of the iceberg, as it will also help avoid costs of lost productivity of AES people due to downtime, forensics, potential financial losses, stolen intellectual property, reputational damage, or legal liability.
4. Industry-leading Trusted Email Program
In 2014, insurance provider Aetna implemented a Trusted Email Program that provides a new level of brand protection in the industry. The program leverages standard email protocols that support authentication and policy enforcement to drive removal of fraudulent emails from the Internet that appear to be coming from Aetna.
Aetna used email authentication to associate a clear sender identity with outbound email. Next, a domain-based message authentication, reporting and conformance (DMARC) policy was implemented to help reduce the potential for email-based abuse, such as spoofing and phishing.
In June 2014, the program identified a malicious email botnet campaign targeting a medical management company of Aetna. The domain supporting this company was targeted by malicious email sources to send false pharmaceutical advertisement emails to customers. A review of the email headers clearly identified this mail as fraudulent and potentially harmful to the Aetna brand.
With DMARC policy security controls enabled, about 188,000 emails were blocked from delivery in the first three days of enforcement, and 597,000 in 45 days.
5. Securing Nuclear and Radiological Material in Healthcare Facilities
Atlantic Health System
Radioactive materials are often used in healthcare facilities for medical diagnoses and cancer treatment. Homeland Security’s concerns about the possible theft or detonation of nuclear and radiological material prompted Atlantic Health System to partner with the National Nuclear Security Administration’s Global Threat Reduction Initiative and Domestic Threat Reduction Program to implement advanced technology and procedures to secure this material.
With the help of NNSA and various security vendors, AHS installed a radiation detection system, intrusion/tamper detection system, CCTV system, remote monitoring system, duress alarms, access control and emergency power with redundant monitoring locally and off-site 24/7. It also included new procedures, training and response personnel.
Since the end of 2013 when the program was implemented, 12 attempts have been made to infiltrate both the Cancer Center's HDR Room and laboratory blood irradiator locations by the AHS infiltration testing team, known as “Red Cell.” All attempts so far have failed.
6. The Condor Physical Security Project
Baker Hughes Inc.
There is consensus in the oil industry about the need to actively reduce risk exposure, avoid potential incidents and quickly mitigate the impact of realized incidents. The goal is to move beyond managing operations and into building trust in operations through a risk-based, intelligence-led methodology.
To that end, oil field services company Baker Hughes created the Condor project to develop a centrally managed physical security command and control capability. The team was tasked to design and implement this capability by leveraging the latest in Physical Security Information Management (PSIM) technologies and combining that with existing standard operating security procedures. The first phase of the project already resulted in $1 million of annual savings for operations. Beyond the savings and improvement in procedures, this capability has also allowed Baker Hughes to improve facility utilization and management and create a foundation for further monitoring capabilities beyond security.
7. GRC Access Control System
Bharat Aluminum Company Ltd. (BALCO)
Indian aluminum producer BALCO recognized that proper segregation of duties and access control over key information assets are among the most effective safeguards for the sound corporate oversight required by regulatory mandates around the world, such as the Sarbanes-Oxley Act. So the company implemented an SAP GRC 10.0 Access Control system to enhance security at the access control level. The system gives the company real-time analysis of segregation of duties and sensitive access violations.
8. Shifting the security paradigm
The Blackstone Group LP
Over the last two years, the global investment and advisory firm has fundamentally shifted from a preventative, detective and reactive security program to one that's built with less focus on prevention and more focus on visibility, intelligence and response.
The information risk-security approach balances prevention with enhanced visibility, intelligence and response. The framework is based on four key principles: Keep current and think ahead, constantly monitor the environment to detect and prevent threats, understand the flow of information to respond effectively, and educate employees on threats and prevention. These principles are combined with tools that detect threats, aid in investigation and containment, facilitate forensics and eventually direct remediation efforts.
Since 2013, the firm has experienced a 93.75% drop in compromised systems, largely due to better visibility into its environment and the understanding of who is attacking the firm and why.
9. Detecting Advanced Cyber Threats with Real-time Big Data Visualization Solutions
Blue Cross Blue Shield of Illinois, Texas, New Mexico, Montana, Oklahoma
BCBS through its subsidiaries sought to protect its customers' data against a rapidly evolving cyber threat landscape, so the health insurer decided to pursue research and funding for a project that would address advanced threat detection by visual means.
The insurer deployed operational intelligence software to help improve its security posture. The software combines search and discovery capabilities with analytics on data generated by IT systems, or machine data, and provides insight that helps determine the efficiency of the systems that support the business.
The project has helped BCBS detect previously unknown types of cyber threats and active threats through visualization and real-time mining of historical data. It also aided with HIPAA compliance by improving the insurer’s incident detection and response capabilities.
10. Safely and Securely Unlocking Social Media
Blue Cross Blue Shield of North Carolina
To increase brand value, create robust social strategies, and improve customer relationships in a rapidly changing marketplace, Blue Cross Blue Shield of North Carolina organized its “Social Media: Employee Access Project.” Prior to the project, the company's key concerns about social media were data loss and network utilization. So the organization embarked on a strategy to incorporate not only critical technology requirements, but also broad education and awareness that recognize appropriate use of social media at work. Through updated data loss prevention technology along with computer-based training, user guides, and revised policies, the project has safely and securely provided employee access to social media, which is now a critical tool in many areas of the company and is changing how it does business.