CSO50 2015

CSO50 winners announced


21. Security Event Management Centre – A single cyber-infrastructure view
Government of New Brunswick

In 2012, the Canadian Province of New Brunswick created a Security Event Management Centre in the Office of the CIO to paint a single cyber-infrastructure picture for the province, standardize on processes and equipment, and streamline expenses.

To do this, the deputy CIO and director of information assurance conducted a gap analysis based on self-assessments by public bodies, reports from audit/comptrollers, their own Threat and Risk Assessments and a series of third-party assessments.

From that assessment they built a series of controls, choosing the items most likely to provide a positive impact on the province's security posture. The SEMC was the cornerstone of that program, meeting a serious need for tactical identification and response, while providing a big data foundation on which to build the rest of the pieces, such as the governance, risk and compliance, and information assurance programs.

The Centre has reduced alerts that require desk-side action by 96%, from 80 per month to three, and reduced labor costs by $110,000 annually.

22. Reducing Endpoint Attack Surface
GrafTech International Ltd.

Java-based malware infections were vexing IT staff at GrafTech International, representing its biggest productivity loss. To fight back, the manufacturer virtualized Java for accessing Java content using Microsoft App-V, and removed Java from 90% of its workstations. The remaining workstations that still needed Java to run locally had Java disabled in the main browser. This lowered the company's malware infection rate by 60% and lowered the number of systems that required re-imaging by 80%.

App-V also solved another IT problem of supporting multiple versions of Java running in the environment and the challenge of keeping them patched. GrafTech has a business need for two older versions of Java, so IT created icons just for them and advertised them to only the people who need them.

Today, Java can be updated from just one location. What’s more, removing Java from 90% of its endpoints has eliminated Java-based disruptions to the business.

23. Locally Hosted Security Information and Event Management with Co-Managed Security Services
Health Management Systems Inc.

HMS protects over 400 million patient records and faces many compliance requirements from HIPAA, FISMA and GLBA. Internal security staff was able to review log data during business hours, but HMS also had to prove that the information was being monitored 24x7x365. Lacking the internal resources, HMS needed to outsource.

HMS chose an SIEM and a managed service provider, which provided HMS with complete access to the product in their own environment, and the capability to manage the SIEM on their own should they choose to later.

HMS was also required to have agents installed on every system in the environment that must be kept up to date to allow systems to continue communicating with the SIEM -- a large maintenance investment that HMS was able to pass on to the service provider.

Though difficult to put a price on, the greatest impact of this project, leaders say, is risk reduction, protecting customer data and meeting stringent compliance requirements.

24. Taking Back the Cloud
Honeywell International Inc.

Honeywell’s IT team suspected that tech-savvy business units were taking cloud services into their own hands. The team believed that employees were either signing deals or using free cloud services to solve business problems, yet there was no proof. Meanwhile, the CEO wanted to see IT supporting employees wherever they chose to do business, through mobile and cloud technologies.

With these two challenges, Honeywell’s security team deployed software that looked into Honeywell's cloud exposure and gave them the data they needed to make cloud decisions, reduce risk and enable employees. The data allows IT to weigh risks and trust across at least 50 security attributes so that they can customize their own appetite for risk and security around each cloud service and deliver services in high demand.

Today, stakeholders within Honeywell can negotiate with IT for services in demand, manage licenses and avoid redundant services.

25. Advancing Threat Intelligence and Incident Response
IDT Corp.

Telecom provider IDT Corp. always touted exceptional incident response and remediation processes by traditional standards. But with the speed and variety of today’s threats, its 30-minute window of exposure and 12-hour manual response time were far from ideal.

IDT needed a solution that reduced their response times and made more effective use of their existing information security infrastructure and security personnel.

They turned to a solution that helped them expand their network, endpoints and malware analysis capabilities, and moved beyond containment to automated remediation.

The platform, alerted by the SIEM system about a possible incident, immediately and automatically isolates the system so that it's only able to communicate with the platform – taking about 30 seconds. It then automatically performs full memory and disk acquisition, and enables enterprise scanning to identify all compromised nodes during a security incident and perform comprehensive batch remediation.

Today, the time it takes to isolate, gather forensic data, analyze malware and remediate has dropped from 12 hours to 2.5 hours for IDT.

26. NAGS Access Governance Suite
Johnson & Johnson

Johnson & Johnson’s process for granting and monitoring access rights to the company’s IT resources traditionally involved passing around multiple spreadsheets.

The company had invested in an IDM system to automate and capture access approvals, but it only handled the initial approvals. So they added an access governance suite and developed a system that is internally referred to as the NAGS Access Governance Suite. NAGS automates most of the review process, from the gathering of the data through the review and on to revocation of those access rights.

One big challenge with identity-access management is that all of the access rights are expressed in technical jargon extracted from the different platforms. The NAGS team worked with application owners to get descriptions of the access granted in a language that business people understood.

The automation enabled J&J to quadruple the scope of what is reviewed with no increase in staff and a significant reduction in reviewer effort.

27. Secure File Transfer and Portal Project
Joseph Decosimo and Co. PLLC

Communicating electronically with customers is vital for Joseph Decosimo and Company, a regional CPA firm with more than 300 employees in 10 offices across the southeast and in Grand Cayman. Collaboration with mobile and tech-savvy internal teams and clients in an easy and secure manner is critical, as is remote "anywhere, anytime" access to data files and documents.

So the firm revamped its aging portal with a secure file transfer platform that provided a safe method of transferring and requesting files while exceeding its clients' desire for an easily navigable portal. The firm replaced its existing platform with data rooms for team and client collaboration, electronic collaboration areas and a short-term client portal.

With the new portal and file transfer system in place, the firm has a self-maintaining secure portal for clients and its workforce. It facilitates both the transmission and the request of files securely and quickly, gives clients a secure method to transfer documents and dramatically reduces Help Desk calls.

28. EngageZone

In the pharmaceutical and life science industry, research and development are keys to success, yet the R&D life cycle increasingly relies on collaboration with geographically dispersed external partners across clinical research organizations, academia, investigators, government agencies and healthcare providers. To achieve objectives, these external organizations and users need access to Merck systems, applications, data, and employees, and vice versa.

To succeed in this environment, Merck required a cloud-based solution that would enable them to share information and applications with hundreds of companies without risking their intellectual property or network security. They developed EngageZone — a highly secure portal that not only accelerates progress, but also has saved more than $3 million in IT operations cost.

29. Creating Sustainable Risk-based IT Assessment Processes

The current volume and frequency of the risk assessment processes were no longer in line with MetLife's risk-based approach. It came up with a strategy that allows MetLife to perform viable due diligence security reviews for new projects, reduce the effect of assessment fatigue on its vendors and internal teams, and create a sustainable recertification program for existing projects.

Also, to align with the breadth and depth of this assessment strategy, MetLife created a sustainable, risk-based IT assessment process to review projects while introducing a means to forecast its assessment review process.

Today, IT risk has been able to plot the course of action over the next four years. Business partners understand what level of effort will be needed over the course of this timeframe, allowing them to allocate budgetary numbers early in the annual cycle to account for small or large increases in assessments.

30. Project Safe Mobility

Brazilian online sporting goods retailer Netshoes is 100% digital, so it is constantly looking to improve the security barriers and confidentiality features of its systems to avoid information leaks and theft.

One area of concern was smartphone use by the executive team. A smartphone left in a taxi, for instance, can represent a significant risk to the company. Project Safe Mobility was developed to provide a security layer in every situation when the executive team wants to access corporate information using a mobile device, even BYOD.

This project involved a mix of policies, processes and security tools intended to protect the executive team, which handles the most sensitive information in the company, against hackers, virus infection and theft or loss of their devices – whether cell phones, tablets or laptops.

The project was implemented in 10 months ending May 1, and so far Netshoes has zero mobile incidents reported to its information security team.
