CSO50 2017: A step ahead of the threats

The CSO50 awards honor innovative security projects that demonstrate thought leadership and outstanding business value.


Each year, the CSO50 awards honor organizations for a security project or initiative that demonstrates innovation and outstanding business value in security. Winners will be recognized in a ceremony that will take place at the CSO50 Conference + Awards, on May 1-3, 2017 at The Scottsdale Resort at McCormick Ranch in Scottsdale, Ariz. Below is the list of our 2017 winners.

Voya Financial
Proof of information security

The financial services industry’s information security practices are under tight scrutiny by auditors, regulators, clients and vendors. Voya Financial faced increasing challenges to provide security information and evidence to these groups in an efficient manner while maintaining quality and consistency.

Voya implemented a tool called GEAR (Guidance for Evidence, Artifacts and Responses), a highly searchable database for internal auditors that provides accurate and current information, and gives Voya an end-to-end view of its control posture and compliance with policy.

Prior efforts to create the database focused primarily on the questions that auditors might ask. Different auditors could word the question differently, resulting in individualized responses. The new approach focuses on the answers – taking the position that controls are what they are. If Voya understands the control being asked about, it can supply the answer quickly and easily.

Project leaders say the tool has sparked a significant culture change within the audit response team as it moves away from “reacting to audits” to proactively reporting on the effectiveness of controls.

Viewpost
Cagey – Financial Crime Insight Mapping

Knowing good customers from cybercriminals is key for any financial institution. The security, fraud and financial crimes teams at B2B payment platform Viewpost developed software, called Cagey, that analyzes all customers based on their risk, financial crime status and relationships with other companies. The software then shows which customers the company may want to watch, remove from the platform, or allow to continue transacting business.

The Viewpost team created a unified financial crime platform that graphically displays all customers and their risk score on the platform, their relationship with other vendors and buyers, their association with bad customers tied with improper transactions, their association with fraudsters, and those who have been taken off the platform. All cyber, fraud, anti-money laundering, and other company risk data is pulled together, analyzed and displayed in color format so that the company can predict who is at risk of committing a financial crime or who is already a fraudster.

As a result, the graphical display map has cut down fraud and is beating banks in reporting this information by two to three days.

USAA
Identity and Access Management Lifecycle Management

At insurance company USAA, many events over a worker’s career can affect the type and level of access they have to company information – a promotion, termination or a move to another department. These manual changes often took five days to implement, not to mention the time needed to ensure that these changes wouldn’t impact customer service.

The Identity and Access Management (IAM) Lifecycle Management program established automated processes to create new worker accounts and provide basic accesses immediately, to monitor and react to transfers that occur within the organization, and to ensure that terminated worker accounts are quickly disabled.

USAA workers are now productive within minutes of on-boarding, and workers do not retain privileged accesses when they transfer from one position to another.

When a worker is terminated, the system automatically removes privileged accesses in near real-time; it does the same when an employee transfers from one role to another.

Today the five-day, manual IAM process has been reduced to less than 15 minutes.
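The joiner/mover/leaver pattern the USAA program describes can be illustrated in code. The following is an added example, not USAA's implementation: the role baselines, the HR event schema (type, worker_id, role) and the account model are all constructed for illustration. The point it demonstrates is that a transfer re-baselines the account to the new role rather than adding to the old one, so privileged entitlements cannot be carried along, and a termination disables the account and strips every entitlement in the same pass; a reconciliation check confirms nothing privileged survived.

```python
"""Joiner / mover / leaver automation for a small identity store.

Added example: the role baselines, HR events and account model below are
constructed for illustration and are not USAA's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role-to-entitlement baselines: what a role is entitled to on day one.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "claims-adjuster": {"email", "vpn", "claims-app:read", "claims-app:write"},
    "claims-lead": {"email", "vpn", "claims-app:read", "claims-app:write",
                    "claims-app:approve-payout"},
    "it-helpdesk": {"email", "vpn", "ad:password-reset"},
}
# Entitlements treated as privileged; none of these may survive a transfer.
PRIVILEGED = {"claims-app:approve-payout", "ad:password-reset"}


@dataclass
class Account:
    worker_id: str
    role: str
    enabled: bool = True
    entitlements: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)


class IdentityStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def joiner(self, worker_id: str, role: str) -> Account:
        """Hire: create the account and grant the role baseline immediately."""
        acct = Account(worker_id, role, entitlements=set(ROLE_BASELINE[role]))
        acct.audit.append(f"created; granted baseline for {role}")
        self.accounts[worker_id] = acct
        return acct

    def mover(self, worker_id: str, new_role: str) -> Set[str]:
        """Transfer: re-baseline to the new role so nothing is carried over.
        Returns the entitlements that were revoked."""
        acct = self.accounts[worker_id]
        target = ROLE_BASELINE[new_role]
        revoked = acct.entitlements - target
        granted = target - acct.entitlements
        acct.entitlements = set(target)
        acct.role = new_role
        acct.audit.append(f"moved to {new_role}; revoked {sorted(revoked)}; "
                          f"granted {sorted(granted)}")
        return revoked

    def leaver(self, worker_id: str) -> Set[str]:
        """Termination: disable the account and strip every entitlement."""
        acct = self.accounts[worker_id]
        revoked = set(acct.entitlements)
        acct.entitlements.clear()
        acct.enabled = False
        acct.audit.append(f"disabled; revoked {sorted(revoked)}")
        return revoked

    def apply_event(self, event: Dict[str, str]) -> None:
        """Dispatch one HR feed record (constructed schema: type, worker_id, role)."""
        kind = event["type"]
        if kind == "hire":
            self.joiner(event["worker_id"], event["role"])
        elif kind == "transfer":
            self.mover(event["worker_id"], event["role"])
        elif kind == "terminate":
            self.leaver(event["worker_id"])
        else:
            raise ValueError(f"unknown HR event type: {kind}")


def carried_over_privileges(store: IdentityStore) -> Dict[str, Set[str]]:
    """Reconciliation check: privileged entitlements a worker holds that the
    current role baseline does not grant. Expected to be empty after every run."""
    out: Dict[str, Set[str]] = {}
    for acct in store.accounts.values():
        extra = (acct.entitlements & PRIVILEGED) - ROLE_BASELINE[acct.role]
        if extra:
            out[acct.worker_id] = extra
    return out


def run_feed(events: List[Dict[str, str]]) -> IdentityStore:
    store = IdentityStore()
    for ev in events:
        store.apply_event(ev)
    return store


# Constructed HR feed: a lead is hired and later moved to a non-approving role;
# a helpdesk worker is hired and then terminated.
SAMPLE_FEED = [
    {"type": "hire", "worker_id": "w1001", "role": "claims-lead"},
    {"type": "hire", "worker_id": "w1002", "role": "it-helpdesk"},
    {"type": "transfer", "worker_id": "w1001", "role": "claims-adjuster"},
    {"type": "terminate", "worker_id": "w1002", "role": ""},
]

if __name__ == "__main__":
    s = run_feed(SAMPLE_FEED)
    for a in s.accounts.values():
        print(a.worker_id, a.role, "enabled" if a.enabled else "disabled", sorted(a.entitlements))
    print("carried-over privileges:", carried_over_privileges(s))
```

The reconciliation function is the part worth keeping even when the provisioning itself is done by a commercial IAM product: run periodically against the live directory, it catches the entitlement that was granted by hand outside the workflow and never revoked.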

United Nations International Computing Centre
UNICC Continuous Security Improvement Suite

In 2013, the United Nations acknowledged that information technology has helped advance its ability to bring peace, prosperity and dignity to the world. The next challenge was to explore how the United Nations family could protect those gains and create a more secure cyber environment.

The UNICC Continuous Security Improvement Suite project began in late 2014 to deliver on those goals. The project has four components. One ICTbox is a rapidly deployable modular infrastructure for UN field offices with built-in security controls. Common Secure is a cyber security information-sharing and threat analysis community network. Common Connect allows UN agencies to collaborate and share information assets. Information Security Governance and Operations offers information security advisory support and operational solutions for smaller UN agencies to implement and manage ISMS standards and processes.

UNICC’s information security solutions have enabled partner agencies to share information security resources and have reduced the cost of building solutions from scratch for all UN agencies.

United Airlines
Bug Bounty Program

United Airlines manages over 93 million Mileage Plus accounts containing hundreds of millions of miles. Customers’ miles are valuable not only to them, but also to malicious outsiders intent on stealing and converting the miles to other products, such as travel or consumer electronic equipment.

To stop the cyber thieves, United invited the world’s most creative and skilled white hat hackers to its Bug Bounty program, which offers compensation in the form of miles to those who find and report security bugs on United.com and other web properties before the bad guys do. The program has proven to be a rapid method to identify highly difficult-to-discover code defects, and for a modest cost to United.

The program’s success is measured more by cost avoidance as opposed to ROI, according to United. With the average cost of a data breach at about $154 per record lost, United says that creative approaches such as the Bug Bounty program are required to manage risk and reduce potential costs, while providing enhanced protections for United customers.

TransUnion
Enterprise Security Ratings Platform

As a service provider to many financial institutions, insurance companies, health care organizations and government agencies, TransUnion's information security program is constantly being evaluated.

To meet customers’ stringent requirements, TransUnion launched its Enterprise Security Ratings Platform, which gathers terabytes of data from security sensors around the world and provides insight to indicators of compromise, infected machines, improper configuration, poor security hygiene and harmful user behavior. The data is analyzed to determine the severity, frequency and duration of incidents and then mapped to known networks, resulting in an overall security rating for each selected organization.

The ratings provide continuous insight into each organization's security posture and are used in TransUnion's third-party security program, self-assessment exercises, security benchmarking, and mergers and acquisition activities.

The platform has resulted in improved security, transparency and efficiency. SRP enables TransUnion to monitor as many as 10 times more service providers on a continuous basis. SRP generates benchmarking reports that compare TransUnion's security posture to its competitors, and it improves efficiency without increasing headcount.

The Nature Conservancy
Security Analysis Architecture Project

Timely knowledge of cyber attacks on The Nature Conservancy is the cornerstone of its risk operations. Without accurate knowledge of attack profiles, many tasks become impossible, such as managing risk, determining what to secure and identifying layered controls.

Rather than relying on instinct, TNC opted for data-driven decisions. Its Technology and Information Services team developed a comprehensive security analysis architecture. The solution contains two components -- a sensor infrastructure that is embedded at field offices, and a centrally managed log/visualization infrastructure, which serves as the focusing system for aggregation, parsing, visualization and analysis.

Developing such a sophisticated system is financially challenging for most non-profits. TNC used white box servers, repurposed consumer gaming devices as sensors, and leveraged open source or free tools to accomplish this task.

Sensors have been deployed to field offices across the U.S. These sensors captured approximately 65,000 unique indicators that will be used to create concise executive-level reports for the first time, which will help TNC measure its risk exposure and drive its cybersecurity direction.

The Mitre Corporation
ATT&CK

The key to a successful cyber defense is understanding an attacker’s tactics and techniques. MITRE has developed an adversary playbook called ATT&CK, which stands for Adversarial Tactics, Techniques and Common Knowledge. It gives defenders a way to fight intruders after they have gotten past the network perimeter. ATT&CK is Mitre’s first detailed battle plan for understanding how cyber adversaries get into a network and what they do once inside – identifying and categorizing an intruder’s every move within the network. In addition, ATT&CK addresses how an organization’s technologies and information can confront the attack.

Project leaders say organizations benefit from ATT&CK by having a reference model against which to align their current defenses. Organizations can use ATT&CK to create a blueprint for monitoring and assessment, to build a metrics platform, to determine cyber investments, and for continuous improvement of their cyber battle plan.

State of Missouri Office of Administration
Using Public Data to Alert Organizations of Vulnerabilities

Borrowing a page from a hacker who infiltrated a university’s vulnerable Web-connected devices to disseminate hate speech, the Missouri Office of Cyber Security (OCS) started formulating how it could use the same technique to identify vulnerable systems on the Internet for good purposes.

OCS launched a program to identify vulnerable, Internet connected systems belonging not to just state and local governments, but also to businesses, utilities, and academic institutions across Missouri.

Using Censys.io, a publicly available research platform that scours the entire Internet and indexes devices, open ports and exposed services, OCS has been identifying vulnerable systems statewide.

OCS finds vulnerable systems based on banner feedback and running services. The data is reviewed and cross-referenced against the American Registry for Internet Numbers (ARIN) to obtain contact information for every system identified. OCS then sends a notification to all impacted organizations. To date the program has identified thousands of software programs with expired support, as well as antiquated protocols that invite intruders, at 161 entities and on 10,300 devices.
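The triage and notification step of the OCS workflow (flag a finding from the service and banner, attribute the address to its registered owner, send one notice per organization) is shown below as an added example. It is not OCS's tooling: the scan export, the end-of-support rules, the netblock registry and the contact addresses are all constructed stand-ins for Censys output and ARIN contact data, using documentation address ranges. The two rules that key on protocols (telnet, ftp) reflect that these are cleartext protocols; the IIS 6.0 rule reflects that it ships only with Windows Server 2003, whose support ended in 2015.

```python
"""Triage and owner notification for exposed-service findings.

Added example, not OCS's tooling: the scan records, the end-of-support rules
and the netblock registry below are constructed stand-ins for Censys output
and ARIN contact data.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    ip: str
    port: int
    service: str
    banner: str
    reason: str


# Constructed rules: (port, service, banner substring, reason). An empty
# substring matches any banner for that port/service pair.
RULES = [
    (23, "telnet", "", "cleartext remote login protocol (telnet) exposed"),
    (21, "ftp", "", "cleartext file transfer protocol (ftp) exposed"),
    (80, "http", "Microsoft-IIS/6.0",
     "web server tied to end-of-support Windows Server 2003"),
]

# Constructed registry: netblock -> (organization, security contact).
NETBLOCKS: Dict[str, Tuple[str, str]] = {
    "203.0.113.0/24": ("Example County Water Utility", "it-security@water.example.org"),
    "198.51.100.0/25": ("Example State College", "abuse@college.example.edu"),
    "198.51.100.128/25": ("Example Manufacturing LLC", "netops@mfg.example.com"),
}

# Constructed scan export, one record per exposed service.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 23, "service": "telnet", "banner": "Welcome to router"},
    {"ip": "203.0.113.11", "port": 443, "service": "https", "banner": "nginx/1.10.3"},
    {"ip": "198.51.100.7", "port": 80, "service": "http", "banner": "Microsoft-IIS/6.0"},
    {"ip": "198.51.100.7", "port": 21, "service": "ftp", "banner": "FTP ready"},
    {"ip": "198.51.100.200", "port": 22, "service": "ssh", "banner": "OpenSSH_7.4"},
    {"ip": "192.0.2.5", "port": 23, "service": "telnet", "banner": ""},  # no registry entry
]


def match_rules(record: dict) -> List[Finding]:
    """Return one Finding per rule the scan record satisfies."""
    out = []
    for port, service, needle, reason in RULES:
        if record["port"] == port and record["service"] == service and needle in record["banner"]:
            out.append(Finding(record["ip"], port, service, record["banner"], reason))
    return out


def owner_of(ip: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match against the registry; None when no block covers the IP."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, Tuple[str, str]]] = None
    for cidr, owner in NETBLOCKS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else None


def build_notifications(records: List[dict]) -> Dict[str, dict]:
    """Group findings by owning organization so each receives a single notice
    listing all of its affected devices."""
    notices: Dict[str, dict] = defaultdict(
        lambda: {"contact": None, "devices": set(), "findings": []})
    for rec in records:
        for f in match_rules(rec):
            owner = owner_of(f.ip)
            key = owner[0] if owner else "UNKNOWN OWNER (manual lookup needed)"
            n = notices[key]
            n["contact"] = owner[1] if owner else None
            n["devices"].add(f.ip)
            n["findings"].append(f)
    return dict(notices)


def summary(notices: Dict[str, dict]) -> dict:
    """Program metrics of the kind the article reports: entities and devices."""
    known = {k: v for k, v in notices.items() if v["contact"]}
    return {
        "entities_notified": len(known),
        "devices_affected": sum(len(v["devices"]) for v in known.values()),
        "unattributed_findings": sum(len(v["findings"]) for v in notices.values()
                                     if not v["contact"]),
    }


if __name__ == "__main__":
    result = build_notifications(SCAN_RECORDS)
    for org, n in result.items():
        print(f"To: {n['contact']}  ({org})")
        for f in n["findings"]:
            print(f"  {f.ip}:{f.port}  {f.reason}")
    print(summary(result))
```

Findings whose address falls outside every registered block are held in a separate bucket rather than dropped, since those are exactly the cases that need a manual registry lookup before anyone can be told.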

State of Michigan
Michigan Cyber Disruption Response Plan

The State of Michigan detects tens of thousands of attempts to infiltrate its government network every day. As a global hub for automotive design and manufacturing, and the home of three major research universities, it’s easy to see why cybersecurity and disruption planning are top priorities. To keep pace with evolving cyber threats, Michigan developed the Cyber Disruption Response Plan (CDRP), becoming the first state to develop such a blueprint. The plan establishes a common framework through which all private sector and local government partners can easily and effectively protect their IT systems.

The CDRP provides Michigan’s emergency management and information technology personnel, as well as stakeholders, with a plan to coordinate preparedness, response and recovery activities related to large-scale or long-duration cyber disruption. In the past, communication between the state and organizations during a cyber incident was minimal and disjointed – sometimes taking weeks for organizations to share that an incident had occurred. CDRP closes those gaps and facilitates a more open dialogue on cyber-related concerns and emerging threats.

Sallie Mae
Reducing Insider Threats with Risk Analytics

Some 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months, according to Accenture.

At student loan company Sallie Mae, insider threats have been amplified by increasing employee turnover and more contract-based positions. To combat the problem, Sallie Mae adopted a new approach that applies machine learning, analytics and predictive anomaly detection to user behavior and access privileges in order to detect and protect against insider threats, as well as external attacks that use compromised insider credentials.

Sallie Mae deployed a user behavior and entity analytics platform from Gurucul. The technology first identified outlier access, orphan and dormant accounts. Next, it was used to monitor user activity to identify anomalous behavior in both on-premises IT resources and in cloud environments. If a user downloads a confidential document under abnormal circumstances, for instance, investigators can search all other users who also accessed it to uncover events which might involve multiple actors. Excess and misaligned access to data has been reduced by up to 40%.
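The checks this paragraph describes (orphan and dormant accounts, an anomalous download, and the pivot to everyone else who touched the same document) are shown below as an added example over constructed data; it is not Gurucul's or Sallie Mae's code. The HR roster, the access log format (timestamp, user, action, optional target), the 90-day dormancy threshold and the fixed business-hours window standing in for a learned baseline are all assumptions of the example.

```python
"""Insider-risk checks over an access log: orphan accounts, dormant accounts,
off-hours downloads, and the co-accessor search described above.

Added example with constructed data; not Gurucul's or Sallie Mae's code.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    target: str  # "" for events with no object, e.g. login


# Constructed HR roster: accounts seen in the log but absent here have no owner.
HR_ROSTER: Set[str] = {"alice", "bob", "carol"}

# Constructed access log: "timestamp user action [target]" per line.
ACCESS_LOG = """\
2016-11-20T10:00:00 svc_legacy login
2017-02-27T14:30:00 carol login
2017-03-01T09:12:00 alice login
2017-03-01T09:15:00 alice read doc:board-minutes
2017-03-01T22:48:00 bob download doc:board-minutes
2017-03-02T08:01:00 carol read doc:board-minutes
2017-03-02T11:05:00 alice read doc:quarterly-plan
"""


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        target = parts[3] if len(parts) > 3 else ""
        events.append(Event(ts, parts[1], parts[2], target))
    return events


def orphan_accounts(events: List[Event], roster: Set[str]) -> Set[str]:
    """Accounts active in the log that HR does not know about."""
    return {e.user for e in events} - roster


def dormant_accounts(events: List[Event], as_of: datetime, max_idle_days: int = 90) -> Set[str]:
    """Accounts whose most recent activity is older than the idle threshold."""
    last_seen: Dict[str, datetime] = {}
    for e in events:
        last_seen[e.user] = max(last_seen.get(e.user, e.ts), e.ts)
    cutoff = as_of - timedelta(days=max_idle_days)
    return {u for u, t in last_seen.items() if t < cutoff}


def off_hours_downloads(events: List[Event], start_hour: int = 7, end_hour: int = 19) -> List[Event]:
    """Downloads outside a fixed business window; a simple rule standing in
    for the platform's learned per-user baseline."""
    return [e for e in events
            if e.action == "download" and not (start_hour <= e.ts.hour < end_hour)]


def co_accessors(events: List[Event], flagged: Event, window_days: int = 7) -> Set[str]:
    """Other users who touched the same document within the window around a
    flagged event: the pivot used to spot activity involving several actors."""
    lo = flagged.ts - timedelta(days=window_days)
    hi = flagged.ts + timedelta(days=window_days)
    return {e.user for e in events
            if e.target == flagged.target and e.user != flagged.user and lo <= e.ts <= hi}


def investigate(text: str, roster: Set[str], as_of_iso: str) -> dict:
    """Run every check and return one report; as_of_iso is the review date."""
    as_of = datetime.strptime(as_of_iso, "%Y-%m-%dT%H:%M:%S")
    events = parse_log(text)
    flagged = off_hours_downloads(events)
    return {
        "orphans": orphan_accounts(events, roster),
        "dormant": dormant_accounts(events, as_of),
        "flagged": flagged,
        "co_accessors": {f"{f.user}:{f.target}": co_accessors(events, f) for f in flagged},
    }


if __name__ == "__main__":
    report = investigate(ACCESS_LOG, HR_ROSTER, "2017-03-02T12:00:00")
    for name, value in report.items():
        print(name, value)
```

The orphan and dormant checks are the cheap first pass the paragraph describes; the co-accessor search is what turns a single anomalous download into a question about who else was involved.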

Access Management Automation
